Add rbac scope enforcement handling to devstack plugin
Adds explicit handling of the scope enforcement setting by putting the appropriate settings in place, and configuring how the plugin communicates back with ironic based upon the supplied environment variables. Change-Id: Ia27b26990e52b5b4ffb49b2fee3bdcca41dd75a9
This commit is contained in:
parent
948325cae7
commit
2c2dfe986e
@ -22,6 +22,16 @@ IRONIC_INSPECTOR_STANDALONE=${IRONIC_INSPECTOR_STANDALONE:-True}
|
||||
IRONIC_INSPECTOR_UWSGI=$IRONIC_INSPECTOR_BIN_DIR/ironic-inspector-api-wsgi
|
||||
IRONIC_INSPECTOR_UWSGI_CONF=$IRONIC_INSPECTOR_CONF_DIR/ironic-inspector-uwsgi.ini
|
||||
|
||||
# Determine if ironic is in enforce scope node, infer that to mean our operating mode
|
||||
# explicitly unless otherwise set.
|
||||
IRONIC_INSPECTOR_ENFORCE_SCOPE=${IRONIC_INSPECTOR_ENFORCE_SCOPE:-${IRONIC_ENFORCE_SCOPE:-False}}
|
||||
# and then fallback to trueorfalse to put it into the standardized string format for the jobs.
|
||||
IRONIC_INSPECTOR_ENFORCE_SCOPE=$(trueorfalse False IRONIC_INSPECTOR_ENFORCE_SCOPE)
|
||||
# Reset the input in the event the plugin is running separately from ironic's
|
||||
# devstack plugin.
|
||||
IRONIC_ENFORCE_SCOPE=$(trueorfalse False IRONIC_ENFORCE_SCOPE)
|
||||
|
||||
|
||||
if [[ -n ${IRONIC_INSPECTOR_MANAGE_FIREWALL} ]] ; then
|
||||
echo "IRONIC_INSPECTOR_MANAGE_FIREWALL is deprecated." >&2
|
||||
echo "Please, use IRONIC_INSPECTOR_DHCP_FILTER == noop/iptables/dnsmasq instead." >&2
|
||||
@ -254,11 +264,20 @@ EOF
|
||||
function inspector_configure_auth_for {
|
||||
inspector_iniset $1 auth_type password
|
||||
inspector_iniset $1 auth_url "$KEYSTONE_SERVICE_URI"
|
||||
inspector_iniset $1 username $IRONIC_INSPECTOR_ADMIN_USER
|
||||
inspector_iniset $1 password $SERVICE_PASSWORD
|
||||
inspector_iniset $1 project_name $SERVICE_PROJECT_NAME
|
||||
if [[ "$1" == "ironic" ]] && [[ "$IRONIC_ENFORCE_SCOPE" == "True" ]]; then
|
||||
# If ironic is enforcing scope, service credentials are not
|
||||
# enough, because they live in a "service project" and does not
|
||||
# have a full view of the system.
|
||||
inspector_iniset $1 username admin
|
||||
inspector_iniset $1 password $ADMIN_PASSWORD
|
||||
inspector_iniset $1 system_scope all
|
||||
else
|
||||
inspector_iniset $1 username $IRONIC_INSPECTOR_ADMIN_USER
|
||||
inspector_iniset $1 password $SERVICE_PASSWORD
|
||||
inspector_iniset $1 project_name $SERVICE_PROJECT_NAME
|
||||
inspector_iniset $1 project_domain_id default
|
||||
fi
|
||||
inspector_iniset $1 user_domain_id default
|
||||
inspector_iniset $1 project_domain_id default
|
||||
inspector_iniset $1 cafile $SSL_BUNDLE_FILE
|
||||
inspector_iniset $1 region_name $REGION_NAME
|
||||
}
|
||||
@ -397,6 +416,12 @@ function configure_inspector {
|
||||
configure_inspector_pxe_filter_dnsmasq
|
||||
fi
|
||||
|
||||
# Set if inspector should also be running in a scope enforced mode.
|
||||
if [[ "$IRONIC_INSPECTOR_ENFORCE_SCOPE" == "True" ]]; then
|
||||
inspector_iniset oslo_policy enforce_scope true
|
||||
inspector_iniset oslo_policy enforce_new_defaults true
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
function configure_inspector_swift {
|
||||
|
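Review bot: In the second hunk, inspector_configure_auth_for writes `project_domain_id default` twice on the non-scoped path (inside the `else` branch and again unconditionally after the `fi`), and on the enforce-scope path the `[ironic]` section ends up with both `system_scope all` and `project_domain_id default`, which reads as mixed scoping even if keystoneauth presumably ignores the domain id when no project is named — confirm, and either drop the line from the `else` branch or move the trailing one into it. The branch comment would also benefit from stating that reusing the cloud `admin` account with `$ADMIN_PASSWORD` is a devstack-only shortcut, e.g. `# Devstack-only: a real deployment should give inspector its own system-scoped service user instead of the cloud admin.`, so the pattern is not copied into deployment guides. In the first hunk the comment `# Determine if ironic is in enforce scope node` should read `mode`. As on the rest of the file, `$1` and the credential variables passed to inspector_iniset are unquoted; the new lines keep that style, so a follow-up could quote them consistently.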