Merge "Customize roles assigned to cinder user"

This commit is contained in:
Zuul 2019-07-31 05:40:15 +00:00 committed by Gerrit Code Review
commit 75a4810a83
5 changed files with 82 additions and 33 deletions

View File

@ -111,6 +111,18 @@
# (Optional) Tenant for Cinder v3 user.
# Defaults to 'services'.
#
# [*roles*]
# (Optional) List of roles assigned to Cinder user
# Defaults to ['admin']
#
# [*roles_v2*]
# (Optional) List of roles assigned to Cinder v2 user
# Defaults to ['admin']
#
# [*roles_v3*]
# (Optional) List of roles assigned to Cinder v3 user
# Defaults to ['admin']
#
# [*public_url_v2*]
# (Optional) The v2 endpoint's public url.
# This url should *not* contain any trailing '/'.
@ -193,6 +205,9 @@ class cinder::keystone::auth (
$tenant = 'services',
$tenant_user_v2 = 'services',
$tenant_user_v3 = 'services',
$roles = ['admin'],
$roles_v2 = ['admin'],
$roles_v3 = ['admin'],
$email = 'cinder@localhost',
$email_user_v2 = 'cinderv2@localhost',
$email_user_v3 = 'cinderv3@localhost',
@ -264,6 +279,7 @@ class cinder::keystone::auth (
password => $password,
email => $email,
tenant => $tenant,
roles => $roles,
}
keystone::resource::service_identity { 'cinderv2':
@ -278,6 +294,7 @@ class cinder::keystone::auth (
password => $password_user_v2,
email => $email_user_v2,
tenant => $tenant_user_v2,
roles => $roles_v2,
public_url => $public_url_v2,
admin_url => $admin_url_v2,
internal_url => $internal_url_v2,
@ -295,6 +312,7 @@ class cinder::keystone::auth (
password => $password_user_v3,
email => $email_user_v3,
tenant => $tenant_user_v3,
roles => $roles_v3,
public_url => $public_url_v3,
admin_url => $admin_url_v3,
internal_url => $internal_url_v3,

View File

@ -165,6 +165,16 @@
# (in seconds). Set to -1 to disable caching completely. Integer value
# Defaults to $::os_service_default.
#
# [*service_token_roles*]
# (Optional) A choice of roles that must be present in a service token.
# Service tokens are allowed to request that an expired token
# can be used and so this check should tightly control that
# only actual services should be sending this token. Roles
# here are applied as an ANY check so any role in this list
# must be present. For backwards compatibility reasons this
# currently only affects the allow_expired check. (list value)
# Defaults to $::os_service_default.
#
# [*service_token_roles_required*]
# (optional) backwards compatibility to ensure that the service tokens are
# compared against a list of possible roles for validity
@ -224,6 +234,7 @@ class cinder::keystone::authtoken(
$manage_memcache_package = false,
$region_name = $::os_service_default,
$token_cache_time = $::os_service_default,
$service_token_roles = $::os_service_default,
$service_token_roles_required = $::os_service_default,
# DEPRECATED PARAMETERS
$check_revocations_for_cached = undef,
@ -277,6 +288,7 @@ class cinder::keystone::authtoken(
manage_memcache_package => $manage_memcache_package,
region_name => $region_name,
token_cache_time => $token_cache_time,
service_token_roles => $service_token_roles,
service_token_roles_required => $service_token_roles_required,
}
}

View File

@ -0,0 +1,10 @@
---
features:
- |
New hieradata, cinder::keystone::authtoken::service_token_roles, is
introduced so that specific role can be assigned to the service user
who can use service token feature.
- |
New hieradata, cinder::keystone::roles, roles_v2 and roles_v3 are
introduced to configure customized role for cinder user in keystone
identity.

View File

@ -48,6 +48,7 @@ describe 'cinder::keystone::auth' do
context 'when overriding parameters' do
before do
params.merge!({
:roles => ['admin', 'service'],
:region => 'RegionThree',
:public_url_v2 => 'https://10.0.42.1:4242/v42/%(tenant_id)s',
:admin_url_v2 => 'https://10.0.42.2:4242/v42/%(tenant_id)s',
@ -58,6 +59,11 @@ describe 'cinder::keystone::auth' do
})
end
it { is_expected.to contain_keystone_user_role('cinder@services').with(
:ensure => 'present',
:roles => ['admin', 'service']
)}
it { is_expected.to contain_keystone_endpoint('RegionThree/cinderv2::volumev2').with(
:ensure => 'present',
:public_url => 'https://10.0.42.1:4242/v42/%(tenant_id)s',

View File

@ -41,6 +41,7 @@ describe 'cinder::keystone::authtoken' do
is_expected.to contain_cinder_config('keystone_authtoken/memcached_servers').with_value('<SERVICE DEFAULT>')
is_expected.to contain_cinder_config('keystone_authtoken/region_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_cinder_config('keystone_authtoken/token_cache_time').with_value('<SERVICE DEFAULT>')
is_expected.to contain_cinder_config('keystone_authtoken/service_token_roles').with_value('<SERVICE DEFAULT>')
is_expected.to contain_cinder_config('keystone_authtoken/service_token_roles_required').with_value('<SERVICE DEFAULT>')
end
end
@ -48,39 +49,40 @@ describe 'cinder::keystone::authtoken' do
context 'when overriding parameters' do
before do
params.merge!({
:www_authenticate_uri => 'https://10.0.0.1:9999/',
:username => 'myuser',
:password => 'mypasswd',
:auth_url => 'https://127.0.0.1:5000',
:project_name => 'service_project',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:insecure => false,
:auth_section => 'new_section',
:auth_type => 'password',
:auth_version => 'v3',
:cache => 'somevalue',
:cafile => '/opt/stack/data/cafile.pem',
:certfile => 'certfile.crt',
:delay_auth_decision => false,
:enforce_token_bind => 'permissive',
:http_connect_timeout => '300',
:http_request_max_retries => '3',
:include_service_catalog => true,
:keyfile => 'keyfile',
:memcache_pool_conn_get_timeout => '9',
:memcache_pool_dead_retry => '302',
:memcache_pool_maxsize => '11',
:memcache_pool_socket_timeout => '2',
:memcache_pool_unused_timeout => '61',
:memcache_secret_key => 'secret_key',
:memcache_security_strategy => 'ENCRYPT',
:memcache_use_advanced_pool => true,
:memcached_servers => ['memcached01:11211','memcached02:11211'],
:manage_memcache_package => true,
:region_name => 'region2',
:token_cache_time => '301',
:service_token_roles_required => false,
:www_authenticate_uri => 'https://10.0.0.1:9999/',
:username => 'myuser',
:password => 'mypasswd',
:auth_url => 'https://127.0.0.1:5000',
:project_name => 'service_project',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:insecure => false,
:auth_section => 'new_section',
:auth_type => 'password',
:auth_version => 'v3',
:cache => 'somevalue',
:cafile => '/opt/stack/data/cafile.pem',
:certfile => 'certfile.crt',
:delay_auth_decision => false,
:enforce_token_bind => 'permissive',
:http_connect_timeout => '300',
:http_request_max_retries => '3',
:include_service_catalog => true,
:keyfile => 'keyfile',
:memcache_pool_conn_get_timeout => '9',
:memcache_pool_dead_retry => '302',
:memcache_pool_maxsize => '11',
:memcache_pool_socket_timeout => '2',
:memcache_pool_unused_timeout => '61',
:memcache_secret_key => 'secret_key',
:memcache_security_strategy => 'ENCRYPT',
:memcache_use_advanced_pool => true,
:memcached_servers => ['memcached01:11211','memcached02:11211'],
:manage_memcache_package => true,
:region_name => 'region2',
:token_cache_time => '301',
:service_token_roles => ['admin'],
:service_token_roles_required => true,
})
end
@ -116,6 +118,7 @@ describe 'cinder::keystone::authtoken' do
is_expected.to contain_cinder_config('keystone_authtoken/memcached_servers').with_value('memcached01:11211,memcached02:11211')
is_expected.to contain_cinder_config('keystone_authtoken/region_name').with_value(params[:region_name])
is_expected.to contain_cinder_config('keystone_authtoken/token_cache_time').with_value(params[:token_cache_time])
is_expected.to contain_cinder_config('keystone_authtoken/service_token_roles').with_value(params[:service_token_roles])
is_expected.to contain_cinder_config('keystone_authtoken/service_token_roles_required').with_value(params[:service_token_roles_required])
end