+ # v3 admin
+ # we don't use ::keystone::roles::admin but still create resources manually:
+ keystone_domain { 'admin_domain':
+ ensure => present,
+ enabled => true,
+ description => 'Domain for admin v3 users',
+ }
+ keystone_domain { 'service_domain':
+ ensure => present,
+ enabled => true,
+ description => 'Domain for admin v3 users',
+ }
+ keystone_tenant { 'servicesv3':
+ ensure => present,
+ enabled => true,
+ description => 'Tenant for the openstack services',
+ domain => 'service_domain',
+ }
+ keystone_tenant { 'openstackv3':
+ ensure => present,
+ enabled => true,
+ description => 'admin tenant',
+ domain => 'admin_domain',
+ }
+ keystone_user { 'adminv3':
+ ensure => present,
+ enabled => true,
+ tenant => 'openstackv3', # note: don't have to use 'openstackv3::admin_domain' here since the tenant name 'openstackv3' is unique among all domains
+ email => 'test@example.tld',
+ password => 'a_big_secret',
+ domain => 'admin_domain',
+ }
+ keystone_user_role { 'adminv3@openstackv3':
+ ensure => present,
+ roles => ['admin'],
+ }
+ # service user exists only in the service_domain - must
+ # use v3 api
+ ::keystone::resource::service_identity { 'beaker-civ3':
+ service_type => 'beakerv3',
+ service_description => 'beakerv3 service',
+ service_name => 'beakerv3',
+ password => 'secret',
+ tenant => 'servicesv3',
+ public_url => 'http://127.0.0.1:1234/v3',
+ admin_url => 'http://127.0.0.1:1234/v3',
+ internal_url => 'http://127.0.0.1:1234/v3',
+ user_domain => 'service_domain',
+ project_domain => 'service_domain',
+ }
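Review bot: The `keystone_user_role { 'adminv3@openstackv3':` grant of `admin` names the user and project without a domain, so it is unambiguous only while those names stay unique across domains, as the inline comment on `tenant => 'openstackv3'` already concedes. Since this block sets up two domains, I would qualify the title, e.g. `keystone_user_role { 'adminv3::admin_domain@openstackv3::admin_domain':` (assuming the provider version under test accepts the `name::domain` form), so the admin assignment cannot resolve to a same-named user or project in another domain. Separately, `service_domain` carries the copied description `'Domain for admin v3 users'`; `description => 'Domain for v3 service users',` would match its use. The literal passwords `'a_big_secret'` and `'secret'` and the `http://127.0.0.1:1234/v3` endpoints look like acceptance-test fixtures, and a one-line comment saying so would keep them from being copied into a real manifest. The enclosing manifest starts and ends outside this hunk.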