From b2a7f545841b9f2c13684fd6dd15de1d0e708508 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Fri, 22 Mar 2024 12:32:38 +0900
Subject: [PATCH] Support rbac_service_* options ... which were added recently to ironic. Note that the specific default value is defined for rbac_service_project_name, because in Puppet OpenStack modules 'services' is widely used for service project instead of 'service', which is the default in ironic.
Depends-on: https://review.opendev.org/907148
Change-Id: I28485f7946d5a040a039e6c200de264a840ba7c4
---
 manifests/init.pp | 28 ++++++++++++++-----
 .../rbac_service-opts-ae56def0ce0491f0.yaml | 7 +++++
 spec/classes/ironic_init_spec.rb | 6 ++++
 3 files changed, 34 insertions(+), 7 deletions(-)
 create mode 100644 releasenotes/notes/rbac_service-opts-ae56def0ce0491f0.yaml
diff --git a/manifests/init.pp b/manifests/init.pp
index 98934496..c771ad48 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -262,6 +262,16 @@
 # (optional) Topics for the versioned notifications issued by Ironic
 # Defaults to $facts['os_service_default']
 #
+# [*rbac_service_role_elevated_access*]
+# (optional) Enable elevated access for users with service role belonging
+# to the 'rbac_service_project_name' project when using the default policy.
+# Defaults to $facts['os_service_default']
+#
+# [*rbac_service_project_name*]
+# (optional) The project name utilized for Role Based Access Control checks
+# for the reserved `service` project.
+# Defaults to 'services'
+#
 class ironic (
 Boolean $enabled = true,
 $package_ensure = 'present',
@@ -315,6 +325,8 @@ class ironic (
 $notification_topics = $facts['os_service_default'],
 $notification_level = $facts['os_service_default'],
 $versioned_notifications_topics = $facts['os_service_default'],
+ $rbac_service_role_elevated_access = $facts['os_service_default'],
+ $rbac_service_project_name = 'services',
 ) {
 include ironic::deps
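Review bot: The parameter documentation added in the first hunk of manifests/init.pp gives the default of `rbac_service_project_name` as 'services' but does not say that this differs from ironic's own default of 'service', which only the commit message mentions. Because this name selects the project whose service-role users receive elevated access when `rbac_service_role_elevated_access` is enabled, an operator whose Keystone service project is named differently needs to see that in the docs. I would add a line to that entry such as `#   Note that ironic itself defaults to 'service'; set this to the project that holds your service users.`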
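Review bot: Both parameters added to the class signature in the second hunk are declared without a data type, while `$enabled` in the same signature is typed `Boolean`. These two values feed an authorization decision, so a mistyped value such as an empty project name should fail at catalog compilation rather than be written to ironic.conf. For the project name, `String[1] $rbac_service_project_name = 'services',` would reject an empty value. The boolean option needs a type that accepts both a Boolean and whatever `$facts['os_service_default']` holds, presumably a string. The class body continues outside this hunk.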
@@ -341,13 +353,15 @@ class ironic (
 }
 ironic_config {
- 'DEFAULT/auth_strategy': value => $auth_strategy;
- 'DEFAULT/my_ip': value => $my_ip;
- 'DEFAULT/my_ipv6': value => $my_ipv6;
- 'DEFAULT/default_resource_class': value => $default_resource_class;
- 'DEFAULT/notification_level': value => $notification_level;
- 'DEFAULT/versioned_notifications_topics': value => $versioned_notifications_topics;
- 'DEFAULT/rpc_transport': value => $rpc_transport;
+ 'DEFAULT/auth_strategy': value => $auth_strategy;
+ 'DEFAULT/my_ip': value => $my_ip;
+ 'DEFAULT/my_ipv6': value => $my_ipv6;
+ 'DEFAULT/default_resource_class': value => $default_resource_class;
+ 'DEFAULT/notification_level': value => $notification_level;
+ 'DEFAULT/versioned_notifications_topics': value => $versioned_notifications_topics;
+ 'DEFAULT/rpc_transport': value => $rpc_transport;
+ 'DEFAULT/rbac_service_role_elevated_access': value => $rbac_service_role_elevated_access;
+ 'DEFAULT/rbac_service_project_name': value => $rbac_service_project_name;
 }
 if $sync_db {
diff --git a/releasenotes/notes/rbac_service-opts-ae56def0ce0491f0.yaml b/releasenotes/notes/rbac_service-opts-ae56def0ce0491f0.yaml
new file mode 100644
index 00000000..43ea23e0
--- /dev/null
+++ b/releasenotes/notes/rbac_service-opts-ae56def0ce0491f0.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - |
+ The following two parameters have been added to the ``ironic`` class.
+
+ - ``rbac_service_role_elevated_access``
+ - ``rbac_service_project_name``
diff --git a/spec/classes/ironic_init_spec.rb b/spec/classes/ironic_init_spec.rb
index b98fbffb..628be9cf 100644
--- a/spec/classes/ironic_init_spec.rb
+++ b/spec/classes/ironic_init_spec.rb
@@ -69,6 +69,8 @@ describe 'ironic' do
 is_expected.to contain_ironic_config('DEFAULT/notification_level').with_value('')
 is_expected.to contain_ironic_config('DEFAULT/versioned_notifications_topics').with_value('')
 is_expected.to contain_ironic_config('DEFAULT/rpc_transport').with_value('')
+ is_expected.to contain_ironic_config('DEFAULT/rbac_service_role_elevated_access').with_value('')
+ is_expected.to contain_ironic_config('DEFAULT/rbac_service_project_name').with_value('services')
 is_expected.to contain_oslo__messaging__default('ironic_config').with(
 :executor_thread_pool_size => '',
@@ -158,6 +160,8 @@ describe 'ironic' do
 :notification_transport_url => 'rabbit://rabbit_user:password@localhost:5673',
 :notification_driver => 'messagingv2',
 :notification_topics => 'openstack',
+ :rbac_service_role_elevated_access => true,
+ :rbac_service_project_name => 'service',
 }
 end
@@ -169,6 +173,8 @@ describe 'ironic' do
 is_expected.to contain_ironic_config('DEFAULT/notification_level').with_value('warning')
 is_expected.to contain_ironic_config('DEFAULT/versioned_notifications_topics').with_value('ironic_versioned_notifications')
 is_expected.to contain_ironic_config('DEFAULT/rpc_transport').with_value('oslo')
+ is_expected.to contain_ironic_config('DEFAULT/rbac_service_role_elevated_access').with_value(true)
+ is_expected.to contain_ironic_config('DEFAULT/rbac_service_project_name').with_value('service')
 is_expected.to contain_oslo__messaging__default('ironic_config').with(
 :executor_thread_pool_size => '128',