Remove domain role from nova, placement service users

This patch removes the openstack_user resource with :grant_domain
action. A user is always created within a specific domain; such a
membership cannot be tacked on later. This resource gave the users
the role intended for their project for the domain (i.e., for the Default
domain instead of for the service project).

We add the domain_name attribute that creates the nova and placement
users in the desired domain. Note that this change needs a sufficiently
recent openstackclient cookbook -- otherwise the domain_name attribute
is ignored (which does not matter as long as the users are to be created
in the Default domain).

Change-Id: I333da4d0d93c8a0065c6c1001b5ebed8cd6eab5c
This commit is contained in:
Roger Luethi 2017-11-09 13:53:36 +01:00
parent cb414a9655
commit d82d6a9f7c
2 changed files with 3 additions and 18 deletions

View File

@ -101,12 +101,14 @@ end
# Register Service Users # Register Service Users
openstack_user service_user do openstack_user service_user do
project_name service_project_name project_name service_project_name
domain_name service_domain_name
password service_pass password service_pass
connection_params connection_params connection_params connection_params
end end
openstack_user placement_service_user do openstack_user placement_service_user do
project_name service_project_name project_name service_project_name
domain_name service_domain_name
password placement_service_pass password placement_service_pass
connection_params connection_params connection_params connection_params
end end
@ -119,12 +121,4 @@ end
connection_params connection_params connection_params connection_params
action :grant_role action :grant_role
end end
openstack_user user do
domain_name service_domain_name
role_name service_role
user_name user
connection_params connection_params
action :grant_domain
end
end end

View File

@ -104,6 +104,7 @@ describe 'openstack-compute::identity_registration' do
expect(chef_run).to create_openstack_user( expect(chef_run).to create_openstack_user(
placement_service_user placement_service_user
).with( ).with(
domain_name: domain_name,
project_name: project_name, project_name: project_name,
password: placement_password, password: placement_password,
connection_params: connection_params connection_params: connection_params
@ -112,16 +113,6 @@ describe 'openstack-compute::identity_registration' do
context 'grants user roles' do context 'grants user roles' do
[service_user, placement_service_user].each do |user_name| [service_user, placement_service_user].each do |user_name|
it do
expect(chef_run).to grant_domain_openstack_user(
user_name
).with(
domain_name: domain_name,
role_name: role_name,
connection_params: connection_params
)
end
it do it do
expect(chef_run).to grant_role_openstack_user( expect(chef_run).to grant_role_openstack_user(
user_name user_name