From 4599fd174c0c10f3a7e51ad6cba5d4c74abac207 Mon Sep 17 00:00:00 2001
From: Steve Martinelli
Date: Thu, 12 Mar 2015 21:30:58 -0400
Subject: [PATCH] Add roles when we create groups
We should prime the groups that were created with some roles on projects. Eventually we can add users directly to the groups and not have to resort to individual user assignments.
Change-Id: Icebafc06859f8879c584cfd67aa51cb0c9ce48af
---
 functions-common | 21 +++++++++++++++++++++
 lib/keystone | 16 ++++++++++++++--
 2 files changed, 35 insertions(+), 2 deletions(-)
diff --git a/functions-common b/functions-common
index 4739e42e90..67697671d3 100644
--- a/functions-common
+++ b/functions-common
@@ -728,6 +728,27 @@ function get_or_add_user_project_role {
 echo $user_role_id
 }
+# Gets or adds group role to project
+# Usage: get_or_add_group_project_role
+function get_or_add_group_project_role {
+ # Gets group role id
+ local group_role_id=$(openstack role list \
+ --group $2 \
+ --project $3 \
+ --column "ID" \
+ --column "Name" \
+ | grep " $1 " | get_field 1)
+ if [[ -z "$group_role_id" ]]; then
+ # Adds role to group
+ group_role_id=$(openstack role add \
+ $1 \
+ --group $2 \
+ --project $3 \
+ | grep " id " | get_field 2)
+ fi
+ echo $group_role_id
+}
+
 # Gets or creates service
 # Usage: get_or_create_service
 function get_or_create_service {
diff --git a/lib/keystone b/lib/keystone
index c9433d98fe..acc8c2c9d0 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -362,6 +362,12 @@ function configure_keystone_extensions {
 # demo demo Member, anotherrole
 # invisible_to_admin demo Member
+# Group Users Roles Tenant
+# ------------------------------------------------------------------
+# admins admin admin admin
+# nonadmin demo Member, anotherrole demo
+
+
 # Migrated from keystone_data.sh
 function create_keystone_accounts {
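Review bot: The positional parameters in get_or_add_group_project_role are expanded unquoted (`--group $2`, `--project $3`, and `$1` in the `role add` call), so an empty or whitespace-containing value shifts the remaining arguments and the role is looked up or granted against something other than what the caller named. Quote them, e.g. `--group "$2" \` and `--project "$3" \`. The existence check `grep " $1 "` also treats the role name as a regular expression and can match in either the ID or the Name column; `grep -F " $1 "` keeps it a literal comparison, so a near-miss row is not mistaken for an existing assignment and the grant silently skipped. The style presumably mirrors get_or_add_user_project_role, whose body lies above the hunk and is not visible here.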
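Review bot: The new comment table does not match what the patch creates: it names the group `nonadmin`, while the later hunk in this file creates `nonadmins`, and its Users column lists `admin` and `demo` although no visible line adds any user to either group (the commit message defers that). Because this table is what a reader consults to see which principals hold `admin` on the admin tenant, I would correct the name and mark the groups as empty for now, e.g. `# nonadmins (none yet) Member, anotherrole demo` and the same Users value on the `admins` row. The comment block starts above the hunk, so its earlier rows are not visible here.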
@@ -403,8 +409,14 @@ function create_keystone_accounts {
 get_or_add_user_project_role $another_role $demo_user $demo_tenant
 get_or_add_user_project_role $member_role $demo_user $invis_tenant
- get_or_create_group "developers" "default" "openstack developers"
- get_or_create_group "testers" "default"
+ local admin_group=$(get_or_create_group "admins" \
+ "default" "openstack admin group")
+ local non_admin_group=$(get_or_create_group "nonadmins" \
+ "default" "non-admin group")
+
+ get_or_add_group_project_role $member_role $non_admin_group $demo_tenant
+ get_or_add_group_project_role $another_role $non_admin_group $demo_tenant
+ get_or_add_group_project_role $admin_role $admin_group $admin_tenant
 # Keystone
 if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
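Review bot: Nothing checks that `get_or_create_group` returned an ID before it is used: `local admin_group=$(...)` reports the exit status of `local`, not of the command substitution, so a failed call leaves the variable empty and the three `get_or_add_group_project_role` calls run with a missing group argument. For the `$admin_role` grant on `$admin_tenant` in particular the failure should stop the run rather than produce a malformed CLI call. Declare and assign separately and guard the result, e.g. `local admin_group` then `admin_group=$(get_or_create_group "admins" "default" "openstack admin group")` then `[[ -n "$admin_group" ]] || return 1`, and the same for `non_admin_group`. create_keystone_accounts starts and ends outside this hunk, so whether errexit or another guard is active here cannot be seen.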