Merge "Accept system scope credentials for Keystone API request"

This commit is contained in:
Zuul 2022-01-08 01:02:56 +00:00 committed by Gerrit Code Review
commit 14c630bffa
7 changed files with 98 additions and 8 deletions


@ -50,6 +50,18 @@
# (Optional) Tenant for heat user. # (Optional) Tenant for heat user.
# Defaults to 'services'. # Defaults to 'services'.
# #
# [*roles*]
# (Optional) List of roles assigned to heat user.
# Defaults to ['admin']
#
# [*system_scope*]
# (Optional) Scope for system operations.
# Defaults to 'all'
#
# [*system_roles*]
# (Optional) List of system roles assigned to heat user.
# Defaults to []
#
# [*trusts_delegated_roles*] # [*trusts_delegated_roles*]
# (Optional) Array of trustor roles to be delegated to heat. # (Optional) Array of trustor roles to be delegated to heat.
# Defaults to ['heat_stack_owner'] # Defaults to ['heat_stack_owner']
@ -105,6 +117,9 @@ class heat::keystone::auth (
$service_description = 'OpenStack Orchestration Service', $service_description = 'OpenStack Orchestration Service',
$region = 'RegionOne', $region = 'RegionOne',
$tenant = 'services', $tenant = 'services',
$roles = ['admin'],
$system_scope = 'all',
$system_roles = [],
$configure_endpoint = true, $configure_endpoint = true,
$configure_service = true, $configure_service = true,
$configure_user = true, $configure_user = true,
@ -122,6 +137,13 @@ class heat::keystone::auth (
validate_legacy(String, 'validate_string', $password) validate_legacy(String, 'validate_string', $password)
Keystone_user_role<| name == "${auth_name}@${tenant}" |> -> Anchor['heat::service::end']
Keystone_user_role<| name == "${auth_name}@::::${system_scope}" |> -> Anchor['heat::service::end']
if $configure_endpoint {
Keystone_endpoint["${region}/${service_name}::${service_type}"] -> Anchor['heat::service::end']
}
keystone::resource::service_identity { 'heat': keystone::resource::service_identity { 'heat':
configure_user => $configure_user, configure_user => $configure_user,
configure_user_role => $configure_user_role, configure_user_role => $configure_user_role,
@ -135,15 +157,14 @@ class heat::keystone::auth (
password => $password, password => $password,
email => $email, email => $email,
tenant => $tenant, tenant => $tenant,
roles => $roles,
system_scope => $system_scope,
system_roles => $system_roles,
public_url => $public_url, public_url => $public_url,
admin_url => $admin_url, admin_url => $admin_url,
internal_url => $internal_url, internal_url => $internal_url,
} }
if $configure_user_role {
Keystone_user_role["${auth_name}@${tenant}"] ~> Anchor['heat::service::end']
}
if $manage_heat_stack_user_role { if $manage_heat_stack_user_role {
keystone_role { $heat_stack_user_role: keystone_role { $heat_stack_user_role:
ensure => present, ensure => present,
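Review bot: The new `roles` and `system_roles` parameters are passed straight into `keystone::resource::service_identity` with no validation, while `password` on the line just above still goes through `validate_legacy`; a scalar such as `roles => 'admin'` would not fail here with a clear message, and what the downstream resource does with it is not visible in this hunk. Add `validate_legacy(Array, 'validate_array', $roles)` and `validate_legacy(Array, 'validate_array', $system_roles)` next to the password check. The defaults also keep the project-scoped `admin` role on `$tenant` and grant no system-scoped role, so the `[*roles*]` and `[*system_roles*]` comments should say which assignment each one controls, e.g. `# (Optional) List of roles assigned to the heat user on the $tenant project.` and `# (Optional) List of roles assigned to the heat user with system scope $system_scope; none by default, so system-scoped credentials are opt-in.`, so that an operator auditing privilege sees that `admin` on the service project (which, under Keystone's legacy pre-secure-RBAC policies, is commonly treated as cloud-wide admin) is what is granted out of the box. The `keystone::resource::service_identity` declaration begins inside the hunk but its remaining parameters lie outside it.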


@ -50,6 +50,18 @@
# (Optional) Tenant for heat-cfn user. # (Optional) Tenant for heat-cfn user.
# Defaults to 'services'. # Defaults to 'services'.
# #
# [*roles*]
# (Optional) List of roles assigned to heat user.
# Defaults to ['admin']
#
# [*system_scope*]
# (Optional) Scope for system operations.
# Defaults to 'all'
#
# [*system_roles*]
# (Optional) List of system roles assigned to heat user.
# Defaults to []
#
# [*public_url*] # [*public_url*]
# (optional) The endpoint's public url. (Defaults to 'http://127.0.0.1:8000/v1') # (optional) The endpoint's public url. (Defaults to 'http://127.0.0.1:8000/v1')
# This url should *not* contain any trailing '/'. # This url should *not* contain any trailing '/'.
@ -79,6 +91,9 @@ class heat::keystone::auth_cfn (
$service_type = 'cloudformation', $service_type = 'cloudformation',
$region = 'RegionOne', $region = 'RegionOne',
$tenant = 'services', $tenant = 'services',
$roles = ['admin'],
$system_scope = 'all',
$system_roles = [],
$configure_endpoint = true, $configure_endpoint = true,
$configure_service = true, $configure_service = true,
$configure_user = true, $configure_user = true,
@ -92,6 +107,13 @@ class heat::keystone::auth_cfn (
validate_legacy(String, 'validate_string', $password) validate_legacy(String, 'validate_string', $password)
Keystone_user_role<| name == "${auth_name}@${tenant}" |> -> Anchor['heat::service::end']
Keystone_user_role<| name == "${auth_name}@::::${system_scope}" |> -> Anchor['heat::service::end']
if $configure_endpoint {
Keystone_endpoint["${region}/${service_name}::${service_type}"] -> Anchor['heat::service::end']
}
keystone::resource::service_identity { 'heat-cfn': keystone::resource::service_identity { 'heat-cfn':
configure_user => $configure_user, configure_user => $configure_user,
configure_user_role => $configure_user_role, configure_user_role => $configure_user_role,
@ -105,13 +127,12 @@ class heat::keystone::auth_cfn (
password => $password, password => $password,
email => $email, email => $email,
tenant => $tenant, tenant => $tenant,
roles => $roles,
system_scope => $system_scope,
system_roles => $system_roles,
public_url => $public_url, public_url => $public_url,
admin_url => $admin_url, admin_url => $admin_url,
internal_url => $internal_url, internal_url => $internal_url,
} }
if $configure_user_role {
Keystone_user_role["${auth_name}@${tenant}"] ~> Anchor['heat::service::end']
}
} }
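Review bot: The `[*roles*]` and `[*system_roles*]` comments in this class describe the "heat user", but the class manages the heat-cfn user (the `[*tenant*]` comment directly above says "heat-cfn user" and the identity resource is `'heat-cfn'`); change them to `# (Optional) List of roles assigned to heat-cfn user on the $tenant project.` and `# (Optional) List of system roles assigned to heat-cfn user (scope $system_scope).` so an operator does not mistake which principal receives `admin`. As with the `validate_legacy` check on `password` above, the two new array parameters should be validated with `validate_legacy(Array, 'validate_array', $roles)` and `validate_legacy(Array, 'validate_array', $system_roles)`. The class's parameter list and body extend outside these hunks.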


@ -28,6 +28,10 @@
# (Optional) Name of domain for $project_name # (Optional) Name of domain for $project_name
# Defaults to 'Default' # Defaults to 'Default'
# #
# [*system_scope*]
# (Optional) Scope for system operations
# Defaults to $::os_service_default
#
# [*insecure*] # [*insecure*]
# (Optional) If true, explicitly allow TLS without checking server cert # (Optional) If true, explicitly allow TLS without checking server cert
# against any certificate authorities. WARNING: not recommended. Use with # against any certificate authorities. WARNING: not recommended. Use with
@ -198,6 +202,7 @@ class heat::keystone::authtoken(
$project_name = 'services', $project_name = 'services',
$user_domain_name = 'Default', $user_domain_name = 'Default',
$project_domain_name = 'Default', $project_domain_name = 'Default',
$system_scope = $::os_service_default,
$insecure = $::os_service_default, $insecure = $::os_service_default,
$auth_section = $::os_service_default, $auth_section = $::os_service_default,
$auth_type = 'password', $auth_type = 'password',
@ -251,6 +256,7 @@ class heat::keystone::authtoken(
auth_section => $auth_section, auth_section => $auth_section,
user_domain_name => $user_domain_name, user_domain_name => $user_domain_name,
project_domain_name => $project_domain_name, project_domain_name => $project_domain_name,
system_scope => $system_scope,
insecure => $insecure, insecure => $insecure,
cache => $cache, cache => $cache,
cafile => $cafile, cafile => $cafile,
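Review bot: The `[*system_scope*]` comment only says "Scope for system operations", which does not tell an operator what changes when it is set, given that `project_name`, `user_domain_name` and `project_domain_name` are still passed to `keystone::resource::authtoken` alongside it and how the two scopes are reconciled is not visible in this hunk. Suggested wording: `# (Optional) Scope for system operations. When set (e.g. 'all'), the service user presumably obtains a system-scoped token rather than a project-scoped one and needs a matching system role assignment; confirm against keystone::resource::authtoken whether project_name is ignored in that case. Defaults to $::os_service_default, which keeps existing deployments on project scope.` The `keystone::resource::authtoken` declaration continues outside the hunk.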


@ -0,0 +1,21 @@
---
features:
- |
The ``system_scope`` parameter has been added to
the ``heat::keystone::authtoken`` class.
- |
The ``heat::keystone::auth`` class now supports customizing roles assigned
to the heat service user.
- |
The ``heat::keystone::auth_cfn`` class now supports customizing roles
assigned to the heat service user.
- |
The ``heat::keystone::auth`` class now supports defining assignmet of
system-scoped roles to the heat service user.
- |
The ``heat::keystone::auth_cfn`` class now supports defining assignmet of
system-scoped roles to the heat service user.


@ -23,6 +23,9 @@ describe 'heat::keystone::auth_cfn' do
:password => 'heat_password', :password => 'heat_password',
:email => 'heat-cfn@localhost', :email => 'heat-cfn@localhost',
:tenant => 'services', :tenant => 'services',
:roles => ['admin'],
:system_scope => 'all',
:system_roles => [],
:public_url => 'http://127.0.0.1:8000/v1', :public_url => 'http://127.0.0.1:8000/v1',
:internal_url => 'http://127.0.0.1:8000/v1', :internal_url => 'http://127.0.0.1:8000/v1',
:admin_url => 'http://127.0.0.1:8000/v1', :admin_url => 'http://127.0.0.1:8000/v1',
@ -35,6 +38,9 @@ describe 'heat::keystone::auth_cfn' do
:auth_name => 'alt_heat-cfn', :auth_name => 'alt_heat-cfn',
:email => 'alt_heat-cfn@alt_localhost', :email => 'alt_heat-cfn@alt_localhost',
:tenant => 'alt_service', :tenant => 'alt_service',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:configure_endpoint => false, :configure_endpoint => false,
:configure_user => false, :configure_user => false,
:configure_user_role => false, :configure_user_role => false,
@ -60,6 +66,9 @@ describe 'heat::keystone::auth_cfn' do
:password => 'heat_password', :password => 'heat_password',
:email => 'alt_heat-cfn@alt_localhost', :email => 'alt_heat-cfn@alt_localhost',
:tenant => 'alt_service', :tenant => 'alt_service',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:public_url => 'https://10.10.10.10:80', :public_url => 'https://10.10.10.10:80',
:internal_url => 'http://10.10.10.11:81', :internal_url => 'http://10.10.10.11:81',
:admin_url => 'http://10.10.10.12:81', :admin_url => 'http://10.10.10.12:81',


@ -23,6 +23,9 @@ describe 'heat::keystone::auth' do
:password => 'heat_password', :password => 'heat_password',
:email => 'heat@localhost', :email => 'heat@localhost',
:tenant => 'services', :tenant => 'services',
:roles => ['admin'],
:system_scope => 'all',
:system_roles => [],
:public_url => 'http://127.0.0.1:8004/v1/%(tenant_id)s', :public_url => 'http://127.0.0.1:8004/v1/%(tenant_id)s',
:internal_url => 'http://127.0.0.1:8004/v1/%(tenant_id)s', :internal_url => 'http://127.0.0.1:8004/v1/%(tenant_id)s',
:admin_url => 'http://127.0.0.1:8004/v1/%(tenant_id)s', :admin_url => 'http://127.0.0.1:8004/v1/%(tenant_id)s',
@ -38,6 +41,9 @@ describe 'heat::keystone::auth' do
:auth_name => 'alt_heat', :auth_name => 'alt_heat',
:email => 'alt_heat@alt_localhost', :email => 'alt_heat@alt_localhost',
:tenant => 'alt_service', :tenant => 'alt_service',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:configure_endpoint => false, :configure_endpoint => false,
:configure_user => false, :configure_user => false,
:configure_user_role => false, :configure_user_role => false,
@ -65,6 +71,9 @@ describe 'heat::keystone::auth' do
:password => 'heat_password', :password => 'heat_password',
:email => 'alt_heat@alt_localhost', :email => 'alt_heat@alt_localhost',
:tenant => 'alt_service', :tenant => 'alt_service',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:public_url => 'https://10.10.10.10:80', :public_url => 'https://10.10.10.10:80',
:internal_url => 'http://10.10.10.11:81', :internal_url => 'http://10.10.10.11:81',
:admin_url => 'http://10.10.10.12:81', :admin_url => 'http://10.10.10.12:81',


@ -18,6 +18,7 @@ describe 'heat::keystone::authtoken' do
:project_name => 'services', :project_name => 'services',
:user_domain_name => 'Default', :user_domain_name => 'Default',
:project_domain_name => 'Default', :project_domain_name => 'Default',
:system_scope => '<SERVICE DEFAULT>',
:insecure => '<SERVICE DEFAULT>', :insecure => '<SERVICE DEFAULT>',
:auth_section => '<SERVICE DEFAULT>', :auth_section => '<SERVICE DEFAULT>',
:auth_type => 'password', :auth_type => 'password',
@ -62,6 +63,7 @@ describe 'heat::keystone::authtoken' do
:project_name => 'service_project', :project_name => 'service_project',
:user_domain_name => 'domainX', :user_domain_name => 'domainX',
:project_domain_name => 'domainX', :project_domain_name => 'domainX',
:system_scope => 'all',
:insecure => false, :insecure => false,
:auth_section => 'new_section', :auth_section => 'new_section',
:auth_type => 'password', :auth_type => 'password',
@ -103,6 +105,7 @@ describe 'heat::keystone::authtoken' do
:project_name => 'service_project', :project_name => 'service_project',
:user_domain_name => 'domainX', :user_domain_name => 'domainX',
:project_domain_name => 'domainX', :project_domain_name => 'domainX',
:system_scope => 'all',
:insecure => false, :insecure => false,
:auth_section => 'new_section', :auth_section => 'new_section',
:auth_type => 'password', :auth_type => 'password',
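Review bot: The non-default examples pair `:system_scope => 'all'` with `:project_name => 'service_project'`, but the visible hunks carry no expectation that `keystone_authtoken/system_scope` is actually written to heat.conf or how it coexists with the project settings; if the spec's expectations are generated from this params hash outside the hunk (likely, given its shape) that is covered, otherwise add `is_expected.to contain_heat_config('keystone_authtoken/system_scope').with_value('all')` to the example. Keeping the default example pinned to `'<SERVICE DEFAULT>'` is worthwhile so a later change cannot silently move existing deployments onto system scope. The describe blocks extend outside these hunks.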