Accept system scope credentials for Keystone API request
This change is the first step to support secure RBAC and allows usage of system scope credentials for Keystone API requests. This change covers the following two items: - assignment of system scope roles to the service user - credential parameters for the authtoken middleware Depends-on: https://review.opendev.org/804325 Change-Id: I95a20233f16d652131f398b50ba0da3146e8129e
This commit is contained in:
parent
4b27c00256
commit
2757d7d333
|
@ -28,6 +28,10 @@
|
|||
# (Optional) Name of domain for $project_name
|
||||
# Defaults to 'Default'
|
||||
#
|
||||
# [*system_scope*]
|
||||
# (Optional) Scope for system operations
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*insecure*]
|
||||
# (Optional) If true, explicitly allow TLS without checking server cert
|
||||
# against any certificate authorities. WARNING: not recommended. Use with
|
||||
|
@ -199,6 +203,7 @@ class ironic::api::authtoken(
|
|||
$project_name = 'services',
|
||||
$user_domain_name = 'Default',
|
||||
$project_domain_name = 'Default',
|
||||
$system_scope = $::os_service_default,
|
||||
$insecure = $::os_service_default,
|
||||
$auth_section = $::os_service_default,
|
||||
$auth_type = 'password',
|
||||
|
@ -252,6 +257,7 @@ class ironic::api::authtoken(
|
|||
auth_section => $auth_section,
|
||||
user_domain_name => $user_domain_name,
|
||||
project_domain_name => $project_domain_name,
|
||||
system_scope => $system_scope,
|
||||
insecure => $insecure,
|
||||
cache => $cache,
|
||||
cafile => $cafile,
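Review bot: The new `system_scope` parameter (L55, passed through at L80) is documented only as "Scope for system operations", with no statement of which values are accepted or how it interacts with `project_name`/`project_domain_name`, which keep their 'services'/'Default' defaults in the same signature (L46, L52). Which scope the token ends up with when both are configured is decided by keystoneauth and by the `keystone::resource::authtoken` define from the Depends-on change, neither of which is visible here, so the class doc should state it rather than leave it implicit. I would extend the comment to `# (Optional) Scope for system operations. Set to 'all' (as far as I know the only system scope Keystone defines) to make ironic-api authenticate with a system-scoped token; project_name/project_domain_name are then expected to be unset - confirm against keystone::resource::authtoken.` A system-scoped token carries cloud-wide privileges, so it is worth stating that enabling this widens what the ironic-api service credential can do. The class signature and body continue outside the hunks.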
|
||||
@ -28,6 +28,10 @@
|
|||
# (Optional) Name of domain for $project_name
|
||||
# Defaults to 'Default'
|
||||
#
|
||||
# [*system_scope*]
|
||||
# (Optional) Scope for system operations
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*insecure*]
|
||||
# (Optional) If true, explicitly allow TLS without checking server cert
|
||||
# against any certificate authorities. WARNING: not recommended. Use with
|
||||
|
@ -198,6 +202,7 @@ class ironic::inspector::authtoken(
|
|||
$project_name = 'services',
|
||||
$user_domain_name = 'Default',
|
||||
$project_domain_name = 'Default',
|
||||
$system_scope = $::os_service_default,
|
||||
$insecure = $::os_service_default,
|
||||
$auth_section = $::os_service_default,
|
||||
$auth_type = 'password',
|
||||
|
@ -251,6 +256,7 @@ class ironic::inspector::authtoken(
|
|||
auth_section => $auth_section,
|
||||
user_domain_name => $user_domain_name,
|
||||
project_domain_name => $project_domain_name,
|
||||
system_scope => $system_scope,
|
||||
insecure => $insecure,
|
||||
cache => $cache,
|
||||
cafile => $cafile,
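Review bot: The `system_scope` docstring here (L107-L113) is the same two-line text as in ironic::api::authtoken and likewise does not say which values are accepted or what happens to `project_name`/`project_domain_name` (L132, L138) when it is set; both classes should carry the same explanatory wording so the inspector credential is not scoped differently from the api one by accident. I would add `# Set to 'all' to request a system-scoped token; the project scoping parameters are expected to be unset when this is used.` after the "Defaults to" line, hedged on what the keystone::resource::authtoken define from the Depends-on change actually does when both are given. The class continues outside the hunks.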
|
||||
@ -37,9 +37,17 @@
|
|||
# Defaults to 'services'.
|
||||
#
|
||||
# [*roles*]
|
||||
# (Optional) List of roles assigned to the ironic service user
|
||||
# (Optional) List of roles assigned to ironic user
|
||||
# Defaults to ['admin']
|
||||
#
|
||||
# [*system_scope*]
|
||||
# (Optional) Scope for system operations.
|
||||
# Defaults to 'all'
|
||||
#
|
||||
# [*system_roles*]
|
||||
# (Optional) List of system roles assigned to ironic user.
|
||||
# Defaults to []
|
||||
#
|
||||
# [*configure_endpoint*]
|
||||
# (Optional) Should Ironic endpoint be configured?
|
||||
# Defaults to true.
|
||||
|
@ -97,6 +105,8 @@ class ironic::keystone::auth (
|
|||
$email = 'ironic@localhost',
|
||||
$tenant = 'services',
|
||||
$roles = ['admin'],
|
||||
$system_scope = 'all',
|
||||
$system_roles = [],
|
||||
$configure_endpoint = true,
|
||||
$configure_user = true,
|
||||
$configure_user_role = true,
|
||||
|
@ -111,9 +121,9 @@ class ironic::keystone::auth (
|
|||
|
||||
include ironic::deps
|
||||
|
||||
if $configure_user_role {
|
||||
Keystone_user_role["${auth_name}@${tenant}"] -> Anchor['ironic::service::end']
|
||||
}
|
||||
Keystone_user_role<| name == "${auth_name}@${tenant}" |> -> Anchor['ironic::service::end']
|
||||
Keystone_user_role<| name == "${auth_name}@::::${system_scope}" |> -> Anchor['ironic::service::end']
|
||||
|
||||
if $configure_endpoint {
|
||||
Keystone_endpoint["${region}/${service_name}::${service_type}"] -> Anchor['ironic::service::end']
|
||||
}
|
||||
|
@ -131,6 +141,8 @@ class ironic::keystone::auth (
|
|||
email => $email,
|
||||
tenant => $tenant,
|
||||
roles => $roles,
|
||||
system_scope => $system_scope,
|
||||
system_roles => $system_roles,
|
||||
public_url => $public_url,
|
||||
internal_url => $internal_url,
|
||||
admin_url => $admin_url,
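Review bot: `system_scope` (L251) is interpolated straight into the Keystone_user_role title `"${auth_name}@::::${system_scope}"` at L289 with no validation and no documentation of accepted values; as far as I know Keystone defines only the `all` system scope, so any other string yields a role-assignment title the provider cannot act on, and the ordering collector at L289 then silently matches nothing. I would tighten the docstring to `# (Optional) Scope for system operations. Keystone currently defines only 'all'.` and, if the puppet-keystone define this class relies on also accepts only that value, type the parameter as `Enum['all'] $system_scope = 'all'` (confirm against the Depends-on change, since the spec at L838 passes 'alt_all'). The collectors at L286 and L289 replace the former `if $configure_user_role` guard (L277-L283); that is fine for ordering, but a `name ==` collector only works if the title format is exactly what `keystone::resource::service_identity` produces for the system-scope role, and a mismatch drops the Anchor ordering without any failure. The `system_roles = []` default (L254) keeps the service user at its current privilege unless an operator opts in, which is the right least-privilege default for a new, cloud-wide scope; the service_identity call continues outside the hunk.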
|
||||
@ -33,6 +33,18 @@
|
|||
# [*tenant*]
|
||||
# Tenant for Baremetal Introspection user. Defaults to 'services'.
|
||||
#
|
||||
# [*roles*]
|
||||
# (Optional) List of roles assigned to ironic user.
|
||||
# Defaults to ['admin']
|
||||
#
|
||||
# [*system_scope*]
|
||||
# (Optional) Scope for system operations.
|
||||
# Defaults to 'all'
|
||||
#
|
||||
# [*system_roles*]
|
||||
# (Optional) List of system roles assigned to ironic user.
|
||||
# Defaults to []
|
||||
#
|
||||
# [*configure_endpoint*]
|
||||
# Should Baremetal Introspection endpoint be configured? Defaults to 'true'.
|
||||
#
|
||||
|
@ -83,6 +95,9 @@ class ironic::keystone::auth_inspector (
|
|||
$auth_name = 'ironic-inspector',
|
||||
$email = 'ironic-inspector@localhost',
|
||||
$tenant = 'services',
|
||||
$roles = ['admin'],
|
||||
$system_scope = 'all',
|
||||
$system_roles = [],
|
||||
$configure_endpoint = true,
|
||||
$configure_user = true,
|
||||
$configure_user_role = true,
|
||||
|
@ -99,9 +114,9 @@ class ironic::keystone::auth_inspector (
|
|||
|
||||
$real_service_name = pick($service_name, $auth_name)
|
||||
|
||||
if $configure_user_role {
|
||||
Keystone_user_role["${auth_name}@${tenant}"] ~> Service <| name == 'ironic-inspector' |>
|
||||
}
|
||||
Keystone_user_role<| name == "${auth_name}@${tenant}" |> ~> Service <| name == 'ironic-inspector' |>
|
||||
Keystone_user_role<| name == "${auth_name}@::::${system_scope}" |> ~> Service <| name == 'ironic-inspector' |>
|
||||
|
||||
if $configure_endpoint {
|
||||
Keystone_endpoint["${region}/${real_service_name}::${service_type}"] ~> Service <| name == 'ironic-inspector' |>
|
||||
}
|
||||
|
@ -118,6 +133,9 @@ class ironic::keystone::auth_inspector (
|
|||
password => $password,
|
||||
email => $email,
|
||||
tenant => $tenant,
|
||||
roles => $roles,
|
||||
system_scope => $system_scope,
|
||||
system_roles => $system_roles,
|
||||
public_url => $public_url,
|
||||
internal_url => $internal_url,
|
||||
admin_url => $admin_url,
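Review bot: The two new parameter docstrings at L349 and L373 say the roles are assigned to the "ironic user", but this class (`ironic::keystone::auth_inspector`) manages the `ironic-inspector` user (L395), so the comments name the wrong principal; I would change them to `# (Optional) List of roles assigned to the ironic-inspector service user.` and `# (Optional) List of system roles assigned to the ironic-inspector service user.`. `roles` is newly exposed here with the existing `['admin']` default (L404) while `system_roles` defaults to `[]` (L410), which is the correct least-privilege default for the new scope; it would help operators to note in the `system_roles` doc that once system-scoped roles are granted the project-scoped `admin` role in `roles` can usually be dropped, hedged since the policy defaults live outside this module. The collector at L445 drops the former `if $configure_user_role` guard (L433-L439), which is harmless for ordering, but a `name ==` collector also realizes any matching virtual resource and only fires if the title matches exactly what `keystone::resource::service_identity` produces; that call continues outside the hunk.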
|
||||
@ -0,0 +1,19 @@
|
|||
---
|
||||
features:
|
||||
- |
|
||||
The ``system_scope`` parameter has been added to the following classes.
|
||||
|
||||
- ``ironic::api::authtoken``
|
||||
- ``ironic::inspector::authtoken``
|
||||
|
||||
- |
|
||||
The ``ironic::keystone::auth_inspector`` class now supports customizing
|
||||
roles assigned to the ironic-inspector service user.
|
||||
|
||||
- |
|
||||
The ``ironic::keystone::auth`` class now supports defining assignmet of
|
||||
system-scoped roles to the ironic service user.
|
||||
|
||||
- |
|
||||
The ``ironic::keystone::auth_inspector`` class now supports defining
|
||||
assignmet of system-scoped roles to the ironic-inspector service user.
@ -18,6 +18,7 @@ describe 'ironic::api::authtoken' do
|
|||
:project_name => 'services',
|
||||
:user_domain_name => 'Default',
|
||||
:project_domain_name => 'Default',
|
||||
:system_scope => '<SERVICE DEFAULT>',
|
||||
:insecure => '<SERVICE DEFAULT>',
|
||||
:auth_section => '<SERVICE DEFAULT>',
|
||||
:auth_type => 'password',
|
||||
|
@ -62,6 +63,7 @@ describe 'ironic::api::authtoken' do
|
|||
:project_name => 'service_project',
|
||||
:user_domain_name => 'domainX',
|
||||
:project_domain_name => 'domainX',
|
||||
:system_scope => 'all',
|
||||
:insecure => false,
|
||||
:auth_section => 'new_section',
|
||||
:auth_type => 'password',
|
||||
|
@ -103,6 +105,7 @@ describe 'ironic::api::authtoken' do
|
|||
:project_name => 'service_project',
|
||||
:user_domain_name => 'domainX',
|
||||
:project_domain_name => 'domainX',
|
||||
:system_scope => 'all',
|
||||
:insecure => false,
|
||||
:auth_section => 'new_section',
|
||||
:auth_type => 'password',
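Review bot: Each context in this spec now sets `system_scope` alongside `project_name`/`project_domain_name` (L602-L611), but the assertions lie outside the hunks, so it is not visible whether the test checks the property an operator cares about: what value the authtoken section ends up with for `system_scope`, and whether the project-scope keys are still written when a system scope is requested. I would add one example that sets only `system_scope => 'all'` and asserts the resulting config entry (presumably something like `is_expected.to contain_ironic_config('keystone_authtoken/system_scope').with_value('all')`, depending on what keystone::resource::authtoken writes), and keep the default-parameter case asserting `<SERVICE DEFAULT>`, so a later change to the scope precedence in that define is caught here rather than in deployment. The describe block continues outside the hunks.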
|
||||
@ -18,6 +18,7 @@ describe 'ironic::inspector::authtoken' do
|
|||
:project_name => 'services',
|
||||
:user_domain_name => 'Default',
|
||||
:project_domain_name => 'Default',
|
||||
:system_scope => '<SERVICE DEFAULT>',
|
||||
:insecure => '<SERVICE DEFAULT>',
|
||||
:auth_section => '<SERVICE DEFAULT>',
|
||||
:auth_type => 'password',
|
||||
|
@ -62,6 +63,7 @@ describe 'ironic::inspector::authtoken' do
|
|||
:project_name => 'service_project',
|
||||
:user_domain_name => 'domainX',
|
||||
:project_domain_name => 'domainX',
|
||||
:system_scope => 'all',
|
||||
:insecure => false,
|
||||
:auth_section => 'new_section',
|
||||
:auth_type => 'password',
|
||||
|
@ -103,6 +105,7 @@ describe 'ironic::inspector::authtoken' do
|
|||
:project_name => 'service_project',
|
||||
:user_domain_name => 'domainX',
|
||||
:project_domain_name => 'domainX',
|
||||
:system_scope => 'all',
|
||||
:insecure => false,
|
||||
:auth_section => 'new_section',
|
||||
:auth_type => 'password',
|
||||
@ -40,6 +40,9 @@ describe 'ironic::keystone::auth_inspector' do
|
|||
:password => 'ironic-inspector_password',
|
||||
:email => 'ironic-inspector@localhost',
|
||||
:tenant => 'services',
|
||||
:roles => ['admin'],
|
||||
:system_scope => 'all',
|
||||
:system_roles => [],
|
||||
:public_url => 'http://127.0.0.1:5050',
|
||||
:internal_url => 'http://127.0.0.1:5050',
|
||||
:admin_url => 'http://127.0.0.1:5050',
|
||||
|
@ -52,6 +55,9 @@ describe 'ironic::keystone::auth_inspector' do
|
|||
:auth_name => 'alt_ironic-inspector',
|
||||
:email => 'alt_ironic-inspector@alt_localhost',
|
||||
:tenant => 'alt_service',
|
||||
:roles => ['admin', 'service'],
|
||||
:system_scope => 'alt_all',
|
||||
:system_roles => ['admin', 'member', 'reader'],
|
||||
:configure_endpoint => false,
|
||||
:configure_user => false,
|
||||
:configure_user_role => false,
|
||||
|
@ -76,6 +82,9 @@ describe 'ironic::keystone::auth_inspector' do
|
|||
:password => 'ironic-inspector_password',
|
||||
:email => 'alt_ironic-inspector@alt_localhost',
|
||||
:tenant => 'alt_service',
|
||||
:roles => ['admin', 'service'],
|
||||
:system_scope => 'alt_all',
|
||||
:system_roles => ['admin', 'member', 'reader'],
|
||||
:public_url => 'https://10.10.10.10:80',
|
||||
:internal_url => 'http://10.10.10.11:81',
|
||||
:admin_url => 'http://10.10.10.12:81',
|
||||
@ -40,6 +40,8 @@ describe 'ironic::keystone::auth' do
|
|||
:email => 'ironic@localhost',
|
||||
:tenant => 'services',
|
||||
:roles => ['admin'],
|
||||
:system_scope => 'all',
|
||||
:system_roles => [],
|
||||
:public_url => 'http://127.0.0.1:6385',
|
||||
:internal_url => 'http://127.0.0.1:6385',
|
||||
:admin_url => 'http://127.0.0.1:6385',
|
||||
|
@ -53,6 +55,8 @@ describe 'ironic::keystone::auth' do
|
|||
:email => 'alt_ironic@alt_localhost',
|
||||
:tenant => 'alt_service',
|
||||
:roles => ['admin', 'service'],
|
||||
:system_scope => 'alt_all',
|
||||
:system_roles => ['admin', 'member', 'reader'],
|
||||
:configure_endpoint => false,
|
||||
:configure_user => false,
|
||||
:configure_user_role => false,
|
||||
|
@ -78,6 +82,8 @@ describe 'ironic::keystone::auth' do
|
|||
:email => 'alt_ironic@alt_localhost',
|
||||
:tenant => 'alt_service',
|
||||
:roles => ['admin', 'service'],
|
||||
:system_scope => 'alt_all',
|
||||
:system_roles => ['admin', 'member', 'reader'],
|
||||
:public_url => 'https://10.10.10.10:80',
|
||||
:internal_url => 'http://10.10.10.11:81',
|
||||
:admin_url => 'http://10.10.10.12:81',
|
||||