diff --git a/manifests/keystone/auth.pp b/manifests/keystone/auth.pp
index 95c3662d..97ef77fa 100644
--- a/manifests/keystone/auth.pp
+++ b/manifests/keystone/auth.pp
@@ -19,6 +19,18 @@
 # (Optional) Tenant for aodh user.
 # Defaults to 'services'.
 #
+# [*roles*]
+# (Optional) List of roles assigned to aodh user.
+# Defaults to ['admin']
+#
+# [*system_scope*]
+# (Optional) Scope for system operations.
+# Defaults to 'all'
+#
+# [*system_roles*]
+# (Optional) List of system roles assigned to aodh user.
+# Defaults to ['admin', 'member', 'reader']
+#
 # [*configure_endpoint*]
 # (Optional) Should aodh endpoint be configured?
 # Defaults to true.
@@ -67,6 +79,9 @@ class aodh::keystone::auth (
 $auth_name = 'aodh',
 $email = 'aodh@localhost',
 $tenant = 'services',
+ $roles = ['admin'],
+ $system_scope = 'all',
+ $system_roles = ['admin', 'member', 'reader'],
 $configure_endpoint = true,
 $configure_user = true,
 $configure_user_role = true,
@@ -93,6 +108,9 @@ class aodh::keystone::auth (
 password => $password,
 email => $email,
 tenant => $tenant,
+ roles => $roles,
+ system_scope => $system_scope,
+ system_roles => $system_roles,
 public_url => $public_url,
 internal_url => $internal_url,
 admin_url => $admin_url,
diff --git a/manifests/keystone/authtoken.pp b/manifests/keystone/authtoken.pp
index 24b2e9d9..73dc2d9c 100644
--- a/manifests/keystone/authtoken.pp
+++ b/manifests/keystone/authtoken.pp
@@ -28,6 +28,10 @@
 # (Optional) Name of domain for $project_name
 # Defaults to 'Default'
 #
+# [*system_scope*]
+# (Optional) Scope for system operations
+# Defaults to $::os_service_default
+#
 # [*insecure*]
 # (Optional) If true, explicitly allow TLS without checking server cert
 # against any certificate authorities. WARNING: not recommended. Use with
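Review bot: The `system_roles` default `['admin', 'member', 'reader']` together with `system_scope = 'all'` gives the aodh service user an admin assignment that, as far as I understand Keystone's system scope, applies to the whole deployment rather than to the `services` tenant, and neither the `[*system_roles*]` comment nor the `[*system_scope*]` comment says so. I would add to the `[*system_roles*]` block a line such as `#   Note: with system_scope 'all' these roles are deployment-wide, not limited to $tenant.` so operators know what they are granting by default. The three new `Defaults to ...` doc lines also drop the trailing period the neighbouring entries use. `roles`/`system_roles` are forwarded untyped in the third hunk, consistent with the rest of this class, but an `Array[String[1]]` type would catch a scalar passed by mistake if the module ever adopts typed parameters. The body of `aodh::keystone::auth` continues outside the hunks.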
@@ -198,6 +202,7 @@ class aodh::keystone::authtoken(
 $project_name = 'services',
 $user_domain_name = 'Default',
 $project_domain_name = 'Default',
+ $system_scope = $::os_service_default,
 $insecure = $::os_service_default,
 $auth_section = $::os_service_default,
 $auth_type = 'password',
@@ -251,6 +256,7 @@ class aodh::keystone::authtoken(
 auth_section => $auth_section,
 user_domain_name => $user_domain_name,
 project_domain_name => $project_domain_name,
+ system_scope => $system_scope,
 insecure => $insecure,
 cache => $cache,
 cafile => $cafile,
diff --git a/releasenotes/notes/system_scope-e1779763b2a264f4.yaml b/releasenotes/notes/system_scope-e1779763b2a264f4.yaml
new file mode 100644
index 00000000..35e3a887
--- /dev/null
+++ b/releasenotes/notes/system_scope-e1779763b2a264f4.yaml
@@ -0,0 +1,13 @@
+---
+features:
+ - |
+ The ``system_scope`` parameter has been added to
+ the ``aodh::keystone::authtoken`` class.
+
+ - |
+ The ``aodh::keystone::auth`` class now supports customizing roles assigned
+ to the aodh service user.
+
+ - |
+ The ``aodh::keystone::auth`` class now supports defining assignmet of
+ system-scoped roles to the aodh service user.
diff --git a/spec/classes/aodh_keystone_auth_spec.rb b/spec/classes/aodh_keystone_auth_spec.rb
index d552cd6e..d977e793 100644
--- a/spec/classes/aodh_keystone_auth_spec.rb
+++ b/spec/classes/aodh_keystone_auth_spec.rb
@@ -23,6 +23,9 @@ describe 'aodh::keystone::auth' do
 :password => 'aodh_password',
 :email => 'aodh@localhost',
 :tenant => 'services',
+ :roles => ['admin'],
+ :system_scope => 'all',
+ :system_roles => ['admin', 'member', 'reader'],
 :public_url => 'http://127.0.0.1:8042',
 :internal_url => 'http://127.0.0.1:8042',
 :admin_url => 'http://127.0.0.1:8042',
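Review bot: `system_scope` is added alongside `project_name = 'services'` and `project_domain_name = 'Default'` without any statement of how the two interact, and the `[*system_scope*]` doc block in the earlier hunk only says "Scope for system operations". The service_credentials spec in this same change expects the project settings to be blanked when `system_scope` is set; if the authtoken resource declared by this class behaves the same way, the doc block should say so, e.g. `#   When set, project_name and project_domain_name are ignored.` I cannot confirm that from the hunk, since the resource declaration and the rest of the parameter list of `aodh::keystone::authtoken` lie outside it.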
@@ -35,6 +38,9 @@ describe 'aodh::keystone::auth' do
 :auth_name => 'alt_aodh',
 :email => 'alt_aodh@alt_localhost',
 :tenant => 'alt_service',
+ :roles => ['admin', 'service'],
+ :system_scope => 'alt_all',
+ :system_roles => ['admin', 'member', 'reader', 'service'],
 :configure_endpoint => false,
 :configure_user => false,
 :configure_user_role => false,
@@ -59,6 +65,9 @@ describe 'aodh::keystone::auth' do
 :password => 'aodh_password',
 :email => 'alt_aodh@alt_localhost',
 :tenant => 'alt_service',
+ :roles => ['admin', 'service'],
+ :system_scope => 'alt_all',
+ :system_roles => ['admin', 'member', 'reader', 'service'],
 :public_url => 'https://10.10.10.10:80',
 :internal_url => 'http://10.10.10.11:81',
 :admin_url => 'http://10.10.10.12:81',
diff --git a/spec/classes/aodh_keystone_authtoken_spec.rb b/spec/classes/aodh_keystone_authtoken_spec.rb
index 3c645fae..7ce2ea79 100644
--- a/spec/classes/aodh_keystone_authtoken_spec.rb
+++ b/spec/classes/aodh_keystone_authtoken_spec.rb
@@ -18,6 +18,7 @@ describe 'aodh::keystone::authtoken' do
 :project_name => 'services',
 :user_domain_name => 'Default',
 :project_domain_name => 'Default',
+ :system_scope => '',
 :insecure => '',
 :auth_section => '',
 :auth_type => 'password',
@@ -62,6 +63,7 @@ describe 'aodh::keystone::authtoken' do
 :project_name => 'service_project',
 :user_domain_name => 'domainX',
 :project_domain_name => 'domainX',
+ :system_scope => 'all',
 :insecure => false,
 :auth_section => 'new_section',
 :auth_type => 'password',
@@ -103,6 +105,7 @@ describe 'aodh::keystone::authtoken' do
 :project_name => 'service_project',
 :user_domain_name => 'domainX',
 :project_domain_name => 'domainX',
+ :system_scope => 'all',
 :insecure => false,
 :auth_section => 'new_section',
 :auth_type => 'password',
diff --git a/spec/classes/aodh_service_credentials_spec.rb b/spec/classes/aodh_service_credentials_spec.rb
index 95f2f76a..8f2d4526 100644
--- a/spec/classes/aodh_service_credentials_spec.rb
+++ b/spec/classes/aodh_service_credentials_spec.rb
@@ -17,14 +17,13 @@ describe 'aodh::service_credentials' do
 is_expected.to contain_aodh_config('service_credentials/auth_url').with_value('http://localhost:5000/v3')
 is_expected.to contain_aodh_config('service_credentials/region_name').with_value('RegionOne')
 is_expected.to contain_aodh_config('service_credentials/project_domain_name').with_value('Default')
- is_expected.to_not contain_aodh_config('service_credentials/project_domain_id')
 is_expected.to contain_aodh_config('service_credentials/user_domain_name').with_value('Default')
- is_expected.to_not contain_aodh_config('service_credentials/user_domain_id')
+ is_expected.to contain_aodh_config('service_credentials/system_scope').with_value('')
 is_expected.to contain_aodh_config('service_credentials/auth_type').with_value('password')
 is_expected.to contain_aodh_config('service_credentials/username').with_value('aodh')
 is_expected.to contain_aodh_config('service_credentials/password').with_value('password').with_secret(true)
 is_expected.to contain_aodh_config('service_credentials/project_name').with_value('services')
- is_expected.to contain_aodh_config('service_credentials/cacert').with(:value => '')
+ is_expected.to contain_aodh_config('service_credentials/cacert').with_value('')
 end
 
 context 'when overriding parameters' do
@@ -38,6 +37,18 @@ describe 'aodh::service_credentials' do
 it { is_expected.to contain_aodh_config('service_credentials/interface').with_value(params[:interface]) }
 end
 
+ context 'when system_scope is set' do
+ before do
+ params.merge!(
+ :system_scope => 'all',
+ )
+ end
+ it 'configures system_scope but ignore project parameters' do
+ is_expected.to contain_aodh_config('service_credentials/project_domain_name').with_value('')
+ is_expected.to contain_aodh_config('service_credentials/project_name').with_value('')
+ is_expected.to contain_aodh_config('service_credentials/system_scope').with_value('all')
+ end
+ end
 end
 
 on_supported_os({
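Review bot: The new `when system_scope is set` context asserts that `project_name` and `project_domain_name` are blanked but not that `user_domain_name`, `username` and `password` are still written, which are the credentials the default context above expects; adding `is_expected.to contain_aodh_config('service_credentials/user_domain_name').with_value('Default')` and the `username`/`password` lines from the default context would pin that half of the behaviour. The example description `'configures system_scope but ignore project parameters'` should read `ignores`. This diff carries no change to the service_credentials manifest itself, so the blanking being asserted presumably comes from an earlier change; worth confirming rather than assuming. The enclosing `describe` block continues before and after these hunks.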