openstack/puppet-barbican
Code Issues Proposed changes

Accept system scope credentials for Keystone API request

Browse Source 
This change is the first step to support secure RBAC and allows usage
of system scope credentials for Keystone API request.

This change covers the following two items.
 - assignment of system scope roles to system user
 - credential parameters for authtoken middleware

Depends-on: https://review.opendev.org/804325
Change-Id: Ifbdde0718d1b6a6782c4f098fd152c3f636aa2c4
This commit is contained in:
Takashi Kajinami
2021-11-25 15:59:30 +09:00
parent f6ca184ac0
commit e3a92d7798
5 changed files with 53 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
manifests/keystone/auth.pp
View File

@@ -19,6 +19,18 @@
# (Optional) Tenant for barbican user.
# Defaults to 'services'.
#
# [*roles*]
# (Optional) List of roles assigned to barbican user.
# Defaults to ['admin']
#
# [*system_scope*]
# (Optional) Scope for system operations.
# Defaults to 'all'
#
# [*system_roles*]
# (Optional) List of system roles assigned to barbican user.
# Defaults to []
#
# [*configure_endpoint*]
# (Optional) Should barbican endpoint be configured?
# Defaults to true.
@@ -67,6 +79,9 @@ class barbican::keystone::auth (
$auth_name = 'barbican',
$email = 'barbican@localhost',
$tenant = 'services',
$roles = ['admin'],
$system_scope = 'all',
$system_roles = [],
$configure_endpoint = true,
$configure_user = true,
$configure_user_role = true,
@@ -81,11 +96,11 @@ class barbican::keystone::auth (
include barbican::deps
if $configure_user_role {
Keystone_user_role["${auth_name}@${tenant}"] ~> Anchor['barbican::service::end']
}
Keystone_user_role<| name == "${auth_name}@${tenant}" |> -> Anchor['barbican::service::end']
Keystone_user_role<| name == "${auth_name}@::::${system_scope}" |> -> Anchor['barbican::service::end']
if $configure_endpoint {
Keystone_endpoint["${region}/${service_name}::${service_type}"] ~> Anchor['barbican::service::end']
Keystone_endpoint["${region}/${service_name}::${service_type}"] -> Anchor['barbican::service::end']
}
keystone::resource::service_identity { 'barbican':
@@ -100,6 +115,9 @@ class barbican::keystone::auth (
password => $password,
email => $email,
tenant => $tenant,
roles => $roles,
system_scope => $system_scope,
system_roles => $system_roles,
public_url => $public_url,
internal_url => $internal_url,
admin_url => $admin_url,

6
manifests/keystone/authtoken.pp
View File

@@ -28,6 +28,10 @@
# (Optional) Name of domain for $project_name
# Defaults to 'Default'
#
# [*system_scope*]
# (Optional) Scope for system operations
# Defaults to $::os_service_default
#
# [*insecure*]
# (Optional) If true, explicitly allow TLS without checking server cert
# against any certificate authorities. WARNING: not recommended. Use with
@@ -198,6 +202,7 @@ class barbican::keystone::authtoken(
$project_name = 'services',
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$system_scope = $::os_service_default,
$insecure = $::os_service_default,
$auth_section = $::os_service_default,
$auth_type = 'password',
@@ -251,6 +256,7 @@ class barbican::keystone::authtoken(
auth_section => $auth_section,
user_domain_name => $user_domain_name,
project_domain_name => $project_domain_name,
system_scope => $system_scope,
insecure => $insecure,
cache => $cache,
cafile => $cafile,

13
releasenotes/notes/system_scope-keystone-dfb7566a1f8b1eab.yaml Normal file
View File

@@ -0,0 +1,13 @@
---
features:
- |
The ``system_scope`` parameter has been added to
the ``barbican::keystone::authtoken`` class.
- |
The ``barbican::keystone::auth`` class now supports customizing roles
assigned to the barbican service user.
- |
The ``barbican::keystone::auth`` class now supports defining assignmet of
system-scoped roles to the barbican service user.

9
spec/classes/barbican_keystone_auth_spec.rb
View File

@@ -23,6 +23,9 @@ describe 'barbican::keystone::auth' do
:password => 'barbican_password',
:email => 'barbican@localhost',
:tenant => 'services',
:roles => ['admin'],
:system_scope => 'all',
:system_roles => [],
:public_url => 'http://127.0.0.1:9311',
:internal_url => 'http://127.0.0.1:9311',
:admin_url => 'http://127.0.0.1:9311',
@@ -35,6 +38,9 @@ describe 'barbican::keystone::auth' do
:auth_name => 'alt_barbican',
:email => 'alt_barbican@alt_localhost',
:tenant => 'alt_service',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:configure_endpoint => false,
:configure_user => false,
:configure_user_role => false,
@@ -59,6 +65,9 @@ describe 'barbican::keystone::auth' do
:password => 'barbican_password',
:email => 'alt_barbican@alt_localhost',
:tenant => 'alt_service',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:public_url => 'https://10.10.10.10:80',
:internal_url => 'http://10.10.10.11:81',
:admin_url => 'http://10.10.10.12:81',

3
spec/classes/barbican_keystone_authtoken_spec.rb
View File

@@ -18,6 +18,7 @@ describe 'barbican::keystone::authtoken' do
:project_name => 'services',
:user_domain_name => 'Default',
:project_domain_name => 'Default',
:system_scope => '<SERVICE DEFAULT>',
:insecure => '<SERVICE DEFAULT>',
:auth_section => '<SERVICE DEFAULT>',
:auth_type => 'password',
@@ -62,6 +63,7 @@ describe 'barbican::keystone::authtoken' do
:project_name => 'service_project',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:system_scope => 'all',
:insecure => false,
:auth_section => 'new_section',
:auth_type => 'password',
@@ -103,6 +105,7 @@ describe 'barbican::keystone::authtoken' do
:project_name => 'service_project',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:system_scope => 'all',
:insecure => false,
:auth_section => 'new_section',
:auth_type => 'password',