Merge "Accept system scope credentials for Keystone API request"
This commit is contained in:
commit
bdded914ce
|
@ -19,6 +19,18 @@
|
||||||
# (Optional) Tenant for barbican user.
|
# (Optional) Tenant for barbican user.
|
||||||
# Defaults to 'services'.
|
# Defaults to 'services'.
|
||||||
#
|
#
|
||||||
|
# [*roles*]
|
||||||
|
# (Optional) List of roles assigned to barbican user.
|
||||||
|
# Defaults to ['admin']
|
||||||
|
#
|
||||||
|
# [*system_scope*]
|
||||||
|
# (Optional) Scope for system operations.
|
||||||
|
# Defaults to 'all'
|
||||||
|
#
|
||||||
|
# [*system_roles*]
|
||||||
|
# (Optional) List of system roles assigned to barbican user.
|
||||||
|
# Defaults to []
|
||||||
|
#
|
||||||
# [*configure_endpoint*]
|
# [*configure_endpoint*]
|
||||||
# (Optional) Should barbican endpoint be configured?
|
# (Optional) Should barbican endpoint be configured?
|
||||||
# Defaults to true.
|
# Defaults to true.
|
||||||
|
@ -67,6 +79,9 @@ class barbican::keystone::auth (
|
||||||
$auth_name = 'barbican',
|
$auth_name = 'barbican',
|
||||||
$email = 'barbican@localhost',
|
$email = 'barbican@localhost',
|
||||||
$tenant = 'services',
|
$tenant = 'services',
|
||||||
|
$roles = ['admin'],
|
||||||
|
$system_scope = 'all',
|
||||||
|
$system_roles = [],
|
||||||
$configure_endpoint = true,
|
$configure_endpoint = true,
|
||||||
$configure_user = true,
|
$configure_user = true,
|
||||||
$configure_user_role = true,
|
$configure_user_role = true,
|
||||||
|
@ -81,11 +96,11 @@ class barbican::keystone::auth (
|
||||||
|
|
||||||
include barbican::deps
|
include barbican::deps
|
||||||
|
|
||||||
if $configure_user_role {
|
Keystone_user_role<| name == "${auth_name}@${tenant}" |> -> Anchor['barbican::service::end']
|
||||||
Keystone_user_role["${auth_name}@${tenant}"] ~> Anchor['barbican::service::end']
|
Keystone_user_role<| name == "${auth_name}@::::${system_scope}" |> -> Anchor['barbican::service::end']
|
||||||
}
|
|
||||||
if $configure_endpoint {
|
if $configure_endpoint {
|
||||||
Keystone_endpoint["${region}/${service_name}::${service_type}"] ~> Anchor['barbican::service::end']
|
Keystone_endpoint["${region}/${service_name}::${service_type}"] -> Anchor['barbican::service::end']
|
||||||
}
|
}
|
||||||
|
|
||||||
keystone::resource::service_identity { 'barbican':
|
keystone::resource::service_identity { 'barbican':
|
||||||
|
@ -100,6 +115,9 @@ class barbican::keystone::auth (
|
||||||
password => $password,
|
password => $password,
|
||||||
email => $email,
|
email => $email,
|
||||||
tenant => $tenant,
|
tenant => $tenant,
|
||||||
|
roles => $roles,
|
||||||
|
system_scope => $system_scope,
|
||||||
|
system_roles => $system_roles,
|
||||||
public_url => $public_url,
|
public_url => $public_url,
|
||||||
internal_url => $internal_url,
|
internal_url => $internal_url,
|
||||||
admin_url => $admin_url,
|
admin_url => $admin_url,
|
||||||
|
|
|
@ -28,6 +28,10 @@
|
||||||
# (Optional) Name of domain for $project_name
|
# (Optional) Name of domain for $project_name
|
||||||
# Defaults to 'Default'
|
# Defaults to 'Default'
|
||||||
#
|
#
|
||||||
|
# [*system_scope*]
|
||||||
|
# (Optional) Scope for system operations
|
||||||
|
# Defaults to $::os_service_default
|
||||||
|
#
|
||||||
# [*insecure*]
|
# [*insecure*]
|
||||||
# (Optional) If true, explicitly allow TLS without checking server cert
|
# (Optional) If true, explicitly allow TLS without checking server cert
|
||||||
# against any certificate authorities. WARNING: not recommended. Use with
|
# against any certificate authorities. WARNING: not recommended. Use with
|
||||||
|
@ -198,6 +202,7 @@ class barbican::keystone::authtoken(
|
||||||
$project_name = 'services',
|
$project_name = 'services',
|
||||||
$user_domain_name = 'Default',
|
$user_domain_name = 'Default',
|
||||||
$project_domain_name = 'Default',
|
$project_domain_name = 'Default',
|
||||||
|
$system_scope = $::os_service_default,
|
||||||
$insecure = $::os_service_default,
|
$insecure = $::os_service_default,
|
||||||
$auth_section = $::os_service_default,
|
$auth_section = $::os_service_default,
|
||||||
$auth_type = 'password',
|
$auth_type = 'password',
|
||||||
|
@ -251,6 +256,7 @@ class barbican::keystone::authtoken(
|
||||||
auth_section => $auth_section,
|
auth_section => $auth_section,
|
||||||
user_domain_name => $user_domain_name,
|
user_domain_name => $user_domain_name,
|
||||||
project_domain_name => $project_domain_name,
|
project_domain_name => $project_domain_name,
|
||||||
|
system_scope => $system_scope,
|
||||||
insecure => $insecure,
|
insecure => $insecure,
|
||||||
cache => $cache,
|
cache => $cache,
|
||||||
cafile => $cafile,
|
cafile => $cafile,
|
||||||
|
|
|
@ -0,0 +1,13 @@
|
||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
The ``system_scope`` parameter has been added to
|
||||||
|
the ``barbican::keystone::authtoken`` class.
|
||||||
|
|
||||||
|
- |
|
||||||
|
The ``barbican::keystone::auth`` class now supports customizing roles
|
||||||
|
assigned to the barbican service user.
|
||||||
|
|
||||||
|
- |
|
||||||
|
The ``barbican::keystone::auth`` class now supports defining assignmet of
|
||||||
|
system-scoped roles to the barbican service user.
|
|
@ -23,6 +23,9 @@ describe 'barbican::keystone::auth' do
|
||||||
:password => 'barbican_password',
|
:password => 'barbican_password',
|
||||||
:email => 'barbican@localhost',
|
:email => 'barbican@localhost',
|
||||||
:tenant => 'services',
|
:tenant => 'services',
|
||||||
|
:roles => ['admin'],
|
||||||
|
:system_scope => 'all',
|
||||||
|
:system_roles => [],
|
||||||
:public_url => 'http://127.0.0.1:9311',
|
:public_url => 'http://127.0.0.1:9311',
|
||||||
:internal_url => 'http://127.0.0.1:9311',
|
:internal_url => 'http://127.0.0.1:9311',
|
||||||
:admin_url => 'http://127.0.0.1:9311',
|
:admin_url => 'http://127.0.0.1:9311',
|
||||||
|
@ -35,6 +38,9 @@ describe 'barbican::keystone::auth' do
|
||||||
:auth_name => 'alt_barbican',
|
:auth_name => 'alt_barbican',
|
||||||
:email => 'alt_barbican@alt_localhost',
|
:email => 'alt_barbican@alt_localhost',
|
||||||
:tenant => 'alt_service',
|
:tenant => 'alt_service',
|
||||||
|
:roles => ['admin', 'service'],
|
||||||
|
:system_scope => 'alt_all',
|
||||||
|
:system_roles => ['admin', 'member', 'reader'],
|
||||||
:configure_endpoint => false,
|
:configure_endpoint => false,
|
||||||
:configure_user => false,
|
:configure_user => false,
|
||||||
:configure_user_role => false,
|
:configure_user_role => false,
|
||||||
|
@ -59,6 +65,9 @@ describe 'barbican::keystone::auth' do
|
||||||
:password => 'barbican_password',
|
:password => 'barbican_password',
|
||||||
:email => 'alt_barbican@alt_localhost',
|
:email => 'alt_barbican@alt_localhost',
|
||||||
:tenant => 'alt_service',
|
:tenant => 'alt_service',
|
||||||
|
:roles => ['admin', 'service'],
|
||||||
|
:system_scope => 'alt_all',
|
||||||
|
:system_roles => ['admin', 'member', 'reader'],
|
||||||
:public_url => 'https://10.10.10.10:80',
|
:public_url => 'https://10.10.10.10:80',
|
||||||
:internal_url => 'http://10.10.10.11:81',
|
:internal_url => 'http://10.10.10.11:81',
|
||||||
:admin_url => 'http://10.10.10.12:81',
|
:admin_url => 'http://10.10.10.12:81',
|
||||||
|
|
|
@ -18,6 +18,7 @@ describe 'barbican::keystone::authtoken' do
|
||||||
:project_name => 'services',
|
:project_name => 'services',
|
||||||
:user_domain_name => 'Default',
|
:user_domain_name => 'Default',
|
||||||
:project_domain_name => 'Default',
|
:project_domain_name => 'Default',
|
||||||
|
:system_scope => '<SERVICE DEFAULT>',
|
||||||
:insecure => '<SERVICE DEFAULT>',
|
:insecure => '<SERVICE DEFAULT>',
|
||||||
:auth_section => '<SERVICE DEFAULT>',
|
:auth_section => '<SERVICE DEFAULT>',
|
||||||
:auth_type => 'password',
|
:auth_type => 'password',
|
||||||
|
@ -62,6 +63,7 @@ describe 'barbican::keystone::authtoken' do
|
||||||
:project_name => 'service_project',
|
:project_name => 'service_project',
|
||||||
:user_domain_name => 'domainX',
|
:user_domain_name => 'domainX',
|
||||||
:project_domain_name => 'domainX',
|
:project_domain_name => 'domainX',
|
||||||
|
:system_scope => 'all',
|
||||||
:insecure => false,
|
:insecure => false,
|
||||||
:auth_section => 'new_section',
|
:auth_section => 'new_section',
|
||||||
:auth_type => 'password',
|
:auth_type => 'password',
|
||||||
|
@ -103,6 +105,7 @@ describe 'barbican::keystone::authtoken' do
|
||||||
:project_name => 'service_project',
|
:project_name => 'service_project',
|
||||||
:user_domain_name => 'domainX',
|
:user_domain_name => 'domainX',
|
||||||
:project_domain_name => 'domainX',
|
:project_domain_name => 'domainX',
|
||||||
|
:system_scope => 'all',
|
||||||
:insecure => false,
|
:insecure => false,
|
||||||
:auth_section => 'new_section',
|
:auth_section => 'new_section',
|
||||||
:auth_type => 'password',
|
:auth_type => 'password',
|
||||||
|
|
Loading…
Reference in New Issue