From 7f1c7d8c5270c5d743027bae80d268418c95476f Mon Sep 17 00:00:00 2001
From: "Donovan Francesco (drifterza)"
Date: Wed, 16 Nov 2016 09:59:09 +0200
Subject: [PATCH] Adding required monasca roles so users can query the apis.

Change-Id: Id225d81b2d24b0e952ca6fb95c77d72ba189fd69
---
 defaults/main.yml | 2 ++
 tasks/monasca_service_setup.yml | 21 +++++++++++++++++++--
 templates/monasca-api.conf.j2 | 2 +-
 templates/monasca-log-api.conf.j2 | 2 +-
 4 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 5a40e82..f3a28d4 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -38,6 +38,8 @@ monasca_service_description: "OpenStack Monitoring Service (Monasca)"
 monasca_service_project_name: service
 monasca_service_role_names:
 - admin
+monasca_role_names:
+ - monasca-user
 monasca_service_region: RegionOne
 monasca_service_host: "0.0.0.0"
 monasca_bind_port: 8070
diff --git a/tasks/monasca_service_setup.yml b/tasks/monasca_service_setup.yml
index 98bd686..b54c395 100644
--- a/tasks/monasca_service_setup.yml
+++ b/tasks/monasca_service_setup.yml
@@ -77,6 +77,23 @@
 - monasca-user-add
 - monasca-setup
 
+- name: Ensure the monasca role exists
+ keystone:
+ command: "ensure_role"
+ endpoint: "{{ keystone_service_adminurl }}"
+ login_user: "{{ keystone_admin_user_name }}"
+ login_password: "{{ keystone_auth_admin_password }}"
+ login_project_name: "{{ keystone_admin_tenant_name }}"
+ user_name: "{{ monasca_service_user_name }}"
+ tenant_name: "{{ monasca_service_project_name }}"
+ role_name: "{{ item }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
+ register: ensure_monasca_roles
+ until: ensure_monasca_roles |success
+ retries: 5
+ delay: 2
+ with_items: "{{ monasca_role_names }}"
+
 - name: Ensure the monasca user has the admin role
 keystone:
 command: "ensure_user_role"
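Review bot: The new `Ensure the monasca role exists` task only creates the entries of `monasca_role_names`; nothing visible in this patch grants them to any account, because the following `ensure_user_role` task (its body continues in the next hunk) still loops over `monasca_service_role_names` alone. Since the templates in this patch add these roles to the API's default authorized list, the task should say who is expected to hold them, for example `# Creates the tenant-facing roles only; granting them to users is left to the operator.` if that is the intent. The task also passes `user_name` and `tenant_name`, which an `ensure_role` call presumably does not need; dropping them would make it clear that no assignment happens here. The Keystone admin password is passed as a module argument inside a retried loop, so unless the `keystone` module already marks `login_password` as no_log, adding `no_log: true` to the task would keep it out of retry and per-item output.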
@@ -88,8 +105,8 @@
 tenant_name: "{{ monasca_service_project_name }}"
 role_name: "{{ item }}"
 insecure: "{{ keystone_service_adminuri_insecure }}"
- register: ensure_monasca_roles
- until: ensure_monasca_roles |success
+ register: ensure_monasca_service_roles
+ until: ensure_monasca_service_roles |success
 retries: 5
 delay: 2
 with_items: "{{ monasca_service_role_names }}"
diff --git a/templates/monasca-api.conf.j2 b/templates/monasca-api.conf.j2
index 77972fd..6728f7c 100644
--- a/templates/monasca-api.conf.j2
+++ b/templates/monasca-api.conf.j2
@@ -20,7 +20,7 @@ dimension_names = monasca_api.v2.reference.metrics:DimensionNames
 notification_method_types = monasca_api.v2.reference.notificationstype:NotificationsType
 
 [security]
-default_authorized_roles = user, domainuser, domainadmin, {{ monasca_service_user_name }}
+default_authorized_roles = user, domainuser, domainadmin, {{ monasca_service_role_names | join(', ') }}, {{ monasca_role_names | join(', ') }}
 agent_authorized_roles = {{ monasca_service_user_name }}
 read_only_authorized_roles = {{ monasca_readonly_user_name }}
 delegate_authorized_roles = admin
diff --git a/templates/monasca-log-api.conf.j2 b/templates/monasca-log-api.conf.j2
index 49da5b1..a2ab64c 100644
--- a/templates/monasca-log-api.conf.j2
+++ b/templates/monasca-log-api.conf.j2
@@ -16,7 +16,7 @@ kafka_topics = log
 [roles_middleware]
 path = /v2.0/log
 path = /v3.0/logs
-default_roles = user, domainuser, domainadmin, {{ monasca_service_user_name }}
+default_roles = user, domainuser, domainadmin, {{ monasca_service_role_names | join(', ') }}, {{ monasca_role_names | join(', ') }}
 agent_roles = {{ monasca_service_user_name }}, admin
 
 [dispatcher]
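Review bot: The new `default_authorized_roles` line in templates/monasca-api.conf.j2 ties API authorization to `monasca_service_role_names`, the list of roles granted to the service account (set to `admin` in defaults/main.yml), so any role later added for that account is also accepted as a default authorized API role. That is wider than the commit message's goal of letting holders of `monasca-user` query the APIs; consider rendering only `monasca_role_names` here, or documenting the coupling next to the variable. Separately, `join(', ')` on an empty list renders nothing and leaves `domainadmin, , ` in the file, and how the consumer treats an empty role name is not visible here. Building a single list avoids that: `default_authorized_roles = {{ (['user', 'domainuser', 'domainadmin'] + monasca_role_names) | unique | join(', ') }}`. The `default_roles` line in templates/monasca-log-api.conf.j2 has the same two issues.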