Add properties user_domain and group_domain to heat keystone resources

Registered by Sampat Ponnaganti

Update the Heat resources below to support multiple domains:

'OS::Keystone::UserRoleAssignment': KeystoneUserRoleAssignment,
'OS::Keystone::GroupRoleAssignment': KeystoneGroupRoleAssignment

Add property user_domain to 'OS::Keystone::UserRoleAssignment':
        USER_DOMAIN: properties.Schema(
            properties.Schema.STRING,
            _('Domain of the user.'),
            update_allowed=True,
            constraints=[constraints.CustomConstraint('keystone.domain')]
        ),

Add property group_domain to 'OS::Keystone::GroupRoleAssignment':
        GROUP_DOMAIN: properties.Schema(
            properties.Schema.STRING,
            _('Domain of the group.'),
            update_allowed=True,
            constraints=[constraints.CustomConstraint('keystone.domain')]
        ),

The current resources fail when the user or group is not in the default domain.
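Why the domain has to be part of the lookup, as an added example (not Heat's code and not part of the original blueprint): Keystone user and group names are unique only within their domain, so a role assignment keyed on a bare name can fail to resolve or land on a same-named principal elsewhere. The resolver, every ID, and the colliding `user1` in Default are constructed for illustration.

```python
# Added example: in-memory stand-in for Keystone lookups (no API calls).
# All IDs are constructed; the "user1" in Default is a hypothetical name
# collision that does not appear on the original page.
DOMAINS = {"Default": "default", "domain1": "d1-constructed"}
USERS = [
    {"id": "u-aaa", "name": "user1", "domain_id": "default"},
    {"id": "u-bbb", "name": "user1", "domain_id": "d1-constructed"},
    {"id": "u-ccc", "name": "user2", "domain_id": "d1-constructed"},
]


class PrincipalLookupError(LookupError):
    """A name could not be mapped to exactly one ID."""


def resolve_id(entries, name_or_id, domain=None, domains=DOMAINS):
    """Return the single ID matching name_or_id, optionally within domain."""
    domain_id = None
    if domain is not None:
        domain_id = domains.get(domain, domain)  # accept domain name or ID
        if domain_id not in domains.values():
            raise PrincipalLookupError(f"unknown domain {domain!r}")
    matches = [
        e for e in entries
        if name_or_id in (e["id"], e["name"])
        and (domain_id is None or e["domain_id"] == domain_id)
    ]
    if not matches:
        raise PrincipalLookupError(f"{name_or_id!r} not found (domain={domain!r})")
    if len(matches) > 1:
        # Names are unique per domain only: refuse to guess which one is meant.
        where = sorted(e["domain_id"] for e in matches)
        raise PrincipalLookupError(f"{name_or_id!r} is ambiguous across {where}")
    return matches[0]["id"]


def misassigned(rows, expected_user_id):
    """Return role-assignment rows whose User is not the intended principal."""
    return [r for r in rows if r["User"] != expected_user_id]


if __name__ == "__main__":
    uid = resolve_id(USERS, "user1", domain="domain1")
    rows = [  # constructed rows keyed by the column names of the listings on this page
        {"Role": "r-admin", "User": "u-bbb", "Project": "p-1", "Domain": ""},
        {"Role": "r-admin", "User": "u-aaa", "Project": "", "Domain": "d1-constructed"},
    ]
    print(uid, misassigned(rows, uid))
```
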

Sample Heat templates and Outputs

Template: user_with_domain.yaml

heat_template_version: 2014-10-16

description: template uses user_domain property

resources:
  d0e9b2f031494fb1a86e251e7d6c861c:
    properties:
      description: "Test Customer 1"
      enabled: true
      name: Test Customer 1
    type: OS::Keystone::Project

# Create the user manually beforehand: openstack user create user1 --domain domain1

  user1:
    properties:
      roles:
      - role: admin
        project: {get_resource: d0e9b2f031494fb1a86e251e7d6c861c}
      - role: admin
        domain: domain1
      user: user1
      user_domain: domain1
    type: OS::Keystone::UserRoleAssignment

outputs:
  d0e9b2f031494fb1a86e251e7d6c861c_id:
    value: {get_resource: d0e9b2f031494fb1a86e251e7d6c861c}
  user1_id:
    value: {get_resource: user1}

Template: user_with_group_domain.yaml

heat_template_version: 2014-10-16

description: template uses group_domain property

resources:
  d0e9b2f031494fb1a86e251e7d6c861c:
    properties:
      description: "Test customer 2"
      enabled: true
      name: Test customer
    type: OS::Keystone::Project

  group1:
    properties:
      description: "group1 in domain1"
      domain: domain1
      name: group1
    type: OS::Keystone::Group

  group1_role_assignments:
    properties:
      roles:
      - role: admin
        project: {get_resource: d0e9b2f031494fb1a86e251e7d6c861c}
      - role: admin
        domain: domain1
      group: {get_resource: group1}
      group_domain: domain1
    type: OS::Keystone::GroupRoleAssignment

outputs:
  d0e9b2f031494fb1a86e251e7d6c861c_id:
    value: {get_resource: d0e9b2f031494fb1a86e251e7d6c861c}
  user1_id:
    value: {get_resource: group1_role_assignments}

openstack domain create domain1
openstack user create user1 --domain domain1

openstack stack create -t ./user_with_group_domain.yaml test_group
openstack stack create -t ./user_with_domain.yaml test_user

$ heat stack-list
WARNING (shell) "heat stack-list" is deprecated, please use "openstack stack list" instead
+--------------------------------------+--------------------------+-----------------+----------------------+--------------+----------------------------------+
| id | stack_name | stack_status | creation_time | updated_time | project |
+--------------------------------------+--------------------------+-----------------+----------------------+--------------+----------------------------------+
| 9b2b7961-4eeb-4919-8e5b-d6fd8444812e | user_group_assignment_01 | CREATE_FAILED | 2019-06-05T15:48:30Z | None | b6810ade20084d12826598b5ab396171 |
| e9e5ae5f-f359-45c0-bac4-fbdfa2d9fe0f | test_group | CREATE_COMPLETE | 2019-06-06T14:19:42Z | None | b6810ade20084d12826598b5ab396171 |
| b52e23b0-ef66-4fdb-b5d3-08d77e8ae6ab | test_user | CREATE_COMPLETE | 2019-06-06T14:27:55Z | None | b6810ade20084d12826598b5ab396171 |
+--------------------------------------+--------------------------+-----------------+----------------------+--------------+----------------------------------+

$ openstack role assignment list --user user1
+----------------------------------+----------------------------------+-------+----------------------------------+----------------------------------+-----------+
| Role | User | Group | Project | Domain | Inherited |
+----------------------------------+----------------------------------+-------+----------------------------------+----------------------------------+-----------+
| 60c855ed0a2c40d5a016738716b42c26 | 88f7a33e6d9f43fdad3cb7e8324a46e5 | | b2467700158f4edbbff7bf12f8b5f6c0 | | False |
| 60c855ed0a2c40d5a016738716b42c26 | 88f7a33e6d9f43fdad3cb7e8324a46e5 | | | 2d96ecda93304b4b9fe36222f898722e | False |
+----------------------------------+----------------------------------+-------+----------------------------------+----------------------------------+-----------+

$ openstack role assignment list --group group1
+----------------------------------+------+----------------------------------+----------------------------------+----------------------------------+-----------+
| Role | User | Group | Project | Domain | Inherited |
+----------------------------------+------+----------------------------------+----------------------------------+----------------------------------+-----------+
| 60c855ed0a2c40d5a016738716b42c26 | | d92f51245b724909a53621a41a8eaceb | 5cf2b023c791484d9838cf2cd06cc3b0 | | False |
| 60c855ed0a2c40d5a016738716b42c26 | | d92f51245b724909a53621a41a8eaceb | | 2d96ecda93304b4b9fe36222f898722e | False |
+----------------------------------+------+----------------------------------+----------------------------------+----------------------------------+-----------+

$ openstack group show group1
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | group1 in domain1 |
| domain_id | 2d96ecda93304b4b9fe36222f898722e |
| id | d92f51245b724909a53621a41a8eaceb |
| name | group1 |
+-------------+----------------------------------+

$ openstack domain list
+----------------------------------+---------+---------+-----------------------------------------+
| ID | Name | Enabled | Description |
+----------------------------------+---------+---------+-----------------------------------------+
| 136677041cb64be19f43ba1ab19e4800 | heat | True | Owns users and projects created by heat |
| 2d96ecda93304b4b9fe36222f898722e | domain1 | True | |
| default | Default | True | The default domain |
+----------------------------------+---------+---------+-----------------------------------------+

Blueprint information

Status: Not started
Approver: None
Priority: Undefined
Drafter: Sampat Ponnaganti
Direction: Needs approval
Assignee: Sampat Ponnaganti
Definition: New
Series goal: None
Implementation: Not started
Milestone target: None

Whiteboard

Heat doesn't use blueprints any more, so there's no need to update this page. Just keep everything in storyboard https://storyboard.openstack.org/#!/story/2005523
