From 1934cb65787540f07258a280b249f8baf3230f49 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami <tkajinam@redhat.com>
Date: Mon, 3 Jan 2022 14:50:35 +0900
Subject: [PATCH] Accept system scope credentials for Keystone API request

This change is the first step to support secure RBAC and allows usage
of system scope credentials for Keystone API request.

This change covers the following two items.
 - assignment of system scope roles to system user
 - credential parameters for authtoken middleware

Depends-on: https://review.opendev.org/804325
Change-Id: I73f6b7adf4721e64974ebb8c78a6f70ab00d20f6
---
 manifests/keystone/auth.pp                     | 18 ++++++++++++++++++
 manifests/keystone/authtoken.pp                |  6 ++++++
 ...system_scope-keystone-9a41ff0d799142db.yaml | 13 +++++++++++++
 spec/classes/mistral_keystone_auth_spec.rb     |  9 +++++++++
 .../classes/mistral_keystone_authtoken_spec.rb |  3 +++
 5 files changed, 49 insertions(+)
 create mode 100644 releasenotes/notes/system_scope-keystone-9a41ff0d799142db.yaml

diff --git a/manifests/keystone/auth.pp b/manifests/keystone/auth.pp
index 327ba70..2364a6c 100644
--- a/manifests/keystone/auth.pp
+++ b/manifests/keystone/auth.pp
@@ -19,6 +19,18 @@
 #   (Optional) Tenant for mistral user.
 #   Defaults to 'services'.
 #
+# [*roles*]
+#   (Optional) List of roles assigned to neutron user.
+#   Defaults to ['admin']
+#
+# [*system_scope*]
+#   (Optional) Scope for system operations.
+#   Defaults to 'all'
+#
+# [*system_roles*]
+#   (Optional) List of system roles assigned to neutron user.
+#   Defaults to []
+#
 # [*configure_endpoint*]
 #   (Optional) Should mistral endpoint be configured?
 #   Defaults to true.
@@ -74,6 +86,9 @@ class mistral::keystone::auth(
   $internal_url           = 'http://127.0.0.1:8989/v2',
   $region                 = 'RegionOne',
   $tenant                 = 'services',
+  $roles                  = ['admin'],
+  $system_scope           = 'all',
+  $system_roles           = [],
   $configure_endpoint     = true,
   $configure_service      = true,
   $configure_user         = true,
@@ -97,6 +112,9 @@ class mistral::keystone::auth(
     password            => $password,
     email               => $email,
     tenant              => $tenant,
+    roles               => $roles,
+    system_scope        => $system_scope,
+    system_roles        => $system_roles,
     public_url          => $public_url,
     admin_url           => $admin_url,
     internal_url        => $internal_url,
diff --git a/manifests/keystone/authtoken.pp b/manifests/keystone/authtoken.pp
index c20c625..f6d9f5a 100644
--- a/manifests/keystone/authtoken.pp
+++ b/manifests/keystone/authtoken.pp
@@ -28,6 +28,10 @@
 #   (Optional) Name of domain for $project_name
 #   Defaults to 'Default'
 #
+# [*system_scope*]
+#   (Optional) Scope for system operations.
+#   Defaults to $::os_service_default
+#
 # [*insecure*]
 #   (Optional) If true, explicitly allow TLS without checking server cert
 #   against any certificate authorities.  WARNING: not recommended.  Use with
@@ -198,6 +202,7 @@ class mistral::keystone::authtoken(
   $project_name                   = 'services',
   $user_domain_name               = 'Default',
   $project_domain_name            = 'Default',
+  $system_scope                   = $::os_service_default,
   $insecure                       = $::os_service_default,
   $auth_section                   = $::os_service_default,
   $auth_type                      = 'password',
@@ -251,6 +256,7 @@ class mistral::keystone::authtoken(
       auth_section                   => $auth_section,
       user_domain_name               => $user_domain_name,
       project_domain_name            => $project_domain_name,
+      system_scope                   => $system_scope,
       insecure                       => $insecure,
       cache                          => $cache,
       cafile                         => $cafile,
diff --git a/releasenotes/notes/system_scope-keystone-9a41ff0d799142db.yaml b/releasenotes/notes/system_scope-keystone-9a41ff0d799142db.yaml
new file mode 100644
index 0000000..895d14d
--- /dev/null
+++ b/releasenotes/notes/system_scope-keystone-9a41ff0d799142db.yaml
@@ -0,0 +1,13 @@
+---
+features:
+  - |
+    The ``system_scope`` parameter has been added to
+    the ``mistral::keystone::authtoken`` class.
+
+  - |
+    The ``mistral::keystone::auth`` class now supports customizing roles
+    assigned to the mistral service user.
+
+  - |
+    The ``mistral::keystone::auth`` class now supports defining assignmet of
+    system-scoped roles to the mistral service user.
diff --git a/spec/classes/mistral_keystone_auth_spec.rb b/spec/classes/mistral_keystone_auth_spec.rb
index 61bd9f9..8e0a2d5 100644
--- a/spec/classes/mistral_keystone_auth_spec.rb
+++ b/spec/classes/mistral_keystone_auth_spec.rb
@@ -23,6 +23,9 @@ describe 'mistral::keystone::auth' do
         :password            => 'mistral_password',
         :email               => 'mistral@localhost',
         :tenant              => 'services',
+        :roles               => ['admin'],
+        :system_scope        => 'all',
+        :system_roles        => [],
         :public_url          => 'http://127.0.0.1:8989/v2',
         :internal_url        => 'http://127.0.0.1:8989/v2',
         :admin_url           => 'http://127.0.0.1:8989/v2',
@@ -35,6 +38,9 @@ describe 'mistral::keystone::auth' do
           :auth_name           => 'alt_mistral',
           :email               => 'alt_mistral@alt_localhost',
           :tenant              => 'alt_service',
+          :roles               => ['admin', 'service'],
+          :system_scope        => 'alt_all',
+          :system_roles        => ['admin', 'member', 'reader'],
           :configure_endpoint  => false,
           :configure_user      => false,
           :configure_user_role => false,
@@ -59,6 +65,9 @@ describe 'mistral::keystone::auth' do
         :password            => 'mistral_password',
         :email               => 'alt_mistral@alt_localhost',
         :tenant              => 'alt_service',
+        :roles               => ['admin', 'service'],
+        :system_scope        => 'alt_all',
+        :system_roles        => ['admin', 'member', 'reader'],
         :public_url          => 'https://10.10.10.10:80',
         :internal_url        => 'http://10.10.10.11:81',
         :admin_url           => 'http://10.10.10.12:81',
diff --git a/spec/classes/mistral_keystone_authtoken_spec.rb b/spec/classes/mistral_keystone_authtoken_spec.rb
index f668ace..6b03d5e 100644
--- a/spec/classes/mistral_keystone_authtoken_spec.rb
+++ b/spec/classes/mistral_keystone_authtoken_spec.rb
@@ -18,6 +18,7 @@ describe 'mistral::keystone::authtoken' do
           :project_name                   => 'services',
           :user_domain_name               => 'Default',
           :project_domain_name            => 'Default',
+          :system_scope                   => '<SERVICE DEFAULT>',
           :insecure                       => '<SERVICE DEFAULT>',
           :auth_section                   => '<SERVICE DEFAULT>',
           :auth_type                      => 'password',
@@ -62,6 +63,7 @@ describe 'mistral::keystone::authtoken' do
           :project_name                         => 'service_project',
           :user_domain_name                     => 'domainX',
           :project_domain_name                  => 'domainX',
+          :system_scope                         => 'all',
           :insecure                             => false,
           :auth_section                         => 'new_section',
           :auth_type                            => 'password',
@@ -103,6 +105,7 @@ describe 'mistral::keystone::authtoken' do
           :project_name                         => 'service_project',
           :user_domain_name                     => 'domainX',
           :project_domain_name                  => 'domainX',
+          :system_scope                         => 'all',
           :insecure                             => false,
           :auth_section                         => 'new_section',
           :auth_type                            => 'password',