Some cloud operators would like to be able to use Heat templates to manage users, projects and roles in Keystone. Currently we can only create users, and only through an AWS IAM resource type.
This was discussed on the mailing list in the thread beginning here:
Implement the following native resource types:
Since in the default policy.json configuration these APIs are available only to administrative users, the plugin would be in the /contrib tree and not installed by default.
Another possible data model would be to have a separate RoleAssignment resource (or similar) to grant roles to users or groups, rather that having the roles listed in the user or group resources. A similar thing could apply to the list of users in a group, which could be implemented instead as a GroupMembership resource.
However, there are a couple of problems with that data model. The first is that adding a user to a group or granting a role to a user/group does not create a physical resource with its own UUID. This makes it difficult for Heat to manage the resources.
The second issue is that such an approach tends to create dependency problems for users - for example in this model if another resource depends on a User, then Heat may begin creating it before the User has been assigned a Role that it may need to perform the operation. This is possibly less of an issue with Keystone resources than it has proven with Neutron resources, but it is a known anti-pattern in Heat data modelling.
A similar issue occurs with Users and Groups - an alternative implementation would be for the Group definition to contain a list of Users rather than for the User definition to contain a list of Groups. The advantage of that is that it more closely follows how the API is implemented, but this way was chosen because it is more likely to automatically generate correct dependencies: anything that depends on a User will always wait for all groups to be assigned. Both approaches are likely to make some (different) subset of use cases awkward, but the only solution would be a separate GroupMembership resources type and that would suffer from all of the problems with a RoleAssignment discussed above.