5457be773e
This change is the initial work to support enforcing secure RBAC(SRBAC)
feature. The following two changes are made by this change.
- The keystone_user_role resource type now supports creating system
roles in addition to project roles and domain roles. The following
example shows how to assign the "admin" role to the "nova" user for
the system scope "all".
keystone_user_role{'nova@::::all':
ensure => 'present',
roles => ['admin'],
}
- Some defined resource types were updated so that the other puppet
modules can define keystone credentials for system scope access
instead of project scope access.
Note that this change does not update the usage of project scope
credentials in each providers, and that should be fixed later to
enforce SRBAC completely.
Change-Id: Id43eeb31424f04d6969a993704e5a5c175eb1cb0
126 lines
4.5 KiB
Puppet
126 lines
4.5 KiB
Puppet
# == Definition: keystone::resource::service_user
|
|
#
|
|
# This resource configures Keystone authentication resources to make OpenStack
|
|
# services like nova or cinder use service token feature. It will manage the
|
|
# [service_user] section in the given config resource.
|
|
#
|
|
# == Parameters:
|
|
#
|
|
# [*name*]
|
|
# (Required) The name of the resource corresponding to the config file.
|
|
# For example, keystone::resource::service_user { 'nova_config': ... }
|
|
# Where 'nova_config' is the name of the resource used to manage
|
|
# the nova configuration.
|
|
#
|
|
# [*username*]
|
|
# (Required) The name of the service user
|
|
#
|
|
# [*password*]
|
|
# (Required) Password to create for the service user
|
|
#
|
|
# [*auth_url*]
|
|
# (Required) The URL to use for authentication.
|
|
#
|
|
# [*project_name*]
|
|
# (Optional) Service project name
|
|
# Defaults to $::os_service_default
|
|
#
|
|
# [*user_domain_name*]
|
|
# (Optional) Name of domain for $username
|
|
# Defaults to $::os_service_default
|
|
#
|
|
# [*project_domain_name*]
|
|
# (Optional) Name of domain for $project_name
|
|
# Defaults to $::os_service_default
|
|
#
|
|
# [*send_service_user_token*]
|
|
# (Optional) The service uses service token feature when this is set as true
|
|
# Defaults to false
|
|
#
|
|
# [*system_scope*]
|
|
# (Optional) Scope for system operations
|
|
# Defaults to $::os_service_default
|
|
#
|
|
# [*insecure*]
|
|
# (Optional) If true, explicitly allow TLS without checking server cert
|
|
# against any certificate authorities. WARNING: not recommended. Use with
|
|
# caution.
|
|
# Defaults to $::os_service_default
|
|
#
|
|
# [*auth_type*]
|
|
# (Optional) Authentication type to load
|
|
# Defaults to $::os_service_default
|
|
#
|
|
# [*auth_version*]
|
|
# (Optional) API version of the admin Identity API endpoint.
|
|
# Defaults to $::os_service_default.
|
|
#
|
|
# [*cafile*]
|
|
# (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs
|
|
# connections.
|
|
# Defaults to $::os_service_default.
|
|
#
|
|
# [*certfile*]
|
|
# (Optional) Required if identity server requires client certificate
|
|
# Defaults to $::os_service_default.
|
|
#
|
|
# [*keyfile*]
|
|
# (Optional) Required if identity server requires client certificate
|
|
# Defaults to $::os_service_default.
|
|
#
|
|
# [*region_name*]
|
|
# (Optional) The region in which the identity server can be found.
|
|
# Defaults to $::os_service_default.
|
|
#
|
|
define keystone::resource::service_user(
|
|
$username,
|
|
$password,
|
|
$auth_url,
|
|
$project_name = $::os_service_default,
|
|
$user_domain_name = $::os_service_default,
|
|
$project_domain_name = $::os_service_default,
|
|
$system_scope = $::os_service_default,
|
|
$send_service_user_token = false,
|
|
$insecure = $::os_service_default,
|
|
$auth_type = $::os_service_default,
|
|
$auth_version = $::os_service_default,
|
|
$cafile = $::os_service_default,
|
|
$certfile = $::os_service_default,
|
|
$keyfile = $::os_service_default,
|
|
$region_name = $::os_service_default,
|
|
) {
|
|
|
|
include keystone::params
|
|
include keystone::deps
|
|
|
|
if is_service_default($system_scope) {
|
|
$project_name_real = $project_name
|
|
$project_domain_name_real = $project_domain_name
|
|
} else {
|
|
# When system scope is used, project parameters should be removed otherwise
|
|
# project scope is used.
|
|
$project_name_real = $::os_service_default
|
|
$project_domain_name_real = $::os_service_default
|
|
}
|
|
|
|
$service_user_options = {
|
|
'service_user/auth_type' => {'value' => $auth_type},
|
|
'service_user/auth_version' => {'value' => $auth_version},
|
|
'service_user/cafile' => {'value' => $cafile},
|
|
'service_user/certfile' => {'value' => $certfile},
|
|
'service_user/keyfile' => {'value' => $keyfile},
|
|
'service_user/region_name' => {'value' => $region_name},
|
|
'service_user/auth_url' => {'value' => $auth_url},
|
|
'service_user/username' => {'value' => $username},
|
|
'service_user/password' => {'value' => $password, 'secret' => true},
|
|
'service_user/user_domain_name' => {'value' => $user_domain_name},
|
|
'service_user/project_name' => {'value' => $project_name_real},
|
|
'service_user/project_domain_name' => {'value' => $project_domain_name_real},
|
|
'service_user/system_scope' => {'value' => $system_scope},
|
|
'service_user/send_service_user_token' => {'value' => $send_service_user_token},
|
|
'service_user/insecure' => {'value' => $insecure},
|
|
}
|
|
|
|
create_resources($name, $service_user_options)
|
|
}
|