From f4271788b4018bcabbfa6dfda622b6a20425fe58 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Tue, 25 Jan 2022 17:06:02 +0900
Subject: [PATCH] Accept system scope credential for Neutron API request

Currently Nova uses the user credential in [neutron] section to update port binding/migration profile or get resource_request of ports, but these APIs are available for system admin/reader when SRBAC is enforced. This change allows usage of system-scoped credential instead of project-scoped one.

Change-Id: Id1b4e324c8a46a8951f9e37203eb74a5602700e5
---
 manifests/network/neutron.pp | 18 ++++++++++++++++--
 .../system_scope-neutron-6d5421393cbf7759.yaml | 5 +++++
 spec/classes/nova_network_neutron_spec.rb | 16 ++++++++++++++++
 3 files changed, 37 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/system_scope-neutron-6d5421393cbf7759.yaml

diff --git a/manifests/network/neutron.pp b/manifests/network/neutron.pp
index c36c102f3..5ff203618 100644
--- a/manifests/network/neutron.pp
+++ b/manifests/network/neutron.pp
@@ -22,6 +22,10 @@
 # admin context through the OpenStack Identity service.
 # Defaults to 'Default'
 #
+# [*system_scope*]
+# (Optional) Scope for system operations
+# Defaults to $::os_service_default
+#
 # [*username*]
 # (optional) Username for connecting to Neutron network services in admin context
 # through the OpenStack Identity service.
@@ -93,6 +97,7 @@ class nova::network::neutron (
 $auth_type = 'v3password',
 $project_name = 'services',
 $project_domain_name = 'Default',
+ $system_scope = $::os_service_default,
 $username = 'neutron',
 $user_domain_name = 'Default',
 $auth_url = 'http://127.0.0.1:5000/v3',
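Review bot: The new `[*system_scope*]` doc entry does not tell the operator that setting it makes the class ignore `project_name` and `project_domain_name` (the class body in this same patch writes `$::os_service_default` into both `neutron/project_name` and `neutron/project_domain_name` whenever `system_scope` is set), which is the one thing a reader must know before switching the `[neutron]` credential to system scope. I would extend the entry to `#   (optional) Scope for system operations. When set, project_name and` / `#   project_domain_name are ignored and the credential becomes system-scoped.` and, since a system-scoped credential carries cloud-wide rights on the Neutron API, add a sentence that the `username` then needs a system-level role assignment rather than a project one (hedged: the exact role requirement is not visible in this patch). Also `(Optional)` is capitalised while the neighbouring `[*username*]` entry uses `(optional)`; keep the file's existing form.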
@@ -111,13 +116,22 @@ class nova::network::neutron (
 
 include nova::deps
 
+ if is_service_default($system_scope) {
+ $project_name_real = $project_name
+ $project_domain_name_real = $project_domain_name
+ } else {
+ $project_name_real = $::os_service_default
+ $project_domain_name_real = $::os_service_default
+ }
+
 nova_config {
 'DEFAULT/vif_plugging_is_fatal': value => $vif_plugging_is_fatal;
 'DEFAULT/vif_plugging_timeout': value => $vif_plugging_timeout;
 'neutron/default_floating_pool': value => $default_floating_pool;
 'neutron/timeout': value => $timeout;
- 'neutron/project_name': value => $project_name;
- 'neutron/project_domain_name': value => $project_domain_name;
+ 'neutron/project_name': value => $project_name_real;
+ 'neutron/project_domain_name': value => $project_domain_name_real;
+ 'neutron/system_scope': value => $system_scope;
 'neutron/region_name': value => $region_name;
 'neutron/username': value => $username;
 'neutron/user_domain_name': value => $user_domain_name;
diff --git a/releasenotes/notes/system_scope-neutron-6d5421393cbf7759.yaml b/releasenotes/notes/system_scope-neutron-6d5421393cbf7759.yaml
new file mode 100644
index 000000000..8925229dd
--- /dev/null
+++ b/releasenotes/notes/system_scope-neutron-6d5421393cbf7759.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ The new ``system_scope`` parameter has been added to
+ the ``nova::network::neutron`` class.
diff --git a/spec/classes/nova_network_neutron_spec.rb b/spec/classes/nova_network_neutron_spec.rb
index fefcfab7c..e927325f5 100644
--- a/spec/classes/nova_network_neutron_spec.rb
+++ b/spec/classes/nova_network_neutron_spec.rb
@@ -7,6 +7,7 @@ describe 'nova::network::neutron' do
 :timeout => '30',
 :project_name => 'services',
 :project_domain_name => 'Default',
+ :system_scope => '',
 :region_name => 'RegionOne',
 :username => 'neutron',
 :user_domain_name => 'Default',
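Review bot: The `else` branch silently overrides whatever `project_name`/`project_domain_name` the caller passed once `system_scope` is set, and nothing in the hunk says why; a later maintainer is likely to "restore" the project values, which (as far as I recall, keystoneauth gives project scope precedence when both are present — worth confirming) would quietly turn the credential back into a project-scoped one while `neutron/system_scope` still looks enabled. I would put a comment directly above the `else` branch: `# A system-scoped credential must not carry project scope: clear the project settings so the system scope is what keystoneauth actually uses, rather than letting an explicit project_name win.` Because a system-scoped `[neutron]` credential grants cloud-wide rights on the Neutron API, consider also emitting a Puppet `warning()` in that branch when `project_name` was explicitly supplied, so the privilege change is visible in the run output instead of only in the rendered nova.conf. The enclosing class continues outside this hunk.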
@@ -38,6 +39,7 @@ describe 'nova::network::neutron' do
 should contain_nova_config('neutron/timeout').with_value(default_params[:timeout])
 should contain_nova_config('neutron/project_name').with_value(default_params[:project_name])
 should contain_nova_config('neutron/project_domain_name').with_value(default_params[:project_domain_name])
+ should contain_nova_config('neutron/system_scope').with_value(default_params[:system_scope])
 should contain_nova_config('neutron/region_name').with_value(default_params[:region_name])
 should contain_nova_config('neutron/username').with_value(default_params[:username])
 should contain_nova_config('neutron/user_domain_name').with_value(default_params[:user_domain_name])
@@ -84,6 +86,7 @@ describe 'nova::network::neutron' do
 should contain_nova_config('neutron/timeout').with_value(params[:timeout])
 should contain_nova_config('neutron/project_name').with_value(params[:project_name])
 should contain_nova_config('neutron/project_domain_name').with_value(params[:project_domain_name])
+ should contain_nova_config('neutron/system_scope').with_value(default_params[:system_scope])
 should contain_nova_config('neutron/region_name').with_value(params[:region_name])
 should contain_nova_config('neutron/username').with_value(params[:username])
 should contain_nova_config('neutron/user_domain_name').with_value(params[:user_domain_name])
@@ -112,6 +115,19 @@ describe 'nova::network::neutron' do
 is_expected.to contain_nova_config('neutron/valid_interfaces').with_value('internal,public')
 end
 end
+
+ context 'when system_scope is set' do
+ before do
+ params.merge!(
+ :system_scope => 'all'
+ )
+ end
+ it 'configures system-scoped credential' do
+ should contain_nova_config('neutron/project_name').with_value('')
+ should contain_nova_config('neutron/project_domain_name').with_value('')
+ should contain_nova_config('neutron/system_scope').with_value('all')
+ end
+ end
 end
 
 on_supported_os({