openstack/openstack-ansible-os_keystone
Code Issues Proposed changes

Stop reffering _member_ role

Browse Source 
Keystone has stopped providing or reffering `_member_` role for a while,
thus role should not be refferenced anymore.

Moreover, with 2023.1 service policies have dropped `_member_`
which resulted in the role to be insufficient for basic operations.

Change-Id: I5732f9197902fccb96eb8537050849a1692d3725
Related-Bug: #2029486
This commit is contained in:
Dmitriy Rabotyagov 2023-08-15 13:18:45 +02:00
parent eea1a4853f
commit 9ca29f5754
4 changed files with 14 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
defaults/main.yml
View File

@ -448,7 +448,7 @@ keystone_sp: {}
# - domain: default # - domain: default
# project: fedproject # project: fedproject
# group: fedgroup # group: fedgroup
# role: _member_ # role: member
# protocols: # protocols:
# - name: saml2 # - name: saml2
# mapping: # mapping:
@ -485,7 +485,7 @@ keystone_sp: {}
# - domain: default # - domain: default
# project: fedproject # project: fedproject
# group: fedgroup # group: fedgroup
# role: _member_ # role: member
# protocols: # protocols:
# - name: saml2 # - name: saml2
# mapping: # mapping:
@ -511,7 +511,7 @@ keystone_sp: {}
# - domain: default # - domain: default
# project: fedproject # project: fedproject
# group: fedgroup # group: fedgroup
# role: _member_ # role: member
# protocols: # protocols:
# - name: saml2 # - name: saml2
# mapping: # mapping:
@ -550,7 +550,7 @@ keystone_sp: {}
# - domain: default # - domain: default
# project: fedproject # project: fedproject
# group: fedgroup # group: fedgroup
# role: _member_ # role: member
# protocols: # protocols:
# - name: openid # - name: openid
# mapping: # mapping:

10
doc/source/configure-federation-mapping.rst
View File

@ -14,7 +14,7 @@ of federated_identities is not required.
- domain: default - domain: default
project: fedproject project: fedproject
group: fedgroup group: fedgroup
role: _member_ role: member
#. ``project``: The project that federation users have access to. #. ``project``: The project that federation users have access to.
If the project does not already exist, create it in the If the project does not already exist, create it in the
@ -42,13 +42,13 @@ Ansible implements the equivalent of the following OpenStack CLI commands:
openstack group create fedgroup --domain Default openstack group create fedgroup --domain Default
# if the role does not already exist # if the role does not already exist
openstack role create _member_ openstack role create member
# if the project does not already exist # if the project does not already exist
openstack project create --domain default fedproject openstack project create --domain default fedproject
# map the role to the project and user group in the domain # map the role to the project and user group in the domain
openstack role add --project fedproject --group fedgroup _member_ openstack role add --project fedproject --group fedgroup member
To extend simply add more entries to the list. To extend simply add more entries to the list.
For example: For example:
@ -59,11 +59,11 @@ For example:
- domain: default - domain: default
project: fedproject project: fedproject
group: fedgroup group: fedgroup
role: _member_ role: member
- domain: default - domain: default
project: fedproject2 project: fedproject2
group: fedgroup2 group: fedgroup2
role: _member_ role: member
Keystone federation attribute mapping Keystone federation attribute mapping
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

6
doc/source/configure-federation-sp.rst
View File

@ -145,7 +145,7 @@ service provider to an IDP using Shibboleth with CADF notifications on.
- domain: default - domain: default
project: fedproject project: fedproject
group: fedgroup group: fedgroup
role: _member_ role: member
protocols: protocols:
- name: saml2 - name: saml2
mapping: mapping:
@ -259,7 +259,7 @@ multiple clouds.
- domain: default - domain: default
project: fedproject project: fedproject
group: fedgroup group: fedgroup
role: _member_ role: member
protocols: protocols:
- name: saml2 - name: saml2
mapping: mapping:
@ -380,7 +380,7 @@ service provider to an IDP using mod_auth_openidc with CADF notifications on.
- domain: default - domain: default
project: fedproject project: fedproject
group: fedgroup group: fedgroup
role: _member_ role: member
protocols: protocols:
- name: openid - name: openid
mapping: mapping:

4
tasks/keystone_federation_sp_idp_setup.yml
View File

@ -74,7 +74,7 @@
openstack.cloud.identity_role: openstack.cloud.identity_role:
cloud: default cloud: default
state: present state: present
name: "{{ item.role | default('_member_') }}" name: "{{ item.role | default('member') }}"
interface: admin interface: admin
verify: "{{ keystone_service_adminuri_insecure }}" verify: "{{ keystone_service_adminuri_insecure }}"
with_items: "{{ trusted_idp.federated_identities | default([]) }}" with_items: "{{ trusted_idp.federated_identities | default([]) }}"
@ -89,7 +89,7 @@
state: present state: present
group: "{{ item.group }}" group: "{{ item.group }}"
project: "{{ item.project }}" project: "{{ item.project }}"
role: "{{ item.role | default('_member_') }}" role: "{{ item.role | default('member') }}"
interface: admin interface: admin
verify: "{{ keystone_service_adminuri_insecure }}" verify: "{{ keystone_service_adminuri_insecure }}"
with_items: "{{ trusted_idp.federated_identities | default([]) }}" with_items: "{{ trusted_idp.federated_identities | default([]) }}"