From 8d5195fdf26b3a3fe6214cf4cdab762b69dd1b23 Mon Sep 17 00:00:00 2001
From: Arx Cruz
Date: Mon, 30 May 2022 11:46:14 +0200
Subject: [PATCH] Update role_assignment to use proxy
Updating role_assignment module to use the new openstacksdk
Change-Id: I09258e18d50acb57501ea1b47d9422dad857607e
---
 .zuul.yaml | 1 +
 ci/roles/role_assignment/tasks/main.yml | 47 +++++++++++++++++++++++++
 ci/run-collection.yml | 1 +
 plugins/modules/role_assignment.py | 36 ++++++++-----------
 4 files changed, 63 insertions(+), 22 deletions(-)
 create mode 100644 ci/roles/role_assignment/tasks/main.yml
diff --git a/.zuul.yaml b/.zuul.yaml
index 2ad67083..53a0ad32 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -94,6 +94,7 @@
 port
 project
 recordset
+ role_assignment
 security_group
 subnet_pool
 user
diff --git a/ci/roles/role_assignment/tasks/main.yml b/ci/roles/role_assignment/tasks/main.yml
new file mode 100644
index 00000000..7f1e4201
--- /dev/null
+++ b/ci/roles/role_assignment/tasks/main.yml
@@ -0,0 +1,47 @@
+---
+- name: Create project
+ openstack.cloud.project:
+ cloud: "{{ cloud }}"
+ state: present
+ name: ansible_project
+ description: dummy description
+ domain_id: default
+ enabled: True
+ register: project
+
+- name: Grant an admin role on the user admin in the project ansible_project
+ openstack.cloud.role_assignment:
+ cloud: "{{ cloud }}"
+ domain: default
+ project: ansible_project
+ role: admin
+ user: admin
+
+- name: Grant an admin role on the user admin in the project ansible_project again
+ openstack.cloud.role_assignment:
+ cloud: "{{ cloud }}"
+ domain: default
+ project: ansible_project
+ role: admin
+ user: admin
+ register: grant_again
+
+- name: Ensure grant again doesn't change anything
+ assert:
+ that:
+ - not grant_again.changed
+
+- name: Revoke the admin role on the user admin in the project ansible_project
+ openstack.cloud.role_assignment:
+ cloud: "{{ cloud }}"
+ domain: default
+ project: ansible_project
+ role: admin
+ state: absent
+ user: admin
+
+- name: Delete project
+ openstack.cloud.project:
+ cloud: "{{ cloud }}"
+ state: absent
+ name: ansible_project
diff --git a/ci/run-collection.yml b/ci/run-collection.yml
index 87009600..d30d28e0 100644
--- a/ci/run-collection.yml
+++ b/ci/run-collection.yml
@@ -51,6 +51,7 @@
 - { role: port, tags: port }
 - { role: project, tags: project }
 - { role: recordset, tags: recordset }
+ - { role: role_assignment, tags: role_assignment }
 - { role: router, tags: router }
 - { role: security_group, tags: security_group }
 - { role: server, tags: server }
diff --git a/plugins/modules/role_assignment.py b/plugins/modules/role_assignment.py
index 172add83..21c514c6 100644
--- a/plugins/modules/role_assignment.py
+++ b/plugins/modules/role_assignment.py
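Review bot: The revoke task in ci/roles/role_assignment/tasks/main.yml is never checked, so a revoke that silently does nothing would leave the admin role on ansible_project and this role would still pass. Register the result and assert it, for example `register: revoke` on the revoke task followed by an assert with `- revoke.changed`, then repeat the revoke and assert `- not revoke_again.changed`. Every task here also passes both `domain` and `project`, so a domain-only assignment (no `project`) is not exercised, and that is the scope whose filter handling changes in plugins/modules/role_assignment.py in this same commit.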
@@ -130,47 +130,33 @@ class IdentityRoleAssignmentModule(OpenStackModule): state = self.params.get('state') filters = {} + find_filters = {} domain_id = None - r = self.conn.get_role(role) + r = self.conn.identity.find_role(role) if r is None: self.fail_json(msg="Role %s is not valid" % role) filters['role'] = r['id'] if domain: - d = self.conn.get_domain(name_or_id=domain) + d = self.conn.identity.find_domain(domain) if d is None: self.fail_json(msg="Domain %s is not valid" % domain) - filters['domain'] = d['id'] domain_id = d['id'] + find_filters['domain_id'] = domain_id if user: - if domain: - u = self.conn.get_user(user, domain_id=filters['domain']) - else: - u = self.conn.get_user(user) - + u = self.conn.identity.find_user(user, **find_filters) if u is None: self.fail_json(msg="User %s is not valid" % user) filters['user'] = u['id'] + if group: - if domain: - g = self.conn.get_group(group, domain_id=filters['domain']) - else: - g = self.conn.get_group(group) + g = self.conn.identity.find_group(group, **find_filters) if g is None: self.fail_json(msg="Group %s is not valid" % group) filters['group'] = g['id'] if project: - if domain: - p = self.conn.get_project(project, domain_id=filters['domain']) - # OpenStack won't allow us to use both a domain and project as - # filter. Once we identified the project (using the domain as - # a filter criteria), we need to remove the domain itself from - # the filters list. - domain_id = filters.pop('domain') - else: - p = self.conn.get_project(project) - + p = self.conn.identity.find_project(project, **find_filters) if p is None: self.fail_json(msg="Project %s is not valid" % project) filters['project'] = p['id'] 
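Review bot: With `filters['domain'] = d['id']` removed and nothing put in its place, the resolved domain now only narrows the find_user/find_group/find_project lookups and never reaches `filters`, so a domain-scoped request (domain given, no project) queries role assignments by role and user/group alone. If list_role_assignments matches on the keys in `filters`, as the old code implies, an assignment of the same role on any other scope would make the later `if not assignment:` check skip the grant while the module reports no change, and the absent path may attempt a revoke for a scope where nothing is assigned. The old code kept the domain key unless a project was given; that can be restored after the project block with `if domain_id and not project:` followed by `filters['domain'] = domain_id`. The method starts and ends outside this hunk, so the revoke branch is not visible here and should be checked against the same case.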
@@ -179,6 +165,9 @@ class IdentityRoleAssignmentModule(OpenStackModule): # fail if the system role name is not valid filters['system'] = system + # Keeping the self.conn.list_role_assignments because it calls directly + # the identity.role_assignments and there are some logics for the + # filters that won't worth rewrite here. assignment = self.conn.list_role_assignments(filters=filters) if self.ansible.check_mode: @@ -186,6 +175,9 @@ class IdentityRoleAssignmentModule(OpenStackModule): changed = False + # Both grant_role and revoke_role calls directly the proxy layer, and + # has some logic that won't worth to rewrite here so keeping it is a + # good idea if state == 'present': if not assignment: kwargs = self._build_kwargs(user, group, project, domain_id, system)
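Review bot: The two added comments are hard to parse ("there are some logics for the filters that won't worth rewrite here", "has some logic that won't worth to rewrite here so keeping it is a good idea") and do not tell a maintainer what must be preserved. Suggested wording for the first: `# Keep conn.list_role_assignments(): it calls identity.role_assignments directly and its filter handling is not worth duplicating here.` For the second, in the @@ -186,6 +175,9 @@ hunk: `# grant_role and revoke_role call the proxy layer directly; their logic is not worth rewriting here, so they are kept.` Both hunks sit inside a method whose start and end are outside the visible lines.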