Use keystone library for heat_stack_domain_admin

The keystone library has been updated to support adding a user to a domain and assigning a role without specifying a project. Use it instead of shelling out to the openstackclient. Closes-Bug: 1579612 Depends-On: I6a132e5407c9881a047037b85bd6e25b85c0d8a1 Change-Id: I2659f0496528c29e036c459494a463182e69599d
openstack · May 11, 2016 · b45b74e · b45b74e
1 parent 47088f7
commit b45b74e
Showing 1 changed file with 29 additions and 34 deletions.
diff --git a/tasks/heat_domain_setup.yml b/tasks/heat_domain_setup.yml
@@ -58,47 +58,42 @@
     - heat-domain-setup
     - heat-config
 
-# TODO Change the keystone library to support adding
-# a user to a domain without specifying a project
 - name: Ensure heat user
-  shell: |
-    . {{ ansible_env.HOME }}/openrc
-    {{ heat_bin }}/openstack {{ keystone_service_adminuri_insecure | bool | ternary('--insecure','') }}\
-              --os-identity-api-version=3 \
-              --os-auth-url={{ keystone_service_adminurl }} \
-              --os-project-name={{ heat_project_name }} \
-              --os-project-domain-name={{ heat_project_domain_name }} \
-              --os-user-domain-name={{ heat_user_domain_name }} \
-              user \
-              create \
-              --or-show \
-              --domain {{ heat_stack_user_domain_name }} \
-              --password {{ heat_stack_domain_admin_password }} \
-              "{{ heat_stack_domain_admin }}"
+  keystone:
+    command: "ensure_user"
+    endpoint: "{{ keystone_service_adminurl }}"
+    login_user: "{{ keystone_admin_user_name }}"
+    login_password: "{{ keystone_auth_admin_password }}"
+    login_project_name: "{{ keystone_admin_tenant_name }}"
+    user_name: "{{ heat_stack_domain_admin }}"
+    domain_name: "{{ heat_stack_user_domain_name }}"
+    password: "{{ heat_stack_domain_admin_password }}"
+    insecure: "{{ keystone_service_adminuri_insecure }}"
+  register: add_service
+  until: add_service|success
+  retries: 5
+  delay: 10
   tags:
     - heat-domain
     - heat-domain-setup
     - heat-config
     - heat-command-bin
 
-
-# TODO Change the keystone library to support adding
-# a role to a user without specifying a project
-- name: Assign admin role to heat domain admin user
-  shell: |
-    . {{ ansible_env.HOME }}/openrc
-    {{ heat_bin }}/openstack {{ keystone_service_adminuri_insecure | bool | ternary('--insecure','') }}\
-              --os-identity-api-version=3 \
-              --os-auth-url={{ keystone_service_adminurl }} \
-              --os-project-name={{ heat_project_name }} \
-              --os-project-domain-name={{ heat_project_domain_name }} \
-              --os-user-domain-name={{ heat_user_domain_name }} \
-              role \
-              add \
-              --user {{ heat_stack_domain_admin }} \
-              --domain {{ heat_stack_user_domain_name }} \
-              --user-domain {{ heat_stack_user_domain_name }} \
-              admin
+- name: Ensure heat role
+  keystone:
+    command: "ensure_user_role"
+    endpoint: "{{ keystone_service_adminurl }}"
+    login_user: "{{ keystone_admin_user_name }}"
+    login_password: "{{ keystone_auth_admin_password }}"
+    login_project_name: "{{ keystone_admin_tenant_name }}"
+    user_name: "{{ heat_stack_domain_admin }}"
+    role_name: "admin"
+    domain_name: "{{ heat_stack_user_domain_name }}"
+    insecure: "{{ keystone_service_adminuri_insecure }}"
+  register: add_service
+  until: add_service|success
+  retries: 5
+  delay: 10
   tags:
     - heat-domain
     - heat-domain-setup