Do not use system scope tokens in providers

This is partial revert of 5ca6e6fc9cb2403307114877ece24e394be35794 . After discussing several problems caused by scope separation, we decided to suspend implementing the scope enforcement and focus on project personas like reader role. As the result of that decision, the system admin persona will be removed, thus we should use the project admin persona instead. The previous policy rules to allow system scope access have been reverted by [1]. [1] 755a1503187a29f9b4f6ecbf369acb781c3e95e7 Change-Id: I52f81faf2008e6d8c152503ca2d706fd962b8ed3
2022-10-06 10:31:52 +09:00 · 2022-10-06 10:31:52 +09:00 · a6dd3edfe3
commit a6dd3edfe3
parent d65fa22282
4 changed files with 14 additions and 16 deletions
--- a/lib/puppet/provider/manila.rb
+++ b/lib/puppet/provider/manila.rb
@ -18,15 +18,7 @@ class Puppet::Provider::Manila < Puppet::Provider::Openstack
    @manila_conf
  end

-  def self.project_request(service, action, properties=nil, options={})
-    self.request(service, action, properties, options, 'project')
-  end
-
-  def self.system_request(service, action, properties=nil, options={})
-    self.request(service, action, properties, options, 'system')
-  end
-
-  def self.request(service, action, properties=nil, options={}, scope='project')
+  def self.request(service, action, properties=nil)
    begin
      super
    rescue Puppet::Error::OpenstackAuthInputError, Puppet::Error::OpenstackUnauthorizedError => error
@ -34,7 +26,7 @@ class Puppet::Provider::Manila < Puppet::Provider::Openstack
    end
  end

-  def self.manila_request(service, action, error, properties=nil, options={})
+  def self.manila_request(service, action, error, properties=nil)
    warning('Usage of keystone_authtoken parameters is deprecated.')
    properties ||= []
    @credentials.username = manila_credentials['username']
@ -47,7 +39,7 @@ class Puppet::Provider::Manila < Puppet::Provider::Openstack
      @credentials.region_name = manila_credentials['region_name']
    end
    raise error unless @credentials.set?
-    Puppet::Provider::Openstack.request(service, action, properties, @credentials, options)
+    Puppet::Provider::Openstack.request(service, action, properties, @credentials)
  end

  def self.manila_credentials
--- a/lib/puppet/provider/manila_type/openstack.rb
+++ b/lib/puppet/provider/manila_type/openstack.rb
@ -36,7 +36,7 @@ Puppet::Type.type(:manila_type).provide(
    opts << '--revert-to-snapshot-support' << @resource[:revert_to_snapshot_support].to_s.capitalize
    opts << '--mount-snapshot-support' << @resource[:mount_snapshot_support].to_s.capitalize

-    self.class.system_request('share type', 'create', opts)
+    self.class.request('share type', 'create', opts)

    [
      :name,
@ -56,7 +56,7 @@ Puppet::Type.type(:manila_type).provide(
    if self.class.do_not_manage
      fail("Not managing Manila_type[#{@resource[:name]}] due to earlier Manila API failures.")
    end
-    self.class.system_request('share type', 'delete', name)
+    self.class.request('share type', 'delete', name)
    @property_hash.clear
    @property_hash[:ensure] = :absent
  end
@ -71,7 +71,7 @@ Puppet::Type.type(:manila_type).provide(

  def self.instances
    self.do_not_manage = true
-    list = system_request('share type', 'list').collect do |type|
+    list = request('share type', 'list').collect do |type|
      required_extra_specs = self.parse_specs(type[:required_extra_specs])
      optional_extra_specs = self.parse_specs(type[:optional_extra_specs])

@ -124,7 +124,7 @@ Puppet::Type.type(:manila_type).provide(
        opts << '--mount-snapshot-support' << @property_flush[:mount_snapshot_support].to_s.capitalize
      end

-      self.class.system_request('share type', 'set', opts)
+      self.class.request('share type', 'set', opts)
      @property_flush.clear
    end
  end
--- a/releasenotes/notes/revert-provider-system-scope-988e0c210359aad7.yaml
+++ b/releasenotes/notes/revert-provider-system-scope-988e0c210359aad7.yaml
@ -0,0 +1,6 @@
+---
+upgrade:
+  - |
+    The ``manila_type`` resource type now uses project scope credential instead
+    of system scope credential, following the change in Manila to retain legacy
+    project admin behavior.
--- a/spec/unit/provider/manila_type/openstack_spec.rb
+++ b/spec/unit/provider/manila_type/openstack_spec.rb
@ -8,7 +8,7 @@ describe provider_class do
  let(:set_creds_env) do
    ENV['OS_USERNAME']     = 'test'
    ENV['OS_PASSWORD']     = 'abc123'
-    ENV['OS_SYSTEM_SCOPE'] = 'all' 
+    ENV['OS_PROJECT_NAME'] = 'test'
    ENV['OS_AUTH_URL']     = 'http://127.0.0.1:5000'
  end