From 69df6cf15222c9df77a6706d0d6450d03940ef07 Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Fri, 4 Mar 2022 01:04:54 +0900 Subject: [PATCH] Globally support system scope credentials After spending huge effort to understand the exact requirements to enforce SRBAC, we learned it's very difficult to find the required scope in each credential. This requires understanding implementation of client-side as well as server-side, and requirement might be different according to the deployment architecture or features used. Instead of implementing support based on the actual implementation, this introduces support for system scope credentials to all places where keystone user credential is defined, and make all credential configurations consistent. Change-Id: I180c00bf826387176427a85319cb254713d40924 --- manifests/cinder.pp | 20 ++++++- manifests/glance.pp | 20 ++++++- manifests/inspector/ironic.pp | 18 +++++- manifests/inspector/service_catalog.pp | 18 +++++- manifests/inspector/swift.pp | 18 +++++- manifests/neutron.pp | 18 +++++- manifests/service_catalog.pp | 18 +++++- manifests/swift.pp | 20 ++++++- .../system_scope-all-35a686d082e4b1cc.yaml | 12 ++++ spec/classes/ironic_cinder_spec.rb | 32 +++++++--- spec/classes/ironic_glance_spec.rb | 58 ++++++++++++------- spec/classes/ironic_inspector_ironic_spec.rb | 36 ++++++++---- .../ironic_inspector_service_catalog_spec.rb | 32 +++++++--- spec/classes/ironic_inspector_swift_spec.rb | 36 ++++++++---- spec/classes/ironic_neutron_spec.rb | 34 +++++++---- spec/classes/ironic_service_catalog_spec.rb | 32 +++++++--- spec/classes/ironic_swift_spec.rb | 32 +++++++--- 17 files changed, 348 insertions(+), 106 deletions(-) create mode 100644 releasenotes/notes/system_scope-all-35a686d082e4b1cc.yaml diff --git a/manifests/cinder.pp b/manifests/cinder.pp index f51723a1..d5169416 100644 --- a/manifests/cinder.pp +++ b/manifests/cinder.pp 
@@ -40,6 +40,10 @@ # The name of project's domain (required for Identity V3). # Defaults to 'Default' # +# [*system_scope*] +# (Optional) Scope for system operations +# Defaults to $::os_service_default +# # [*region_name*] # (optional) Region name for connecting to cinder in admin context # through the OpenStack Identity service. @@ -57,18 +61,30 @@ class ironic::cinder ( $password = $::os_service_default, $user_domain_name = 'Default', $project_domain_name = 'Default', + $system_scope = $::os_service_default, $region_name = $::os_service_default, $endpoint_override = $::os_service_default, ) { + include ironic::deps + + if is_service_default($system_scope) { + $project_name_real = $project_name + $project_domain_name_real = $project_domain_name + } else { + $project_name_real = $::os_service_default + $project_domain_name_real = $::os_service_default + } + ironic_config { 'cinder/auth_type': value => $auth_type; 'cinder/username': value => $username; 'cinder/password': value => $password, secret => true; 'cinder/auth_url': value => $auth_url; - 'cinder/project_name': value => $project_name; + 'cinder/project_name': value => $project_name_real; 'cinder/user_domain_name': value => $user_domain_name; - 'cinder/project_domain_name': value => $project_domain_name; + 'cinder/project_domain_name': value => $project_domain_name_real; + 'cinder/system_scope': value => $system_scope; 'cinder/region_name': value => $region_name; 'cinder/endpoint_override': value => $endpoint_override; } diff --git a/manifests/glance.pp b/manifests/glance.pp index 03c8aaf9..0c2108ff 100644 --- a/manifests/glance.pp +++ b/manifests/glance.pp @@ -40,6 +40,10 @@ # The name of project's domain (required for Identity V3). # Defaults to 'Default' # +# [*system_scope*] +# (Optional) Scope for system operations +# Defaults to $::os_service_default +# # [*region_name*] # (optional) Region name for connecting to glance in admin context # through the OpenStack Identity service. 
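Review bot: The new `system_scope` entry in the parameter docs of manifests/cinder.pp says only "Scope for system operations" and does not tell the operator that setting it replaces `project_name` and `project_domain_name` with `$::os_service_default`. That changes which scope the service credential authenticates with, so I would state it in the doc block, for example `# (Optional) Scope for system operations. When set, project_name and` followed by `# project_domain_name are reset to the service default.` The same doc text is added unchanged to glance.pp, neutron.pp, service_catalog.pp, swift.pp and the three inspector manifests.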
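Review bot: In the `ironic::cinder` body, `is_service_default($system_scope)` is the only check on the new parameter, so any other value, including an empty string or a typo, takes the else branch, drops the project scope and is written to `cinder/system_scope` as given. The specs in this commit exercise only `'all'`; if that is the only value the Identity service accepts (I believe so, but the diff does not show it), a guard such as `if !is_service_default($system_scope) and $system_scope != 'all' { fail('system_scope must be all') }` would turn a mis-scoped credential into a catalog compile error instead of an authentication failure at run time. The same unchecked conditional is added to the other seven manifests in this commit.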
@@ -103,6 +107,7 @@ class ironic::glance ( $password = $::os_service_default, $user_domain_name = 'Default', $project_domain_name = 'Default', + $system_scope = $::os_service_default, $region_name = $::os_service_default, $num_retries = $::os_service_default, $api_insecure = $::os_service_default, @@ -117,6 +122,8 @@ class ironic::glance ( $swift_account_project_name = undef, ) { + include ironic::deps + if $api_servers { warning("The ironic::glance::api_servers parameter is deprecated and \ has no effect. Please use ironic::glance::endpoint_override instead.") @@ -130,14 +137,23 @@ has no effect. Please use ironic::glance::endpoint_override instead.") fail('swift_account_project_name and swift_account can not be specified in the same time.') } + if is_service_default($system_scope) { + $project_name_real = $project_name + $project_domain_name_real = $project_domain_name + } else { + $project_name_real = $::os_service_default + $project_domain_name_real = $::os_service_default + } + ironic_config { 'glance/auth_type': value => $auth_type; 'glance/username': value => $username; 'glance/password': value => $password, secret => true; 'glance/auth_url': value => $auth_url; - 'glance/project_name': value => $project_name; + 'glance/project_name': value => $project_name_real; 'glance/user_domain_name': value => $user_domain_name; - 'glance/project_domain_name': value => $project_domain_name; + 'glance/project_domain_name': value => $project_domain_name_real; + 'glance/system_scope': value => $system_scope; 'glance/region_name': value => $region_name; 'glance/num_retries': value => $num_retries; 'glance/insecure': value => $api_insecure; diff --git a/manifests/inspector/ironic.pp b/manifests/inspector/ironic.pp index 73c4429a..f31568c8 100644 --- a/manifests/inspector/ironic.pp +++ b/manifests/inspector/ironic.pp 
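Review bot: The `if is_service_default($system_scope)` block added to `ironic::glance` is a copy of the one added to cinder.pp, and the commit repeats it in six more classes. This is a point of style, not a defect: eight copies of the logic that decides a credential's scope must be kept in step by hand, and a later change to one of them is easy to miss in review. A small shared Puppet function that takes `$system_scope`, `$project_name` and `$project_domain_name` and returns the effective project values would leave a single place to audit.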
@@ -40,6 +40,10 @@ # The name of project's domain (required for Identity V3). # Defaults to 'Default' # +# [*system_scope*] +# (Optional) Scope for system operations +# Defaults to $::os_service_default +# # [*region_name*] # (optional) Region name for connecting to ironic in admin context # through the OpenStack Identity service. @@ -65,20 +69,30 @@ class ironic::inspector::ironic ( $password = $::os_service_default, $user_domain_name = 'Default', $project_domain_name = 'Default', + $system_scope = $::os_service_default, $region_name = $::os_service_default, $endpoint_override = $::os_service_default, $max_retries = $::os_service_default, $retry_interval = $::os_service_default, ) { + if is_service_default($system_scope) { + $project_name_real = $project_name + $project_domain_name_real = $project_domain_name + } else { + $project_name_real = $::os_service_default + $project_domain_name_real = $::os_service_default + } + ironic_inspector_config { 'ironic/auth_type': value => $auth_type; 'ironic/username': value => $username; 'ironic/password': value => $password, secret => true; 'ironic/auth_url': value => $auth_url; - 'ironic/project_name': value => $project_name; + 'ironic/project_name': value => $project_name_real; 'ironic/user_domain_name': value => $user_domain_name; - 'ironic/project_domain_name': value => $project_domain_name; + 'ironic/project_domain_name': value => $project_domain_name_real; + 'ironic/system_scope': value => $system_scope; 'ironic/region_name': value => $region_name; 'ironic/endpoint_override': value => $endpoint_override; 'ironic/max_retries': value => $max_retries; diff --git a/manifests/inspector/service_catalog.pp b/manifests/inspector/service_catalog.pp index c37e3253..dcf2aa04 100644 --- a/manifests/inspector/service_catalog.pp +++ b/manifests/inspector/service_catalog.pp 
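Review bot: `ironic::inspector::ironic` gets the new conditional directly after `) {` but not the `include ironic::deps` line that this commit adds to cinder.pp, glance.pp and swift.pp; manifests/inspector/swift.pp is left in the same state. If that include is what orders the `ironic_inspector_config` resources relative to the rest of the module (its contents are not visible in this diff), both classes should start their body with `include ironic::deps` too. If they are left out on purpose, a one-line comment saying why would save the next reader the question.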
@@ -40,6 +40,10 @@ # The name of project's domain (required for Identity V3). # Defaults to 'Default' # +# [*system_scope*] +# (Optional) Scope for system operations +# Defaults to $::os_service_default +# # [*region_name*] # (optional) Region name for accessing Keystone catalog # through the OpenStack Identity service. @@ -57,20 +61,30 @@ class ironic::inspector::service_catalog ( $password = $::os_service_default, $user_domain_name = 'Default', $project_domain_name = 'Default', + $system_scope = $::os_service_default, $region_name = $::os_service_default, $endpoint_override = $::os_service_default, ) { include ironic::deps + if is_service_default($system_scope) { + $project_name_real = $project_name + $project_domain_name_real = $project_domain_name + } else { + $project_name_real = $::os_service_default + $project_domain_name_real = $::os_service_default + } + ironic_inspector_config { 'service_catalog/auth_type': value => $auth_type; 'service_catalog/username': value => $username; 'service_catalog/password': value => $password, secret => true; 'service_catalog/auth_url': value => $auth_url; - 'service_catalog/project_name': value => $project_name; + 'service_catalog/project_name': value => $project_name_real; 'service_catalog/user_domain_name': value => $user_domain_name; - 'service_catalog/project_domain_name': value => $project_domain_name; + 'service_catalog/project_domain_name': value => $project_domain_name_real; + 'service_catalog/system_scope': value => $system_scope; 'service_catalog/region_name': value => $region_name; 'service_catalog/endpoint_override': value => $endpoint_override; } diff --git a/manifests/inspector/swift.pp b/manifests/inspector/swift.pp index e8934658..a891d4ea 100644 --- a/manifests/inspector/swift.pp +++ b/manifests/inspector/swift.pp 
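Review bot: `ironic::inspector::service_catalog` gains `system_scope` in this hunk, but the release note added by the same commit lists seven classes and this one is not among them. Operators who read the note to learn where system-scoped credentials can be configured will miss it. Adding a bullet for `ironic::inspector::service_catalog` to the list in releasenotes/notes/system_scope-all-35a686d082e4b1cc.yaml fixes that.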
@@ -40,6 +40,10 @@ # The name of project's domain (required for Identity V3). # Defaults to 'Default' # +# [*system_scope*] +# (Optional) Scope for system operations +# Defaults to $::os_service_default +# # [*region_name*] # (optional) Region name for connecting to swift in admin context # through the OpenStack Identity service. @@ -67,20 +71,30 @@ class ironic::inspector::swift ( $password = $::os_service_default, $user_domain_name = 'Default', $project_domain_name = 'Default', + $system_scope = $::os_service_default, $region_name = $::os_service_default, $endpoint_override = $::os_service_default, $container = $::os_service_default, $delete_after = $::os_service_default, ) { + if is_service_default($system_scope) { + $project_name_real = $project_name + $project_domain_name_real = $project_domain_name + } else { + $project_name_real = $::os_service_default + $project_domain_name_real = $::os_service_default + } + ironic_inspector_config { 'swift/auth_type': value => $auth_type; 'swift/username': value => $username; 'swift/password': value => $password, secret => true; 'swift/auth_url': value => $auth_url; - 'swift/project_name': value => $project_name; + 'swift/project_name': value => $project_name_real; 'swift/user_domain_name': value => $user_domain_name; - 'swift/project_domain_name': value => $project_domain_name; + 'swift/project_domain_name': value => $project_domain_name_real; + 'swift/system_scope': value => $system_scope; 'swift/region_name': value => $region_name; 'swift/endpoint_override': value => $endpoint_override; 'swift/container': value => $container; diff --git a/manifests/neutron.pp b/manifests/neutron.pp index 04eb95bf..05b3afec 100644 --- a/manifests/neutron.pp +++ b/manifests/neutron.pp 
@@ -40,6 +40,10 @@ # The name of project's domain (required for Identity V3). # Defaults to 'Default' # +# [*system_scope*] +# (Optional) Scope for system operations +# Defaults to $::os_service_default +# # [*region_name*] # (optional) Region name for connecting to neutron in admin context # through the OpenStack Identity service. @@ -72,6 +76,7 @@ class ironic::neutron ( $password = $::os_service_default, $user_domain_name = 'Default', $project_domain_name = 'Default', + $system_scope = $::os_service_default, $region_name = $::os_service_default, $endpoint_override = $::os_service_default, $dhcpv6_stateful_address_count = $::os_service_default, @@ -84,14 +89,23 @@ class ironic::neutron ( has no effect. Please use ironic::neutron::endpoint_override instead.") } + if is_service_default($system_scope) { + $project_name_real = $project_name + $project_domain_name_real = $project_domain_name + } else { + $project_name_real = $::os_service_default + $project_domain_name_real = $::os_service_default + } + ironic_config { 'neutron/auth_type': value => $auth_type; 'neutron/username': value => $username; 'neutron/password': value => $password, secret => true; 'neutron/auth_url': value => $auth_url; - 'neutron/project_name': value => $project_name; + 'neutron/project_name': value => $project_name_real; 'neutron/user_domain_name': value => $user_domain_name; - 'neutron/project_domain_name': value => $project_domain_name; + 'neutron/project_domain_name': value => $project_domain_name_real; + 'neutron/system_scope': value => $system_scope; 'neutron/region_name': value => $region_name; 'neutron/endpoint_override': value => $endpoint_override; 'neutron/dhcpv6_stateful_address_count': value => $dhcpv6_stateful_address_count; diff --git a/manifests/service_catalog.pp b/manifests/service_catalog.pp index 9a55e4a7..9065d6d9 100644 --- a/manifests/service_catalog.pp +++ b/manifests/service_catalog.pp 
@@ -40,6 +40,10 @@ # The name of project's domain (required for Identity V3). # Defaults to 'Default' # +# [*system_scope*] +# (Optional) Scope for system operations +# Defaults to $::os_service_default +# # [*region_name*] # (optional) Region name for accessing Keystone catalog # through the OpenStack Identity service. @@ -57,20 +61,30 @@ class ironic::service_catalog ( $password = $::os_service_default, $user_domain_name = 'Default', $project_domain_name = 'Default', + $system_scope = $::os_service_default, $region_name = $::os_service_default, $endpoint_override = $::os_service_default, ) { include ironic::deps + if is_service_default($system_scope) { + $project_name_real = $project_name + $project_domain_name_real = $project_domain_name + } else { + $project_name_real = $::os_service_default + $project_domain_name_real = $::os_service_default + } + ironic_config { 'service_catalog/auth_type': value => $auth_type; 'service_catalog/username': value => $username; 'service_catalog/password': value => $password, secret => true; 'service_catalog/auth_url': value => $auth_url; - 'service_catalog/project_name': value => $project_name; + 'service_catalog/project_name': value => $project_name_real; 'service_catalog/user_domain_name': value => $user_domain_name; - 'service_catalog/project_domain_name': value => $project_domain_name; + 'service_catalog/project_domain_name': value => $project_domain_name_real; + 'service_catalog/system_scope': value => $system_scope; 'service_catalog/region_name': value => $region_name; 'service_catalog/endpoint_override': value => $endpoint_override; } diff --git a/manifests/swift.pp b/manifests/swift.pp index 0484fc25..c13ba4d2 100644 --- a/manifests/swift.pp +++ b/manifests/swift.pp 
@@ -40,6 +40,10 @@ # The name of project's domain (required for Identity V3). # Defaults to 'Default' # +# [*system_scope*] +# (Optional) Scope for system operations +# Defaults to $::os_service_default +# # [*region_name*] # (optional) Region name for connecting to swift in admin context # through the OpenStack Identity service. @@ -57,18 +61,30 @@ class ironic::swift ( $password = $::os_service_default, $user_domain_name = 'Default', $project_domain_name = 'Default', + $system_scope = $::os_service_default, $region_name = $::os_service_default, $endpoint_override = $::os_service_default, ) { + include ironic::deps + + if is_service_default($system_scope) { + $project_name_real = $project_name + $project_domain_name_real = $project_domain_name + } else { + $project_name_real = $::os_service_default + $project_domain_name_real = $::os_service_default + } + ironic_config { 'swift/auth_type': value => $auth_type; 'swift/username': value => $username; 'swift/password': value => $password, secret => true; 'swift/auth_url': value => $auth_url; - 'swift/project_name': value => $project_name; + 'swift/project_name': value => $project_name_real; 'swift/user_domain_name': value => $user_domain_name; - 'swift/project_domain_name': value => $project_domain_name; + 'swift/project_domain_name': value => $project_domain_name_real; + 'swift/system_scope': value => $system_scope; 'swift/region_name': value => $region_name; 'swift/endpoint_override': value => $endpoint_override; } diff --git a/releasenotes/notes/system_scope-all-35a686d082e4b1cc.yaml b/releasenotes/notes/system_scope-all-35a686d082e4b1cc.yaml new file mode 100644 index 00000000..f5e4f150 --- /dev/null +++ b/releasenotes/notes/system_scope-all-35a686d082e4b1cc.yaml 
@@ -0,0 +1,12 @@ +--- +features: + - | + The new ``system_scope`` parameter has been added to the following classes. + + - ``ironic::cinder`` + - ``ironic::glance`` + - ``ironic::neutron`` + - ``ironic::service_catalog`` + - ``ironic::swift`` + - ``ironic::inspector::ironic`` + - ``ironic::inspector::swift`` diff --git a/spec/classes/ironic_cinder_spec.rb b/spec/classes/ironic_cinder_spec.rb index 60cd1b35..669e9f0b 100644 --- a/spec/classes/ironic_cinder_spec.rb +++ b/spec/classes/ironic_cinder_spec.rb @@ -41,6 +41,7 @@ describe 'ironic::cinder' do is_expected.to contain_ironic_config('cinder/password').with_value('').with_secret(true) is_expected.to contain_ironic_config('cinder/user_domain_name').with_value('Default') is_expected.to contain_ironic_config('cinder/project_domain_name').with_value('Default') + is_expected.to contain_ironic_config('cinder/system_scope').with_value('') is_expected.to contain_ironic_config('cinder/region_name').with_value('') is_expected.to contain_ironic_config('cinder/endpoint_override').with_value('') end @@ -48,15 +49,15 @@ describe 'ironic::cinder' do context 'when overriding parameters' do before :each do params.merge!( - :auth_type => 'noauth', - :auth_url => 'http://example.com', - :project_name => 'project1', - :username => 'admin', - :password => 'pa$$w0rd', - :user_domain_name => 'NonDefault', - :project_domain_name => 'NonDefault', - :region_name => 'regionTwo', - :endpoint_override => 'http://example2.com', + :auth_type => 'noauth', + :auth_url => 'http://example.com', + :project_name => 'project1', + :username => 'admin', + :password => 'pa$$w0rd', + :user_domain_name => 'NonDefault', + :project_domain_name => 'NonDefault', + :region_name => 'regionTwo', + :endpoint_override => 'http://example2.com', ) end 
@@ -68,11 +69,24 @@ describe 'ironic::cinder' do is_expected.to contain_ironic_config('cinder/password').with_value(p[:password]).with_secret(true) is_expected.to contain_ironic_config('cinder/user_domain_name').with_value(p[:user_domain_name]) is_expected.to contain_ironic_config('cinder/project_domain_name').with_value(p[:project_domain_name]) + is_expected.to contain_ironic_config('cinder/system_scope').with_value('') is_expected.to contain_ironic_config('cinder/region_name').with_value(p[:region_name]) is_expected.to contain_ironic_config('cinder/endpoint_override').with_value(p[:endpoint_override]) end end + context 'when system_scope is set' do + before do + params.merge!( + :system_scope => 'all' + ) + end + it 'configures system-scoped credential' do + is_expected.to contain_ironic_config('cinder/project_domain_name').with_value('') + is_expected.to contain_ironic_config('cinder/project_name').with_value('') + is_expected.to contain_ironic_config('cinder/system_scope').with_value('all') + end + end end on_supported_os({ diff --git a/spec/classes/ironic_glance_spec.rb b/spec/classes/ironic_glance_spec.rb index c8a9a95a..402453b7 100644 --- a/spec/classes/ironic_glance_spec.rb +++ b/spec/classes/ironic_glance_spec.rb 
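Review bot: The new `when system_scope is set` context merges only `:system_scope => 'all'`, so it shows that the class defaults for the project fields are dropped but not that explicitly passed ones are. Merging `:project_name => 'project1'` and `:project_domain_name => 'NonDefault'` alongside it would pin the case an operator hits when migrating an existing project-scoped configuration. I would also assert in this context that `cinder/username` and `cinder/user_domain_name` are still written, since only the project fields are meant to change. The other spec files in this commit add the same context with the same gap.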
@@ -41,37 +41,38 @@ describe 'ironic::glance' do is_expected.to contain_ironic_config('glance/password').with_value('').with_secret(true) is_expected.to contain_ironic_config('glance/user_domain_name').with_value('Default') is_expected.to contain_ironic_config('glance/project_domain_name').with_value('Default') + is_expected.to contain_ironic_config('glance/system_scope').with_value('') is_expected.to contain_ironic_config('glance/region_name').with_value('') is_expected.to contain_ironic_config('glance/insecure').with_value('') is_expected.to contain_ironic_config('glance/num_retries').with_value('') - is_expected.to contain_ironic_config('glance/swift_account').with(:value => '') - is_expected.to contain_ironic_config('glance/swift_container').with(:value => '') - is_expected.to contain_ironic_config('glance/swift_endpoint_url').with(:value => '') - is_expected.to contain_ironic_config('glance/swift_temp_url_key').with(:value => '').with_secret(true) - is_expected.to contain_ironic_config('glance/swift_temp_url_duration').with(:value => '') + is_expected.to contain_ironic_config('glance/swift_account').with_value('') + is_expected.to contain_ironic_config('glance/swift_container').with_value('') + is_expected.to contain_ironic_config('glance/swift_endpoint_url').with_value('') + is_expected.to contain_ironic_config('glance/swift_temp_url_key').with_value('').with_secret(true) + is_expected.to contain_ironic_config('glance/swift_temp_url_duration').with_value('') is_expected.to contain_ironic_config('glance/endpoint_override').with_value('') end context 'when overriding parameters' do before :each do params.merge!( - :auth_type => 'noauth', - :auth_url => 'http://example.com', - :project_name => 'project1', - :username => 'admin', - :password => 'pa$$w0rd', - :user_domain_name => 'NonDefault', - :project_domain_name => 'NonDefault', - :region_name => 'regionTwo', - :api_servers => '10.0.0.1:9292', - :api_insecure => true, - :num_retries => 42, - :swift_account => 
'00000000-0000-0000-0000-000000000000', - :swift_container => 'glance', - :swift_endpoint_url => 'http://example2.com', - :swift_temp_url_key => 'the-key', - :swift_temp_url_duration => 3600, - :endpoint_override => 'http://example2.com', + :auth_type => 'noauth', + :auth_url => 'http://example.com', + :project_name => 'project1', + :username => 'admin', + :password => 'pa$$w0rd', + :user_domain_name => 'NonDefault', + :project_domain_name => 'NonDefault', + :region_name => 'regionTwo', + :api_servers => '10.0.0.1:9292', + :api_insecure => true, + :num_retries => 42, + :swift_account => '00000000-0000-0000-0000-000000000000', + :swift_container => 'glance', + :swift_endpoint_url => 'http://example2.com', + :swift_temp_url_key => 'the-key', + :swift_temp_url_duration => 3600, + :endpoint_override => 'http://example2.com', ) end @@ -83,6 +84,7 @@ describe 'ironic::glance' do is_expected.to contain_ironic_config('glance/password').with_value(p[:password]).with_secret(true) is_expected.to contain_ironic_config('glance/user_domain_name').with_value(p[:user_domain_name]) is_expected.to contain_ironic_config('glance/project_domain_name').with_value(p[:project_domain_name]) + is_expected.to contain_ironic_config('glance/system_scope').with_value('') is_expected.to contain_ironic_config('glance/region_name').with_value(p[:region_name]) is_expected.to contain_ironic_config('glance/insecure').with_value(p[:api_insecure]) is_expected.to contain_ironic_config('glance/num_retries').with_value(p[:num_retries]) 
@@ -106,6 +108,18 @@ describe 'ironic::glance' do end end + context 'when system_scope is set' do + before do + params.merge!( + :system_scope => 'all' + ) + end + it 'configures system-scoped credential' do + is_expected.to contain_ironic_config('glance/project_domain_name').with_value('') + is_expected.to contain_ironic_config('glance/project_name').with_value('') + is_expected.to contain_ironic_config('glance/system_scope').with_value('all') + end + end end on_supported_os({ diff --git a/spec/classes/ironic_inspector_ironic_spec.rb b/spec/classes/ironic_inspector_ironic_spec.rb index f5b83d4f..0e4f5ded 100644 --- a/spec/classes/ironic_inspector_ironic_spec.rb +++ b/spec/classes/ironic_inspector_ironic_spec.rb @@ -42,6 +42,7 @@ describe 'ironic::inspector::ironic' do is_expected.to contain_ironic_inspector_config('ironic/password').with_value('').with_secret(true) is_expected.to contain_ironic_inspector_config('ironic/user_domain_name').with_value('Default') is_expected.to contain_ironic_inspector_config('ironic/project_domain_name').with_value('Default') + is_expected.to contain_ironic_inspector_config('ironic/system_scope').with_value('') is_expected.to contain_ironic_inspector_config('ironic/region_name').with_value('') is_expected.to contain_ironic_inspector_config('ironic/endpoint_override').with_value('') is_expected.to contain_ironic_inspector_config('ironic/max_retries').with_value('') 
@@ -51,17 +52,17 @@ describe 'ironic::inspector::ironic' do context 'when overriding parameters' do before :each do params.merge!( - :auth_type => 'noauth', - :auth_url => 'http://example.com', - :project_name => 'project1', - :username => 'admin', - :password => 'pa$$w0rd', - :user_domain_name => 'NonDefault', - :project_domain_name => 'NonDefault', - :region_name => 'regionTwo', - :endpoint_override => 'http://example2.com', - :max_retries => 30, - :retry_interval => 2, + :auth_type => 'noauth', + :auth_url => 'http://example.com', + :project_name => 'project1', + :username => 'admin', + :password => 'pa$$w0rd', + :user_domain_name => 'NonDefault', + :project_domain_name => 'NonDefault', + :region_name => 'regionTwo', + :endpoint_override => 'http://example2.com', + :max_retries => 30, + :retry_interval => 2, ) end @@ -73,6 +74,7 @@ describe 'ironic::inspector::ironic' do is_expected.to contain_ironic_inspector_config('ironic/password').with_value(p[:password]).with_secret(true) is_expected.to contain_ironic_inspector_config('ironic/user_domain_name').with_value(p[:user_domain_name]) is_expected.to contain_ironic_inspector_config('ironic/project_domain_name').with_value(p[:project_domain_name]) + is_expected.to contain_ironic_inspector_config('ironic/system_scope').with_value('') is_expected.to contain_ironic_inspector_config('ironic/region_name').with_value(p[:region_name]) is_expected.to contain_ironic_inspector_config('ironic/endpoint_override').with_value(p[:endpoint_override]) is_expected.to contain_ironic_inspector_config('ironic/max_retries').with_value(p[:max_retries]) 
@@ -80,6 +82,18 @@ describe 'ironic::inspector::ironic' do end end + context 'when system_scope is set' do + before do + params.merge!( + :system_scope => 'all' + ) + end + it 'configures system-scoped credential' do + is_expected.to contain_ironic_inspector_config('ironic/project_domain_name').with_value('') + is_expected.to contain_ironic_inspector_config('ironic/project_name').with_value('') + is_expected.to contain_ironic_inspector_config('ironic/system_scope').with_value('all') + end + end end on_supported_os({ diff --git a/spec/classes/ironic_inspector_service_catalog_spec.rb b/spec/classes/ironic_inspector_service_catalog_spec.rb index 90def994..da236cca 100644 --- a/spec/classes/ironic_inspector_service_catalog_spec.rb +++ b/spec/classes/ironic_inspector_service_catalog_spec.rb @@ -41,6 +41,7 @@ describe 'ironic::inspector::service_catalog' do is_expected.to contain_ironic_inspector_config('service_catalog/password').with_value('').with_secret(true) is_expected.to contain_ironic_inspector_config('service_catalog/user_domain_name').with_value('Default') is_expected.to contain_ironic_inspector_config('service_catalog/project_domain_name').with_value('Default') + is_expected.to contain_ironic_inspector_config('service_catalog/system_scope').with_value('') is_expected.to contain_ironic_inspector_config('service_catalog/region_name').with_value('') is_expected.to contain_ironic_inspector_config('service_catalog/endpoint_override').with_value('') end 
@@ -48,15 +49,15 @@ describe 'ironic::inspector::service_catalog' do context 'when overriding parameters' do before :each do params.merge!( - :auth_type => 'noauth', - :auth_url => 'http://example.com', - :project_name => 'project1', - :username => 'admin', - :password => 'pa$$w0rd', - :user_domain_name => 'NonDefault', - :project_domain_name => 'NonDefault', - :region_name => 'regionTwo', - :endpoint_override => 'http://example2.com', + :auth_type => 'noauth', + :auth_url => 'http://example.com', + :project_name => 'project1', + :username => 'admin', + :password => 'pa$$w0rd', + :user_domain_name => 'NonDefault', + :project_domain_name => 'NonDefault', + :region_name => 'regionTwo', + :endpoint_override => 'http://example2.com', ) end @@ -68,11 +69,24 @@ describe 'ironic::inspector::service_catalog' do is_expected.to contain_ironic_inspector_config('service_catalog/password').with_value(p[:password]).with_secret(true) is_expected.to contain_ironic_inspector_config('service_catalog/user_domain_name').with_value(p[:user_domain_name]) is_expected.to contain_ironic_inspector_config('service_catalog/project_domain_name').with_value(p[:project_domain_name]) + is_expected.to contain_ironic_inspector_config('service_catalog/system_scope').with_value('') is_expected.to contain_ironic_inspector_config('service_catalog/region_name').with_value(p[:region_name]) is_expected.to contain_ironic_inspector_config('service_catalog/endpoint_override').with_value(p[:endpoint_override]) end end + context 'when system_scope is set' do + before do + params.merge!( + :system_scope => 'all' + ) + end + it 'configures system-scoped credential' do + is_expected.to contain_ironic_inspector_config('service_catalog/project_domain_name').with_value('') + is_expected.to contain_ironic_inspector_config('service_catalog/project_name').with_value('') + is_expected.to contain_ironic_inspector_config('service_catalog/system_scope').with_value('all') + end + end end on_supported_os({ 
diff --git a/spec/classes/ironic_inspector_swift_spec.rb b/spec/classes/ironic_inspector_swift_spec.rb index 90f70797..3f848ae7 100644 --- a/spec/classes/ironic_inspector_swift_spec.rb +++ b/spec/classes/ironic_inspector_swift_spec.rb @@ -42,6 +42,7 @@ describe 'ironic::inspector::swift' do is_expected.to contain_ironic_inspector_config('swift/user_domain_name').with_value('Default') is_expected.to contain_ironic_inspector_config('swift/project_domain_name').with_value('Default') is_expected.to contain_ironic_inspector_config('swift/region_name').with_value('') + is_expected.to contain_ironic_inspector_config('swift/system_scope').with_value('') is_expected.to contain_ironic_inspector_config('swift/endpoint_override').with_value('') is_expected.to contain_ironic_inspector_config('swift/container').with_value('') is_expected.to contain_ironic_inspector_config('swift/delete_after').with_value('') @@ -50,17 +51,17 @@ describe 'ironic::inspector::swift' do context 'when overriding parameters' do before :each do params.merge!( - :auth_type => 'noauth', - :auth_url => 'http://example.com', - :project_name => 'project1', - :username => 'admin', - :password => 'pa$$w0rd', - :user_domain_name => 'NonDefault', - :project_domain_name => 'NonDefault', - :region_name => 'regionTwo', - :endpoint_override => 'http://example2.com', - :container => 'mycontainer', - :delete_after => 0, + :auth_type => 'noauth', + :auth_url => 'http://example.com', + :project_name => 'project1', + :username => 'admin', + :password => 'pa$$w0rd', + :user_domain_name => 'NonDefault', + :project_domain_name => 'NonDefault', + :region_name => 'regionTwo', + :endpoint_override => 'http://example2.com', + :container => 'mycontainer', + :delete_after => 0, ) end 
@@ -73,12 +74,25 @@ describe 'ironic::inspector::swift' do is_expected.to contain_ironic_inspector_config('swift/user_domain_name').with_value(p[:user_domain_name]) is_expected.to contain_ironic_inspector_config('swift/project_domain_name').with_value(p[:project_domain_name]) is_expected.to contain_ironic_inspector_config('swift/region_name').with_value(p[:region_name]) + is_expected.to contain_ironic_inspector_config('swift/system_scope').with_value('') is_expected.to contain_ironic_inspector_config('swift/endpoint_override').with_value(p[:endpoint_override]) is_expected.to contain_ironic_inspector_config('swift/container').with_value(p[:container]) is_expected.to contain_ironic_inspector_config('swift/delete_after').with_value(0) end end + context 'when system_scope is set' do + before do + params.merge!( + :system_scope => 'all' + ) + end + it 'configures system-scoped credential' do + is_expected.to contain_ironic_inspector_config('swift/project_domain_name').with_value('') + is_expected.to contain_ironic_inspector_config('swift/project_name').with_value('') + is_expected.to contain_ironic_inspector_config('swift/system_scope').with_value('all') + end + end end on_supported_os({ diff --git a/spec/classes/ironic_neutron_spec.rb b/spec/classes/ironic_neutron_spec.rb index 02fe2d43..6b82d4b6 100644 --- a/spec/classes/ironic_neutron_spec.rb +++ b/spec/classes/ironic_neutron_spec.rb 
@@ -41,6 +41,7 @@ describe 'ironic::neutron' do is_expected.to contain_ironic_config('neutron/password').with_value('').with_secret(true) is_expected.to contain_ironic_config('neutron/user_domain_name').with_value('Default') is_expected.to contain_ironic_config('neutron/project_domain_name').with_value('Default') + is_expected.to contain_ironic_config('neutron/system_scope').with_value('') is_expected.to contain_ironic_config('neutron/region_name').with_value('') is_expected.to contain_ironic_config('neutron/endpoint_override').with_value('') is_expected.to contain_ironic_config('neutron/dhcpv6_stateful_address_count').with_value('') @@ -49,16 +50,16 @@ describe 'ironic::neutron' do context 'when overriding parameters' do before :each do params.merge!( - :auth_type => 'noauth', - :auth_url => 'http://example.com', - :project_name => 'project1', - :username => 'admin', - :password => 'pa$$w0rd', - :user_domain_name => 'NonDefault', - :project_domain_name => 'NonDefault', - :region_name => 'regionTwo', - :endpoint_override => 'http://example2.com', - :dhcpv6_stateful_address_count => 8, + :auth_type => 'noauth', + :auth_url => 'http://example.com', + :project_name => 'project1', + :username => 'admin', + :password => 'pa$$w0rd', + :user_domain_name => 'NonDefault', + :project_domain_name => 'NonDefault', + :region_name => 'regionTwo', + :endpoint_override => 'http://example2.com', + :dhcpv6_stateful_address_count => 8, ) end 
@@ -70,12 +71,25 @@ describe 'ironic::neutron' do is_expected.to contain_ironic_config('neutron/password').with_value(p[:password]).with_secret(true) is_expected.to contain_ironic_config('neutron/user_domain_name').with_value(p[:user_domain_name]) is_expected.to contain_ironic_config('neutron/project_domain_name').with_value(p[:project_domain_name]) + is_expected.to contain_ironic_config('neutron/system_scope').with_value('') is_expected.to contain_ironic_config('neutron/region_name').with_value(p[:region_name]) is_expected.to contain_ironic_config('neutron/endpoint_override').with_value(p[:endpoint_override]) is_expected.to contain_ironic_config('neutron/dhcpv6_stateful_address_count').with_value(p[:dhcpv6_stateful_address_count]) end end + context 'when system_scope is set' do + before do + params.merge!( + :system_scope => 'all' + ) + end + it 'configures system-scoped credential' do + is_expected.to contain_ironic_config('neutron/project_domain_name').with_value('') + is_expected.to contain_ironic_config('neutron/project_name').with_value('') + is_expected.to contain_ironic_config('neutron/system_scope').with_value('all') + end + end end on_supported_os({ diff --git a/spec/classes/ironic_service_catalog_spec.rb b/spec/classes/ironic_service_catalog_spec.rb index 786a1472..ec4e9c88 100644 --- a/spec/classes/ironic_service_catalog_spec.rb +++ b/spec/classes/ironic_service_catalog_spec.rb 
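Review bot: The added context opens its hook with `before do`, while the 'when overriding parameters' context in the same file uses `before :each do`. Using `before :each do` here, and putting an empty line before `it 'configures system-scoped credential' do`, would keep the spec consistent with the code around it. The contexts added to the other spec files in this patch are written the same way.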
@@ -41,6 +41,7 @@ describe 'ironic::service_catalog' do is_expected.to contain_ironic_config('service_catalog/password').with_value('').with_secret(true) is_expected.to contain_ironic_config('service_catalog/user_domain_name').with_value('Default') is_expected.to contain_ironic_config('service_catalog/project_domain_name').with_value('Default') + is_expected.to contain_ironic_config('service_catalog/system_scope').with_value('') is_expected.to contain_ironic_config('service_catalog/region_name').with_value('') is_expected.to contain_ironic_config('service_catalog/endpoint_override').with_value('') end @@ -48,15 +49,15 @@ describe 'ironic::service_catalog' do context 'when overriding parameters' do before :each do params.merge!( - :auth_type => 'noauth', - :auth_url => 'http://example.com', - :project_name => 'project1', - :username => 'admin', - :password => 'pa$$w0rd', - :user_domain_name => 'NonDefault', - :project_domain_name => 'NonDefault', - :region_name => 'regionTwo', - :endpoint_override => 'http://example2.com', + :auth_type => 'noauth', + :auth_url => 'http://example.com', + :project_name => 'project1', + :username => 'admin', + :password => 'pa$$w0rd', + :user_domain_name => 'NonDefault', + :project_domain_name => 'NonDefault', + :region_name => 'regionTwo', + :endpoint_override => 'http://example2.com', ) end 
@@ -68,11 +69,24 @@ describe 'ironic::service_catalog' do is_expected.to contain_ironic_config('service_catalog/password').with_value(p[:password]).with_secret(true) is_expected.to contain_ironic_config('service_catalog/user_domain_name').with_value(p[:user_domain_name]) is_expected.to contain_ironic_config('service_catalog/project_domain_name').with_value(p[:project_domain_name]) + is_expected.to contain_ironic_config('service_catalog/system_scope').with_value('') is_expected.to contain_ironic_config('service_catalog/region_name').with_value(p[:region_name]) is_expected.to contain_ironic_config('service_catalog/endpoint_override').with_value(p[:endpoint_override]) end end + context 'when system_scope is set' do + before do + params.merge!( + :system_scope => 'all' + ) + end + it 'configures system-scoped credential' do + is_expected.to contain_ironic_config('service_catalog/project_domain_name').with_value('') + is_expected.to contain_ironic_config('service_catalog/project_name').with_value('') + is_expected.to contain_ironic_config('service_catalog/system_scope').with_value('all') + end + end end on_supported_os({ diff --git a/spec/classes/ironic_swift_spec.rb b/spec/classes/ironic_swift_spec.rb index 1564bf1d..38a190d0 100644 --- a/spec/classes/ironic_swift_spec.rb +++ b/spec/classes/ironic_swift_spec.rb @@ -41,6 +41,7 @@ describe 'ironic::swift' do is_expected.to contain_ironic_config('swift/password').with_value('').with_secret(true) is_expected.to contain_ironic_config('swift/user_domain_name').with_value('Default') is_expected.to contain_ironic_config('swift/project_domain_name').with_value('Default') + is_expected.to contain_ironic_config('swift/system_scope').with_value('') is_expected.to contain_ironic_config('swift/region_name').with_value('') is_expected.to contain_ironic_config('swift/endpoint_override').with_value('') end 
@@ -48,15 +49,15 @@ describe 'ironic::swift' do context 'when overriding parameters' do before :each do params.merge!( - :auth_type => 'noauth', - :auth_url => 'http://example.com', - :project_name => 'project1', - :username => 'admin', - :password => 'pa$$w0rd', - :user_domain_name => 'NonDefault', - :project_domain_name => 'NonDefault', - :region_name => 'regionTwo', - :endpoint_override => 'http://example2.com', + :auth_type => 'noauth', + :auth_url => 'http://example.com', + :project_name => 'project1', + :username => 'admin', + :password => 'pa$$w0rd', + :user_domain_name => 'NonDefault', + :project_domain_name => 'NonDefault', + :region_name => 'regionTwo', + :endpoint_override => 'http://example2.com', ) end @@ -68,11 +69,24 @@ describe 'ironic::swift' do is_expected.to contain_ironic_config('swift/password').with_value(p[:password]).with_secret(true) is_expected.to contain_ironic_config('swift/user_domain_name').with_value(p[:user_domain_name]) is_expected.to contain_ironic_config('swift/project_domain_name').with_value(p[:project_domain_name]) + is_expected.to contain_ironic_config('swift/system_scope').with_value('') is_expected.to contain_ironic_config('swift/region_name').with_value(p[:region_name]) is_expected.to contain_ironic_config('swift/endpoint_override').with_value(p[:endpoint_override]) end end + context 'when system_scope is set' do + before do + params.merge!( + :system_scope => 'all' + ) + end + it 'configures system-scoped credential' do + is_expected.to contain_ironic_config('swift/project_domain_name').with_value('') + is_expected.to contain_ironic_config('swift/project_name').with_value('') + is_expected.to contain_ironic_config('swift/system_scope').with_value('all') + end + end end on_supported_os({