From a375c5418633f8b15c7255030ecc008e20ccc806 Mon Sep 17 00:00:00 2001
From: manchandavishal <manchandavishal143@gmail.com>
Date: Wed, 12 Jan 2022 18:32:52 +0530
Subject: [PATCH] Update default value of OPENSTACK_KEYSTONE_DEFAULT_ROLE

This patch update default value of OPENSTACK_KEYSTONE_DEFAULT_ROLE
to 'member' from '_member_'. If a user tries to create a new project now
it leads to "Could not find default role "_member_" in Keystone" error.

Also long time ago keystone-bootstrap changed the default member role
that is created to member from the legacy _member_ role. Any deployments
that might still be using _member_ should set this explicitly.

Closes-Bug: #1957173
Change-Id: I1fc7f44326b82ceb303f8d663ff0b42f0bdf7855
---
 doc/source/configuration/settings.rst                |  7 ++++++-
 .../contributor/topics/ini-based-configuration.rst   |  2 +-
 .../dashboards/identity/projects/tests.py            | 12 ++++++------
 openstack_dashboard/defaults.py                      |  2 +-
 ...hange-keystone-default-role-3f95b6af11aed63b.yaml |  5 +++++
 5 files changed, 19 insertions(+), 9 deletions(-)
 create mode 100644 releasenotes/notes/change-keystone-default-role-3f95b6af11aed63b.yaml

diff --git a/doc/source/configuration/settings.rst b/doc/source/configuration/settings.rst
index ebad4967de..f3ae6ad5f8 100644
--- a/doc/source/configuration/settings.rst
+++ b/doc/source/configuration/settings.rst
@@ -1405,7 +1405,12 @@ OPENSTACK_KEYSTONE_DEFAULT_ROLE
 
 .. versionadded:: 2011.3(Diablo)
 
-Default: ``"_member_"``
+.. versionchanged:: 21.0.0(Yoga)
+
+Default: ``"member"``
+
+The default value is changed from ``_member_`` to ``member`` to conform
+with what keystone-bootstrap creates.
 
 The name of the role which will be assigned to a user when added to a project.
 This value must correspond to an existing role name in Keystone. In general,
diff --git a/doc/source/contributor/topics/ini-based-configuration.rst b/doc/source/contributor/topics/ini-based-configuration.rst
index 931b169618..3bb79e0211 100644
--- a/doc/source/contributor/topics/ini-based-configuration.rst
+++ b/doc/source/contributor/topics/ini-based-configuration.rst
@@ -170,7 +170,7 @@ approach will be used in the initial effort.
 
    cfg.StrOpt(
      'default_role',
-     default='_member_',
+     default='member',
      django-setting='OPENSTACK_KEYSTONE_DEFAULT_ROLE',
      help=...
    )
diff --git a/openstack_dashboard/dashboards/identity/projects/tests.py b/openstack_dashboard/dashboards/identity/projects/tests.py
index 5a2fcfc082..873895ac4c 100644
--- a/openstack_dashboard/dashboards/identity/projects/tests.py
+++ b/openstack_dashboard/dashboards/identity/projects/tests.py
@@ -1379,13 +1379,13 @@ class DetailProjectViewTests(test.BaseAdminViewTests):
         # Check the content of the table
         users_expected = {
             '1': {'roles': ['admin'],
-                  'roles_from_groups': [('_member_', 'group_one'), ], },
-            '2': {'roles': ['_member_'],
+                  'roles_from_groups': [('member', 'group_one'), ], },
+            '2': {'roles': ['member'],
                   'roles_from_groups': [], },
-            '3': {'roles': ['_member_'],
-                  'roles_from_groups': [('_member_', 'group_one'), ], },
+            '3': {'roles': ['member'],
+                  'roles_from_groups': [('member', 'group_one'), ], },
             '4': {'roles': [],
-                  'roles_from_groups': [('_member_', 'group_one'), ], }
+                  'roles_from_groups': [('member', 'group_one'), ], }
         }
 
         users_id_observed = [user.id for user in
@@ -1490,7 +1490,7 @@ class DetailProjectViewTests(test.BaseAdminViewTests):
                                 "horizon/common/_detail_table.html")
 
         # Check the table content
-        groups_expected = {'1': ["_member_"], }
+        groups_expected = {'1': ["member"], }
         groups_id_observed = [group.id for group in
                               res.context["groupstable_table"].data]
 
diff --git a/openstack_dashboard/defaults.py b/openstack_dashboard/defaults.py
index 693395b982..93e188dc12 100644
--- a/openstack_dashboard/defaults.py
+++ b/openstack_dashboard/defaults.py
@@ -381,7 +381,7 @@ OPENSTACK_CINDER_FEATURES = {
 #    "cloud_admin": "rule:admin_required and domain_id:<your domain id>"
 # This value must be the name of the domain whose ID is specified there.
 OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default'
-OPENSTACK_KEYSTONE_DEFAULT_ROLE = '_member_'
+OPENSTACK_KEYSTONE_DEFAULT_ROLE = 'member'
 # The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the
 # capabilities of the auth backend for Keystone.
 # If Keystone has been configured to use LDAP as the auth backend then set
diff --git a/releasenotes/notes/change-keystone-default-role-3f95b6af11aed63b.yaml b/releasenotes/notes/change-keystone-default-role-3f95b6af11aed63b.yaml
new file mode 100644
index 0000000000..64d96c27a5
--- /dev/null
+++ b/releasenotes/notes/change-keystone-default-role-3f95b6af11aed63b.yaml
@@ -0,0 +1,5 @@
+---
+upgrade:
+  - |
+    The default value of OPENSTACK_KEYSTONE_DEFAULT_ROLE is changed from
+    _member_ to member to conform with what keystone-bootstrap creates.