From 0d92d0a9d6417af12802f589fdce4d2a1d947c50 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Fri, 26 Nov 2021 22:26:24 +0900
Subject: [PATCH] Accept system scope credential for Nova API request
Currently Neutron uses the user credential in [nova] section to use External Event API in Nova but this API is available only for system admin when SRBAC is enforced. This change allows usage of system-scoped credential instead of project-scoped one.
Change-Id: I3f90e59f1daa06e41b1f29434feb0b8d85ac6753
---
 manifests/server/notifications/nova.pp | 32 +++++++++----
 .../system_scope-nova-c5fd722cf46244bb.yaml | 6 +++
 .../neutron_server_notifications_nova_spec.rb | 46 ++++++++++++-------
 3 files changed, 58 insertions(+), 26 deletions(-)
 create mode 100644 releasenotes/notes/system_scope-nova-c5fd722cf46244bb.yaml
diff --git a/manifests/server/notifications/nova.pp b/manifests/server/notifications/nova.pp
index 931771f3e..884ef721b 100644
--- a/manifests/server/notifications/nova.pp
+++ b/manifests/server/notifications/nova.pp
@@ -33,6 +33,10 @@
 # The value should contain auth plugin name
 # Defaults to 'password'
 #
+# [*user_domain_name*]
+# (Optional) Name of domain for $username
+# Defaults to 'Default'
+#
 # [*username*]
 # (optional) Username for connection to nova in admin context
 # Defaults to 'nova'
@@ -45,9 +49,9 @@
 # (optional) Nova project's name
 # Defaults to 'services'
 #
-# [*user_domain_name*]
-# (Optional) Name of domain for $username
-# Defaults to 'Default'
+# [*system_scope*]
+# (Optional) Scope for system operations
+# Defaults to $::os_service_default
 #
 # [*auth_url*]
 # (optional) Authorization URL for connection to nova in admin context.
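Review bot: In the second hunk, the new `[*system_scope*]` comment block does not tell an operator that setting this parameter makes the class ignore `project_name` and `project_domain_name` (the manifest body in the next hunk writes `$::os_service_default` to both `nova/project_name` and `nova/project_domain_name` once `system_scope` is set), which is the consequence that matters when choosing a system-scoped credential over a project-scoped one. I would extend the comment to: `# (Optional) Scope for system operations. When set, the credential is system-scoped and project_name and project_domain_name are not written to neutron.conf.` As far as I know keystoneauth only recognises the value `all` here, which is also what the new spec uses, so naming that expected value in the comment would save a failed token request later. The parameter list continues outside this hunk.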
@@ -70,10 +74,11 @@ class neutron::server::notifications::nova (
 $notify_nova_on_port_status_changes = $::os_service_default,
 $notify_nova_on_port_data_changes = $::os_service_default,
 $auth_type = 'password',
+ $user_domain_name = 'Default',
 $username = 'nova',
 $project_domain_name = 'Default',
 $project_name = 'services',
- $user_domain_name = 'Default',
+ $system_scope = $::os_service_default,
 $auth_url = 'http://127.0.0.1:5000',
 $region_name = $::os_service_default,
 $endpoint_type = $::os_service_default,
@@ -81,16 +86,25 @@ class neutron::server::notifications::nova (
 include neutron::deps
+ if is_service_default($system_scope) {
+ $project_name_real = $project_name
+ $project_domain_name_real = $project_domain_name
+ } else {
+ $project_name_real = $::os_service_default
+ $project_domain_name_real = $::os_service_default
+ }
+
 neutron_config {
- 'nova/auth_url': value => $auth_url;
+ 'nova/auth_type': value => $auth_type;
+ 'nova/user_domain_name': value => $user_domain_name;
 'nova/username': value => $username;
 'nova/password': value => $password, secret => true;
- 'nova/project_domain_name': value => $project_domain_name;
- 'nova/project_name': value => $project_name;
- 'nova/user_domain_name': value => $user_domain_name;
+ 'nova/project_domain_name': value => $project_domain_name_real;
+ 'nova/project_name': value => $project_name_real;
+ 'nova/system_scope': value => $system_scope;
+ 'nova/auth_url': value => $auth_url;
 'nova/region_name': value => $region_name;
 'nova/endpoint_type': value => $endpoint_type;
- 'nova/auth_type': value => $auth_type;
 }
 neutron_config {
diff --git a/releasenotes/notes/system_scope-nova-c5fd722cf46244bb.yaml b/releasenotes/notes/system_scope-nova-c5fd722cf46244bb.yaml
new file mode 100644
index 000000000..229894e58
--- /dev/null
+++ b/releasenotes/notes/system_scope-nova-c5fd722cf46244bb.yaml
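Review bot: The `is_service_default($system_scope)` branch in the second hunk treats any non-default value, including an empty string or a typo, as a request for system scope and drops the project settings, so a misconfigured `system_scope` leaves the [nova] credential with neither a project nor a usable system scope; as far as I know keystoneauth would then request an unscoped token and the External Event API call fails at runtime rather than at catalog compile time. Since `all` is, to my knowledge, the only value keystoneauth accepts for this option, I would reject anything else before the branch: `if !is_service_default($system_scope) and $system_scope != 'all' {` / `fail('system_scope must be "all" when set')` / `}`. A short comment on the `else` branch saying that an explicitly passed `project_name`/`project_domain_name` is deliberately discarded when `system_scope` is set would also help the next reader. The class body continues past the end of this hunk.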
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ The new ``sysem_scope`` parameter has been added to
+ the ``neutron::server::notifications::nova`` class.
+
diff --git a/spec/classes/neutron_server_notifications_nova_spec.rb b/spec/classes/neutron_server_notifications_nova_spec.rb
index 673f66ab9..de5430d57 100644
--- a/spec/classes/neutron_server_notifications_nova_spec.rb
+++ b/spec/classes/neutron_server_notifications_nova_spec.rb
@@ -18,13 +18,7 @@ require 'spec_helper'
 describe 'neutron::server::notifications::nova' do
 let :params do
 {
- :auth_type => 'password',
- :username => 'nova',
- :password => 'secrete',
- :project_domain_name => 'Default',
- :project_name => 'services',
- :user_domain_name => 'Default',
- :auth_url => 'http://127.0.0.1:5000',
+ :password => 'secrete',
 }
 end
@@ -32,13 +26,15 @@ describe 'neutron::server::notifications::nova' do
 it 'configure neutron.conf' do
 should contain_neutron_config('DEFAULT/notify_nova_on_port_status_changes').with_value('')
 should contain_neutron_config('DEFAULT/notify_nova_on_port_data_changes').with_value('')
- should contain_neutron_config('nova/auth_url').with_value('http://127.0.0.1:5000')
 should contain_neutron_config('nova/auth_type').with_value('password')
+ should contain_neutron_config('nova/user_domain_name').with_value('Default')
 should contain_neutron_config('nova/username').with_value('nova')
 should contain_neutron_config('nova/password').with_value('secrete').with_secret( true )
- should contain_neutron_config('nova/region_name').with_value('')
 should contain_neutron_config('nova/project_domain_name').with_value('Default')
- should contain_neutron_config('nova/user_domain_name').with_value('Default')
+ should contain_neutron_config('nova/project_name').with_value('services')
+ should contain_neutron_config('nova/system_scope').with_value('')
+ should contain_neutron_config('nova/auth_url').with_value('http://127.0.0.1:5000')
+ should contain_neutron_config('nova/region_name').with_value('')
 should contain_neutron_config('nova/endpoint_type').with_value('')
 end
@@ -47,12 +43,13 @@ describe 'neutron::server::notifications::nova' do
 params.merge!(
 :notify_nova_on_port_status_changes => false,
 :notify_nova_on_port_data_changes => false,
- :auth_url => 'http://keystone:5000/v3',
 :auth_type => 'password',
- :username => 'joe',
- :region_name => 'MyRegion',
- :project_domain_name => 'Default_1',
 :user_domain_name => 'Default_2',
+ :username => 'joe',
+ :project_domain_name => 'Default_1',
+ :project_name => 'alt_services',
+ :auth_url => 'http://keystone:5000/v3',
+ :region_name => 'MyRegion',
 :endpoint_type => 'internal',
 )
 end
@@ -60,17 +57,32 @@ describe 'neutron::server::notifications::nova' do
 it 'should configure neutron server with overrided parameters' do
 should contain_neutron_config('DEFAULT/notify_nova_on_port_status_changes').with_value(false)
 should contain_neutron_config('DEFAULT/notify_nova_on_port_data_changes').with_value(false)
- should contain_neutron_config('nova/auth_url').with_value('http://keystone:5000/v3')
 should contain_neutron_config('nova/auth_type').with_value('password')
+ should contain_neutron_config('nova/user_domain_name').with_value('Default_2')
 should contain_neutron_config('nova/username').with_value('joe')
 should contain_neutron_config('nova/password').with_value('secrete').with_secret( true )
- should contain_neutron_config('nova/region_name').with_value('MyRegion')
 should contain_neutron_config('nova/project_domain_name').with_value('Default_1')
- should contain_neutron_config('nova/user_domain_name').with_value('Default_2')
+ should contain_neutron_config('nova/project_name').with_value('alt_services')
+ should contain_neutron_config('nova/system_scope').with_value('')
+ should contain_neutron_config('nova/auth_url').with_value('http://keystone:5000/v3')
+ should contain_neutron_config('nova/region_name').with_value('MyRegion')
 should contain_neutron_config('nova/endpoint_type').with_value('internal')
 end
 end
+ context 'when system_scope is set' do
+ before :each do
+ params.merge!(
+ :system_scope => 'all'
+ )
+ end
+
+ it 'should configure system scope credential' do
+ should contain_neutron_config('nova/project_domain_name').with_value('')
+ should contain_neutron_config('nova/project_name').with_value('')
+ should contain_neutron_config('nova/system_scope').with_value('all')
+ end
+ end
 end
 on_supported_os({
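Review bot: The new `when system_scope is set` context asserts only the three scope keys, so it would still pass if the user identity had been dropped along with the project scope; I would add `should contain_neutron_config('nova/user_domain_name').with_value('Default')` and `should contain_neutron_config('nova/username').with_value('nova')` beside the existing assertions, since keeping the user credential while clearing `project_name`/`project_domain_name` is exactly what the manifest change depends on. Asserting `nova/password` with `with_secret( true )` in that context as well would keep the secret-handling check covered on the system-scoped path, not just the project-scoped one. The enclosing `describe` continues past this hunk.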