1 require 'puppet/provider/keystone'
# Registers a provider for the keystone_user_role type with
# Puppet::Provider::Keystone as its parent class. This listing omits lines
# (the gutter numbers jump 3 -> 5 -> 8), so the provider's name argument and
# the opening of its body are not visible.
3 Puppet::Type.type(:keystone_user_role).provide(
5 :parent => Puppet::Provider::Keystone
8 desc "Provider to manage keystone role assignments to users."
# Credentials holder assigned at provider-definition level rather than per
# resource instance.
# NOTE(review): how it is populated is not shown in this listing; confirm the
# secrets it carries are kept out of debug logs and reports.
10 @credentials = Puppet::Provider::Openstack::CredentialsV2_0.new
12 def initialize(value={})
# Fragment of the method that grants roles (its `def` line and the
# initialisation of `properties` are not part of this listing).
# Appends '--project', <project>, '--user', <user> to `properties`, then issues
# one 'role add' request per entry in resource[:roles].
# NOTE(review): role, project and user names are handed to `request` as
# separate array elements, not as one interpolated string. `request` is defined
# outside this listing; confirm the type validates these names (for example,
# rejects a leading '-') before they are used as positional arguments.
19 properties << '--project' << get_project
20 properties << '--user' << get_user
22 resource[:roles].each do |role|
23 self.class.request('role', 'add', [role] + properties)
# Fragment of the method that revokes roles (its `def` line and the closing
# `end`s are not part of this listing).
# Builds the same '--project' / '--user' argument tail as the grant path.
30 properties << '--project' << get_project
31 properties << '--user' << get_user
# Only roles already cached in @property_hash[:roles] are revoked; the cache is
# filled by the existence check further down (listing lines 53-54).
# NOTE(review): when that cache is nil no 'role remove' request is sent. If
# line 37 sits outside this `if` (the missing `end` lines suggest so, confirm),
# :ensure is still set to :absent, so a skipped revocation would leave the
# grants in place in Keystone while Puppet records the resource as gone.
32 if @property_hash[:roles]
33 @property_hash[:roles].each do |role|
34 self.class.request('role', 'remove', [role] + properties)
37 @property_hash[:ensure] = :absent
# Fragment of the existence check (the `def` line and the branch conditions are
# not part of this listing).
# First visible branch: answers from the cached :name alone.
# NOTE(review): .empty? raises NoMethodError when :name is nil; the guard that
# selects this branch is not shown, so confirm it rules that case out.
42 return ! @property_hash[:name].empty?
# Other branch: ask for the roles this user holds on this project. The user
# name is the positional argument and the project follows '--project'.
44 roles = self.class.request('user role', 'list', [get_user, '--project', get_project])
45 # Since requesting every combination of users, roles, and
46 # projects is so expensive, construct the property hash here
47 # instead of in self.instances so it can be used in the role
49 @property_hash[:name] = resource[:name]
# :ensure is set to :absent or :present; the condition choosing between the two
# (listing lines 50 and 52) is not shown. It presumably tests whether `roles`
# is empty.
51 @property_hash[:ensure] = :absent
53 @property_hash[:ensure] = :present
# Cache the roles for later use by the revoke path. The body of this collect
# block (line 55) is not shown.
54 @property_hash[:roles] = roles.collect do |role|
58 return @property_hash[:ensure] == :present
# Returns the role list cached in @property_hash (the enclosing `def` line is
# not part of this listing). The cache is written at listing lines 53-54, so
# the value is nil until that lookup has run.
63 @property_hash[:roles]
# Fragment of the role setter (its `def` line is not part of this listing).
# `current_roles`, `project` and `user` are assigned on lines that are not
# shown.
68 # determine the roles to be added and removed
# Array(value) lets a single role name be passed as well as a list.
69 remove = current_roles - Array(value)
70 add = Array(value) - current_roles
# Grants are issued before revocations.
# NOTE(review): the two loops are not atomic. If a request fails part-way
# (whether `request` raises cannot be determined from this listing), the user
# is left with a mix of old and new roles, and roles queued for removal are
# still held. When a change narrows privileges, confirm the final state
# afterwards.
73 add.each do |role_name|
74 self.class.request('role', 'add', [role_name, '--project', project, '--user', user])
76 remove.each do |role_name|
77 self.class.request('role', 'remove', [role_name, '--project', project, '--user', user])
# Fragment of the instance enumeration (its `def` line and the body of the
# collect block are not part of this listing).
# build_user_role_hash returns a hash keyed by "user@project" titles whose
# values are arrays of role names; each pair is mapped to one result entry.
82 instances = build_user_role_hash
83 instances.collect do |title, roles|
# User half of a "user@project" resource name (presumably the body of
# get_user; the `def` line is not part of this listing).
# rpartition splits on the LAST '@', so a user name that itself contains '@'
# (an e-mail style login, say) is kept whole.
# NOTE(review): the reverse does not hold. A project name containing '@' moves
# the split point, and the role change would then target a different
# user/project pair. Confirm the type rejects such names.
95 resource[:name].rpartition('@').first
# Project half of a "user@project" resource name (presumably the body of
# get_project; the `def` line is not part of this listing).
# Everything after the LAST '@' is taken as the project.
# NOTE(review): if the name contains no '@' at all, rpartition yields an empty
# user part and the whole name lands here as the project. Confirm the name
# format is validated before it reaches this point.
99 resource[:name].rpartition('@').last
# Returns the :name of every entry produced by a 'project list' request.
# (The closing `end` is not part of this listing.)
102 def self.get_projects
103 request('project', 'list').collect { |project| project[:name] }
# Returns the :name of every entry produced by a 'user list' request that is
# restricted to the given project via '--project'.
# (The closing `end` is not part of this listing.)
106 def self.get_users(project)
107 request('user', 'list', ['--project', project]).collect { |user| user[:name] }
# Stores the given hash in the provider-level @user_role_hash, which
# build_user_role_hash reads back as its cache.
# (The closing `end` is not part of this listing.)
110 def self.set_user_role_hash(user_role_hash)
111 @user_role_hash = user_role_hash
# Builds, and caches at provider level, a hash that maps "user@project" to the
# array of role names that user holds on that project.
# (Listing line 120, which introduces `user`, and the closing `end`s are not
# part of this listing.)
114 def self.build_user_role_hash
# Reuse the cached hash when it already holds entries. An empty cache is
# treated like no cache and triggers a full rebuild.
# NOTE(review): no invalidation is visible in this listing, so role changes
# made after the first build are not reflected in later reads. Confirm that
# is acceptable wherever this hash informs a grant or revoke decision.
115 hash = @user_role_hash || {}
116 return hash unless hash.empty?
# One 'user list' request per project, then one 'user role list' request per
# (user, project) pair.
117 projects = get_projects
118 projects.each do |project|
119 users = get_users(project)
121 user_roles = request('user role', 'list', [user, '--project', project])
# NOTE(review): the key is a plain "user@project" join, so it is ambiguous when
# either name contains '@'. User "a@b" on project "c" and user "a" on project
# "b@c" both produce "a@b@c", and the later pair overwrites the earlier one's
# role list.
122 hash["#{user}@#{project}"] = []
123 user_roles.each do |role|
124 hash["#{user}@#{project}"] << role[:name]
# Publish the finished hash as the provider-level cache.
128 set_user_role_hash(hash)