Accept system scope credentials for Keystone API request
This change is the first step to support secure RBAC and allows usage of system scope credentials for Keystone API request. This change covers the following three items. - assignment of system scope roles to system user - credential parameters for authtoken middleware - credential parameters for service token feature Note that the credential parameters for authtoken middleware are used in some providers, and these providers still require a project scope credential. This will be fixed by the subsequent change. Depends-on: https://review.opendev.org/804325 Change-Id: I33f912aeb058fd269d4a0eda57438051a2f094ff
This commit is contained in:
Takashi Kajinami
parent
2eea9e71a1
commit
0256c26d21
|
|
@ -79,6 +79,22 @@
|
|||
# (Optional) List of roles assigned to Cinder v3 user
|
||||
# Defaults to ['admin']
|
||||
#
|
||||
# [*system_scope*]
|
||||
# (Optional) Scope for system operations used by Cinder v3 user.
|
||||
# Defaults to 'all'
|
||||
#
|
||||
# [*system_scope_v3*]
|
||||
# (Optional) Scope for system operations used by Cinder v3 user.
|
||||
# Defaults to 'all'
|
||||
#
|
||||
# [*system_roles*]
|
||||
# (Optional) List of system roles assigned to Cinder user.
|
||||
# Defaults to []
|
||||
#
|
||||
# [*system_roles_v3*]
|
||||
# (Optional) List of system roles assigned to Cinder v3 user.
|
||||
# Defaults to []
|
||||
#
|
||||
# [*public_url_v3*]
|
||||
# (0ptional) The v3 endpoint's public url.
|
||||
# This url should *not* contain any trailing '/'.
|
||||
|
|
@ -111,6 +127,10 @@ class cinder::keystone::auth (
|
|||
$tenant_user_v3 = 'services',
|
||||
$roles = ['admin'],
|
||||
$roles_v3 = ['admin'],
|
||||
$system_scope = 'all',
|
||||
$system_scope_v3 = 'all',
|
||||
$system_roles = [],
|
||||
$system_roles_v3 = [],
|
||||
$email = 'cinder@localhost',
|
||||
$email_user_v3 = 'cinderv3@localhost',
|
||||
$public_url_v3 = 'http://127.0.0.1:8776/v3/%(tenant_id)s',
|
||||
|
|
@ -129,6 +149,9 @@ class cinder::keystone::auth (
|
|||
|
||||
include cinder::deps
|
||||
|
||||
Keystone_user_role<| name == "${auth_name}@${tenant}" |> -> Anchor['cinder::service::end']
|
||||
Keystone_user_role<| name == "${auth_name}@::::${system_scope}" |> -> Anchor['cinder::service::end']
|
||||
|
||||
if $configure_endpoint_v3 {
|
||||
Keystone_endpoint["${region}/${service_name_v3}::${service_type_v3}"] -> Anchor['cinder::service::end']
|
||||
}
|
||||
|
|
@ -146,6 +169,8 @@ class cinder::keystone::auth (
|
|||
email => $email,
|
||||
tenant => $tenant,
|
||||
roles => $roles,
|
||||
system_scope => $system_scope,
|
||||
system_roles => $system_roles,
|
||||
}
|
||||
|
||||
keystone::resource::service_identity { 'cinderv3':
|
||||
|
|
@ -161,13 +186,11 @@ class cinder::keystone::auth (
|
|||
email => $email_user_v3,
|
||||
tenant => $tenant_user_v3,
|
||||
roles => $roles_v3,
|
||||
system_scope => $system_scope_v3,
|
||||
system_roles => $system_roles_v3,
|
||||
public_url => $public_url_v3,
|
||||
admin_url => $admin_url_v3,
|
||||
internal_url => $internal_url_v3,
|
||||
}
|
||||
|
||||
if $configure_user_role {
|
||||
Keystone_user_role["${auth_name}@${tenant}"] -> Anchor['cinder::service::end']
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -28,6 +28,10 @@
|
|||
# (Optional) Name of domain for $project_name
|
||||
# Defaults to 'Default'
|
||||
#
|
||||
# [*system_scope*]
|
||||
# (Optional) Scope for system operations
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*insecure*]
|
||||
# (Optional) If true, explicitly allow TLS without checking server cert
|
||||
# against any certificate authorities. WARNING: not recommended. Use with
|
||||
|
|
@ -203,6 +207,7 @@ class cinder::keystone::authtoken(
|
|||
$project_name = 'services',
|
||||
$user_domain_name = 'Default',
|
||||
$project_domain_name = 'Default',
|
||||
$system_scope = $::os_service_default,
|
||||
$insecure = $::os_service_default,
|
||||
$auth_section = $::os_service_default,
|
||||
$auth_type = 'password',
|
||||
|
|
@ -256,6 +261,7 @@ class cinder::keystone::authtoken(
|
|||
auth_section => $auth_section,
|
||||
user_domain_name => $user_domain_name,
|
||||
project_domain_name => $project_domain_name,
|
||||
system_scope => $system_scope,
|
||||
insecure => $insecure,
|
||||
cache => $cache,
|
||||
cafile => $cafile,
|
||||
|
|
|
|||
|
|
@ -28,6 +28,10 @@
|
|||
# (Optional) Name of domain for $project_name
|
||||
# Defaults to 'Default'
|
||||
#
|
||||
# [*system_scope*]
|
||||
# (Optional) Scope for system operations
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*send_service_user_token*]
|
||||
# (Optional) The service uses service token feature when this is set as true
|
||||
# Defaults to 'false'
|
||||
|
|
@ -70,6 +74,7 @@ class cinder::keystone::service_user(
|
|||
$project_name = 'services',
|
||||
$user_domain_name = 'Default',
|
||||
$project_domain_name = 'Default',
|
||||
$system_scope = $::os_service_default,
|
||||
$send_service_user_token = false,
|
||||
$insecure = $::os_service_default,
|
||||
$auth_type = 'password',
|
||||
|
|
@ -91,6 +96,7 @@ class cinder::keystone::service_user(
|
|||
auth_type => $auth_type,
|
||||
user_domain_name => $user_domain_name,
|
||||
project_domain_name => $project_domain_name,
|
||||
system_scope => $system_scope,
|
||||
send_service_user_token => $send_service_user_token,
|
||||
insecure => $insecure,
|
||||
cafile => $cafile,
|
||||
|
|
|
|||
|
|
@ -0,0 +1,16 @@
|
|||
---
|
||||
features:
|
||||
- |
|
||||
The ``cinder::keystone::auth`` class now supports the following new
|
||||
parameters to define system-scoped roles.
|
||||
|
||||
- ``system_scope``
|
||||
- ``system_roles``
|
||||
- ``system_scope_v3``
|
||||
- ``system_roles_v3``
|
||||
|
||||
- |
|
||||
The ``system_scope`` parameter has been added to the following classes.
|
||||
|
||||
- ``cinder::keystone::authtoken``
|
||||
- ``cinder::keystone::service_user``
|
||||
|
|
@ -22,6 +22,8 @@ describe 'cinder::keystone::auth' do
|
|||
:email => 'cinder@localhost',
|
||||
:tenant => 'services',
|
||||
:roles => ['admin'],
|
||||
:system_scope => 'all',
|
||||
:system_roles => [],
|
||||
) }
|
||||
|
||||
it { is_expected.to contain_keystone__resource__service_identity('cinderv3').with(
|
||||
|
|
@ -36,6 +38,8 @@ describe 'cinder::keystone::auth' do
|
|||
:email => 'cinderv3@localhost',
|
||||
:tenant => 'services',
|
||||
:roles => ['admin'],
|
||||
:system_scope => 'all',
|
||||
:system_roles => [],
|
||||
:public_url => 'http://127.0.0.1:8776/v3/%(tenant_id)s',
|
||||
:internal_url => 'http://127.0.0.1:8776/v3/%(tenant_id)s',
|
||||
:admin_url => 'http://127.0.0.1:8776/v3/%(tenant_id)s',
|
||||
|
|
@ -49,13 +53,17 @@ describe 'cinder::keystone::auth' do
|
|||
:email => 'alt_cinder@alt_localhost',
|
||||
:tenant => 'alt_service',
|
||||
:roles => ['admin', 'service'],
|
||||
:system_scope => 'alt_all',
|
||||
:system_roles => ['admin', 'member', 'reader'],
|
||||
:configure_user => false,
|
||||
:configure_user_role => false,
|
||||
:password_user_v3 => 'cinderv3_password',
|
||||
:auth_name_v3 => 'alt_cinderv3',
|
||||
:email_user_v3 => 'alt_cinderv3@alt_localhost',
|
||||
:tenant_user_v3 => 'alt_servicev3',
|
||||
:roles_v3 => ['admin', 'service'],
|
||||
:roles_v3 => ['adminv3', 'servicev3'],
|
||||
:system_scope_v3 => 'alt_all_v3',
|
||||
:system_roles_v3 => ['adminv3', 'memberv3', 'readerv3'],
|
||||
:configure_user_v3 => true,
|
||||
:configure_user_role_v3 => true,
|
||||
:service_description_v3 => 'Alternative Cinder Service v3',
|
||||
|
|
@ -79,6 +87,8 @@ describe 'cinder::keystone::auth' do
|
|||
:email => 'alt_cinder@alt_localhost',
|
||||
:tenant => 'alt_service',
|
||||
:roles => ['admin', 'service'],
|
||||
:system_scope => 'alt_all',
|
||||
:system_roles => ['admin', 'member', 'reader'],
|
||||
) }
|
||||
|
||||
it { is_expected.to contain_keystone__resource__service_identity('cinderv3').with(
|
||||
|
|
@ -93,7 +103,9 @@ describe 'cinder::keystone::auth' do
|
|||
:password => 'cinderv3_password',
|
||||
:email => 'alt_cinderv3@alt_localhost',
|
||||
:tenant => 'alt_servicev3',
|
||||
:roles => ['admin', 'service'],
|
||||
:roles => ['adminv3', 'servicev3'],
|
||||
:system_scope => 'alt_all_v3',
|
||||
:system_roles => ['adminv3', 'memberv3', 'readerv3'],
|
||||
:public_url => 'https://10.10.10.10:80',
|
||||
:internal_url => 'http://10.10.10.11:81',
|
||||
:admin_url => 'http://10.10.10.12:81',
|
||||
|
|
|
|||
|
|
@ -18,6 +18,7 @@ describe 'cinder::keystone::authtoken' do
|
|||
:project_name => 'services',
|
||||
:user_domain_name => 'Default',
|
||||
:project_domain_name => 'Default',
|
||||
:system_scope => '<SERVICE DEFAULT>',
|
||||
:insecure => '<SERVICE DEFAULT>',
|
||||
:auth_section => '<SERVICE DEFAULT>',
|
||||
:auth_type => 'password',
|
||||
|
|
@ -62,6 +63,7 @@ describe 'cinder::keystone::authtoken' do
|
|||
:project_name => 'service_project',
|
||||
:user_domain_name => 'domainX',
|
||||
:project_domain_name => 'domainX',
|
||||
:system_scope => 'all',
|
||||
:insecure => false,
|
||||
:auth_section => 'new_section',
|
||||
:auth_type => 'password',
|
||||
|
|
@ -103,6 +105,7 @@ describe 'cinder::keystone::authtoken' do
|
|||
:project_name => 'service_project',
|
||||
:user_domain_name => 'domainX',
|
||||
:project_domain_name => 'domainX',
|
||||
:system_scope => 'all',
|
||||
:insecure => false,
|
||||
:auth_section => 'new_section',
|
||||
:auth_type => 'password',
|
||||
|
|
|
|||
Loading…
Reference in New Issue