ansible-playbooks/playbookconfig/src/playbooks/roles/manage-local-ldap-account/create-keystone-account/tasks/main.yml

---
# Copyright (c) 2022 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# Tasks to create both keystone and LDAP user account inside the system
# controller, and subclouds as well for distributed systems with specific
# admin role.

- name: Create keystone user on System Controller
  block:
  - name: Create the keystone user {{ in_user_id }}
    expect:
      command: >-
        /bin/sh -c 'source /etc/platform/openrc; openstack {{ os_param_region_name }} user create --project
        admin --password-prompt {{ in_user_id }}'
      responses:
        Password: '{{ in_user_password }}'
        "\\~\\$": exit

  - name: Add keystone user to the {{ in_user_role }} role
    shell: |
      source /etc/platform/openrc
      openstack {{ os_param_region_name }} role add --user {{ in_user_id }} --project admin {{ in_user_role }}

  when: ('systemcontroller' in group_names)

- name: Complete keystone user creation on the subcloud
  block:
  - name: Wait for keystone user to propagate to all subclouds
    shell: source /etc/platform/openrc; openstack user show {{ in_user_id }}
    register: user_output
    until: user_output.rc == 0
    retries: 12
    delay: 10

  - name: Create LDAP user keystone-account home directory on the subcloud
    expect:
      command: ssh {{ ssh_internal_args }} {{ in_user_id }}@localhost
      responses:
        s password: "{{ in_user_password }}"
        "\\~\\$": exit
    # do not show passwords in the logs
    no_log: true

  when: ('systemcontroller' not in group_names)

- name: Retrieve region name
  shell: source /etc/platform/openrc; system show | grep region_name | awk '{ print $4 }'
  register: region_name

- name: Retrieve management network floating IP
  shell: >-
    source /etc/platform/openrc; system addrpool-list --nowrap |
    awk -F \| '$3 ~ / management / { gsub(/ /,"",$8); print $8 }'
  register: management_floating_ip

- name: Generate keystone user credentials file
  template:
    src: openrc-template.j2
    dest: /home/{{ in_user_id }}/{{ in_user_id }}-openrc
    owner: "{{ in_user_id }}"
    group: users
    mode: 0600
  become: yes

- name: Add LDAP user to 'root' group
  command: usermod -a -G root {{ in_user_id }}
  become: yes
  when: in_sudo_permission

- name: Add LDAP user to 'sys_protected' group
  command: usermod -a -G sys_protected {{ in_user_id }}
  become: yes
  when: in_sys_protected

- name: Retrieve LDAP user groups
  command: groups {{ in_user_id }}
  register: user_groups

- name: Set array of user groups to check
  set_fact:
    user_group_array: ['users', 'sys_protected']

- name: Update array of user groups to include root group if sudo permission is granted
  set_fact:
    user_group_array: "{{ user_group_array }} + ['root']"
  when: in_sudo_permission

- name: Verify LDAP user groups
  fail:
    msg: "{{ in_user_id }} is not part of group {{ item }}"
  when: item not in user_groups.stdout
  loop: "{{ user_group_array }}"