Use system scope credentials in providers

This change enforces usage of system scope credentials to manage share types, following the new policy rules for SRBAC support in manila. The logic to look up credential for the nova service user from [keystone_authtoken] is left to keep backward compatibility but is deprecated and will be removed. Depends-on: https://review.opendev.org/806474 Depends-on: https://review.opendev.org/828025 Change-Id: Ifd8aa63c94e194083a2b81fa9ea2c14afad5d6ab
2022-03-07 00:20:54 +09:00 · 2022-03-07 00:20:54 +09:00 · 5ca6e6fc9c
parent 3b341a2bfd
commit 5ca6e6fc9c
4 changed files with 31 additions and 10 deletions
--- a/lib/puppet/provider/manila.rb
+++ b/lib/puppet/provider/manila.rb
@ -1,5 +1,3 @@
-File.expand_path('../../../../openstacklib/lib', File.dirname(__FILE__)).tap { |dir| $LOAD_PATH.unshift(dir) unless $LOAD_PATH.include?(dir) }
-
 require 'puppet/util/inifile'
 require 'puppet/provider/openstack'
 require 'puppet/provider/openstack/auth'
@ -20,7 +18,15 @@ class Puppet::Provider::Manila < Puppet::Provider::Openstack
    @manila_conf
  end

-  def self.request(service, action, properties=nil)
+  def self.project_request(service, action, properties=nil, options={})
+    self.request(service, action, properties, options, 'project')
+  end
+
+  def self.system_request(service, action, properties=nil, options={})
+    self.request(service, action, properties, options, 'system')
+  end
+
+  def self.request(service, action, properties=nil, options={}, scope='project')
    begin
      super
    rescue Puppet::Error::OpenstackAuthInputError, Puppet::Error::OpenstackUnauthorizedError => error
@ -28,7 +34,8 @@ class Puppet::Provider::Manila < Puppet::Provider::Openstack
    end
  end

-  def self.manila_request(service, action, error, properties=nil)
+  def self.manila_request(service, action, error, properties=nil, options={})
+    warning('Usage of keystone_authtoken parameters is deprecated.')
    properties ||= []
    @credentials.username = manila_credentials['username']
    @credentials.password = manila_credentials['password']
@ -40,7 +47,7 @@ class Puppet::Provider::Manila < Puppet::Provider::Openstack
      @credentials.region_name = manila_credentials['region_name']
    end
    raise error unless @credentials.set?
-    Puppet::Provider::Openstack.request(service, action, properties, @credentials)
+    Puppet::Provider::Openstack.request(service, action, properties, @credentials, options)
  end

  def self.manila_credentials
--- a/lib/puppet/provider/manila_type/openstack.rb
+++ b/lib/puppet/provider/manila_type/openstack.rb
@ -36,7 +36,7 @@ Puppet::Type.type(:manila_type).provide(
    opts << '--revert-to-snapshot-support' << @resource[:revert_to_snapshot_support].to_s.capitalize
    opts << '--mount-snapshot-support' << @resource[:mount_snapshot_support].to_s.capitalize

-    self.class.request('share type', 'create', opts)
+    self.class.system_request('share type', 'create', opts)

    [
      :name,
@ -56,7 +56,7 @@ Puppet::Type.type(:manila_type).provide(
    if self.class.do_not_manage
      fail("Not managing Manila_type[#{@resource[:name]}] due to earlier Manila API failures.")
    end
-    self.class.request('share type', 'delete', name)
+    self.class.system_request('share type', 'delete', name)
    @property_hash.clear
    @property_hash[:ensure] = :absent
  end
@ -71,7 +71,7 @@ Puppet::Type.type(:manila_type).provide(

  def self.instances
    self.do_not_manage = true
-    list = request('share type', 'list').collect do |type|
+    list = system_request('share type', 'list').collect do |type|
      required_extra_specs = self.parse_specs(type[:required_extra_specs])
      optional_extra_specs = self.parse_specs(type[:optional_extra_specs])

@ -124,7 +124,7 @@ Puppet::Type.type(:manila_type).provide(
        opts << '--mount-snapshot-support' << @property_flush[:mount_snapshot_support].to_s.capitalize
      end

-      self.class.request('share type', 'set', opts)
+      self.class.system_request('share type', 'set', opts)
      @property_flush.clear
    end
  end
--- a/releasenotes/notes/provider-system-scope-cb9a22337ffe738d.yaml
+++ b/releasenotes/notes/provider-system-scope-cb9a22337ffe738d.yaml
@ -0,0 +1,14 @@
+---
+upgrade:
+  - |
+    Now the ``manila_type`` resource type uses system scope credential instead
+    of project scope credential when sending requests to Manila API.
+
+deprecations:
+  - |
+    Currently the manila_type`` resource type uses the credential written in
+    the ``[keystone_authtoken]`` section of ``manila.conf``. However this
+    behavior has been deprecated and now the resource type first looks for
+    the yaml files in ``/etc/openstack/puppet``. Make sure one of
+    ``clouds.yaml`` or ``admin-clouds.yaml`` (which is created by
+    puppet-keystone) is created in that directory.
--- a/spec/unit/provider/manila_type/openstack_spec.rb
+++ b/spec/unit/provider/manila_type/openstack_spec.rb
@ -8,7 +8,7 @@ describe provider_class do
  let(:set_creds_env) do
    ENV['OS_USERNAME']     = 'test'
    ENV['OS_PASSWORD']     = 'abc123'
-    ENV['OS_PROJECT_NAME'] = 'test'
+    ENV['OS_SYSTEM_SCOPE'] = 'all' 
    ENV['OS_AUTH_URL']     = 'http://127.0.0.1:5000'
  end