Accept system scope credentials for Keystone API request

This change is the first step to support secure RBAC and allows usage
of system scope credentials for Keystone API request.

This change covers the following two items.
 - assignment of system scope roles to system user
 - credential parameters for authtoken middleware

Depends-on: https://review.opendev.org/804325
Change-Id: Ifbe407233c0739038f23c645f2bd544a409bb1cd
This commit is contained in:
Takashi Kajinami 2021-11-25 18:58:56 +09:00
parent 5a3035d9eb
commit f3c8731fcd
5 changed files with 56 additions and 0 deletions

View File

@ -19,6 +19,18 @@
# (Optional) Tenant for gnocchi user. # (Optional) Tenant for gnocchi user.
# Defaults to 'services'. # Defaults to 'services'.
# #
# [*roles*]
# (Optional) List of roles assigned to gnocchi user.
# Defaults to ['admin']
#
# [*system_scope*]
# (Optional) Scope for system operations.
# Defaults to 'all'
#
# [*system_roles*]
# (Optional) List of system roles assigned to gnocchi user.
# Defaults to []
#
# [*configure_endpoint*] # [*configure_endpoint*]
# (Optional) Should gnocchi endpoint be configured? # (Optional) Should gnocchi endpoint be configured?
# Defaults to true # Defaults to true
@ -67,6 +79,9 @@ class gnocchi::keystone::auth (
$auth_name = 'gnocchi', $auth_name = 'gnocchi',
$email = 'gnocchi@localhost', $email = 'gnocchi@localhost',
$tenant = 'services', $tenant = 'services',
$roles = ['admin'],
$system_scope = 'all',
$system_roles = [],
$configure_endpoint = true, $configure_endpoint = true,
$configure_user = true, $configure_user = true,
$configure_user_role = true, $configure_user_role = true,
@ -81,6 +96,13 @@ class gnocchi::keystone::auth (
include gnocchi::deps include gnocchi::deps
Keystone_user_role<| name == "${auth_name}@${tenant}" |> -> Anchor['gnocchi::service::end']
Keystone_user_role<| name == "${auth_name}@::::${system_scope}" |> -> Anchor['gnocchi::service::end']
if $configure_endpoint {
Keystone_endpoint["${region}/${service_name}::${service_type}"] -> Anchor['gnocchi::service::end']
}
keystone::resource::service_identity { 'gnocchi': keystone::resource::service_identity { 'gnocchi':
configure_user => $configure_user, configure_user => $configure_user,
configure_user_role => $configure_user_role, configure_user_role => $configure_user_role,
@ -93,6 +115,9 @@ class gnocchi::keystone::auth (
password => $password, password => $password,
email => $email, email => $email,
tenant => $tenant, tenant => $tenant,
roles => $roles,
system_scope => $system_scope,
system_roles => $system_roles,
public_url => $public_url, public_url => $public_url,
internal_url => $internal_url, internal_url => $internal_url,
admin_url => $admin_url, admin_url => $admin_url,

View File

@ -28,6 +28,10 @@
# (Optional) Name of domain for $project_name # (Optional) Name of domain for $project_name
# Defaults to 'Default' # Defaults to 'Default'
# #
# [*system_scope*]
# (Optional) Scope for system operations.
# Defaults to $::os_service_default
#
# [*insecure*] # [*insecure*]
# (Optional) If true, explicitly allow TLS without checking server cert # (Optional) If true, explicitly allow TLS without checking server cert
# against any certificate authorities. WARNING: not recommended. Use with # against any certificate authorities. WARNING: not recommended. Use with
@ -198,6 +202,7 @@ class gnocchi::keystone::authtoken(
$project_name = 'services', $project_name = 'services',
$user_domain_name = 'Default', $user_domain_name = 'Default',
$project_domain_name = 'Default', $project_domain_name = 'Default',
$system_scope = $::os_service_default,
$insecure = $::os_service_default, $insecure = $::os_service_default,
$auth_section = $::os_service_default, $auth_section = $::os_service_default,
$auth_type = 'password', $auth_type = 'password',
@ -251,6 +256,7 @@ class gnocchi::keystone::authtoken(
auth_section => $auth_section, auth_section => $auth_section,
user_domain_name => $user_domain_name, user_domain_name => $user_domain_name,
project_domain_name => $project_domain_name, project_domain_name => $project_domain_name,
system_scope => $system_scope,
insecure => $insecure, insecure => $insecure,
cache => $cache, cache => $cache,
cafile => $cafile, cafile => $cafile,

View File

@ -0,0 +1,13 @@
---
features:
- |
The ``system_scope`` parameter has been added to
the ``gnocchi::keystone::authtoken`` class.
- |
The ``gnocchi::keystone::auth`` class now supports customizing roles
assigned to the gnocchi service user.
- |
The ``gnocchi::keystone::auth`` class now supports defining assignmet of
system-scoped roles to the gnocchi service user.

View File

@ -23,6 +23,9 @@ describe 'gnocchi::keystone::auth' do
:password => 'gnocchi_password', :password => 'gnocchi_password',
:email => 'gnocchi@localhost', :email => 'gnocchi@localhost',
:tenant => 'services', :tenant => 'services',
:roles => ['admin'],
:system_scope => 'all',
:system_roles => [],
:public_url => 'http://127.0.0.1:8041', :public_url => 'http://127.0.0.1:8041',
:internal_url => 'http://127.0.0.1:8041', :internal_url => 'http://127.0.0.1:8041',
:admin_url => 'http://127.0.0.1:8041', :admin_url => 'http://127.0.0.1:8041',
@ -35,6 +38,9 @@ describe 'gnocchi::keystone::auth' do
:auth_name => 'alt_gnocchi', :auth_name => 'alt_gnocchi',
:email => 'alt_gnocchi@alt_localhost', :email => 'alt_gnocchi@alt_localhost',
:tenant => 'alt_service', :tenant => 'alt_service',
:roles => ['admin', 'service'],
:system_scope => 'all',
:system_roles => ['admin', 'member', 'reader'],
:configure_endpoint => false, :configure_endpoint => false,
:configure_user => false, :configure_user => false,
:configure_user_role => false, :configure_user_role => false,
@ -59,6 +65,9 @@ describe 'gnocchi::keystone::auth' do
:password => 'gnocchi_password', :password => 'gnocchi_password',
:email => 'alt_gnocchi@alt_localhost', :email => 'alt_gnocchi@alt_localhost',
:tenant => 'alt_service', :tenant => 'alt_service',
:roles => ['admin', 'service'],
:system_scope => 'all',
:system_roles => ['admin', 'member', 'reader'],
:public_url => 'https://10.10.10.10:80', :public_url => 'https://10.10.10.10:80',
:internal_url => 'http://10.10.10.11:81', :internal_url => 'http://10.10.10.11:81',
:admin_url => 'http://10.10.10.12:81', :admin_url => 'http://10.10.10.12:81',

View File

@ -18,6 +18,7 @@ describe 'gnocchi::keystone::authtoken' do
:project_name => 'services', :project_name => 'services',
:user_domain_name => 'Default', :user_domain_name => 'Default',
:project_domain_name => 'Default', :project_domain_name => 'Default',
:system_scope => '<SERVICE DEFAULT>',
:insecure => '<SERVICE DEFAULT>', :insecure => '<SERVICE DEFAULT>',
:auth_section => '<SERVICE DEFAULT>', :auth_section => '<SERVICE DEFAULT>',
:auth_type => 'password', :auth_type => 'password',
@ -62,6 +63,7 @@ describe 'gnocchi::keystone::authtoken' do
:project_name => 'service_project', :project_name => 'service_project',
:user_domain_name => 'domainX', :user_domain_name => 'domainX',
:project_domain_name => 'domainX', :project_domain_name => 'domainX',
:system_scope => 'all',
:insecure => false, :insecure => false,
:auth_section => 'new_section', :auth_section => 'new_section',
:auth_type => 'password', :auth_type => 'password',
@ -103,6 +105,7 @@ describe 'gnocchi::keystone::authtoken' do
:project_name => 'service_project', :project_name => 'service_project',
:user_domain_name => 'domainX', :user_domain_name => 'domainX',
:project_domain_name => 'domainX', :project_domain_name => 'domainX',
:system_scope => 'all',
:insecure => false, :insecure => false,
:auth_section => 'new_section', :auth_section => 'new_section',
:auth_type => 'password', :auth_type => 'password',