From 5ca6e6fc9cb2403307114877ece24e394be35794 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Mon, 7 Mar 2022 00:20:54 +0900
Subject: [PATCH] Use system scope credentials in providers

This change enforces usage of system scope credentials to manage share types, following the new policy rules for SRBAC support in manila.

The logic to look up credential for the nova service user from [keystone_authtoken] is left to keep backward compatibility but is deprecated and will be removed.

Depends-on: https://review.opendev.org/806474
Depends-on: https://review.opendev.org/828025
Change-Id: Ifd8aa63c94e194083a2b81fa9ea2c14afad5d6ab
---
 lib/puppet/provider/manila.rb | 17 ++++++++++++-----
 lib/puppet/provider/manila_type/openstack.rb | 8 ++++----
 .../provider-system-scope-cb9a22337ffe738d.yaml | 14 ++++++++++++++
 .../unit/provider/manila_type/openstack_spec.rb | 2 +-
 4 files changed, 31 insertions(+), 10 deletions(-)
 create mode 100644 releasenotes/notes/provider-system-scope-cb9a22337ffe738d.yaml

diff --git a/lib/puppet/provider/manila.rb b/lib/puppet/provider/manila.rb
index 039ce8a6..6a257237 100644
--- a/lib/puppet/provider/manila.rb
+++ b/lib/puppet/provider/manila.rb
@@ -1,5 +1,3 @@
-File.expand_path('../../../../openstacklib/lib', File.dirname(__FILE__)).tap { |dir| $LOAD_PATH.unshift(dir) unless $LOAD_PATH.include?(dir) }
-
 require 'puppet/util/inifile'
 require 'puppet/provider/openstack'
 require 'puppet/provider/openstack/auth'
@@ -20,7 +18,15 @@ class Puppet::Provider::Manila < Puppet::Provider::Openstack
     @manila_conf
   end
 
-  def self.request(service, action, properties=nil)
+  def self.project_request(service, action, properties=nil, options={})
+    self.request(service, action, properties, options, 'project')
+  end
+
+  def self.system_request(service, action, properties=nil, options={})
+    self.request(service, action, properties, options, 'system')
+  end
+
+  def self.request(service, action, properties=nil, options={}, scope='project')
     begin
       super
     rescue Puppet::Error::OpenstackAuthInputError, Puppet::Error::OpenstackUnauthorizedError => error
@@ -28,7 +34,8 @@ class Puppet::Provider::Manila < Puppet::Provider::Openstack
     end
   end
 
-  def self.manila_request(service, action, error, properties=nil)
+  def self.manila_request(service, action, error, properties=nil, options={})
+    warning('Usage of keystone_authtoken parameters is deprecated.')
     properties ||= []
     @credentials.username = manila_credentials['username']
     @credentials.password = manila_credentials['password']
@@ -40,7 +47,7 @@ class Puppet::Provider::Manila < Puppet::Provider::Openstack
       @credentials.region_name = manila_credentials['region_name']
     end
     raise error unless @credentials.set?
-    Puppet::Provider::Openstack.request(service, action, properties, @credentials)
+    Puppet::Provider::Openstack.request(service, action, properties, @credentials, options)
   end
 
   def self.manila_credentials
diff --git a/lib/puppet/provider/manila_type/openstack.rb b/lib/puppet/provider/manila_type/openstack.rb
index 435cc21e..ba0b15fa 100644
--- a/lib/puppet/provider/manila_type/openstack.rb
+++ b/lib/puppet/provider/manila_type/openstack.rb
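Review bot: In the `@@ -20,7 +18,15 @@` hunk the new `scope` parameter of `self.request` is consumed only through the bare `super`, while the deprecated fallback `self.manila_request` in the `@@ -28,7 +34,8 @@` hunk gains `options` but no `scope` and still calls `Puppet::Provider::Openstack.request(service, action, properties, @credentials, options)`, so a `system_request` that ends up in that fallback is sent with whatever scope the `[keystone_authtoken]` credentials carry (presumably project scope, given the `username`/`password` fields copied from `manila_credentials`) rather than the system scope the caller asked for. Under the SRBAC policies this commit targets, such a fallback request is likely to be rejected or to run under a different authorization scope than intended, and the new deprecation warning does not say which scope is actually in use. The rescue body that presumably invokes `manila_request` lies between the two hunks, so I cannot see whether `options` is forwarded there. A comment above `def self.request` would make the implicit forwarding and the limitation explicit, e.g. `# Bare super forwards options and scope to Puppet::Provider::Openstack.request; the keystone_authtoken fallback in manila_request ignores scope.`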
@@ -36,7 +36,7 @@ Puppet::Type.type(:manila_type).provide(
     opts << '--revert-to-snapshot-support' << @resource[:revert_to_snapshot_support].to_s.capitalize
     opts << '--mount-snapshot-support' << @resource[:mount_snapshot_support].to_s.capitalize
 
-    self.class.request('share type', 'create', opts)
+    self.class.system_request('share type', 'create', opts)
 
     [
       :name,
@@ -56,7 +56,7 @@ Puppet::Type.type(:manila_type).provide(
     if self.class.do_not_manage
       fail("Not managing Manila_type[#{@resource[:name]}] due to earlier Manila API failures.")
     end
-    self.class.request('share type', 'delete', name)
+    self.class.system_request('share type', 'delete', name)
     @property_hash.clear
     @property_hash[:ensure] = :absent
   end
@@ -71,7 +71,7 @@ Puppet::Type.type(:manila_type).provide(
 
   def self.instances
     self.do_not_manage = true
-    list = request('share type', 'list').collect do |type|
+    list = system_request('share type', 'list').collect do |type|
       required_extra_specs = self.parse_specs(type[:required_extra_specs])
       optional_extra_specs = self.parse_specs(type[:optional_extra_specs])
 
@@ -124,7 +124,7 @@ Puppet::Type.type(:manila_type).provide(
       opts << '--mount-snapshot-support' << @property_flush[:mount_snapshot_support].to_s.capitalize
     end
 
-    self.class.request('share type', 'set', opts)
+    self.class.system_request('share type', 'set', opts)
     @property_flush.clear
   end
 end
diff --git a/releasenotes/notes/provider-system-scope-cb9a22337ffe738d.yaml b/releasenotes/notes/provider-system-scope-cb9a22337ffe738d.yaml
new file mode 100644
index 00000000..d7625a01
--- /dev/null
+++ b/releasenotes/notes/provider-system-scope-cb9a22337ffe738d.yaml
@@ -0,0 +1,14 @@
+---
+upgrade:
+  - |
+    Now the ``manila_type`` resource type uses system scope credential instead
+    of project scope credential when sending requests to Manila API.
+
+deprecations:
+  - |
+    Currently the manila_type`` resource type uses the credential written in
+    the ``[keystone_authtoken]`` section of ``manila.conf``. However this
+    behavior has been deprecated and now the resource type first looks for
+    the yaml files in ``/etc/openstack/puppet``. Make sure one of
+    ``clouds.yaml`` or ``admin-clouds.yaml`` (which is created by
+    puppet-keystone) is created in that directory.
diff --git a/spec/unit/provider/manila_type/openstack_spec.rb b/spec/unit/provider/manila_type/openstack_spec.rb
index 92179523..a900b73b 100644
--- a/spec/unit/provider/manila_type/openstack_spec.rb
+++ b/spec/unit/provider/manila_type/openstack_spec.rb
@@ -8,7 +8,7 @@ describe provider_class do
   let(:set_creds_env) do
     ENV['OS_USERNAME'] = 'test'
     ENV['OS_PASSWORD'] = 'abc123'
-    ENV['OS_PROJECT_NAME'] = 'test'
+    ENV['OS_SYSTEM_SCOPE'] = 'all'
     ENV['OS_AUTH_URL'] = 'http://127.0.0.1:5000'
   end