openstack
/
puppet-designate
Code Issues Proposed changes
Browse Source

Merge "Accept system scope credentials for Keystone API request"

changes/74/824974/1
Zuul 5 months ago committed by Gerrit Code Review
parent
f59f441901 d95528c4bf
commit
b3ec160694
5 changed files with 54 additions and 2 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 25
      manifests/keystone/auth.pp
  2. 6
      manifests/keystone/authtoken.pp
  3. 13
      releasenotes/notes/system_scope-keystone-b2c230ab973bd178.yaml
  4. 9
      spec/classes/designate_keystone_auth_spec.rb
  5. 3
      spec/classes/designate_keystone_authtoken_spec.rb

25
manifests/keystone/auth.pp
Unescape View File

@ -47,6 +47,18 @@
# (Optional) Tenant for designate user.
# Defaults to 'services'.
#
# [*roles*]
# (Optional) List of roles assigned to designate user.
# Defaults to ['admin']
#
# [*system_scope*]
# (Optional) Scope for system operations.
# Defaults to 'all'
#
# [*system_roles*]
# (Optional) List of system roles assigned to designate user.
# Defaults to []
#
# [*public_url*]
# (0ptional) The endpoint's public url.
# This url should *not* contain any trailing '/'.
@ -79,6 +91,9 @@ class designate::keystone::auth (
$service_description = 'OpenStack DNSaas Service',
$region = 'RegionOne',
$tenant = 'services',
$roles = ['admin'],
$system_scope = 'all',
$system_roles = [],
$configure_user = true,
$configure_user_role = true,
$configure_endpoint = true,
@ -89,8 +104,11 @@ class designate::keystone::auth (
include designate::deps
if $configure_user_role {
Keystone_user_role["${auth_name}@${tenant}"] ~> Anchor['designate::service::end']
Keystone_user_role<| name == "${auth_name}@${tenant}" |> -> Anchor['designate::service::end']
Keystone_user_role<| name == "${auth_name}@::::${system_scope}" |> -> Anchor['designate::service::end']
if $configure_endpoint {
Keystone_endpoint["${region}/${service_name}::${service_type}"] -> Anchor['designate::service::end']
}
keystone::resource::service_identity { 'designate':
@ -105,6 +123,9 @@ class designate::keystone::auth (
password => $password,
email => $email,
tenant => $tenant,
roles => $roles,
system_scope => $system_scope,
system_roles => $system_roles,
public_url => $public_url,
internal_url => $internal_url,
admin_url => $admin_url,

6
manifests/keystone/authtoken.pp
Unescape View File

@ -28,6 +28,10 @@
# (Optional) Name of domain for $project_name
# Defaults to 'Default'
#
# [*system_scope*]
# (Optional) Scope for system operations
# Defaults to $::os_service_default
#
# [*insecure*]
# (Optional) If true, explicitly allow TLS without checking server cert
# against any certificate authorities. WARNING: not recommended. Use with
@ -203,6 +207,7 @@ class designate::keystone::authtoken(
$project_name = 'services',
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$system_scope = $::os_service_default,
$insecure = $::os_service_default,
$auth_section = $::os_service_default,
$auth_type = 'password',
@ -256,6 +261,7 @@ class designate::keystone::authtoken(
auth_section => $auth_section,
user_domain_name => $user_domain_name,
project_domain_name => $project_domain_name,
system_scope => $system_scope,
insecure => $insecure,
cache => $cache,
cafile => $cafile,

13
releasenotes/notes/system_scope-keystone-b2c230ab973bd178.yaml
Unescape View File

@ -0,0 +1,13 @@
---
features:
- |
The ``system_scope`` parameter has been added to
the ``designate::keystone::authtoken`` class.
- |
The ``designate::keystone::auth`` class now supports customizing roles
assigned to the designate service user.
- |
The ``designate::keystone::auth`` class now supports defining assignmet of
system-scoped roles to the designate service user.

9
spec/classes/designate_keystone_auth_spec.rb
Unescape View File

@ -23,6 +23,9 @@ describe 'designate::keystone::auth' do
:password => 'designate_password',
:email => 'designate@localhost',
:tenant => 'services',
:roles => ['admin'],
:system_scope => 'all',
:system_roles => [],
:public_url => 'http://127.0.0.1:9001',
:internal_url => 'http://127.0.0.1:9001',
:admin_url => 'http://127.0.0.1:9001',
@ -35,6 +38,9 @@ describe 'designate::keystone::auth' do
:auth_name => 'alt_designate',
:email => 'alt_designate@alt_localhost',
:tenant => 'alt_service',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:configure_endpoint => false,
:configure_user => false,
:configure_user_role => false,
@ -59,6 +65,9 @@ describe 'designate::keystone::auth' do
:password => 'designate_password',
:email => 'alt_designate@alt_localhost',
:tenant => 'alt_service',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:public_url => 'https://10.10.10.10:80',
:internal_url => 'http://10.10.10.11:81',
:admin_url => 'http://10.10.10.12:81',

3
spec/classes/designate_keystone_authtoken_spec.rb
Unescape View File

@ -18,6 +18,7 @@ describe 'designate::keystone::authtoken' do
:project_name => 'services',
:user_domain_name => 'Default',
:project_domain_name => 'Default',
:system_scope => '<SERVICE DEFAULT>',
:insecure => '<SERVICE DEFAULT>',
:auth_section => '<SERVICE DEFAULT>',
:auth_type => 'password',
@ -62,6 +63,7 @@ describe 'designate::keystone::authtoken' do
:project_name => 'service_project',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:system_scope => 'all',
:insecure => false,
:auth_section => 'new_section',
:auth_type => 'password',
@ -103,6 +105,7 @@ describe 'designate::keystone::authtoken' do
:project_name => 'service_project',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:system_scope => 'all',
:insecure => false,
:auth_section => 'new_section',
:auth_type => 'password',

Write Preview
Loading…
Cancel
Save