diff --git a/manifests/api/authtoken.pp b/manifests/api/authtoken.pp
index 960bafec..45127960 100644
--- a/manifests/api/authtoken.pp
+++ b/manifests/api/authtoken.pp
@@ -28,6 +28,10 @@
 # (Optional) Name of domain for $project_name
 # Defaults to 'Default'
 #
+# [*system_scope*]
+# (Optional) Scope for system operations.
+# Defaults to $::os_service_default
+#
 # [*insecure*]
 # (Optional) If true, explicitly allow TLS without checking server cert
 # against any certificate authorities. WARNING: not recommended. Use with
@@ -198,6 +202,7 @@ class glance::api::authtoken(
 $project_name = 'services',
 $user_domain_name = 'Default',
 $project_domain_name = 'Default',
+ $system_scope = $::os_service_default,
 $insecure = $::os_service_default,
 $auth_section = $::os_service_default,
 $auth_type = 'password',
@@ -251,6 +256,7 @@ class glance::api::authtoken(
 auth_section => $auth_section,
 user_domain_name => $user_domain_name,
 project_domain_name => $project_domain_name,
+ system_scope => $system_scope,
 insecure => $insecure,
 cache => $cache,
 cafile => $cafile,
diff --git a/manifests/keystone/auth.pp b/manifests/keystone/auth.pp
index 2ea9cda6..cb7bd0e8 100644
--- a/manifests/keystone/auth.pp
+++ b/manifests/keystone/auth.pp
@@ -47,6 +47,18 @@
 # (Optional) Tenant for glance user.
 # Defaults to 'services'.
 #
+# [*roles*]
+# (Optional) List of roles assigned to glance user.
+# Defaults to ['admin']
+#
+# [*system_scope*]
+# (Optional) Scope for system operations.
+# Defaults to 'all'
+#
+# [*system_roles*]
+# (Optional) List of system roles assigned to glance user.
+# Defaults to []
+#
 # [*public_url*]
 # (0ptional) The endpoint's public url.
 # This url should *not* contain any trailing '/'.
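Review bot: The new comment for `system_scope` in the authtoken.pp hunk at -28,6 says only what the value is for, not how it relates to the project scope the same class keeps configuring through `project_name`/`project_domain_name` (still defaulting to 'services'/'Default' in the -198,6 hunk), so a deployer who sets `system_scope` ends up with both scopes declared and no hint about which one the service user's token will carry. I'd extend the comment: `# (Optional) Scope for system operations. When set, the service user is expected to authenticate with a system-scoped token; check how this interacts with $project_name before configuring both.` The same wording gap is in the limit.pp comment hunk at -30,6 for the same parameter. Which scope the underlying auth plugin prefers when both are present is not visible from this diff, so the comment should say only that they interact rather than which wins.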
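Review bot: The `roles` comment in the keystone/auth.pp -47,6 hunk says 'List of roles assigned to glance user' without naming the scope, while `system_roles` just below is explicitly system-scoped; the collector title `"${auth_name}@${tenant}"` added later in this file suggests `roles` are project-scoped assignments on `$tenant`, and with the default `['admin']` that is the broadest project-level grant, so the distinction is worth spelling out. I'd change it to `# (Optional) List of project-scoped roles assigned to the glance user in $tenant.` and give `system_scope` a sentence saying it presumably only matters when `system_roles` is non-empty, since the defaults pair `'all'` with `[]` (worth confirming against keystone::resource::service_identity, which is outside this diff).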
@@ -82,6 +94,9 @@ class glance::keystone::auth(
 $service_type = 'image',
 $region = 'RegionOne',
 $tenant = 'services',
+ $roles = ['admin'],
+ $system_scope = 'all',
+ $system_roles = [],
 $service_description = 'OpenStack Image Service',
 $public_url = 'http://127.0.0.1:9292',
 $admin_url = 'http://127.0.0.1:9292',
@@ -90,8 +105,11 @@ class glance::keystone::auth(
 
 include glance::deps
 
+ Keystone_user_role<| name == "${auth_name}@${tenant}" |> -> Anchor['glance::service::end']
+ Keystone_user_role<| name == "${auth_name}@::::${system_scope}" |> -> Anchor['glance::service::end']
+
 if $configure_endpoint {
- Keystone_endpoint["${region}/${service_name}::${service_type}"] ~> Anchor['glance::service::begin']
+ Keystone_endpoint["${region}/${service_name}::${service_type}"] -> Anchor['glance::service::end']
 }
 
 keystone::resource::service_identity { 'glance':
@@ -106,13 +124,12 @@ class glance::keystone::auth(
 password => $password,
 email => $email,
 tenant => $tenant,
+ roles => $roles,
+ system_scope => $system_scope,
+ system_roles => $system_roles,
 public_url => $public_url,
 admin_url => $admin_url,
 internal_url => $internal_url,
 }
 
- if $configure_user_role {
- Keystone_user_role["${auth_name}@${tenant}"] ~> Anchor['glance::service::begin']
- }
-
 }
diff --git a/manifests/limit.pp b/manifests/limit.pp
index 31df6dfe..1639a251 100644
--- a/manifests/limit.pp
+++ b/manifests/limit.pp
@@ -30,6 +30,10 @@
 # (Optional) Name of domain for $project_name
 # Defaults to 'Default'.
 #
+# [*system_scope*]
+# (Optional) Scope for system operations.
+# Defaults to $::os_service_default
+#
 # [*auth_type*]
 # (Optional) Authentication type to load
 # Defaults to 'password'.
@@ -59,6 +63,7 @@ class glance::limit(
 $project_name = 'services',
 $user_domain_name = 'Default',
 $project_domain_name = 'Default',
+ $system_scope = $::os_service_default,
 $auth_type = 'password',
 $service_type = $::os_service_default,
 $valid_interfaces = $::os_service_default,
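Review bot: The collector `Keystone_user_role<| name == "${auth_name}@::::${system_scope}" |>` in the -90,8 hunk depends on keystone::resource::service_identity titling its system-scoped role resource in exactly that `user@::::scope` form, and a collector that matches nothing is silently a no-op, so a title mismatch would drop the ordering to Anchor['glance::service::end'] with no catalog error. I'd add a comment above the two collectors recording the title formats they rely on, e.g. `# Title formats produced by keystone::resource::service_identity: project-scoped '<user>@<tenant>', system-scoped '<user>@::::<system_scope>'`. Note also that `<| |>` collectors realize any matching virtual resource declared elsewhere in the catalog, not just the ones this class creates, which the removed `Keystone_user_role[...]` reference inside `if $configure_user_role` did not do. The class body continues outside the hunk.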
@@ -76,6 +81,7 @@ class glance::limit(
 project_name => $project_name,
 user_domain_name => $user_domain_name,
 project_domain_name => $project_domain_name,
+ system_scope => $system_scope,
 auth_type => $auth_type,
 service_type => $service_type,
 valid_interfaces => join(any2array($valid_interfaces), ','),
diff --git a/releasenotes/notes/system_scope-keystone-386b413aa2f30362.yaml b/releasenotes/notes/system_scope-keystone-386b413aa2f30362.yaml
new file mode 100644
index 00000000..c32a47ba
--- /dev/null
+++ b/releasenotes/notes/system_scope-keystone-386b413aa2f30362.yaml
@@ -0,0 +1,17 @@
+---
+features:
+ - |
+ The ``system_scope`` parameter has been added to
+ the ``glance::keystone::authtoken`` class.
+
+ - |
+ The ``system_scope`` parameter has been added to the ``glance::limit``
+ class.
+
+ - |
+ The ``glance::keystone::auth`` class now supports customizing roles
+ assigned to the glance service user.
+
+ - |
+ The ``glance::keystone::auth`` class now supports defining assignmet of
+ system-scoped roles to the glance service user.
diff --git a/spec/classes/glance_api_authtoken_spec.rb b/spec/classes/glance_api_authtoken_spec.rb
index 34885c8e..a09ef669 100644
--- a/spec/classes/glance_api_authtoken_spec.rb
+++ b/spec/classes/glance_api_authtoken_spec.rb
@@ -18,6 +18,7 @@ describe 'glance::api::authtoken' do
 :project_name => 'services',
 :user_domain_name => 'Default',
 :project_domain_name => 'Default',
+ :system_scope => '',
 :insecure => '',
 :auth_section => '',
 :auth_type => 'password',
@@ -62,6 +63,7 @@ describe 'glance::api::authtoken' do
 :project_name => 'service_project',
 :user_domain_name => 'domainX',
 :project_domain_name => 'domainX',
+ :system_scope => 'all',
 :insecure => false,
 :auth_section => 'new_section',
 :auth_type => 'password',
@@ -103,6 +105,7 @@ describe 'glance::api::authtoken' do
 :project_name => 'service_project',
 :user_domain_name => 'domainX',
 :project_domain_name => 'domainX',
+ :system_scope => 'all',
 :insecure => false,
 :auth_section => 'new_section',
 :auth_type => 'password',
diff --git a/spec/classes/glance_keystone_auth_spec.rb b/spec/classes/glance_keystone_auth_spec.rb
index 1f29ce93..9854c1a6 100644
--- a/spec/classes/glance_keystone_auth_spec.rb
+++ b/spec/classes/glance_keystone_auth_spec.rb
@@ -23,6 +23,9 @@ describe 'glance::keystone::auth' do
 :password => 'glance_password',
 :email => 'glance@localhost',
 :tenant => 'services',
+ :roles => ['admin'],
+ :system_scope => 'all',
+ :system_roles => [],
 :public_url => 'http://127.0.0.1:9292',
 :internal_url => 'http://127.0.0.1:9292',
 :admin_url => 'http://127.0.0.1:9292',
@@ -35,6 +38,9 @@ describe 'glance::keystone::auth' do
 :auth_name => 'alt_glance',
 :email => 'alt_glance@alt_localhost',
 :tenant => 'alt_service',
+ :roles => ['admin', 'service'],
+ :system_scope => 'alt_all',
+ :system_roles => ['admin', 'member', 'reader'],
 :configure_endpoint => false,
 :configure_user => false,
 :configure_user_role => false,
@@ -59,6 +65,9 @@ describe 'glance::keystone::auth' do
 :password => 'glance_password',
 :email => 'alt_glance@alt_localhost',
 :tenant => 'alt_service',
+ :roles => ['admin', 'service'],
+ :system_scope => 'alt_all',
+ :system_roles => ['admin', 'member', 'reader'],
 :public_url => 'https://10.10.10.10:80',
 :internal_url => 'http://10.10.10.11:81',
 :admin_url => 'http://10.10.10.12:81',
diff --git a/spec/classes/glance_limit_spec.rb b/spec/classes/glance_limit_spec.rb
index f9e4f204..98bef00c 100644
--- a/spec/classes/glance_limit_spec.rb
+++ b/spec/classes/glance_limit_spec.rb
@@ -20,6 +20,7 @@ describe 'glance::limit' do
 :project_name => 'services',
 :user_domain_name => 'Default',
 :project_domain_name => 'Default',
+ :system_scope => '',
 :auth_type => 'password',
 :service_type => '',
 :valid_interfaces => '',
@@ -36,6 +37,7 @@ describe 'glance::limit' do
 :project_name => 'alt_services',
 :user_domain_name => 'domainX',
 :project_domain_name => 'domainX',
+ :system_scope => 'all',
 :auth_type => 'v3password',
 :service_type => 'identity',
 :valid_interfaces => 'public',
@@ -53,6 +55,7 @@ describe 'glance::limit' do
 :project_name => 'alt_services',
 :user_domain_name => 'domainX',
 :project_domain_name => 'domainX',
+ :system_scope => 'all',
 :auth_type => 'v3password',
 :service_type => 'identity',
 :valid_interfaces => 'public',