Globally support system scope credentials
After spending huge effort to understand the exact requirements to enforce SRBAC, we learned it's very difficult to find the required scope in each credential. This requires understanding the implementation of the client side as well as the server side, and the requirements might differ according to the deployment architecture or the features used. Instead of implementing support based on the actual implementation, this introduces support for system scope credentials in all places where a keystone user credential is defined, and makes all credential configurations consistent. Change-Id: I3a659a6b43d9c47e88334c24fb866a73a8f24a24
parent
1bbaea2895
commit
5f52d0d0e7
@ -24,6 +24,10 @@
|
||||
# (Optional) the keystone project name for ceilometer services
|
||||
# Defaults to 'services'.
|
||||
#
|
||||
# [*system_scope*]
|
||||
# (Optional) Scope for system operations.
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*cafile*]
|
||||
# (Optional) Certificate chain for SSL validation.
|
||||
# Defaults to $::os_service_default.
|
||||
@ -51,6 +55,7 @@ class ceilometer::agent::service_credentials (
|
||||
$region_name = $::os_service_default,
|
||||
$username = 'ceilometer',
|
||||
$project_name = 'services',
|
||||
$system_scope = $::os_service_default,
|
||||
$cafile = $::os_service_default,
|
||||
$interface = $::os_service_default,
|
||||
$user_domain_name = 'Default',
|
||||
@ -60,16 +65,25 @@ class ceilometer::agent::service_credentials (
|
||||
|
||||
include ceilometer::deps
|
||||
|
||||
if is_service_default($system_scope) {
|
||||
$project_name_real = $project_name
|
||||
$project_domain_name_real = $project_domain_name
|
||||
} else {
|
||||
$project_name_real = $::os_service_default
|
||||
$project_domain_name_real = $::os_service_default
|
||||
}
|
||||
|
||||
ceilometer_config {
|
||||
'service_credentials/auth_url' : value => $auth_url;
|
||||
'service_credentials/region_name' : value => $region_name;
|
||||
'service_credentials/username' : value => $username;
|
||||
'service_credentials/password' : value => $password, secret => true;
|
||||
'service_credentials/project_name' : value => $project_name;
|
||||
'service_credentials/project_name' : value => $project_name_real;
|
||||
'service_credentials/system_scope' : value => $system_scope;
|
||||
'service_credentials/cafile' : value => $cafile;
|
||||
'service_credentials/interface' : value => $interface;
|
||||
'service_credentials/user_domain_name' : value => $user_domain_name;
|
||||
'service_credentials/project_domain_name': value => $project_domain_name;
|
||||
'service_credentials/project_domain_name': value => $project_domain_name_real;
|
||||
'service_credentials/auth_type' : value => $auth_type;
|
||||
}
|
||||
}
|
||||
|
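Review bot: The `system_scope` doc comment does not say that any non-default value makes the `if is_service_default($system_scope)` branch replace `project_name` and `project_domain_name` with `$::os_service_default`, so an operator who passes both has the project settings dropped without any hint. A system-scoped credential is authorised against the deployment as a whole rather than a single project, so that precedence is worth stating, e.g. `# (Optional) Scope for system operations. When set, project_name and project_domain_name are ignored and the credential is system-scoped.` Any other non-default value (a typo, or presumably an empty string) takes the same else branch, so it may also be worth rejecting values the identity service does not accept before the project scope is removed. The class parameter list begins outside the visible hunks.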
@ -0,0 +1,5 @@
|
||||
---
|
||||
features:
|
||||
- |
|
||||
The ``ceilometer::agent::service_credentials::system_scope`` parameter has
|
||||
been added.
|
@ -19,6 +19,7 @@ describe 'ceilometer::agent::service_credentials' do
|
||||
is_expected.to contain_ceilometer_config('service_credentials/username').with_value('ceilometer')
|
||||
is_expected.to contain_ceilometer_config('service_credentials/password').with_value('password').with_secret(true)
|
||||
is_expected.to contain_ceilometer_config('service_credentials/project_name').with_value('services')
|
||||
is_expected.to contain_ceilometer_config('service_credentials/system_scope').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_ceilometer_config('service_credentials/cafile').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_ceilometer_config('service_credentials/interface').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_ceilometer_config('service_credentials/user_domain_name').with_value('Default')
|
||||
@ -48,6 +49,7 @@ describe 'ceilometer::agent::service_credentials' do
|
||||
is_expected.to contain_ceilometer_config('service_credentials/username').with_value('ceilometer2')
|
||||
is_expected.to contain_ceilometer_config('service_credentials/password').with_value('password').with_secret(true)
|
||||
is_expected.to contain_ceilometer_config('service_credentials/project_name').with_value('services2')
|
||||
is_expected.to contain_ceilometer_config('service_credentials/system_scope').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_ceilometer_config('service_credentials/cafile').with_value('/tmp/dummy.pem')
|
||||
is_expected.to contain_ceilometer_config('service_credentials/interface').with_value('internalURL')
|
||||
is_expected.to contain_ceilometer_config('service_credentials/user_domain_name').with_value('MyDomain')
|
||||
@ -56,6 +58,18 @@ describe 'ceilometer::agent::service_credentials' do
|
||||
end
|
||||
end
|
||||
|
||||
context 'when system_scope is set' do
|
||||
before do
|
||||
params.merge!(
|
||||
:system_scope => 'all'
|
||||
)
|
||||
end
|
||||
it 'configures system-scoped credential' do
|
||||
is_expected.to contain_ceilometer_config('service_credentials/project_name').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_ceilometer_config('service_credentials/project_domain_name').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_ceilometer_config('service_credentials/system_scope').with_value('all')
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
on_supported_os({
|
||||
|
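Review bot: The new `when system_scope is set` context merges only `:system_scope => 'all'`, so it appears to exercise the override against the default project name rather than one the caller chose. Adding `:project_name => 'services2',` (and a `:project_domain_name` value) to the `params.merge!` call would pin that an explicitly configured project scope is also dropped once the credential is system-scoped. The base `params` are defined outside the hunk, so confirm they do not already set these.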