Browse Source

Merge "Accept system scope credentials for Keystone API request"

changes/85/823885/2
Zuul 4 months ago committed by Gerrit Code Review
parent
commit
467193413d
  1. 6
      manifests/api/authtoken.pp
  2. 27
      manifests/keystone/auth.pp
  3. 6
      manifests/limit.pp
  4. 17
      releasenotes/notes/system_scope-keystone-386b413aa2f30362.yaml
  5. 3
      spec/classes/glance_api_authtoken_spec.rb
  6. 9
      spec/classes/glance_keystone_auth_spec.rb
  7. 3
      spec/classes/glance_limit_spec.rb

6
manifests/api/authtoken.pp

@ -28,6 +28,10 @@
# (Optional) Name of domain for $project_name
# Defaults to 'Default'
#
# [*system_scope*]
# (Optional) Scope for system operations.
# Defaults to $::os_service_default
#
# [*insecure*]
# (Optional) If true, explicitly allow TLS without checking server cert
# against any certificate authorities. WARNING: not recommended. Use with
@ -198,6 +202,7 @@ class glance::api::authtoken(
$project_name = 'services',
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$system_scope = $::os_service_default,
$insecure = $::os_service_default,
$auth_section = $::os_service_default,
$auth_type = 'password',
@ -251,6 +256,7 @@ class glance::api::authtoken(
auth_section => $auth_section,
user_domain_name => $user_domain_name,
project_domain_name => $project_domain_name,
system_scope => $system_scope,
insecure => $insecure,
cache => $cache,
cafile => $cafile,

27
manifests/keystone/auth.pp

@ -47,6 +47,18 @@
# (Optional) Tenant for glance user.
# Defaults to 'services'.
#
# [*roles*]
# (Optional) List of roles assigned to glance user.
# Defaults to ['admin']
#
# [*system_scope*]
# (Optional) Scope for system operations.
# Defaults to 'all'
#
# [*system_roles*]
# (Optional) List of system roles assigned to glance user.
# Defaults to []
#
# [*public_url*]
# (0ptional) The endpoint's public url.
# This url should *not* contain any trailing '/'.
@ -82,6 +94,9 @@ class glance::keystone::auth(
$service_type = 'image',
$region = 'RegionOne',
$tenant = 'services',
$roles = ['admin'],
$system_scope = 'all',
$system_roles = [],
$service_description = 'OpenStack Image Service',
$public_url = 'http://127.0.0.1:9292',
$admin_url = 'http://127.0.0.1:9292',
@ -90,8 +105,11 @@ class glance::keystone::auth(
include glance::deps
Keystone_user_role<| name == "${auth_name}@${tenant}" |> -> Anchor['glance::service::end']
Keystone_user_role<| name == "${auth_name}@::::${system_scope}" |> -> Anchor['glance::service::end']
if $configure_endpoint {
Keystone_endpoint["${region}/${service_name}::${service_type}"] ~> Anchor['glance::service::begin']
Keystone_endpoint["${region}/${service_name}::${service_type}"] -> Anchor['glance::service::end']
}
keystone::resource::service_identity { 'glance':
@ -106,13 +124,12 @@ class glance::keystone::auth(
password => $password,
email => $email,
tenant => $tenant,
roles => $roles,
system_scope => $system_scope,
system_roles => $system_roles,
public_url => $public_url,
admin_url => $admin_url,
internal_url => $internal_url,
}
if $configure_user_role {
Keystone_user_role["${auth_name}@${tenant}"] ~> Anchor['glance::service::begin']
}
}

6
manifests/limit.pp

@ -30,6 +30,10 @@
# (Optional) Name of domain for $project_name
# Defaults to 'Default'.
#
# [*system_scope*]
# (Optional) Scope for system operations.
# Defaults to $::os_service_default
#
# [*auth_type*]
# (Optional) Authentication type to load
# Defaults to 'password'.
@ -59,6 +63,7 @@ class glance::limit(
$project_name = 'services',
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$system_scope = $::os_service_default,
$auth_type = 'password',
$service_type = $::os_service_default,
$valid_interfaces = $::os_service_default,
@ -76,6 +81,7 @@ class glance::limit(
project_name => $project_name,
user_domain_name => $user_domain_name,
project_domain_name => $project_domain_name,
system_scope => $system_scope,
auth_type => $auth_type,
service_type => $service_type,
valid_interfaces => join(any2array($valid_interfaces), ','),

17
releasenotes/notes/system_scope-keystone-386b413aa2f30362.yaml

@ -0,0 +1,17 @@
---
features:
- |
The ``system_scope`` parameter has been added to
the ``glance::keystone::authtoken`` class.
- |
The ``system_scope`` parameter has been added to the ``glance::limit``
class.
- |
The ``glance::keystone::auth`` class now supports customizing roles
assigned to the glance service user.
- |
The ``glance::keystone::auth`` class now supports defining assignmet of
system-scoped roles to the glance service user.

3
spec/classes/glance_api_authtoken_spec.rb

@ -18,6 +18,7 @@ describe 'glance::api::authtoken' do
:project_name => 'services',
:user_domain_name => 'Default',
:project_domain_name => 'Default',
:system_scope => '<SERVICE DEFAULT>',
:insecure => '<SERVICE DEFAULT>',
:auth_section => '<SERVICE DEFAULT>',
:auth_type => 'password',
@ -62,6 +63,7 @@ describe 'glance::api::authtoken' do
:project_name => 'service_project',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:system_scope => 'all',
:insecure => false,
:auth_section => 'new_section',
:auth_type => 'password',
@ -103,6 +105,7 @@ describe 'glance::api::authtoken' do
:project_name => 'service_project',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:system_scope => 'all',
:insecure => false,
:auth_section => 'new_section',
:auth_type => 'password',

9
spec/classes/glance_keystone_auth_spec.rb

@ -23,6 +23,9 @@ describe 'glance::keystone::auth' do
:password => 'glance_password',
:email => 'glance@localhost',
:tenant => 'services',
:roles => ['admin'],
:system_scope => 'all',
:system_roles => [],
:public_url => 'http://127.0.0.1:9292',
:internal_url => 'http://127.0.0.1:9292',
:admin_url => 'http://127.0.0.1:9292',
@ -35,6 +38,9 @@ describe 'glance::keystone::auth' do
:auth_name => 'alt_glance',
:email => 'alt_glance@alt_localhost',
:tenant => 'alt_service',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:configure_endpoint => false,
:configure_user => false,
:configure_user_role => false,
@ -59,6 +65,9 @@ describe 'glance::keystone::auth' do
:password => 'glance_password',
:email => 'alt_glance@alt_localhost',
:tenant => 'alt_service',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:public_url => 'https://10.10.10.10:80',
:internal_url => 'http://10.10.10.11:81',
:admin_url => 'http://10.10.10.12:81',

3
spec/classes/glance_limit_spec.rb

@ -20,6 +20,7 @@ describe 'glance::limit' do
:project_name => 'services',
:user_domain_name => 'Default',
:project_domain_name => 'Default',
:system_scope => '<SERVICE DEFAULT>',
:auth_type => 'password',
:service_type => '<SERVICE DEFAULT>',
:valid_interfaces => '<SERVICE DEFAULT>',
@ -36,6 +37,7 @@ describe 'glance::limit' do
:project_name => 'alt_services',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:system_scope => 'all',
:auth_type => 'v3password',
:service_type => 'identity',
:valid_interfaces => 'public',
@ -53,6 +55,7 @@ describe 'glance::limit' do
:project_name => 'alt_services',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:system_scope => 'all',
:auth_type => 'v3password',
:service_type => 'identity',
:valid_interfaces => 'public',

Loading…
Cancel
Save