From f35dc66ff33ddd21ce74606c673c0c800d37d611 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Fri, 4 Mar 2022 08:33:27 +0900
Subject: [PATCH] Globally support system scope credentials

After spending huge effort to understand the exact requirements to enforce SRBAC, we learned it's very difficult to find the required scope in each credential. This requires understanding implementation of client-side as well as server-side, and requirement might be different according to the deployment architecture or features used.

Instead of implementing support based on the actual implementation, this introduces support for system scope credentials to all places where keystone user credential is defined, and make all credential configurations consistent.

Change-Id: I5cad33c4caf1e3b3408dba5328c8b2f67a85b555
---
 manifests/api/service_credentials.pp | 18 +++++++-
 manifests/guestagent/service_credentials.pp | 18 +++++++-
 .../system_scope-all-b264889f42741908.yaml | 7 +++
 .../trove_api_service_credentials_spec.rb | 45 +++++++++++++------
 ...ove_guestagent_service_credentials_spec.rb | 36 +++++++++++----
 5 files changed, 98 insertions(+), 26 deletions(-)
 create mode 100644 releasenotes/notes/system_scope-all-b264889f42741908.yaml

diff --git a/manifests/api/service_credentials.pp b/manifests/api/service_credentials.pp
index d3289a1c..dbd7edc3 100644
--- a/manifests/api/service_credentials.pp
+++ b/manifests/api/service_credentials.pp
@@ -29,6 +29,10 @@
 # (optional) the keystone user domain name for trove services
 # Defaults to 'Default'
 #
+# [*system_scope*]
+# (optional) Scope for system operations.
+# Defaults to $::os_service_default
+#
 class trove::api::service_credentials (
   $password,
   $auth_url            = 'http://127.0.0.1:5000',
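Review bot: The new `[*system_scope*]` entry does not tell the operator that setting it makes the class write `project_name` and `project_domain_name` as `$::os_service_default` (the body hunk that follows does exactly that), so a deployment passing both a project and a system scope has its project scoping dropped without any hint in the docs. Add a line after the `Defaults to` line such as `#   When set, project_name and project_domain_name are ignored and the service authenticates with a system-scoped token.` so the privilege change is visible where the parameter is documented. The guestagent doc hunk on the next line has the same gap.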
@@ -37,16 +41,26 @@ class trove::api::service_credentials (
   $project_name        = 'services',
   $project_domain_name = 'Default',
   $user_domain_name    = 'Default',
+  $system_scope        = $::os_service_default,
 ) {
 
   include trove::deps
 
+  if is_service_default($system_scope) {
+    $project_name_real = $project_name
+    $project_domain_name_real = $project_domain_name
+  } else {
+    $project_name_real = $::os_service_default
+    $project_domain_name_real = $::os_service_default
+  }
+
   trove_config {
     'service_credentials/auth_url':            value => $auth_url;
     'service_credentials/username':            value => $username;
     'service_credentials/password':            value => $password, secret => true;
-    'service_credentials/project_name':        value => $project_name;
-    'service_credentials/project_domain_name': value => $project_domain_name;
+    'service_credentials/project_name':        value => $project_name_real;
+    'service_credentials/project_domain_name': value => $project_domain_name_real;
+    'service_credentials/system_scope':        value => $system_scope;
     'service_credentials/user_domain_name':    value => $user_domain_name;
     'service_credentials/region_name':         value => $region_name;
   }
diff --git a/manifests/guestagent/service_credentials.pp b/manifests/guestagent/service_credentials.pp
index 382c37be..61612dc1 100644
--- a/manifests/guestagent/service_credentials.pp
+++ b/manifests/guestagent/service_credentials.pp
@@ -29,6 +29,10 @@
 # (optional) the keystone user domain name for trove services
 # Defaults to 'Default'
 #
+# [*system_scope*]
+# (optional) Scope for system operations.
+# Defaults to $::os_service_default
+#
 class trove::guestagent::service_credentials (
   $password,
   $auth_url            = 'http://127.0.0.1:5000',
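Review bot: The `else` branch overwrites `$project_name`/`$project_domain_name` with `$::os_service_default` without any signal, so an explicit `project_name => 'foo'` passed together with `system_scope` is discarded silently; because a system-scoped credential is meant to carry system-level rather than project-bound authorization, that switch deserves to be visible at catalog compile time. A `warning('project_name and project_domain_name are ignored because system_scope is set')` inside the `else` branch would surface it without changing behaviour. The identical selection block is repeated in the guestagent manifest in the next hunk; if more classes pick this up, one shared pattern would keep them from drifting.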
@@ -37,17 +41,27 @@ class trove::guestagent::service_credentials ( $project_name = 'services', $project_domain_name = 'Default', $user_domain_name = 'Default', + $system_scope = $::os_service_default, ) { include trove::deps + if is_service_default($system_scope) { + $project_name_real = $project_name + $project_domain_name_real = $project_domain_name + } else { + $project_name_real = $::os_service_default + $project_domain_name_real = $::os_service_default + } + trove_guestagent_config { 'service_credentials/auth_url': value => $auth_url; 'service_credentials/username': value => $username; 'service_credentials/password': value => $password, secret => true; - 'service_credentials/project_name': value => $project_name; - 'service_credentials/project_domain_name': value => $project_domain_name; + 'service_credentials/project_name': value => $project_name_real; + 'service_credentials/project_domain_name': value => $project_domain_name_real; 'service_credentials/user_domain_name': value => $user_domain_name; + 'service_credentials/system_scope': value => $system_scope; 'service_credentials/region_name': value => $region_name; } diff --git a/releasenotes/notes/system_scope-all-b264889f42741908.yaml b/releasenotes/notes/system_scope-all-b264889f42741908.yaml new file mode 100644 index 00000000..fc882edc --- /dev/null +++ b/releasenotes/notes/system_scope-all-b264889f42741908.yaml @@ -0,0 +1,7 @@ +--- +features: + - | + The new ``system_scope`` parameter has been added to the following classes. + + - ``trove::api::service_credentials`` + - ``trove::guestagent::service_credentials`` diff --git a/spec/classes/trove_api_service_credentials_spec.rb b/spec/classes/trove_api_service_credentials_spec.rb index 3241cf1c..ea28babd 100644 --- a/spec/classes/trove_api_service_credentials_spec.rb +++ b/spec/classes/trove_api_service_credentials_spec.rb 
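Review bot: The added `'service_credentials/system_scope'` entry is placed after `user_domain_name` in this `trove_guestagent_config` block, while the api manifest in the previous hunk puts it before `user_domain_name`; keeping the two `service_credentials` blocks in the same key order makes the two manifests reviewable side by side and avoids ordering-only diffs later. Move the line up so it directly follows `project_domain_name`, as in `manifests/api/service_credentials.pp`.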
@@ -19,45 +19,58 @@ describe 'trove::api::service_credentials' do shared_examples 'trove::api::service_credentials' do - context 'with default parameters' do - let :params do - { - :auth_url => 'http://127.0.0.1:5000/v3', - :password => 'verysecrete' - } - end + let :params do + { + :password => 'verysecrete' + } + end + context 'with default parameters' do it 'configures service credentials with default parameters' do - is_expected.to contain_trove_config('service_credentials/auth_url').with_value('http://127.0.0.1:5000/v3') + is_expected.to contain_trove_config('service_credentials/auth_url').with_value('http://127.0.0.1:5000') is_expected.to contain_trove_config('service_credentials/username').with_value('trove') is_expected.to contain_trove_config('service_credentials/password').with_value('verysecrete').with_secret(true) is_expected.to contain_trove_config('service_credentials/project_name').with_value('services') is_expected.to contain_trove_config('service_credentials/region_name').with_value('RegionOne') is_expected.to contain_trove_config('service_credentials/user_domain_name').with_value('Default') is_expected.to contain_trove_config('service_credentials/project_domain_name').with_value('Default') + is_expected.to contain_trove_config('service_credentials/system_scope').with_value('') end end context 'when overriding defaults' do - let :params do - { - :auth_url => 'http://127.0.0.1:5000/v3', - :password => 'verysecrete', + before do + params.merge!({ + :auth_url => 'http://localhost:5000', :username => 'trove2', :project_name => 'services2', :region_name => 'RegionTwo', :user_domain_name => 'MyDomain', :project_domain_name => 'MyDomain', - } + }) end it 'configures service credentials with default parameters' do - is_expected.to contain_trove_config('service_credentials/auth_url').with_value('http://127.0.0.1:5000/v3') + is_expected.to contain_trove_config('service_credentials/auth_url').with_value('http://localhost:5000') is_expected.to 
contain_trove_config('service_credentials/username').with_value('trove2') is_expected.to contain_trove_config('service_credentials/project_name').with_value('services2') is_expected.to contain_trove_config('service_credentials/region_name').with_value('RegionTwo') is_expected.to contain_trove_config('service_credentials/user_domain_name').with_value('MyDomain') is_expected.to contain_trove_config('service_credentials/project_domain_name').with_value('MyDomain') + is_expected.to contain_trove_config('service_credentials/system_scope').with_value('') + end + end + + context 'when system_scope is set' do + before do + params.merge!( + :system_scope => 'all' + ) + end + it 'configures system-scoped credential' do + is_expected.to contain_trove_config('service_credentials/project_domain_name').with_value('') + is_expected.to contain_trove_config('service_credentials/project_name').with_value('') + is_expected.to contain_trove_config('service_credentials/system_scope').with_value('all') end end end @@ -65,6 +78,10 @@ describe 'trove::api::service_credentials' do on_supported_os({ :supported_os => OSDefaults.get_supported_os }).each do |os,facts| + let (:facts) do + facts.merge!(OSDefaults.get_facts()) + end + context "on #{os}" do it_configures 'trove::api::service_credentials' end diff --git a/spec/classes/trove_guestagent_service_credentials_spec.rb b/spec/classes/trove_guestagent_service_credentials_spec.rb index 865e0bad..a8f5a7ca 100644 --- a/spec/classes/trove_guestagent_service_credentials_spec.rb +++ b/spec/classes/trove_guestagent_service_credentials_spec.rb 
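Review bot: The new `'when system_scope is set'` context asserts that `project_name` and `project_domain_name` are cleared but does not pin that `user_domain_name` and `username` are still written; the user still has to authenticate inside its own domain under system scope, so a later change that also blanks those would pass this spec. Add `is_expected.to contain_trove_config('service_credentials/user_domain_name').with_value('Default')` and the matching `username` check next to the existing three assertions. The example description `'configures service credentials with default parameters'` kept under `'when overriding defaults'` now reads wrong; `'configures service credentials with overridden parameters'` would match what it checks. The guestagent spec hunks further down share both points. The hunk begins on the previous line.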
@@ -19,11 +19,13 @@ describe 'trove::guestagent::service_credentials' do shared_examples 'trove::guestagent::service_credentials' do - context 'with default parameters' do - let :params do - { :password => 'verysecrete' } - end + let :params do + { + :password => 'verysecrete' + } + end + context 'with default parameters' do it 'configures service credentials with default parameters' do is_expected.to contain_trove_guestagent_config('service_credentials/auth_url').with_value('http://127.0.0.1:5000') is_expected.to contain_trove_guestagent_config('service_credentials/username').with_value('trove') @@ -32,20 +34,20 @@ describe 'trove::guestagent::service_credentials' do is_expected.to contain_trove_guestagent_config('service_credentials/region_name').with_value('RegionOne') is_expected.to contain_trove_guestagent_config('service_credentials/user_domain_name').with_value('Default') is_expected.to contain_trove_guestagent_config('service_credentials/project_domain_name').with_value('Default') + is_expected.to contain_trove_guestagent_config('service_credentials/system_scope').with_value('') end end context 'when overriding defaults' do - let :params do - { + before do + params.merge!({ :auth_url => 'http://localhost:5000', - :password => 'verysecrete', :username => 'trove2', :project_name => 'services2', :region_name => 'RegionTwo', :user_domain_name => 'MyDomain', :project_domain_name => 'MyDomain', - } + }) end it 'configures service credentials with default parameters' do 
@@ -55,6 +57,20 @@ describe 'trove::guestagent::service_credentials' do is_expected.to contain_trove_guestagent_config('service_credentials/region_name').with_value('RegionTwo') is_expected.to contain_trove_guestagent_config('service_credentials/user_domain_name').with_value('MyDomain') is_expected.to contain_trove_guestagent_config('service_credentials/project_domain_name').with_value('MyDomain') + is_expected.to contain_trove_guestagent_config('service_credentials/system_scope').with_value('') + end + end + + context 'when system_scope is set' do + before do + params.merge!( + :system_scope => 'all' + ) + end + it 'configures system-scoped credential' do + is_expected.to contain_trove_guestagent_config('service_credentials/project_domain_name').with_value('') + is_expected.to contain_trove_guestagent_config('service_credentials/project_name').with_value('') + is_expected.to contain_trove_guestagent_config('service_credentials/system_scope').with_value('all') end end end @@ -62,6 +78,10 @@ describe 'trove::guestagent::service_credentials' do on_supported_os({ :supported_os => OSDefaults.get_supported_os }).each do |os,facts| + let (:facts) do + facts.merge!(OSDefaults.get_facts()) + end + context "on #{os}" do it_configures 'trove::guestagent::service_credentials' end