Do not use system scope tokens in providers

This is a partial revert of 5ca6e6fc9c.

After discussing several problems caused by scope separation, we
decided to suspend implementing the scope enforcement and focus on
project personas like the reader role. As a result of that decision,
the system admin persona will be removed, thus we should use
the project admin persona instead. The previous policy rules that allowed
system scope access have been reverted by [1].

[1] 755a1503187a29f9b4f6ecbf369acb781c3e95e7

Change-Id: I52f81faf2008e6d8c152503ca2d706fd962b8ed3
Takashi Kajinami 2022-10-06 10:31:52 +09:00
parent d65fa22282
commit a6dd3edfe3
4 changed files with 14 additions and 16 deletions


@ -18,15 +18,7 @@ class Puppet::Provider::Manila < Puppet::Provider::Openstack
@manila_conf
end
def self.project_request(service, action, properties=nil, options={})
self.request(service, action, properties, options, 'project')
end
def self.system_request(service, action, properties=nil, options={})
self.request(service, action, properties, options, 'system')
end
def self.request(service, action, properties=nil, options={}, scope='project')
def self.request(service, action, properties=nil)
begin
super
rescue Puppet::Error::OpenstackAuthInputError, Puppet::Error::OpenstackUnauthorizedError => error
@ -34,7 +26,7 @@ class Puppet::Provider::Manila < Puppet::Provider::Openstack
end
end
def self.manila_request(service, action, error, properties=nil, options={})
def self.manila_request(service, action, error, properties=nil)
warning('Usage of keystone_authtoken parameters is deprecated.')
properties ||= []
@credentials.username = manila_credentials['username']
@ -47,7 +39,7 @@ class Puppet::Provider::Manila < Puppet::Provider::Openstack
@credentials.region_name = manila_credentials['region_name']
end
raise error unless @credentials.set?
Puppet::Provider::Openstack.request(service, action, properties, @credentials, options)
Puppet::Provider::Openstack.request(service, action, properties, @credentials)
end
def self.manila_credentials
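Review bot: The first hunk removes the public class methods `project_request` and `system_request` and narrows `self.request` to `(service, action, properties=nil)`, but nothing on the new side tells a caller why the `options` and `scope` arguments are gone; any provider outside this commit that still passes them would now raise `ArgumentError`. I would add a comment above the method, for example `# Scope is no longer selectable here: requests use the configured project-scoped credentials only.` The bare `super` forwards exactly these three arguments, so the scope actually used presumably depends on the parent class and the environment, neither of which is visible on this page. The body of `request` and its `rescue` branch continue outside the hunk.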


@ -36,7 +36,7 @@ Puppet::Type.type(:manila_type).provide(
opts << '--revert-to-snapshot-support' << @resource[:revert_to_snapshot_support].to_s.capitalize
opts << '--mount-snapshot-support' << @resource[:mount_snapshot_support].to_s.capitalize
self.class.system_request('share type', 'create', opts)
self.class.request('share type', 'create', opts)
[
:name,
@ -56,7 +56,7 @@ Puppet::Type.type(:manila_type).provide(
if self.class.do_not_manage
fail("Not managing Manila_type[#{@resource[:name]}] due to earlier Manila API failures.")
end
self.class.system_request('share type', 'delete', name)
self.class.request('share type', 'delete', name)
@property_hash.clear
@property_hash[:ensure] = :absent
end
@ -71,7 +71,7 @@ Puppet::Type.type(:manila_type).provide(
def self.instances
self.do_not_manage = true
list = system_request('share type', 'list').collect do |type|
list = request('share type', 'list').collect do |type|
required_extra_specs = self.parse_specs(type[:required_extra_specs])
optional_extra_specs = self.parse_specs(type[:optional_extra_specs])
@ -124,7 +124,7 @@ Puppet::Type.type(:manila_type).provide(
opts << '--mount-snapshot-support' << @property_flush[:mount_snapshot_support].to_s.capitalize
end
self.class.system_request('share type', 'set', opts)
self.class.request('share type', 'set', opts)
@property_flush.clear
end
end
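Review bot: The `create`, `delete`, `list` and `set` calls now go through `self.class.request`, yet nothing in this file section states which role the project-scoped credential must hold; the commit message names the project admin persona, but the code does not. In `self.instances` the flag `self.do_not_manage = true` is set before `request('share type', 'list')`, so if that call fails for lack of privilege the later `destroy` path would presumably only report the generic "earlier Manila API failures" message. I would add a comment at the `list` call, for example `# Requires a project-scoped credential with the project admin persona; an authorization failure here leaves do_not_manage set.` The methods around these hunks start and end outside the visible lines, so where the flag is reset cannot be confirmed from this page.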


@ -0,0 +1,6 @@
---
upgrade:
- |
The ``manila_type`` resource type now uses project scope credential instead
of system scope credential, following the change in Manila to retain legacy
project admin behavior.


@ -8,7 +8,7 @@ describe provider_class do
let(:set_creds_env) do
ENV['OS_USERNAME'] = 'test'
ENV['OS_PASSWORD'] = 'abc123'
ENV['OS_SYSTEM_SCOPE'] = 'all'
ENV['OS_PROJECT_NAME'] = 'test'
ENV['OS_AUTH_URL'] = 'http://127.0.0.1:5000'
end