From dfd408a73d14ca2e8b8785d685b7d88a0739c71d Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles
Date: Thu, 17 Jan 2019 14:17:36 +0200
Subject: [PATCH] Create barbican's creator role by default

Barbican has a very specific set of keystone roles that it uses in order to properly enforce RBAC. One of them (and the most important) is the creator role. Which you'll assign to your users in order to allow them to create and retrieve secrets (the other role that can do this is admin... but we don't want to rely on this). For usability, lets create this role automatically as part of the TripleO installation.

Closes-Bug: #1812209
Change-Id: I9d5f912684a0987a6bdf244321215bd5595a0fa0
---
manifests/profile/base/keystone.pp | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp
index cc565319c..cd86fc216 100644
--- a/manifests/profile/base/keystone.pp
+++ b/manifests/profile/base/keystone.pp
@@ -319,6 +319,12 @@ class tripleo::profile::base::keystone (
 class { '::keystone::roles::admin':
 admin_roles => $admin_roles,
 }
+
+ if hiera('barbican_api_enabled', false) {
+ keystone_role { 'creator':
+ ensure => present
+ }
+ }
 }
 
 if $step == 3 and $manage_endpoint {
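Review bot: The added `if hiera('barbican_api_enabled', false)` looks up Hiera inline in the class body, so the toggle is not documented in the class header and is harder to override in spec tests; consider a class parameter such as `$barbican_api_enabled = hiera('barbican_api_enabled', false)` and testing `if $barbican_api_enabled` here (the parameter list is outside this hunk, so check that an equivalent does not already exist). `ensure => present` is also missing the trailing comma that puppet-lint expects. Because `creator` is an authorization role that, per the commit message, lets its holders create and retrieve Barbican secrets, a one-line comment such as `# Role is only created here, never assigned; grant it per project rather than relying on admin.` would make the intent clear to operators. The enclosing conditional opens before the hunk, so the step and node on which this resource is applied cannot be confirmed from the visible lines.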