Accept system scope credentials for Keystone API request
This change is the first step to support secure RBAC and allows usage of system scope credentials for Keystone API request. This change covers the following two items. - assignment of system scope roles to system user - credential parameters for authtoken middleware Depends-on: https://review.opendev.org/804325 Change-Id: I672a988e77e58df0addb1ed4a47d609cbcef1331
This commit is contained in:
parent
e14e5f12f9
commit
9a77b25b5b
|
@ -19,6 +19,18 @@
|
|||
# (Optional) Tenant for aodh user.
|
||||
# Defaults to 'services'.
|
||||
#
|
||||
# [*roles*]
|
||||
# (Optional) List of roles assigned to aodh user.
|
||||
# Defaults to ['admin']
|
||||
#
|
||||
# [*system_scope*]
|
||||
# (Optional) Scope for system operations.
|
||||
# Defaults to 'all'
|
||||
#
|
||||
# [*system_roles*]
|
||||
# (Optional) List of system roles assigned to aodh user.
|
||||
# Defaults to ['admin', 'member', 'reader']
|
||||
#
|
||||
# [*configure_endpoint*]
|
||||
# (Optional) Should aodh endpoint be configured?
|
||||
# Defaults to true.
|
||||
|
@ -67,6 +79,9 @@ class aodh::keystone::auth (
|
|||
$auth_name = 'aodh',
|
||||
$email = 'aodh@localhost',
|
||||
$tenant = 'services',
|
||||
$roles = ['admin'],
|
||||
$system_scope = 'all',
|
||||
$system_roles = ['admin', 'member', 'reader'],
|
||||
$configure_endpoint = true,
|
||||
$configure_user = true,
|
||||
$configure_user_role = true,
|
||||
|
@ -93,6 +108,9 @@ class aodh::keystone::auth (
|
|||
password => $password,
|
||||
email => $email,
|
||||
tenant => $tenant,
|
||||
roles => $roles,
|
||||
system_scope => $system_scope,
|
||||
system_roles => $system_roles,
|
||||
public_url => $public_url,
|
||||
internal_url => $internal_url,
|
||||
admin_url => $admin_url,
|
||||
|
|
|
@ -28,6 +28,10 @@
|
|||
# (Optional) Name of domain for $project_name
|
||||
# Defaults to 'Default'
|
||||
#
|
||||
# [*system_scope*]
|
||||
# (Optional) Scope for system operations
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*insecure*]
|
||||
# (Optional) If true, explicitly allow TLS without checking server cert
|
||||
# against any certificate authorities. WARNING: not recommended. Use with
|
||||
|
@ -198,6 +202,7 @@ class aodh::keystone::authtoken(
|
|||
$project_name = 'services',
|
||||
$user_domain_name = 'Default',
|
||||
$project_domain_name = 'Default',
|
||||
$system_scope = $::os_service_default,
|
||||
$insecure = $::os_service_default,
|
||||
$auth_section = $::os_service_default,
|
||||
$auth_type = 'password',
|
||||
|
@ -251,6 +256,7 @@ class aodh::keystone::authtoken(
|
|||
auth_section => $auth_section,
|
||||
user_domain_name => $user_domain_name,
|
||||
project_domain_name => $project_domain_name,
|
||||
system_scope => $system_scope,
|
||||
insecure => $insecure,
|
||||
cache => $cache,
|
||||
cafile => $cafile,
|
||||
|
|
|
@ -0,0 +1,14 @@
|
|||
---
|
||||
features:
|
||||
- |
|
||||
The ``system_scope`` parameter has been added to the following classes.
|
||||
- ``aodh::service_credentials``
|
||||
- ``aodh::keystone::authtoken``
|
||||
|
||||
- |
|
||||
The ``aodh::keystone::auth`` class now supports customizing roles assigned
|
||||
to the aodh service user.
|
||||
|
||||
- |
|
||||
The ``aodh::keystone::auth`` class now supports defining assignmet of
|
||||
system-scoped roles to the aodh service user.
|
|
@ -23,6 +23,9 @@ describe 'aodh::keystone::auth' do
|
|||
:password => 'aodh_password',
|
||||
:email => 'aodh@localhost',
|
||||
:tenant => 'services',
|
||||
:roles => ['admin'],
|
||||
:system_scope => 'all',
|
||||
:system_roles => ['admin', 'member', 'reader'],
|
||||
:public_url => 'http://127.0.0.1:8042',
|
||||
:internal_url => 'http://127.0.0.1:8042',
|
||||
:admin_url => 'http://127.0.0.1:8042',
|
||||
|
@ -35,6 +38,9 @@ describe 'aodh::keystone::auth' do
|
|||
:auth_name => 'alt_aodh',
|
||||
:email => 'alt_aodh@alt_localhost',
|
||||
:tenant => 'alt_service',
|
||||
:roles => ['admin', 'service'],
|
||||
:system_scope => 'alt_all',
|
||||
:system_roles => ['admin', 'member', 'reader', 'service'],
|
||||
:configure_endpoint => false,
|
||||
:configure_user => false,
|
||||
:configure_user_role => false,
|
||||
|
@ -59,6 +65,9 @@ describe 'aodh::keystone::auth' do
|
|||
:password => 'aodh_password',
|
||||
:email => 'alt_aodh@alt_localhost',
|
||||
:tenant => 'alt_service',
|
||||
:roles => ['admin', 'service'],
|
||||
:system_scope => 'alt_all',
|
||||
:system_roles => ['admin', 'member', 'reader', 'service'],
|
||||
:public_url => 'https://10.10.10.10:80',
|
||||
:internal_url => 'http://10.10.10.11:81',
|
||||
:admin_url => 'http://10.10.10.12:81',
|
||||
|
|
|
@ -18,6 +18,7 @@ describe 'aodh::keystone::authtoken' do
|
|||
:project_name => 'services',
|
||||
:user_domain_name => 'Default',
|
||||
:project_domain_name => 'Default',
|
||||
:system_scope => '<SERVICE DEFAULT>',
|
||||
:insecure => '<SERVICE DEFAULT>',
|
||||
:auth_section => '<SERVICE DEFAULT>',
|
||||
:auth_type => 'password',
|
||||
|
@ -62,6 +63,7 @@ describe 'aodh::keystone::authtoken' do
|
|||
:project_name => 'service_project',
|
||||
:user_domain_name => 'domainX',
|
||||
:project_domain_name => 'domainX',
|
||||
:system_scope => 'all',
|
||||
:insecure => false,
|
||||
:auth_section => 'new_section',
|
||||
:auth_type => 'password',
|
||||
|
@ -103,6 +105,7 @@ describe 'aodh::keystone::authtoken' do
|
|||
:project_name => 'service_project',
|
||||
:user_domain_name => 'domainX',
|
||||
:project_domain_name => 'domainX',
|
||||
:system_scope => 'all',
|
||||
:insecure => false,
|
||||
:auth_section => 'new_section',
|
||||
:auth_type => 'password',
|
||||
|
|
|
@ -17,14 +17,13 @@ describe 'aodh::service_credentials' do
|
|||
is_expected.to contain_aodh_config('service_credentials/auth_url').with_value('http://localhost:5000/v3')
|
||||
is_expected.to contain_aodh_config('service_credentials/region_name').with_value('RegionOne')
|
||||
is_expected.to contain_aodh_config('service_credentials/project_domain_name').with_value('Default')
|
||||
is_expected.to_not contain_aodh_config('service_credentials/project_domain_id')
|
||||
is_expected.to contain_aodh_config('service_credentials/user_domain_name').with_value('Default')
|
||||
is_expected.to_not contain_aodh_config('service_credentials/user_domain_id')
|
||||
is_expected.to contain_aodh_config('service_credentials/system_scope').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_aodh_config('service_credentials/auth_type').with_value('password')
|
||||
is_expected.to contain_aodh_config('service_credentials/username').with_value('aodh')
|
||||
is_expected.to contain_aodh_config('service_credentials/password').with_value('password').with_secret(true)
|
||||
is_expected.to contain_aodh_config('service_credentials/project_name').with_value('services')
|
||||
is_expected.to contain_aodh_config('service_credentials/cacert').with(:value => '<SERVICE DEFAULT>')
|
||||
is_expected.to contain_aodh_config('service_credentials/cacert').with_value('<SERVICE DEFAULT>')
|
||||
end
|
||||
|
||||
context 'when overriding parameters' do
|
||||
|
@ -38,6 +37,18 @@ describe 'aodh::service_credentials' do
|
|||
it { is_expected.to contain_aodh_config('service_credentials/interface').with_value(params[:interface]) }
|
||||
end
|
||||
|
||||
context 'when system_scope is set' do
|
||||
before do
|
||||
params.merge!(
|
||||
:system_scope => 'all',
|
||||
)
|
||||
end
|
||||
it 'configures system_scope but ignore project parameters' do
|
||||
is_expected.to contain_aodh_config('service_credentials/project_domain_name').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_aodh_config('service_credentials/project_name').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_aodh_config('service_credentials/system_scope').with_value('all')
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
on_supported_os({
|
||||
|
|
Loading…
Reference in New Issue