Accept system scope credentials for Keystone API request

This change is the first step towards supporting secure RBAC and allows the use
of system-scoped credentials for Keystone API requests.

This change covers the following two items.
 - assignment of system scope roles to system user
 - credential parameters for authtoken middleware

Depends-on: https://review.opendev.org/804325
Change-Id: I2a54b0d0c03a98b3fe7a3a4a28051247eea7e70a
Takashi Kajinami 2022-01-03 15:02:16 +09:00
parent 07822ab838
commit fe7da441a6
5 changed files with 46 additions and 9 deletions


@ -19,6 +19,18 @@
# (Optional) Tenant for zaqar user. # (Optional) Tenant for zaqar user.
# Defaults to 'services'. # Defaults to 'services'.
# #
# [*roles*]
# (Optional) List of roles assigned to neutron user.
# Defaults to ['admin']
#
# [*system_scope*]
# (Optional) Scope for system operations.
# Defaults to 'all'
#
# [*system_roles*]
# (Optional) List of system roles assigned to neutron user.
# Defaults to []
#
# [*configure_endpoint*] # [*configure_endpoint*]
# (Optional) Should zaqar endpoint be configured? # (Optional) Should zaqar endpoint be configured?
# Defaults to true. # Defaults to true.
@ -63,10 +75,6 @@
# (Optional) Whether to configure the admin role for the service user. # (Optional) Whether to configure the admin role for the service user.
# Defaults to true # Defaults to true
# #
# [*roles*]
# (Optional) Roles to give the service user.
# Defaults to undef
#
class zaqar::keystone::auth( class zaqar::keystone::auth(
$password, $password,
$email = 'zaqar@localhost', $email = 'zaqar@localhost',
@ -78,12 +86,14 @@ class zaqar::keystone::auth(
$internal_url = 'http://127.0.0.1:8888', $internal_url = 'http://127.0.0.1:8888',
$region = 'RegionOne', $region = 'RegionOne',
$tenant = 'services', $tenant = 'services',
$roles = ['admin'],
$system_scope = 'all',
$system_roles = [],
$configure_endpoint = true, $configure_endpoint = true,
$configure_service = true, $configure_service = true,
$configure_user = true, $configure_user = true,
$configure_user_role = true, $configure_user_role = true,
$service_description = 'OpenStack Messaging Service', $service_description = 'OpenStack Messaging Service',
$roles = undef,
) { ) {
include zaqar::deps include zaqar::deps
@ -102,9 +112,11 @@ class zaqar::keystone::auth(
password => $password, password => $password,
email => $email, email => $email,
tenant => $tenant, tenant => $tenant,
roles => $roles,
system_scope => $system_scope,
system_roles => $system_roles,
public_url => $public_url, public_url => $public_url,
admin_url => $admin_url, admin_url => $admin_url,
internal_url => $internal_url, internal_url => $internal_url,
roles => $roles,
} }
} }
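Review bot: The new parameter docs at the top of the first hunk describe the wrong service: `# (Optional) List of roles assigned to neutron user.` and `# (Optional) List of system roles assigned to neutron user.` name a neutron user, while this class manages the zaqar service user (compare the `Tenant for zaqar user.` line just above them). Suggest `# (Optional) List of roles assigned to zaqar user.` and `# (Optional) List of system roles assigned to zaqar user.`. The third hunk also changes the `$roles` default from `undef` to `['admin']`; if `keystone::resource::service_identity` already defaulted to `['admin']` the effective role assignment is unchanged, but neither the commit message nor the release note says so, and a reader auditing which roles the service user receives would want that stated.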


@ -28,6 +28,10 @@
# (Optional) Name of domain for $project_name # (Optional) Name of domain for $project_name
# Defaults to 'Default' # Defaults to 'Default'
# #
# [*system_scope*]
# (Optional) Scope for system operations.
# Defaults to $::os_service_default
#
# [*insecure*] # [*insecure*]
# (Optional) If true, explicitly allow TLS without checking server cert # (Optional) If true, explicitly allow TLS without checking server cert
# against any certificate authorities. WARNING: not recommended. Use with # against any certificate authorities. WARNING: not recommended. Use with
@ -198,6 +202,7 @@ class zaqar::keystone::authtoken(
$project_name = 'services', $project_name = 'services',
$user_domain_name = 'Default', $user_domain_name = 'Default',
$project_domain_name = 'Default', $project_domain_name = 'Default',
$system_scope = $::os_service_default,
$insecure = $::os_service_default, $insecure = $::os_service_default,
$auth_section = $::os_service_default, $auth_section = $::os_service_default,
$auth_type = 'password', $auth_type = 'password',
@ -251,6 +256,7 @@ class zaqar::keystone::authtoken(
auth_section => $auth_section, auth_section => $auth_section,
user_domain_name => $user_domain_name, user_domain_name => $user_domain_name,
project_domain_name => $project_domain_name, project_domain_name => $project_domain_name,
system_scope => $system_scope,
insecure => $insecure, insecure => $insecure,
cache => $cache, cache => $cache,
cafile => $cafile, cafile => $cafile,
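Review bot: The `system_scope` documentation added in the first hunk should say how it interacts with the project-scope parameters that keep their defaults (`project_name = 'services'`, `project_domain_name = 'Default'`), since both are passed to `keystone::resource::authtoken` unchanged. As far as I recall, keystoneauth's password plugin derives the token scope from project parameters before it looks at system scope, so a deployer setting only `system_scope => 'all'` may still obtain a project-scoped token; the authtoken spec override at the bottom of this page combines `:project_name => 'service_project'` with `:system_scope => 'all'` and only checks pass-through, so it would not catch that. Suggest extending the comment with `# NOTE: project_name/project_domain_name take precedence over system scope; set them to $::os_service_default when using system scope`, after confirming the precedence against keystoneauth and `keystone::resource::authtoken`. The `zaqar::keystone::authtoken` class starts and ends outside these hunks.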


@ -0,0 +1,9 @@
---
features:
- |
The ``system_scope`` parameter has been added to
the ``zaqar::keystone::authtoken`` class.
- |
The ``zaqar::keystone::auth`` class now supports defining assignmet of
system-scoped roles to the zaqar service user.


@ -23,6 +23,9 @@ describe 'zaqar::keystone::auth' do
:password => 'zaqar_password', :password => 'zaqar_password',
:email => 'zaqar@localhost', :email => 'zaqar@localhost',
:tenant => 'services', :tenant => 'services',
:roles => ['admin'],
:system_scope => 'all',
:system_roles => [],
:public_url => 'http://127.0.0.1:8888', :public_url => 'http://127.0.0.1:8888',
:internal_url => 'http://127.0.0.1:8888', :internal_url => 'http://127.0.0.1:8888',
:admin_url => 'http://127.0.0.1:8888', :admin_url => 'http://127.0.0.1:8888',
@ -35,6 +38,9 @@ describe 'zaqar::keystone::auth' do
:auth_name => 'alt_zaqar', :auth_name => 'alt_zaqar',
:email => 'alt_zaqar@alt_localhost', :email => 'alt_zaqar@alt_localhost',
:tenant => 'alt_service', :tenant => 'alt_service',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:configure_endpoint => false, :configure_endpoint => false,
:configure_user => false, :configure_user => false,
:configure_user_role => false, :configure_user_role => false,
@ -44,8 +50,7 @@ describe 'zaqar::keystone::auth' do
:region => 'RegionTwo', :region => 'RegionTwo',
:public_url => 'https://10.10.10.10:80', :public_url => 'https://10.10.10.10:80',
:internal_url => 'http://10.10.10.11:81', :internal_url => 'http://10.10.10.11:81',
:admin_url => 'http://10.10.10.12:81', :admin_url => 'http://10.10.10.12:81' }
:roles => ['admin', 'ResellerAdmin'] }
end end
it { is_expected.to contain_keystone__resource__service_identity('zaqar').with( it { is_expected.to contain_keystone__resource__service_identity('zaqar').with(
@ -60,10 +65,12 @@ describe 'zaqar::keystone::auth' do
:password => 'zaqar_password', :password => 'zaqar_password',
:email => 'alt_zaqar@alt_localhost', :email => 'alt_zaqar@alt_localhost',
:tenant => 'alt_service', :tenant => 'alt_service',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:public_url => 'https://10.10.10.10:80', :public_url => 'https://10.10.10.10:80',
:internal_url => 'http://10.10.10.11:81', :internal_url => 'http://10.10.10.11:81',
:admin_url => 'http://10.10.10.12:81', :admin_url => 'http://10.10.10.12:81',
:roles => ['admin', 'ResellerAdmin'],
) } ) }
end end
end end


@ -18,6 +18,7 @@ describe 'zaqar::keystone::authtoken' do
:project_name => 'services', :project_name => 'services',
:user_domain_name => 'Default', :user_domain_name => 'Default',
:project_domain_name => 'Default', :project_domain_name => 'Default',
:system_scope => '<SERVICE DEFAULT>',
:insecure => '<SERVICE DEFAULT>', :insecure => '<SERVICE DEFAULT>',
:auth_section => '<SERVICE DEFAULT>', :auth_section => '<SERVICE DEFAULT>',
:auth_type => 'password', :auth_type => 'password',
@ -62,6 +63,7 @@ describe 'zaqar::keystone::authtoken' do
:project_name => 'service_project', :project_name => 'service_project',
:user_domain_name => 'domainX', :user_domain_name => 'domainX',
:project_domain_name => 'domainX', :project_domain_name => 'domainX',
:system_scope => 'all',
:insecure => false, :insecure => false,
:auth_section => 'new_section', :auth_section => 'new_section',
:auth_type => 'password', :auth_type => 'password',
@ -103,6 +105,7 @@ describe 'zaqar::keystone::authtoken' do
:project_name => 'service_project', :project_name => 'service_project',
:user_domain_name => 'domainX', :user_domain_name => 'domainX',
:project_domain_name => 'domainX', :project_domain_name => 'domainX',
:system_scope => 'all',
:insecure => false, :insecure => false,
:auth_section => 'new_section', :auth_section => 'new_section',
:auth_type => 'password', :auth_type => 'password',