
Heat Fixes

- currently non-admin users aren't able to create stacks with i.e.
  Resource OS::Heat::SoftwareDeployment
- added heat domain
        heat domain_admin
        heat_stack_owner and user role
- added missing configuration options
- fixed some smaller ruby/cookstyle offenses
Change-Id: I6ae544dcc6260050304e66e227383e0e944a6bb6
Christoph Albers 1 year ago
parent
commit
cb26f25be4
7 changed files with 96 additions and 25 deletions
  1. 7
    8
      Berksfile
  2. 15
    16
      Rakefile
  3. 2
    0
      attributes/heat_conf.rb
  4. 3
    0
      recipes/common.rb
  5. 30
    1
      recipes/identity_registration.rb
  6. 36
    0
      spec/identity_registration_spec.rb
  7. 3
    0
      spec/spec_helper.rb

+ 7
- 8
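--- a/Berksfile
+++ b/Berksfile
@@ -1,11 +1,10 @@
-source "https://supermarket.chef.io"
+source 'https://supermarket.chef.io'
 
 metadata
 
-cookbook "openstack-identity",
-  github: "openstack/cookbook-openstack-identity"
-cookbook "openstack-common",
-  github: "openstack/cookbook-openstack-common"
-cookbook "openstackclient",
-  github: "cloudbau/cookbook-openstackclient"
-
+cookbook 'openstack-identity',
+  github: 'openstack/cookbook-openstack-identity'
+cookbook 'openstack-common',
+  github: 'openstack/cookbook-openstack-common'
+cookbook 'openstackclient',
+  github: 'cloudbau/cookbook-openstackclient'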
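Review bot: The three `github:` sources carry no `ref:`, `tag:` or `branch:`, so each resolve follows whatever the repository's default branch holds at that moment unless a committed Berksfile.lock pins it (not visible here, and the Rakefile's `clean` task deletes that file). One of them is `cloudbau/cookbook-openstackclient`, which presumably supplies the `openstack_user`, `openstack_role` and `openstack_domain` resources that receive the Keystone admin connection parameters in this cookbook. Pinning each source to a reviewed commit, e.g. `github: 'cloudbau/cookbook-openstackclient', ref: '<reviewed-commit-sha>'`, keeps an upstream push from changing what runs with those credentials.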

+ 15
- 16
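--- a/Rakefile
+++ b/Rakefile
@@ -1,40 +1,39 @@
-task default: ["test"]
+task default: ['test']
 
-task :test => [:syntax, :lint, :unit]
+task test: [:syntax, :lint, :unit]
 
-desc "Vendor the cookbooks in the Berksfile"
+desc 'Vendor the cookbooks in the Berksfile'
 task :berks_prep do
-  sh %{chef exec berks vendor}
+  sh %(chef exec berks vendor)
 end
 
-desc "Run FoodCritic (syntax) tests"
+desc 'Run FoodCritic (syntax) tests'
 task :syntax do
-  sh %{chef exec foodcritic --exclude spec -f any .}
+  sh %(chef exec foodcritic --exclude spec -f any .)
 end
 
-desc "Run RuboCop (lint) tests"
+desc 'Run RuboCop (lint) tests'
 task :lint do
-  sh %{chef exec cookstyle}
+  sh %(chef exec cookstyle)
 end
 
-desc "Run RSpec (unit) tests"
-task :unit => :berks_prep do
-  sh %{chef exec rspec --format documentation}
+desc 'Run RSpec (unit) tests'
+task unit: :berks_prep do
+  sh %(chef exec rspec --format documentation)
 end
 
-desc "Remove the berks-cookbooks directory and the Berksfile.lock"
+desc 'Remove the berks-cookbooks directory and the Berksfile.lock'
 task :clean do
   rm_rf [
     'berks-cookbooks',
-    'Berksfile.lock'
+    'Berksfile.lock',
   ]
 end
 
-desc "All-in-One Neutron build Infra using Common task"
+desc 'All-in-One Neutron build Infra using Common task'
 task :integration do
   # Use the common integration task
   sh %(wget -nv -t 3 -O Rakefile-Common https://raw.githubusercontent.com/openstack/cookbook-openstack-common/master/Rakefile)
   load './Rakefile-Common'
-  Rake::Task["common_integration"].invoke
+  Rake::Task['common_integration'].invoke
 end
-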
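Review bot: The `integration` task downloads `Rakefile-Common` from the `master` branch of cookbook-openstack-common and immediately `load`s it, so whatever that branch holds at run time executes with the privileges of whoever runs `rake integration`; this commit only re-quotes the task and leaves that as it was. Fetching from a fixed commit instead of `master` (`.../cookbook-openstack-common/<reviewed-commit-sha>/Rakefile`) and comparing the file's digest with a recorded value before `load './Rakefile-Common'` would make the executed code reviewable. The `-t 3` on `wget` only retries the download and does nothing to validate its content.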

+ 2
- 0
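--- a/attributes/heat_conf.rb
+++ b/attributes/heat_conf.rb
@@ -18,6 +18,8 @@
 #
 
 default['openstack']['orchestration']['conf']['DEFAULT']['log_dir'] = '/var/log/heat'
+default['openstack']['orchestration']['conf']['DEFAULT']['stack_domain_admin'] = 'heat_domain_admin'
+default['openstack']['orchestration']['conf']['DEFAULT']['stack_user_domain_name'] = 'heat'
 default['openstack']['orchestration']['conf']['oslo_messaging_notifications']['driver'] = 'heat.openstack.common.notifier.rpc_notifier'
 default['openstack']['orchestration']['conf']['keystone_authtoken']['auth_type'] = 'v3password'
 default['openstack']['orchestration']['conf']['keystone_authtoken']['username'] = 'heat'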

+ 3
- 0
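--- a/recipes/common.rb
+++ b/recipes/common.rb
@@ -50,6 +50,7 @@ end
 
 db_user = node['openstack']['db']['orchestration']['username']
 db_pass = get_password 'db', 'heat'
+stack_domain_admin = node['openstack']['orchestration']['conf']['DEFAULT']['stack_domain_admin']
 
 identity_endpoint = internal_endpoint 'identity'
 identity_admin_endpoint = admin_endpoint 'identity'
@@ -97,6 +98,8 @@ node.default['openstack']['orchestration']['conf_secrets'].tap do |conf_secrets|
     get_password 'service', 'openstack-orchestration'
   conf_secrets['trustee']['password'] =
     get_password 'service', 'openstack-orchestration'
+  conf_secrets['DEFAULT']['stack_domain_admin_password'] =
+    get_password 'user', stack_domain_admin
 end
 
 # merge all config options and secrets to be used in the heat.conf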
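Review bot: `conf_secrets['DEFAULT']['stack_domain_admin_password']` places the domain admin's password in `node.default['openstack']['orchestration']['conf_secrets']`, and node attributes are saved back to the Chef server at the end of a successful run unless they are removed first. Whether this recipe clears `conf_secrets` after rendering heat.conf lies outside the hunks shown, so it is worth confirming now that a credential holding `admin` on the heat domain travels the same path. The new `get_password 'user', stack_domain_admin` lookup also makes a stored password for that user a prerequisite for every node that includes this recipe. A comment above the assignment such as `# requires a user password entry for stack_domain_admin (heat_domain_admin by default)`, plus a README note, would save operators a failed converge.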

+ 30
- 1
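--- a/recipes/identity_registration.rb
+++ b/recipes/identity_registration.rb
@@ -34,7 +34,8 @@ public_heat_endpoint = public_endpoint 'orchestration-api'
 admin_heat_cfn_endpoint = admin_endpoint 'orchestration-api-cfn'
 internal_heat_cfn_endpoint = internal_endpoint 'orchestration-api-cfn'
 public_heat_cfn_endpoint = public_endpoint 'orchestration-api-cfn'
-
+stack_domain_admin = node['openstack']['orchestration']['conf']['DEFAULT']['stack_domain_admin']
+stack_domain_admin_password = get_password 'user', stack_domain_admin
 service_pass = get_password 'service', 'openstack-orchestration'
 service_project_name = node['openstack']['orchestration']['conf']['keystone_authtoken']['project_name']
 service_user = node['openstack']['orchestration']['conf']['keystone_authtoken']['username']
@@ -42,6 +43,7 @@ service_role = node['openstack']['orchestration']['service_role']
 service_type = 'orchestration'
 service_name = 'heat'
 service_domain_name = node['openstack']['orchestration']['conf']['keystone_authtoken']['user_domain_name']
+heat_domain_name = node['openstack']['orchestration']['conf']['DEFAULT']['stack_user_domain_name']
 admin_user = node['openstack']['identity']['admin_user']
 admin_pass = get_password 'user', node['openstack']['identity']['admin_user']
 admin_project = node['openstack']['identity']['admin_project']
@@ -184,3 +186,30 @@ openstack_user service_user do
   connection_params connection_params
   action :grant_domain
 end
+
+openstack_domain heat_domain_name do
+  connection_params connection_params
+end
+
+openstack_user stack_domain_admin do
+  domain_name heat_domain_name
+  role_name 'admin'
+  password stack_domain_admin_password
+  connection_params connection_params
+end
+
+openstack_user stack_domain_admin do
+  domain_name heat_domain_name
+  role_name 'admin'
+  user_name stack_domain_admin
+  connection_params connection_params
+  action :grant_role
+end
+
+openstack_role 'heat_stack_owner' do
+  connection_params connection_params
+end
+
+openstack_role 'heat_stack_user' do
+  connection_params connection_params
+end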
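Review bot: The second `openstack_user stack_domain_admin` block passes `domain_name heat_domain_name` and `role_name 'admin'` but ends in `action :grant_role`, while the service user's block directly above it uses `action :grant_domain`. The provider is not part of this page, so whether `:grant_role` honours `domain_name` when no project is given needs checking; if it is project-scoped, the admin assignment may be skipped or land on a scope other than the heat domain. If a domain-scoped grant is what is meant, `action :grant_domain` would match the block above, and a comment like `# admin on the heat stack-user domain only, never on the default domain` would record the intended boundary. The first block also sets `role_name 'admin'` on what looks like the create action and both blocks share one resource name, so it is worth stating in a comment which of the two actually performs the grant.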

+ 36
- 0
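--- a/spec/identity_registration_spec.rb
+++ b/spec/identity_registration_spec.rb
@@ -19,6 +19,8 @@ describe 'openstack-orchestration::identity_registration' do
     service_name = 'heat'
     service_type = 'orchestration'
     service_user = 'heat'
+    stack_domain_admin = 'heat_domain_admin'
+    stack_domain_name = 'heat'
     url = 'http://127.0.0.1:8004/v1/%(tenant_id)s'
     region = 'RegionOne'
     project_name = 'service'
@@ -80,6 +82,22 @@ describe 'openstack-orchestration::identity_registration' do
       )
     end
 
+    it do
+      expect(chef_run).to create_openstack_role(
+        'heat_stack_owner'
+      ).with(
+        connection_params: connection_params
+      )
+    end
+
+    it do
+      expect(chef_run).to create_openstack_role(
+        'heat_stack_user'
+      ).with(
+        connection_params: connection_params
+      )
+    end
+
     it do
       expect(chef_run).to grant_role_openstack_user(
         service_user
@@ -91,6 +109,24 @@ describe 'openstack-orchestration::identity_registration' do
       )
     end
 
+    it do
+      expect(chef_run).to create_openstack_domain(
+        stack_domain_name
+      ).with(
+        connection_params: connection_params
+      )
+    end
+
+    it do
+      expect(chef_run).to grant_role_openstack_user(
+        stack_domain_admin
+      ).with(
+        domain_name: stack_domain_name,
+        role_name: 'admin',
+        password: password,
+        connection_params: connection_params
+      )
+    end
     it 'register heat cloudformation service' do
       expect(chef_run).to create_openstack_service(
         'heat-cfn'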
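Review bot: None of the added examples covers the create action of `openstack_user stack_domain_admin`, which is where the recipe sets `password stack_domain_admin_password`. The only new user expectation is `grant_role_openstack_user`, and it asserts `password: password` even though the recipe's `:grant_role` block sets no password. If that expectation passes, it presumably does so because of something outside the visible lines. An explicit example such as `expect(chef_run).to create_openstack_user(stack_domain_admin).with(domain_name: stack_domain_name, password: password)` (matcher name inferred from the others used here) would pin the credential to the resource that owns it. A blank line before `it 'register heat cloudformation service' do` would keep the examples separated like the rest of the file.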

+ 3
- 0
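--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -46,6 +46,9 @@ shared_context 'orchestration_stubs' do
     allow_any_instance_of(Chef::Recipe).to receive(:get_password)
       .with('service', 'openstack-orchestration')
       .and_return 'heat-pass'
+    allow_any_instance_of(Chef::Recipe).to receive(:get_password)
+      .with('user', 'heat_domain_admin')
+      .and_return 'heat-pass'
     allow_any_instance_of(Chef::Recipe).to receive(:get_password)
       .with('user', 'admin')
       .and_return 'admin-pass'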
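Review bot: The new stub returns `'heat-pass'` for `('user', 'heat_domain_admin')`, the same value the stub above it returns for `('service', 'openstack-orchestration')`, so no example can tell the service password from the domain admin password. A recipe that passed `service_pass` where `stack_domain_admin_password` belongs would still pass the suite. Returning a distinct constructed value, e.g. `.and_return 'heat-domain-admin-pass'`, and asserting that value in the identity_registration and common specs closes the gap.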
