Do not use system scope tokens in providers
This is a partial revert of 5ca6e6fc9c.
After discussing several problems caused by scope separation, we
decided to suspend implementing the scope enforcement and focus on
project personas like reader role. As the result of that decision,
the system admin persona will be removed, thus we should use
the project admin persona instead. The previous policy rules to allow
system scope access have been reverted by [1].
[1] 755a1503187a29f9b4f6ecbf369acb781c3e95e7
Change-Id: I52f81faf2008e6d8c152503ca2d706fd962b8ed3
parent
d65fa22282
commit
a6dd3edfe3
|
@ -18,15 +18,7 @@ class Puppet::Provider::Manila < Puppet::Provider::Openstack
|
|||
@manila_conf
|
||||
end
|
||||
|
||||
def self.project_request(service, action, properties=nil, options={})
|
||||
self.request(service, action, properties, options, 'project')
|
||||
end
|
||||
|
||||
def self.system_request(service, action, properties=nil, options={})
|
||||
self.request(service, action, properties, options, 'system')
|
||||
end
|
||||
|
||||
def self.request(service, action, properties=nil, options={}, scope='project')
|
||||
def self.request(service, action, properties=nil)
|
||||
begin
|
||||
super
|
||||
rescue Puppet::Error::OpenstackAuthInputError, Puppet::Error::OpenstackUnauthorizedError => error
|
||||
|
@ -34,7 +26,7 @@ class Puppet::Provider::Manila < Puppet::Provider::Openstack
|
|||
end
|
||||
end
|
||||
|
||||
def self.manila_request(service, action, error, properties=nil, options={})
|
||||
def self.manila_request(service, action, error, properties=nil)
|
||||
warning('Usage of keystone_authtoken parameters is deprecated.')
|
||||
properties ||= []
|
||||
@credentials.username = manila_credentials['username']
|
||||
|
@ -47,7 +39,7 @@ class Puppet::Provider::Manila < Puppet::Provider::Openstack
|
|||
@credentials.region_name = manila_credentials['region_name']
|
||||
end
|
||||
raise error unless @credentials.set?
|
||||
Puppet::Provider::Openstack.request(service, action, properties, @credentials, options)
|
||||
Puppet::Provider::Openstack.request(service, action, properties, @credentials)
|
||||
end
|
||||
|
||||
def self.manila_credentials
|
||||
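Review bot: `self.request` rescues `OpenstackAuthInputError` and `OpenstackUnauthorizedError` and, judging by `manila_request`, retries the same action with credentials read from `manila_credentials`, yet nothing in the method says so. With `project_request` and `system_request` removed, every provider call goes through this single path, so a run whose own credentials are rejected can continue under what is presumably the service user's identity with only a deprecation warning. I would add a comment above `def self.request`, e.g. `# On an auth error, retries once with the keystone_authtoken credentials (deprecated fallback).`, and consider naming the fallback user in the `warning(...)` text so the change of identity shows up in the run log. The rescue body sits between the first two hunks and is not visible here.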
|
|
|
@ -36,7 +36,7 @@ Puppet::Type.type(:manila_type).provide(
|
|||
opts << '--revert-to-snapshot-support' << @resource[:revert_to_snapshot_support].to_s.capitalize
|
||||
opts << '--mount-snapshot-support' << @resource[:mount_snapshot_support].to_s.capitalize
|
||||
|
||||
self.class.system_request('share type', 'create', opts)
|
||||
self.class.request('share type', 'create', opts)
|
||||
|
||||
[
|
||||
:name,
|
||||
|
@ -56,7 +56,7 @@ Puppet::Type.type(:manila_type).provide(
|
|||
if self.class.do_not_manage
|
||||
fail("Not managing Manila_type[#{@resource[:name]}] due to earlier Manila API failures.")
|
||||
end
|
||||
self.class.system_request('share type', 'delete', name)
|
||||
self.class.request('share type', 'delete', name)
|
||||
@property_hash.clear
|
||||
@property_hash[:ensure] = :absent
|
||||
end
|
||||
|
@ -71,7 +71,7 @@ Puppet::Type.type(:manila_type).provide(
|
|||
|
||||
def self.instances
|
||||
self.do_not_manage = true
|
||||
list = system_request('share type', 'list').collect do |type|
|
||||
list = request('share type', 'list').collect do |type|
|
||||
required_extra_specs = self.parse_specs(type[:required_extra_specs])
|
||||
optional_extra_specs = self.parse_specs(type[:optional_extra_specs])
|
||||
|
||||
|
@ -124,7 +124,7 @@ Puppet::Type.type(:manila_type).provide(
|
|||
opts << '--mount-snapshot-support' << @property_flush[:mount_snapshot_support].to_s.capitalize
|
||||
end
|
||||
|
||||
self.class.system_request('share type', 'set', opts)
|
||||
self.class.request('share type', 'set', opts)
|
||||
@property_flush.clear
|
||||
end
|
||||
end
|
||||
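Review bot: The create, delete, list and set calls for `share type` now go through the plain `request`, but the provider gives no hint about which role the project-scoped credential needs. Share types are not owned by a single project, so these calls presumably still need an admin role on the project named in the environment. A weaker credential would fail first in `self.instances`, after `do_not_manage` has already been set to `true`. A short comment above `def self.instances`, e.g. `# Requires project-scoped admin credentials; system scope is no longer used.`, would record that requirement. Whether `do_not_manage` is reset after a successful list lies outside the hunk.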
|
|
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
upgrade:
|
||||
- |
|
||||
The ``manila_type`` resource type now uses project scope credential instead
|
||||
of system scope credential, following the change in Manila to retain legacy
|
||||
project admin behavior.
|
|
@ -8,7 +8,7 @@ describe provider_class do
|
|||
let(:set_creds_env) do
|
||||
ENV['OS_USERNAME'] = 'test'
|
||||
ENV['OS_PASSWORD'] = 'abc123'
|
||||
ENV['OS_SYSTEM_SCOPE'] = 'all'
|
||||
ENV['OS_PROJECT_NAME'] = 'test'
|
||||
ENV['OS_AUTH_URL'] = 'http://127.0.0.1:5000'
|
||||
end
|
||||
|
||||
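Review bot: `set_creds_env` now sets `OS_PROJECT_NAME` but does not clear `OS_SYSTEM_SCOPE`, so a value inherited from the shell that runs the suite would still be present when the provider reads its credentials. Adding `ENV.delete('OS_SYSTEM_SCOPE')` inside the `let` block pins the project-scoped case. The block also writes to the process-wide `ENV` without restoring it afterwards, as far as this hunk shows, which lets these values leak into later examples.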
|
|