openstack/puppet-neutron
Code Issues Proposed changes

Accept system scope credential for Designate API request

Browse Source 
Currently Neutron uses the user credential in [designate] section to
create a zone and PTR record. When SRBAC is enforced is Designate,
the former API call is available for both project member and system
admin but the latter API call is limited for system admin.

This change allows usage of system-scoped credential instead of
project-scoped one, so that the required API calls are permitted when
Designate enforces SRBAC.

Change-Id: I620b49937d01cae5b9a5af74fac8bb4e91ab3e86
This commit is contained in:
Takashi Kajinami
2022-01-17 21:49:35 +09:00
parent a321b3ffa1
commit 71711d8031
3 changed files with 53 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
manifests/designate.pp
View File

@@ -19,6 +19,10 @@
# (optional) Username for connection to designate in admin context # (optional) Username for connection to designate in admin context
# Defaults to 'neutron' # Defaults to 'neutron'
# #
# [*user_domain_name*]
# (Optional) Name of domain for $username
# Defaults to 'Default'
#
# [*project_name*] # [*project_name*]
# (optional) The name of the admin project # (optional) The name of the admin project
# Defaults to 'services' # Defaults to 'services'
@@ -27,9 +31,9 @@
# (Optional) Name of domain for $project_name # (Optional) Name of domain for $project_name
# Defaults to 'Default' # Defaults to 'Default'
# #
# [*user_domain_name*] # [*system_scope*]
# (Optional) Name of domain for $username # (Optional) Scope for system operations
# Defaults to 'Default' # Defaults to $::os_service_default
# #
# [*auth_url*] # [*auth_url*]
# (optional) Authorization URI for connection to designate in admin context. # (optional) Authorization URI for connection to designate in admin context.
@@ -61,9 +65,10 @@ class neutron::designate (
$url, $url,
$auth_type = 'password', $auth_type = 'password',
$username = 'neutron', $username = 'neutron',
$user_domain_name = 'Default',
$project_name = 'services', $project_name = 'services',
$project_domain_name = 'Default', $project_domain_name = 'Default',
$user_domain_name = 'Default', $system_scope = $::os_service_default,
$auth_url = 'http://127.0.0.1:5000', $auth_url = 'http://127.0.0.1:5000',
$allow_reverse_dns_lookup = $::os_service_default, $allow_reverse_dns_lookup = $::os_service_default,
$ipv4_ptr_zone_prefix_size = $::os_service_default, $ipv4_ptr_zone_prefix_size = $::os_service_default,
@@ -79,16 +84,27 @@ class neutron::designate (
warning('The neutron::designate::project_id parmaeter is deprecated. Use the project_name parameter.') warning('The neutron::designate::project_id parmaeter is deprecated. Use the project_name parameter.')
} }
if is_service_default($system_scope){
$project_id_real = pick($project_id, $::os_service_default)
$project_name_real = $project_name
$project_domain_name_real = $project_domain_name
} else {
$project_id_real = $::os_service_default
$project_name_real = $::os_service_default
$project_domain_name_real = $::os_service_default
}
neutron_config { neutron_config {
'DEFAULT/external_dns_driver': value => 'designate'; 'DEFAULT/external_dns_driver': value => 'designate';
'designate/password': value => $password, secret => true; 'designate/password': value => $password, secret => true;
'designate/url': value => $url; 'designate/url': value => $url;
'designate/auth_type': value => $auth_type; 'designate/auth_type': value => $auth_type;
'designate/username': value => $username; 'designate/username': value => $username;
'designate/project_id': value => pick($project_id, $::os_service_default);
'designate/project_name': value => $project_name;
'designate/project_domain_name': value => $project_domain_name;
'designate/user_domain_name': value => $user_domain_name; 'designate/user_domain_name': value => $user_domain_name;
'designate/project_id': value => $project_id_real;
'designate/project_name': value => $project_name_real;
'designate/project_domain_name': value => $project_domain_name_real;
'designate/system_scope': value => $system_scope;
'designate/auth_url': value => $auth_url; 'designate/auth_url': value => $auth_url;
'designate/allow_reverse_dns_lookup': value => $allow_reverse_dns_lookup; 'designate/allow_reverse_dns_lookup': value => $allow_reverse_dns_lookup;
'designate/ipv4_ptr_zone_prefix_size': value => $ipv4_ptr_zone_prefix_size; 'designate/ipv4_ptr_zone_prefix_size': value => $ipv4_ptr_zone_prefix_size;

5
releasenotes/notes/system_scope-designate-e5bbd73fc8e59f0b.yaml Normal file
View File

@@ -0,0 +1,5 @@
---
features:
- |
The ``system_scope`` parameter has been added to the ``neutron::designate``
class.

30
spec/classes/neutron_designate_spec.rb
View File

@@ -16,11 +16,12 @@ describe 'neutron::designate' do
should contain_neutron_config('DEFAULT/external_dns_driver').with_value('designate') should contain_neutron_config('DEFAULT/external_dns_driver').with_value('designate')
should contain_neutron_config('designate/url').with_value('http://ip/designate') should contain_neutron_config('designate/url').with_value('http://ip/designate')
should contain_neutron_config('designate/password').with_value('secret').with_secret(true) should contain_neutron_config('designate/password').with_value('secret').with_secret(true)
should contain_neutron_config('designate/username').with_value('neutron')
should contain_neutron_config('designate/auth_type').with_value('password') should contain_neutron_config('designate/auth_type').with_value('password')
should contain_neutron_config('designate/username').with_value('neutron')
should contain_neutron_config('designate/user_domain_name').with_value('Default')
should contain_neutron_config('designate/project_name').with_value('services') should contain_neutron_config('designate/project_name').with_value('services')
should contain_neutron_config('designate/project_domain_name').with_value('Default') should contain_neutron_config('designate/project_domain_name').with_value('Default')
should contain_neutron_config('designate/user_domain_name').with_value('Default') should contain_neutron_config('designate/system_scope').with_value('<SERVICE DEFAULT>')
should contain_neutron_config('designate/auth_url').with_value('http://127.0.0.1:5000') should contain_neutron_config('designate/auth_url').with_value('http://127.0.0.1:5000')
should contain_neutron_config('designate/allow_reverse_dns_lookup').with_value('<SERVICE DEFAULT>') should contain_neutron_config('designate/allow_reverse_dns_lookup').with_value('<SERVICE DEFAULT>')
should contain_neutron_config('designate/ipv4_ptr_zone_prefix_size').with_value('<SERVICE DEFAULT>') should contain_neutron_config('designate/ipv4_ptr_zone_prefix_size').with_value('<SERVICE DEFAULT>')
@@ -34,10 +35,10 @@ describe 'neutron::designate' do
req_params.merge!({ req_params.merge!({
:auth_type => 'token', :auth_type => 'token',
:username => 'user', :username => 'user',
:user_domain_name => 'Domain2',
:project_id => 'id1', :project_id => 'id1',
:project_name => 'proj', :project_name => 'proj',
:project_domain_name => 'Domain1', :project_domain_name => 'Domain1',
:user_domain_name => 'Domain2',
:auth_url => 'http://auth/', :auth_url => 'http://auth/',
:allow_reverse_dns_lookup => false, :allow_reverse_dns_lookup => false,
:ipv4_ptr_zone_prefix_size => 765, :ipv4_ptr_zone_prefix_size => 765,
@@ -50,12 +51,13 @@ describe 'neutron::designate' do
should contain_neutron_config('DEFAULT/external_dns_driver').with_value('designate') should contain_neutron_config('DEFAULT/external_dns_driver').with_value('designate')
should contain_neutron_config('designate/url').with_value('http://ip/designate') should contain_neutron_config('designate/url').with_value('http://ip/designate')
should contain_neutron_config('designate/password').with_value('secret').with_secret(true) should contain_neutron_config('designate/password').with_value('secret').with_secret(true)
should contain_neutron_config('designate/username').with_value('user')
should contain_neutron_config('designate/auth_type').with_value('token') should contain_neutron_config('designate/auth_type').with_value('token')
should contain_neutron_config('designate/username').with_value('user')
should contain_neutron_config('designate/user_domain_name').with_value('Domain2')
should contain_neutron_config('designate/project_id').with_value('id1') should contain_neutron_config('designate/project_id').with_value('id1')
should contain_neutron_config('designate/project_name').with_value('proj') should contain_neutron_config('designate/project_name').with_value('proj')
should contain_neutron_config('designate/project_domain_name').with_value('Domain1') should contain_neutron_config('designate/project_domain_name').with_value('Domain1')
should contain_neutron_config('designate/user_domain_name').with_value('Domain2') should contain_neutron_config('designate/system_scope').with_value('<SERVICE DEFAULT>')
should contain_neutron_config('designate/auth_url').with_value('http://auth/') should contain_neutron_config('designate/auth_url').with_value('http://auth/')
should contain_neutron_config('designate/allow_reverse_dns_lookup').with_value(false) should contain_neutron_config('designate/allow_reverse_dns_lookup').with_value(false)
should contain_neutron_config('designate/ipv4_ptr_zone_prefix_size').with_value(765) should contain_neutron_config('designate/ipv4_ptr_zone_prefix_size').with_value(765)
@@ -63,6 +65,24 @@ describe 'neutron::designate' do
should contain_neutron_config('designate/ptr_zone_email').with_value('foo@example.com') should contain_neutron_config('designate/ptr_zone_email').with_value('foo@example.com')
end end
end end
context 'with system_scope' do
let :params do
req_params.merge!({
:project_id => 'id1',
:project_name => 'proj',
:project_domain_name => 'Domain1',
:system_scope => 'all',
})
end
it 'configures designate in neutron.conf' do
should contain_neutron_config('designate/project_id').with_value('<SERVICE DEFAULT>')
should contain_neutron_config('designate/project_name').with_value('<SERVICE DEFAULT>')
should contain_neutron_config('designate/project_domain_name').with_value('<SERVICE DEFAULT>')
should contain_neutron_config('designate/system_scope').with_value('all')
end
end
end end
on_supported_os({ on_supported_os({