Stop creating the member role in Horizon

The goal is to simplify the os_horizon role by dropping out an unnecessary step of Keystone role creation, when a non-default value is set for `horizon_default_role_name`. In case a deployer needs to have a non-default value for horizon_default_role_name, they are encouraged to leverage an openstack_resources role/playbook to provision such role for them. Change-Id: I97d3c837a880c0ce3ebf6c44d94e85e4e9e52b23
2025-04-28 12:00:20 +02:00 · 2025-04-28 12:00:20 +02:00 · 62fcbf7500
commit 62fcbf7500
parent b2ca7ff261
3 changed files with 12 additions and 50 deletions
--- a/releasenotes/notes/horizon_default_role_name_create-48fb556caa075665.yaml
+++ b/releasenotes/notes/horizon_default_role_name_create-48fb556caa075665.yaml
@ -0,0 +1,12 @@
+---
+
+deprecations:
+  - |
+    The ``horizon_default_role_name`` (default `member`) Keystone role existence
+    is no longer ensured by the Horizon role.
+    It is expected that the role defined by ``horizon_default_role_name``
+    already exists in Keystone and was bootstrapped via ``keystone-bootstrap``
+    command during ``os_keystone`` execution.
+    You can leverage ``opestack.osa.openstack_resources`` playbook to create
+    extra roles if you need/want to use non-default value for the
+    ``horizon_default_role_name`` variable
--- a/tasks/horizon_service_setup.yml
+++ b/tasks/horizon_service_setup.yml
@ -1,42 +0,0 @@
---
-# Copyright 2015, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# We set the python interpreter to the ansible runtime venv if
-# the delegation is to localhost so that we get access to the
-# appropriate python libraries in that venv. If the delegation
-# is to another host, we assume that it is accessible by the
-# system python instead.
- name: Setup the default member role
-  delegate_to: "{{ horizon_service_setup_host }}"
-  vars:
-    ansible_python_interpreter: "{{ horizon_service_setup_host_python_interpreter }}"
-  block:
-    - name: Add default member role
-      os_keystone_role:
-        cloud: default
-        state: present
-        name: "{{ horizon_default_role_name }}"
-        endpoint_type: admin
-        verify: "{{ not keystone_service_adminuri_insecure }}"
-      when:
-        - keystone_admin_user_name is defined
-        - keystone_auth_admin_password is defined
-        - keystone_admin_tenant_name is defined
-        - keystone_service_adminurl is defined
-        - keystone_service_adminuri_insecure is defined
-      register: add_member_role
-      until: add_member_role is success
-      retries: 5
-      delay: 10
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -79,14 +79,6 @@
    - horizon-config
    - post-install

- name: Importing horizon_service_setup tasks
-  ansible.builtin.import_tasks: horizon_service_setup.yml
-  when:
-    - ('horizon_all' in group_names)
-    - inventory_hostname == groups['horizon_all'][0]
-  tags:
-    - horizon-config
-
 - name: Importing uwsgi/apache tasks
  ansible.builtin.import_tasks: "{{ (horizon_use_uwsgi | bool) | ternary('horizon_uwsgi.yml', 'horizon_apache.yml') }}"
  tags: