Globally support system scope credentials

After spending huge effort to understand the exact requirements to enforce SRBAC, we learned it's very difficult to find the required scope in each credential. This requires understanding implementation of client-side as well as server-side, and requirement might be different according to the deployment architecture or features used. Instead of implementing support based on the actual implementation, this introduces support for system scope credentials to all places where keystone user credential is defined, and make all credential configurations consistent. Change-Id: I28ff22b43ea5938056082361c9d0c98f89de1a03
2022-03-04 00:25:04 +09:00 · 2022-03-04 00:25:04 +09:00 · 442e6965ed
commit 442e6965ed
parent 655406817c
3 changed files with 66 additions and 41 deletions
--- a/manifests/service_credentials.pp
+++ b/manifests/service_credentials.pp
@ -4,44 +4,47 @@
 # == Parameters
 #
 # [*password*]
-#    the keystone password for aodh services
-#    Required.
+#  (Required) the keystone password for aodh services
 #
 # [*auth_url*]
-#    the keystone public endpoint
-#    Optional. Defaults to 'http://localhost:5000/v3'
+#  (Optional) the keystone public endpoint
+#  Defaults to 'http://localhost:5000/v3'
 #
 # [*region_name*]
-#    the keystone region of this node
-#    Optional. Defaults to 'RegionOne'
+#  (Optional) the keystone region of this node
+#  Defaults to 'RegionOne'
 #
 # [*username*]
-#    the keystone user for aodh services
-#    Optional. Defaults to 'aodh'
+#  (Optional) the keystone user for aodh services
+#  Defaults to 'aodh'
 #
 # [*project_name*]
-#    the keystone tenant name for aodh services
-#    Optional. Defaults to 'services'
+#  (Optional) the keystone tenant name for aodh services
+#  Defaults to 'services'
 #
 # [*project_domain_name*]
-#    the keystone project domain name for aodh services
-#    Optional. Defaults to 'Default'
+#  (Optional) the keystone project domain name for aodh services
+#  Defaults to 'Default'
 #
 # [*user_domain_name*]
-#    the keystone user domain name for aodh services
-#    Optional. Defaults to 'Default'
+#  (Optional) the keystone user domain name for aodh services
+#  Defaults to 'Default'
+#
+# [*system_scope*]
+#  (Optional) Scope for system operations.
+#  Defaults to $::os_service_default
 #
 # [*auth_type*]
-#    An authentication type to use with an OpenStack Identity server.
+#  (Optional) An authentication type to use with an OpenStack Identity server.
 #  The value should contain auth plugin name.
-#    Optional. Defaults to 'password'.
+#  Defaults to 'password'.
 #
 # [*cacert*]
-#    Certificate chain for SSL validation.
-#    Optional. Defaults to $::os_service_default
+#  (Optional) Certificate chain for SSL validation.
+#  Defaults to $::os_service_default
 #
 # [*interface*]
-#    Type of endpoint in Identity service catalog to use for
+#  (Optional) Type of endpoint in Identity service catalog to use for
 #  communication with OpenStack services.
 #  Optional. Defaults to $::os_service_default.
 #
@ -53,6 +56,7 @@ class aodh::service_credentials (
  $project_name        = 'services',
  $project_domain_name = 'Default',
  $user_domain_name    = 'Default',
+  $system_scope        = $::os_service_default,
  $auth_type           = 'password',
  $cacert              = $::os_service_default,
  $interface           = $::os_service_default,
@ -60,13 +64,22 @@ class aodh::service_credentials (

  include aodh::deps

+  if is_service_default($system_scope) {
+    $project_name_real = $project_name
+    $project_domain_name_real = $project_domain_name
+  } else {
+    $project_name_real = $::os_service_default
+    $project_domain_name_real = $::os_service_default
+  }
+
  aodh_config {
    'service_credentials/auth_url'            : value => $auth_url;
    'service_credentials/region_name'         : value => $region_name;
    'service_credentials/username'            : value => $username;
    'service_credentials/password'            : value => $password, secret => true;
-    'service_credentials/project_name'        : value => $project_name;
-    'service_credentials/project_domain_name' : value => $project_domain_name;
+    'service_credentials/project_name'        : value => $project_name_real;
+    'service_credentials/project_domain_name' : value => $project_domain_name_real;
+    'service_credentials/system_scope'        : value => $system_scope;
    'service_credentials/user_domain_name'    : value => $user_domain_name;
    'service_credentials/cacert'              : value => $cacert;
    'service_credentials/interface'           : value => $interface;
--- a/releasenotes/notes/system_scope-all-3a97b232bc4955a1.yaml
+++ b/releasenotes/notes/system_scope-all-3a97b232bc4955a1.yaml
@ -0,0 +1,4 @@
+---
+features:
+  - |
+    The ``aodh::service_credentials::system_scope`` parameter has been added.
--- a/spec/classes/aodh_service_credentials_spec.rb
+++ b/spec/classes/aodh_service_credentials_spec.rb
@ -3,11 +3,8 @@ require 'spec_helper'
 describe 'aodh::service_credentials' do

  let :params do
-    { :auth_url     => 'http://localhost:5000/v3',
-      :region_name  => 'RegionOne',
-      :username     => 'aodh',
+    {
      :password => 'password',
-      :project_name => 'services',
    }
  end

@ -17,9 +14,8 @@ describe 'aodh::service_credentials' do
      is_expected.to contain_aodh_config('service_credentials/auth_url').with_value('http://localhost:5000/v3')
      is_expected.to contain_aodh_config('service_credentials/region_name').with_value('RegionOne')
      is_expected.to contain_aodh_config('service_credentials/project_domain_name').with_value('Default')
-      is_expected.to_not contain_aodh_config('service_credentials/project_domain_id')
      is_expected.to contain_aodh_config('service_credentials/user_domain_name').with_value('Default')
-      is_expected.to_not contain_aodh_config('service_credentials/user_domain_id')
+      is_expected.to contain_aodh_config('service_credentials/system_scope').with_value('<SERVICE DEFAULT>')
      is_expected.to contain_aodh_config('service_credentials/auth_type').with_value('password')
      is_expected.to contain_aodh_config('service_credentials/username').with_value('aodh')
      is_expected.to contain_aodh_config('service_credentials/password').with_value('password').with_secret(true)
@ -38,6 +34,18 @@ describe 'aodh::service_credentials' do
      it { is_expected.to contain_aodh_config('service_credentials/interface').with_value(params[:interface]) }
    end

+    context 'when system_scope is set' do
+      before do
+        params.merge!(
+          :system_scope => 'all'
+        )
+      end
+      it 'configures system-scoped credential' do
+        is_expected.to contain_aodh_config('service_credentials/project_domain_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_aodh_config('service_credentials/project_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_aodh_config('service_credentials/system_scope').with_value('all')
+      end
+    end
  end

  on_supported_os({