Do not use system scope tokens in providers

This is partial revert of 5ca6e6fc9c .

After discussing several problems caused by scope separation, we
decided to suspend implementing the scope enforcement and focus on
project personas like reader role. As a result of that decision,
the system admin persona will be removed, so we should use
the project admin persona instead. The previous policy rules to allow
system scope access have been reverted by [1].

[1] 755a1503187a29f9b4f6ecbf369acb781c3e95e7

Change-Id: I52f81faf2008e6d8c152503ca2d706fd962b8ed3
Takashi Kajinami 2022-10-06 10:31:52 +09:00
parent d65fa22282
commit a6dd3edfe3
4 changed files with 14 additions and 16 deletions


@ -18,15 +18,7 @@ class Puppet::Provider::Manila < Puppet::Provider::Openstack
@manila_conf @manila_conf
end end
def self.project_request(service, action, properties=nil, options={}) def self.request(service, action, properties=nil)
self.request(service, action, properties, options, 'project')
end
def self.system_request(service, action, properties=nil, options={})
self.request(service, action, properties, options, 'system')
end
def self.request(service, action, properties=nil, options={}, scope='project')
begin begin
super super
rescue Puppet::Error::OpenstackAuthInputError, Puppet::Error::OpenstackUnauthorizedError => error rescue Puppet::Error::OpenstackAuthInputError, Puppet::Error::OpenstackUnauthorizedError => error
@ -34,7 +26,7 @@ class Puppet::Provider::Manila < Puppet::Provider::Openstack
end end
end end
def self.manila_request(service, action, error, properties=nil, options={}) def self.manila_request(service, action, error, properties=nil)
warning('Usage of keystone_authtoken parameters is deprecated.') warning('Usage of keystone_authtoken parameters is deprecated.')
properties ||= [] properties ||= []
@credentials.username = manila_credentials['username'] @credentials.username = manila_credentials['username']
@ -47,7 +39,7 @@ class Puppet::Provider::Manila < Puppet::Provider::Openstack
@credentials.region_name = manila_credentials['region_name'] @credentials.region_name = manila_credentials['region_name']
end end
raise error unless @credentials.set? raise error unless @credentials.set?
Puppet::Provider::Openstack.request(service, action, properties, @credentials, options) Puppet::Provider::Openstack.request(service, action, properties, @credentials)
end end
def self.manila_credentials def self.manila_credentials
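Review bot: The new `def self.request(service, action, properties=nil)` drops the `options` parameter that the removed `project_request`/`system_request` wrappers accepted, so any other provider in this module still passing a fourth argument will now raise ArgumentError; I cannot see other callers from this diff, so it is worth grepping for four-argument `request(` calls before merging. Separately, the `rescue Puppet::Error::OpenstackAuthInputError, Puppet::Error::OpenstackUnauthorizedError` on the last context line means that a project-scoped credential lacking the needed role does not fail but falls through to `manila_request`, which re-authenticates with the keystone_authtoken service account from manila.conf — a broader identity than the one the operator configured, with only the deprecation warning as a signal. A comment above the `begin` such as `# Auth-input or Unauthorized errors fall back to the (deprecated) keystone_authtoken service account from manila.conf; this fallback widens the effective identity, so it should not be relied on for least privilege.` would make that explicit. The rescue body of `request` continues outside this hunk.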


@ -36,7 +36,7 @@ Puppet::Type.type(:manila_type).provide(
opts << '--revert-to-snapshot-support' << @resource[:revert_to_snapshot_support].to_s.capitalize opts << '--revert-to-snapshot-support' << @resource[:revert_to_snapshot_support].to_s.capitalize
opts << '--mount-snapshot-support' << @resource[:mount_snapshot_support].to_s.capitalize opts << '--mount-snapshot-support' << @resource[:mount_snapshot_support].to_s.capitalize
self.class.system_request('share type', 'create', opts) self.class.request('share type', 'create', opts)
[ [
:name, :name,
@ -56,7 +56,7 @@ Puppet::Type.type(:manila_type).provide(
if self.class.do_not_manage if self.class.do_not_manage
fail("Not managing Manila_type[#{@resource[:name]}] due to earlier Manila API failures.") fail("Not managing Manila_type[#{@resource[:name]}] due to earlier Manila API failures.")
end end
self.class.system_request('share type', 'delete', name) self.class.request('share type', 'delete', name)
@property_hash.clear @property_hash.clear
@property_hash[:ensure] = :absent @property_hash[:ensure] = :absent
end end
@ -71,7 +71,7 @@ Puppet::Type.type(:manila_type).provide(
def self.instances def self.instances
self.do_not_manage = true self.do_not_manage = true
list = system_request('share type', 'list').collect do |type| list = request('share type', 'list').collect do |type|
required_extra_specs = self.parse_specs(type[:required_extra_specs]) required_extra_specs = self.parse_specs(type[:required_extra_specs])
optional_extra_specs = self.parse_specs(type[:optional_extra_specs]) optional_extra_specs = self.parse_specs(type[:optional_extra_specs])
@ -124,7 +124,7 @@ Puppet::Type.type(:manila_type).provide(
opts << '--mount-snapshot-support' << @property_flush[:mount_snapshot_support].to_s.capitalize opts << '--mount-snapshot-support' << @property_flush[:mount_snapshot_support].to_s.capitalize
end end
self.class.system_request('share type', 'set', opts) self.class.request('share type', 'set', opts)
@property_flush.clear @property_flush.clear
end end
end end
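Review bot: After switching `create`, `destroy`, `instances` and `flush` to the plain `request`, the share-type operations depend on the configured project-scoped credential holding whatever role Manila's policy requires for `share type create/set/delete` (under the default policy these appear to be admin-only, so presumably the admin role on the project), and nothing in this provider checks or documents that. Because `self.instances` sets `self.do_not_manage = true` before calling `request('share type', 'list')`, an under-privileged credential surfaces only as the fallback warning from the base class and then as `Not managing Manila_type[...]` failures for every resource, which is hard to diagnose. A short comment above `def self.instances`, for example `# Requires a project-scoped credential with admin rights on the project; a 403 here disables management of every manila_type resource`, and a matching sentence in the upgrade release note would save operators that debugging. The `instances` body continues outside this hunk.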


@ -0,0 +1,6 @@
---
upgrade:
- |
The ``manila_type`` resource type now uses project scope credential instead
of system scope credential, following the change in Manila to retain legacy
project admin behavior.


@ -8,7 +8,7 @@ describe provider_class do
let(:set_creds_env) do let(:set_creds_env) do
ENV['OS_USERNAME'] = 'test' ENV['OS_USERNAME'] = 'test'
ENV['OS_PASSWORD'] = 'abc123' ENV['OS_PASSWORD'] = 'abc123'
ENV['OS_SYSTEM_SCOPE'] = 'all' ENV['OS_PROJECT_NAME'] = 'test'
ENV['OS_AUTH_URL'] = 'http://127.0.0.1:5000' ENV['OS_AUTH_URL'] = 'http://127.0.0.1:5000'
end end