2014-09-26 01:01:01 +00:00
|
|
|
#!/usr/bin/python
|
|
|
|
|
# -*- coding: utf-8 -*-
|
2015-07-04 03:57:53 +00:00
|
|
|
# This file is part of Ansible
|
|
|
|
|
#
|
|
|
|
|
# Ansible is free software: you can redistribute it and/or modify
|
|
|
|
|
# it under the terms of the GNU General Public License as published by
|
|
|
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
|
|
|
# (at your option) any later version.
|
|
|
|
|
#
|
|
|
|
|
# Ansible is distributed in the hope that it will be useful,
|
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
# GNU General Public License for more details.
|
|
|
|
|
#
|
|
|
|
|
# You should have received a copy of the GNU General Public License
|
|
|
|
|
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
2014-09-26 01:01:01 +00:00
|
|
|
|
|
|
|
|
# Based on Jimmy Tang's implementation
|
|
|
|
|
|
2016-12-06 10:35:05 +00:00
|
|
|
ANSIBLE_METADATA = {'status': ['deprecated'],
|
|
|
|
|
'supported_by': 'community',
|
|
|
|
|
'version': '1.0'}
|
|
|
|
|
|
2014-09-26 01:01:01 +00:00
|
|
|
DOCUMENTATION = '''
|
|
|
|
|
---
|
|
|
|
|
module: keystone_user
|
|
|
|
|
version_added: "1.2"
|
2015-10-20 17:29:41 +00:00
|
|
|
deprecated: Deprecated in 2.0. Use os_user instead
|
2014-09-26 01:01:01 +00:00
|
|
|
short_description: Manage OpenStack Identity (keystone) users, tenants and roles
|
|
|
|
|
description:
|
|
|
|
|
- Manage users,tenants, roles from OpenStack.
|
|
|
|
|
options:
|
|
|
|
|
login_user:
|
|
|
|
|
description:
|
|
|
|
|
- login username to authenticate to keystone
|
|
|
|
|
required: false
|
|
|
|
|
default: admin
|
|
|
|
|
login_password:
|
|
|
|
|
description:
|
|
|
|
|
- Password of login user
|
|
|
|
|
required: false
|
|
|
|
|
default: 'yes'
|
|
|
|
|
login_tenant_name:
|
|
|
|
|
description:
|
|
|
|
|
- The tenant login_user belongs to
|
|
|
|
|
required: false
|
|
|
|
|
default: None
|
|
|
|
|
version_added: "1.3"
|
|
|
|
|
token:
|
|
|
|
|
description:
|
|
|
|
|
- The token to be uses in case the password is not specified
|
|
|
|
|
required: false
|
|
|
|
|
default: None
|
|
|
|
|
endpoint:
|
|
|
|
|
description:
|
|
|
|
|
- The keystone url for authentication
|
|
|
|
|
required: false
|
2016-12-02 15:39:15 +00:00
|
|
|
default: http://127.0.0.1:35357/v2.0/
|
2014-09-26 01:01:01 +00:00
|
|
|
user:
|
|
|
|
|
description:
|
|
|
|
|
- The name of the user that has to added/removed from OpenStack
|
|
|
|
|
required: false
|
|
|
|
|
default: None
|
|
|
|
|
password:
|
|
|
|
|
description:
|
|
|
|
|
- The password to be assigned to the user
|
|
|
|
|
required: false
|
|
|
|
|
default: None
|
|
|
|
|
tenant:
|
|
|
|
|
description:
|
|
|
|
|
- The tenant name that has be added/removed
|
|
|
|
|
required: false
|
|
|
|
|
default: None
|
|
|
|
|
tenant_description:
|
|
|
|
|
description:
|
|
|
|
|
- A description for the tenant
|
|
|
|
|
required: false
|
|
|
|
|
default: None
|
|
|
|
|
email:
|
|
|
|
|
description:
|
|
|
|
|
- An email address for the user
|
|
|
|
|
required: false
|
|
|
|
|
default: None
|
|
|
|
|
role:
|
|
|
|
|
description:
|
|
|
|
|
- The name of the role to be assigned or created
|
|
|
|
|
required: false
|
|
|
|
|
default: None
|
|
|
|
|
state:
|
|
|
|
|
description:
|
|
|
|
|
- Indicate desired state of the resource
|
|
|
|
|
choices: ['present', 'absent']
|
|
|
|
|
default: present
|
2015-06-15 18:41:22 +00:00
|
|
|
requirements:
|
|
|
|
|
- "python >= 2.6"
|
|
|
|
|
- python-keystoneclient
|
2015-10-28 18:38:11 +00:00
|
|
|
author: "Ansible Core Team (deprecated)"
|
2014-09-26 01:01:01 +00:00
|
|
|
'''
|
|
|
|
|
|
|
|
|
|
EXAMPLES = '''
|
2016-11-15 21:00:33 +00:00
|
|
|
- name: Create a tenant
|
|
|
|
|
keystone_user:
|
|
|
|
|
tenant: demo
|
|
|
|
|
tenant_description: "Default Tenant"
|
2014-09-26 01:01:01 +00:00
|
|
|
|
2016-11-15 21:00:33 +00:00
|
|
|
- name: Create a user
|
|
|
|
|
keystone_user:
|
|
|
|
|
user: john
|
|
|
|
|
tenant: demo
|
|
|
|
|
password: secrete
|
2014-09-26 01:01:01 +00:00
|
|
|
|
2016-11-15 21:00:33 +00:00
|
|
|
- name: Apply the admin role to the john user in the demo tenant
|
|
|
|
|
keystone_user:
|
|
|
|
|
role: admin
|
|
|
|
|
user: john
|
|
|
|
|
tenant: demo
|
2014-09-26 01:01:01 +00:00
|
|
|
'''
|
|
|
|
|
|
|
|
|
|
try:
|
|
|
|
|
from keystoneclient.v2_0 import client
|
|
|
|
|
except ImportError:
|
|
|
|
|
keystoneclient_found = False
|
|
|
|
|
else:
|
|
|
|
|
keystoneclient_found = True
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def authenticate(endpoint, token, login_user, login_password, login_tenant_name):
|
|
|
|
|
"""Return a keystone client object"""
|
|
|
|
|
|
|
|
|
|
if token:
|
|
|
|
|
return client.Client(endpoint=endpoint, token=token)
|
|
|
|
|
else:
|
|
|
|
|
return client.Client(auth_url=endpoint, username=login_user,
|
|
|
|
|
password=login_password, tenant_name=login_tenant_name)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def tenant_exists(keystone, tenant):
|
|
|
|
|
""" Return True if tenant already exists"""
|
|
|
|
|
return tenant in [x.name for x in keystone.tenants.list()]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def user_exists(keystone, user):
|
|
|
|
|
"""" Return True if user already exists"""
|
|
|
|
|
return user in [x.name for x in keystone.users.list()]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def get_tenant(keystone, name):
|
|
|
|
|
""" Retrieve a tenant by name"""
|
|
|
|
|
tenants = [x for x in keystone.tenants.list() if x.name == name]
|
|
|
|
|
count = len(tenants)
|
|
|
|
|
if count == 0:
|
|
|
|
|
raise KeyError("No keystone tenants with name %s" % name)
|
|
|
|
|
elif count > 1:
|
|
|
|
|
raise ValueError("%d tenants with name %s" % (count, name))
|
|
|
|
|
else:
|
|
|
|
|
return tenants[0]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def get_user(keystone, name):
|
|
|
|
|
""" Retrieve a user by name"""
|
|
|
|
|
users = [x for x in keystone.users.list() if x.name == name]
|
|
|
|
|
count = len(users)
|
|
|
|
|
if count == 0:
|
|
|
|
|
raise KeyError("No keystone users with name %s" % name)
|
|
|
|
|
elif count > 1:
|
|
|
|
|
raise ValueError("%d users with name %s" % (count, name))
|
|
|
|
|
else:
|
|
|
|
|
return users[0]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def get_role(keystone, name):
|
|
|
|
|
""" Retrieve a role by name"""
|
|
|
|
|
roles = [x for x in keystone.roles.list() if x.name == name]
|
|
|
|
|
count = len(roles)
|
|
|
|
|
if count == 0:
|
|
|
|
|
raise KeyError("No keystone roles with name %s" % name)
|
|
|
|
|
elif count > 1:
|
|
|
|
|
raise ValueError("%d roles with name %s" % (count, name))
|
|
|
|
|
else:
|
|
|
|
|
return roles[0]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def get_tenant_id(keystone, name):
|
|
|
|
|
return get_tenant(keystone, name).id
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def get_user_id(keystone, name):
|
|
|
|
|
return get_user(keystone, name).id
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def ensure_tenant_exists(keystone, tenant_name, tenant_description,
|
|
|
|
|
check_mode):
|
|
|
|
|
""" Ensure that a tenant exists.
|
|
|
|
|
|
|
|
|
|
Return (True, id) if a new tenant was created, (False, None) if it
|
|
|
|
|
already existed.
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
# Check if tenant already exists
|
|
|
|
|
try:
|
|
|
|
|
tenant = get_tenant(keystone, tenant_name)
|
|
|
|
|
except KeyError:
|
|
|
|
|
# Tenant doesn't exist yet
|
|
|
|
|
pass
|
|
|
|
|
else:
|
|
|
|
|
if tenant.description == tenant_description:
|
|
|
|
|
return (False, tenant.id)
|
|
|
|
|
else:
|
|
|
|
|
# We need to update the tenant description
|
|
|
|
|
if check_mode:
|
|
|
|
|
return (True, tenant.id)
|
|
|
|
|
else:
|
|
|
|
|
tenant.update(description=tenant_description)
|
|
|
|
|
return (True, tenant.id)
|
|
|
|
|
|
|
|
|
|
# We now know we will have to create a new tenant
|
|
|
|
|
if check_mode:
|
|
|
|
|
return (True, None)
|
|
|
|
|
|
|
|
|
|
ks_tenant = keystone.tenants.create(tenant_name=tenant_name,
|
|
|
|
|
description=tenant_description,
|
|
|
|
|
enabled=True)
|
|
|
|
|
return (True, ks_tenant.id)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def ensure_tenant_absent(keystone, tenant, check_mode):
|
|
|
|
|
""" Ensure that a tenant does not exist
|
|
|
|
|
|
|
|
|
|
Return True if the tenant was removed, False if it didn't exist
|
|
|
|
|
in the first place
|
|
|
|
|
"""
|
|
|
|
|
if not tenant_exists(keystone, tenant):
|
|
|
|
|
return False
|
|
|
|
|
|
|
|
|
|
# We now know we will have to delete the tenant
|
|
|
|
|
if check_mode:
|
|
|
|
|
return True
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def ensure_user_exists(keystone, user_name, password, email, tenant_name,
|
|
|
|
|
check_mode):
|
|
|
|
|
""" Check if user exists
|
|
|
|
|
|
2016-10-13 14:47:50 +00:00
|
|
|
Return (True, id) if a new user was created, (False, id) user already
|
2014-09-26 01:01:01 +00:00
|
|
|
exists
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
# Check if tenant already exists
|
|
|
|
|
try:
|
|
|
|
|
user = get_user(keystone, user_name)
|
|
|
|
|
except KeyError:
|
|
|
|
|
# Tenant doesn't exist yet
|
|
|
|
|
pass
|
|
|
|
|
else:
|
|
|
|
|
# User does exist, we're done
|
|
|
|
|
return (False, user.id)
|
|
|
|
|
|
|
|
|
|
# We now know we will have to create a new user
|
|
|
|
|
if check_mode:
|
|
|
|
|
return (True, None)
|
|
|
|
|
|
|
|
|
|
tenant = get_tenant(keystone, tenant_name)
|
|
|
|
|
|
|
|
|
|
user = keystone.users.create(name=user_name, password=password,
|
|
|
|
|
email=email, tenant_id=tenant.id)
|
|
|
|
|
return (True, user.id)
|
|
|
|
|
|
2015-08-17 16:28:18 +00:00
|
|
|
def ensure_role_exists(keystone, role_name):
|
|
|
|
|
# Get the role if it exists
|
|
|
|
|
try:
|
|
|
|
|
role = get_role(keystone, role_name)
|
2015-08-20 14:24:05 +00:00
|
|
|
# Role does exist, we're done
|
|
|
|
|
return (False, role.id)
|
2015-08-17 16:28:18 +00:00
|
|
|
except KeyError:
|
|
|
|
|
# Role doesn't exist yet
|
2015-08-20 14:24:05 +00:00
|
|
|
pass
|
2015-08-17 16:28:18 +00:00
|
|
|
|
2015-08-20 14:24:05 +00:00
|
|
|
role = keystone.roles.create(role_name)
|
|
|
|
|
return (True, role.id)
|
2014-09-26 01:01:01 +00:00
|
|
|
|
2015-08-17 16:28:18 +00:00
|
|
|
def ensure_user_role_exists(keystone, user_name, tenant_name, role_name,
|
2014-09-26 01:01:01 +00:00
|
|
|
check_mode):
|
|
|
|
|
""" Check if role exists
|
|
|
|
|
|
|
|
|
|
Return (True, id) if a new role was created or if the role was newly
|
|
|
|
|
assigned to the user for the tenant. (False, id) if the role already
|
2016-12-11 02:50:09 +00:00
|
|
|
exists and was already assigned to the user for the tenant.
|
2014-09-26 01:01:01 +00:00
|
|
|
|
|
|
|
|
"""
|
|
|
|
|
# Check if the user has the role in the tenant
|
|
|
|
|
user = get_user(keystone, user_name)
|
|
|
|
|
tenant = get_tenant(keystone, tenant_name)
|
|
|
|
|
roles = [x for x in keystone.roles.roles_for_user(user, tenant)
|
|
|
|
|
if x.name == role_name]
|
|
|
|
|
count = len(roles)
|
|
|
|
|
|
|
|
|
|
if count == 1:
|
|
|
|
|
# If the role is in there, we are done
|
|
|
|
|
role = roles[0]
|
|
|
|
|
return (False, role.id)
|
|
|
|
|
elif count > 1:
|
|
|
|
|
# Too many roles with the same name, throw an error
|
|
|
|
|
raise ValueError("%d roles with name %s" % (count, role_name))
|
|
|
|
|
|
|
|
|
|
# At this point, we know we will need to make changes
|
|
|
|
|
if check_mode:
|
|
|
|
|
return (True, None)
|
|
|
|
|
|
|
|
|
|
# Get the role if it exists
|
|
|
|
|
try:
|
|
|
|
|
role = get_role(keystone, role_name)
|
|
|
|
|
except KeyError:
|
|
|
|
|
# Role doesn't exist yet
|
|
|
|
|
role = keystone.roles.create(role_name)
|
|
|
|
|
|
|
|
|
|
# Associate the role with the user in the admin
|
|
|
|
|
keystone.roles.add_user_role(user, role, tenant)
|
|
|
|
|
return (True, role.id)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def ensure_user_absent(keystone, user, check_mode):
|
|
|
|
|
raise NotImplementedError("Not yet implemented")
|
|
|
|
|
|
|
|
|
|
|
2015-08-17 16:28:18 +00:00
|
|
|
def ensure_user_role_absent(keystone, uesr, tenant, role, check_mode):
|
2014-09-26 01:01:01 +00:00
|
|
|
raise NotImplementedError("Not yet implemented")
|
|
|
|
|
|
2015-08-17 16:28:18 +00:00
|
|
|
def ensure_role_absent(keystone, role_name):
|
|
|
|
|
raise NotImplementedError("Not yet implemented")
|
2014-09-26 01:01:01 +00:00
|
|
|
|
|
|
|
|
def main():
|
|
|
|
|
|
|
|
|
|
argument_spec = openstack_argument_spec()
|
|
|
|
|
argument_spec.update(dict(
|
|
|
|
|
tenant_description=dict(required=False),
|
|
|
|
|
email=dict(required=False),
|
2014-10-14 06:24:58 +00:00
|
|
|
user=dict(required=False),
|
|
|
|
|
tenant=dict(required=False),
|
|
|
|
|
password=dict(required=False),
|
2014-09-26 01:01:01 +00:00
|
|
|
role=dict(required=False),
|
|
|
|
|
state=dict(default='present', choices=['present', 'absent']),
|
|
|
|
|
endpoint=dict(required=False,
|
|
|
|
|
default="http://127.0.0.1:35357/v2.0"),
|
|
|
|
|
token=dict(required=False),
|
|
|
|
|
login_user=dict(required=False),
|
|
|
|
|
login_password=dict(required=False),
|
|
|
|
|
login_tenant_name=dict(required=False)
|
|
|
|
|
))
|
|
|
|
|
# keystone operations themselves take an endpoint, not a keystone auth_url
|
|
|
|
|
del(argument_spec['auth_url'])
|
|
|
|
|
module = AnsibleModule(
|
|
|
|
|
argument_spec=argument_spec,
|
|
|
|
|
supports_check_mode=True,
|
|
|
|
|
mutually_exclusive=[['token', 'login_user'],
|
|
|
|
|
['token', 'login_password'],
|
|
|
|
|
['token', 'login_tenant_name']]
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
if not keystoneclient_found:
|
|
|
|
|
module.fail_json(msg="the python-keystoneclient module is required")
|
|
|
|
|
|
|
|
|
|
user = module.params['user']
|
|
|
|
|
password = module.params['password']
|
|
|
|
|
tenant = module.params['tenant']
|
|
|
|
|
tenant_description = module.params['tenant_description']
|
|
|
|
|
email = module.params['email']
|
|
|
|
|
role = module.params['role']
|
|
|
|
|
state = module.params['state']
|
|
|
|
|
endpoint = module.params['endpoint']
|
|
|
|
|
token = module.params['token']
|
|
|
|
|
login_user = module.params['login_user']
|
|
|
|
|
login_password = module.params['login_password']
|
|
|
|
|
login_tenant_name = module.params['login_tenant_name']
|
|
|
|
|
|
|
|
|
|
keystone = authenticate(endpoint, token, login_user, login_password, login_tenant_name)
|
|
|
|
|
|
|
|
|
|
check_mode = module.check_mode
|
|
|
|
|
|
|
|
|
|
try:
|
|
|
|
|
d = dispatch(keystone, user, password, tenant, tenant_description,
|
|
|
|
|
email, role, state, endpoint, token, login_user,
|
|
|
|
|
login_password, check_mode)
|
2016-06-03 13:37:09 +00:00
|
|
|
except Exception as e:
|
2014-09-26 01:01:01 +00:00
|
|
|
if check_mode:
|
|
|
|
|
# If we have a failure in check mode
|
|
|
|
|
module.exit_json(changed=True,
|
|
|
|
|
msg="exception: %s" % e)
|
|
|
|
|
else:
|
|
|
|
|
module.fail_json(msg="exception: %s" % e)
|
|
|
|
|
else:
|
|
|
|
|
module.exit_json(**d)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def dispatch(keystone, user=None, password=None, tenant=None,
|
|
|
|
|
tenant_description=None, email=None, role=None,
|
|
|
|
|
state="present", endpoint=None, token=None, login_user=None,
|
|
|
|
|
login_password=None, check_mode=False):
|
|
|
|
|
""" Dispatch to the appropriate method.
|
|
|
|
|
|
|
|
|
|
Returns a dict that will be passed to exit_json
|
|
|
|
|
|
|
|
|
|
tenant user role state
|
|
|
|
|
------ ---- ---- --------
|
|
|
|
|
X present ensure_tenant_exists
|
|
|
|
|
X absent ensure_tenant_absent
|
|
|
|
|
X X present ensure_user_exists
|
|
|
|
|
X X absent ensure_user_absent
|
2015-08-17 16:28:18 +00:00
|
|
|
X X X present ensure_user_role_exists
|
|
|
|
|
X X X absent ensure_user_role_absent
|
|
|
|
|
X present ensure_role_exists
|
|
|
|
|
X absent ensure_role_absent
|
2014-09-26 01:01:01 +00:00
|
|
|
"""
|
|
|
|
|
changed = False
|
|
|
|
|
id = None
|
2015-08-17 16:28:18 +00:00
|
|
|
if not tenant and not user and role and state == "present":
|
2015-08-20 14:24:05 +00:00
|
|
|
changed, id = ensure_role_exists(keystone, role)
|
2015-08-17 16:28:18 +00:00
|
|
|
elif not tenant and not user and role and state == "absent":
|
2015-08-20 14:24:05 +00:00
|
|
|
changed = ensure_role_absent(keystone, role)
|
2015-08-17 16:28:18 +00:00
|
|
|
elif tenant and not user and not role and state == "present":
|
2014-09-26 01:01:01 +00:00
|
|
|
changed, id = ensure_tenant_exists(keystone, tenant,
|
|
|
|
|
tenant_description, check_mode)
|
|
|
|
|
elif tenant and not user and not role and state == "absent":
|
|
|
|
|
changed = ensure_tenant_absent(keystone, tenant, check_mode)
|
|
|
|
|
elif tenant and user and not role and state == "present":
|
|
|
|
|
changed, id = ensure_user_exists(keystone, user, password,
|
|
|
|
|
email, tenant, check_mode)
|
|
|
|
|
elif tenant and user and not role and state == "absent":
|
|
|
|
|
changed = ensure_user_absent(keystone, user, check_mode)
|
|
|
|
|
elif tenant and user and role and state == "present":
|
2015-08-17 16:28:18 +00:00
|
|
|
changed, id = ensure_user_role_exists(keystone, user, tenant, role,
|
2014-09-26 01:01:01 +00:00
|
|
|
check_mode)
|
|
|
|
|
elif tenant and user and role and state == "absent":
|
2015-08-17 16:28:18 +00:00
|
|
|
changed = ensure_user_role_absent(keystone, user, tenant, role, check_mode)
|
2014-09-26 01:01:01 +00:00
|
|
|
else:
|
|
|
|
|
# Should never reach here
|
|
|
|
|
raise ValueError("Code should never reach here")
|
|
|
|
|
|
|
|
|
|
return dict(changed=changed, id=id)
|
|
|
|
|
|
|
|
|
|
# import module snippets
|
|
|
|
|
from ansible.module_utils.basic import *
|
|
|
|
|
from ansible.module_utils.openstack import *
|
|
|
|
|
if __name__ == '__main__':
|
|
|
|
|
main()
|
