Accept system scope credentials for Keystone API request
This change is the first step to support secure RBAC and allows usage of system scope credentials for Keystone API request. This change covers the following two items. - assignment of system scope roles to system user - credential parameters for authtoken middleware Depends-on: https://review.opendev.org/804325 Change-Id: I73f6b7adf4721e64974ebb8c78a6f70ab00d20f6
This commit is contained in:
Takashi Kajinami
parent
789b8f107f
commit
1934cb6578
@ -19,6 +19,18 @@
|
||||
# (Optional) Tenant for mistral user.
|
||||
# Defaults to 'services'.
|
||||
#
|
||||
# [*roles*]
|
||||
# (Optional) List of roles assigned to neutron user.
|
||||
# Defaults to ['admin']
|
||||
#
|
||||
# [*system_scope*]
|
||||
# (Optional) Scope for system operations.
|
||||
# Defaults to 'all'
|
||||
#
|
||||
# [*system_roles*]
|
||||
# (Optional) List of system roles assigned to neutron user.
|
||||
# Defaults to []
|
||||
#
|
||||
# [*configure_endpoint*]
|
||||
# (Optional) Should mistral endpoint be configured?
|
||||
# Defaults to true.
|
||||
@ -74,6 +86,9 @@ class mistral::keystone::auth(
|
||||
$internal_url = 'http://127.0.0.1:8989/v2',
|
||||
$region = 'RegionOne',
|
||||
$tenant = 'services',
|
||||
$roles = ['admin'],
|
||||
$system_scope = 'all',
|
||||
$system_roles = [],
|
||||
$configure_endpoint = true,
|
||||
$configure_service = true,
|
||||
$configure_user = true,
|
||||
@ -97,6 +112,9 @@ class mistral::keystone::auth(
|
||||
password => $password,
|
||||
email => $email,
|
||||
tenant => $tenant,
|
||||
roles => $roles,
|
||||
system_scope => $system_scope,
|
||||
system_roles => $system_roles,
|
||||
public_url => $public_url,
|
||||
admin_url => $admin_url,
|
||||
internal_url => $internal_url,
|
||||
|
||||
@ -28,6 +28,10 @@
|
||||
# (Optional) Name of domain for $project_name
|
||||
# Defaults to 'Default'
|
||||
#
|
||||
# [*system_scope*]
|
||||
# (Optional) Scope for system operations.
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*insecure*]
|
||||
# (Optional) If true, explicitly allow TLS without checking server cert
|
||||
# against any certificate authorities. WARNING: not recommended. Use with
|
||||
@ -198,6 +202,7 @@ class mistral::keystone::authtoken(
|
||||
$project_name = 'services',
|
||||
$user_domain_name = 'Default',
|
||||
$project_domain_name = 'Default',
|
||||
$system_scope = $::os_service_default,
|
||||
$insecure = $::os_service_default,
|
||||
$auth_section = $::os_service_default,
|
||||
$auth_type = 'password',
|
||||
@ -251,6 +256,7 @@ class mistral::keystone::authtoken(
|
||||
auth_section => $auth_section,
|
||||
user_domain_name => $user_domain_name,
|
||||
project_domain_name => $project_domain_name,
|
||||
system_scope => $system_scope,
|
||||
insecure => $insecure,
|
||||
cache => $cache,
|
||||
cafile => $cafile,
|
||||
|
||||
@ -0,0 +1,13 @@
|
||||
---
|
||||
features:
|
||||
- |
|
||||
The ``system_scope`` parameter has been added to
|
||||
the ``mistral::keystone::authtoken`` class.
|
||||
|
||||
- |
|
||||
The ``mistral::keystone::auth`` class now supports customizing roles
|
||||
assigned to the mistral service user.
|
||||
|
||||
- |
|
||||
The ``mistral::keystone::auth`` class now supports defining assignmet of
|
||||
system-scoped roles to the mistral service user.
|
||||
@ -23,6 +23,9 @@ describe 'mistral::keystone::auth' do
|
||||
:password => 'mistral_password',
|
||||
:email => 'mistral@localhost',
|
||||
:tenant => 'services',
|
||||
:roles => ['admin'],
|
||||
:system_scope => 'all',
|
||||
:system_roles => [],
|
||||
:public_url => 'http://127.0.0.1:8989/v2',
|
||||
:internal_url => 'http://127.0.0.1:8989/v2',
|
||||
:admin_url => 'http://127.0.0.1:8989/v2',
|
||||
@ -35,6 +38,9 @@ describe 'mistral::keystone::auth' do
|
||||
:auth_name => 'alt_mistral',
|
||||
:email => 'alt_mistral@alt_localhost',
|
||||
:tenant => 'alt_service',
|
||||
:roles => ['admin', 'service'],
|
||||
:system_scope => 'alt_all',
|
||||
:system_roles => ['admin', 'member', 'reader'],
|
||||
:configure_endpoint => false,
|
||||
:configure_user => false,
|
||||
:configure_user_role => false,
|
||||
@ -59,6 +65,9 @@ describe 'mistral::keystone::auth' do
|
||||
:password => 'mistral_password',
|
||||
:email => 'alt_mistral@alt_localhost',
|
||||
:tenant => 'alt_service',
|
||||
:roles => ['admin', 'service'],
|
||||
:system_scope => 'alt_all',
|
||||
:system_roles => ['admin', 'member', 'reader'],
|
||||
:public_url => 'https://10.10.10.10:80',
|
||||
:internal_url => 'http://10.10.10.11:81',
|
||||
:admin_url => 'http://10.10.10.12:81',
|
||||
|
||||
@ -18,6 +18,7 @@ describe 'mistral::keystone::authtoken' do
|
||||
:project_name => 'services',
|
||||
:user_domain_name => 'Default',
|
||||
:project_domain_name => 'Default',
|
||||
:system_scope => '<SERVICE DEFAULT>',
|
||||
:insecure => '<SERVICE DEFAULT>',
|
||||
:auth_section => '<SERVICE DEFAULT>',
|
||||
:auth_type => 'password',
|
||||
@ -62,6 +63,7 @@ describe 'mistral::keystone::authtoken' do
|
||||
:project_name => 'service_project',
|
||||
:user_domain_name => 'domainX',
|
||||
:project_domain_name => 'domainX',
|
||||
:system_scope => 'all',
|
||||
:insecure => false,
|
||||
:auth_section => 'new_section',
|
||||
:auth_type => 'password',
|
||||
@ -103,6 +105,7 @@ describe 'mistral::keystone::authtoken' do
|
||||
:project_name => 'service_project',
|
||||
:user_domain_name => 'domainX',
|
||||
:project_domain_name => 'domainX',
|
||||
:system_scope => 'all',
|
||||
:insecure => false,
|
||||
:auth_section => 'new_section',
|
||||
:auth_type => 'password',
|
||||
|
||||
Loading…
Reference in New Issue
Block a user