Update default value of OPENSTACK_KEYSTONE_DEFAULT_ROLE

This patch update default value of OPENSTACK_KEYSTONE_DEFAULT_ROLE
to 'member' from '_member_'. If a user tries to create a new project now
it leads to "Could not find default role "_member_" in Keystone" error.

Also long time ago keystone-bootstrap changed the default member role
that is created to member from the legacy _member_ role. Any deployments
that might still be using _member_ should set this explicitly.

Closes-Bug: #1957173
Change-Id: I1fc7f44326b82ceb303f8d663ff0b42f0bdf7855

doc/source/configuration/settings.rst

@@ -1405,7 +1405,12 @@ OPENSTACK_KEYSTONE_DEFAULT_ROLE
 
 .. versionadded:: 2011.3(Diablo)
 
-Default: ``"_member_"``
+.. versionchanged:: 21.0.0(Yoga)
+
+Default: ``"member"``
+
+The default value is changed from ``_member_`` to ``member`` to conform
+with what keystone-bootstrap creates.
 
 The name of the role which will be assigned to a user when added to a project.
 This value must correspond to an existing role name in Keystone. In general,

doc/source/contributor/topics/ini-based-configuration.rst

@@ -170,7 +170,7 @@ approach will be used in the initial effort.
 
    cfg.StrOpt(
      'default_role',
-     default='_member_',
+     default='member',
      django-setting='OPENSTACK_KEYSTONE_DEFAULT_ROLE',
      help=...
    )

openstack_dashboard/dashboards/identity/projects/tests.py

@@ -1379,13 +1379,13 @@ class DetailProjectViewTests(test.BaseAdminViewTests):
         # Check the content of the table
         users_expected = {
             '1': {'roles': ['admin'],
-                  'roles_from_groups': [('_member_', 'group_one'), ], },
+                  'roles_from_groups': [('member', 'group_one'), ], },
-            '2': {'roles': ['_member_'],
+            '2': {'roles': ['member'],
                   'roles_from_groups': [], },
-            '3': {'roles': ['_member_'],
+            '3': {'roles': ['member'],
-                  'roles_from_groups': [('_member_', 'group_one'), ], },
+                  'roles_from_groups': [('member', 'group_one'), ], },
             '4': {'roles': [],
-                  'roles_from_groups': [('_member_', 'group_one'), ], }
+                  'roles_from_groups': [('member', 'group_one'), ], }
         }
 
         users_id_observed = [user.id for user in
@@ -1490,7 +1490,7 @@ class DetailProjectViewTests(test.BaseAdminViewTests):
                                 "horizon/common/_detail_table.html")
 
         # Check the table content
-        groups_expected = {'1': ["_member_"], }
+        groups_expected = {'1': ["member"], }
         groups_id_observed = [group.id for group in
                               res.context["groupstable_table"].data]
 

openstack_dashboard/defaults.py

@@ -381,7 +381,7 @@ OPENSTACK_CINDER_FEATURES = {
 #    "cloud_admin": "rule:admin_required and domain_id:<your domain id>"
 # This value must be the name of the domain whose ID is specified there.
 OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default'
-OPENSTACK_KEYSTONE_DEFAULT_ROLE = '_member_'
+OPENSTACK_KEYSTONE_DEFAULT_ROLE = 'member'
 # The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the
 # capabilities of the auth backend for Keystone.
 # If Keystone has been configured to use LDAP as the auth backend then set

releasenotes/notes/change-keystone-default-role-3f95b6af11aed63b.yaml

@@ -0,0 +1,5 @@
+---
+upgrade:
+  - |
+    The default value of OPENSTACK_KEYSTONE_DEFAULT_ROLE is changed from
+    _member_ to member to conform with what keystone-bootstrap creates.