From c678df66d61936b2ada17eb7207ddbdf84baf28a Mon Sep 17 00:00:00 2001
From: Roger Luethi <rl@patchworkscience.org>
Date: Thu, 9 Nov 2017 13:56:56 +0100
Subject: [PATCH] Remove domain role from neutron service user

This patch removes the openstack_user resource with :grant_domain
action. A user is always created within a specific domain; such a
membership cannot be tacked on later. This resource gave the user the
role intended for their project for the domain (i.e., for the Default
domain instead of for the service project).

We add the domain_name attribute that creates the neutron user in the
desired domain. Note that this change needs a sufficiently recent
openstackclient cookbook -- otherwise the domain_name attribute is
ignored (which does not matter as long as the neutron user is to be
created in the Default domain).

Change-Id: I4b67565c9408c758acefc681dd756a1dca836ec3
---
 recipes/identity_registration.rb   |  8 +-------
 spec/identity_registration_spec.rb | 11 +----------
 2 files changed, 2 insertions(+), 17 deletions(-)

diff --git a/recipes/identity_registration.rb b/recipes/identity_registration.rb
index 448041a3..54ce4900 100644
--- a/recipes/identity_registration.rb
+++ b/recipes/identity_registration.rb
@@ -86,6 +86,7 @@ end
 # Register Service User
 openstack_user service_user do
   project_name service_tenant_name
+  domain_name service_domain_name
   password service_pass
   connection_params connection_params
 end
@@ -97,10 +98,3 @@ openstack_user service_user do
   connection_params connection_params
   action :grant_role
 end
-
-openstack_user service_user do
-  domain_name service_domain_name
-  role_name service_role
-  connection_params connection_params
-  action :grant_domain
-end
diff --git a/spec/identity_registration_spec.rb b/spec/identity_registration_spec.rb
index a9b2e832..a8296d22 100644
--- a/spec/identity_registration_spec.rb
+++ b/spec/identity_registration_spec.rb
@@ -67,22 +67,13 @@ describe 'openstack-network::identity_registration' do
       expect(chef_run).to create_openstack_user(
         service_user
       ).with(
+        domain_name: domain_name,
         project_name: project_name,
         password: password,
         connection_params: connection_params
       )
     end
 
-    it do
-      expect(chef_run).to grant_domain_openstack_user(
-        service_user
-      ).with(
-        domain_name: domain_name,
-        role_name: role_name,
-        connection_params: connection_params
-      )
-    end
-
     it do
       expect(chef_run).to grant_role_openstack_user(
         service_user