Allow creating trusts with allow_redelegation

If you set up heat with trusts enabled, heat fails to create remote
stack since by default it creates trusts with turned off redelegation.

This commit adds a new option `allow_trusts_redelegation`
(False by default) which, when enabled together with
`reauthentication_auth_method` set to `trusts` will make Heat create
trusts with allow_redelegation=True, both for trusts used for deferred
auth and for long creating stacks.

Change-Id: I73e73455139a87fb798fd8a4651c075a91be75fd
Story: #2005062
Task: 29606
Task: 17266
This commit is contained in:
Oleksiy Petrenko 2019-02-21 14:49:14 +02:00 committed by Pavlo Shchelokovskyy
parent 6e89926921
commit e377658586
4 changed files with 50 additions and 6 deletions


@ -117,6 +117,18 @@ engine_opts = [
help=_('Allow reauthentication on token expiry, such that'
' long-running tasks may complete. Note this defeats'
' the expiry of any provided user tokens.')),
cfg.BoolOpt('allow_trusts_redelegation',
default=False,
help=_('Create trusts with redelegation enabled. '
'This option is only used when '
'reauthentication_auth_method is set to "trusts". '
'Note that enabling this option does have '
'security implications as all trusts created by Heat '
'will use both impersonation and redelegation enabled. '
'Enable it only when there are other services that '
'need to create trusts from tokens Heat uses to '
'access them, examples are Aodh and Heat in another '
'region when configured to use trusts too.')),
cfg.ListOpt('trusts_delegated_roles',
default=[],
help=_('Subset of trustor roles to be delegated to heat.'
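Review bot: The help text for `allow_trusts_redelegation` describes the impersonation-plus-redelegation consequence but says nothing about how deep the delegation chain may go; as far as this change shows, Heat passes only `allow_redelegation` when creating the trust, so the depth is whatever the Keystone server permits for redelegated trusts rather than the single extra hop the Aodh / remote-Heat use case needs. Operators weighing this option need that stated, so the help string should add a sentence along the lines of `'Heat does not limit the redelegation depth; the effective limit is the one configured on the Keystone side.'`. The `engine_opts` list starts and ends outside the hunk.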


@ -223,12 +223,13 @@ class KsClientWrapper(object):
token_info['token']['roles']]
else:
role_kw['role_names'] = self.context.roles
allow_redelegation = (cfg.CONF.reauthentication_auth_method == 'trusts'
and cfg.CONF.allow_trusts_redelegation)
try:
trust = self.client.trusts.create(trustor_user=trustor_user_id,
trustee_user=trustee_user_id,
project=trustor_proj_id,
impersonation=True,
**role_kw)
trust = self.client.trusts.create(
trustor_user=trustor_user_id, trustee_user=trustee_user_id,
project=trustor_proj_id, impersonation=True,
allow_redelegation=allow_redelegation, **role_kw)
except ks_exception.NotFound:
LOG.debug("Failed to find roles %s for user %s"
% (role_kw, trustor_user_id))
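Review bot: The rewritten `trusts.create` call enables redelegation without bounding it, so when the option is on, every trust Heat creates can be redelegated as many times as the Keystone server's own ceiling allows, although the use case named in the option help (Aodh or a remote Heat creating one trust from Heat's token) needs one hop. Keystone's trust API takes a `redelegation_count` next to `allow_redelegation`, and keystoneclient forwards extra keyword arguments to the API, so the call could carry a depth, e.g. `allow_redelegation=allow_redelegation,` / `redelegation_count=1 if allow_redelegation else None,` / `**role_kw)` — confirm against the keystoneclient version Heat pins that a `None` value is dropped rather than sent. Whether a depth of 1 is enough for the remote-Heat case (the remote Heat may need to redelegate once more to its own services) should be settled before fixing the number; a separate config option for the count would be the safer shape. The enclosing `create_trust_context` method starts and ends outside the hunk.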


@ -539,7 +539,17 @@ class KeystoneClientTest(common.HeatTestCase):
def test_create_trust_context_trust_create_deletegate_all_roles(self):
self._test_create_trust_context_trust_create()
def _test_create_trust_context_trust_create(self, delegate_roles=None):
def test_create_trust_context_trust_create_with_enabled_redelegation(self):
cfg.CONF.set_override('reauthentication_auth_method', 'trusts')
cfg.CONF.set_override('allow_trusts_redelegation', True)
self._test_create_trust_context_trust_create(redelegate=True)
def test_create_trust_context_trust_create_with_no_redelegation(self):
cfg.CONF.set_override('reauthentication_auth_method', 'trusts')
self._test_create_trust_context_trust_create()
def _test_create_trust_context_trust_create(self, delegate_roles=None,
redelegate=False):
"""Test create_trust_context when creating a trust."""
@ -571,6 +581,7 @@ class KeystoneClientTest(common.HeatTestCase):
self.m_load_auth.assert_called_once_with(
cfg.CONF, 'trustee', trust_id=None)
self.mock_ks_v3_client.trusts.create.assert_called_once_with(
allow_redelegation=redelegate,
trustor_user='5678',
trustee_user='1234',
project='42',
@ -630,6 +641,7 @@ class KeystoneClientTest(common.HeatTestCase):
self.m_load_auth.assert_called_with(
cfg.CONF, 'trustee', trust_id=None)
self.mock_ks_v3_client.trusts.create.assert_called_once_with(
allow_redelegation=False,
trustor_user='5678',
trustee_user='1234',
project='42',
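Review bot: The two new tests exercise "both settings enabled" and "reauthentication via trusts but redelegation left at its default", but not the branch the engine code gates on in the other direction: `allow_trusts_redelegation` set to `True` while `reauthentication_auth_method` keeps its default, which must still produce `allow_redelegation=False`. Without it a regression that drops the `reauthentication_auth_method == 'trusts'` half of the condition would pass the suite. A third test next to the new ones would pin it: `def test_create_trust_context_trust_create_redelegation_without_trusts_reauth(self):` / `cfg.CONF.set_override('allow_trusts_redelegation', True)` / `self._test_create_trust_context_trust_create()`. The helper `_test_create_trust_context_trust_create` and the methods in the later hunks continue outside the hunk boundaries.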


@ -0,0 +1,19 @@
---
features:
- |
Added new config option ``[DEFAULT]allow_trusts_redelegation`` (``False``
by default). When enabled and ``reauthentication_auth_method`` is set to
``trusts``, Heat will always create trusts with enabled redelegation,
for both trusts used for long running stacks and for trusts used for
deferred authentication.
security:
- |
With both ``reauthentication_auth_method`` set to ``trusts`` and
``allow_trusts_redelegation`` set to ``True`` (new config option, ``False``
by default), Heat will always create trusts with enabled redelegation,
for both trusts used for long running stacks and for trusts used for
deferred authentication. This have security implications and is only
recommended when Heat is set to use trust and you experience problems
with other services Heat consumes that also require to create trusts
from token being passed by Heat (examples are Aodh and Heat running in
another region).