Inherit roles for create_trust_context()
This changes the default value of the option 'trusts_delegated_roles' to [], and delegates all of the trustor's roles when creating the trust unless the user sets the option to a subset of roles. Change-Id: I3f1b70b78b91bfac9af5fadb71140679b208c999 Closes-bug: #1376562
parent
6b9a2b54c7
commit
aab01c00ff
|
@ -35,9 +35,10 @@
|
||||||
# (string value)
|
# (string value)
|
||||||
#deferred_auth_method=password
|
#deferred_auth_method=password
|
||||||
|
|
||||||
# Subset of trustor roles to be delegated to heat. (list
|
# Subset of trustor roles to be delegated to heat. If left
|
||||||
# value)
|
# unset, all roles of a user will be delegated to heat when
|
||||||
#trusts_delegated_roles=heat_stack_owner
|
# creating a stack. (list value)
|
||||||
|
#trusts_delegated_roles=
|
||||||
|
|
||||||
# Maximum resources allowed per top-level stack. (integer
|
# Maximum resources allowed per top-level stack. (integer
|
||||||
# value)
|
# value)
|
||||||
|
|
|
@ -105,8 +105,10 @@ engine_opts = [
|
||||||
help=_('Select deferred auth method, '
|
help=_('Select deferred auth method, '
|
||||||
'stored password or trusts.')),
|
'stored password or trusts.')),
|
||||||
cfg.ListOpt('trusts_delegated_roles',
|
cfg.ListOpt('trusts_delegated_roles',
|
||||||
default=['heat_stack_owner'],
|
default=[],
|
||||||
help=_('Subset of trustor roles to be delegated to heat.')),
|
help=_('Subset of trustor roles to be delegated to heat.'
|
||||||
|
' If left unset, all roles of a user will be'
|
||||||
|
' delegated to heat when creating a stack.')),
|
||||||
cfg.IntOpt('max_resources_per_stack',
|
cfg.IntOpt('max_resources_per_stack',
|
||||||
default=1000,
|
default=1000,
|
||||||
help=_('Maximum resources allowed per top-level stack.')),
|
help=_('Maximum resources allowed per top-level stack.')),
|
||||||
|
|
|
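Review bot: The help text at `help=_('Subset of trustor roles to be delegated to heat.'` does not spell out the privilege consequence of the new `default=[]`: with the option unset, every role the trustor holds is delegated to the heat trustee, so operators who want least-privilege delegation now have to opt in by setting the option explicitly. Suggest appending a sentence such as `' Set this option explicitly to limit the trust to the roles heat needs.'` to the help string so the widening is visible where operators read it. The `engine_opts` list starts outside the hunk.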
@ -275,7 +275,11 @@ class KeystoneClientV3(object):
|
||||||
trustee_user_id = self.admin_client.auth_ref.user_id
|
trustee_user_id = self.admin_client.auth_ref.user_id
|
||||||
trustor_user_id = self.client.auth_ref.user_id
|
trustor_user_id = self.client.auth_ref.user_id
|
||||||
trustor_project_id = self.client.auth_ref.project_id
|
trustor_project_id = self.client.auth_ref.project_id
|
||||||
roles = cfg.CONF.trusts_delegated_roles
|
# inherit the roles of the trustor, unless set trusts_delegated_roles
|
||||||
|
if cfg.CONF.trusts_delegated_roles:
|
||||||
|
roles = cfg.CONF.trusts_delegated_roles
|
||||||
|
else:
|
||||||
|
roles = self.context.roles
|
||||||
try:
|
try:
|
||||||
trust = self.client.trusts.create(trustor_user=trustor_user_id,
|
trust = self.client.trusts.create(trustor_user=trustor_user_id,
|
||||||
trustee_user=trustee_user_id,
|
trustee_user=trustee_user_id,
|
||||||
|
|
|
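Review bot: `roles = self.context.roles` is passed on without checking that the context actually carries roles; when `trusts_delegated_roles` is empty and the context has none, the `trusts.create(...)` call below receives an empty or missing `role_names`, which the hunk does not handle (previously the non-empty default guaranteed at least one role). Consider rejecting an empty role set before the call and logging the roles being delegated, since under the new default the trust grants every role the trustor holds rather than a fixed subset. The branch also reads more directly as `roles = cfg.CONF.trusts_delegated_roles or self.context.roles`, and the comment would be clearer as `# Delegate all of the trustor's roles unless trusts_delegated_roles is set`. The enclosing method starts and ends outside the hunk.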
@ -371,6 +371,14 @@ class EngineService(service.Service):
|
||||||
'deprecated and will be removed in the Juno '
|
'deprecated and will be removed in the Juno '
|
||||||
'release.', DeprecationWarning)
|
'release.', DeprecationWarning)
|
||||||
|
|
||||||
|
if cfg.CONF.trusts_delegated_roles:
|
||||||
|
warnings.warn('The default value of "trusts_delegated_roles" '
|
||||||
|
'option in heat.conf is changed to [] in Kilo '
|
||||||
|
'and heat will delegate all roles of trustor. '
|
||||||
|
'Please keep the same if you do not want to '
|
||||||
|
'delegate subset roles when upgrading.',
|
||||||
|
Warning)
|
||||||
|
|
||||||
def create_periodic_tasks(self):
|
def create_periodic_tasks(self):
|
||||||
LOG.debug("Starting periodic watch tasks pid=%s" % os.getpid())
|
LOG.debug("Starting periodic watch tasks pid=%s" % os.getpid())
|
||||||
# Note with multiple workers, the parent process hasn't called start()
|
# Note with multiple workers, the parent process hasn't called start()
|
||||||
|
|
|
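Review bot: The condition `if cfg.CONF.trusts_delegated_roles:` only fires for operators who have already set the option, while the message is aimed at operators relying on the old default — who leave the option unset and therefore see nothing. With the new default of `[]` an unset option is indistinguishable from an explicit `[]`, so this warning cannot reach the deployments whose trusts now delegate every trustor role; if the goal is to flag that change, consider warning when the option is unset and rewording the message to say plainly that all trustor roles are now delegated and that `trusts_delegated_roles` must be set to keep the previous subset. A specific category such as `UserWarning` would also be preferable to the bare `Warning` passed here. The enclosing method starts outside the hunk.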
@ -492,7 +492,14 @@ class KeystoneClientTest(HeatTestCase):
|
||||||
trust_context = heat_ks_client.create_trust_context()
|
trust_context = heat_ks_client.create_trust_context()
|
||||||
self.assertEqual(ctx.to_dict(), trust_context.to_dict())
|
self.assertEqual(ctx.to_dict(), trust_context.to_dict())
|
||||||
|
|
||||||
def test_create_trust_context_trust_create(self):
|
def test_create_trust_context_trust_create_deletegate_subset_roles(self):
|
||||||
|
delegate_roles = ['heat_stack_owner']
|
||||||
|
self._test_create_trust_context_trust_create(delegate_roles)
|
||||||
|
|
||||||
|
def test_create_trust_context_trust_create_deletegate_all_roles(self):
|
||||||
|
self._test_create_trust_context_trust_create()
|
||||||
|
|
||||||
|
def _test_create_trust_context_trust_create(self, delegate_roles=None):
|
||||||
|
|
||||||
"""Test create_trust_context when creating a trust."""
|
"""Test create_trust_context when creating a trust."""
|
||||||
|
|
||||||
|
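Review bot: Both new test names contain the typo "deletegate": `def test_create_trust_context_trust_create_deletegate_subset_roles(self):` and `def test_create_trust_context_trust_create_deletegate_all_roles(self):` should be `..._delegate_subset_roles` and `..._delegate_all_roles`. The shared helper `_test_create_trust_context_trust_create` continues past the end of the hunk.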
@ -503,22 +510,26 @@ class KeystoneClientTest(HeatTestCase):
|
||||||
|
|
||||||
self._stubs_v3()
|
self._stubs_v3()
|
||||||
cfg.CONF.set_override('deferred_auth_method', 'trusts')
|
cfg.CONF.set_override('deferred_auth_method', 'trusts')
|
||||||
cfg.CONF.set_override('trusts_delegated_roles', ['heat_stack_owner'])
|
if delegate_roles:
|
||||||
|
cfg.CONF.set_override('trusts_delegated_roles', delegate_roles)
|
||||||
|
|
||||||
|
trustor_roles = ['heat_stack_owner', 'admin', '__member__']
|
||||||
|
trustee_roles = delegate_roles or trustor_roles
|
||||||
self.mock_ks_v3_client.auth_ref = self.m.CreateMockAnything()
|
self.mock_ks_v3_client.auth_ref = self.m.CreateMockAnything()
|
||||||
self.mock_ks_v3_client.auth_ref.user_id = '5678'
|
self.mock_ks_v3_client.auth_ref.user_id = '5678'
|
||||||
self.mock_ks_v3_client.auth_ref.project_id = '42'
|
self.mock_ks_v3_client.auth_ref.project_id = '42'
|
||||||
self.mock_ks_v3_client.trusts = self.m.CreateMockAnything()
|
self.mock_ks_v3_client.trusts = self.m.CreateMockAnything()
|
||||||
|
|
||||||
self.mock_ks_v3_client.trusts.create(
|
self.mock_ks_v3_client.trusts.create(
|
||||||
trustor_user='5678',
|
trustor_user='5678',
|
||||||
trustee_user='1234',
|
trustee_user='1234',
|
||||||
project='42',
|
project='42',
|
||||||
impersonation=True,
|
impersonation=True,
|
||||||
role_names=['heat_stack_owner']).AndReturn(MockTrust())
|
role_names=trustee_roles).AndReturn(MockTrust())
|
||||||
|
|
||||||
self.m.ReplayAll()
|
self.m.ReplayAll()
|
||||||
|
|
||||||
ctx = utils.dummy_context()
|
ctx = utils.dummy_context(roles=trustor_roles)
|
||||||
ctx.trust_id = None
|
ctx.trust_id = None
|
||||||
heat_ks_client = heat_keystoneclient.KeystoneClient(ctx)
|
heat_ks_client = heat_keystoneclient.KeystoneClient(ctx)
|
||||||
trust_context = heat_ks_client.create_trust_context()
|
trust_context = heat_ks_client.create_trust_context()
|
||||||
|
|
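Review bot: The all-roles path relies on the option's default, because `if delegate_roles:` applies the override only when a subset is given; unless the test base class resets overrides between tests, an override left by another test would make this case pass or fail for the wrong reason. Adding `else: cfg.CONF.clear_override('trusts_delegated_roles')` makes the default under test explicit. Since `trustor_roles` includes `'admin'`, the expectation `role_names=trustee_roles` pins that an admin role is delegated under the default; a one-line comment such as `# With no subset configured, every trustor role (including admin) is delegated` would tell a future reader this is intended rather than accidental. The helper continues outside the hunk.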