openstack
/
puppet-aodh
Code Issues Proposed changes

Accept system scope credentials for Keystone API request 

This change is the first step to support secure RBAC and allows usage
of system scope credentials for Keystone API request.

This change covers the following two items.
 - assignment of system scope roles to system user
 - credential parameters for authtoken middleware

Depends-on: https://review.opendev.org/804325
Change-Id: I672a988e77e58df0addb1ed4a47d609cbcef1331
This commit is contained in:
Takashi Kajinami 2021-08-12 14:58:53 +09:00
parent e14e5f12f9
commit c41c16ef2c
5 changed files with 56 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
manifests/keystone/auth.pp
View File

@ -19,6 +19,18 @@
# (Optional) Tenant for aodh user.
# Defaults to 'services'.
#
# [*roles*]
# (Optional) List of roles assigned to aodh user.
# Defaults to ['admin']
#
# [*system_scope*]
# (Optional) Scope for system operations.
# Defaults to 'all'
#
# [*system_roles*]
# (Optional) List of system roles assigned to aodh user.
# Defaults to []
#
# [*configure_endpoint*]
# (Optional) Should aodh endpoint be configured?
# Defaults to true.
@ -67,6 +79,9 @@ class aodh::keystone::auth (
$auth_name = 'aodh',
$email = 'aodh@localhost',
$tenant = 'services',
$roles = ['admin'],
$system_scope = 'all',
$system_roles = [],
$configure_endpoint = true,
$configure_user = true,
$configure_user_role = true,
@ -81,6 +96,13 @@ class aodh::keystone::auth (
include aodh::deps
Keystone_user_role<| name == "${auth_name}@${tenant}" |> -> Anchor['aodh::service::end']
Keystone_user_role<| name == "${auth_name}@::::${system_scope}" |> -> Anchor['aodh::service::end']
if $configure_endpoint {
Keystone_endpoint["${region}/${service_name}::${service_type}"] ~> Anchor['aodh::service::end']
}
keystone::resource::service_identity { 'aodh':
configure_user => $configure_user,
configure_user_role => $configure_user_role,
@ -93,6 +115,9 @@ class aodh::keystone::auth (
password => $password,
email => $email,
tenant => $tenant,
roles => $roles,
system_scope => $system_scope,
system_roles => $system_roles,
public_url => $public_url,
internal_url => $internal_url,
admin_url => $admin_url,

6
manifests/keystone/authtoken.pp
View File

@ -28,6 +28,10 @@
# (Optional) Name of domain for $project_name
# Defaults to 'Default'
#
# [*system_scope*]
# (Optional) Scope for system operations
# Defaults to $::os_service_default
#
# [*insecure*]
# (Optional) If true, explicitly allow TLS without checking server cert
# against any certificate authorities. WARNING: not recommended. Use with
@ -198,6 +202,7 @@ class aodh::keystone::authtoken(
$project_name = 'services',
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$system_scope = $::os_service_default,
$insecure = $::os_service_default,
$auth_section = $::os_service_default,
$auth_type = 'password',
@ -251,6 +256,7 @@ class aodh::keystone::authtoken(
auth_section => $auth_section,
user_domain_name => $user_domain_name,
project_domain_name => $project_domain_name,
system_scope => $system_scope,
insecure => $insecure,
cache => $cache,
cafile => $cafile,

13
releasenotes/notes/system_scope-e1779763b2a264f4.yaml Normal file
View File

@ -0,0 +1,13 @@
---
features:
- |
The ``system_scope`` parameter has been added to
the ``aodh::keystone::authtoken`` class.
- |
The ``aodh::keystone::auth`` class now supports customizing roles assigned
to the aodh service user.
- |
The ``aodh::keystone::auth`` class now supports defining assignmet of
system-scoped roles to the aodh service user.

9
spec/classes/aodh_keystone_auth_spec.rb
View File

@ -23,6 +23,9 @@ describe 'aodh::keystone::auth' do
:password => 'aodh_password',
:email => 'aodh@localhost',
:tenant => 'services',
:roles => ['admin'],
:system_scope => 'all',
:system_roles => [],
:public_url => 'http://127.0.0.1:8042',
:internal_url => 'http://127.0.0.1:8042',
:admin_url => 'http://127.0.0.1:8042',
@ -35,6 +38,9 @@ describe 'aodh::keystone::auth' do
:auth_name => 'alt_aodh',
:email => 'alt_aodh@alt_localhost',
:tenant => 'alt_service',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:configure_endpoint => false,
:configure_user => false,
:configure_user_role => false,
@ -59,6 +65,9 @@ describe 'aodh::keystone::auth' do
:password => 'aodh_password',
:email => 'alt_aodh@alt_localhost',
:tenant => 'alt_service',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:public_url => 'https://10.10.10.10:80',
:internal_url => 'http://10.10.10.11:81',
:admin_url => 'http://10.10.10.12:81',

3
spec/classes/aodh_keystone_authtoken_spec.rb
View File

@ -18,6 +18,7 @@ describe 'aodh::keystone::authtoken' do
:project_name => 'services',
:user_domain_name => 'Default',
:project_domain_name => 'Default',
:system_scope => '<SERVICE DEFAULT>',
:insecure => '<SERVICE DEFAULT>',
:auth_section => '<SERVICE DEFAULT>',
:auth_type => 'password',
@ -62,6 +63,7 @@ describe 'aodh::keystone::authtoken' do
:project_name => 'service_project',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:system_scope => 'all',
:insecure => false,
:auth_section => 'new_section',
:auth_type => 'password',
@ -103,6 +105,7 @@ describe 'aodh::keystone::authtoken' do
:project_name => 'service_project',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:system_scope => 'all',
:insecure => false,
:auth_section => 'new_section',
:auth_type => 'password',