Create barbican's creator role by default

Barbican has a very specific set of keystone roles that it uses in order
to properly enforce RBAC. One of them (and the most important) is the
creator role, which you'll assign to your users in order to allow them
to create and retrieve secrets (the other role that can do this is
admin... but we don't want to rely on this).

For usability, let's create this role automatically as part of the
TripleO installation.

Closes-Bug: #1812209
Change-Id: I9d5f912684a0987a6bdf244321215bd5595a0fa0
(cherry picked from commit dfd408a73d)
Juan Antonio Osorio Robles 2019-01-17 14:17:36 +02:00
parent 035c834e02
commit e8adf4b397
1 changed files with 6 additions and 0 deletions

@ -301,6 +301,12 @@ class tripleo::profile::base::keystone (
class { '::keystone::roles::admin':
admin_roles => $admin_roles,
}
if hiera('barbican_api_enabled', false) {
keystone_role { 'creator':
ensure => present
}
}
}
if $step == 3 and $manage_endpoint {
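Review bot: The `hiera('barbican_api_enabled', false)` lookup in the new `if` condition is an inline, undocumented input to `tripleo::profile::base::keystone`. Consider exposing it as a class parameter with the hiera call as its default and describing it in the class documentation, so the behaviour can be overridden and unit-tested. In the `keystone_role { 'creator':` resource, `ensure => present` is missing the trailing comma that Puppet style expects. Because the commit touches a single file, a spec case covering both the enabled and the disabled path would be a useful follow-up, so that the role is verified to be absent from the catalog when Barbican is not deployed.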