From e377658586c737150dad1bfd80b7b2267d46be51 Mon Sep 17 00:00:00 2001
From: Oleksiy Petrenko
Date: Thu, 21 Feb 2019 14:49:14 +0200
Subject: [PATCH] Allow creating trusts with allow_redelegation

If you set up heat with trusts enabled, heat fails to create remote stack since by default it creates trusts with turned off redelegation. This commit adds a new option `allow_trusts_redelegation` (False by default) which, when enabled together with `reauthentication_auth_method` set to `trusts` will make Heat to create trusts with allow_redelegation=True, both for trusts used for deferred auth and for long creating stacks.

Change-Id: I73e73455139a87fb798fd8a4651c075a91be75fd
Story: #2005062
Task: 29606
Task: 17266
---
 heat/common/config.py | 12 ++++++++++++
 .../os/keystone/heat_keystoneclient.py | 11 ++++++-----
 heat/tests/clients/test_heat_client.py | 14 +++++++++++++-
 .../trust-redelegate-25a6cfc78528a361.yaml | 19 +++++++++++++++++++
 4 files changed, 50 insertions(+), 6 deletions(-)
 create mode 100644 releasenotes/notes/trust-redelegate-25a6cfc78528a361.yaml

diff --git a/heat/common/config.py b/heat/common/config.py
index 40a23fcfaa..26dafe6309 100644
--- a/heat/common/config.py
+++ b/heat/common/config.py
@@ -117,6 +117,18 @@ engine_opts = [
 help=_('Allow reauthentication on token expiry, such that'
 ' long-running tasks may complete. Note this defeats'
 ' the expiry of any provided user tokens.')),
+ cfg.BoolOpt('allow_trusts_redelegation',
+ default=False,
+ help=_('Create trusts with redelegation enabled. '
+ 'This option is only used when '
+ 'reauthentication_auth_method is set to "trusts". '
+ 'Note that enabling this option does have '
+ 'security implications as all trusts created by Heat '
+ 'will use both impersonation and redelegation enabled. '
+ 'Enable it only when there are other services that '
+ 'need to create trusts from tokens Heat uses to '
+ 'access them, examples are Aodh and Heat in another '
+ 'region when configured to use trusts too.')),
 cfg.ListOpt('trusts_delegated_roles',
 default=[],
 help=_('Subset of trustor roles to be delegated to heat.'
diff --git a/heat/engine/clients/os/keystone/heat_keystoneclient.py b/heat/engine/clients/os/keystone/heat_keystoneclient.py
index f91c2c134e..a69dec90b4 100644
--- a/heat/engine/clients/os/keystone/heat_keystoneclient.py
+++ b/heat/engine/clients/os/keystone/heat_keystoneclient.py
@@ -223,12 +223,13 @@ class KsClientWrapper(object):
 token_info['token']['roles']]
 else:
 role_kw['role_names'] = self.context.roles
+ allow_redelegation = (cfg.CONF.reauthentication_auth_method == 'trusts'
+ and cfg.CONF.allow_trusts_redelegation)
 try:
- trust = self.client.trusts.create(trustor_user=trustor_user_id,
- trustee_user=trustee_user_id,
- project=trustor_proj_id,
- impersonation=True,
- **role_kw)
+ trust = self.client.trusts.create(
+ trustor_user=trustor_user_id, trustee_user=trustee_user_id,
+ project=trustor_proj_id, impersonation=True,
+ allow_redelegation=allow_redelegation, **role_kw)
 except ks_exception.NotFound:
 LOG.debug("Failed to find roles %s for user %s"
 % (role_kw, trustor_user_id))
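Review bot: The new help text says every trust gets redelegation enabled but does not say how deep the resulting chain may go; the matching call in heat_keystoneclient.py passes only `allow_redelegation` and no `redelegation_count`, so the depth is whatever Keystone's server-side limit allows (the `[trust] max_redelegation_count` setting, as far as I know). Because the option is explicitly advertised as having security implications, one more sentence in the help would let operators bound it, for example `'The depth of the redelegation chain is bounded by Keystone, not by Heat.'`. The engine_opts list continues outside the hunk.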
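Review bot: When `allow_trusts_redelegation` is True but `reauthentication_auth_method` is not 'trusts', the new `allow_redelegation` expression silently evaluates to False and the operator gets no indication that the option is being ignored, which is the very misconfiguration the commit message says breaks remote stacks. A warning at that point, e.g. `LOG.warning("allow_trusts_redelegation is set but reauthentication_auth_method is not 'trusts'; creating trust without redelegation")`, would make it diagnosable. A short why-comment above the assignment, such as `# Redelegation lets the trustee (the heat service user) mint further trusts from this one, so it is enabled only when both options opt in.`, would explain the double gate to the next reader. The method enclosing this hunk starts and ends outside it.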
diff --git a/heat/tests/clients/test_heat_client.py b/heat/tests/clients/test_heat_client.py
index 8397ca7408..2aa6afc01f 100644
--- a/heat/tests/clients/test_heat_client.py
+++ b/heat/tests/clients/test_heat_client.py
@@ -539,7 +539,17 @@ class KeystoneClientTest(common.HeatTestCase):
 def test_create_trust_context_trust_create_deletegate_all_roles(self):
 self._test_create_trust_context_trust_create()
- def _test_create_trust_context_trust_create(self, delegate_roles=None):
+ def test_create_trust_context_trust_create_with_enabled_redelegation(self):
+ cfg.CONF.set_override('reauthentication_auth_method', 'trusts')
+ cfg.CONF.set_override('allow_trusts_redelegation', True)
+ self._test_create_trust_context_trust_create(redelegate=True)
+
+ def test_create_trust_context_trust_create_with_no_redelegation(self):
+ cfg.CONF.set_override('reauthentication_auth_method', 'trusts')
+ self._test_create_trust_context_trust_create()
+
+ def _test_create_trust_context_trust_create(self, delegate_roles=None,
+ redelegate=False):
 """Test create_trust_context when creating a trust."""
@@ -571,6 +581,7 @@ class KeystoneClientTest(common.HeatTestCase):
 self.m_load_auth.assert_called_once_with(
 cfg.CONF, 'trustee', trust_id=None)
 self.mock_ks_v3_client.trusts.create.assert_called_once_with(
+ allow_redelegation=redelegate,
 trustor_user='5678',
 trustee_user='1234',
 project='42',
@@ -630,6 +641,7 @@ class KeystoneClientTest(common.HeatTestCase):
 self.m_load_auth.assert_called_with(
 cfg.CONF, 'trustee', trust_id=None)
 self.mock_ks_v3_client.trusts.create.assert_called_once_with(
+ allow_redelegation=False,
 trustor_user='5678',
 trustee_user='1234',
 project='42',
diff --git a/releasenotes/notes/trust-redelegate-25a6cfc78528a361.yaml b/releasenotes/notes/trust-redelegate-25a6cfc78528a361.yaml
new file mode 100644
index 0000000000..8d5d1d3b6b
--- /dev/null
+++ b/releasenotes/notes/trust-redelegate-25a6cfc78528a361.yaml
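Review bot: The gate in heat_keystoneclient.py has two inputs, but the tests added in the first hunk only vary `allow_trusts_redelegation` while `reauthentication_auth_method` is always set to 'trusts'; the case where `allow_trusts_redelegation` is True and `reauthentication_auth_method` is left at its default, which must still yield `allow_redelegation=False`, is not covered. A third test, `def test_create_trust_context_trust_create_redelegation_needs_trusts(self):` / `cfg.CONF.set_override('allow_trusts_redelegation', True)` / `self._test_create_trust_context_trust_create()`, would pin that least-privilege default. The helper's docstring under the new signature could also describe the new parameter, e.g. `:param redelegate: expected allow_redelegation kwarg passed to trusts.create`. KeystoneClientTest continues outside these hunks, and I am assuming the set_override values are reset by the HeatTestCase fixture between tests.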
@@ -0,0 +1,19 @@
+---
+features:
+ - |
+ Added new config option ``[DEFAULT]allow_trusts_redelegation`` (``False``
+ by default). When enabled and ``reauthentication_auth_method`` is set to
+ ``trusts``, Heat will always create trusts with enabled redelegation,
+ for both trusts used for long running stacks and for trusts used for
+ deferred authentication.
+security:
+ - |
+ With both ``reauthentication_auth_method`` set to ``trusts`` and
+ ``allow_trusts_redelegation`` set to ``True`` (new config option, ``False``
+ by default), Heat will always create trusts with enabled redelegation,
+ for both trusts used for long running stacks and for trusts used for
+ deferred authentication. This have security implications and is only
+ recommended when Heat is set to use trust and you experience problems
+ with other services Heat consumes that also require to create trusts
+ from token being passed by Heat (examples are Aodh and Heat running in
+ another region).