Create barbican's creator role by default

Barbican has a very specific set of keystone roles that it uses in order
to properly enforce RBAC. One of them (and the most important) is the
creator role, which you'll assign to your users in order to allow them
to create and retrieve secrets (the other role that can do this is
admin... but we don't want to rely on this).

For usability, let's create this role automatically as part of the
TripleO installation.

Closes-Bug: #1812209
Change-Id: I9d5f912684a0987a6bdf244321215bd5595a0fa0
(cherry picked from commit dfd408a73d)
parent 035c834e02
commit e8adf4b397
|
@ -301,6 +301,12 @@ class tripleo::profile::base::keystone (
|
|||
class { '::keystone::roles::admin':
|
||||
admin_roles => $admin_roles,
|
||||
}
|
||||
|
||||
if hiera('barbican_api_enabled', false) {
|
||||
keystone_role { 'creator':
|
||||
ensure => present
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if $step == 3 and $manage_endpoint {
|
||||
|
|
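Review bot: the `hiera('barbican_api_enabled', false)` call in the added `if` is an inline lookup inside the body of `tripleo::profile::base::keystone`, so the switch that decides whether the `creator` role exists is not visible in the class interface and cannot be overridden or documented there. Consider exposing it as a documented class parameter whose default is that same lookup, and testing the parameter in the `if`. Style: `ensure => present` has no trailing comma, unlike `admin_roles => $admin_roles,` in the resource just above. From an RBAC standpoint the hunk only declares the role with `keystone_role`; nothing here assigns it to a user, so access to secrets still requires an explicit grant, and it would help to say so in a comment next to the resource.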