Accept system scope credentials for Keystone API request

This change is the first step to support secure RBAC and allows usage of system scope credentials for Keystone API request. This change covers the following two items. - assignment of system scope roles to system user - credential parameters for authtoken middleware Depends-on: https://review.opendev.org/804325 Change-Id: Id0ba4c95005d148477a313f0aa5edddc3c681e15
2021-11-25 18:13:28 +09:00 · 2021-11-25 18:13:28 +09:00 · d95528c4bf
parent e1cba4a002
commit d95528c4bf
5 changed files with 54 additions and 2 deletions
--- a/manifests/keystone/auth.pp
+++ b/manifests/keystone/auth.pp
@ -47,6 +47,18 @@
 #   (Optional) Tenant for designate user.
 #   Defaults to 'services'.
 #
+# [*roles*]
+#   (Optional) List of roles assigned to designate user.
+#   Defaults to ['admin']
+#
+# [*system_scope*]
+#   (Optional) Scope for system operations.
+#   Defaults to 'all'
+#
+# [*system_roles*]
+#   (Optional) List of system roles assigned to designate user.
+#   Defaults to []
+#
 # [*public_url*]
 #   (0ptional) The endpoint's public url.
 #   This url should *not* contain any trailing '/'.
@ -79,6 +91,9 @@ class designate::keystone::auth (
  $service_description = 'OpenStack DNSaas Service',
  $region              = 'RegionOne',
  $tenant              = 'services',
+  $roles               = ['admin'],
+  $system_scope        = 'all',
+  $system_roles        = [],
  $configure_user      = true,
  $configure_user_role = true,
  $configure_endpoint  = true,
@ -89,8 +104,11 @@ class designate::keystone::auth (

  include designate::deps

-  if $configure_user_role {
-    Keystone_user_role["${auth_name}@${tenant}"] ~> Anchor['designate::service::end']
+  Keystone_user_role<| name == "${auth_name}@${tenant}" |> -> Anchor['designate::service::end']
+  Keystone_user_role<| name == "${auth_name}@::::${system_scope}" |> -> Anchor['designate::service::end']
+
+  if $configure_endpoint {
+    Keystone_endpoint["${region}/${service_name}::${service_type}"] -> Anchor['designate::service::end']
  }

  keystone::resource::service_identity { 'designate':
@ -105,6 +123,9 @@ class designate::keystone::auth (
    password            => $password,
    email               => $email,
    tenant              => $tenant,
+    roles               => $roles,
+    system_scope        => $system_scope,
+    system_roles        => $system_roles,
    public_url          => $public_url,
    internal_url        => $internal_url,
    admin_url           => $admin_url,
--- a/manifests/keystone/authtoken.pp
+++ b/manifests/keystone/authtoken.pp
@ -28,6 +28,10 @@
 #   (Optional) Name of domain for $project_name
 #   Defaults to 'Default'
 #
+# [*system_scope*]
+#   (Optional) Scope for system operations
+#   Defaults to $::os_service_default
+#
 # [*insecure*]
 #  (Optional) If true, explicitly allow TLS without checking server cert
 #  against any certificate authorities.  WARNING: not recommended.  Use with
@ -203,6 +207,7 @@ class designate::keystone::authtoken(
  $project_name                   = 'services',
  $user_domain_name               = 'Default',
  $project_domain_name            = 'Default',
+  $system_scope                   = $::os_service_default,
  $insecure                       = $::os_service_default,
  $auth_section                   = $::os_service_default,
  $auth_type                      = 'password',
@ -256,6 +261,7 @@ class designate::keystone::authtoken(
      auth_section                   => $auth_section,
      user_domain_name               => $user_domain_name,
      project_domain_name            => $project_domain_name,
+      system_scope                   => $system_scope,
      insecure                       => $insecure,
      cache                          => $cache,
      cafile                         => $cafile,
--- a/releasenotes/notes/system_scope-keystone-b2c230ab973bd178.yaml
+++ b/releasenotes/notes/system_scope-keystone-b2c230ab973bd178.yaml
@ -0,0 +1,13 @@
+---
+features:
+  - |
+    The ``system_scope`` parameter has been added to
+    the ``designate::keystone::authtoken`` class.
+
+  - |
+    The ``designate::keystone::auth`` class now supports customizing roles
+    assigned to the designate service user.
+
+  - |
+    The ``designate::keystone::auth`` class now supports defining assignmet of
+    system-scoped roles to the designate service user.
--- a/spec/classes/designate_keystone_auth_spec.rb
+++ b/spec/classes/designate_keystone_auth_spec.rb
@ -23,6 +23,9 @@ describe 'designate::keystone::auth' do
        :password            => 'designate_password',
        :email               => 'designate@localhost',
        :tenant              => 'services',
+        :roles               => ['admin'],
+        :system_scope        => 'all',
+        :system_roles        => [],
        :public_url          => 'http://127.0.0.1:9001',
        :internal_url        => 'http://127.0.0.1:9001',
        :admin_url           => 'http://127.0.0.1:9001',
@ -35,6 +38,9 @@ describe 'designate::keystone::auth' do
          :auth_name           => 'alt_designate',
          :email               => 'alt_designate@alt_localhost',
          :tenant              => 'alt_service',
+          :roles               => ['admin', 'service'],
+          :system_scope        => 'alt_all',
+          :system_roles        => ['admin', 'member', 'reader'],
          :configure_endpoint  => false,
          :configure_user      => false,
          :configure_user_role => false,
@ -59,6 +65,9 @@ describe 'designate::keystone::auth' do
        :password            => 'designate_password',
        :email               => 'alt_designate@alt_localhost',
        :tenant              => 'alt_service',
+        :roles               => ['admin', 'service'],
+        :system_scope        => 'alt_all',
+        :system_roles        => ['admin', 'member', 'reader'],
        :public_url          => 'https://10.10.10.10:80',
        :internal_url        => 'http://10.10.10.11:81',
        :admin_url           => 'http://10.10.10.12:81',
--- a/spec/classes/designate_keystone_authtoken_spec.rb
+++ b/spec/classes/designate_keystone_authtoken_spec.rb
@ -18,6 +18,7 @@ describe 'designate::keystone::authtoken' do
          :project_name                   => 'services',
          :user_domain_name               => 'Default',
          :project_domain_name            => 'Default',
+          :system_scope                   => '<SERVICE DEFAULT>',
          :insecure                       => '<SERVICE DEFAULT>',
          :auth_section                   => '<SERVICE DEFAULT>',
          :auth_type                      => 'password',
@ -62,6 +63,7 @@ describe 'designate::keystone::authtoken' do
          :project_name                   => 'service_project',
          :user_domain_name               => 'domainX',
          :project_domain_name            => 'domainX',
+          :system_scope                   => 'all',
          :insecure                       => false,
          :auth_section                   => 'new_section',
          :auth_type                      => 'password',
@ -103,6 +105,7 @@ describe 'designate::keystone::authtoken' do
          :project_name                   => 'service_project',
          :user_domain_name               => 'domainX',
          :project_domain_name            => 'domainX',
+          :system_scope                   => 'all',
          :insecure                       => false,
          :auth_section                   => 'new_section',
          :auth_type                      => 'password',