When using devstack, several keystone users are created by default, but I am unable to manipulate these users with a template.
The use case I have is trying to add a role to the admin user in a newly created tenant/project.
The keystone CLI provides the user-role-add command that handles this functionality, but it cannot currently be templated.
I see 2 possible solutions for this:
1) Enhance the OS::Keystone::User resource to accept names of preexisting users. In the event that the engine sees a preexisting username, it adds the functionality provided in the template to the user. Otherwise, a new user is created.
2) Implement a new resource, OS::Keystone::UserRoleAdd, which behaves similar to the CLI command. The resource would have 3 required fields, a user, a role, and a project.
My preference is for solution 2, but please comment with your preference or additional solutions that may be better.
I am not sure that the good solution feasible with the current implementation. By default heat should manage all resources starting from resource creation, so the first approach is not in accordance with current architecture. The second approach may work but please be aware that we need to deprecate roles attribute of the OS::Keystone::User because we need only 1 way to define relationship between users and roles. I am not sure the users will be happy with that.
We would help you if you describe in details the case you trying to test. F.e. why can't you create your own user in template?