From 9a77b25b5b80d84454e67d2433afb6ddb18bd992 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Thu, 12 Aug 2021 14:58:53 +0900
Subject: [PATCH] Accept system scope credentials for Keystone API request

This change is the first step to support secure RBAC and allows usage of system scope credentials for Keystone API request.

This change covers the following two items.
- assignment of system scope roles to system user
- credential parameters for authtoken middleware

Depends-on: https://review.opendev.org/804325
Change-Id: I672a988e77e58df0addb1ed4a47d609cbcef1331
---
 manifests/keystone/auth.pp | 18 ++++++++++++++++++
 manifests/keystone/authtoken.pp | 6 ++++++
 .../notes/system_scope-e1779763b2a264f4.yaml | 14 ++++++++++++++
 spec/classes/aodh_keystone_auth_spec.rb | 9 +++++++++
 spec/classes/aodh_keystone_authtoken_spec.rb | 3 +++
 spec/classes/aodh_service_credentials_spec.rb | 17 ++++++++++++++---
 6 files changed, 64 insertions(+), 3 deletions(-)
 create mode 100644 releasenotes/notes/system_scope-e1779763b2a264f4.yaml

diff --git a/manifests/keystone/auth.pp b/manifests/keystone/auth.pp
index 95c3662d..97ef77fa 100644
--- a/manifests/keystone/auth.pp
+++ b/manifests/keystone/auth.pp
@@ -19,6 +19,18 @@
 # (Optional) Tenant for aodh user.
 # Defaults to 'services'.
 #
+# [*roles*]
+# (Optional) List of roles assigned to aodh user.
+# Defaults to ['admin']
+#
+# [*system_scope*]
+# (Optional) Scope for system operations.
+# Defaults to 'all'
+#
+# [*system_roles*]
+# (Optional) List of system roles assigned to aodh user.
+# Defaults to ['admin', 'member', 'reader']
+#
 # [*configure_endpoint*]
 # (Optional) Should aodh endpoint be configured?
 # Defaults to true.
@@ -67,6 +79,9 @@ class aodh::keystone::auth (
 $auth_name = 'aodh',
 $email = 'aodh@localhost',
 $tenant = 'services',
+ $roles = ['admin'],
+ $system_scope = 'all',
+ $system_roles = ['admin', 'member', 'reader'],
 $configure_endpoint = true,
 $configure_user = true,
 $configure_user_role = true,
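Review bot: The `[*system_scope*]` entry added at @@ -19 in auth.pp says only 'Scope for system operations' and gives the reader no idea which values are meaningful; as far as I know Keystone defines a single system scope, `all`, so the 'alt_all' used in the spec on this page is a pass-through test value rather than a real scope, and the comment should say so: `# (Optional) Scope for system operations. Keystone currently defines only 'all'; confirm against keystone::resource::service_identity.`. The defaults at @@ -67 give the service user `admin` as a project role and `admin`, `member` and `reader` as system roles, which is the broadest grant available; it is worth noting in the `[*system_roles*]` entry that with Keystone's default implied-role chain `admin` already implies the other two, so operators who want a narrower grant must override the whole list. Whether the system-role assignment honours `$configure_user_role`, declared a few lines below at @@ -67, is decided inside keystone::resource::service_identity (the call at @@ -93 continues outside the hunk and the type lives in the Depends-on change), so that dependency should be stated next to `[*configure_user_role*]` or verified before merge.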
@@ -93,6 +108,9 @@ class aodh::keystone::auth (
 password => $password,
 email => $email,
 tenant => $tenant,
+ roles => $roles,
+ system_scope => $system_scope,
+ system_roles => $system_roles,
 public_url => $public_url,
 internal_url => $internal_url,
 admin_url => $admin_url,
diff --git a/manifests/keystone/authtoken.pp b/manifests/keystone/authtoken.pp
index 24b2e9d9..73dc2d9c 100644
--- a/manifests/keystone/authtoken.pp
+++ b/manifests/keystone/authtoken.pp
@@ -28,6 +28,10 @@
 # (Optional) Name of domain for $project_name
 # Defaults to 'Default'
 #
+# [*system_scope*]
+# (Optional) Scope for system operations
+# Defaults to $::os_service_default
+#
 # [*insecure*]
 # (Optional) If true, explicitly allow TLS without checking server cert
 # against any certificate authorities. WARNING: not recommended. Use with
@@ -198,6 +202,7 @@ class aodh::keystone::authtoken(
 $project_name = 'services',
 $user_domain_name = 'Default',
 $project_domain_name = 'Default',
+ $system_scope = $::os_service_default,
 $insecure = $::os_service_default,
 $auth_section = $::os_service_default,
 $auth_type = 'password',
@@ -251,6 +256,7 @@ class aodh::keystone::authtoken(
 auth_section => $auth_section,
 user_domain_name => $user_domain_name,
 project_domain_name => $project_domain_name,
+ system_scope => $system_scope,
 insecure => $insecure,
 cache => $cache,
 cafile => $cafile,
diff --git a/releasenotes/notes/system_scope-e1779763b2a264f4.yaml b/releasenotes/notes/system_scope-e1779763b2a264f4.yaml
new file mode 100644
index 00000000..95ebbdb2
--- /dev/null
+++ b/releasenotes/notes/system_scope-e1779763b2a264f4.yaml
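Review bot: The `[*system_scope*]` comment added at @@ -28 in authtoken.pp does not say how the new parameter relates to `$project_name` and `$project_domain_name`, which the same parameter list still defaults to 'services' and 'Default' at @@ -198. The service_credentials spec on this page expects the project parameters to be blanked once system_scope is set, and if keystone::resource::authtoken (the receiver at @@ -251, outside this page) behaves the same way, a caller who sets both silently loses the project scope without any hint in the class documentation. Suggest replacing the single line with `# (Optional) Scope for system operations. When set, the credentials are system-scoped and project_name/project_domain_name are not used — confirm against keystone::resource::authtoken.`, and the same interaction deserves a sentence in the `[*project_name*]` entry, which sits above the hunk.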
@@ -0,0 +1,14 @@
+---
+features:
+ - |
+ The ``system_scope`` parameter has been added to the following classes.
+ - ``aodh::service_credentials``
+ - ``aodh::keystone::authtoken``
+
+ - |
+ The ``aodh::keystone::auth`` class now supports customizing roles assigned
+ to the aodh service user.
+
+ - |
+ The ``aodh::keystone::auth`` class now supports defining assignmet of
+ system-scoped roles to the aodh service user.
diff --git a/spec/classes/aodh_keystone_auth_spec.rb b/spec/classes/aodh_keystone_auth_spec.rb
index d552cd6e..d977e793 100644
--- a/spec/classes/aodh_keystone_auth_spec.rb
+++ b/spec/classes/aodh_keystone_auth_spec.rb
@@ -23,6 +23,9 @@ describe 'aodh::keystone::auth' do
 :password => 'aodh_password',
 :email => 'aodh@localhost',
 :tenant => 'services',
+ :roles => ['admin'],
+ :system_scope => 'all',
+ :system_roles => ['admin', 'member', 'reader'],
 :public_url => 'http://127.0.0.1:8042',
 :internal_url => 'http://127.0.0.1:8042',
 :admin_url => 'http://127.0.0.1:8042',
@@ -35,6 +38,9 @@ describe 'aodh::keystone::auth' do
 :auth_name => 'alt_aodh',
 :email => 'alt_aodh@alt_localhost',
 :tenant => 'alt_service',
+ :roles => ['admin', 'service'],
+ :system_scope => 'alt_all',
+ :system_roles => ['admin', 'member', 'reader', 'service'],
 :configure_endpoint => false,
 :configure_user => false,
 :configure_user_role => false,
@@ -59,6 +65,9 @@ describe 'aodh::keystone::auth' do
 :password => 'aodh_password',
 :email => 'alt_aodh@alt_localhost',
 :tenant => 'alt_service',
+ :roles => ['admin', 'service'],
+ :system_scope => 'alt_all',
+ :system_roles => ['admin', 'member', 'reader', 'service'],
 :public_url => 'https://10.10.10.10:80',
 :internal_url => 'http://10.10.10.11:81',
 :admin_url => 'http://10.10.10.12:81',
diff --git a/spec/classes/aodh_keystone_authtoken_spec.rb b/spec/classes/aodh_keystone_authtoken_spec.rb
index 3c645fae..7ce2ea79 100644
--- a/spec/classes/aodh_keystone_authtoken_spec.rb
+++ b/spec/classes/aodh_keystone_authtoken_spec.rb
@@ -18,6 +18,7 @@ describe 'aodh::keystone::authtoken' do
 :project_name => 'services',
 :user_domain_name => 'Default',
 :project_domain_name => 'Default',
+ :system_scope => '',
 :insecure => '',
 :auth_section => '',
 :auth_type => 'password',
@@ -62,6 +63,7 @@ describe 'aodh::keystone::authtoken' do
 :project_name => 'service_project',
 :user_domain_name => 'domainX',
 :project_domain_name => 'domainX',
+ :system_scope => 'all',
 :insecure => false,
 :auth_section => 'new_section',
 :auth_type => 'password',
@@ -103,6 +105,7 @@ describe 'aodh::keystone::authtoken' do
 :project_name => 'service_project',
 :user_domain_name => 'domainX',
 :project_domain_name => 'domainX',
+ :system_scope => 'all',
 :insecure => false,
 :auth_section => 'new_section',
 :auth_type => 'password',
diff --git a/spec/classes/aodh_service_credentials_spec.rb b/spec/classes/aodh_service_credentials_spec.rb
index 95f2f76a..8f2d4526 100644
--- a/spec/classes/aodh_service_credentials_spec.rb
+++ b/spec/classes/aodh_service_credentials_spec.rb
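Review bot: The override cases at @@ -62 and @@ -103 add `:system_scope => 'all'` while keeping `:project_name => 'service_project'` and `:project_domain_name => 'domainX'` in the same params hash, but no expectation is added for what the keystone_authtoken section of aodh_config then holds for the project keys; the `it` blocks carrying the expectations lie outside these hunks. The service_credentials spec on this page does pin that behaviour ('configures system_scope but ignore project parameters'), so this spec should either assert the same blanking of the project values or, if the authtoken resource keeps them, assert that explicitly — otherwise a change in keystone::resource::authtoken's handling of system_scope passes unnoticed here. The default case at @@ -18 (`:system_scope => ''`) matches the `$::os_service_default` default in the manifest and needs nothing further.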
@@ -17,14 +17,13 @@ describe 'aodh::service_credentials' do is_expected.to contain_aodh_config('service_credentials/auth_url').with_value('http://localhost:5000/v3') is_expected.to contain_aodh_config('service_credentials/region_name').with_value('RegionOne') is_expected.to contain_aodh_config('service_credentials/project_domain_name').with_value('Default') - is_expected.to_not contain_aodh_config('service_credentials/project_domain_id') is_expected.to contain_aodh_config('service_credentials/user_domain_name').with_value('Default') - is_expected.to_not contain_aodh_config('service_credentials/user_domain_id') + is_expected.to contain_aodh_config('service_credentials/system_scope').with_value('') is_expected.to contain_aodh_config('service_credentials/auth_type').with_value('password') is_expected.to contain_aodh_config('service_credentials/username').with_value('aodh') is_expected.to contain_aodh_config('service_credentials/password').with_value('password').with_secret(true) is_expected.to contain_aodh_config('service_credentials/project_name').with_value('services') - is_expected.to contain_aodh_config('service_credentials/cacert').with(:value => '') + is_expected.to contain_aodh_config('service_credentials/cacert').with_value('') end context 'when overriding parameters' do @@ -38,6 +37,18 @@ describe 'aodh::service_credentials' do it { is_expected.to contain_aodh_config('service_credentials/interface').with_value(params[:interface]) } end + context 'when system_scope is set' do + before do + params.merge!( + :system_scope => 'all', + ) + end + it 'configures system_scope but ignore project parameters' do + is_expected.to contain_aodh_config('service_credentials/project_domain_name').with_value('') + is_expected.to contain_aodh_config('service_credentials/project_name').with_value('') + is_expected.to contain_aodh_config('service_credentials/system_scope').with_value('all') + end + end end on_supported_os({
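Review bot: The new 'when system_scope is set' context at @@ -38 asserts only that project_domain_name and project_name are emptied and that system_scope is 'all'; it never checks that user_domain_name, username and password are still written, so a regression that blanks the whole service_credentials block would pass this example. Add `is_expected.to contain_aodh_config('service_credentials/user_domain_name').with_value('Default')` and `is_expected.to contain_aodh_config('service_credentials/username').with_value('aodh')` next to the three new expectations; those are the values the default case at @@ -17 already pins, so the two cases then differ exactly in the project keys. The example name should read 'configures system_scope but ignores project parameters'.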