From 71711d8031e6110cb6e45d21ea9daefcfef1f4b9 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Mon, 17 Jan 2022 21:49:35 +0900
Subject: [PATCH] Accept system scope credential for Designate API request

Currently Neutron uses the user credential in [designate] section to create a zone and PTR record. When SRBAC is enforced is Designate, the former API call is available for both project member and system admin but the latter API call is limited for system admin. This change allows usage of system-scoped credential instead of project-scoped one, so that the required API calls are permitted when Designate enforces SRBAC.

Change-Id: I620b49937d01cae5b9a5af74fac8bb4e91ab3e86
---
 manifests/designate.pp | 30 ++++++++++++++-----
 ...stem_scope-designate-e5bbd73fc8e59f0b.yaml | 5 ++++
 spec/classes/neutron_designate_spec.rb | 30 +++++++++++++++----
 3 files changed, 53 insertions(+), 12 deletions(-)
 create mode 100644 releasenotes/notes/system_scope-designate-e5bbd73fc8e59f0b.yaml

diff --git a/manifests/designate.pp b/manifests/designate.pp
index b075c8511..7d7c118b3 100644
--- a/manifests/designate.pp
+++ b/manifests/designate.pp
@@ -19,6 +19,10 @@
 # (optional) Username for connection to designate in admin context
 # Defaults to 'neutron'
 #
+# [*user_domain_name*]
+# (Optional) Name of domain for $username
+# Defaults to 'Default'
+#
 # [*project_name*]
 # (optional) The name of the admin project
 # Defaults to 'services'
@@ -27,9 +31,9 @@
 # (Optional) Name of domain for $project_name
 # Defaults to 'Default'
 #
-# [*user_domain_name*]
-# (Optional) Name of domain for $username
-# Defaults to 'Default'
+# [*system_scope*]
+# (Optional) Scope for system operations
+# Defaults to $::os_service_default
 #
 # [*auth_url*]
 # (optional) Authorization URI for connection to designate in admin context.
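Review bot: The new `[*system_scope*]` entry in the second hunk does not tell the reader that setting it makes the Designate credential system-scoped and that `project_id`, `project_name` and `project_domain_name` are then ignored, which is what the manifest does further down in this same change. A system-scoped credential carries deployment-wide rather than per-project authority (the commit message itself says the PTR call is "limited for system admin"), so an operator reading only this parameter header should be told what they are enabling. I would extend the description to `# (Optional) Scope for system operations. When set (e.g. 'all'), the credential` / `# is system-scoped and project_id, project_name and project_domain_name are ignored.` and keep the existing `Defaults to $::os_service_default` line.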
@@ -61,9 +65,10 @@ class neutron::designate (
 $url,
 $auth_type = 'password',
 $username = 'neutron',
+ $user_domain_name = 'Default',
 $project_name = 'services',
 $project_domain_name = 'Default',
- $user_domain_name = 'Default',
+ $system_scope = $::os_service_default,
 $auth_url = 'http://127.0.0.1:5000',
 $allow_reverse_dns_lookup = $::os_service_default,
 $ipv4_ptr_zone_prefix_size = $::os_service_default,
@@ -79,16 +84,27 @@ class neutron::designate (
 warning('The neutron::designate::project_id parmaeter is deprecated. Use the project_name parameter.')
 }
 
+ if is_service_default($system_scope){
+ $project_id_real = pick($project_id, $::os_service_default)
+ $project_name_real = $project_name
+ $project_domain_name_real = $project_domain_name
+ } else {
+ $project_id_real = $::os_service_default
+ $project_name_real = $::os_service_default
+ $project_domain_name_real = $::os_service_default
+ }
+
 neutron_config {
 'DEFAULT/external_dns_driver': value => 'designate';
 'designate/password': value => $password, secret => true;
 'designate/url': value => $url;
 'designate/auth_type': value => $auth_type;
 'designate/username': value => $username;
- 'designate/project_id': value => pick($project_id, $::os_service_default);
- 'designate/project_name': value => $project_name;
- 'designate/project_domain_name': value => $project_domain_name;
 'designate/user_domain_name': value => $user_domain_name;
+ 'designate/project_id': value => $project_id_real;
+ 'designate/project_name': value => $project_name_real;
+ 'designate/project_domain_name': value => $project_domain_name_real;
+ 'designate/system_scope': value => $system_scope;
 'designate/auth_url': value => $auth_url;
 'designate/allow_reverse_dns_lookup': value => $allow_reverse_dns_lookup;
 'designate/ipv4_ptr_zone_prefix_size': value => $ipv4_ptr_zone_prefix_size;
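Review bot: In the new `else` branch any `project_id`, `project_name` or `project_domain_name` the caller passed is discarded without notice once `system_scope` is set, and the spec added by this change relies on exactly that silent override. Because moving to a system-scoped credential changes what the neutron service user is authorised to do in Designate, an operator who sets both should be told their project settings are no longer in effect, in the same way this hunk already warns about the deprecated `project_id`. I would add, at the top of the `else` branch, `if $project_id { warning('The neutron::designate::project_id parameter is ignored when system_scope is set.') }` (three lines); `project_name` and `project_domain_name` default to `'services'` and `'Default'` in the first hunk, so an explicit value cannot be distinguished there without first changing those defaults to `$::os_service_default`, while `project_id`'s default is outside the hunk but is presumably undef given the `pick`. As a style point, `if is_service_default($system_scope){` is missing the space before the brace that `} else {` in the same hunk has. The class body continues outside the hunk.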
diff --git a/releasenotes/notes/system_scope-designate-e5bbd73fc8e59f0b.yaml b/releasenotes/notes/system_scope-designate-e5bbd73fc8e59f0b.yaml
new file mode 100644
index 000000000..c1448b80c
--- /dev/null
+++ b/releasenotes/notes/system_scope-designate-e5bbd73fc8e59f0b.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ The ``system_scope`` parameter has been added to the ``neutron::designate``
+ class.
diff --git a/spec/classes/neutron_designate_spec.rb b/spec/classes/neutron_designate_spec.rb
index 07a5f7587..9d31fe8bb 100644
--- a/spec/classes/neutron_designate_spec.rb
+++ b/spec/classes/neutron_designate_spec.rb
@@ -16,11 +16,12 @@ describe 'neutron::designate' do
 should contain_neutron_config('DEFAULT/external_dns_driver').with_value('designate')
 should contain_neutron_config('designate/url').with_value('http://ip/designate')
 should contain_neutron_config('designate/password').with_value('secret').with_secret(true)
- should contain_neutron_config('designate/username').with_value('neutron')
 should contain_neutron_config('designate/auth_type').with_value('password')
+ should contain_neutron_config('designate/username').with_value('neutron')
+ should contain_neutron_config('designate/user_domain_name').with_value('Default')
 should contain_neutron_config('designate/project_name').with_value('services')
 should contain_neutron_config('designate/project_domain_name').with_value('Default')
- should contain_neutron_config('designate/user_domain_name').with_value('Default')
+ should contain_neutron_config('designate/system_scope').with_value('')
 should contain_neutron_config('designate/auth_url').with_value('http://127.0.0.1:5000')
 should contain_neutron_config('designate/allow_reverse_dns_lookup').with_value('')
 should contain_neutron_config('designate/ipv4_ptr_zone_prefix_size').with_value('')
@@ -34,10 +35,10 @@ describe 'neutron::designate' do
 req_params.merge!({
 :auth_type => 'token',
 :username => 'user',
+ :user_domain_name => 'Domain2',
 :project_id => 'id1',
 :project_name => 'proj',
 :project_domain_name => 'Domain1',
- :user_domain_name => 'Domain2',
 :auth_url => 'http://auth/',
 :allow_reverse_dns_lookup => false,
 :ipv4_ptr_zone_prefix_size => 765,
@@ -50,12 +51,13 @@ describe 'neutron::designate' do
 should contain_neutron_config('DEFAULT/external_dns_driver').with_value('designate')
 should contain_neutron_config('designate/url').with_value('http://ip/designate')
 should contain_neutron_config('designate/password').with_value('secret').with_secret(true)
- should contain_neutron_config('designate/username').with_value('user')
 should contain_neutron_config('designate/auth_type').with_value('token')
+ should contain_neutron_config('designate/username').with_value('user')
+ should contain_neutron_config('designate/user_domain_name').with_value('Domain2')
 should contain_neutron_config('designate/project_id').with_value('id1')
 should contain_neutron_config('designate/project_name').with_value('proj')
 should contain_neutron_config('designate/project_domain_name').with_value('Domain1')
- should contain_neutron_config('designate/user_domain_name').with_value('Domain2')
+ should contain_neutron_config('designate/system_scope').with_value('')
 should contain_neutron_config('designate/auth_url').with_value('http://auth/')
 should contain_neutron_config('designate/allow_reverse_dns_lookup').with_value(false)
 should contain_neutron_config('designate/ipv4_ptr_zone_prefix_size').with_value(765)
@@ -63,6 +65,24 @@ describe 'neutron::designate' do
 should contain_neutron_config('designate/ptr_zone_email').with_value('foo@example.com')
 end
 end
+
+ context 'with system_scope' do
+ let :params do
+ req_params.merge!({
+ :project_id => 'id1',
+ :project_name => 'proj',
+ :project_domain_name => 'Domain1',
+ :system_scope => 'all',
+ })
+ end
+
+ it 'configures designate in neutron.conf' do
+ should contain_neutron_config('designate/project_id').with_value('')
+ should contain_neutron_config('designate/project_name').with_value('')
+ should contain_neutron_config('designate/project_domain_name').with_value('')
+ should contain_neutron_config('designate/system_scope').with_value('all')
+ end
+ end
 end
 
 on_supported_os({