Accept system scope credentials for Keystone API request
This change is the first step towards supporting secure RBAC: it allows system-scoped credentials to be used for Keystone API requests. This change covers the following two items. - assignment of system-scoped roles to the zaqar service user - credential parameters for the authtoken middleware Depends-on: https://review.opendev.org/804325 Change-Id: I2a54b0d0c03a98b3fe7a3a4a28051247eea7e70a
parent
07822ab838
commit
fe7da441a6
@ -19,6 +19,18 @@
|
|||||||
# (Optional) Tenant for zaqar user.
|
# (Optional) Tenant for zaqar user.
|
||||||
# Defaults to 'services'.
|
# Defaults to 'services'.
|
||||||
#
|
#
|
||||||
|
# [*roles*]
|
||||||
|
# (Optional) List of roles assigned to neutron user.
|
||||||
|
# Defaults to ['admin']
|
||||||
|
#
|
||||||
|
# [*system_scope*]
|
||||||
|
# (Optional) Scope for system operations.
|
||||||
|
# Defaults to 'all'
|
||||||
|
#
|
||||||
|
# [*system_roles*]
|
||||||
|
# (Optional) List of system roles assigned to neutron user.
|
||||||
|
# Defaults to []
|
||||||
|
#
|
||||||
# [*configure_endpoint*]
|
# [*configure_endpoint*]
|
||||||
# (Optional) Should zaqar endpoint be configured?
|
# (Optional) Should zaqar endpoint be configured?
|
||||||
# Defaults to true.
|
# Defaults to true.
|
||||||
@ -63,10 +75,6 @@
|
|||||||
# (Optional) Whether to configure the admin role for the service user.
|
# (Optional) Whether to configure the admin role for the service user.
|
||||||
# Defaults to true
|
# Defaults to true
|
||||||
#
|
#
|
||||||
# [*roles*]
|
|
||||||
# (Optional) Roles to give the service user.
|
|
||||||
# Defaults to undef
|
|
||||||
#
|
|
||||||
class zaqar::keystone::auth(
|
class zaqar::keystone::auth(
|
||||||
$password,
|
$password,
|
||||||
$email = 'zaqar@localhost',
|
$email = 'zaqar@localhost',
|
||||||
@ -78,12 +86,14 @@ class zaqar::keystone::auth(
|
|||||||
$internal_url = 'http://127.0.0.1:8888',
|
$internal_url = 'http://127.0.0.1:8888',
|
||||||
$region = 'RegionOne',
|
$region = 'RegionOne',
|
||||||
$tenant = 'services',
|
$tenant = 'services',
|
||||||
|
$roles = ['admin'],
|
||||||
|
$system_scope = 'all',
|
||||||
|
$system_roles = [],
|
||||||
$configure_endpoint = true,
|
$configure_endpoint = true,
|
||||||
$configure_service = true,
|
$configure_service = true,
|
||||||
$configure_user = true,
|
$configure_user = true,
|
||||||
$configure_user_role = true,
|
$configure_user_role = true,
|
||||||
$service_description = 'OpenStack Messaging Service',
|
$service_description = 'OpenStack Messaging Service',
|
||||||
$roles = undef,
|
|
||||||
) {
|
) {
|
||||||
|
|
||||||
include zaqar::deps
|
include zaqar::deps
|
||||||
@ -102,9 +112,11 @@ class zaqar::keystone::auth(
|
|||||||
password => $password,
|
password => $password,
|
||||||
email => $email,
|
email => $email,
|
||||||
tenant => $tenant,
|
tenant => $tenant,
|
||||||
|
roles => $roles,
|
||||||
|
system_scope => $system_scope,
|
||||||
|
system_roles => $system_roles,
|
||||||
public_url => $public_url,
|
public_url => $public_url,
|
||||||
admin_url => $admin_url,
|
admin_url => $admin_url,
|
||||||
internal_url => $internal_url,
|
internal_url => $internal_url,
|
||||||
roles => $roles,
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
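Review bot: The parameter documentation added in the first hunk describes the wrong service: both the `[*roles*]` and `[*system_roles*]` entries say "assigned to neutron user", while the class is `zaqar::keystone::auth` and the user being configured is the zaqar service user. They should read `# (Optional) List of roles assigned to zaqar user.` and `# (Optional) List of system roles assigned to zaqar user.` so an operator granting system-scoped roles is not misled about which principal is affected. The `[*system_scope*]` entry could also state that Keystone currently defines only the `all` system scope, since the default of 'all' gives no hint that other values are not meaningful. Separately, the default of `$roles` moves from `undef` to `['admin']` in the third hunk; this is only behaviour-preserving if `keystone::resource::service_identity` already defaulted to `['admin']`, which is not visible here and is worth confirming.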
@ -28,6 +28,10 @@
|
|||||||
# (Optional) Name of domain for $project_name
|
# (Optional) Name of domain for $project_name
|
||||||
# Defaults to 'Default'
|
# Defaults to 'Default'
|
||||||
#
|
#
|
||||||
|
# [*system_scope*]
|
||||||
|
# (Optional) Scope for system operations.
|
||||||
|
# Defaults to $::os_service_default
|
||||||
|
#
|
||||||
# [*insecure*]
|
# [*insecure*]
|
||||||
# (Optional) If true, explicitly allow TLS without checking server cert
|
# (Optional) If true, explicitly allow TLS without checking server cert
|
||||||
# against any certificate authorities. WARNING: not recommended. Use with
|
# against any certificate authorities. WARNING: not recommended. Use with
|
||||||
@ -198,6 +202,7 @@ class zaqar::keystone::authtoken(
|
|||||||
$project_name = 'services',
|
$project_name = 'services',
|
||||||
$user_domain_name = 'Default',
|
$user_domain_name = 'Default',
|
||||||
$project_domain_name = 'Default',
|
$project_domain_name = 'Default',
|
||||||
|
$system_scope = $::os_service_default,
|
||||||
$insecure = $::os_service_default,
|
$insecure = $::os_service_default,
|
||||||
$auth_section = $::os_service_default,
|
$auth_section = $::os_service_default,
|
||||||
$auth_type = 'password',
|
$auth_type = 'password',
|
||||||
@ -251,6 +256,7 @@ class zaqar::keystone::authtoken(
|
|||||||
auth_section => $auth_section,
|
auth_section => $auth_section,
|
||||||
user_domain_name => $user_domain_name,
|
user_domain_name => $user_domain_name,
|
||||||
project_domain_name => $project_domain_name,
|
project_domain_name => $project_domain_name,
|
||||||
|
system_scope => $system_scope,
|
||||||
insecure => $insecure,
|
insecure => $insecure,
|
||||||
cache => $cache,
|
cache => $cache,
|
||||||
cafile => $cafile,
|
cafile => $cafile,
|
||||||
|
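Review bot: The new `system_scope` parameter is passed straight through to `keystone::resource::authtoken` next to `project_name` and `project_domain_name` (last hunk), but nothing in this class or its documentation says that the two scopes are alternatives: a system-scoped token and a project-scoped token cannot both be requested, and if the dependent puppet-keystone change does not clear the project parameters when `system_scope` is set, keystoneauth resolves the conflict silently on the middleware's behalf, which is presumably not what an operator expects when enabling secure RBAC. I would extend the `[*system_scope*]` documentation with `# When set, the service token is system-scoped and project_name / project_domain_name are not used; Keystone currently accepts only 'all'.`, assuming that matches the behaviour of the `keystone::resource::authtoken` revision this change depends on. Whether this class should itself reset `project_name`/`project_domain_name` to `$::os_service_default` when `system_scope` is set, rather than relying on the shared resource, depends on that dependency and should be decided explicitly rather than left implicit. The `zaqar::keystone::authtoken` parameter list and resource declaration both start and end outside the visible hunks.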
@ -0,0 +1,9 @@
|
|||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
The ``system_scope`` parameter has been added to
|
||||||
|
the ``zaqar::keystone::authtoken`` class.
|
||||||
|
|
||||||
|
- |
|
||||||
|
The ``zaqar::keystone::auth`` class now supports defining assignmet of
|
||||||
|
system-scoped roles to the zaqar service user.
|
@ -23,6 +23,9 @@ describe 'zaqar::keystone::auth' do
|
|||||||
:password => 'zaqar_password',
|
:password => 'zaqar_password',
|
||||||
:email => 'zaqar@localhost',
|
:email => 'zaqar@localhost',
|
||||||
:tenant => 'services',
|
:tenant => 'services',
|
||||||
|
:roles => ['admin'],
|
||||||
|
:system_scope => 'all',
|
||||||
|
:system_roles => [],
|
||||||
:public_url => 'http://127.0.0.1:8888',
|
:public_url => 'http://127.0.0.1:8888',
|
||||||
:internal_url => 'http://127.0.0.1:8888',
|
:internal_url => 'http://127.0.0.1:8888',
|
||||||
:admin_url => 'http://127.0.0.1:8888',
|
:admin_url => 'http://127.0.0.1:8888',
|
||||||
@ -35,6 +38,9 @@ describe 'zaqar::keystone::auth' do
|
|||||||
:auth_name => 'alt_zaqar',
|
:auth_name => 'alt_zaqar',
|
||||||
:email => 'alt_zaqar@alt_localhost',
|
:email => 'alt_zaqar@alt_localhost',
|
||||||
:tenant => 'alt_service',
|
:tenant => 'alt_service',
|
||||||
|
:roles => ['admin', 'service'],
|
||||||
|
:system_scope => 'alt_all',
|
||||||
|
:system_roles => ['admin', 'member', 'reader'],
|
||||||
:configure_endpoint => false,
|
:configure_endpoint => false,
|
||||||
:configure_user => false,
|
:configure_user => false,
|
||||||
:configure_user_role => false,
|
:configure_user_role => false,
|
||||||
@ -44,8 +50,7 @@ describe 'zaqar::keystone::auth' do
|
|||||||
:region => 'RegionTwo',
|
:region => 'RegionTwo',
|
||||||
:public_url => 'https://10.10.10.10:80',
|
:public_url => 'https://10.10.10.10:80',
|
||||||
:internal_url => 'http://10.10.10.11:81',
|
:internal_url => 'http://10.10.10.11:81',
|
||||||
:admin_url => 'http://10.10.10.12:81',
|
:admin_url => 'http://10.10.10.12:81' }
|
||||||
:roles => ['admin', 'ResellerAdmin'] }
|
|
||||||
end
|
end
|
||||||
|
|
||||||
it { is_expected.to contain_keystone__resource__service_identity('zaqar').with(
|
it { is_expected.to contain_keystone__resource__service_identity('zaqar').with(
|
||||||
@ -60,10 +65,12 @@ describe 'zaqar::keystone::auth' do
|
|||||||
:password => 'zaqar_password',
|
:password => 'zaqar_password',
|
||||||
:email => 'alt_zaqar@alt_localhost',
|
:email => 'alt_zaqar@alt_localhost',
|
||||||
:tenant => 'alt_service',
|
:tenant => 'alt_service',
|
||||||
|
:roles => ['admin', 'service'],
|
||||||
|
:system_scope => 'alt_all',
|
||||||
|
:system_roles => ['admin', 'member', 'reader'],
|
||||||
:public_url => 'https://10.10.10.10:80',
|
:public_url => 'https://10.10.10.10:80',
|
||||||
:internal_url => 'http://10.10.10.11:81',
|
:internal_url => 'http://10.10.10.11:81',
|
||||||
:admin_url => 'http://10.10.10.12:81',
|
:admin_url => 'http://10.10.10.12:81',
|
||||||
:roles => ['admin', 'ResellerAdmin'],
|
|
||||||
) }
|
) }
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
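Review bot: The override case in the second hunk uses `:system_scope => 'alt_all'`, which exercises parameter pass-through but reads as if arbitrary system scopes exist; as far as Keystone's API defines it, `all` is the only system scope, so a reader may take the spec as evidence that other values are supported. Either use a realistic value such as `:system_scope => 'all'` alongside a differing `system_roles` list to still prove the override is honoured, or add a one-line comment above it, `# any string is accepted here; the class only forwards the value`, so the intent is clear. The default case correctly pins `:system_roles => []`, which documents that with defaults the service user still relies solely on its project-scoped `admin` role.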
@ -18,6 +18,7 @@ describe 'zaqar::keystone::authtoken' do
|
|||||||
:project_name => 'services',
|
:project_name => 'services',
|
||||||
:user_domain_name => 'Default',
|
:user_domain_name => 'Default',
|
||||||
:project_domain_name => 'Default',
|
:project_domain_name => 'Default',
|
||||||
|
:system_scope => '<SERVICE DEFAULT>',
|
||||||
:insecure => '<SERVICE DEFAULT>',
|
:insecure => '<SERVICE DEFAULT>',
|
||||||
:auth_section => '<SERVICE DEFAULT>',
|
:auth_section => '<SERVICE DEFAULT>',
|
||||||
:auth_type => 'password',
|
:auth_type => 'password',
|
||||||
@ -62,6 +63,7 @@ describe 'zaqar::keystone::authtoken' do
|
|||||||
:project_name => 'service_project',
|
:project_name => 'service_project',
|
||||||
:user_domain_name => 'domainX',
|
:user_domain_name => 'domainX',
|
||||||
:project_domain_name => 'domainX',
|
:project_domain_name => 'domainX',
|
||||||
|
:system_scope => 'all',
|
||||||
:insecure => false,
|
:insecure => false,
|
||||||
:auth_section => 'new_section',
|
:auth_section => 'new_section',
|
||||||
:auth_type => 'password',
|
:auth_type => 'password',
|
||||||
@ -103,6 +105,7 @@ describe 'zaqar::keystone::authtoken' do
|
|||||||
:project_name => 'service_project',
|
:project_name => 'service_project',
|
||||||
:user_domain_name => 'domainX',
|
:user_domain_name => 'domainX',
|
||||||
:project_domain_name => 'domainX',
|
:project_domain_name => 'domainX',
|
||||||
|
:system_scope => 'all',
|
||||||
:insecure => false,
|
:insecure => false,
|
||||||
:auth_section => 'new_section',
|
:auth_section => 'new_section',
|
||||||
:auth_type => 'password',
|
:auth_type => 'password',
|
||||||
|
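Review bot: The override expectations in the last hunk assert that `project_name => 'service_project'`, `project_domain_name => 'domainX'` and `system_scope => 'all'` are all forwarded to `keystone::resource::authtoken` at once, which pins the behaviour of requesting project and system scope simultaneously. If the puppet-keystone change this depends on makes the shared resource drop the project parameters when `system_scope` is set, these expectations would still pass at the class boundary but no longer reflect what lands in `[keystone_authtoken]`; a comment such as `# both scopes are forwarded; keystone::resource::authtoken decides which one is written` above the `:system_scope` expectation would make that boundary explicit. Consider also adding a case where `system_scope` is set and the project parameters are left at their defaults, since that is the configuration a secure-RBAC deployment will actually use.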