openstack
/
puppet-glance
Code Issues Proposed changes
Browse Source

Merge "Accept system scope credentials for Keystone API request"

changes/85/823885/2
Zuul 4 months ago committed by Gerrit Code Review
parent
4e918a748b 27db72f4a0
commit
467193413d
7 changed files with 66 additions and 5 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 6
      manifests/api/authtoken.pp
  2. 27
      manifests/keystone/auth.pp
  3. 6
      manifests/limit.pp
  4. 17
      releasenotes/notes/system_scope-keystone-386b413aa2f30362.yaml
  5. 3
      spec/classes/glance_api_authtoken_spec.rb
  6. 9
      spec/classes/glance_keystone_auth_spec.rb
  7. 3
      spec/classes/glance_limit_spec.rb

6
manifests/api/authtoken.pp
Unescape View File

@ -28,6 +28,10 @@
# (Optional) Name of domain for $project_name
# Defaults to 'Default'
#
# [*system_scope*]
# (Optional) Scope for system operations.
# Defaults to $::os_service_default
#
# [*insecure*]
# (Optional) If true, explicitly allow TLS without checking server cert
# against any certificate authorities. WARNING: not recommended. Use with
@ -198,6 +202,7 @@ class glance::api::authtoken(
$project_name = 'services',
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$system_scope = $::os_service_default,
$insecure = $::os_service_default,
$auth_section = $::os_service_default,
$auth_type = 'password',
@ -251,6 +256,7 @@ class glance::api::authtoken(
auth_section => $auth_section,
user_domain_name => $user_domain_name,
project_domain_name => $project_domain_name,
system_scope => $system_scope,
insecure => $insecure,
cache => $cache,
cafile => $cafile,

27
manifests/keystone/auth.pp
Unescape View File

@ -47,6 +47,18 @@
# (Optional) Tenant for glance user.
# Defaults to 'services'.
#
# [*roles*]
# (Optional) List of roles assigned to glance user.
# Defaults to ['admin']
#
# [*system_scope*]
# (Optional) Scope for system operations.
# Defaults to 'all'
#
# [*system_roles*]
# (Optional) List of system roles assigned to glance user.
# Defaults to []
#
# [*public_url*]
# (0ptional) The endpoint's public url.
# This url should *not* contain any trailing '/'.
@ -82,6 +94,9 @@ class glance::keystone::auth(
$service_type = 'image',
$region = 'RegionOne',
$tenant = 'services',
$roles = ['admin'],
$system_scope = 'all',
$system_roles = [],
$service_description = 'OpenStack Image Service',
$public_url = 'http://127.0.0.1:9292',
$admin_url = 'http://127.0.0.1:9292',
@ -90,8 +105,11 @@ class glance::keystone::auth(
include glance::deps
Keystone_user_role<| name == "${auth_name}@${tenant}" |> -> Anchor['glance::service::end']
Keystone_user_role<| name == "${auth_name}@::::${system_scope}" |> -> Anchor['glance::service::end']
if $configure_endpoint {
Keystone_endpoint["${region}/${service_name}::${service_type}"] ~> Anchor['glance::service::begin']
Keystone_endpoint["${region}/${service_name}::${service_type}"] -> Anchor['glance::service::end']
}
keystone::resource::service_identity { 'glance':
@ -106,13 +124,12 @@ class glance::keystone::auth(
password => $password,
email => $email,
tenant => $tenant,
roles => $roles,
system_scope => $system_scope,
system_roles => $system_roles,
public_url => $public_url,
admin_url => $admin_url,
internal_url => $internal_url,
}
if $configure_user_role {
Keystone_user_role["${auth_name}@${tenant}"] ~> Anchor['glance::service::begin']
}
}

6
manifests/limit.pp
Unescape View File

@ -30,6 +30,10 @@
# (Optional) Name of domain for $project_name
# Defaults to 'Default'.
#
# [*system_scope*]
# (Optional) Scope for system operations.
# Defaults to $::os_service_default
#
# [*auth_type*]
# (Optional) Authentication type to load
# Defaults to 'password'.
@ -59,6 +63,7 @@ class glance::limit(
$project_name = 'services',
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$system_scope = $::os_service_default,
$auth_type = 'password',
$service_type = $::os_service_default,
$valid_interfaces = $::os_service_default,
@ -76,6 +81,7 @@ class glance::limit(
project_name => $project_name,
user_domain_name => $user_domain_name,
project_domain_name => $project_domain_name,
system_scope => $system_scope,
auth_type => $auth_type,
service_type => $service_type,
valid_interfaces => join(any2array($valid_interfaces), ','),

17
releasenotes/notes/system_scope-keystone-386b413aa2f30362.yaml
Unescape View File

@ -0,0 +1,17 @@
---
features:
- |
The ``system_scope`` parameter has been added to
the ``glance::keystone::authtoken`` class.
- |
The ``system_scope`` parameter has been added to the ``glance::limit``
class.
- |
The ``glance::keystone::auth`` class now supports customizing roles
assigned to the glance service user.
- |
The ``glance::keystone::auth`` class now supports defining assignmet of
system-scoped roles to the glance service user.

3
spec/classes/glance_api_authtoken_spec.rb
Unescape View File

@ -18,6 +18,7 @@ describe 'glance::api::authtoken' do
:project_name => 'services',
:user_domain_name => 'Default',
:project_domain_name => 'Default',
:system_scope => '<SERVICE DEFAULT>',
:insecure => '<SERVICE DEFAULT>',
:auth_section => '<SERVICE DEFAULT>',
:auth_type => 'password',
@ -62,6 +63,7 @@ describe 'glance::api::authtoken' do
:project_name => 'service_project',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:system_scope => 'all',
:insecure => false,
:auth_section => 'new_section',
:auth_type => 'password',
@ -103,6 +105,7 @@ describe 'glance::api::authtoken' do
:project_name => 'service_project',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:system_scope => 'all',
:insecure => false,
:auth_section => 'new_section',
:auth_type => 'password',

9
spec/classes/glance_keystone_auth_spec.rb
Unescape View File

@ -23,6 +23,9 @@ describe 'glance::keystone::auth' do
:password => 'glance_password',
:email => 'glance@localhost',
:tenant => 'services',
:roles => ['admin'],
:system_scope => 'all',
:system_roles => [],
:public_url => 'http://127.0.0.1:9292',
:internal_url => 'http://127.0.0.1:9292',
:admin_url => 'http://127.0.0.1:9292',
@ -35,6 +38,9 @@ describe 'glance::keystone::auth' do
:auth_name => 'alt_glance',
:email => 'alt_glance@alt_localhost',
:tenant => 'alt_service',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:configure_endpoint => false,
:configure_user => false,
:configure_user_role => false,
@ -59,6 +65,9 @@ describe 'glance::keystone::auth' do
:password => 'glance_password',
:email => 'alt_glance@alt_localhost',
:tenant => 'alt_service',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:public_url => 'https://10.10.10.10:80',
:internal_url => 'http://10.10.10.11:81',
:admin_url => 'http://10.10.10.12:81',

3
spec/classes/glance_limit_spec.rb
Unescape View File

@ -20,6 +20,7 @@ describe 'glance::limit' do
:project_name => 'services',
:user_domain_name => 'Default',
:project_domain_name => 'Default',
:system_scope => '<SERVICE DEFAULT>',
:auth_type => 'password',
:service_type => '<SERVICE DEFAULT>',
:valid_interfaces => '<SERVICE DEFAULT>',
@ -36,6 +37,7 @@ describe 'glance::limit' do
:project_name => 'alt_services',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:system_scope => 'all',
:auth_type => 'v3password',
:service_type => 'identity',
:valid_interfaces => 'public',
@ -53,6 +55,7 @@ describe 'glance::limit' do
:project_name => 'alt_services',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:system_scope => 'all',
:auth_type => 'v3password',
:service_type => 'identity',
:valid_interfaces => 'public',

Write Preview
Loading…
Cancel
Save