Use keystone library for heat_stack_domain_admin

The keystone library has been updated to support adding a user to a domain and assigning a role without specifying a project. Use it instead of shelling out to the openstackclient. Backport for change I2659f0496528c29e036c459494a463182e69599d Closes-Bug: 1579612 Depends-On: If515ec94e980365ebd38781498ee541df2f3d431 Change-Id: I79ac6820c03ddbb2df33d123bddfa917613f033d
2016-07-28 13:49:58 +00:00 · 2016-07-28 13:49:58 +00:00 · da8c5e2ec0
parent a9291b9dc0
commit da8c5e2ec0
1 changed files with 25 additions and 34 deletions
--- a/playbooks/roles/os_heat/tasks/heat_domain_setup.yml
+++ b/playbooks/roles/os_heat/tasks/heat_domain_setup.yml
@ -52,47 +52,38 @@
    - heat-domain-setup
    - heat-config

-# TODO Change the keystone library to support adding
-# a user to a domain without specifying a project
 - name: Ensure heat user
-  shell: |
-    . {{ ansible_env.HOME }}/openrc
-    {{ heat_bin }}/openstack \
-              --os-identity-api-version=3 \
-              --os-auth-url={{ keystone_service_adminurl }} \
-              --os-project-name={{ heat_project_name }} \
-              --os-project-domain-name={{ heat_project_domain_name }} \
-              --os-user-domain-name={{ heat_user_domain_name }} \
-              user \
-              create \
-              --or-show \
-              --domain {{ heat_stack_user_domain_name }} \
-              --password {{ heat_stack_domain_admin_password }} \
-              "{{ heat_stack_domain_admin }}"
+  keystone:
+    command: "ensure_user"
+    endpoint: "{{ keystone_service_adminurl }}"
+    token: "{{ keystone_auth_admin_token }}"
+    user_name: "{{ heat_stack_domain_admin }}"
+    domain_name: "{{ heat_stack_user_domain_name }}"
+    password: "{{ heat_stack_domain_admin_password }}"
+    insecure: "{{ keystone_service_adminuri_insecure }}"
+  register: add_service
+  until: add_service|success
+  retries: 5
+  delay: 10
  tags:
    - heat-domain
    - heat-domain-setup
    - heat-config
    - heat-command-bin

-
-# TODO Change the keystone library to support adding
-# a role to a user without specifying a project
- name: Assign admin role to heat domain admin user
-  shell: |
-    . {{ ansible_env.HOME }}/openrc
-    {{ heat_bin }}/openstack \
-              --os-identity-api-version=3 \
-              --os-auth-url={{ keystone_service_adminurl }} \
-              --os-project-name={{ heat_project_name }} \
-              --os-project-domain-name={{ heat_project_domain_name }} \
-              --os-user-domain-name={{ heat_user_domain_name }} \
-              role \
-              add \
-              --user {{ heat_stack_domain_admin }} \
-              --domain {{ heat_stack_user_domain_name }} \
-              --user-domain {{ heat_stack_user_domain_name }} \
-              admin
+- name: Ensure heat role
+  keystone:
+    command: "ensure_user_role"
+    endpoint: "{{ keystone_service_adminurl }}"
+    token: "{{ keystone_auth_admin_token }}"
+    user_name: "{{ heat_stack_domain_admin }}"
+    role_name: "admin"
+    domain_name: "{{ heat_stack_user_domain_name }}"
+    insecure: "{{ keystone_service_adminuri_insecure }}"
+  register: add_service
+  until: add_service|success
+  retries: 5
+  delay: 10
  tags:
    - heat-domain
    - heat-domain-setup