Update default value of OPENSTACK_KEYSTONE_DEFAULT_ROLE

This patch update default value of OPENSTACK_KEYSTONE_DEFAULT_ROLE to 'member' from '_member_'. If a user tries to create a new project now it leads to "Could not find default role "_member_" in Keystone" error. Also long time ago keystone-bootstrap changed the default member role that is created to member from the legacy _member_ role. Any deployments that might still be using _member_ should set this explicitly. Closes-Bug: #1957173 Change-Id: I1fc7f44326b82ceb303f8d663ff0b42f0bdf7855
2022-01-12 18:32:52 +05:30 · 2022-01-12 18:32:52 +05:30 · a375c54186
parent 8fe5bbc8da
commit a375c54186
5 changed files with 19 additions and 9 deletions
--- a/doc/source/configuration/settings.rst
+++ b/doc/source/configuration/settings.rst
@ -1405,7 +1405,12 @@ OPENSTACK_KEYSTONE_DEFAULT_ROLE

 .. versionadded:: 2011.3(Diablo)

-Default: ``"_member_"``
+.. versionchanged:: 21.0.0(Yoga)
+
+Default: ``"member"``
+
+The default value is changed from ``_member_`` to ``member`` to conform
+with what keystone-bootstrap creates.

 The name of the role which will be assigned to a user when added to a project.
 This value must correspond to an existing role name in Keystone. In general,
--- a/doc/source/contributor/topics/ini-based-configuration.rst
+++ b/doc/source/contributor/topics/ini-based-configuration.rst
@ -170,7 +170,7 @@ approach will be used in the initial effort.

   cfg.StrOpt(
     'default_role',
-     default='_member_',
+     default='member',
     django-setting='OPENSTACK_KEYSTONE_DEFAULT_ROLE',
     help=...
   )
--- a/openstack_dashboard/dashboards/identity/projects/tests.py
+++ b/openstack_dashboard/dashboards/identity/projects/tests.py
@ -1379,13 +1379,13 @@ class DetailProjectViewTests(test.BaseAdminViewTests):
        # Check the content of the table
        users_expected = {
            '1': {'roles': ['admin'],
-                  'roles_from_groups': [('_member_', 'group_one'), ], },
-            '2': {'roles': ['_member_'],
+                  'roles_from_groups': [('member', 'group_one'), ], },
+            '2': {'roles': ['member'],
                  'roles_from_groups': [], },
-            '3': {'roles': ['_member_'],
-                  'roles_from_groups': [('_member_', 'group_one'), ], },
+            '3': {'roles': ['member'],
+                  'roles_from_groups': [('member', 'group_one'), ], },
            '4': {'roles': [],
-                  'roles_from_groups': [('_member_', 'group_one'), ], }
+                  'roles_from_groups': [('member', 'group_one'), ], }
        }

        users_id_observed = [user.id for user in
@ -1490,7 +1490,7 @@ class DetailProjectViewTests(test.BaseAdminViewTests):
                                "horizon/common/_detail_table.html")

        # Check the table content
-        groups_expected = {'1': ["_member_"], }
+        groups_expected = {'1': ["member"], }
        groups_id_observed = [group.id for group in
                              res.context["groupstable_table"].data]

--- a/openstack_dashboard/defaults.py
+++ b/openstack_dashboard/defaults.py
@ -381,7 +381,7 @@ OPENSTACK_CINDER_FEATURES = {
 #    "cloud_admin": "rule:admin_required and domain_id:<your domain id>"
 # This value must be the name of the domain whose ID is specified there.
 OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default'
-OPENSTACK_KEYSTONE_DEFAULT_ROLE = '_member_'
+OPENSTACK_KEYSTONE_DEFAULT_ROLE = 'member'
 # The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the
 # capabilities of the auth backend for Keystone.
 # If Keystone has been configured to use LDAP as the auth backend then set
--- a/releasenotes/notes/change-keystone-default-role-3f95b6af11aed63b.yaml
+++ b/releasenotes/notes/change-keystone-default-role-3f95b6af11aed63b.yaml
@ -0,0 +1,5 @@
+---
+upgrade:
+  - |
+    The default value of OPENSTACK_KEYSTONE_DEFAULT_ROLE is changed from
+    _member_ to member to conform with what keystone-bootstrap creates.