mirror of
https://opendev.org/openstack/ansible-collections-openstack.git
synced 2026-03-26 21:43:02 +00:00
437438e33c
The role_assignment module always looks up the user, group and project so to support cross-domain assignments we should add extra parameters like OSC to look them up from the correct domains. Switch to using the service proxy interface to grant or revoke the roles as well. Partial-Bug: #2052448 Partial-Bug: #2047151 Partial-Bug: #2097203 Change-Id: Id023cb9e7017c749bc39bba2091921154a413723
215 lines
5.1 KiB
YAML
215 lines
5.1 KiB
YAML
---
|
|
- name: Create project
|
|
openstack.cloud.project:
|
|
cloud: "{{ cloud }}"
|
|
state: present
|
|
name: ansible_project
|
|
description: dummy description
|
|
domain: default
|
|
is_enabled: True
|
|
|
|
- name: Grant an admin role on the user admin in the project ansible_project
|
|
openstack.cloud.role_assignment:
|
|
cloud: "{{ cloud }}"
|
|
domain: default
|
|
project: ansible_project
|
|
role: admin
|
|
user: admin
|
|
register: role_assignment
|
|
|
|
- name: Assert role assignment
|
|
assert:
|
|
that:
|
|
- role_assignment is changed
|
|
|
|
- name: Grant an admin role on the user admin in the project ansible_project again
|
|
openstack.cloud.role_assignment:
|
|
cloud: "{{ cloud }}"
|
|
domain: default
|
|
project: ansible_project
|
|
role: admin
|
|
user: admin
|
|
register: role_assignment
|
|
|
|
- name: Ensure grant again did not change anything
|
|
assert:
|
|
that:
|
|
- role_assignment is not changed
|
|
|
|
- name: Revoke the admin role on the user admin in the project ansible_project
|
|
openstack.cloud.role_assignment:
|
|
cloud: "{{ cloud }}"
|
|
domain: default
|
|
project: ansible_project
|
|
role: admin
|
|
state: absent
|
|
user: admin
|
|
|
|
- name: Create domain
|
|
openstack.cloud.identity_domain:
|
|
cloud: "{{ cloud }}"
|
|
state: present
|
|
name: ansible_domain
|
|
register: domain
|
|
|
|
- name: Create group in default domain
|
|
openstack.cloud.identity_group:
|
|
cloud: "{{ cloud }}"
|
|
state: present
|
|
name: ansible_group
|
|
domain_id: default
|
|
|
|
- name: Create group in specific domain
|
|
openstack.cloud.identity_group:
|
|
cloud: "{{ cloud }}"
|
|
state: present
|
|
name: ansible_group
|
|
domain_id: "{{ domain.domain.id }}"
|
|
|
|
- name: Create user in default domain
|
|
openstack.cloud.identity_user:
|
|
cloud: "{{ cloud }}"
|
|
state: present
|
|
name: ansible_user
|
|
domain: default
|
|
register: specific_user
|
|
|
|
- name: Create user in specific domain
|
|
openstack.cloud.identity_user:
|
|
cloud: "{{ cloud }}"
|
|
state: present
|
|
name: ansible_user
|
|
domain: "{{ domain.domain.id }}"
|
|
|
|
- name: Assign role to group in default domain
|
|
openstack.cloud.role_assignment:
|
|
cloud: "{{ cloud }}"
|
|
role: anotherrole
|
|
group: ansible_group
|
|
domain: default
|
|
register: role_assignment
|
|
|
|
- name: Assert role assignment
|
|
assert:
|
|
that:
|
|
- role_assignment is changed
|
|
|
|
- name: Assign role to group in specific domain
|
|
openstack.cloud.role_assignment:
|
|
cloud: "{{ cloud }}"
|
|
role: anotherrole
|
|
group: ansible_group
|
|
domain: "{{ domain.domain.id }}"
|
|
register: role_assignment
|
|
|
|
- name: Assert role assignment
|
|
assert:
|
|
that:
|
|
- role_assignment is changed
|
|
|
|
- name: Assign role to user in default domain
|
|
openstack.cloud.role_assignment:
|
|
cloud: "{{ cloud }}"
|
|
role: anotherrole
|
|
user: ansible_user
|
|
domain: default
|
|
register: role_assignment
|
|
|
|
- name: Assert role assignment
|
|
assert:
|
|
that:
|
|
- role_assignment is changed
|
|
|
|
- name: Assign role to user in specific domain
|
|
openstack.cloud.role_assignment:
|
|
cloud: "{{ cloud }}"
|
|
role: anotherrole
|
|
user: ansible_user
|
|
domain: "{{ domain.domain.id }}"
|
|
register: role_assignment
|
|
|
|
- name: Assert role assignment
|
|
assert:
|
|
that:
|
|
- role_assignment is changed
|
|
|
|
- name: Assign role to user in specific domain on default domain project
|
|
openstack.cloud.role_assignment:
|
|
cloud: "{{ cloud }}"
|
|
role: anotherrole
|
|
user: "{{ specific_user.user.id }}"
|
|
domain: default
|
|
project: ansible_project
|
|
register: role_assignment
|
|
|
|
- name: Assert role assignment
|
|
assert:
|
|
that:
|
|
- role_assignment is changed
|
|
|
|
- name: Revoke role to user in specific domain
|
|
openstack.cloud.role_assignment:
|
|
cloud: "{{ cloud }}"
|
|
role: anotherrole
|
|
user: "{{ specific_user.user.id }}"
|
|
domain: default
|
|
project: ansible_project
|
|
state: absent
|
|
register: role_assignment
|
|
|
|
- name: Assert role assignment revoked
|
|
assert:
|
|
that:
|
|
- role_assignment is changed
|
|
|
|
- name: Assign role to user in specific domain on default domain project
|
|
openstack.cloud.role_assignment:
|
|
cloud: "{{ cloud }}"
|
|
role: anotherrole
|
|
user: ansible_user
|
|
user_domain: "{{ specific_user.user.domain_id }}"
|
|
project: ansible_project
|
|
project_domain: default
|
|
register: role_assignment
|
|
|
|
- name: Delete group in default domain
|
|
openstack.cloud.identity_group:
|
|
cloud: "{{ cloud }}"
|
|
state: absent
|
|
name: ansible_group
|
|
domain_id: default
|
|
|
|
- name: Delete group in specific domain
|
|
openstack.cloud.identity_group:
|
|
cloud: "{{ cloud }}"
|
|
state: absent
|
|
name: ansible_group
|
|
domain_id: "{{ domain.domain.id }}"
|
|
|
|
- name: Delete user in default domain
|
|
openstack.cloud.identity_user:
|
|
cloud: "{{ cloud }}"
|
|
state: absent
|
|
name: ansible_user
|
|
domain: default
|
|
|
|
- name: Delete user in specific domain
|
|
openstack.cloud.identity_user:
|
|
cloud: "{{ cloud }}"
|
|
state: absent
|
|
name: ansible_user
|
|
domain: "{{ domain.domain.id }}"
|
|
|
|
- name: Delete domain
|
|
openstack.cloud.identity_domain:
|
|
cloud: "{{ cloud }}"
|
|
state: absent
|
|
name: ansible_domain
|
|
|
|
- name: Delete project
|
|
openstack.cloud.project:
|
|
cloud: "{{ cloud }}"
|
|
state: absent
|
|
name: ansible_project
|
|
|