Fix the heat stack user create

The heat stack user was being using the openstack cli tools. This has changed such that its now using our library. This will ensure that the roles, users, groups, projects, domains are created properly without the variability of the CLI interface and returned data. Closes-Bug: #1489947 Change-Id: I3f0af0589825fa506e3618f6f39a54bf89c87d14 (cherry-picked from commit a12dcaff62)
2015-08-28 11:04:23 +01:00 · 2015-08-28 11:04:23 +01:00 · 893f51a453
parent 375f4165d5
commit 893f51a453
3 changed files with 35 additions and 90 deletions
--- a/playbooks/roles/os_heat/defaults/main.yml
+++ b/playbooks/roles/os_heat/defaults/main.yml
@ -45,9 +45,9 @@ heat_system_shell: /bin/false
 heat_system_home_folder: "/var/lib/{{ heat_system_user_name }}"

 ## Default domain
-heat_project_domain_id: default
+heat_project_domain_name: Default
 heat_project_name: admin
-heat_user_domain_id: default
+heat_user_domain_name: Default

 ## Stack
 heat_stack_domain_admin: stack_domain_admin
@ -69,8 +69,8 @@ heat_profiler_trace_sqlalchemy: false
 ## Auth
 heat_service_project_name: "service"
 heat_service_user_name: "heat"
-heat_service_project_domain_id: "default"
-heat_service_user_domain_id: "default"
+heat_service_project_domain_name: "Default"
+heat_service_user_domain_name: "Default"

 ## Keystone authentication middleware
 heat_keystone_auth_plugin: password
--- a/playbooks/roles/os_heat/tasks/heat_domain_setup.yml
+++ b/playbooks/roles/os_heat/tasks/heat_domain_setup.yml
@ -14,136 +14,81 @@
 # limitations under the License.

 # This is the role assigned to users created within Heat stacks themselves
- name: Ensure stack_user role
+- name: Ensure heat_stack_user role
  keystone:
-    command: "ensure_role"
+    command: ensure_role
+    role_name: "heat_stack_user"
    token: "{{ keystone_auth_admin_token }}"
    endpoint: "{{ keystone_service_adminurl }}"
-    role_name: "heat_stack_user"
-  register: add_service
-  until: add_service|success
-  retries: 5
-  delay: 10
+    insecure: "{{ keystone_service_adminuri_insecure }}"
  tags:
    - heat-domain
    - heat-domain-role
    - heat-domain-setup
    - heat-config

- name: check for heat domain
-  shell: |
-    . {{ ansible_env.HOME }}/openrc
-    openstack --os-identity-api-version=3 \
-              --os-auth-url={{ keystone_service_adminurl_v3 }} \
-              --os-project-name={{ heat_project_name }} \
-              --os-project-domain-id={{ heat_project_domain_id }} \
-              --os-user-domain-id={{ heat_user_domain_id }} \
-              domain \
-              show \
-              "{{ heat_stack_user_domain_name }}" | grep -w "{{ heat_stack_user_domain_name }}"
-  failed_when: false
-  changed_when: stack_user_domain.rc == 1
-  register: stack_user_domain
+- name: Ensure heat domain
+  keystone:
+    command: ensure_domain
+    domain_name: "{{ heat_stack_user_domain_name }}"
+    token: "{{ keystone_auth_admin_token }}"
+    endpoint: "{{ keystone_service_adminurl }}"
+    insecure: "{{ keystone_service_adminuri_insecure }}"
  tags:
    - heat-domain
    - heat-domain-setup
    - heat-config

- name: Create heat domain
-  shell: |
-    . {{ ansible_env.HOME }}/openrc
-    openstack --os-identity-api-version=3 \
-              --os-auth-url={{ keystone_service_adminurl_v3 }} \
-              --os-project-name={{ heat_project_name }} \
-              --os-project-domain-id={{ heat_project_domain_id }} \
-              --os-user-domain-id={{ heat_user_domain_id }} \
-              domain \
-              create \
-              --description "{{ heat_stack_domain_description }}" \
-              "{{ heat_stack_user_domain_name }}"
-  when: stack_user_domain.rc == 1
+- name: Ensure heat project
+  keystone:
+    command: ensure_project
+    project_name: "{{ heat_project_name }}"
+    domain_name: "{{ heat_stack_user_domain_name }}"
+    token: "{{ keystone_auth_admin_token }}"
+    endpoint: "{{ keystone_service_adminurl }}"
+    insecure: "{{ keystone_service_adminuri_insecure }}"
  tags:
    - heat-domain
    - heat-domain-setup
    - heat-config

- name: Check for heat user
+# TODO Change the keystone library to support adding
+# a user to a domain without specifying a project
+- name: Ensure heat user
  shell: |
    . {{ ansible_env.HOME }}/openrc
    openstack --os-identity-api-version=3 \
              --os-auth-url={{ keystone_service_adminurl_v3 }} \
              --os-project-name={{ heat_project_name }} \
-              --os-project-domain-id={{ heat_project_domain_id }} \
-              --os-user-domain-id={{ heat_user_domain_id }} \
-              user \
-              list | grep -w "{{ heat_stack_domain_admin }}"
-  failed_when: false
-  changed_when: stack_user.rc == 1
-  register: stack_user
-  tags:
-    - heat-domain
-    - heat-domain-setup
-    - heat-config
-
- name: Create heat domain admin user
-  shell: |
-    . {{ ansible_env.HOME }}/openrc
-    openstack --os-identity-api-version=3 \
-              --os-auth-url={{ keystone_service_adminurl_v3 }} \
-              --os-project-name={{ heat_project_name }} \
-              --os-project-domain-id={{ heat_project_domain_id }} \
-              --os-user-domain-id={{ heat_user_domain_id }} \
+              --os-project-domain-name={{ heat_project_domain_name }} \
+              --os-user-domain-name={{ heat_user_domain_name }} \
              user \
              create \
+              --or-show \
              --domain {{ heat_stack_user_domain_name }} \
              --password {{ heat_stack_domain_admin_password }} \
              "{{ heat_stack_domain_admin }}"
-  when: stack_user.rc == 1
-  tags:
-    - heat-domain
-    - heat-domain-setup
-    - heat-config
-
- name: Retrieve heat domain id
-  shell: |
-    . {{ ansible_env.HOME }}/openrc
-    openstack --os-identity-api-version=3 \
-              --os-auth-url={{ keystone_service_adminurl_v3 }} \
-              --os-project-name={{ heat_project_name }} \
-              --os-project-domain-id={{ heat_project_domain_id }} \
-              --os-user-domain-id={{ heat_user_domain_id }} \
-              domain \
-              show \
-              {{ heat_stack_user_domain_name }} | grep -oE -m 1 "[0-9a-f]{32}"
-  register: stack_user_domain_id
-  tags:
-    - heat-domain
-    - heat-domain-setup
-    - heat-config
-
- name: Set fact for heat domain id
-  set_fact:
-    stack_user_domain_id: "{{ stack_user_domain_id.stdout }}"
  tags:
    - heat-domain
    - heat-domain-setup
    - heat-config

+# TODO Change the keystone library to support adding
+# a role to a user without specifying a project
 - name: Assign admin role to heat domain admin user
  shell: |
    . {{ ansible_env.HOME }}/openrc
    openstack --os-identity-api-version=3 \
              --os-auth-url={{ keystone_service_adminurl_v3 }} \
              --os-project-name={{ heat_project_name }} \
-              --os-project-domain-id={{ heat_project_domain_id }} \
-              --os-user-domain-id={{ heat_user_domain_id }} \
+              --os-project-domain-name={{ heat_project_domain_name }} \
+              --os-user-domain-name={{ heat_user_domain_name }} \
              role \
              add \
              --user {{ heat_stack_domain_admin }} \
-              --domain {{ stack_user_domain_id }} \
+              --domain {{ heat_stack_user_domain_name }} \
              admin
  tags:
    - heat-domain
    - heat-domain-setup
    - heat-config
-
--- a/playbooks/roles/os_heat/templates/heat.conf.j2
+++ b/playbooks/roles/os_heat/templates/heat.conf.j2
@ -10,7 +10,7 @@ log_file = /var/log/heat/heat.log

 stack_domain_admin_password = {{ heat_stack_domain_admin_password }}
 stack_domain_admin = {{ heat_stack_domain_admin }}
-stack_user_domain_id = {{ hostvars[groups['heat_api'][0]]['stack_user_domain_id'] }}
+stack_user_domain_name = {{ heat_stack_user_domain_name }}
 max_nested_stack_depth = {{ heat_max_nested_stack_depth }}
 heat_watch_server_url = {{ heat_watch_server_url }}
 heat_waitcondition_server_url = {{ heat_waitcondition_server_url }}