Accept system scope credentials for Keystone API request
This change is the first step to support secure RBAC and allows usage of system scope credentials for Keystone API request. This change covers the following two items. - assignment of system scope roles to system user - credential parameters for authtoken middleware Depends-on: https://review.opendev.org/804325 Change-Id: I3fdb61f675836f7de4d83baa0d3f45c491afbe68
This commit is contained in:
Takashi Kajinami
@@ -52,6 +52,18 @@
|
||||
# (Optional) Tenant for Manila user.
|
||||
# Defaults to 'services'.
|
||||
#
|
||||
# [*roles*]
|
||||
# (Optional) List of roles assigned to Manila user.
|
||||
# Defaults to ['admin']
|
||||
#
|
||||
# [*system_scope*]
|
||||
# (Optional) Scope for system operations.
|
||||
# Defaults to 'all'
|
||||
#
|
||||
# [*system_roles*]
|
||||
# (Optional) List of system roles assigned to Manila user.
|
||||
# Defaults to []
|
||||
#
|
||||
# [*public_url*]
|
||||
# (0ptional) The endpoint's public url.
|
||||
# This url should *not* contain any trailing '/'.
|
||||
@@ -132,6 +144,9 @@ class manila::keystone::auth (
|
||||
$email = 'manila@localhost',
|
||||
$email_v2 = 'manilav2@localhost',
|
||||
$tenant = 'services',
|
||||
$roles = ['admin'],
|
||||
$system_scope = 'all',
|
||||
$system_roles = [],
|
||||
$configure_endpoint = true,
|
||||
$configure_endpoint_v2 = true,
|
||||
$configure_user = true,
|
||||
@@ -153,6 +168,17 @@ class manila::keystone::auth (
|
||||
|
||||
include manila::deps
|
||||
|
||||
Keystone_user_role<| name == "${auth_name}@${tenant}" |> -> Anchor['manila::service::end']
|
||||
Keystone_user_role<| name == "${auth_name}@::::${system_scope}" |> -> Anchor['manila::service::end']
|
||||
|
||||
if $configure_endpoint {
|
||||
Keystone_endpoint["${region}/${service_name}::${service_type}"] -> Anchor['manila::service::end']
|
||||
}
|
||||
|
||||
if $configure_endpoint_v2 {
|
||||
Keystone_endpoint["${region}/${service_name_v2}::${service_type_v2}"] -> Anchor['manila::service::end']
|
||||
}
|
||||
|
||||
# for interface backward compatibility, we can't enforce to set a new parameter
|
||||
# so we take 'password' parameter by default but allow to override it.
|
||||
if ! $password_v2 {
|
||||
@@ -173,6 +199,9 @@ class manila::keystone::auth (
|
||||
password => $password,
|
||||
email => $email,
|
||||
tenant => $tenant,
|
||||
roles => $roles,
|
||||
system_scope => $system_scope,
|
||||
system_roles => $system_roles,
|
||||
public_url => $public_url,
|
||||
admin_url => $admin_url,
|
||||
internal_url => $internal_url,
|
||||
@@ -190,6 +219,9 @@ class manila::keystone::auth (
|
||||
password => $password_v2_real,
|
||||
email => $email_v2,
|
||||
tenant => $tenant,
|
||||
roles => $roles,
|
||||
system_scope => $system_scope,
|
||||
system_roles => $system_roles,
|
||||
public_url => $public_url_v2,
|
||||
admin_url => $admin_url_v2,
|
||||
internal_url => $internal_url_v2,
|
||||
|
||||
@@ -28,6 +28,10 @@
|
||||
# (Optional) Name of domain for $project_name
|
||||
# Defaults to 'Default'
|
||||
#
|
||||
# [*system_scope*]
|
||||
# (Optional) Scope for system operations
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*insecure*]
|
||||
# (Optional) If true, explicitly allow TLS without checking server cert
|
||||
# against any certificate authorities. WARNING: not recommended. Use with
|
||||
@@ -198,6 +202,7 @@ class manila::keystone::authtoken(
|
||||
$project_name = 'services',
|
||||
$user_domain_name = 'Default',
|
||||
$project_domain_name = 'Default',
|
||||
$system_scope = $::os_service_default,
|
||||
$insecure = $::os_service_default,
|
||||
$auth_section = $::os_service_default,
|
||||
$auth_type = 'password',
|
||||
@@ -251,6 +256,7 @@ class manila::keystone::authtoken(
|
||||
auth_section => $auth_section,
|
||||
user_domain_name => $user_domain_name,
|
||||
project_domain_name => $project_domain_name,
|
||||
system_scope => $system_scope,
|
||||
insecure => $insecure,
|
||||
cache => $cache,
|
||||
cafile => $cafile,
|
||||
|
||||
@@ -0,0 +1,13 @@
|
||||
---
|
||||
features:
|
||||
- |
|
||||
The ``system_scope`` parameter has been added to
|
||||
the ``manila::keystone::authtoken`` class.
|
||||
|
||||
- |
|
||||
The ``manila::keystone::auth`` class now supports customizing roles
|
||||
assigned to the manila service user.
|
||||
|
||||
- |
|
||||
The ``manila::keystone::auth`` class now supports defining assignmet of
|
||||
system-scoped roles to the manila service user.
|
||||
@@ -23,6 +23,9 @@ describe 'manila::keystone::auth' do
|
||||
:password => 'manila_password',
|
||||
:email => 'manila@localhost',
|
||||
:tenant => 'services',
|
||||
:roles => ['admin'],
|
||||
:system_scope => 'all',
|
||||
:system_roles => [],
|
||||
:public_url => 'http://127.0.0.1:8786/v1/%(tenant_id)s',
|
||||
:internal_url => 'http://127.0.0.1:8786/v1/%(tenant_id)s',
|
||||
:admin_url => 'http://127.0.0.1:8786/v1/%(tenant_id)s',
|
||||
@@ -40,6 +43,9 @@ describe 'manila::keystone::auth' do
|
||||
:password => 'manila_password',
|
||||
:email => 'manilav2@localhost',
|
||||
:tenant => 'services',
|
||||
:roles => ['admin'],
|
||||
:system_scope => 'all',
|
||||
:system_roles => [],
|
||||
:public_url => 'http://127.0.0.1:8786/v2',
|
||||
:internal_url => 'http://127.0.0.1:8786/v2',
|
||||
:admin_url => 'http://127.0.0.1:8786/v2',
|
||||
@@ -52,6 +58,9 @@ describe 'manila::keystone::auth' do
|
||||
:auth_name => 'alt_manila',
|
||||
:email => 'alt_manila@alt_localhost',
|
||||
:tenant => 'alt_service',
|
||||
:roles => ['admin', 'service'],
|
||||
:system_scope => 'alt_all',
|
||||
:system_roles => ['admin', 'member', 'reader'],
|
||||
:configure_endpoint => false,
|
||||
:configure_user => false,
|
||||
:configure_user_role => false,
|
||||
@@ -88,6 +97,9 @@ describe 'manila::keystone::auth' do
|
||||
:password => 'manila_password',
|
||||
:email => 'alt_manila@alt_localhost',
|
||||
:tenant => 'alt_service',
|
||||
:roles => ['admin', 'service'],
|
||||
:system_scope => 'alt_all',
|
||||
:system_roles => ['admin', 'member', 'reader'],
|
||||
:public_url => 'https://10.10.10.10:80',
|
||||
:internal_url => 'http://10.10.10.11:81',
|
||||
:admin_url => 'http://10.10.10.12:81',
|
||||
@@ -105,6 +117,9 @@ describe 'manila::keystone::auth' do
|
||||
:password => 'manilav2_password',
|
||||
:email => 'alt_manilav2@alt_localhost',
|
||||
:tenant => 'alt_service',
|
||||
:roles => ['admin', 'service'],
|
||||
:system_scope => 'alt_all',
|
||||
:system_roles => ['admin', 'member', 'reader'],
|
||||
:public_url => 'https://10.10.10.20:80',
|
||||
:internal_url => 'http://10.10.10.21:81',
|
||||
:admin_url => 'http://10.10.10.22:81',
|
||||
|
||||
@@ -18,6 +18,7 @@ describe 'manila::keystone::authtoken' do
|
||||
:project_name => 'services',
|
||||
:user_domain_name => 'Default',
|
||||
:project_domain_name => 'Default',
|
||||
:system_scope => '<SERVICE DEFAULT>',
|
||||
:insecure => '<SERVICE DEFAULT>',
|
||||
:auth_section => '<SERVICE DEFAULT>',
|
||||
:auth_type => 'password',
|
||||
@@ -62,6 +63,7 @@ describe 'manila::keystone::authtoken' do
|
||||
:project_name => 'service_project',
|
||||
:user_domain_name => 'domainX',
|
||||
:project_domain_name => 'domainX',
|
||||
:system_scope => 'all',
|
||||
:insecure => false,
|
||||
:auth_section => 'new_section',
|
||||
:auth_type => 'password',
|
||||
@@ -103,6 +105,7 @@ describe 'manila::keystone::authtoken' do
|
||||
:project_name => 'service_project',
|
||||
:user_domain_name => 'domainX',
|
||||
:project_domain_name => 'domainX',
|
||||
:system_scope => 'all',
|
||||
:insecure => false,
|
||||
:auth_section => 'new_section',
|
||||
:auth_type => 'password',
|
||||
|
||||
Reference in New Issue
Block a user