openstack
/
puppet-heat
Code Issues Proposed changes

Accept system scope credentials for Keystone API request 

This change is the first step to support secure RBAC and allows usage
of system scope credentials for Keystone API request.

This change covers the following two items.
 - assignment of system scope roles to system user
 - credential parameters for authtoken middleware

Depends-on: https://review.opendev.org/804325
Change-Id: I1429b2cc6f3c01c07ec26b1a7242e451072be368
This commit is contained in:
Takashi Kajinami 2021-11-25 23:53:05 +09:00
parent 2d1311f1c6
commit d3a63122cb
7 changed files with 98 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
manifests/keystone/auth.pp
View File

@ -50,6 +50,18 @@
# (Optional) Tenant for heat user.
# Defaults to 'services'.
#
# [*roles*]
# (Optional) List of roles assigned to heat user.
# Defaults to ['admin']
#
# [*system_scope*]
# (Optional) Scope for system operations.
# Defaults to 'all'
#
# [*system_roles*]
# (Optional) List of system roles assigned to heat user.
# Defaults to []
#
# [*trusts_delegated_roles*]
# (Optional) Array of trustor roles to be delegated to heat.
# Defaults to ['heat_stack_owner']
@ -105,6 +117,9 @@ class heat::keystone::auth (
$service_description = 'OpenStack Orchestration Service',
$region = 'RegionOne',
$tenant = 'services',
$roles = ['admin'],
$system_scope = 'all',
$system_roles = [],
$configure_endpoint = true,
$configure_service = true,
$configure_user = true,
@ -122,6 +137,13 @@ class heat::keystone::auth (
validate_legacy(String, 'validate_string', $password)
Keystone_user_role<| name == "${auth_name}@${tenant}" |> -> Anchor['heat::service::end']
Keystone_user_role<| name == "${auth_name}@::::${system_scope}" |> -> Anchor['heat::service::end']
if $configure_endpoint {
Keystone_endpoint["${region}/${service_name}::${service_type}"] -> Anchor['heat::service::end']
}
keystone::resource::service_identity { 'heat':
configure_user => $configure_user,
configure_user_role => $configure_user_role,
@ -135,15 +157,14 @@ class heat::keystone::auth (
password => $password,
email => $email,
tenant => $tenant,
roles => $roles,
system_scope => $system_scope,
system_roles => $system_roles,
public_url => $public_url,
admin_url => $admin_url,
internal_url => $internal_url,
}
if $configure_user_role {
Keystone_user_role["${auth_name}@${tenant}"] ~> Anchor['heat::service::end']
}
if $manage_heat_stack_user_role {
keystone_role { $heat_stack_user_role:
ensure => present,

29
manifests/keystone/auth_cfn.pp
View File

@ -50,6 +50,18 @@
# (Optional) Tenant for heat-cfn user.
# Defaults to 'services'.
#
# [*roles*]
# (Optional) List of roles assigned to heat user.
# Defaults to ['admin']
#
# [*system_scope*]
# (Optional) Scope for system operations.
# Defaults to 'all'
#
# [*system_roles*]
# (Optional) List of system roles assigned to heat user.
# Defaults to []
#
# [*public_url*]
# (optional) The endpoint's public url. (Defaults to 'http://127.0.0.1:8000/v1')
# This url should *not* contain any trailing '/'.
@ -79,6 +91,9 @@ class heat::keystone::auth_cfn (
$service_type = 'cloudformation',
$region = 'RegionOne',
$tenant = 'services',
$roles = ['admin'],
$system_scope = 'all',
$system_roles = [],
$configure_endpoint = true,
$configure_service = true,
$configure_user = true,
@ -92,6 +107,13 @@ class heat::keystone::auth_cfn (
validate_legacy(String, 'validate_string', $password)
Keystone_user_role<| name == "${auth_name}@${tenant}" |> -> Anchor['heat::service::end']
Keystone_user_role<| name == "${auth_name}@::::${system_scope}" |> -> Anchor['heat::service::end']
if $configure_endpoint {
Keystone_endpoint["${region}/${service_name}::${service_type}"] -> Anchor['heat::service::end']
}
keystone::resource::service_identity { 'heat-cfn':
configure_user => $configure_user,
configure_user_role => $configure_user_role,
@ -105,13 +127,12 @@ class heat::keystone::auth_cfn (
password => $password,
email => $email,
tenant => $tenant,
roles => $roles,
system_scope => $system_scope,
system_roles => $system_roles,
public_url => $public_url,
admin_url => $admin_url,
internal_url => $internal_url,
}
if $configure_user_role {
Keystone_user_role["${auth_name}@${tenant}"] ~> Anchor['heat::service::end']
}
}

6
manifests/keystone/authtoken.pp
View File

@ -28,6 +28,10 @@
# (Optional) Name of domain for $project_name
# Defaults to 'Default'
#
# [*system_scope*]
# (Optional) Scope for system operations
# Defaults to $::os_service_default
#
# [*insecure*]
# (Optional) If true, explicitly allow TLS without checking server cert
# against any certificate authorities. WARNING: not recommended. Use with
@ -198,6 +202,7 @@ class heat::keystone::authtoken(
$project_name = 'services',
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$system_scope = $::os_service_default,
$insecure = $::os_service_default,
$auth_section = $::os_service_default,
$auth_type = 'password',
@ -251,6 +256,7 @@ class heat::keystone::authtoken(
auth_section => $auth_section,
user_domain_name => $user_domain_name,
project_domain_name => $project_domain_name,
system_scope => $system_scope,
insecure => $insecure,
cache => $cache,
cafile => $cafile,

21
releasenotes/notes/system_scope-keystone-ea935e84e1f0c430.yaml Normal file
View File

@ -0,0 +1,21 @@
---
features:
- |
The ``system_scope`` parameter has been added to
the ``heat::keystone::authtoken`` class.
- |
The ``heat::keystone::auth`` class now supports customizing roles assigned
to the heat service user.
- |
The ``heat::keystone::auth_cfn`` class now supports customizing roles
assigned to the heat service user.
- |
The ``heat::keystone::auth`` class now supports defining assignmet of
system-scoped roles to the heat service user.
- |
The ``heat::keystone::auth_cfn`` class now supports defining assignmet of
system-scoped roles to the heat service user.

9
spec/classes/heat_keystone_auth_cfn_spec.rb
View File

@ -23,6 +23,9 @@ describe 'heat::keystone::auth_cfn' do
:password => 'heat_password',
:email => 'heat-cfn@localhost',
:tenant => 'services',
:roles => ['admin'],
:system_scope => 'all',
:system_roles => [],
:public_url => 'http://127.0.0.1:8000/v1',
:internal_url => 'http://127.0.0.1:8000/v1',
:admin_url => 'http://127.0.0.1:8000/v1',
@ -35,6 +38,9 @@ describe 'heat::keystone::auth_cfn' do
:auth_name => 'alt_heat-cfn',
:email => 'alt_heat-cfn@alt_localhost',
:tenant => 'alt_service',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:configure_endpoint => false,
:configure_user => false,
:configure_user_role => false,
@ -60,6 +66,9 @@ describe 'heat::keystone::auth_cfn' do
:password => 'heat_password',
:email => 'alt_heat-cfn@alt_localhost',
:tenant => 'alt_service',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:public_url => 'https://10.10.10.10:80',
:internal_url => 'http://10.10.10.11:81',
:admin_url => 'http://10.10.10.12:81',

9
spec/classes/heat_keystone_auth_spec.rb
View File

@ -23,6 +23,9 @@ describe 'heat::keystone::auth' do
:password => 'heat_password',
:email => 'heat@localhost',
:tenant => 'services',
:roles => ['admin'],
:system_scope => 'all',
:system_roles => [],
:public_url => 'http://127.0.0.1:8004/v1/%(tenant_id)s',
:internal_url => 'http://127.0.0.1:8004/v1/%(tenant_id)s',
:admin_url => 'http://127.0.0.1:8004/v1/%(tenant_id)s',
@ -38,6 +41,9 @@ describe 'heat::keystone::auth' do
:auth_name => 'alt_heat',
:email => 'alt_heat@alt_localhost',
:tenant => 'alt_service',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:configure_endpoint => false,
:configure_user => false,
:configure_user_role => false,
@ -65,6 +71,9 @@ describe 'heat::keystone::auth' do
:password => 'heat_password',
:email => 'alt_heat@alt_localhost',
:tenant => 'alt_service',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:public_url => 'https://10.10.10.10:80',
:internal_url => 'http://10.10.10.11:81',
:admin_url => 'http://10.10.10.12:81',

3
spec/classes/heat_keystone_authtoken_spec.rb
View File

@ -18,6 +18,7 @@ describe 'heat::keystone::authtoken' do
:project_name => 'services',
:user_domain_name => 'Default',
:project_domain_name => 'Default',
:system_scope => '<SERVICE DEFAULT>',
:insecure => '<SERVICE DEFAULT>',
:auth_section => '<SERVICE DEFAULT>',
:auth_type => 'password',
@ -62,6 +63,7 @@ describe 'heat::keystone::authtoken' do
:project_name => 'service_project',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:system_scope => 'all',
:insecure => false,
:auth_section => 'new_section',
:auth_type => 'password',
@ -103,6 +105,7 @@ describe 'heat::keystone::authtoken' do
:project_name => 'service_project',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:system_scope => 'all',
:insecure => false,
:auth_section => 'new_section',
:auth_type => 'password',