Allow creating trusts with allow_redelegation
If you set up heat with trusts enabled, heat fails to create a remote stack, since by default it creates trusts with redelegation turned off. This commit adds a new option `allow_trusts_redelegation` (False by default) which, when enabled together with `reauthentication_auth_method` set to `trusts`, will make Heat create trusts with allow_redelegation=True, both for trusts used for deferred auth and for trusts used by stacks that take a long time to create. Change-Id: I73e73455139a87fb798fd8a4651c075a91be75fd Story: #2005062 Task: 29606 Task: 17266
parent
6e89926921
commit
e377658586
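--- a/PLACEHOLDER_PATH_NOT_ON_PAGE_config
+++ b/PLACEHOLDER_PATH_NOT_ON_PAGE_config
@@ -117,6 +117,18 @@ engine_opts = [
 help=_('Allow reauthentication on token expiry, such that'
 ' long-running tasks may complete. Note this defeats'
 ' the expiry of any provided user tokens.')),
+cfg.BoolOpt('allow_trusts_redelegation',
+default=False,
+help=_('Create trusts with redelegation enabled. '
+'This option is only used when '
+'reauthentication_auth_method is set to "trusts". '
+'Note that enabling this option does have '
+'security implications as all trusts created by Heat '
+'will use both impersonation and redelegation enabled. '
+'Enable it only when there are other services that '
+'need to create trusts from tokens Heat uses to '
+'access them, examples are Aodh and Heat in another '
+'region when configured to use trusts too.')),
 cfg.ListOpt('trusts_delegated_roles',
 default=[],
 help=_('Subset of trustor roles to be delegated to heat.'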
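Review bot: The help text for `allow_trusts_redelegation` says redelegation is enabled but not how far a redelegated trust can itself be re-delegated; the engine change passes only `allow_redelegation` and no `redelegation_count`, so the depth falls back to keystone's own `[trust]max_redelegation_count` setting, which the operator reading this help has no hint of. Consider extending the help with a sentence such as `'The redelegation depth is not limited by Heat; it is bounded by the keystone [trust]max_redelegation_count setting. '` so that the limit is traceable from the option that widens the trust. The help also says the option is "only used" with reauthentication_auth_method set to "trusts"; stating explicitly that it is ignored otherwise would match the gating in the engine code.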
@ -223,12 +223,13 @@ class KsClientWrapper(object):
token_info['token']['roles']]
token_info['token']['roles']]
else:
else:
role_kw['role_names'] = self.context.roles
role_kw['role_names'] = self.context.roles
allow_redelegation = (cfg.CONF.reauthentication_auth_method == 'trusts'
and cfg.CONF.allow_trusts_redelegation)
try:
try:
trust = self.client.trusts.create(trustor_user=trustor_user_id,
trust = self.client.trusts.create(
trustee_user=trustee_user_id,
trustor_user=trustor_user_id, trustee_user=trustee_user_id,
project=trustor_proj_id,
project=trustor_proj_id, impersonation=True,
impersonation=True,
allow_redelegation=allow_redelegation, **role_kw)
**role_kw)
except ks_exception.NotFound:
except ks_exception.NotFound:
LOG.debug("Failed to find roles %s for user %s"
LOG.debug("Failed to find roles %s for user %s"
% (role_kw, trustor_user_id))
% (role_kw, trustor_user_id))
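Review bot: The decision at `allow_redelegation = (cfg.CONF.reauthentication_auth_method == 'trusts' and cfg.CONF.allow_trusts_redelegation)` widens every trust Heat creates to be redelegable (and, per the unchanged `impersonation=True`, impersonating), yet nothing in the hunk records that at creation time, so an operator auditing logs cannot tell which trusts were created redelegable. A debug line before the `trusts.create` call, e.g. `LOG.debug("Creating trust for trustor %s with allow_redelegation=%s", trustor_user_id, allow_redelegation)`, would make that visible without changing behaviour. A short why-comment above the assignment would also help the next reader, e.g. `# Only widen trusts when Heat itself re-authenticates via trusts; see the allow_trusts_redelegation option help.`. The enclosing method (presumably create_trust_context, going by the test docstring) starts and ends outside the hunk, and the pre-existing `%`-formatted LOG.debug below is untouched by this change.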
@ -539,7 +539,17 @@ class KeystoneClientTest(common.HeatTestCase):
def test_create_trust_context_trust_create_deletegate_all_roles(self):
def test_create_trust_context_trust_create_deletegate_all_roles(self):
self._test_create_trust_context_trust_create()
self._test_create_trust_context_trust_create()
def _test_create_trust_context_trust_create(self, delegate_roles=None):
def test_create_trust_context_trust_create_with_enabled_redelegation(self):
cfg.CONF.set_override('reauthentication_auth_method', 'trusts')
cfg.CONF.set_override('allow_trusts_redelegation', True)
self._test_create_trust_context_trust_create(redelegate=True)
def test_create_trust_context_trust_create_with_no_redelegation(self):
cfg.CONF.set_override('reauthentication_auth_method', 'trusts')
self._test_create_trust_context_trust_create()
def _test_create_trust_context_trust_create(self, delegate_roles=None,
redelegate=False):
"""Test create_trust_context when creating a trust."""
"""Test create_trust_context when creating a trust."""
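Review bot: The two new tests cover "trusts + option on" and "trusts + option off", but not the gating branch where `allow_trusts_redelegation` is True while `reauthentication_auth_method` is left at its default, which the engine code maps to `allow_redelegation=False`; that is the case that protects a deployment from accidentally widening trusts by flipping one option. A third test that only does `cfg.CONF.set_override('allow_trusts_redelegation', True)` and then calls `self._test_create_trust_context_trust_create()` (expecting the default `redelegate=False`) would pin it. If HeatTestCase does not reset cfg.CONF between tests, the overrides set here should also be undone, e.g. `self.addCleanup(cfg.CONF.clear_override, 'allow_trusts_redelegation')`, otherwise the enabled-redelegation test could leak into the no-redelegation one. The body of `_test_create_trust_context_trust_create` continues past the end of the hunk.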
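--- a/PLACEHOLDER_PATH_NOT_ON_PAGE_tests
+++ b/PLACEHOLDER_PATH_NOT_ON_PAGE_tests
@@ -571,6 +581,7 @@ class KeystoneClientTest(common.HeatTestCase):
 self.m_load_auth.assert_called_once_with(
 cfg.CONF, 'trustee', trust_id=None)
 self.mock_ks_v3_client.trusts.create.assert_called_once_with(
+allow_redelegation=redelegate,
 trustor_user='5678',
 trustee_user='1234',
 project='42',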
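--- a/PLACEHOLDER_PATH_NOT_ON_PAGE_tests
+++ b/PLACEHOLDER_PATH_NOT_ON_PAGE_tests
@@ -630,6 +641,7 @@ class KeystoneClientTest(common.HeatTestCase):
 self.m_load_auth.assert_called_with(
 cfg.CONF, 'trustee', trust_id=None)
 self.mock_ks_v3_client.trusts.create.assert_called_once_with(
+allow_redelegation=False,
 trustor_user='5678',
 trustee_user='1234',
 project='42',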
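--- /dev/null
+++ b/PLACEHOLDER_PATH_NOT_ON_PAGE_releasenote
@@ -0,0 +1,19 @@
+---
+features:
+- |
+Added new config option ``[DEFAULT]allow_trusts_redelegation`` (``False``
+by default). When enabled and ``reauthentication_auth_method`` is set to
+``trusts``, Heat will always create trusts with enabled redelegation,
+for both trusts used for long running stacks and for trusts used for
+deferred authentication.
+security:
+- |
+With both ``reauthentication_auth_method`` set to ``trusts`` and
+``allow_trusts_redelegation`` set to ``True`` (new config option, ``False``
+by default), Heat will always create trusts with enabled redelegation,
+for both trusts used for long running stacks and for trusts used for
+deferred authentication. This have security implications and is only
+recommended when Heat is set to use trust and you experience problems
+with other services Heat consumes that also require to create trusts
+from token being passed by Heat (examples are Aodh and Heat running in
+another region).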