From e13c2c971349c282c83bcfe3c47e61b2e63f89f3 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Thu, 12 Aug 2021 14:58:53 +0900
Subject: [PATCH] Accept system scope credentials for Keystone API request

This change is the first step to support secure RBAC and allows usage of system scope credentials for Keystone API request.

This change covers the following two items.
- assignment of system scope roles to system user
- credential parameters for authtoken middleware

Depends-on: https://review.opendev.org/804325
Change-Id: I672a988e77e58df0addb1ed4a47d609cbcef1331
---
 manifests/keystone/auth.pp | 25 +++++++++++++++++++
 manifests/keystone/authtoken.pp | 6 +++++
 ...ystem_scope-keystone-af2d2f0ea5ed7043.yaml | 13 ++++++++++
 spec/classes/aodh_keystone_auth_spec.rb | 9 +++++++
 spec/classes/aodh_keystone_authtoken_spec.rb | 3 +++
 5 files changed, 56 insertions(+)
 create mode 100644 releasenotes/notes/system_scope-keystone-af2d2f0ea5ed7043.yaml

diff --git a/manifests/keystone/auth.pp b/manifests/keystone/auth.pp
index 95c3662d..9fb8794f 100644
--- a/manifests/keystone/auth.pp
+++ b/manifests/keystone/auth.pp
@@ -19,6 +19,18 @@
 # (Optional) Tenant for aodh user.
 # Defaults to 'services'.
 #
+# [*roles*]
+# (Optional) List of roles assigned to aodh user.
+# Defaults to ['admin']
+#
+# [*system_scope*]
+# (Optional) Scope for system operations.
+# Defaults to 'all'
+#
+# [*system_roles*]
+# (Optional) List of system roles assigned to aodh user.
+# Defaults to []
+#
 # [*configure_endpoint*]
 # (Optional) Should aodh endpoint be configured?
 # Defaults to true.
@@ -67,6 +79,9 @@ class aodh::keystone::auth (
 $auth_name = 'aodh',
 $email = 'aodh@localhost',
 $tenant = 'services',
+ $roles = ['admin'],
+ $system_scope = 'all',
+ $system_roles = [],
 $configure_endpoint = true,
 $configure_user = true,
 $configure_user_role = true,
@@ -81,6 +96,13 @@ class aodh::keystone::auth (
 
 include aodh::deps
 
+ Keystone_user_role<| name == "${auth_name}@${tenant}" |> -> Anchor['aodh::service::end']
+ Keystone_user_role<| name == "${auth_name}@::::${system_scope}" |> -> Anchor['aodh::service::end']
+
+ if $configure_endpoint {
+ Keystone_endpoint["${region}/${service_name}::${service_type}"] -> Anchor['aodh::service::end']
+ }
+
 keystone::resource::service_identity { 'aodh':
 configure_user => $configure_user,
 configure_user_role => $configure_user_role,
@@ -93,6 +115,9 @@ class aodh::keystone::auth (
 password => $password,
 email => $email,
 tenant => $tenant,
+ roles => $roles,
+ system_scope => $system_scope,
+ system_roles => $system_roles,
 public_url => $public_url,
 internal_url => $internal_url,
 admin_url => $admin_url,
diff --git a/manifests/keystone/authtoken.pp b/manifests/keystone/authtoken.pp
index 24b2e9d9..73dc2d9c 100644
--- a/manifests/keystone/authtoken.pp
+++ b/manifests/keystone/authtoken.pp
@@ -28,6 +28,10 @@
 # (Optional) Name of domain for $project_name
 # Defaults to 'Default'
 #
+# [*system_scope*]
+# (Optional) Scope for system operations
+# Defaults to $::os_service_default
+#
 # [*insecure*]
 # (Optional) If true, explicitly allow TLS without checking server cert
 # against any certificate authorities. WARNING: not recommended. Use with
@@ -198,6 +202,7 @@ class aodh::keystone::authtoken(
 $project_name = 'services',
 $user_domain_name = 'Default',
 $project_domain_name = 'Default',
+ $system_scope = $::os_service_default,
 $insecure = $::os_service_default,
 $auth_section = $::os_service_default,
 $auth_type = 'password',
@@ -251,6 +256,7 @@ class aodh::keystone::authtoken(
 auth_section => $auth_section,
 user_domain_name => $user_domain_name,
 project_domain_name => $project_domain_name,
+ system_scope => $system_scope,
 insecure => $insecure,
 cache => $cache,
 cafile => $cafile,
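Review bot: The new ordering block in the `@@ -81,6 +96,13 @@` hunk mixes two unguarded `Keystone_user_role` collectors with a guarded `Keystone_endpoint[...]` reference and gives no hint why only the endpoint needs `if $configure_endpoint`; a one-line comment would stop the next reader from "simplifying" it in either direction. A collector (`<| |>`) that matches nothing is harmless, so the role collectors remain valid when `configure_user_role` is false or `system_roles` is left at `[]`, whereas a direct resource reference fails catalog compilation when no such endpoint is declared. Suggested comment above the first collector: `# Collectors tolerate an absent resource; the endpoint reference does not, so it is guarded.` The `${auth_name}@::::${system_scope}` title is presumably the naming convention of the system-scoped keystone_user_role created by the depended-on change (804325); naming that dependency in the same comment would make the cross-module coupling visible.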
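Review bot: `system_scope` is forwarded to `keystone::resource::authtoken` in the `@@ -251,6 +256,7 @@` hunk while `project_name` and `project_domain_name` keep their class defaults ('services'/'Default', see the `@@ -198,6 +202,7 @@` hunk), so an operator who sets `system_scope` ends up with both a project scope and a system scope in the authtoken configuration. A token request can carry only one scope, so keystoneauth will silently apply one of the two (I believe system scope takes precedence in the v3 password plugin, but that is a property of the library rather than of this manifest) and the other parameters become dead configuration with no warning. Consider blanking the project-scope parameters when a system scope is requested, or at minimum state in the `[*system_scope*]` doc block that project_name/project_domain_name are ignored once it is set. The enclosing class body continues outside the hunk and the authtoken resource title is not visible here, so the sketch below shows only the added selection logic and the three parameter lines it touches.
```puppet
  # A token can carry only one scope: when a system scope is requested,
  # drop the project-scope parameters so they cannot compete with it.
  if is_service_default($system_scope) {
    $project_name_real        = $project_name
    $project_domain_name_real = $project_domain_name
  } else {
    $project_name_real        = $::os_service_default
    $project_domain_name_real = $::os_service_default
  }

  # … unchanged: keystone::resource::authtoken declaration and its other parameters …
    project_name        => $project_name_real,
    project_domain_name => $project_domain_name_real,
    system_scope        => $system_scope,
```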
diff --git a/releasenotes/notes/system_scope-keystone-af2d2f0ea5ed7043.yaml b/releasenotes/notes/system_scope-keystone-af2d2f0ea5ed7043.yaml
new file mode 100644
index 00000000..35e3a887
--- /dev/null
+++ b/releasenotes/notes/system_scope-keystone-af2d2f0ea5ed7043.yaml
@@ -0,0 +1,13 @@
+---
+features:
+ - |
+ The ``system_scope`` parameter has been added to
+ the ``aodh::keystone::authtoken`` class.
+
+ - |
+ The ``aodh::keystone::auth`` class now supports customizing roles assigned
+ to the aodh service user.
+
+ - |
+ The ``aodh::keystone::auth`` class now supports defining assignmet of
+ system-scoped roles to the aodh service user.
diff --git a/spec/classes/aodh_keystone_auth_spec.rb b/spec/classes/aodh_keystone_auth_spec.rb
index d552cd6e..15adfe8a 100644
--- a/spec/classes/aodh_keystone_auth_spec.rb
+++ b/spec/classes/aodh_keystone_auth_spec.rb
@@ -23,6 +23,9 @@ describe 'aodh::keystone::auth' do
 :password => 'aodh_password',
 :email => 'aodh@localhost',
 :tenant => 'services',
+ :roles => ['admin'],
+ :system_scope => 'all',
+ :system_roles => [],
 :public_url => 'http://127.0.0.1:8042',
 :internal_url => 'http://127.0.0.1:8042',
 :admin_url => 'http://127.0.0.1:8042',
@@ -35,6 +38,9 @@ describe 'aodh::keystone::auth' do
 :auth_name => 'alt_aodh',
 :email => 'alt_aodh@alt_localhost',
 :tenant => 'alt_service',
+ :roles => ['admin', 'service'],
+ :system_scope => 'alt_all',
+ :system_roles => ['admin', 'member', 'reader'],
 :configure_endpoint => false,
 :configure_user => false,
 :configure_user_role => false,
@@ -59,6 +65,9 @@ describe 'aodh::keystone::auth' do
 :password => 'aodh_password',
 :email => 'alt_aodh@alt_localhost',
 :tenant => 'alt_service',
+ :roles => ['admin', 'service'],
+ :system_scope => 'alt_all',
+ :system_roles => ['admin', 'member', 'reader'],
 :public_url => 'https://10.10.10.10:80',
 :internal_url => 'http://10.10.10.11:81',
 :admin_url => 'http://10.10.10.12:81',
diff --git a/spec/classes/aodh_keystone_authtoken_spec.rb b/spec/classes/aodh_keystone_authtoken_spec.rb
index 3c645fae..7ce2ea79 100644
--- a/spec/classes/aodh_keystone_authtoken_spec.rb
+++ b/spec/classes/aodh_keystone_authtoken_spec.rb
@@ -18,6 +18,7 @@ describe 'aodh::keystone::authtoken' do
 :project_name => 'services',
 :user_domain_name => 'Default',
 :project_domain_name => 'Default',
+ :system_scope => '',
 :insecure => '',
 :auth_section => '',
 :auth_type => 'password',
@@ -62,6 +63,7 @@ describe 'aodh::keystone::authtoken' do
 :project_name => 'service_project',
 :user_domain_name => 'domainX',
 :project_domain_name => 'domainX',
+ :system_scope => 'all',
 :insecure => false,
 :auth_section => 'new_section',
 :auth_type => 'password',
@@ -103,6 +105,7 @@ describe 'aodh::keystone::authtoken' do
 :project_name => 'service_project',
 :user_domain_name => 'domainX',
 :project_domain_name => 'domainX',
+ :system_scope => 'all',
 :insecure => false,
 :auth_section => 'new_section',
 :auth_type => 'password',