diff --git a/playbooks/roles/os_horizon/defaults/main.yml b/playbooks/roles/os_horizon/defaults/main.yml index df6574e1dd..8f30af0267 100644 --- a/playbooks/roles/os_horizon/defaults/main.yml +++ b/playbooks/roles/os_horizon/defaults/main.yml @@ -91,6 +91,9 @@ horizon_keystone_endpoint: "{{ keystone_service_internalurl }}" ## alternatively, you can set horizon to turn off ssl verification for Keystone horizon_ssl_no_verify: "{{ (keystone_service_adminuri_insecure | bool or keystone_service_internaluri_insecure | bool) | default(false) }}" +## The role which Horizon should use as a default for users +horizon_default_role_name: _member_ + ## Launch instance horizon_launch_instance_legacy: True horizon_launch_instance_ng: False diff --git a/playbooks/roles/os_horizon/tasks/horizon_service_setup.yml b/playbooks/roles/os_horizon/tasks/horizon_service_setup.yml new file mode 100644 index 0000000000..ee08a2cad3 --- /dev/null +++ b/playbooks/roles/os_horizon/tasks/horizon_service_setup.yml 
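Review bot: `horizon_default_role_name` defaults to the literal `_member_` independently of the `keystone_default_role_name` added in playbooks/roles/os_keystone/defaults/main.yml, so an operator who overrides one but not the other ends up with Horizon's `OPENSTACK_KEYSTONE_DEFAULT_ROLE` (templates/horizon_local_settings.py.j2) naming a role that differs from Keystone's `member_role_name`. This file already reads Keystone variables with a fallback (`horizon_ssl_no_verify` a few lines above), so the same pattern would keep the two in step by default: `horizon_default_role_name: "{{ keystone_default_role_name | default('_member_') }}"`. If the two separate literals are deliberate for role independence, the new comment should at least say that the value must match Keystone's `keystone_default_role_name`.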
@@ -0,0 +1,34 @@ +--- +# Copyright 2015, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +# Add the default user role +- name: Ensure default keystone user role + keystone: + command: "ensure_role" + token: "{{ keystone_auth_admin_token }}" + endpoint: "{{ keystone_service_adminurl }}" + role_name: "{{ horizon_default_role_name }}" + insecure: "{{ keystone_service_adminuri_insecure }}" + when: > + keystone_auth_admin_token is defined + and keystone_service_adminurl is defined + and keystone_service_adminuri_insecure is defined + register: add_member_role + until: add_member_role|success + retries: 5 + delay: 10 + tags: + - horizon-member-config diff --git a/playbooks/roles/os_horizon/tasks/main.yml b/playbooks/roles/os_horizon/tasks/main.yml index 87b0a03bd6..fe8fb2277b 100644 --- a/playbooks/roles/os_horizon/tasks/main.yml +++ b/playbooks/roles/os_horizon/tasks/main.yml @@ -28,6 +28,8 @@ - include: horizon_ssl_user_provided.yml +- include: horizon_service_setup.yml + - include: horizon_apache.yml - name: Flush handlers diff --git a/playbooks/roles/os_horizon/templates/horizon_local_settings.py.j2 b/playbooks/roles/os_horizon/templates/horizon_local_settings.py.j2 index 7835dcd29e..df6be92508 100644 --- a/playbooks/roles/os_horizon/templates/horizon_local_settings.py.j2 +++ b/playbooks/roles/os_horizon/templates/horizon_local_settings.py.j2 
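Review bot: The new task passes `keystone_auth_admin_token` as a module argument without `no_log: true`, so if any of the five retries fails the registered result, and the play output on final failure, will likely echo the module arguments including the admin token; the identical task added in playbooks/roles/os_keystone/tasks/keystone_service_setup.yml has the same gap. Adding `no_log: true` next to `register: add_member_role` masks it in both places. Separately, the `when:` guard silently skips the task whenever the token, admin URL or insecure flag is undefined, while horizon_local_settings.py.j2 still sets `OPENSTACK_KEYSTONE_DEFAULT_ROLE` to `horizon_default_role_name` unconditionally, so a skipped run leaves Horizon pointing at a role nothing in this role has ensured. If the skip is intended, a comment such as `# Skipped when Keystone admin credentials are not supplied; the role must then already exist in Keystone` would make that explicit, otherwise a `fail:` task would be clearer than a silent skip.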
@@ -168,7 +168,8 @@ OPENSTACK_HOST = "{{ horizon_keystone_host }}" OPENSTACK_KEYSTONE_URL = "{{ horizon_keystone_endpoint }}" {% endif %} -OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_" +# The default role assigned to users +OPENSTACK_KEYSTONE_DEFAULT_ROLE = "{{ horizon_default_role_name }}" {% if keystone_sp is defined %} # Enables keystone web single-sign-on diff --git a/playbooks/roles/os_keystone/defaults/main.yml b/playbooks/roles/os_keystone/defaults/main.yml index e042354277..fa57eddb51 100644 --- a/playbooks/roles/os_keystone/defaults/main.yml +++ b/playbooks/roles/os_keystone/defaults/main.yml @@ -80,6 +80,7 @@ keystone_database_pool_timeout: 30 ## Role info keystone_role_name: admin +keystone_default_role_name: _member_ ## Admin info keystone_admin_port: 35357 diff --git a/playbooks/roles/os_keystone/tasks/keystone_service_setup.yml b/playbooks/roles/os_keystone/tasks/keystone_service_setup.yml index ddddbabe6a..9fb4cf58b3 100644 --- a/playbooks/roles/os_keystone/tasks/keystone_service_setup.yml +++ b/playbooks/roles/os_keystone/tasks/keystone_service_setup.yml @@ -128,6 +128,22 @@ - keystone-api-setup - keystone-setup +# Add the default user role +- name: Ensure default keystone user role + keystone: + command: "ensure_role" + token: "{{ keystone_auth_admin_token }}" + endpoint: "{{ keystone_service_adminurl }}" + role_name: "{{ keystone_default_role_name }}" + insecure: "{{ keystone_service_adminuri_insecure }}" + register: add_member_role + until: add_member_role|success + retries: 5 + delay: 10 + tags: + - keystone-api-setup + - keystone-setup + # Create a service - name: Ensure Keystone Service keystone: diff --git a/playbooks/roles/os_keystone/templates/keystone.conf.j2 b/playbooks/roles/os_keystone/templates/keystone.conf.j2 index a60c72af62..d2276353f2 100644 --- a/playbooks/roles/os_keystone/templates/keystone.conf.j2 +++ b/playbooks/roles/os_keystone/templates/keystone.conf.j2 
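Review bot: The new comment `# The default role assigned to users` understates what the setting governs and the constraint on its value. Horizon uses `OPENSTACK_KEYSTONE_DEFAULT_ROLE` as the role granted when a user is added to a project from the dashboard, and the name must already exist in Keystone, which is why this change also ensures the role and sets `member_role_name` in keystone.conf.j2; a comment such as `# Role granted to users added to a project via the dashboard; must exist in Keystone and match member_role_name in keystone.conf` would make that coupling visible to whoever edits the variable. The variable is also rendered verbatim inside a Python string literal, so the comment could note that the value must be a plain role name without quotes.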
@@ -9,6 +9,7 @@ public_endpoint = {{ keystone_public_endpoint }} {% endif %} admin_endpoint = {{ keystone_service_adminuri }} fatal_deprecations = {{ keystone_fatal_deprecations }} +member_role_name = {{ keystone_default_role_name }} {% if keystone_ssl | bool and keystone_secure_proxy_ssl_header is defined %} secure_proxy_ssl_header = {{ keystone_secure_proxy_ssl_header }}