From 2c2dfe986e1f9994528e290f9b0f08ca2c62a3d3 Mon Sep 17 00:00:00 2001
From: Julia Kreger <juliaashleykreger@gmail.com>
Date: Mon, 28 Jun 2021 10:04:37 -0700
Subject: [PATCH] Add rbac scope enforcement handling to devstack plugin

Adds explicit handling of scope enforcement setting by putting the appropriate settings in place, and handling the appropriate configuration to communicate back with ironic based upon supplied environment variables.

Change-Id: Ia27b26990e52b5b4ffb49b2fee3bdcca41dd75a9
---
 devstack/plugin.sh | 33 +++++++++++++++++++++++++++++----
 1 file changed, 29 insertions(+), 4 deletions(-)

diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index 39c730197..97fe7cddc 100644
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -22,6 +22,16 @@ IRONIC_INSPECTOR_STANDALONE=${IRONIC_INSPECTOR_STANDALONE:-True}
 IRONIC_INSPECTOR_UWSGI=$IRONIC_INSPECTOR_BIN_DIR/ironic-inspector-api-wsgi
 IRONIC_INSPECTOR_UWSGI_CONF=$IRONIC_INSPECTOR_CONF_DIR/ironic-inspector-uwsgi.ini
 
+# Determine if ironic is in enforce scope node, infer that to mean our operating mode
+# explicitly unless otherwise set.
+IRONIC_INSPECTOR_ENFORCE_SCOPE=${IRONIC_INSPECTOR_ENFORCE_SCOPE:-${IRONIC_ENFORCE_SCOPE:-False}}
+# and then fallback to trueorfalse to put it into the standardized string format for the jobs.
+IRONIC_INSPECTOR_ENFORCE_SCOPE=$(trueorfalse False IRONIC_INSPECTOR_ENFORCE_SCOPE)
+# Reset the input in the event the plugin is running separately from ironic's
+# devstack plugin.
+IRONIC_ENFORCE_SCOPE=$(trueorfalse False IRONIC_ENFORCE_SCOPE)
+
+
 if [[ -n ${IRONIC_INSPECTOR_MANAGE_FIREWALL} ]] ; then
     echo "IRONIC_INSPECTOR_MANAGE_FIREWALL is deprecated." >&2
     echo "Please, use IRONIC_INSPECTOR_DHCP_FILTER == noop/iptables/dnsmasq instead." >&2
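Review bot: The first added comment says `enforce scope node` where `enforce scope mode` is meant, and the three lines that follow (inherit ironic's value, normalise ours, then normalise the inherited variable) are not explained as one idea. Suggest a single header comment in place of the first two: `# Mirror ironic's scope-enforcement setting unless IRONIC_INSPECTOR_ENFORCE_SCOPE is set explicitly; both values are normalised with trueorfalse so the later string comparisons against "True" are reliable.` The last assignment rewrites `IRONIC_ENFORCE_SCOPE`, which presumably belongs to ironic's devstack plugin; it only normalises the value, so this looks harmless when both plugins load, but the comment should say that it is intentional so nobody "fixes" it later. The two trailing blank `+` lines leave a double blank line before the `if`, which the surrounding file does not use.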
@@ -254,11 +264,20 @@ EOF
 function inspector_configure_auth_for {
     inspector_iniset $1 auth_type password
     inspector_iniset $1 auth_url "$KEYSTONE_SERVICE_URI"
-    inspector_iniset $1 username $IRONIC_INSPECTOR_ADMIN_USER
-    inspector_iniset $1 password $SERVICE_PASSWORD
-    inspector_iniset $1 project_name $SERVICE_PROJECT_NAME
+    if [[ "$1" == "ironic" ]] && [[ "$IRONIC_ENFORCE_SCOPE" == "True" ]]; then
+        # If ironic is enforcing scope, service credentials are not
+        # enough, because they live in a "service project" and does not
+        # have a full view of the system.
+        inspector_iniset $1 username admin
+        inspector_iniset $1 password $ADMIN_PASSWORD
+        inspector_iniset $1 system_scope all
+    else
+        inspector_iniset $1 username $IRONIC_INSPECTOR_ADMIN_USER
+        inspector_iniset $1 password $SERVICE_PASSWORD
+        inspector_iniset $1 project_name $SERVICE_PROJECT_NAME
+        inspector_iniset $1 project_domain_id default
+    fi
     inspector_iniset $1 user_domain_id default
-    inspector_iniset $1 project_domain_id default
     inspector_iniset $1 cafile $SSL_BUNDLE_FILE
     inspector_iniset $1 region_name $REGION_NAME
 }
@@ -397,6 +416,12 @@ function configure_inspector {
         configure_inspector_pxe_filter_dnsmasq
     fi
 
+    # Set if inspector should also be running in a scope enforced mode.
+    if [[ "$IRONIC_INSPECTOR_ENFORCE_SCOPE" == "True" ]]; then
+        inspector_iniset oslo_policy enforce_scope true
+        inspector_iniset oslo_policy enforce_new_defaults true
+    fi
+
 }
 
 function configure_inspector_swift {
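Review bot: The `ironic` branch writes the cloud-wide `admin` account, `$ADMIN_PASSWORD` and `system_scope all` into inspector's config, a much stronger credential than the service user the `else` branch keeps, and the comment explains only why service credentials fall short, not that reusing `admin` is a devstack-only shortcut. A real deployment should grant inspector's own service user a system-scoped role rather than embed the admin password; suggest replacing the three-line comment with `# If ironic is enforcing scope, project-scoped service credentials cannot see the whole system. Devstack reuses the system-scoped admin account here; production should give inspector's service user a system-scoped role instead.` The existing wording also needs `and do not have` rather than `and does not have`. Note the password expansions are unquoted (`$ADMIN_PASSWORD`, `$SERVICE_PASSWORD`), matching the pre-existing lines, so a value containing whitespace would be word-split; pre-existing, but it now applies to a higher-value secret.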
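Review bot: The comment above the new block says only that scope enforcement is being enabled, but the block also sets `enforce_new_defaults true`, which, if I read the oslo.policy option correctly, switches the service to its new default policy rules and therefore changes who is authorised beyond the scope check alone; that coupling deserves a sentence. Suggest `# enforce_new_defaults must accompany enforce_scope: the scope-aware personas only exist in the new default policies, so enabling one without the other leaves the API unusable or unprotected.` The extra blank `+` line before the closing `}` is a style nit the rest of `configure_inspector` does not follow; the function's head is outside the hunk.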