Adding required monasca roles so users can query the apis.

Change-Id: Id225d81b2d24b0e952ca6fb95c77d72ba189fd69
2016-11-16 09:59:09 +02:00 · 2016-11-16 09:59:09 +02:00 · 7f1c7d8c52
parent 9ce2f1c49e
commit 7f1c7d8c52
4 changed files with 23 additions and 4 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -38,6 +38,8 @@ monasca_service_description: "OpenStack Monitoring Service (Monasca)"
 monasca_service_project_name: service
 monasca_service_role_names:
  - admin
+monasca_role_names:
+  - monasca-user
 monasca_service_region: RegionOne
 monasca_service_host: "0.0.0.0"
 monasca_bind_port: 8070
--- a/tasks/monasca_service_setup.yml
+++ b/tasks/monasca_service_setup.yml
@ -77,6 +77,23 @@
    - monasca-user-add
    - monasca-setup

+- name: Ensure the monasca role exists
+  keystone:
+    command: "ensure_role"
+    endpoint: "{{ keystone_service_adminurl }}"
+    login_user: "{{ keystone_admin_user_name }}"
+    login_password: "{{ keystone_auth_admin_password }}"
+    login_project_name: "{{ keystone_admin_tenant_name }}"
+    user_name: "{{ monasca_service_user_name }}"
+    tenant_name: "{{ monasca_service_project_name }}"
+    role_name: "{{ item }}"
+    insecure: "{{ keystone_service_adminuri_insecure }}"
+  register: ensure_monasca_roles
+  until: ensure_monasca_roles |success
+  retries: 5
+  delay: 2
+  with_items: "{{ monasca_role_names }}"
+
 - name: Ensure the monasca user has the admin role
  keystone:
    command: "ensure_user_role"
@ -88,8 +105,8 @@
    tenant_name: "{{ monasca_service_project_name }}"
    role_name: "{{ item }}"
    insecure: "{{ keystone_service_adminuri_insecure }}"
-  register: ensure_monasca_roles
-  until: ensure_monasca_roles |success
+  register: ensure_monasca_service_roles
+  until: ensure_monasca_service_roles |success
  retries: 5
  delay: 2
  with_items: "{{ monasca_service_role_names }}"
--- a/templates/monasca-api.conf.j2
+++ b/templates/monasca-api.conf.j2
@ -20,7 +20,7 @@ dimension_names = monasca_api.v2.reference.metrics:DimensionNames
 notification_method_types = monasca_api.v2.reference.notificationstype:NotificationsType

 [security]
-default_authorized_roles = user, domainuser, domainadmin, {{ monasca_service_user_name }}
+default_authorized_roles = user, domainuser, domainadmin, {{ monasca_service_role_names | join(', ') }}, {{ monasca_role_names | join(', ') }}
 agent_authorized_roles = {{ monasca_service_user_name }}
 read_only_authorized_roles = {{ monasca_readonly_user_name }}
 delegate_authorized_roles = admin
--- a/templates/monasca-log-api.conf.j2
+++ b/templates/monasca-log-api.conf.j2
@ -16,7 +16,7 @@ kafka_topics = log
 [roles_middleware]
 path = /v2.0/log
 path = /v3.0/logs
-default_roles = user, domainuser, domainadmin, {{ monasca_service_user_name }}
+default_roles = user, domainuser, domainadmin, {{ monasca_service_role_names | join(', ') }}, {{ monasca_role_names | join(', ') }}
 agent_roles = {{ monasca_service_user_name }}, admin

 [dispatcher]