Allow creating trusts with allow_redelegation
If you set up Heat with trusts enabled, Heat fails to create a remote stack, because by default it creates trusts with redelegation turned off. This commit adds a new option `allow_trusts_redelegation` (False by default) which, when enabled together with `reauthentication_auth_method` set to `trusts`, makes Heat create trusts with allow_redelegation=True, both for the trusts used for deferred auth and for those used for long-running stacks. Change-Id: I73e73455139a87fb798fd8a4651c075a91be75fd Story: #2005062 Task: 29606 Task: 17266
This commit is contained in:
parent
6e89926921
commit
e377658586
|
@ -117,6 +117,18 @@ engine_opts = [
|
|||
help=_('Allow reauthentication on token expiry, such that'
|
||||
' long-running tasks may complete. Note this defeats'
|
||||
' the expiry of any provided user tokens.')),
|
||||
cfg.BoolOpt('allow_trusts_redelegation',
|
||||
default=False,
|
||||
help=_('Create trusts with redelegation enabled. '
|
||||
'This option is only used when '
|
||||
'reauthentication_auth_method is set to "trusts". '
|
||||
'Note that enabling this option does have '
|
||||
'security implications as all trusts created by Heat '
|
||||
'will use both impersonation and redelegation enabled. '
|
||||
'Enable it only when there are other services that '
|
||||
'need to create trusts from tokens Heat uses to '
|
||||
'access them, examples are Aodh and Heat in another '
|
||||
'region when configured to use trusts too.')),
|
||||
cfg.ListOpt('trusts_delegated_roles',
|
||||
default=[],
|
||||
help=_('Subset of trustor roles to be delegated to heat.'
|
||||
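Review bot: The help text for `allow_trusts_redelegation` says the option "does have security implications" but does not tell the operator what actually widens: a trust that is both impersonating and redelegable lets the trustee (Aodh, a remote Heat) mint further trusts carrying the roles Heat received, and nothing in this option bounds how deep that chain can go, since the trust is created without a `redelegation_count` and, if I recall the Keystone trust API correctly, the depth then falls back to the `max_redelegation_count` configured in Keystone. I would extend the help with `'Heat does not bound the redelegation depth; the max_redelegation_count configured in Keystone applies. Narrow trusts_delegated_roles to the minimum the downstream services need before enabling this.'`, because `trusts_delegated_roles` (declared just below) is the only lever here that limits what a redelegated trust can carry. The `engine_opts` list begins and ends outside this hunk.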
|
|
|
@ -223,12 +223,13 @@ class KsClientWrapper(object):
|
|||
token_info['token']['roles']]
|
||||
else:
|
||||
role_kw['role_names'] = self.context.roles
|
||||
allow_redelegation = (cfg.CONF.reauthentication_auth_method == 'trusts'
|
||||
and cfg.CONF.allow_trusts_redelegation)
|
||||
try:
|
||||
trust = self.client.trusts.create(trustor_user=trustor_user_id,
|
||||
trustee_user=trustee_user_id,
|
||||
project=trustor_proj_id,
|
||||
impersonation=True,
|
||||
**role_kw)
|
||||
trust = self.client.trusts.create(
|
||||
trustor_user=trustor_user_id, trustee_user=trustee_user_id,
|
||||
project=trustor_proj_id, impersonation=True,
|
||||
allow_redelegation=allow_redelegation, **role_kw)
|
||||
except ks_exception.NotFound:
|
||||
LOG.debug("Failed to find roles %s for user %s"
|
||||
% (role_kw, trustor_user_id))
|
||||
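Review bot: The gate `allow_redelegation = (cfg.CONF.reauthentication_auth_method == 'trusts' and cfg.CONF.allow_trusts_redelegation)` keys only on the reauthentication setting, while the commit message and release note say the option also covers trusts created for deferred auth; a deployment that uses trusts for deferred auth (the `deferred_auth_method` option, not shown here) but leaves `reauthentication_auth_method` at its default will silently keep creating non-redelegable trusts and still hit the remote-stack failure this change is meant to fix. Either widen the condition to also accept `cfg.CONF.deferred_auth_method == 'trusts'`, or at least emit a warning at startup when `allow_trusts_redelegation` is set but has no effect. Separately, the new `trusts.create` call passes `allow_redelegation` but no `redelegation_count`, so the chain depth is whatever Keystone's `max_redelegation_count` permits (if I recall the trust API correctly); the Aodh case needs a depth of one and a remote Heat only needs more if it redelegates in turn, so an operator-settable, bounded count would keep the blast radius of a leaked trustee token small. `create_trust_context` begins outside this hunk.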
|
|
|
@ -539,7 +539,17 @@ class KeystoneClientTest(common.HeatTestCase):
|
|||
def test_create_trust_context_trust_create_deletegate_all_roles(self):
|
||||
self._test_create_trust_context_trust_create()
|
||||
|
||||
def _test_create_trust_context_trust_create(self, delegate_roles=None):
|
||||
def test_create_trust_context_trust_create_with_enabled_redelegation(self):
|
||||
cfg.CONF.set_override('reauthentication_auth_method', 'trusts')
|
||||
cfg.CONF.set_override('allow_trusts_redelegation', True)
|
||||
self._test_create_trust_context_trust_create(redelegate=True)
|
||||
|
||||
def test_create_trust_context_trust_create_with_no_redelegation(self):
|
||||
cfg.CONF.set_override('reauthentication_auth_method', 'trusts')
|
||||
self._test_create_trust_context_trust_create()
|
||||
|
||||
def _test_create_trust_context_trust_create(self, delegate_roles=None,
|
||||
redelegate=False):
|
||||
|
||||
"""Test create_trust_context when creating a trust."""
|
||||
|
||||
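Review bot: The two new tests cover the option on and off with `reauthentication_auth_method` set to trusts, but not the case the gate in `create_trust_context` actually protects: `allow_trusts_redelegation = True` with `reauthentication_auth_method` left at its default (which is not `'trusts'`, as far as I can tell) must still produce `allow_redelegation=False`, and nothing here would catch a regression that drops the `== 'trusts'` half of that condition. I would add `def test_create_trust_context_trust_create_redelegation_ignored_without_trusts(self):` followed by `cfg.CONF.set_override('allow_trusts_redelegation', True)` and `self._test_create_trust_context_trust_create()` next to the two new tests. The `_test_create_trust_context_trust_create` helper continues outside this hunk.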
|
@ -571,6 +581,7 @@ class KeystoneClientTest(common.HeatTestCase):
|
|||
self.m_load_auth.assert_called_once_with(
|
||||
cfg.CONF, 'trustee', trust_id=None)
|
||||
self.mock_ks_v3_client.trusts.create.assert_called_once_with(
|
||||
allow_redelegation=redelegate,
|
||||
trustor_user='5678',
|
||||
trustee_user='1234',
|
||||
project='42',
|
||||
|
@ -630,6 +641,7 @@ class KeystoneClientTest(common.HeatTestCase):
|
|||
self.m_load_auth.assert_called_with(
|
||||
cfg.CONF, 'trustee', trust_id=None)
|
||||
self.mock_ks_v3_client.trusts.create.assert_called_once_with(
|
||||
allow_redelegation=False,
|
||||
trustor_user='5678',
|
||||
trustee_user='1234',
|
||||
project='42',
|
||||
|
|
|
@ -0,0 +1,19 @@
|
|||
---
|
||||
features:
|
||||
- |
|
||||
Added new config option ``[DEFAULT]allow_trusts_redelegation`` (``False``
|
||||
by default). When enabled and ``reauthentication_auth_method`` is set to
|
||||
``trusts``, Heat will always create trusts with enabled redelegation,
|
||||
for both trusts used for long running stacks and for trusts used for
|
||||
deferred authentication.
|
||||
security:
|
||||
- |
|
||||
With both ``reauthentication_auth_method`` set to ``trusts`` and
|
||||
``allow_trusts_redelegation`` set to ``True`` (new config option, ``False``
|
||||
by default), Heat will always create trusts with enabled redelegation,
|
||||
for both trusts used for long running stacks and for trusts used for
|
||||
deferred authentication. This have security implications and is only
|
||||
recommended when Heat is set to use trust and you experience problems
|
||||
with other services Heat consumes that also require to create trusts
|
||||
from token being passed by Heat (examples are Aodh and Heat running in
|
||||
another region).
|