From d95528c4bf43a9ed5dc74675af86611f4cceaf41 Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Thu, 25 Nov 2021 18:13:28 +0900 Subject: [PATCH] Accept system scope credentials for Keystone API request This change is the first step to support secure RBAC and allows usage of system scope credentials for Keystone API request. This change covers the following two items. - assignment of system scope roles to system user - credential parameters for authtoken middleware Depends-on: https://review.opendev.org/804325 Change-Id: Id0ba4c95005d148477a313f0aa5edddc3c681e15 --- manifests/keystone/auth.pp | 25 +++++++++++++++++-- manifests/keystone/authtoken.pp | 6 +++++ ...ystem_scope-keystone-b2c230ab973bd178.yaml | 13 ++++++++++ spec/classes/designate_keystone_auth_spec.rb | 9 +++++++ .../designate_keystone_authtoken_spec.rb | 3 +++ 5 files changed, 54 insertions(+), 2 deletions(-) create mode 100644 releasenotes/notes/system_scope-keystone-b2c230ab973bd178.yaml diff --git a/manifests/keystone/auth.pp b/manifests/keystone/auth.pp index ecc6b368..eaacdc70 100644 --- a/manifests/keystone/auth.pp +++ b/manifests/keystone/auth.pp @@ -47,6 +47,18 @@ # (Optional) Tenant for designate user. # Defaults to 'services'. # +# [*roles*] +# (Optional) List of roles assigned to designate user. +# Defaults to ['admin'] +# +# [*system_scope*] +# (Optional) Scope for system operations. +# Defaults to 'all' +# +# [*system_roles*] +# (Optional) List of system roles assigned to designate user. +# Defaults to [] +# # [*public_url*] # (0ptional) The endpoint's public url. # This url should *not* contain any trailing '/'. @@ -79,6 +91,9 @@ class designate::keystone::auth ( $service_description = 'OpenStack DNSaas Service', $region = 'RegionOne', $tenant = 'services', + $roles = ['admin'], + $system_scope = 'all', + $system_roles = [], $configure_user = true, $configure_user_role = true, $configure_endpoint = true, 
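Review bot: The new parameter docs do not say where each set of roles is granted, which is the detail an operator choosing between project-scoped and system-scoped privileges actually needs. `[*roles*]` presumably lands on the `$tenant` project (the `${auth_name}@${tenant}` resource name later in this file), `[*system_roles*]` is assigned at `$system_scope` (the `${auth_name}@::::${system_scope}` name), and `system_scope` appears to have no effect while `system_roles` stays empty — confirm against keystone::resource::service_identity. I would reword them to `# (Optional) List of project-scoped roles assigned to the designate user in $tenant.`, `# (Optional) List of system-scoped roles assigned to the designate user at $system_scope; nothing is granted while this is empty.`, and add to `system_scope` that keystone currently accepts only 'all'. The parameter documentation block continues outside the hunk.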
@@ -89,8 +104,11 @@ class designate::keystone::auth ( include designate::deps - if $configure_user_role { - Keystone_user_role["${auth_name}@${tenant}"] ~> Anchor['designate::service::end'] + Keystone_user_role<| name == "${auth_name}@${tenant}" |> -> Anchor['designate::service::end'] + Keystone_user_role<| name == "${auth_name}@::::${system_scope}" |> -> Anchor['designate::service::end'] + + if $configure_endpoint { + Keystone_endpoint["${region}/${service_name}::${service_type}"] -> Anchor['designate::service::end'] } keystone::resource::service_identity { 'designate': @@ -105,6 +123,9 @@ class designate::keystone::auth ( password => $password, email => $email, tenant => $tenant, + roles => $roles, + system_scope => $system_scope, + system_roles => $system_roles, public_url => $public_url, internal_url => $internal_url, admin_url => $admin_url, diff --git a/manifests/keystone/authtoken.pp b/manifests/keystone/authtoken.pp index 8d724c81..02f45c02 100644 --- a/manifests/keystone/authtoken.pp +++ b/manifests/keystone/authtoken.pp @@ -28,6 +28,10 @@ # (Optional) Name of domain for $project_name # Defaults to 'Default' # +# [*system_scope*] +# (Optional) Scope for system operations +# Defaults to $::os_service_default +# # [*insecure*] # (Optional) If true, explicitly allow TLS without checking server cert # against any certificate authorities. WARNING: not recommended. Use with @@ -203,6 +207,7 @@ class designate::keystone::authtoken( $project_name = 'services', $user_domain_name = 'Default', $project_domain_name = 'Default', + $system_scope = $::os_service_default, $insecure = $::os_service_default, $auth_section = $::os_service_default, $auth_type = 'password', @@ -256,6 +261,7 @@ class designate::keystone::authtoken( auth_section => $auth_section, user_domain_name => $user_domain_name, project_domain_name => $project_domain_name, + system_scope => $system_scope, insecure => $insecure, cache => $cache, cafile => $cafile, 
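Review bot: The two collector lines replace the old `~>` with `->`, so a change to the user's role assignments no longer refreshes `Anchor['designate::service::end']` and whatever subscribes to it; if that is intentional because a role change needs no service restart, the commit message should say so instead of leaving it as a silent behaviour change. The collectors are no longer guarded by `$configure_user_role`, which works because a collector that matches nothing is a no-op, but that is not obvious to the next reader — I would add `# Collectors rather than direct references: the role resources may not exist (configure_user_role => false, or empty system_roles), and an unmatched collector is harmless.` above them. Note also that `<| name == ... |>` realizes any virtual Keystone_user_role of that name declared elsewhere in the catalog, which is probably harmless here but differs from the explicit reference it replaces. The class body continues on both sides of the hunk.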
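Review bot: Passing `roles` and `system_roles` together means a deployment that opts into system-scoped roles still grants the project-scoped `['admin']` default to the same service user, so enabling this does not by itself narrow the user's privileges; an operator has to override `roles` as well. That is worth a sentence in the class docs or the release note, e.g. `# When system_roles is set, consider also narrowing $roles so the service user does not keep project-scoped admin in $tenant.`. The service_identity declaration starts and ends outside the hunk, so I cannot see whether an empty `system_roles` is forwarded as-is or filtered before any role resource is declared.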
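Review bot: The new `[*system_scope*]` doc does not say how it interacts with `project_name`/`project_domain_name`, which keep their `'services'`/`'Default'` defaults a few lines below; a system scope and a project scope are mutually exclusive in keystone, and the resulting token scope is exactly what an operator needs to know here. Presumably system scope takes precedence when both are configured, but that depends on keystone::resource::authtoken and keystoneauth, which are not visible. I would expand the doc to `# (Optional) Scope for system operations. When set (keystone currently accepts only 'all'), the middleware requests a system-scoped token; confirm whether the project_* parameters are then ignored or must be unset.`. The parameter list this hunk sits in continues outside the hunk.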
diff --git a/releasenotes/notes/system_scope-keystone-b2c230ab973bd178.yaml b/releasenotes/notes/system_scope-keystone-b2c230ab973bd178.yaml new file mode 100644 index 00000000..56a08c31 --- /dev/null +++ b/releasenotes/notes/system_scope-keystone-b2c230ab973bd178.yaml @@ -0,0 +1,13 @@ +--- +features: + - | + The ``system_scope`` parameter has been added to + the ``designate::keystone::authtoken`` class. + + - | + The ``designate::keystone::auth`` class now supports customizing roles + assigned to the designate service user. + + - | + The ``designate::keystone::auth`` class now supports defining assignmet of + system-scoped roles to the designate service user. diff --git a/spec/classes/designate_keystone_auth_spec.rb b/spec/classes/designate_keystone_auth_spec.rb index b2af68ea..75c328f1 100644 --- a/spec/classes/designate_keystone_auth_spec.rb +++ b/spec/classes/designate_keystone_auth_spec.rb @@ -23,6 +23,9 @@ describe 'designate::keystone::auth' do :password => 'designate_password', :email => 'designate@localhost', :tenant => 'services', + :roles => ['admin'], + :system_scope => 'all', + :system_roles => [], :public_url => 'http://127.0.0.1:9001', :internal_url => 'http://127.0.0.1:9001', :admin_url => 'http://127.0.0.1:9001', @@ -35,6 +38,9 @@ describe 'designate::keystone::auth' do :auth_name => 'alt_designate', :email => 'alt_designate@alt_localhost', :tenant => 'alt_service', + :roles => ['admin', 'service'], + :system_scope => 'alt_all', + :system_roles => ['admin', 'member', 'reader'], :configure_endpoint => false, :configure_user => false, :configure_user_role => false, 
@@ -59,6 +65,9 @@ describe 'designate::keystone::auth' do :password => 'designate_password', :email => 'alt_designate@alt_localhost', :tenant => 'alt_service', + :roles => ['admin', 'service'], + :system_scope => 'alt_all', + :system_roles => ['admin', 'member', 'reader'], :public_url => 'https://10.10.10.10:80', :internal_url => 'http://10.10.10.11:81', :admin_url => 'http://10.10.10.12:81', diff --git a/spec/classes/designate_keystone_authtoken_spec.rb b/spec/classes/designate_keystone_authtoken_spec.rb index 9fcf9f45..c4541af1 100644 --- a/spec/classes/designate_keystone_authtoken_spec.rb +++ b/spec/classes/designate_keystone_authtoken_spec.rb @@ -18,6 +18,7 @@ describe 'designate::keystone::authtoken' do :project_name => 'services', :user_domain_name => 'Default', :project_domain_name => 'Default', + :system_scope => '', :insecure => '', :auth_section => '', :auth_type => 'password', @@ -62,6 +63,7 @@ describe 'designate::keystone::authtoken' do :project_name => 'service_project', :user_domain_name => 'domainX', :project_domain_name => 'domainX', + :system_scope => 'all', :insecure => false, :auth_section => 'new_section', :auth_type => 'password', @@ -103,6 +105,7 @@ describe 'designate::keystone::authtoken' do :project_name => 'service_project', :user_domain_name => 'domainX', :project_domain_name => 'domainX', + :system_scope => 'all', :insecure => false, :auth_section => 'new_section', :auth_type => 'password',
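Review bot: The expectations in this hunk only check that `roles`, `system_scope` and `system_roles` are forwarded to `keystone::resource::service_identity`; nothing visible exercises the new ordering in manifests/keystone/auth.pp, i.e. that the `${auth_name}@::::${system_scope}` role and the endpoint come before `Anchor['designate::service::end']`, nor that nothing is collected when `configure_user_role` is false. Unless such a case lives outside the hunk, I would add one to the default-parameter context with `system_roles => ['admin']`, e.g. `it { is_expected.to contain_keystone_user_role('designate@::::all').that_comes_before('Anchor[designate::service::end]') }` (assuming `auth_name` defaults to 'designate'). The enclosing `context` block continues outside the hunk.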