openstack/puppet-nova
Code Issues Proposed changes

Accept system scope credential for Neutron API request

Browse Source 
Currently Nova uses the user credential in [neutron] section to update
port binding/migration profile or get resource_request of ports, but
these APIs are available for system admin/reader when SRBAC is
enforced.

This change allows usage of system-scoped credential instead of
project-scoped one.

Change-Id: Id1b4e324c8a46a8951f9e37203eb74a5602700e5
This commit is contained in:
Takashi Kajinami
2022-01-25 17:06:02 +09:00
parent 228e3aa77b
commit f4271788b4
3 changed files with 37 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
manifests/network/neutron.pp
View File

@@ -22,6 +22,10 @@
# admin context through the OpenStack Identity service. # admin context through the OpenStack Identity service.
# Defaults to 'Default' # Defaults to 'Default'
# #
# [*system_scope*]
# (Optional) Scope for system operations
# Defaults to $::os_service_default
#
# [*username*] # [*username*]
# (optional) Username for connecting to Neutron network services in admin context # (optional) Username for connecting to Neutron network services in admin context
# through the OpenStack Identity service. # through the OpenStack Identity service.
@@ -93,6 +97,7 @@ class nova::network::neutron (
$auth_type = 'v3password', $auth_type = 'v3password',
$project_name = 'services', $project_name = 'services',
$project_domain_name = 'Default', $project_domain_name = 'Default',
$system_scope = $::os_service_default,
$username = 'neutron', $username = 'neutron',
$user_domain_name = 'Default', $user_domain_name = 'Default',
$auth_url = 'http://127.0.0.1:5000/v3', $auth_url = 'http://127.0.0.1:5000/v3',
@@ -111,13 +116,22 @@ class nova::network::neutron (
include nova::deps include nova::deps
if is_service_default($system_scope) {
$project_name_real = $project_name
$project_domain_name_real = $project_domain_name
} else {
$project_name_real = $::os_service_default
$project_domain_name_real = $::os_service_default
}
nova_config { nova_config {
'DEFAULT/vif_plugging_is_fatal': value => $vif_plugging_is_fatal; 'DEFAULT/vif_plugging_is_fatal': value => $vif_plugging_is_fatal;
'DEFAULT/vif_plugging_timeout': value => $vif_plugging_timeout; 'DEFAULT/vif_plugging_timeout': value => $vif_plugging_timeout;
'neutron/default_floating_pool': value => $default_floating_pool; 'neutron/default_floating_pool': value => $default_floating_pool;
'neutron/timeout': value => $timeout; 'neutron/timeout': value => $timeout;
'neutron/project_name': value => $project_name; 'neutron/project_name': value => $project_name_real;
'neutron/project_domain_name': value => $project_domain_name; 'neutron/project_domain_name': value => $project_domain_name_real;
'neutron/system_scope': value => $system_scope;
'neutron/region_name': value => $region_name; 'neutron/region_name': value => $region_name;
'neutron/username': value => $username; 'neutron/username': value => $username;
'neutron/user_domain_name': value => $user_domain_name; 'neutron/user_domain_name': value => $user_domain_name;

5
releasenotes/notes/system_scope-neutron-6d5421393cbf7759.yaml Normal file
View File

@@ -0,0 +1,5 @@
---
features:
- |
The new ``system_scope`` parameter has been added to
the ``nova::network::neutron`` class.

16
spec/classes/nova_network_neutron_spec.rb
View File

@@ -7,6 +7,7 @@ describe 'nova::network::neutron' do
:timeout => '30', :timeout => '30',
:project_name => 'services', :project_name => 'services',
:project_domain_name => 'Default', :project_domain_name => 'Default',
:system_scope => '<SERVICE DEFAULT>',
:region_name => 'RegionOne', :region_name => 'RegionOne',
:username => 'neutron', :username => 'neutron',
:user_domain_name => 'Default', :user_domain_name => 'Default',
@@ -38,6 +39,7 @@ describe 'nova::network::neutron' do
should contain_nova_config('neutron/timeout').with_value(default_params[:timeout]) should contain_nova_config('neutron/timeout').with_value(default_params[:timeout])
should contain_nova_config('neutron/project_name').with_value(default_params[:project_name]) should contain_nova_config('neutron/project_name').with_value(default_params[:project_name])
should contain_nova_config('neutron/project_domain_name').with_value(default_params[:project_domain_name]) should contain_nova_config('neutron/project_domain_name').with_value(default_params[:project_domain_name])
should contain_nova_config('neutron/system_scope').with_value(default_params[:system_scope])
should contain_nova_config('neutron/region_name').with_value(default_params[:region_name]) should contain_nova_config('neutron/region_name').with_value(default_params[:region_name])
should contain_nova_config('neutron/username').with_value(default_params[:username]) should contain_nova_config('neutron/username').with_value(default_params[:username])
should contain_nova_config('neutron/user_domain_name').with_value(default_params[:user_domain_name]) should contain_nova_config('neutron/user_domain_name').with_value(default_params[:user_domain_name])
@@ -84,6 +86,7 @@ describe 'nova::network::neutron' do
should contain_nova_config('neutron/timeout').with_value(params[:timeout]) should contain_nova_config('neutron/timeout').with_value(params[:timeout])
should contain_nova_config('neutron/project_name').with_value(params[:project_name]) should contain_nova_config('neutron/project_name').with_value(params[:project_name])
should contain_nova_config('neutron/project_domain_name').with_value(params[:project_domain_name]) should contain_nova_config('neutron/project_domain_name').with_value(params[:project_domain_name])
should contain_nova_config('neutron/system_scope').with_value(default_params[:system_scope])
should contain_nova_config('neutron/region_name').with_value(params[:region_name]) should contain_nova_config('neutron/region_name').with_value(params[:region_name])
should contain_nova_config('neutron/username').with_value(params[:username]) should contain_nova_config('neutron/username').with_value(params[:username])
should contain_nova_config('neutron/user_domain_name').with_value(params[:user_domain_name]) should contain_nova_config('neutron/user_domain_name').with_value(params[:user_domain_name])
@@ -112,6 +115,19 @@ describe 'nova::network::neutron' do
is_expected.to contain_nova_config('neutron/valid_interfaces').with_value('internal,public') is_expected.to contain_nova_config('neutron/valid_interfaces').with_value('internal,public')
end end
end end
context 'when system_scope is set' do
before do
params.merge!(
:system_scope => 'all'
)
end
it 'configures system-scoped credential' do
should contain_nova_config('neutron/project_name').with_value('<SERVICE DEFAULT>')
should contain_nova_config('neutron/project_domain_name').with_value('<SERVICE DEFAULT>')
should contain_nova_config('neutron/system_scope').with_value('all')
end
end
end end
on_supported_os({ on_supported_os({