Accept system scope credentials for Keystone API request

This change is the first step to support secure RBAC and allows usage
of system scope credentials for Keystone API requests.

This change covers the following two items.
 - assignment of system scope roles to system user
 - credential parameters for authtoken middleware

Depends-on: https://review.opendev.org/804325
Change-Id: I95a20233f16d652131f398b50ba0da3146e8129e
Takashi Kajinami 2021-11-25 23:13:01 +09:00
parent 4b27c00256
commit 2757d7d333
9 changed files with 90 additions and 8 deletions


@ -28,6 +28,10 @@
# (Optional) Name of domain for $project_name
# Defaults to 'Default'
#
# [*system_scope*]
# (Optional) Scope for system operations
# Defaults to $::os_service_default
#
# [*insecure*]
# (Optional) If true, explicitly allow TLS without checking server cert
# against any certificate authorities. WARNING: not recommended. Use with
@ -199,6 +203,7 @@ class ironic::api::authtoken(
$project_name = 'services',
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$system_scope = $::os_service_default,
$insecure = $::os_service_default,
$auth_section = $::os_service_default,
$auth_type = 'password',
@ -252,6 +257,7 @@ class ironic::api::authtoken(
auth_section => $auth_section,
user_domain_name => $user_domain_name,
project_domain_name => $project_domain_name,
system_scope => $system_scope,
insecure => $insecure,
cache => $cache,
cafile => $cafile,
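Review bot: The new `system_scope` parameter is passed through to `keystone::resource::authtoken` while `project_name`, `user_domain_name` and `project_domain_name` keep their concrete defaults ('services'/'Default'), so a deployer who sets `system_scope` still hands project-scope values to the same resource; whether that resource drops the project scope when `system_scope` is set is decided by the Depends-on change and is not visible here, so it is worth confirming and then stating in the header. I would extend the parameter description to `# (Optional) Scope for system operations. Set this when the service should authenticate with a system-scoped token instead of the project scope given by project_name/project_domain_name.` The `ironic::inspector::authtoken` section has the identical wording and the same question. The class `ironic::api::authtoken` starts and ends outside the hunks.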


@ -28,6 +28,10 @@
# (Optional) Name of domain for $project_name
# Defaults to 'Default'
#
# [*system_scope*]
# (Optional) Scope for system operations
# Defaults to $::os_service_default
#
# [*insecure*]
# (Optional) If true, explicitly allow TLS without checking server cert
# against any certificate authorities. WARNING: not recommended. Use with
@ -198,6 +202,7 @@ class ironic::inspector::authtoken(
$project_name = 'services',
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$system_scope = $::os_service_default,
$insecure = $::os_service_default,
$auth_section = $::os_service_default,
$auth_type = 'password',
@ -251,6 +256,7 @@ class ironic::inspector::authtoken(
auth_section => $auth_section,
user_domain_name => $user_domain_name,
project_domain_name => $project_domain_name,
system_scope => $system_scope,
insecure => $insecure,
cache => $cache,
cafile => $cafile,


@ -37,9 +37,17 @@
# Defaults to 'services'.
#
# [*roles*]
# (Optional) List of roles assigned to the ironic service user
# (Optional) List of roles assigned to ironic user
# Defaults to ['admin']
#
# [*system_scope*]
# (Optional) Scope for system operations.
# Defaults to 'all'
#
# [*system_roles*]
# (Optional) List of system roles assigned to ironic user.
# Defaults to []
#
# [*configure_endpoint*]
# (Optional) Should Ironic endpoint be configured?
# Defaults to true.
@ -97,6 +105,8 @@ class ironic::keystone::auth (
$email = 'ironic@localhost',
$tenant = 'services',
$roles = ['admin'],
$system_scope = 'all',
$system_roles = [],
$configure_endpoint = true,
$configure_user = true,
$configure_user_role = true,
@ -111,9 +121,9 @@ class ironic::keystone::auth (
include ironic::deps
if $configure_user_role {
Keystone_user_role["${auth_name}@${tenant}"] -> Anchor['ironic::service::end']
}
Keystone_user_role<| name == "${auth_name}@${tenant}" |> -> Anchor['ironic::service::end']
Keystone_user_role<| name == "${auth_name}@::::${system_scope}" |> -> Anchor['ironic::service::end']
if $configure_endpoint {
Keystone_endpoint["${region}/${service_name}::${service_type}"] -> Anchor['ironic::service::end']
}
@ -131,6 +141,8 @@ class ironic::keystone::auth (
email => $email,
tenant => $tenant,
roles => $roles,
system_scope => $system_scope,
system_roles => $system_roles,
public_url => $public_url,
internal_url => $internal_url,
admin_url => $admin_url,
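Review bot: The collector title `"${auth_name}@::::${system_scope}"` packs several empty fields between the `::` separators and nothing in the class says which fields they are or why the system-scoped assignment is keyed this way; a one-line comment before that collector, e.g. `# Ordering for the system-scoped role assignment: the title carries no project or domain parts, only the system scope`, would save the next reader a trip to the keystone_user_role type. The `system_roles` description (`List of system roles assigned to ironic user.`) should also say these are system-scoped assignments, not roles on the `services` project, so a deployer does not put 'admin' there without meaning to; the spec's `['admin', 'member', 'reader']` value shows how broad that list can get, and the empty default is the right choice. Replacing the `if $configure_user_role` guard with collectors looks fine, since an unmatched collector orders nothing. The same title pattern and description appear in `ironic::keystone::auth_inspector`; the class body continues outside the hunks.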


@ -33,6 +33,18 @@
# [*tenant*]
# Tenant for Baremetal Introspection user. Defaults to 'services'.
#
# [*roles*]
# (Optional) List of roles assigned to ironic user.
# Defaults to ['admin']
#
# [*system_scope*]
# (Optional) Scope for system operations.
# Defaults to 'all'
#
# [*system_roles*]
# (Optional) List of system roles assigned to ironic user.
# Defaults to []
#
# [*configure_endpoint*]
# Should Baremetal Introspection endpoint be configured? Defaults to 'true'.
#
@ -83,6 +95,9 @@ class ironic::keystone::auth_inspector (
$auth_name = 'ironic-inspector',
$email = 'ironic-inspector@localhost',
$tenant = 'services',
$roles = ['admin'],
$system_scope = 'all',
$system_roles = [],
$configure_endpoint = true,
$configure_user = true,
$configure_user_role = true,
@ -99,11 +114,11 @@ class ironic::keystone::auth_inspector (
$real_service_name = pick($service_name, $auth_name)
if $configure_user_role {
Keystone_user_role["${auth_name}@${tenant}"] ~> Service <| name == 'ironic-inspector' |>
}
Keystone_user_role<| name == "${auth_name}@${tenant}" |> ~> Service <| name == 'ironic-inspector' |>
Keystone_user_role<| name == "${auth_name}@::::${system_scope}" |> ~> Service <| name == 'ironic-inspector' |>
if $configure_endpoint {
Keystone_endpoint["${region}/${real_service_name}::${service_type}"] ~> Service <| name == 'ironic-inspector' |>
Keystone_endpoint["${region}/${real_service_name}::${service_type}"] ~> Service <| name == 'ironic-inspector' |>
}
keystone::resource::service_identity { 'ironic-inspector':
@ -118,6 +133,9 @@ class ironic::keystone::auth_inspector (
password => $password,
email => $email,
tenant => $tenant,
roles => $roles,
system_scope => $system_scope,
system_roles => $system_roles,
public_url => $public_url,
internal_url => $internal_url,
admin_url => $admin_url,
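Review bot: The two new parameter descriptions in this class refer to the wrong user: `roles` and `system_roles` both say "assigned to ironic user" although the surrounding header calls it the Baremetal Introspection user and the resource is `ironic-inspector`. I would change them to `# (Optional) List of roles assigned to the ironic-inspector user.` and `# (Optional) List of system roles assigned to the ironic-inspector user.` Note that `roles` is newly introduced in this class (default ['admin']), whereas `ironic::keystone::auth` already had it, so the release note entry for it is warranted. The class body continues outside the hunks.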


@ -0,0 +1,19 @@
---
features:
- |
The ``system_scope`` parameter has been added to the following classes.
- ``ironic::api::authtoken``
- ``ironic::inspector::authtoken``
- |
The ``ironic::keystone::auth_inspector`` class now supports customizing
roles assigned to the ironic-inspector service user.
- |
The ``ironic::keystone::auth`` class now supports defining assignmet of
system-scoped roles to the ironic service user.
- |
The ``ironic::keystone::auth_inspector`` class now supports defining
assignmet of system-scoped roles to the ironic-inspector service user.


@ -18,6 +18,7 @@ describe 'ironic::api::authtoken' do
:project_name => 'services',
:user_domain_name => 'Default',
:project_domain_name => 'Default',
:system_scope => '<SERVICE DEFAULT>',
:insecure => '<SERVICE DEFAULT>',
:auth_section => '<SERVICE DEFAULT>',
:auth_type => 'password',
@ -62,6 +63,7 @@ describe 'ironic::api::authtoken' do
:project_name => 'service_project',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:system_scope => 'all',
:insecure => false,
:auth_section => 'new_section',
:auth_type => 'password',
@ -103,6 +105,7 @@ describe 'ironic::api::authtoken' do
:project_name => 'service_project',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:system_scope => 'all',
:insecure => false,
:auth_section => 'new_section',
:auth_type => 'password',
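Review bot: Both new cases set `:system_scope => 'all'` together with `:project_name => 'service_project'` and the two domain names, so the spec only checks pass-through and never exercises the configuration the commit is meant to enable, system scope on its own. A third case with `:system_scope => 'all'` and the project parameters left at the class defaults (or set to the service default, if `keystone::resource::authtoken` is expected to ignore them), asserting the resulting authtoken parameters, would pin the intended behaviour. The `ironic::inspector::authtoken` spec has the same gap. The describe block continues outside the hunks.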


@ -18,6 +18,7 @@ describe 'ironic::inspector::authtoken' do
:project_name => 'services',
:user_domain_name => 'Default',
:project_domain_name => 'Default',
:system_scope => '<SERVICE DEFAULT>',
:insecure => '<SERVICE DEFAULT>',
:auth_section => '<SERVICE DEFAULT>',
:auth_type => 'password',
@ -62,6 +63,7 @@ describe 'ironic::inspector::authtoken' do
:project_name => 'service_project',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:system_scope => 'all',
:insecure => false,
:auth_section => 'new_section',
:auth_type => 'password',
@ -103,6 +105,7 @@ describe 'ironic::inspector::authtoken' do
:project_name => 'service_project',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:system_scope => 'all',
:insecure => false,
:auth_section => 'new_section',
:auth_type => 'password',


@ -40,6 +40,9 @@ describe 'ironic::keystone::auth_inspector' do
:password => 'ironic-inspector_password',
:email => 'ironic-inspector@localhost',
:tenant => 'services',
:roles => ['admin'],
:system_scope => 'all',
:system_roles => [],
:public_url => 'http://127.0.0.1:5050',
:internal_url => 'http://127.0.0.1:5050',
:admin_url => 'http://127.0.0.1:5050',
@ -52,6 +55,9 @@ describe 'ironic::keystone::auth_inspector' do
:auth_name => 'alt_ironic-inspector',
:email => 'alt_ironic-inspector@alt_localhost',
:tenant => 'alt_service',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:configure_endpoint => false,
:configure_user => false,
:configure_user_role => false,
@ -76,6 +82,9 @@ describe 'ironic::keystone::auth_inspector' do
:password => 'ironic-inspector_password',
:email => 'alt_ironic-inspector@alt_localhost',
:tenant => 'alt_service',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:public_url => 'https://10.10.10.10:80',
:internal_url => 'http://10.10.10.11:81',
:admin_url => 'http://10.10.10.12:81',


@ -40,6 +40,8 @@ describe 'ironic::keystone::auth' do
:email => 'ironic@localhost',
:tenant => 'services',
:roles => ['admin'],
:system_scope => 'all',
:system_roles => [],
:public_url => 'http://127.0.0.1:6385',
:internal_url => 'http://127.0.0.1:6385',
:admin_url => 'http://127.0.0.1:6385',
@ -53,6 +55,8 @@ describe 'ironic::keystone::auth' do
:email => 'alt_ironic@alt_localhost',
:tenant => 'alt_service',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:configure_endpoint => false,
:configure_user => false,
:configure_user_role => false,
@ -78,6 +82,8 @@ describe 'ironic::keystone::auth' do
:email => 'alt_ironic@alt_localhost',
:tenant => 'alt_service',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:public_url => 'https://10.10.10.10:80',
:internal_url => 'http://10.10.10.11:81',
:admin_url => 'http://10.10.10.12:81',