Support rbac_service_* options

... which were added recently to ironic. Note that the specific default value is defined for rbac_service_project_name, because in Puppet OpenStack modules 'services' is widely used for service project instead of 'service', which is the default in ironic. Depends-on: https://review.opendev.org/907148 Change-Id: I28485f7946d5a040a039e6c200de264a840ba7c4
2024-03-22 12:32:38 +09:00 · 2024-03-22 12:32:38 +09:00 · b2a7f54584
parent 3817181245
commit b2a7f54584
3 changed files with 34 additions and 7 deletions
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -262,6 +262,16 @@
 #   (optional) Topics for the versioned notifications issued by Ironic
 #   Defaults to $facts['os_service_default']
 #
+# [*rbac_service_role_elevated_access*]
+#   (optional) Enable elevated access for users with service role belonging
+#   to the 'rbac_service_project_name' project when using the default policy.
+#   Defaults to $facts['os_service_default']
+#
+# [*rbac_service_project_name*]
+#   (optional) The project name utilized for Role Based Access Control checks
+#   for the reserved `service` project.
+#   Defaults to 'services'
+#
 class ironic (
  Boolean $enabled                    = true,
  $package_ensure                     = 'present',
@ -315,6 +325,8 @@ class ironic (
  $notification_topics                = $facts['os_service_default'],
  $notification_level                 = $facts['os_service_default'],
  $versioned_notifications_topics     = $facts['os_service_default'],
+  $rbac_service_role_elevated_access  = $facts['os_service_default'],
+  $rbac_service_project_name          = 'services',
 ) {

  include ironic::deps
@ -341,13 +353,15 @@ class ironic (
  }

  ironic_config {
-    'DEFAULT/auth_strategy':                   value => $auth_strategy;
-    'DEFAULT/my_ip':                           value => $my_ip;
-    'DEFAULT/my_ipv6':                         value => $my_ipv6;
-    'DEFAULT/default_resource_class':          value => $default_resource_class;
-    'DEFAULT/notification_level':              value => $notification_level;
-    'DEFAULT/versioned_notifications_topics':  value => $versioned_notifications_topics;
-    'DEFAULT/rpc_transport':                   value => $rpc_transport;
+    'DEFAULT/auth_strategy':                     value => $auth_strategy;
+    'DEFAULT/my_ip':                             value => $my_ip;
+    'DEFAULT/my_ipv6':                           value => $my_ipv6;
+    'DEFAULT/default_resource_class':            value => $default_resource_class;
+    'DEFAULT/notification_level':                value => $notification_level;
+    'DEFAULT/versioned_notifications_topics':    value => $versioned_notifications_topics;
+    'DEFAULT/rpc_transport':                     value => $rpc_transport;
+    'DEFAULT/rbac_service_role_elevated_access': value => $rbac_service_role_elevated_access;
+    'DEFAULT/rbac_service_project_name':         value => $rbac_service_project_name;
  }

  if $sync_db {
--- a/releasenotes/notes/rbac_service-opts-ae56def0ce0491f0.yaml
+++ b/releasenotes/notes/rbac_service-opts-ae56def0ce0491f0.yaml
@ -0,0 +1,7 @@
+---
+features:
+  - |
+    The following two parameters have been added to the ``ironic`` class.
+
+    - ``rbac_service_role_elevated_access``
+    - ``rbac_service_project_name``
--- a/spec/classes/ironic_init_spec.rb
+++ b/spec/classes/ironic_init_spec.rb
@ -69,6 +69,8 @@ describe 'ironic' do
        is_expected.to contain_ironic_config('DEFAULT/notification_level').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_ironic_config('DEFAULT/versioned_notifications_topics').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_ironic_config('DEFAULT/rpc_transport').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_ironic_config('DEFAULT/rbac_service_role_elevated_access').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_ironic_config('DEFAULT/rbac_service_project_name').with_value('services')

        is_expected.to contain_oslo__messaging__default('ironic_config').with(
          :executor_thread_pool_size => '<SERVICE DEFAULT>',
@ -158,6 +160,8 @@ describe 'ironic' do
          :notification_transport_url         => 'rabbit://rabbit_user:password@localhost:5673',
          :notification_driver                => 'messagingv2',
          :notification_topics                => 'openstack',
+          :rbac_service_role_elevated_access  => true,
+          :rbac_service_project_name          => 'service',
        }
      end

@ -169,6 +173,8 @@ describe 'ironic' do
        is_expected.to contain_ironic_config('DEFAULT/notification_level').with_value('warning')
        is_expected.to contain_ironic_config('DEFAULT/versioned_notifications_topics').with_value('ironic_versioned_notifications')
        is_expected.to contain_ironic_config('DEFAULT/rpc_transport').with_value('oslo')
+        is_expected.to contain_ironic_config('DEFAULT/rbac_service_role_elevated_access').with_value(true)
+        is_expected.to contain_ironic_config('DEFAULT/rbac_service_project_name').with_value('service')

        is_expected.to contain_oslo__messaging__default('ironic_config').with(
          :executor_thread_pool_size => '128',