Fixes playbook runtime issues with ldap

When using an LDAP backend the playbooks fail when "ensuring.*"
which is a keystone client action. The reason for the failure is
related to how ldap backend, and is triggered when the service
users are within the ldap and not SQL. To resolve the issue a boolean
conditional was created on the various OS_.* roles to skip specific
tasks when the service users have already been added into LDAP.

Change-Id: I64a8d1e926c54b821f8bfb561a8b6f755bc1ed93
Closes-Bug: #1518351
Closes-Bug: #1519174
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
(cherry picked from commit 2559ed4f13)
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>

playbooks/inventory/group_vars/hosts.yml

@@ -83,6 +83,10 @@ dhcp_domain: openstacklocal
 #openstack_service_internaluri_proto: http
 
 
+## LDAP enabled toggle
+service_ldap_backend_enabled: "{{ keystone_ldap is defined }}"
+
+
 ## Ceilometer
 ceilometer_service_port: 8777
 ceilometer_service_proto: http
@@ -91,6 +95,7 @@ ceilometer_service_tenant_name: service
 ceilometer_service_adminuri: "{{ ceilometer_service_proto }}://{{ internal_lb_vip_address }}:{{ ceilometer_service_port }}"
 ceilometer_service_adminurl: "{{ ceilometer_service_adminuri }}/"
 ceilometer_service_region: "{{ service_region }}"
+ceilometer_service_in_ldap: "{{ service_ldap_backend_enabled }}"
 
 
 ## Nova
@@ -109,6 +114,7 @@ nova_keystone_auth_plugin: password
 nova_ceph_client: '{{ cinder_ceph_client }}'
 nova_ceph_client_uuid: '{{ cinder_ceph_client_uuid | default() }}'
 nova_dhcp_domain: "{{ dhcp_domain }}"
+nova_service_in_ldap: "{{ service_ldap_backend_enabled }}"
 
 
 ## Neutron
@@ -123,6 +129,7 @@ neutron_service_adminuri: "{{ neutron_service_adminuri_proto }}://{{ internal_lb
 neutron_service_adminurl: "{{ neutron_service_adminuri }}"
 neutron_service_region: "{{ service_region }}"
 neutron_dhcp_domain: "{{ dhcp_domain }}"
+neutron_service_in_ldap: "{{ service_ldap_backend_enabled }}"
 
 
 ## Glance
@@ -135,6 +142,7 @@ glance_service_project_domain_id: default
 glance_service_user_domain_id: default
 glance_service_adminurl: "{{ glance_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ glance_service_port }}"
 glance_service_region: "{{ service_region }}"
+glance_service_in_ldap: "{{ service_ldap_backend_enabled }}"
 # Only specify this if you want to list the servers - by default LB host/port will be used
 #glance_api_servers: "{% for host in groups['glance_all'] %}{{ hostvars[host]['container_address'] }}:{{ glance_service_port }}{% if not loop.last %},{% endif %}{% endfor %}"
 
@@ -168,6 +176,7 @@ keystone_memcached_servers: "{% for host in groups['keystone_all'] %}{{ hostvars
 keystone_service_region: "{{ service_region }}"
 keystone_service_adminuri_insecure: false
 keystone_service_internaluri_insecure: false
+keystone_service_in_ldap: "{{ service_ldap_backend_enabled }}"
 
 
 ## Horizon
@@ -177,6 +186,7 @@ horizon_enable_cinder_backup: "{% if cinder_service_backup_program_enabled is de
 
 ## Heat
 heat_service_region: "{{ service_region }}"
+heat_service_in_ldap: "{{ service_ldap_backend_enabled }}"
 
 
 ## Cinder
@@ -198,6 +208,17 @@ cinder_ceph_client: cinder
 # cinder_backend_lvm_inuse: True if current host has an lvm backend
 cinder_backend_lvm_inuse: '{{ (cinder_backends|default("")|to_json).find("cinder.volume.drivers.lvm.LVMVolumeDriver") != -1 }}'
 cinder_service_region: "{{ service_region }}"
+cinder_service_in_ldap: "{{ service_ldap_backend_enabled }}"
+
+
+## Swift
+swift_system_user_name: swift
+swift_system_group_name: swift
+swift_system_shell: /bin/bash
+swift_system_comment: swift system user
+swift_system_home_folder: "/var/lib/{{ swift_system_user_name }}"
+swift_service_region: "{{ service_region }}"
+swift_service_in_ldap: "{{ service_ldap_backend_enabled }}"
 
 
 ## OpenStack Openrc
@@ -216,13 +237,6 @@ tempest_pip_instructions: >
   --trusted-host pypi.python.org
   --trusted-host {{ openstack_upstream_domain }}
 
-## Swift
-swift_system_user_name: swift
-swift_system_group_name: swift
-swift_system_shell: /bin/bash
-swift_system_comment: swift system user
-swift_system_home_folder: "/var/lib/{{ swift_system_user_name }}"
-swift_service_region: "{{ service_region }}"
 
 ## HAProxy
 haproxy_bind_on_non_local: "{% if groups.haproxy_hosts[1] is defined and internal_lb_vip_address != external_lb_vip_address %}True{% else %}False{% endif %}"

playbooks/roles/os_ceilometer/defaults/main.yml

@@ -65,6 +65,8 @@ ceilometer_service_internalurl: "{{ ceilometer_service_internaluri }}"
 ceilometer_service_adminuri: "{{ ceilometer_service_proto }}://{{ internal_lb_vip_address }}:{{ ceilometer_service_port }}"
 ceilometer_service_adminurl: "{{ ceilometer_service_adminuri }}"
 
+
+ceilometer_service_in_ldap: false
 ## Ceilometer config
 
 # Common apt packages

playbooks/roles/os_ceilometer/tasks/ceilometer_service_add.yml

@@ -39,6 +39,7 @@
     role_name: "{{ role_name }}"
     password: "{{ ceilometer_service_password }}"
   register: add_service
+  when: not ceilometer_service_in_ldap | bool
   until: add_service|success
   retries: 5
   delay: 10
@@ -55,6 +56,7 @@
     tenant_name: "{{ ceilometer_service_project_name }}"
     role_name: "{{ ceilometer_role_name }}"
   register: add_admin_role
+  when: not ceilometer_service_in_ldap | bool
   until: add_admin_role|success
   retries: 5
   delay: 10

playbooks/roles/os_cinder/defaults/main.yml

@@ -184,6 +184,8 @@ cinder_quota_backup_gigabytes: 1000
 #  "volume:create": ""
 #  "volume:delete": ""
 
+cinder_service_in_ldap: false
+
 # Common apt packages
 cinder_apt_packages:
   - dmeventd

playbooks/roles/os_cinder/tasks/cinder_service_add.yml

@@ -43,6 +43,7 @@
     password: "{{ service_password }}"
     insecure: "{{ keystone_service_adminuri_insecure }}"
   register: add_service
+  when: not cinder_service_in_ldap | bool
   until: add_service|success
   retries: 5
   delay: 10
@@ -62,6 +63,7 @@
     role_name: "{{ role_name }}"
     insecure: "{{ keystone_service_adminuri_insecure }}"
   register: add_service
+  when: not cinder_service_in_ldap | bool
   until: add_service|success
   retries: 5
   delay: 10

playbooks/roles/os_glance/defaults/main.yml

@@ -140,6 +140,8 @@ glance_rbd_store_pool: images
 glance_rbd_store_user: '{{ glance_ceph_client }}'
 glance_rbd_store_chunk_size: 8
 
+glance_service_in_ldap: false
+
 # Common apt packages
 glance_apt_packages:
   - rpcbind

playbooks/roles/os_glance/tasks/glance_service_setup.yml

@@ -43,6 +43,7 @@
     password: "{{ glance_service_password }}"
     insecure: "{{ keystone_service_adminuri_insecure }}"
   register: add_service
+  when: not glance_service_in_ldap | bool
   until: add_service|success
   retries: 5
   delay: 10
@@ -62,6 +63,7 @@
     role_name: "{{ glance_role_name }}"
     insecure: "{{ keystone_service_adminuri_insecure }}"
   register: add_service
+  when: not glance_service_in_ldap | bool
   until: add_service|success
   retries: 5
   delay: 10

playbooks/roles/os_heat/defaults/main.yml

@@ -124,6 +124,8 @@ heat_watch_port: 8003
 heat_watch_server_uri: "{{ heat_watch_proto }}://{{ external_lb_vip_address }}:{{ heat_watch_port }}"
 heat_watch_server_url: "{{ heat_watch_server_uri }}"
 
+heat_service_in_ldap: false
+
 ## Plugin dirs
 heat_plugin_dirs:
   - /usr/lib/heat

playbooks/roles/os_heat/tasks/heat_service_add.yml

@@ -43,6 +43,7 @@
     password: "{{ service_password }}"
     insecure: "{{ keystone_service_adminuri_insecure }}"
   register: add_service
+  when: not heat_service_in_ldap | bool
   until: add_service|success
   retries: 5
   delay: 10
@@ -62,6 +63,7 @@
     role_name: "{{ role_name }}"
     insecure: "{{ keystone_service_adminuri_insecure }}"
   register: add_service
+  when: not heat_service_in_ldap | bool
   until: add_service|success
   retries: 5
   delay: 10

playbooks/roles/os_keystone/defaults/main.yml

@@ -306,6 +306,8 @@ keystone_recreate_keys: False
 #            - name: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
 #              id: upn
 
+keystone_service_in_ldap: false
+
 # Keystone Federation SP Packages
 keystone_sp_apt_packages:
   - libapache2-mod-shib2

playbooks/roles/os_keystone/tasks/keystone_service_setup.yml

@@ -87,6 +87,7 @@
     password: "{{ keystone_auth_admin_password }}"
     insecure: "{{ keystone_service_adminuri_insecure }}"
   register: add_service
+  when: not keystone_service_in_ldap | bool
   until: add_service|success
   retries: 5
   delay: 10
@@ -121,6 +122,7 @@
     role_name: "{{ keystone_role_name }}"
     insecure: "{{ keystone_service_adminuri_insecure }}"
   register: add_service
+  when: not keystone_service_in_ldap | bool
   until: add_service|success
   retries: 5
   delay: 10
@@ -137,6 +139,7 @@
     role_name: "{{ keystone_default_role_name }}"
     insecure: "{{ keystone_service_adminuri_insecure }}"
   register: add_member_role
+  when: not keystone_service_in_ldap | bool
   until: add_member_role|success
   retries: 5
   delay: 10

playbooks/roles/os_neutron/defaults/main.yml

@@ -264,6 +264,8 @@ neutron_rpc_thread_pool_size: 64
 neutron_rpc_conn_pool_size: 30
 neutron_rpc_response_timeout: 60
 
+neutron_service_in_ldap: false
+
 ## Policy vars
 # Provide a list of access controls to update the default policy.json with. These changes will be merged
 # with the access controls in the default policy.json. E.g.

playbooks/roles/os_neutron/tasks/neutron_service_add.yml

@@ -43,6 +43,7 @@
     password: "{{ service_password }}"
     insecure: "{{ keystone_service_adminuri_insecure }}"
   register: add_service
+  when: not neutron_service_in_ldap | bool
   until: add_service|success
   retries: 5
   delay: 10
@@ -62,6 +63,7 @@
     role_name: "{{ role_name }}"
     insecure: "{{ keystone_service_adminuri_insecure }}"
   register: add_service
+  when: not neutron_service_in_ldap | bool
   until: add_service|success
   retries: 5
   delay: 10

playbooks/roles/os_nova/defaults/main.yml

@@ -296,6 +296,8 @@ nova_ceph_client_uuid: 517a4663-3927-44bc-9ea7-4a90e1cd4c66
 #  "compute:create": ""
 #  "compute:create:attach_network": ""
 
+nova_service_in_ldap: false
+
 ## libvirtd config options
 nova_libvirtd_listen_tls: 1
 nova_libvirtd_listen_tcp: 0

playbooks/roles/os_nova/tasks/nova_service_add.yml

@@ -43,6 +43,7 @@
     password: "{{ service_password }}"
     insecure: "{{ keystone_service_adminuri_insecure }}"
   register: add_service
+  when: not nova_service_in_ldap | bool
   until: add_service|success
   retries: 5
   delay: 10
@@ -62,6 +63,7 @@
     role_name: "{{ role_name }}"
     insecure: "{{ keystone_service_adminuri_insecure }}"
   register: add_service
+  when: not nova_service_in_ldap | bool
   until: add_service|success
   retries: 5
   delay: 10

playbooks/roles/os_swift/defaults/main.yml

@@ -138,6 +138,8 @@ swift_proxy_server_program_config_options: /etc/swift/proxy-server/proxy-server.
 # of available VCPUS to compute the number of api workers to use.
 # swift_proxy_server_workers: 16
 
+swift_service_in_ldap: false
+
 swift_pip_packages:
   - ceilometermiddleware
   - dnspython

playbooks/roles/os_swift/tasks/swift_service_setup.yml

@@ -43,6 +43,7 @@
     password: "{{ swift_service_password }}"
     insecure: "{{ keystone_service_adminuri_insecure }}"
   register: add_service
+  when: not swift_service_in_ldap | bool
   until: add_service|success
   retries: 5
   delay: 10
@@ -62,6 +63,7 @@
     role_name: "{{ swift_service_role_name }}"
     insecure: "{{ keystone_service_adminuri_insecure }}"
   register: add_service
+  when: not swift_service_in_ldap | bool
   until: add_service|success
   retries: 5
   delay: 10
@@ -96,6 +98,7 @@
     password: "{{ swift_dispersion_password }}"
     insecure: "{{ keystone_service_adminuri_insecure }}"
   register: add_service
+  when: not swift_service_in_ldap | bool
   until: add_service|success
   retries: 5
   delay: 10