Accept system scope credential for Designate API request

Currently Neutron uses the user credential in [designate] section to
create a zone and PTR record. When SRBAC is enforced is Designate,
the former API call is available for both project member and system
admin but the latter API call is limited for system admin.

This change allows usage of system-scoped credential instead of
project-scoped one, so that the required API calls are permitted when
Designate enforces SRBAC.

Change-Id: I620b49937d01cae5b9a5af74fac8bb4e91ab3e86

manifests/designate.pp

@@ -19,6 +19,10 @@
 #   (optional) Username for connection to designate in admin context
 #   Defaults to 'neutron'
 #
+# [*user_domain_name*]
+#   (Optional) Name of domain for $username
+#   Defaults to 'Default'
+#
 # [*project_name*]
 #   (optional) The name of the admin project
 #   Defaults to 'services'
@@ -27,9 +31,9 @@
 #   (Optional) Name of domain for $project_name
 #   Defaults to 'Default'
 #
-# [*user_domain_name*]
-#   (Optional) Name of domain for $username
-#   Defaults to 'Default'
+# [*system_scope*]
+#   (Optional) Scope for system operations
+#   Defaults to $::os_service_default
 #
 # [*auth_url*]
 #   (optional) Authorization URI for connection to designate in admin context.
@@ -61,9 +65,10 @@ class neutron::designate (
   $url,
   $auth_type                 = 'password',
   $username                  = 'neutron',
+  $user_domain_name          = 'Default',
   $project_name              = 'services',
   $project_domain_name       = 'Default',
-  $user_domain_name          = 'Default',
+  $system_scope              = $::os_service_default,
   $auth_url                  = 'http://127.0.0.1:5000',
   $allow_reverse_dns_lookup  = $::os_service_default,
   $ipv4_ptr_zone_prefix_size = $::os_service_default,
@@ -79,16 +84,27 @@ class neutron::designate (
     warning('The neutron::designate::project_id parmaeter is deprecated. Use the project_name parameter.')
   }
 
+  if is_service_default($system_scope){
+    $project_id_real = pick($project_id, $::os_service_default)
+    $project_name_real = $project_name
+    $project_domain_name_real = $project_domain_name
+  } else {
+    $project_id_real = $::os_service_default
+    $project_name_real = $::os_service_default
+    $project_domain_name_real = $::os_service_default
+  }
+
   neutron_config {
     'DEFAULT/external_dns_driver':         value => 'designate';
     'designate/password':                  value => $password, secret => true;
     'designate/url':                       value => $url;
     'designate/auth_type':                 value => $auth_type;
     'designate/username':                  value => $username;
-    'designate/project_id':                value => pick($project_id, $::os_service_default);
-    'designate/project_name':              value => $project_name;
-    'designate/project_domain_name':       value => $project_domain_name;
     'designate/user_domain_name':          value => $user_domain_name;
+    'designate/project_id':                value => $project_id_real;
+    'designate/project_name':              value => $project_name_real;
+    'designate/project_domain_name':       value => $project_domain_name_real;
+    'designate/system_scope':              value => $system_scope;
     'designate/auth_url':                  value => $auth_url;
     'designate/allow_reverse_dns_lookup':  value => $allow_reverse_dns_lookup;
     'designate/ipv4_ptr_zone_prefix_size': value => $ipv4_ptr_zone_prefix_size;

releasenotes/notes/system_scope-designate-e5bbd73fc8e59f0b.yaml

@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    The ``system_scope`` parameter has been added to the ``neutron::designate``
+    class.

spec/classes/neutron_designate_spec.rb

@@ -16,11 +16,12 @@ describe 'neutron::designate' do
         should contain_neutron_config('DEFAULT/external_dns_driver').with_value('designate')
         should contain_neutron_config('designate/url').with_value('http://ip/designate')
         should contain_neutron_config('designate/password').with_value('secret').with_secret(true)
-        should contain_neutron_config('designate/username').with_value('neutron')
         should contain_neutron_config('designate/auth_type').with_value('password')
+        should contain_neutron_config('designate/username').with_value('neutron')
+        should contain_neutron_config('designate/user_domain_name').with_value('Default')
         should contain_neutron_config('designate/project_name').with_value('services')
         should contain_neutron_config('designate/project_domain_name').with_value('Default')
-        should contain_neutron_config('designate/user_domain_name').with_value('Default')
+        should contain_neutron_config('designate/system_scope').with_value('<SERVICE DEFAULT>')
         should contain_neutron_config('designate/auth_url').with_value('http://127.0.0.1:5000')
         should contain_neutron_config('designate/allow_reverse_dns_lookup').with_value('<SERVICE DEFAULT>')
         should contain_neutron_config('designate/ipv4_ptr_zone_prefix_size').with_value('<SERVICE DEFAULT>')
@@ -34,10 +35,10 @@ describe 'neutron::designate' do
         req_params.merge!({
           :auth_type                 => 'token',
           :username                  => 'user',
+          :user_domain_name          => 'Domain2',
           :project_id                => 'id1',
           :project_name              => 'proj',
           :project_domain_name       => 'Domain1',
-          :user_domain_name          => 'Domain2',
           :auth_url                  => 'http://auth/',
           :allow_reverse_dns_lookup  => false,
           :ipv4_ptr_zone_prefix_size => 765,
@@ -50,12 +51,13 @@ describe 'neutron::designate' do
         should contain_neutron_config('DEFAULT/external_dns_driver').with_value('designate')
         should contain_neutron_config('designate/url').with_value('http://ip/designate')
         should contain_neutron_config('designate/password').with_value('secret').with_secret(true)
-        should contain_neutron_config('designate/username').with_value('user')
         should contain_neutron_config('designate/auth_type').with_value('token')
+        should contain_neutron_config('designate/username').with_value('user')
+        should contain_neutron_config('designate/user_domain_name').with_value('Domain2')
         should contain_neutron_config('designate/project_id').with_value('id1')
         should contain_neutron_config('designate/project_name').with_value('proj')
         should contain_neutron_config('designate/project_domain_name').with_value('Domain1')
-        should contain_neutron_config('designate/user_domain_name').with_value('Domain2')
+        should contain_neutron_config('designate/system_scope').with_value('<SERVICE DEFAULT>')
         should contain_neutron_config('designate/auth_url').with_value('http://auth/')
         should contain_neutron_config('designate/allow_reverse_dns_lookup').with_value(false)
         should contain_neutron_config('designate/ipv4_ptr_zone_prefix_size').with_value(765)
@@ -63,6 +65,24 @@ describe 'neutron::designate' do
         should contain_neutron_config('designate/ptr_zone_email').with_value('foo@example.com')
       end
     end
+
+    context 'with system_scope' do
+      let :params do
+        req_params.merge!({
+          :project_id          => 'id1',
+          :project_name        => 'proj',
+          :project_domain_name => 'Domain1',
+          :system_scope        => 'all',
+        })
+      end
+
+      it 'configures designate in neutron.conf' do
+        should contain_neutron_config('designate/project_id').with_value('<SERVICE DEFAULT>')
+        should contain_neutron_config('designate/project_name').with_value('<SERVICE DEFAULT>')
+        should contain_neutron_config('designate/project_domain_name').with_value('<SERVICE DEFAULT>')
+        should contain_neutron_config('designate/system_scope').with_value('all')
+      end
+    end
   end
 
   on_supported_os({