From 193498c953663a9fa0092db24895e4792cfa5d33 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Tue, 25 Jan 2022 16:51:42 +0900
Subject: [PATCH] Accept system scope credential for Inspector API request
Currently Ironic uses the user credential in [inspector] section to start introspection but this API is available only for system admin when SRBAC is enforced. This change allows usage of system-scoped credential instead of project-scoped one.
Change-Id: I4b1c88f36c948c45e87c5d0587589648e8d5d2a4
---
 manifests/drivers/inspector.pp | 18 ++++++++-
 ...stem_scope-inspector-61259d1e1f37d866.yaml | 5 +++
 spec/classes/ironic_drivers_inspector_spec.rb | 39 +++++++++++++------
 3 files changed, 48 insertions(+), 14 deletions(-)
 create mode 100644 releasenotes/notes/system_scope-inspector-61259d1e1f37d866.yaml
diff --git a/manifests/drivers/inspector.pp b/manifests/drivers/inspector.pp
index b726398e..52a413fe 100644
--- a/manifests/drivers/inspector.pp
+++ b/manifests/drivers/inspector.pp
@@ -42,6 +42,10 @@
 # The name of project's domain (required for Identity V3).
 # Defaults to 'Default'
 #
+# [*system_scope*]
+# (Optional) Scope for system operations
+# Defaults to $::os_service_default
+#
 # [*region_name*]
 # (optional) Region name for connecting to ironic-inspector in admin context
 # through the OpenStack Identity service.
@@ -77,6 +81,7 @@ class ironic::drivers::inspector (
 $password = $::os_service_default,
 $user_domain_name = 'Default',
 $project_domain_name = 'Default',
+ $system_scope = $::os_service_default,
 $region_name = $::os_service_default,
 $endpoint_override = $::os_service_default,
 $callback_endpoint_override = $::os_service_default,
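Review bot: The new `[*system_scope*]` entry in the class header (hunk `@@ -42,6 +42,10 @@`) does not say that setting it replaces the project scope. The later hunk `@@ -93,14 +98,23 @@` writes `inspector/project_name` and `inspector/project_domain_name` as the service default whenever `system_scope` is set, so a caller who passes both has the project values dropped without any message. I would extend the comment to `# (Optional) Scope for system operations. When set, project_name and project_domain_name are ignored.` Since the commit message says the API needs a system admin, the entry could also state that the configured user must hold a system-level role assignment, which is a broader grant than the project-scoped one it replaces. The header comment block starts and ends outside this hunk.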
@@ -93,14 +98,23 @@ class ironic::drivers::inspector (
 has no effect. Please use ironic::drivers::inspector::endpoint_override instead.")
 }
+ if is_service_default($system_scope) {
+ $project_name_real = $project_name
+ $project_domain_name_real = $project_domain_name
+ } else {
+ $project_name_real = $::os_service_default
+ $project_domain_name_real = $::os_service_default
+ }
+
 ironic_config {
 'inspector/auth_type': value => $auth_type;
 'inspector/username': value => $username;
 'inspector/password': value => $password, secret => true;
 'inspector/auth_url': value => $auth_url;
- 'inspector/project_name': value => $project_name;
+ 'inspector/project_name': value => $project_name_real;
 'inspector/user_domain_name': value => $user_domain_name;
- 'inspector/project_domain_name': value => $project_domain_name;
+ 'inspector/project_domain_name': value => $project_domain_name_real;
+ 'inspector/system_scope': value => $system_scope;
 'inspector/region_name': value => $region_name;
 'inspector/endpoint_override': value => $endpoint_override;
 'inspector/callback_endpoint_override': value => $callback_endpoint_override;
diff --git a/releasenotes/notes/system_scope-inspector-61259d1e1f37d866.yaml b/releasenotes/notes/system_scope-inspector-61259d1e1f37d866.yaml
new file mode 100644
index 00000000..e9063158
--- /dev/null
+++ b/releasenotes/notes/system_scope-inspector-61259d1e1f37d866.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ The new ``sysem_scope`` parameter has been added to
+ the ``ironic::drivers::inspector`` class.
diff --git a/spec/classes/ironic_drivers_inspector_spec.rb b/spec/classes/ironic_drivers_inspector_spec.rb
index b9af3925..6a2aab25 100644
--- a/spec/classes/ironic_drivers_inspector_spec.rb
+++ b/spec/classes/ironic_drivers_inspector_spec.rb
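Review bot: In manifests/drivers/inspector.pp (hunk `@@ -93,14 +98,23 @@`), `$system_scope` is written to `inspector/system_scope` unchecked, yet any non-default value makes the `if is_service_default($system_scope)` block clear both project settings. A mistyped value would leave the [inspector] credential with no project scope and a system scope the identity service may reject, and that would only surface when introspection is started. As far as I know `all` is the only value keystone accepts here (worth confirming); if so, a guard before the `if` block would fail at catalog compile time instead: `if !is_service_default($system_scope) and $system_scope != 'all' { fail('system_scope must be "all" when set') }`. The class body continues outside this hunk.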
@@ -41,6 +41,7 @@ describe 'ironic::drivers::inspector' do
 is_expected.to contain_ironic_config('inspector/password').with_value('').with_secret(true)
 is_expected.to contain_ironic_config('inspector/user_domain_name').with_value('Default')
 is_expected.to contain_ironic_config('inspector/project_domain_name').with_value('Default')
+ is_expected.to contain_ironic_config('inspector/system_scope').with_value('')
 is_expected.to contain_ironic_config('inspector/region_name').with_value('')
 is_expected.to contain_ironic_config('inspector/endpoint_override').with_value('')
 end
@@ -48,18 +49,18 @@ describe 'ironic::drivers::inspector' do
 context 'when overriding parameters' do
 before :each do
 params.merge!(
- :auth_type => 'noauth',
- :auth_url => 'http://example.com',
- :project_name => 'project1',
- :username => 'admin',
- :password => 'pa$$w0rd',
- :user_domain_name => 'NonDefault',
- :project_domain_name => 'NonDefault',
- :region_name => 'regionTwo',
- :endpoint_override => 'http://example2.com',
- :callback_endpoint_override => 'http://10.0.0.1/v1/continue',
- :power_off => false,
- :extra_kernel_params => 'ipa-inspection-collectors=a,b,c',
+ :auth_type => 'noauth',
+ :auth_url => 'http://example.com',
+ :project_name => 'project1',
+ :username => 'admin',
+ :password => 'pa$$w0rd',
+ :user_domain_name => 'NonDefault',
+ :project_domain_name => 'NonDefault',
+ :region_name => 'regionTwo',
+ :endpoint_override => 'http://example2.com',
+ :callback_endpoint_override => 'http://10.0.0.1/v1/continue',
+ :power_off => false,
+ :extra_kernel_params => 'ipa-inspection-collectors=a,b,c',
 )
 end
@@ -71,6 +72,7 @@ describe 'ironic::drivers::inspector' do
 is_expected.to contain_ironic_config('inspector/password').with_value(p[:password]).with_secret(true)
 is_expected.to contain_ironic_config('inspector/user_domain_name').with_value(p[:user_domain_name])
 is_expected.to contain_ironic_config('inspector/project_domain_name').with_value(p[:project_domain_name])
+ is_expected.to contain_ironic_config('inspector/system_scope').with_value('')
 is_expected.to contain_ironic_config('inspector/region_name').with_value(p[:region_name])
 is_expected.to contain_ironic_config('inspector/endpoint_override').with_value(p[:endpoint_override])
 is_expected.to contain_ironic_config('inspector/callback_endpoint_override').with_value(p[:callback_endpoint_override])
@@ -79,6 +81,19 @@ describe 'ironic::drivers::inspector' do
 end
 end
+ context 'when system_scope is set' do
+ before :each do
+ params.merge!(
+ :system_scope => 'all'
+ )
+ end
+
+ it 'configures system-scoped credential' do
+ is_expected.to contain_ironic_config('inspector/project_name').with_value('')
+ is_expected.to contain_ironic_config('inspector/project_domain_name').with_value('')
+ is_expected.to contain_ironic_config('inspector/system_scope').with_value('all')
+ end
+ end
 end
 on_supported_os({
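Review bot: The new `'when system_scope is set'` context (hunk `@@ -79,6 +81,19 @@`) merges only `:system_scope => 'all'`, so it never covers a caller who also passes explicit project settings. Adding `:project_name => 'project1', :project_domain_name => 'NonDefault'` to this `params.merge!` would pin that explicit project values are cleared rather than written next to the system scope. It would also be worth asserting here that `inspector/username` and `inspector/user_domain_name` are still written, since the credential now depends on them alone. The base `params` and the enclosing example group are defined outside the hunk, so this assumes they do not already set those keys.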