Accept system scope credentials for Keystone API request

This change is the first step to support secure RBAC and allows usage
of system scope credentials for Keystone API request.

This change covers the following two items.
 - assignment of system scope roles to system user
 - credential parameters for authtoken middleware

Depends-on: https://review.opendev.org/804325
Change-Id: I6907dd4b41dfe009a69fecd3ee5d8332c4c6a424
This commit is contained in:
Takashi Kajinami 2022-01-25 10:43:40 +09:00
parent 2eb937c16c
commit 95f5169393
5 changed files with 49 additions and 0 deletions

View File

@ -36,6 +36,18 @@
# (Optional) Tenant for Trove user. # (Optional) Tenant for Trove user.
# Defaults to 'services'. # Defaults to 'services'.
# #
# [*roles*]
# (Optional) List of roles assigned to trove user.
# Defaults to ['admin']
#
# [*system_scope*]
# (Optional) Scope for system operations.
# Defaults to 'all'
#
# [*system_roles*]
# (Optional) List of system roles assigned to trove user.
# Defaults to []
#
# [*configure_endpoint*] # [*configure_endpoint*]
# (Optional) Should Trove endpoint be configured? # (Optional) Should Trove endpoint be configured?
# Defaults to true. # Defaults to true.
@ -92,6 +104,9 @@ class trove::keystone::auth (
$auth_name = 'trove', $auth_name = 'trove',
$email = 'trove@localhost', $email = 'trove@localhost',
$tenant = 'services', $tenant = 'services',
$roles = ['admin'],
$system_scope = 'all',
$system_roles = [],
$configure_user = true, $configure_user = true,
$configure_user_role = true, $configure_user_role = true,
$configure_endpoint = true, $configure_endpoint = true,
@ -123,6 +138,9 @@ class trove::keystone::auth (
password => $password, password => $password,
email => $email, email => $email,
tenant => $tenant, tenant => $tenant,
roles => $roles,
system_scope => $system_scope,
system_roles => $system_roles,
public_url => $public_url, public_url => $public_url,
internal_url => $internal_url, internal_url => $internal_url,
admin_url => $admin_url, admin_url => $admin_url,

View File

@ -28,6 +28,10 @@
# (Optional) Name of domain for $project_name # (Optional) Name of domain for $project_name
# Defaults to 'Default' # Defaults to 'Default'
# #
# [*system_scope*]
# (Optional) Scope for system operations
# Defaults to $::os_service_default
#
# [*insecure*] # [*insecure*]
# (Optional) If true, explicitly allow TLS without checking server cert # (Optional) If true, explicitly allow TLS without checking server cert
# against any certificate authorities. WARNING: not recommended. Use with # against any certificate authorities. WARNING: not recommended. Use with
@ -199,6 +203,7 @@ class trove::keystone::authtoken(
$project_name = 'services', $project_name = 'services',
$user_domain_name = 'Default', $user_domain_name = 'Default',
$project_domain_name = 'Default', $project_domain_name = 'Default',
$system_scope = $::os_service_default,
$insecure = $::os_service_default, $insecure = $::os_service_default,
$auth_section = $::os_service_default, $auth_section = $::os_service_default,
$auth_type = 'password', $auth_type = 'password',
@ -241,6 +246,7 @@ class trove::keystone::authtoken(
username => $username, username => $username,
password => $password, password => $password,
project_name => $project_name, project_name => $project_name,
system_scope => $system_scope,
auth_url => $auth_url, auth_url => $auth_url,
www_authenticate_uri => $www_authenticate_uri, www_authenticate_uri => $www_authenticate_uri,
auth_version => $auth_version, auth_version => $auth_version,

View File

@ -0,0 +1,13 @@
---
features:
- |
The ``system_scope`` parameter has been added to
the ``trove::keystone::authtoken`` class.
- |
The ``trove::keystone::auth`` class now supports customizing roles assigned
to the trove service user.
- |
The ``trove::keystone::auth`` class now supports defining assignmet of
system-scoped roles to the trove service user.

View File

@ -23,6 +23,9 @@ describe 'trove::keystone::auth' do
:password => 'trove_password', :password => 'trove_password',
:email => 'trove@localhost', :email => 'trove@localhost',
:tenant => 'services', :tenant => 'services',
:roles => ['admin'],
:system_scope => 'all',
:system_roles => [],
:public_url => 'http://127.0.0.1:8779/v1.0/%(tenant_id)s', :public_url => 'http://127.0.0.1:8779/v1.0/%(tenant_id)s',
:internal_url => 'http://127.0.0.1:8779/v1.0/%(tenant_id)s', :internal_url => 'http://127.0.0.1:8779/v1.0/%(tenant_id)s',
:admin_url => 'http://127.0.0.1:8779/v1.0/%(tenant_id)s', :admin_url => 'http://127.0.0.1:8779/v1.0/%(tenant_id)s',
@ -35,6 +38,9 @@ describe 'trove::keystone::auth' do
:auth_name => 'alt_trove', :auth_name => 'alt_trove',
:email => 'alt_trove@alt_localhost', :email => 'alt_trove@alt_localhost',
:tenant => 'alt_service', :tenant => 'alt_service',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:configure_endpoint => false, :configure_endpoint => false,
:configure_user => false, :configure_user => false,
:configure_user_role => false, :configure_user_role => false,
@ -59,6 +65,9 @@ describe 'trove::keystone::auth' do
:password => 'trove_password', :password => 'trove_password',
:email => 'alt_trove@alt_localhost', :email => 'alt_trove@alt_localhost',
:tenant => 'alt_service', :tenant => 'alt_service',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:public_url => 'https://10.10.10.10:80', :public_url => 'https://10.10.10.10:80',
:internal_url => 'http://10.10.10.11:81', :internal_url => 'http://10.10.10.11:81',
:admin_url => 'http://10.10.10.12:81', :admin_url => 'http://10.10.10.12:81',

View File

@ -18,6 +18,7 @@ describe 'trove::keystone::authtoken' do
:project_name => 'services', :project_name => 'services',
:user_domain_name => 'Default', :user_domain_name => 'Default',
:project_domain_name => 'Default', :project_domain_name => 'Default',
:system_scope => '<SERVICE DEFAULT>',
:insecure => '<SERVICE DEFAULT>', :insecure => '<SERVICE DEFAULT>',
:auth_section => '<SERVICE DEFAULT>', :auth_section => '<SERVICE DEFAULT>',
:auth_type => 'password', :auth_type => 'password',
@ -62,6 +63,7 @@ describe 'trove::keystone::authtoken' do
:project_name => 'service_project', :project_name => 'service_project',
:user_domain_name => 'domainX', :user_domain_name => 'domainX',
:project_domain_name => 'domainX', :project_domain_name => 'domainX',
:system_scope => 'all',
:insecure => false, :insecure => false,
:auth_section => 'new_section', :auth_section => 'new_section',
:auth_type => 'password', :auth_type => 'password',
@ -103,6 +105,7 @@ describe 'trove::keystone::authtoken' do
:project_name => 'service_project', :project_name => 'service_project',
:user_domain_name => 'domainX', :user_domain_name => 'domainX',
:project_domain_name => 'domainX', :project_domain_name => 'domainX',
:system_scope => 'all',
:insecure => false, :insecure => false,
:auth_section => 'new_section', :auth_section => 'new_section',
:auth_type => 'password', :auth_type => 'password',