openstack/puppet-manila
Code Issues Proposed changes

Use system scope credentials in providers

Browse Source 
This change enforces usage of system scope credentials to manage share
types, following the new policy rules for SRBAC support in manila.

The logic to look up credential for the nova service user from
[keystone_authtoken] is left to keep backward compatibility but is
deprecated and will be removed.

Depends-on: https://review.opendev.org/806474
Depends-on: https://review.opendev.org/828025
Change-Id: Ifd8aa63c94e194083a2b81fa9ea2c14afad5d6ab
This commit is contained in:
Takashi Kajinami 2022-03-07 00:20:54 +09:00
parent 3b341a2bfd
commit 5ca6e6fc9c
4 changed files with 31 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
lib/puppet/provider/manila.rb
View File

@ -1,5 +1,3 @@
File.expand_path('../../../../openstacklib/lib', File.dirname(__FILE__)).tap { |dir| $LOAD_PATH.unshift(dir) unless $LOAD_PATH.include?(dir) }
require 'puppet/util/inifile'
require 'puppet/provider/openstack'
require 'puppet/provider/openstack/auth'
@ -20,7 +18,15 @@ class Puppet::Provider::Manila < Puppet::Provider::Openstack
@manila_conf
end
def self.request(service, action, properties=nil)
def self.project_request(service, action, properties=nil, options={})
self.request(service, action, properties, options, 'project')
end
def self.system_request(service, action, properties=nil, options={})
self.request(service, action, properties, options, 'system')
end
def self.request(service, action, properties=nil, options={}, scope='project')
begin
super
rescue Puppet::Error::OpenstackAuthInputError, Puppet::Error::OpenstackUnauthorizedError => error
@ -28,7 +34,8 @@ class Puppet::Provider::Manila < Puppet::Provider::Openstack
end
end
def self.manila_request(service, action, error, properties=nil)
def self.manila_request(service, action, error, properties=nil, options={})
warning('Usage of keystone_authtoken parameters is deprecated.')
properties ||= []
@credentials.username = manila_credentials['username']
@credentials.password = manila_credentials['password']
@ -40,7 +47,7 @@ class Puppet::Provider::Manila < Puppet::Provider::Openstack
@credentials.region_name = manila_credentials['region_name']
end
raise error unless @credentials.set?
Puppet::Provider::Openstack.request(service, action, properties, @credentials)
Puppet::Provider::Openstack.request(service, action, properties, @credentials, options)
end
def self.manila_credentials

8
lib/puppet/provider/manila_type/openstack.rb
View File

@ -36,7 +36,7 @@ Puppet::Type.type(:manila_type).provide(
opts << '--revert-to-snapshot-support' << @resource[:revert_to_snapshot_support].to_s.capitalize
opts << '--mount-snapshot-support' << @resource[:mount_snapshot_support].to_s.capitalize
self.class.request('share type', 'create', opts)
self.class.system_request('share type', 'create', opts)
[
:name,
@ -56,7 +56,7 @@ Puppet::Type.type(:manila_type).provide(
if self.class.do_not_manage
fail("Not managing Manila_type[#{@resource[:name]}] due to earlier Manila API failures.")
end
self.class.request('share type', 'delete', name)
self.class.system_request('share type', 'delete', name)
@property_hash.clear
@property_hash[:ensure] = :absent
end
@ -71,7 +71,7 @@ Puppet::Type.type(:manila_type).provide(
def self.instances
self.do_not_manage = true
list = request('share type', 'list').collect do |type|
list = system_request('share type', 'list').collect do |type|
required_extra_specs = self.parse_specs(type[:required_extra_specs])
optional_extra_specs = self.parse_specs(type[:optional_extra_specs])
@ -124,7 +124,7 @@ Puppet::Type.type(:manila_type).provide(
opts << '--mount-snapshot-support' << @property_flush[:mount_snapshot_support].to_s.capitalize
end
self.class.request('share type', 'set', opts)
self.class.system_request('share type', 'set', opts)
@property_flush.clear
end
end

14
releasenotes/notes/provider-system-scope-cb9a22337ffe738d.yaml Normal file
View File

@ -0,0 +1,14 @@
---
upgrade:
- |
Now the ``manila_type`` resource type uses system scope credential instead
of project scope credential when sending requests to Manila API.
deprecations:
- |
Currently the manila_type`` resource type uses the credential written in
the ``[keystone_authtoken]`` section of ``manila.conf``. However this
behavior has been deprecated and now the resource type first looks for
the yaml files in ``/etc/openstack/puppet``. Make sure one of
``clouds.yaml`` or ``admin-clouds.yaml`` (which is created by
puppet-keystone) is created in that directory.

2
spec/unit/provider/manila_type/openstack_spec.rb
View File

@ -8,7 +8,7 @@ describe provider_class do
let(:set_creds_env) do
ENV['OS_USERNAME'] = 'test'
ENV['OS_PASSWORD'] = 'abc123'
ENV['OS_PROJECT_NAME'] = 'test'
ENV['OS_SYSTEM_SCOPE'] = 'all'
ENV['OS_AUTH_URL'] = 'http://127.0.0.1:5000'
end