openstack/puppet-zaqar
Code Issues Proposed changes

Accept system scope credentials for Keystone API request

Browse Source 
This change is the first step to support secure RBAC and allows usage
of system scope credentials for Keystone API request.

This change covers the following two items.
 - assignment of system scope roles to system user
 - credential parameters for authtoken middleware

Depends-on: https://review.opendev.org/804325
Change-Id: I2a54b0d0c03a98b3fe7a3a4a28051247eea7e70a
This commit is contained in:
Takashi Kajinami 2022-01-03 15:02:16 +09:00
parent 07822ab838
commit fe7da441a6
5 changed files with 46 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
manifests/keystone/auth.pp
View File

@ -19,6 +19,18 @@
# (Optional) Tenant for zaqar user.
# Defaults to 'services'.
#
# [*roles*]
# (Optional) List of roles assigned to neutron user.
# Defaults to ['admin']
#
# [*system_scope*]
# (Optional) Scope for system operations.
# Defaults to 'all'
#
# [*system_roles*]
# (Optional) List of system roles assigned to neutron user.
# Defaults to []
#
# [*configure_endpoint*]
# (Optional) Should zaqar endpoint be configured?
# Defaults to true.
@ -63,10 +75,6 @@
# (Optional) Whether to configure the admin role for the service user.
# Defaults to true
#
# [*roles*]
# (Optional) Roles to give the service user.
# Defaults to undef
#
class zaqar::keystone::auth(
$password,
$email = 'zaqar@localhost',
@ -78,12 +86,14 @@ class zaqar::keystone::auth(
$internal_url = 'http://127.0.0.1:8888',
$region = 'RegionOne',
$tenant = 'services',
$roles = ['admin'],
$system_scope = 'all',
$system_roles = [],
$configure_endpoint = true,
$configure_service = true,
$configure_user = true,
$configure_user_role = true,
$service_description = 'OpenStack Messaging Service',
$roles = undef,
) {
include zaqar::deps
@ -102,9 +112,11 @@ class zaqar::keystone::auth(
password => $password,
email => $email,
tenant => $tenant,
roles => $roles,
system_scope => $system_scope,
system_roles => $system_roles,
public_url => $public_url,
admin_url => $admin_url,
internal_url => $internal_url,
roles => $roles,
}
}

6
manifests/keystone/authtoken.pp
View File

@ -28,6 +28,10 @@
# (Optional) Name of domain for $project_name
# Defaults to 'Default'
#
# [*system_scope*]
# (Optional) Scope for system operations.
# Defaults to $::os_service_default
#
# [*insecure*]
# (Optional) If true, explicitly allow TLS without checking server cert
# against any certificate authorities. WARNING: not recommended. Use with
@ -198,6 +202,7 @@ class zaqar::keystone::authtoken(
$project_name = 'services',
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$system_scope = $::os_service_default,
$insecure = $::os_service_default,
$auth_section = $::os_service_default,
$auth_type = 'password',
@ -251,6 +256,7 @@ class zaqar::keystone::authtoken(
auth_section => $auth_section,
user_domain_name => $user_domain_name,
project_domain_name => $project_domain_name,
system_scope => $system_scope,
insecure => $insecure,
cache => $cache,
cafile => $cafile,

9
releasenotes/notes/system_scope-keystone-ce89823e072150ce.yaml Normal file
View File

@ -0,0 +1,9 @@
---
features:
- |
The ``system_scope`` parameter has been added to
the ``zaqar::keystone::authtoken`` class.
- |
The ``zaqar::keystone::auth`` class now supports defining assignmet of
system-scoped roles to the zaqar service user.

13
spec/classes/zaqar_keystone_auth_spec.rb
View File

@ -23,6 +23,9 @@ describe 'zaqar::keystone::auth' do
:password => 'zaqar_password',
:email => 'zaqar@localhost',
:tenant => 'services',
:roles => ['admin'],
:system_scope => 'all',
:system_roles => [],
:public_url => 'http://127.0.0.1:8888',
:internal_url => 'http://127.0.0.1:8888',
:admin_url => 'http://127.0.0.1:8888',
@ -35,6 +38,9 @@ describe 'zaqar::keystone::auth' do
:auth_name => 'alt_zaqar',
:email => 'alt_zaqar@alt_localhost',
:tenant => 'alt_service',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:configure_endpoint => false,
:configure_user => false,
:configure_user_role => false,
@ -44,8 +50,7 @@ describe 'zaqar::keystone::auth' do
:region => 'RegionTwo',
:public_url => 'https://10.10.10.10:80',
:internal_url => 'http://10.10.10.11:81',
:admin_url => 'http://10.10.10.12:81',
:roles => ['admin', 'ResellerAdmin'] }
:admin_url => 'http://10.10.10.12:81' }
end
it { is_expected.to contain_keystone__resource__service_identity('zaqar').with(
@ -60,10 +65,12 @@ describe 'zaqar::keystone::auth' do
:password => 'zaqar_password',
:email => 'alt_zaqar@alt_localhost',
:tenant => 'alt_service',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:public_url => 'https://10.10.10.10:80',
:internal_url => 'http://10.10.10.11:81',
:admin_url => 'http://10.10.10.12:81',
:roles => ['admin', 'ResellerAdmin'],
) }
end
end

3
spec/classes/zaqar_keystone_authtoken_spec.rb
View File

@ -18,6 +18,7 @@ describe 'zaqar::keystone::authtoken' do
:project_name => 'services',
:user_domain_name => 'Default',
:project_domain_name => 'Default',
:system_scope => '<SERVICE DEFAULT>',
:insecure => '<SERVICE DEFAULT>',
:auth_section => '<SERVICE DEFAULT>',
:auth_type => 'password',
@ -62,6 +63,7 @@ describe 'zaqar::keystone::authtoken' do
:project_name => 'service_project',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:system_scope => 'all',
:insecure => false,
:auth_section => 'new_section',
:auth_type => 'password',
@ -103,6 +105,7 @@ describe 'zaqar::keystone::authtoken' do
:project_name => 'service_project',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:system_scope => 'all',
:insecure => false,
:auth_section => 'new_section',
:auth_type => 'password',