Accept system scope credentials for Keystone API request

This change is the first step to support secure RBAC and allows usage of system scope credentials for Keystone API request. This change covers the following two items. - assignment of system scope roles to system user - credential parameters for authtoken middleware Note that the credential parameters for authtoken middleware are used in some providers, and these providers still require a project scope credential. This will be fixed by the subsequent change. Depends-on: https://review.opendev.org/804325 Change-Id: I8b73f04bd10d0129c7437c6f9c6a436b6171f39d
2021-11-25 21:18:34 +09:00 · 2021-11-25 21:18:34 +09:00 · a528fe3c4e
commit a528fe3c4e
parent d8a630877b
5 changed files with 52 additions and 4 deletions
--- a/manifests/keystone/auth.pp
+++ b/manifests/keystone/auth.pp
@ -19,6 +19,18 @@
 #   (Optional) Tenant for Neutron user.
 #   Defaults to 'services'.
 #
+# [*roles*]
+#   (Optional) List of roles assigned to neutron user.
+#   Defaults to ['admin']
+#
+# [*system_scope*]
+#   (Optional) Scope for system operations.
+#   Defaults to 'all'
+#
+# [*system_roles*]
+#   (Optional) List of system roles assigned to neutron user.
+#   Defaults to []
+#
 # [*configure_endpoint*]
 #   (Optional) Should Neutron endpoint be configured?
 #   Defaults to true.
@ -75,6 +87,9 @@ class neutron::keystone::auth (
  $auth_name           = 'neutron',
  $email               = 'neutron@localhost',
  $tenant              = 'services',
+  $roles               = ['admin'],
+  $system_scope        = 'all',
+  $system_roles        = [],
  $configure_endpoint  = true,
  $configure_user      = true,
  $configure_user_role = true,
@ -89,14 +104,13 @@ class neutron::keystone::auth (

  include neutron::deps

+  Keystone_user_role<| name == "${auth_name}@${tenant}" |> -> Anchor['neutron::service::end']
+  Keystone_user_role<| name == "${auth_name}@::::${system_scope}" |> -> Anchor['neutron::service::end']
+
  if $configure_endpoint {
    Keystone_endpoint["${region}/${service_name}::${service_type}"] -> Anchor['neutron::service::end']
  }

-  if $configure_user_role {
-    Keystone_user_role["${auth_name}@${tenant}"] -> Anchor['neutron::service::end']
-  }
-
  keystone::resource::service_identity { 'neutron':
    configure_user      => $configure_user,
    configure_user_role => $configure_user_role,
@ -109,6 +123,9 @@ class neutron::keystone::auth (
    password            => $password,
    email               => $email,
    tenant              => $tenant,
+    roles               => $roles,
+    system_scope        => $system_scope,
+    system_roles        => $system_roles,
    public_url          => $public_url,
    admin_url           => $admin_url,
    internal_url        => $internal_url,
--- a/manifests/keystone/authtoken.pp
+++ b/manifests/keystone/authtoken.pp
@ -28,6 +28,10 @@
 #   (Optional) Name of domain for $project_name
 #   Defaults to 'Default'
 #
+# [*system_scope*]
+#   (Optional) Scope for system operations.
+#   Defaults to $::os_service_default
+#
 # [*insecure*]
 #   (Optional) If true, explicitly allow TLS without checking server cert
 #   against any certificate authorities.  WARNING: not recommended.  Use with
@ -198,6 +202,7 @@ class neutron::keystone::authtoken(
  $project_name                   = 'services',
  $user_domain_name               = 'Default',
  $project_domain_name            = 'Default',
+  $system_scope                   = $::os_service_default,
  $insecure                       = $::os_service_default,
  $auth_section                   = $::os_service_default,
  $auth_type                      = 'password',
@ -251,6 +256,7 @@ class neutron::keystone::authtoken(
      auth_section                   => $auth_section,
      user_domain_name               => $user_domain_name,
      project_domain_name            => $project_domain_name,
+      system_scope                   => $system_scope,
      insecure                       => $insecure,
      cache                          => $cache,
      cafile                         => $cafile,
--- a/releasenotes/notes/system_scope-keystone-024e391d7b20ed8b.yaml
+++ b/releasenotes/notes/system_scope-keystone-024e391d7b20ed8b.yaml
@ -0,0 +1,13 @@
+---
+features:
+  - |
+    The ``system_scope`` parameter has been added to
+    the ``neutron::keystone::authtoken`` class.
+
+  - |
+    The ``neutron::keystone::auth`` class now supports customizing roles
+    assigned to the neutron service user.
+
+  - |
+    The ``neutron::keystone::auth`` class now supports defining assignmet of
+    system-scoped roles to the neutron service user.
--- a/spec/classes/neutron_keystone_auth_spec.rb
+++ b/spec/classes/neutron_keystone_auth_spec.rb
@ -23,6 +23,9 @@ describe 'neutron::keystone::auth' do
        :password            => 'neutron_password',
        :email               => 'neutron@localhost',
        :tenant              => 'services',
+        :roles               => ['admin'],
+        :system_scope        => 'all',
+        :system_roles        => [],
        :public_url          => 'http://127.0.0.1:9696',
        :internal_url        => 'http://127.0.0.1:9696',
        :admin_url           => 'http://127.0.0.1:9696',
@ -35,6 +38,9 @@ describe 'neutron::keystone::auth' do
          :auth_name           => 'alt_neutron',
          :email               => 'alt_neutron@alt_localhost',
          :tenant              => 'alt_service',
+          :roles               => ['admin', 'service'],
+          :system_scope        => 'alt_all',
+          :system_roles        => ['admin', 'member', 'reader'],
          :configure_endpoint  => false,
          :configure_user      => false,
          :configure_user_role => false,
@ -59,6 +65,9 @@ describe 'neutron::keystone::auth' do
        :password            => 'neutron_password',
        :email               => 'alt_neutron@alt_localhost',
        :tenant              => 'alt_service',
+        :roles               => ['admin', 'service'],
+        :system_scope        => 'alt_all',
+        :system_roles        => ['admin', 'member', 'reader'],
        :public_url          => 'https://10.10.10.10:80',
        :internal_url        => 'http://10.10.10.11:81',
        :admin_url           => 'http://10.10.10.12:81',
--- a/spec/classes/neutron_keystone_authtoken_spec.rb
+++ b/spec/classes/neutron_keystone_authtoken_spec.rb
@ -18,6 +18,7 @@ describe 'neutron::keystone::authtoken' do
          :project_name                   => 'services',
          :user_domain_name               => 'Default',
          :project_domain_name            => 'Default',
+          :system_scope                   => '<SERVICE DEFAULT>',
          :insecure                       => '<SERVICE DEFAULT>',
          :auth_section                   => '<SERVICE DEFAULT>',
          :auth_type                      => 'password',
@ -62,6 +63,7 @@ describe 'neutron::keystone::authtoken' do
          :project_name                   => 'service_project',
          :user_domain_name               => 'domainX',
          :project_domain_name            => 'domainX',
+          :system_scope                   => 'all',
          :insecure                       => false,
          :auth_section                   => 'new_section',
          :auth_type                      => 'password',
@ -103,6 +105,7 @@ describe 'neutron::keystone::authtoken' do
          :project_name                   => 'service_project',
          :user_domain_name               => 'domainX',
          :project_domain_name            => 'domainX',
+          :system_scope                   => 'all',
          :insecure                       => false,
          :auth_section                   => 'new_section',
          :auth_type                      => 'password',