Accept system scope credentials for Keystone API request
This change is the first step to support secure RBAC and allows usage of system scope credentials for Keystone API request. This change covers the following three items. - assignment of system scope roles to system user - credential parameters for authtoken middleware - credential parameters for oslo.limit library Note that the credential parameters for authtoken middleware are used in some providers, and these providers still require a project scope credential. This will be fixed by the subsequent change. Depends-on: https://review.opendev.org/804325 Depends-on: https://review.opendev.org/823629 Change-Id: Ic7682993b341a7d45b0957f102f5c3dbd52f9043
This commit is contained in:
parent
935a76140e
commit
27db72f4a0
|
@ -28,6 +28,10 @@
|
|||
# (Optional) Name of domain for $project_name
|
||||
# Defaults to 'Default'
|
||||
#
|
||||
# [*system_scope*]
|
||||
# (Optional) Scope for system operations.
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*insecure*]
|
||||
# (Optional) If true, explicitly allow TLS without checking server cert
|
||||
# against any certificate authorities. WARNING: not recommended. Use with
|
||||
|
@ -198,6 +202,7 @@ class glance::api::authtoken(
|
|||
$project_name = 'services',
|
||||
$user_domain_name = 'Default',
|
||||
$project_domain_name = 'Default',
|
||||
$system_scope = $::os_service_default,
|
||||
$insecure = $::os_service_default,
|
||||
$auth_section = $::os_service_default,
|
||||
$auth_type = 'password',
|
||||
|
@ -251,6 +256,7 @@ class glance::api::authtoken(
|
|||
auth_section => $auth_section,
|
||||
user_domain_name => $user_domain_name,
|
||||
project_domain_name => $project_domain_name,
|
||||
system_scope => $system_scope,
|
||||
insecure => $insecure,
|
||||
cache => $cache,
|
||||
cafile => $cafile,
|
||||
|
|
|
@ -47,6 +47,18 @@
|
|||
# (Optional) Tenant for glance user.
|
||||
# Defaults to 'services'.
|
||||
#
|
||||
# [*roles*]
|
||||
# (Optional) List of roles assigned to glance user.
|
||||
# Defaults to ['admin']
|
||||
#
|
||||
# [*system_scope*]
|
||||
# (Optional) Scope for system operations.
|
||||
# Defaults to 'all'
|
||||
#
|
||||
# [*system_roles*]
|
||||
# (Optional) List of system roles assigned to glance user.
|
||||
# Defaults to []
|
||||
#
|
||||
# [*public_url*]
|
||||
# (0ptional) The endpoint's public url.
|
||||
# This url should *not* contain any trailing '/'.
|
||||
|
@ -82,6 +94,9 @@ class glance::keystone::auth(
|
|||
$service_type = 'image',
|
||||
$region = 'RegionOne',
|
||||
$tenant = 'services',
|
||||
$roles = ['admin'],
|
||||
$system_scope = 'all',
|
||||
$system_roles = [],
|
||||
$service_description = 'OpenStack Image Service',
|
||||
$public_url = 'http://127.0.0.1:9292',
|
||||
$admin_url = 'http://127.0.0.1:9292',
|
||||
|
@ -90,8 +105,11 @@ class glance::keystone::auth(
|
|||
|
||||
include glance::deps
|
||||
|
||||
Keystone_user_role<| name == "${auth_name}@${tenant}" |> -> Anchor['glance::service::end']
|
||||
Keystone_user_role<| name == "${auth_name}@::::${system_scope}" |> -> Anchor['glance::service::end']
|
||||
|
||||
if $configure_endpoint {
|
||||
Keystone_endpoint["${region}/${service_name}::${service_type}"] ~> Anchor['glance::service::begin']
|
||||
Keystone_endpoint["${region}/${service_name}::${service_type}"] -> Anchor['glance::service::end']
|
||||
}
|
||||
|
||||
keystone::resource::service_identity { 'glance':
|
||||
|
@ -106,13 +124,12 @@ class glance::keystone::auth(
|
|||
password => $password,
|
||||
email => $email,
|
||||
tenant => $tenant,
|
||||
roles => $roles,
|
||||
system_scope => $system_scope,
|
||||
system_roles => $system_roles,
|
||||
public_url => $public_url,
|
||||
admin_url => $admin_url,
|
||||
internal_url => $internal_url,
|
||||
}
|
||||
|
||||
if $configure_user_role {
|
||||
Keystone_user_role["${auth_name}@${tenant}"] ~> Anchor['glance::service::begin']
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
@ -30,6 +30,10 @@
|
|||
# (Optional) Name of domain for $project_name
|
||||
# Defaults to 'Default'.
|
||||
#
|
||||
# [*system_scope*]
|
||||
# (Optional) Scope for system operations.
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*auth_type*]
|
||||
# (Optional) Authentication type to load
|
||||
# Defaults to 'password'.
|
||||
|
@ -59,6 +63,7 @@ class glance::limit(
|
|||
$project_name = 'services',
|
||||
$user_domain_name = 'Default',
|
||||
$project_domain_name = 'Default',
|
||||
$system_scope = $::os_service_default,
|
||||
$auth_type = 'password',
|
||||
$service_type = $::os_service_default,
|
||||
$valid_interfaces = $::os_service_default,
|
||||
|
@ -76,6 +81,7 @@ class glance::limit(
|
|||
project_name => $project_name,
|
||||
user_domain_name => $user_domain_name,
|
||||
project_domain_name => $project_domain_name,
|
||||
system_scope => $system_scope,
|
||||
auth_type => $auth_type,
|
||||
service_type => $service_type,
|
||||
valid_interfaces => join(any2array($valid_interfaces), ','),
|
||||
|
|
|
@ -0,0 +1,17 @@
|
|||
---
|
||||
features:
|
||||
- |
|
||||
The ``system_scope`` parameter has been added to
|
||||
the ``glance::keystone::authtoken`` class.
|
||||
|
||||
- |
|
||||
The ``system_scope`` parameter has been added to the ``glance::limit``
|
||||
class.
|
||||
|
||||
- |
|
||||
The ``glance::keystone::auth`` class now supports customizing roles
|
||||
assigned to the glance service user.
|
||||
|
||||
- |
|
||||
The ``glance::keystone::auth`` class now supports defining assignmet of
|
||||
system-scoped roles to the glance service user.
|
|
@ -18,6 +18,7 @@ describe 'glance::api::authtoken' do
|
|||
:project_name => 'services',
|
||||
:user_domain_name => 'Default',
|
||||
:project_domain_name => 'Default',
|
||||
:system_scope => '<SERVICE DEFAULT>',
|
||||
:insecure => '<SERVICE DEFAULT>',
|
||||
:auth_section => '<SERVICE DEFAULT>',
|
||||
:auth_type => 'password',
|
||||
|
@ -62,6 +63,7 @@ describe 'glance::api::authtoken' do
|
|||
:project_name => 'service_project',
|
||||
:user_domain_name => 'domainX',
|
||||
:project_domain_name => 'domainX',
|
||||
:system_scope => 'all',
|
||||
:insecure => false,
|
||||
:auth_section => 'new_section',
|
||||
:auth_type => 'password',
|
||||
|
@ -103,6 +105,7 @@ describe 'glance::api::authtoken' do
|
|||
:project_name => 'service_project',
|
||||
:user_domain_name => 'domainX',
|
||||
:project_domain_name => 'domainX',
|
||||
:system_scope => 'all',
|
||||
:insecure => false,
|
||||
:auth_section => 'new_section',
|
||||
:auth_type => 'password',
|
||||
|
|
|
@ -23,6 +23,9 @@ describe 'glance::keystone::auth' do
|
|||
:password => 'glance_password',
|
||||
:email => 'glance@localhost',
|
||||
:tenant => 'services',
|
||||
:roles => ['admin'],
|
||||
:system_scope => 'all',
|
||||
:system_roles => [],
|
||||
:public_url => 'http://127.0.0.1:9292',
|
||||
:internal_url => 'http://127.0.0.1:9292',
|
||||
:admin_url => 'http://127.0.0.1:9292',
|
||||
|
@ -35,6 +38,9 @@ describe 'glance::keystone::auth' do
|
|||
:auth_name => 'alt_glance',
|
||||
:email => 'alt_glance@alt_localhost',
|
||||
:tenant => 'alt_service',
|
||||
:roles => ['admin', 'service'],
|
||||
:system_scope => 'alt_all',
|
||||
:system_roles => ['admin', 'member', 'reader'],
|
||||
:configure_endpoint => false,
|
||||
:configure_user => false,
|
||||
:configure_user_role => false,
|
||||
|
@ -59,6 +65,9 @@ describe 'glance::keystone::auth' do
|
|||
:password => 'glance_password',
|
||||
:email => 'alt_glance@alt_localhost',
|
||||
:tenant => 'alt_service',
|
||||
:roles => ['admin', 'service'],
|
||||
:system_scope => 'alt_all',
|
||||
:system_roles => ['admin', 'member', 'reader'],
|
||||
:public_url => 'https://10.10.10.10:80',
|
||||
:internal_url => 'http://10.10.10.11:81',
|
||||
:admin_url => 'http://10.10.10.12:81',
|
||||
|
|
|
@ -20,6 +20,7 @@ describe 'glance::limit' do
|
|||
:project_name => 'services',
|
||||
:user_domain_name => 'Default',
|
||||
:project_domain_name => 'Default',
|
||||
:system_scope => '<SERVICE DEFAULT>',
|
||||
:auth_type => 'password',
|
||||
:service_type => '<SERVICE DEFAULT>',
|
||||
:valid_interfaces => '<SERVICE DEFAULT>',
|
||||
|
@ -36,6 +37,7 @@ describe 'glance::limit' do
|
|||
:project_name => 'alt_services',
|
||||
:user_domain_name => 'domainX',
|
||||
:project_domain_name => 'domainX',
|
||||
:system_scope => 'all',
|
||||
:auth_type => 'v3password',
|
||||
:service_type => 'identity',
|
||||
:valid_interfaces => 'public',
|
||||
|
@ -53,6 +55,7 @@ describe 'glance::limit' do
|
|||
:project_name => 'alt_services',
|
||||
:user_domain_name => 'domainX',
|
||||
:project_domain_name => 'domainX',
|
||||
:system_scope => 'all',
|
||||
:auth_type => 'v3password',
|
||||
:service_type => 'identity',
|
||||
:valid_interfaces => 'public',
|
||||
|
|
Loading…
Reference in New Issue