openstack
/
puppet-ironic
Code Issues Proposed changes

Accept system scope credentials for Keystone API request

Browse Source 
This change is the first step to support secure RBAC and allows usage
of system scope credentials for Keystone API request.

This change covers the following two items.
 - assignment of system scope roles to system user
 - credential parameters for authtoken middleware

Depends-on: https://review.opendev.org/804325
Change-Id: I95a20233f16d652131f398b50ba0da3146e8129e
changes/20/819320/2
Takashi Kajinami 1 year ago
parent 4b27c00256
commit 2757d7d333
9 changed files with 90 additions and 8 deletions
Show Stats Download Patch File Download Diff File

6
manifests/api/authtoken.pp
Unescape View File

@ -28,6 +28,10 @@
# (Optional) Name of domain for $project_name
# Defaults to 'Default'
#
# [*system_scope*]
# (Optional) Scope for system operations
# Defaults to $::os_service_default
#
# [*insecure*]
# (Optional) If true, explicitly allow TLS without checking server cert
# against any certificate authorities. WARNING: not recommended. Use with
@ -199,6 +203,7 @@ class ironic::api::authtoken(
$project_name = 'services',
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$system_scope = $::os_service_default,
$insecure = $::os_service_default,
$auth_section = $::os_service_default,
$auth_type = 'password',
@ -252,6 +257,7 @@ class ironic::api::authtoken(
auth_section => $auth_section,
user_domain_name => $user_domain_name,
project_domain_name => $project_domain_name,
system_scope => $system_scope,
insecure => $insecure,
cache => $cache,
cafile => $cafile,

6
manifests/inspector/authtoken.pp
Unescape View File

@ -28,6 +28,10 @@
# (Optional) Name of domain for $project_name
# Defaults to 'Default'
#
# [*system_scope*]
# (Optional) Scope for system operations
# Defaults to $::os_service_default
#
# [*insecure*]
# (Optional) If true, explicitly allow TLS without checking server cert
# against any certificate authorities. WARNING: not recommended. Use with
@ -198,6 +202,7 @@ class ironic::inspector::authtoken(
$project_name = 'services',
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$system_scope = $::os_service_default,
$insecure = $::os_service_default,
$auth_section = $::os_service_default,
$auth_type = 'password',
@ -251,6 +256,7 @@ class ironic::inspector::authtoken(
auth_section => $auth_section,
user_domain_name => $user_domain_name,
project_domain_name => $project_domain_name,
system_scope => $system_scope,
insecure => $insecure,
cache => $cache,
cafile => $cafile,

20
manifests/keystone/auth.pp
Unescape View File

@ -37,9 +37,17 @@
# Defaults to 'services'.
#
# [*roles*]
# (Optional) List of roles assigned to the ironic service user
# (Optional) List of roles assigned to ironic user
# Defaults to ['admin']
#
# [*system_scope*]
# (Optional) Scope for system operations.
# Defaults to 'all'
#
# [*system_roles*]
# (Optional) List of system roles assigned to ironic user.
# Defaults to []
#
# [*configure_endpoint*]
# (Optional) Should Ironic endpoint be configured?
# Defaults to true.
@ -97,6 +105,8 @@ class ironic::keystone::auth (
$email = 'ironic@localhost',
$tenant = 'services',
$roles = ['admin'],
$system_scope = 'all',
$system_roles = [],
$configure_endpoint = true,
$configure_user = true,
$configure_user_role = true,
@ -111,9 +121,9 @@ class ironic::keystone::auth (
include ironic::deps
if $configure_user_role {
Keystone_user_role["${auth_name}@${tenant}"] -> Anchor['ironic::service::end']
}
Keystone_user_role<| name == "${auth_name}@${tenant}" |> -> Anchor['ironic::service::end']
Keystone_user_role<| name == "${auth_name}@::::${system_scope}" |> -> Anchor['ironic::service::end']
if $configure_endpoint {
Keystone_endpoint["${region}/${service_name}::${service_type}"] -> Anchor['ironic::service::end']
}
@ -131,6 +141,8 @@ class ironic::keystone::auth (
email => $email,
tenant => $tenant,
roles => $roles,
system_scope => $system_scope,
system_roles => $system_roles,
public_url => $public_url,
internal_url => $internal_url,
admin_url => $admin_url,

26
manifests/keystone/auth_inspector.pp
Unescape View File

@ -33,6 +33,18 @@
# [*tenant*]
# Tenant for Baremetal Introspection user. Defaults to 'services'.
#
# [*roles*]
# (Optional) List of roles assigned to ironic user.
# Defaults to ['admin']
#
# [*system_scope*]
# (Optional) Scope for system operations.
# Defaults to 'all'
#
# [*system_roles*]
# (Optional) List of system roles assigned to ironic user.
# Defaults to []
#
# [*configure_endpoint*]
# Should Baremetal Introspection endpoint be configured? Defaults to 'true'.
#
@ -83,6 +95,9 @@ class ironic::keystone::auth_inspector (
$auth_name = 'ironic-inspector',
$email = 'ironic-inspector@localhost',
$tenant = 'services',
$roles = ['admin'],
$system_scope = 'all',
$system_roles = [],
$configure_endpoint = true,
$configure_user = true,
$configure_user_role = true,
@ -99,11 +114,11 @@ class ironic::keystone::auth_inspector (
$real_service_name = pick($service_name, $auth_name)
if $configure_user_role {
Keystone_user_role["${auth_name}@${tenant}"] ~> Service <| name == 'ironic-inspector' |>
}
Keystone_user_role<| name == "${auth_name}@${tenant}" |> ~> Service <| name == 'ironic-inspector' |>
Keystone_user_role<| name == "${auth_name}@::::${system_scope}" |> ~> Service <| name == 'ironic-inspector' |>
if $configure_endpoint {
Keystone_endpoint["${region}/${real_service_name}::${service_type}"] ~> Service <| name == 'ironic-inspector' |>
Keystone_endpoint["${region}/${real_service_name}::${service_type}"] ~> Service <| name == 'ironic-inspector' |>
}
keystone::resource::service_identity { 'ironic-inspector':
@ -118,6 +133,9 @@ class ironic::keystone::auth_inspector (
password => $password,
email => $email,
tenant => $tenant,
roles => $roles,
system_scope => $system_scope,
system_roles => $system_roles,
public_url => $public_url,
internal_url => $internal_url,
admin_url => $admin_url,

19
releasenotes/notes/system_scope-keystone-0ba98f21e99fd283.yaml
Unescape View File

@ -0,0 +1,19 @@
---
features:
- |
The ``system_scope`` parameter has been added to the following classes.
- ``ironic::api::authtoken``
- ``ironic::inspector::authtoken``
- |
The ``ironic::keystone::auth_inspector`` class now supports customizing
roles assigned to the ironic-inspector service user.
- |
The ``ironic::keystone::auth`` class now supports defining assignmet of
system-scoped roles to the ironic service user.
- |
The ``ironic::keystone::auth_inspector`` class now supports defining
assignmet of system-scoped roles to the ironic-inspector service user.

3
spec/classes/ironic_api_authtoken_spec.rb
Unescape View File

@ -18,6 +18,7 @@ describe 'ironic::api::authtoken' do
:project_name => 'services',
:user_domain_name => 'Default',
:project_domain_name => 'Default',
:system_scope => '<SERVICE DEFAULT>',
:insecure => '<SERVICE DEFAULT>',
:auth_section => '<SERVICE DEFAULT>',
:auth_type => 'password',
@ -62,6 +63,7 @@ describe 'ironic::api::authtoken' do
:project_name => 'service_project',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:system_scope => 'all',
:insecure => false,
:auth_section => 'new_section',
:auth_type => 'password',
@ -103,6 +105,7 @@ describe 'ironic::api::authtoken' do
:project_name => 'service_project',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:system_scope => 'all',
:insecure => false,
:auth_section => 'new_section',
:auth_type => 'password',

3
spec/classes/ironic_inspector_authtoken_spec.rb
Unescape View File

@ -18,6 +18,7 @@ describe 'ironic::inspector::authtoken' do
:project_name => 'services',
:user_domain_name => 'Default',
:project_domain_name => 'Default',
:system_scope => '<SERVICE DEFAULT>',
:insecure => '<SERVICE DEFAULT>',
:auth_section => '<SERVICE DEFAULT>',
:auth_type => 'password',
@ -62,6 +63,7 @@ describe 'ironic::inspector::authtoken' do
:project_name => 'service_project',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:system_scope => 'all',
:insecure => false,
:auth_section => 'new_section',
:auth_type => 'password',
@ -103,6 +105,7 @@ describe 'ironic::inspector::authtoken' do
:project_name => 'service_project',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:system_scope => 'all',
:insecure => false,
:auth_section => 'new_section',
:auth_type => 'password',

9
spec/classes/ironic_keystone_auth_inspector_spec.rb
Unescape View File

@ -40,6 +40,9 @@ describe 'ironic::keystone::auth_inspector' do
:password => 'ironic-inspector_password',
:email => 'ironic-inspector@localhost',
:tenant => 'services',
:roles => ['admin'],
:system_scope => 'all',
:system_roles => [],
:public_url => 'http://127.0.0.1:5050',
:internal_url => 'http://127.0.0.1:5050',
:admin_url => 'http://127.0.0.1:5050',
@ -52,6 +55,9 @@ describe 'ironic::keystone::auth_inspector' do
:auth_name => 'alt_ironic-inspector',
:email => 'alt_ironic-inspector@alt_localhost',
:tenant => 'alt_service',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:configure_endpoint => false,
:configure_user => false,
:configure_user_role => false,
@ -76,6 +82,9 @@ describe 'ironic::keystone::auth_inspector' do
:password => 'ironic-inspector_password',
:email => 'alt_ironic-inspector@alt_localhost',
:tenant => 'alt_service',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:public_url => 'https://10.10.10.10:80',
:internal_url => 'http://10.10.10.11:81',
:admin_url => 'http://10.10.10.12:81',

6
spec/classes/ironic_keystone_auth_spec.rb
Unescape View File

@ -40,6 +40,8 @@ describe 'ironic::keystone::auth' do
:email => 'ironic@localhost',
:tenant => 'services',
:roles => ['admin'],
:system_scope => 'all',
:system_roles => [],
:public_url => 'http://127.0.0.1:6385',
:internal_url => 'http://127.0.0.1:6385',
:admin_url => 'http://127.0.0.1:6385',
@ -53,6 +55,8 @@ describe 'ironic::keystone::auth' do
:email => 'alt_ironic@alt_localhost',
:tenant => 'alt_service',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:configure_endpoint => false,
:configure_user => false,
:configure_user_role => false,
@ -78,6 +82,8 @@ describe 'ironic::keystone::auth' do
:email => 'alt_ironic@alt_localhost',
:tenant => 'alt_service',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:public_url => 'https://10.10.10.10:80',
:internal_url => 'http://10.10.10.11:81',
:admin_url => 'http://10.10.10.12:81',

Write Preview
Loading…
Cancel
Save