Merge "Add support for system role in role assignment"

Zuul 2022-03-08 19:35:48 +00:00 committed by Gerrit Code Review
commit 08bbadedb0


@ -37,6 +37,12 @@ options:
- Name or ID of the domain to scope the role association to. Valid only - Name or ID of the domain to scope the role association to. Valid only
with keystone version 3, and required if I(project) is not specified. with keystone version 3, and required if I(project) is not specified.
type: str type: str
system:
description:
- Name of system to scope the role association to. Valid only with
keystone version 3, and required if I(project) and I(domain)
are not specified.
type: str
state: state:
description: description:
- Should the roles be present or absent on the user. - Should the roles be present or absent on the user.
@ -82,6 +88,7 @@ class IdentityRoleAssignmentModule(OpenStackModule):
group=dict(required=False), group=dict(required=False),
project=dict(required=False), project=dict(required=False),
domain=dict(required=False), domain=dict(required=False),
system=dict(required=False),
state=dict(default='present', choices=['absent', 'present']), state=dict(default='present', choices=['absent', 'present']),
) )
@ -99,7 +106,7 @@ class IdentityRoleAssignmentModule(OpenStackModule):
return True return True
return False return False
def _build_kwargs(self, user, group, project, domain): def _build_kwargs(self, user, group, project, domain, system):
kwargs = {} kwargs = {}
if user: if user:
kwargs['user'] = user kwargs['user'] = user
@ -109,6 +116,8 @@ class IdentityRoleAssignmentModule(OpenStackModule):
kwargs['project'] = project kwargs['project'] = project
if domain: if domain:
kwargs['domain'] = domain kwargs['domain'] = domain
if system:
kwargs['system'] = system
return kwargs return kwargs
def run(self): def run(self):
@ -117,6 +126,7 @@ class IdentityRoleAssignmentModule(OpenStackModule):
group = self.params.get('group') group = self.params.get('group')
project = self.params.get('project') project = self.params.get('project')
domain = self.params.get('domain') domain = self.params.get('domain')
system = self.params.get('system')
state = self.params.get('state') state = self.params.get('state')
filters = {} filters = {}
@ -164,6 +174,10 @@ class IdentityRoleAssignmentModule(OpenStackModule):
if p is None: if p is None:
self.fail_json(msg="Project %s is not valid" % project) self.fail_json(msg="Project %s is not valid" % project)
filters['project'] = p['id'] filters['project'] = p['id']
if system:
# the system role name is the argument. list_role_assignments will
# fail if the system role name is not valid
filters['system'] = system
assignment = self.conn.list_role_assignments(filters=filters) assignment = self.conn.list_role_assignments(filters=filters)
@ -174,13 +188,13 @@ class IdentityRoleAssignmentModule(OpenStackModule):
if state == 'present': if state == 'present':
if not assignment: if not assignment:
kwargs = self._build_kwargs(user, group, project, domain_id) kwargs = self._build_kwargs(user, group, project, domain_id, system)
self.conn.grant_role(role, **kwargs) self.conn.grant_role(role, **kwargs)
changed = True changed = True
elif state == 'absent': elif state == 'absent':
if assignment: if assignment:
kwargs = self._build_kwargs(user, group, project, domain_id) kwargs = self._build_kwargs(user, group, project, domain_id, system)
self.conn.revoke_role(role, **kwargs) self.conn.revoke_role(role, **kwargs)
changed = True changed = True
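Review bot: Nothing in the new `system=dict(required=False)` entry or in the `if system:` branch of run() stops `system` from being combined with `project` or `domain`, so a task that sets both sends mixed scopes to `list_role_assignments` and then to `grant_role`/`revoke_role`. A system-scoped assignment applies deployment-wide, so the scope should be unambiguous before anything is granted; declaring the conflict in the module's argument validation, e.g. `mutually_exclusive=[['system', 'project'], ['system', 'domain']]`, would reject such a task up front. The added comment also calls the value a "system role name", while the option documentation describes it as the system to scope to; `# system is the scope name, not a role; list_role_assignments is expected to reject an invalid value` reads closer to that. run() starts and ends outside the visible hunks, so an existing check elsewhere cannot be ruled out.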