From bb714ff15aff24476a512279e2f59b379197eb21 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Tue, 25 Jan 2022 16:41:38 +0900
Subject: [PATCH] Accept system scope credential for Nova API request

Currently Ironic uses the user credential in [nova] section to use External Event API in Nova but this API is available only for system admin when SRBAC is enforced. This change allows usage of system-scoped credential instead of project-scoped one.

Change-Id: Ib5020f4bd01a18580aa765248ea29e132862d57c
---
 manifests/nova.pp | 20 +++++++++--
 .../system_scope-nova-52a51f6b7863a8b7.yaml | 5 +++
 spec/classes/ironic_nova_spec.rb | 35 +++++++++++++------
 3 files changed, 48 insertions(+), 12 deletions(-)
 create mode 100644 releasenotes/notes/system_scope-nova-52a51f6b7863a8b7.yaml

diff --git a/manifests/nova.pp b/manifests/nova.pp
index 67f932f5..43ca2545 100644
--- a/manifests/nova.pp
+++ b/manifests/nova.pp
@@ -40,6 +40,10 @@
 # The name of project's domain (required for Identity V3).
 # Defaults to 'Default'
 #
+# [*system_scope*]
+# (Optional) Scope for system operations
+# Defaults to $::os_service_default
+#
 # [*region_name*]
 # (optional) Region name for connecting to nova in admin context
 # through the OpenStack Identity service.
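Review bot: The new `[*system_scope*]` doc comment in this hunk does not say what happens to `project_name` and `project_domain_name` when it is set, nor what value it takes, so a reader of the class header cannot tell that the project-scoped and system-scoped credential styles are mutually exclusive. I would extend the comment to `# (Optional) Scope for system operations. When set, project_name and project_domain_name are ignored and the [nova] credential becomes system-scoped.` and, if the project only supports the value the spec uses, add `# The spec in this change uses 'all'.` This matters operationally because a system-scoped token is broader than the project-scoped one it replaces, so the operator should learn from the parameter docs that the scope of the Nova credential changes. The parameter list this comment documents continues outside the hunk.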
@@ -61,19 +65,31 @@ class ironic::nova (
 $password = $::os_service_default,
 $user_domain_name = 'Default',
 $project_domain_name = 'Default',
+ $system_scope = $::os_service_default,
 $region_name = $::os_service_default,
 $endpoint_override = $::os_service_default,
 $send_power_notifications = $::os_service_default,
 ) {
+
+ include ironic::deps
+
+ if is_service_default($system_scope) {
+ $project_name_real = $project_name
+ $project_domain_name_real = $project_domain_name
+ } else {
+ $project_name_real = $::os_service_default
+ $project_domain_name_real = $::os_service_default
+ }
+
 ironic_config {
 'nova/auth_type': value => $auth_type;
 'nova/username': value => $username;
 'nova/password': value => $password, secret => true;
 'nova/auth_url': value => $auth_url;
- 'nova/project_name': value => $project_name;
+ 'nova/project_name': value => $project_name_real;
 'nova/user_domain_name': value => $user_domain_name;
- 'nova/project_domain_name': value => $project_domain_name;
+ 'nova/project_domain_name': value => $project_domain_name_real;
+ 'nova/system_scope': value => $system_scope;
 'nova/region_name': value => $region_name;
 'nova/endpoint_override': value => $endpoint_override;
 'nova/send_power_notifications': value => $send_power_notifications;
diff --git a/releasenotes/notes/system_scope-nova-52a51f6b7863a8b7.yaml b/releasenotes/notes/system_scope-nova-52a51f6b7863a8b7.yaml
new file mode 100644
index 00000000..3b347c33
--- /dev/null
+++ b/releasenotes/notes/system_scope-nova-52a51f6b7863a8b7.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ The new ``sysem_scope`` parameter has been added to the ``ironic::nova``
+ class.
diff --git a/spec/classes/ironic_nova_spec.rb b/spec/classes/ironic_nova_spec.rb
index 4a6c1952..01904e90 100644
--- a/spec/classes/ironic_nova_spec.rb
+++ b/spec/classes/ironic_nova_spec.rb
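Review bot: The `else` branch of the new `if is_service_default($system_scope)` block silently discards an operator-supplied `project_name` and `project_domain_name` by writing `$::os_service_default` into the config, so a manifest that sets both `project_name => 'services'` and `system_scope => 'all'` ends up with a system-scoped Nova credential and no indication that the project setting was dropped. Because a system-scoped token carries broader authorization than the project-scoped one it replaces, that switch should at least be visible; I would add `warning('project_name and project_domain_name are ignored because system_scope is set')` as the first line of the `else` branch, or `fail()` when a non-default `project_name` is given together with `system_scope`. The value of `$system_scope` is also written to `nova/system_scope` unvalidated, so a typo such as `'al'` is only caught at runtime by keystoneauth; a `validate_legacy`/type check, if this module uses one elsewhere, would catch it at catalog compile time. The `ironic_config` resource and the class body continue outside the hunk.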
@@ -41,6 +41,7 @@ describe 'ironic::nova' do
 is_expected.to contain_ironic_config('nova/password').with_value('').with_secret(true)
 is_expected.to contain_ironic_config('nova/user_domain_name').with_value('Default')
 is_expected.to contain_ironic_config('nova/project_domain_name').with_value('Default')
+ is_expected.to contain_ironic_config('nova/system_scope').with_value('')
 is_expected.to contain_ironic_config('nova/region_name').with_value('')
 is_expected.to contain_ironic_config('nova/endpoint_override').with_value('')
 is_expected.to contain_ironic_config('nova/send_power_notifications').with_value('')
@@ -49,16 +50,16 @@ describe 'ironic::nova' do
 context 'when overriding parameters' do
 before :each do
 params.merge!(
- :auth_type => 'noauth',
- :auth_url => 'http://example.com',
- :project_name => 'project1',
- :username => 'admin',
- :password => 'pa$$w0rd',
- :user_domain_name => 'NonDefault',
- :project_domain_name => 'NonDefault',
- :region_name => 'regionTwo',
- :endpoint_override => 'http://example2.com',
- :send_power_notifications => false,
+ :auth_type => 'noauth',
+ :auth_url => 'http://example.com',
+ :project_name => 'project1',
+ :username => 'admin',
+ :password => 'pa$$w0rd',
+ :user_domain_name => 'NonDefault',
+ :project_domain_name => 'NonDefault',
+ :region_name => 'regionTwo',
+ :endpoint_override => 'http://example2.com',
+ :send_power_notifications => false,
 )
 end
@@ -71,11 +72,25 @@ describe 'ironic::nova' do
 is_expected.to contain_ironic_config('nova/user_domain_name').with_value(p[:user_domain_name])
 is_expected.to contain_ironic_config('nova/project_domain_name').with_value(p[:project_domain_name])
 is_expected.to contain_ironic_config('nova/region_name').with_value(p[:region_name])
+ is_expected.to contain_ironic_config('nova/system_scope').with_value('')
 is_expected.to contain_ironic_config('nova/endpoint_override').with_value(p[:endpoint_override])
 is_expected.to contain_ironic_config('nova/send_power_notifications').with_value(p[:send_power_notifications])
 end
 end
+ context 'when system_scope is set' do
+ before :each do
+ params.merge!(
+ :system_scope => 'all',
+ )
+ end
+
+ it 'configures system-scoped credential' do
+ is_expected.to contain_ironic_config('nova/project_name').with_value('')
+ is_expected.to contain_ironic_config('nova/project_domain_name').with_value('')
+ is_expected.to contain_ironic_config('nova/system_scope').with_value('all')
+ end
+ end
 end
 on_supported_os({
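Review bot: The new `'when system_scope is set'` context only merges `:system_scope => 'all'` and leaves `project_name`/`project_domain_name` at the class defaults, so its two `with_value('')` expectations do not prove that an explicitly supplied project is discarded, which is the behaviour the manifest's `else` branch introduces. I would merge `:project_name => 'project1', :project_domain_name => 'NonDefault',` alongside `:system_scope => 'all',` in the same `params.merge!` so the blanking is actually exercised rather than coinciding with defaults. It would also be worth asserting that `nova/username` and `nova/password` are still written in this context, since only the three scope-related keys are checked. The enclosing `describe` block and the `on_supported_os` call extend outside the hunk.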