Accept system scope credentials for Keystone API request

This change is the first step to support secure RBAC and allows usage
of system scope credentials for Keystone API requests.

This change covers the following two items.
 - assignment of system scope roles to system user
 - credential parameters for authtoken middleware

Depends-on: https://review.opendev.org/804325
Change-Id: I95a20233f16d652131f398b50ba0da3146e8129e
changes/20/819320/2
Takashi Kajinami 1 year ago
parent 4b27c00256
commit 2757d7d333

@ -28,6 +28,10 @@
# (Optional) Name of domain for $project_name
# Defaults to 'Default'
#
# [*system_scope*]
# (Optional) Scope for system operations
# Defaults to $::os_service_default
#
# [*insecure*]
# (Optional) If true, explicitly allow TLS without checking server cert
# against any certificate authorities. WARNING: not recommended. Use with
@ -199,6 +203,7 @@ class ironic::api::authtoken(
$project_name = 'services',
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$system_scope = $::os_service_default,
$insecure = $::os_service_default,
$auth_section = $::os_service_default,
$auth_type = 'password',
@ -252,6 +257,7 @@ class ironic::api::authtoken(
auth_section => $auth_section,
user_domain_name => $user_domain_name,
project_domain_name => $project_domain_name,
system_scope => $system_scope,
insecure => $insecure,
cache => $cache,
cafile => $cafile,
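Review bot: The new `system_scope` parameter (L32) is handed to the authtoken resource right next to `project_name` and `project_domain_name` (L39-L40), but nothing documents that the two are mutually exclusive — as far as I know Keystone rejects a token request scoped to both a project and the system, so an operator who sets `system_scope` while leaving the `'services'` project default gets an authentication failure at runtime rather than a catalog error. Whether the depended-on keystone::resource::authtoken change drops the project parameters when `system_scope` is set is not visible here; either way the parameter comment at L21-L23 should state the contract, e.g. `# (Optional) Scope for system operations. Mutually exclusive with project scope: when set, project_name and project_domain_name must not be used.` If the underlying resource does not reconcile them, a `fail()` when both are explicitly set would be the safer option. The identical hunks in ironic::inspector::authtoken (L45-L71) have the same gap.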

@ -28,6 +28,10 @@
# (Optional) Name of domain for $project_name
# Defaults to 'Default'
#
# [*system_scope*]
# (Optional) Scope for system operations
# Defaults to $::os_service_default
#
# [*insecure*]
# (Optional) If true, explicitly allow TLS without checking server cert
# against any certificate authorities. WARNING: not recommended. Use with
@ -198,6 +202,7 @@ class ironic::inspector::authtoken(
$project_name = 'services',
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$system_scope = $::os_service_default,
$insecure = $::os_service_default,
$auth_section = $::os_service_default,
$auth_type = 'password',
@ -251,6 +256,7 @@ class ironic::inspector::authtoken(
auth_section => $auth_section,
user_domain_name => $user_domain_name,
project_domain_name => $project_domain_name,
system_scope => $system_scope,
insecure => $insecure,
cache => $cache,
cafile => $cafile,

@ -37,9 +37,17 @@
# Defaults to 'services'.
#
# [*roles*]
# (Optional) List of roles assigned to the ironic service user
# (Optional) List of roles assigned to ironic user
# Defaults to ['admin']
#
# [*system_scope*]
# (Optional) Scope for system operations.
# Defaults to 'all'
#
# [*system_roles*]
# (Optional) List of system roles assigned to ironic user.
# Defaults to []
#
# [*configure_endpoint*]
# (Optional) Should Ironic endpoint be configured?
# Defaults to true.
@ -97,6 +105,8 @@ class ironic::keystone::auth (
$email = 'ironic@localhost',
$tenant = 'services',
$roles = ['admin'],
$system_scope = 'all',
$system_roles = [],
$configure_endpoint = true,
$configure_user = true,
$configure_user_role = true,
@ -111,9 +121,9 @@ class ironic::keystone::auth (
include ironic::deps
if $configure_user_role {
Keystone_user_role["${auth_name}@${tenant}"] -> Anchor['ironic::service::end']
}
Keystone_user_role<| name == "${auth_name}@${tenant}" |> -> Anchor['ironic::service::end']
Keystone_user_role<| name == "${auth_name}@::::${system_scope}" |> -> Anchor['ironic::service::end']
if $configure_endpoint {
Keystone_endpoint["${region}/${service_name}::${service_type}"] -> Anchor['ironic::service::end']
}
@ -131,6 +141,8 @@ class ironic::keystone::auth (
email => $email,
tenant => $tenant,
roles => $roles,
system_scope => $system_scope,
system_roles => $system_roles,
public_url => $public_url,
internal_url => $internal_url,
admin_url => $admin_url,
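Review bot: Replacing the `if $configure_user_role { Keystone_user_role[...] -> ... }` guard with unconditional collectors (L106-L107) changes ordering semantics beyond adding system scope: a collector matches any `Keystone_user_role` with that title, including one declared elsewhere when `configure_user_role` is false, and it realizes virtual resources, which the old explicit reference did not. That is plausibly intended, since the system-scoped assignment has no `configure_*` flag of its own, but the commit message does not say so; a comment above the collectors would spare the next reader the guess, e.g. `# Collectors rather than explicit references: ordering must hold for both the project- and system-scoped role assignments whether they are declared here or by another class.` The `system_scope` doc (L81-L83) also reads as if arbitrary values were valid, while Keystone currently defines a single system scope, `all`, so the `'alt_all'` value in the spec exercises parameter plumbing only — worth saying in the doc. ironic::keystone::auth_inspector carries the same two hunks (L150-L160, L162-L171).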

@ -33,6 +33,18 @@
# [*tenant*]
# Tenant for Baremetal Introspection user. Defaults to 'services'.
#
# [*roles*]
# (Optional) List of roles assigned to ironic user.
# Defaults to ['admin']
#
# [*system_scope*]
# (Optional) Scope for system operations.
# Defaults to 'all'
#
# [*system_roles*]
# (Optional) List of system roles assigned to ironic user.
# Defaults to []
#
# [*configure_endpoint*]
# Should Baremetal Introspection endpoint be configured? Defaults to 'true'.
#
@ -83,6 +95,9 @@ class ironic::keystone::auth_inspector (
$auth_name = 'ironic-inspector',
$email = 'ironic-inspector@localhost',
$tenant = 'services',
$roles = ['admin'],
$system_scope = 'all',
$system_roles = [],
$configure_endpoint = true,
$configure_user = true,
$configure_user_role = true,
@ -99,11 +114,11 @@ class ironic::keystone::auth_inspector (
$real_service_name = pick($service_name, $auth_name)
if $configure_user_role {
Keystone_user_role["${auth_name}@${tenant}"] ~> Service <| name == 'ironic-inspector' |>
}
Keystone_user_role<| name == "${auth_name}@${tenant}" |> ~> Service <| name == 'ironic-inspector' |>
Keystone_user_role<| name == "${auth_name}@::::${system_scope}" |> ~> Service <| name == 'ironic-inspector' |>
if $configure_endpoint {
Keystone_endpoint["${region}/${real_service_name}::${service_type}"] ~> Service <| name == 'ironic-inspector' |>
Keystone_endpoint["${region}/${real_service_name}::${service_type}"] ~> Service <| name == 'ironic-inspector' |>
}
keystone::resource::service_identity { 'ironic-inspector':
@ -118,6 +133,9 @@ class ironic::keystone::auth_inspector (
password => $password,
email => $email,
tenant => $tenant,
roles => $roles,
system_scope => $system_scope,
system_roles => $system_roles,
public_url => $public_url,
internal_url => $internal_url,
admin_url => $admin_url,

@ -0,0 +1,19 @@
---
features:
- |
The ``system_scope`` parameter has been added to the following classes.
- ``ironic::api::authtoken``
- ``ironic::inspector::authtoken``
- |
The ``ironic::keystone::auth_inspector`` class now supports customizing
roles assigned to the ironic-inspector service user.
- |
The ``ironic::keystone::auth`` class now supports defining assignmet of
system-scoped roles to the ironic service user.
- |
The ``ironic::keystone::auth_inspector`` class now supports defining
assignmet of system-scoped roles to the ironic-inspector service user.

@ -18,6 +18,7 @@ describe 'ironic::api::authtoken' do
:project_name => 'services',
:user_domain_name => 'Default',
:project_domain_name => 'Default',
:system_scope => '<SERVICE DEFAULT>',
:insecure => '<SERVICE DEFAULT>',
:auth_section => '<SERVICE DEFAULT>',
:auth_type => 'password',
@ -62,6 +63,7 @@ describe 'ironic::api::authtoken' do
:project_name => 'service_project',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:system_scope => 'all',
:insecure => false,
:auth_section => 'new_section',
:auth_type => 'password',
@ -103,6 +105,7 @@ describe 'ironic::api::authtoken' do
:project_name => 'service_project',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:system_scope => 'all',
:insecure => false,
:auth_section => 'new_section',
:auth_type => 'password',

@ -18,6 +18,7 @@ describe 'ironic::inspector::authtoken' do
:project_name => 'services',
:user_domain_name => 'Default',
:project_domain_name => 'Default',
:system_scope => '<SERVICE DEFAULT>',
:insecure => '<SERVICE DEFAULT>',
:auth_section => '<SERVICE DEFAULT>',
:auth_type => 'password',
@ -62,6 +63,7 @@ describe 'ironic::inspector::authtoken' do
:project_name => 'service_project',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:system_scope => 'all',
:insecure => false,
:auth_section => 'new_section',
:auth_type => 'password',
@ -103,6 +105,7 @@ describe 'ironic::inspector::authtoken' do
:project_name => 'service_project',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:system_scope => 'all',
:insecure => false,
:auth_section => 'new_section',
:auth_type => 'password',

@ -40,6 +40,9 @@ describe 'ironic::keystone::auth_inspector' do
:password => 'ironic-inspector_password',
:email => 'ironic-inspector@localhost',
:tenant => 'services',
:roles => ['admin'],
:system_scope => 'all',
:system_roles => [],
:public_url => 'http://127.0.0.1:5050',
:internal_url => 'http://127.0.0.1:5050',
:admin_url => 'http://127.0.0.1:5050',
@ -52,6 +55,9 @@ describe 'ironic::keystone::auth_inspector' do
:auth_name => 'alt_ironic-inspector',
:email => 'alt_ironic-inspector@alt_localhost',
:tenant => 'alt_service',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:configure_endpoint => false,
:configure_user => false,
:configure_user_role => false,
@ -76,6 +82,9 @@ describe 'ironic::keystone::auth_inspector' do
:password => 'ironic-inspector_password',
:email => 'alt_ironic-inspector@alt_localhost',
:tenant => 'alt_service',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:public_url => 'https://10.10.10.10:80',
:internal_url => 'http://10.10.10.11:81',
:admin_url => 'http://10.10.10.12:81',

@ -40,6 +40,8 @@ describe 'ironic::keystone::auth' do
:email => 'ironic@localhost',
:tenant => 'services',
:roles => ['admin'],
:system_scope => 'all',
:system_roles => [],
:public_url => 'http://127.0.0.1:6385',
:internal_url => 'http://127.0.0.1:6385',
:admin_url => 'http://127.0.0.1:6385',
@ -53,6 +55,8 @@ describe 'ironic::keystone::auth' do
:email => 'alt_ironic@alt_localhost',
:tenant => 'alt_service',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:configure_endpoint => false,
:configure_user => false,
:configure_user_role => false,
@ -78,6 +82,8 @@ describe 'ironic::keystone::auth' do
:email => 'alt_ironic@alt_localhost',
:tenant => 'alt_service',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:public_url => 'https://10.10.10.10:80',
:internal_url => 'http://10.10.10.11:81',
:admin_url => 'http://10.10.10.12:81',
