Add default roles used by Barbican

The default roles used by Barbican are missing. According to the default policy.json the roles 'key-manager:service-admin', 'creator', 'observer', 'audit' are necessary for Barbican. This is reimplementation of the 0ed71b4 because keystone module is used in stable/queens. Change-Id: If50e02a5886a1f3b26eb033103904122302afeda Closes-Bug: #1657742
2018-07-10 12:53:36 -04:00 · 2018-07-10 12:53:36 -04:00 · f3db3d834e
parent 95e38e1c37
commit f3db3d834e
2 changed files with 22 additions and 0 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -47,8 +47,14 @@ barbican_service_name: barbican
 barbican_service_user_name: barbican
 barbican_service_type: key-manager
 barbican_service_description: "OpenStack Key and Secrets Management (Barbican)"
+barbican_default_role_names:
+  - "key-manager:service-admin"
+  - creator
+  - observer
+  - audit
 barbican_service_role_names:
  - admin
+  - creator
 barbican_service_region: RegionOne
 barbican_service_host: "0.0.0.0"
 barbican_service_port: 9311
--- a/tasks/barbican_service_setup.yml
+++ b/tasks/barbican_service_setup.yml
@ -47,6 +47,22 @@
  delay: 2
  no_log: True

+- name: Ensure the Barbican roles
+  keystone:
+    command: "ensure_role"
+    endpoint: "{{ keystone_service_adminurl }}"
+    login_user: "{{ keystone_admin_user_name }}"
+    login_password: "{{ keystone_auth_admin_password }}"
+    login_project_name: "{{ keystone_admin_tenant_name }}"
+    role_name: "{{ item }}"
+    insecure: "{{ keystone_service_adminuri_insecure }}"
+  register: ensure_barbican_roles
+  until: ensure_barbican_roles |success
+  retries: 5
+  delay: 2
+  with_items: "{{ barbican_default_role_names }}"
+  no_log: True
+
 - name: Ensure the Barbican user has the admin role
  keystone:
    command: "ensure_user_role"