Accept system scope credential for Ironic API request

Currently Neutron uses the user credential in [ironic] section to use
External Event API in Ironic but this API is available only for system
admin when SRBAC is enforced.

Also, networking-baremetal uses the user credentials in [ironic]
section to list all ports, which is available only for system reader
when SRBAC is enforced.

This change allows a system-scoped credential to be used instead of a
project-scoped one for these two features.

Change-Id: I3bf7b285383ab4494cfa21440d9dd3fe26dd23df
This commit is contained in:
Takashi Kajinami 2021-12-17 00:59:31 +09:00
parent 0d92d0a9d6
commit 7f226bf52c
5 changed files with 97 additions and 28 deletions


@ -51,6 +51,10 @@
# (optional) The ironic endpoint URL for requests # (optional) The ironic endpoint URL for requests
# Defaults to $::os_service_default # Defaults to $::os_service_default
# #
# [*user_domain_name*]
# (Optional) Name of domain for $username
# Defaults to 'Default'
#
# [*username*] # [*username*]
# (optional) Username for connection to ironic in admin context # (optional) Username for connection to ironic in admin context
# Defaults to 'ironic' # Defaults to 'ironic'
@ -63,9 +67,9 @@
# (optional) Project name to scope to # (optional) Project name to scope to
# Defaults to 'services' # Defaults to 'services'
# #
# [*user_domain_name*] # [*system_scope*]
# (Optional) Name of domain for $username # (Optional) Scope for system operations
# Defaults to 'Default' # Defaults to $::os_service_default
# #
# [*region_name*] # [*region_name*]
# (optional) Name of region to use. Useful if keystone manages more than one # (optional) Name of region to use. Useful if keystone manages more than one
@ -123,10 +127,11 @@ class neutron::agents::ml2::networking_baremetal (
$insecure = $::os_service_default, $insecure = $::os_service_default,
$auth_type = 'password', $auth_type = 'password',
$auth_url = 'http://127.0.0.1:5000', $auth_url = 'http://127.0.0.1:5000',
$user_domain_name = 'Default',
$username = 'ironic', $username = 'ironic',
$project_domain_name = 'Default', $project_domain_name = 'Default',
$project_name = 'services', $project_name = 'services',
$user_domain_name = 'Default', $system_scope = $::os_service_default,
$region_name = $::os_service_default, $region_name = $::os_service_default,
$status_code_retry_delay = $::os_service_default, $status_code_retry_delay = $::os_service_default,
$status_code_retries = $::os_service_default, $status_code_retries = $::os_service_default,
@ -182,6 +187,14 @@ Use status_code_retries instead.')
$status_code_retry_delay_real = pick($retry_interval, $status_code_retry_delay) $status_code_retry_delay_real = pick($retry_interval, $status_code_retry_delay)
$status_code_retries_real = pick($max_retries, $status_code_retries) $status_code_retries_real = pick($max_retries, $status_code_retries)
if is_service_default($system_scope) {
$project_name_real = $project_name
$project_domain_name_real = $project_domain_name
} else {
$project_name_real = $::os_service_default
$project_domain_name_real = $::os_service_default
}
ironic_neutron_agent_config { ironic_neutron_agent_config {
'ironic/endpoint_override': value => $endpoint_override_real; 'ironic/endpoint_override': value => $endpoint_override_real;
'ironic/cafile': value => $cafile; 'ironic/cafile': value => $cafile;
@ -190,11 +203,12 @@ Use status_code_retries instead.')
'ironic/insecure': value => $insecure; 'ironic/insecure': value => $insecure;
'ironic/auth_type': value => $auth_type; 'ironic/auth_type': value => $auth_type;
'ironic/auth_url': value => $auth_url; 'ironic/auth_url': value => $auth_url;
'ironic/user_domain_name': value => $user_domain_name;
'ironic/username': value => $username; 'ironic/username': value => $username;
'ironic/password': value => $password, secret => true; 'ironic/password': value => $password, secret => true;
'ironic/project_domain_name': value => $project_domain_name; 'ironic/project_domain_name': value => $project_domain_name_real;
'ironic/project_name': value => $project_name; 'ironic/project_name': value => $project_name_real;
'ironic/user_domain_name': value => $user_domain_name; 'ironic/system_scope': value => $system_scope;
'ironic/region_name': value => $region_name; 'ironic/region_name': value => $region_name;
'ironic/status_code_retry_delay': value => $status_code_retry_delay_real; 'ironic/status_code_retry_delay': value => $status_code_retry_delay_real;
'ironic/status_code_retries': value => $status_code_retries_real; 'ironic/status_code_retries': value => $status_code_retries_real;
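Review bot: The header docs for `[*project_name*]` and `[*project_domain_name*]` still describe only their defaults, while the new `is_service_default($system_scope)` branch before `ironic_neutron_agent_config` replaces both with `$::os_service_default` whenever `system_scope` is set, so a caller passing `project_name` together with `system_scope` gets a silently discarded value. Suggest extending the `[*system_scope*]` entry with `# When set, project_name and project_domain_name are ignored and the credential is system-scoped.` The commit message states this agent only needs the system reader role while the notifications class needs system admin; recording that minimum role in each class's `system_scope` doc would help operators avoid granting the agent account more than it needs. `neutron::server::notifications::ironic` has the same documentation gap. The enclosing class continues beyond the hunk.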


@ -24,21 +24,25 @@
# The value should contain auth plugin name # The value should contain auth plugin name
# Defaults to 'password' # Defaults to 'password'
# #
# [*user_domain_name*]
# (optional) Name of domain for $username
# Defaults to 'Default'
#
# [*username*] # [*username*]
# (optional) Username for connection to ironic in admin context # (optional) Username for connection to ironic in admin context
# Defaults to 'ironic' # Defaults to 'ironic'
# #
# [*project_domain_name*] # [*project_domain_name*]
# (Optional) Name of domain for $project_name # (optional) Name of domain for $project_name
# Defaults to 'Default' # Defaults to 'Default'
# #
# [*project_name*] # [*project_name*]
# (optional) ironic project's name # (optional) ironic project's name
# Defaults to 'services' # Defaults to 'services'
# #
# [*user_domain_name*] # [*system_scope*]
# (Optional) Name of domain for $username # (optional) Scope for system operations
# Defaults to 'Default' # Defaults to $::os_service_default
# #
# [*auth_url*] # [*auth_url*]
# (optional) Authorization URL for connection to ironic in admin context. # (optional) Authorization URL for connection to ironic in admin context.
@ -64,9 +68,10 @@ class neutron::server::notifications::ironic (
$password, $password,
$auth_type = 'password', $auth_type = 'password',
$username = 'ironic', $username = 'ironic',
$user_domain_name = 'Default',
$project_domain_name = 'Default', $project_domain_name = 'Default',
$project_name = 'services', $project_name = 'services',
$user_domain_name = 'Default', $system_scope = $::os_service_default,
$auth_url = 'http://127.0.0.1:5000', $auth_url = 'http://127.0.0.1:5000',
$region_name = $::os_service_default, $region_name = $::os_service_default,
$valid_interfaces = $::os_service_default, $valid_interfaces = $::os_service_default,
@ -75,15 +80,24 @@ class neutron::server::notifications::ironic (
include neutron::deps include neutron::deps
if is_service_default($system_scope) {
$project_name_real = $project_name
$project_domain_name_real = $project_domain_name
} else {
$project_name_real = $::os_service_default
$project_domain_name_real = $::os_service_default
}
neutron_config { neutron_config {
'ironic/auth_url': value => $auth_url; 'ironic/auth_type': value => $auth_type;
'ironic/user_domain_name': value => $user_domain_name;
'ironic/username': value => $username; 'ironic/username': value => $username;
'ironic/password': value => $password, secret => true; 'ironic/password': value => $password, secret => true;
'ironic/project_domain_name': value => $project_domain_name; 'ironic/project_domain_name': value => $project_domain_name_real;
'ironic/project_name': value => $project_name; 'ironic/project_name': value => $project_name_real;
'ironic/user_domain_name': value => $user_domain_name; 'ironic/system_scope': value => $system_scope;
'ironic/auth_url': value => $auth_url;
'ironic/region_name': value => $region_name; 'ironic/region_name': value => $region_name;
'ironic/auth_type': value => $auth_type;
'ironic/valid_interfaces': value => join(any2array($valid_interfaces), ','); 'ironic/valid_interfaces': value => join(any2array($valid_interfaces), ',');
'ironic/enable_notifications': value => $enable_notifications; 'ironic/enable_notifications': value => $enable_notifications;
} }
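Review bot: The `neutron_config` hunk moves the existing `ironic/auth_url` and `ironic/auth_type` entries to new positions in addition to adding `ironic/system_scope` and the `_real` substitutions, so the functional change is mixed with reordering that has no effect on the rendered config. Keeping the pre-existing lines in place (or splitting the reorder into its own change) would make the behavioural part of this diff — the three substituted lines — easier to review and to backport. The same `is_service_default($system_scope)` block appears verbatim in `neutron::agents::ml2::networking_baremetal`; that duplication is acceptable for two classes but is worth a note if a third consumer is added.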


@ -0,0 +1,7 @@
---
features:
- |
The ``system_scope`` parameter has been added to the following two classes.
- ``neutron::server::notifications::ironic``
- ``neutron::agents::ml2::networking_baremetal``


@ -42,11 +42,12 @@ describe 'neutron::agents::ml2::networking_baremetal' do
should contain_ironic_neutron_agent_config('ironic/keyfile').with_value('<SERVICE DEFAULT>') should contain_ironic_neutron_agent_config('ironic/keyfile').with_value('<SERVICE DEFAULT>')
should contain_ironic_neutron_agent_config('ironic/auth_type').with_value(p[:auth_type]) should contain_ironic_neutron_agent_config('ironic/auth_type').with_value(p[:auth_type])
should contain_ironic_neutron_agent_config('ironic/auth_url').with_value(p[:auth_url]) should contain_ironic_neutron_agent_config('ironic/auth_url').with_value(p[:auth_url])
should contain_ironic_neutron_agent_config('ironic/user_domain_name').with_value(p[:user_domain_name])
should contain_ironic_neutron_agent_config('ironic/username').with_value(p[:username]) should contain_ironic_neutron_agent_config('ironic/username').with_value(p[:username])
should contain_ironic_neutron_agent_config('ironic/password').with_value(p[:password]).with_secret(true) should contain_ironic_neutron_agent_config('ironic/password').with_value(p[:password]).with_secret(true)
should contain_ironic_neutron_agent_config('ironic/project_domain_name').with_value(p[:project_domain_name]) should contain_ironic_neutron_agent_config('ironic/project_domain_name').with_value(p[:project_domain_name])
should contain_ironic_neutron_agent_config('ironic/project_name').with_value(p[:project_name]) should contain_ironic_neutron_agent_config('ironic/project_name').with_value(p[:project_name])
should contain_ironic_neutron_agent_config('ironic/user_domain_name').with_value(p[:user_domain_name]) should contain_ironic_neutron_agent_config('ironic/system_scope').with_value('<SERVICE DEFAULT>')
should contain_ironic_neutron_agent_config('ironic/region_name').with_value('<SERVICE DEFAULT>') should contain_ironic_neutron_agent_config('ironic/region_name').with_value('<SERVICE DEFAULT>')
should contain_ironic_neutron_agent_config('ironic/status_code_retry_delay').with_value('<SERVICE DEFAULT>') should contain_ironic_neutron_agent_config('ironic/status_code_retry_delay').with_value('<SERVICE DEFAULT>')
should contain_ironic_neutron_agent_config('ironic/status_code_retries').with_value('<SERVICE DEFAULT>') should contain_ironic_neutron_agent_config('ironic/status_code_retries').with_value('<SERVICE DEFAULT>')
@ -89,6 +90,20 @@ describe 'neutron::agents::ml2::networking_baremetal' do
should contain_service('ironic-neutron-agent-service').that_notifies('Anchor[neutron::service::end]') should contain_service('ironic-neutron-agent-service').that_notifies('Anchor[neutron::service::end]')
end end
end end
context 'when system_scope is set' do
before :each do
params.merge!(
:system_scope => 'all'
)
end
it 'should configure system scope credential' do
should contain_ironic_neutron_agent_config('ironic/project_domain_name').with_value('<SERVICE DEFAULT>')
should contain_ironic_neutron_agent_config('ironic/project_name').with_value('<SERVICE DEFAULT>')
should contain_ironic_neutron_agent_config('ironic/system_scope').with_value('all')
end
end
end end
on_supported_os({ on_supported_os({
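Review bot: The new `when system_scope is set` context asserts that the project values become `<SERVICE DEFAULT>` and that `system_scope` is `all`, but it does not check that the user identity part of the credential is still written, which is the property that distinguishes system scope from simply dropping the project. Adding `should contain_ironic_neutron_agent_config('ironic/user_domain_name').with_value(p[:user_domain_name])` and the matching `ironic/username` assertion to that `it` block would pin that down. The equivalent context in the `neutron::server::notifications::ironic` spec has the same gap.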


@ -31,12 +31,14 @@ describe 'neutron::server::notifications::ironic' do
shared_examples 'neutron::server::notifications::ironic' do shared_examples 'neutron::server::notifications::ironic' do
it 'configure neutron.conf' do it 'configure neutron.conf' do
should contain_neutron_config('ironic/auth_type').with_value('password') should contain_neutron_config('ironic/auth_type').with_value('password')
should contain_neutron_config('ironic/auth_url').with_value('http://127.0.0.1:5000') should contain_neutron_config('ironic/user_domain_name').with_value('Default')
should contain_neutron_config('ironic/username').with_value('ironic') should contain_neutron_config('ironic/username').with_value('ironic')
should contain_neutron_config('ironic/password').with_value('secrete').with_secret( true ) should contain_neutron_config('ironic/password').with_value('secrete').with_secret( true )
should contain_neutron_config('ironic/region_name').with_value('<SERVICE DEFAULT>')
should contain_neutron_config('ironic/project_domain_name').with_value('Default') should contain_neutron_config('ironic/project_domain_name').with_value('Default')
should contain_neutron_config('ironic/user_domain_name').with_value('Default') should contain_neutron_config('ironic/project_name').with_value('services')
should contain_neutron_config('ironic/system_scope').with_value('<SERVICE DEFAULT>')
should contain_neutron_config('ironic/auth_url').with_value('http://127.0.0.1:5000')
should contain_neutron_config('ironic/region_name').with_value('<SERVICE DEFAULT>')
should contain_neutron_config('ironic/valid_interfaces').with_value('<SERVICE DEFAULT>') should contain_neutron_config('ironic/valid_interfaces').with_value('<SERVICE DEFAULT>')
should contain_neutron_config('ironic/enable_notifications').with_value('<SERVICE DEFAULT>') should contain_neutron_config('ironic/enable_notifications').with_value('<SERVICE DEFAULT>')
end end
@ -44,25 +46,28 @@ describe 'neutron::server::notifications::ironic' do
context 'when overriding parameters' do context 'when overriding parameters' do
before :each do before :each do
params.merge!( params.merge!(
:auth_url => 'http://keystone:5000/v3',
:auth_type => 'password', :auth_type => 'password',
:username => 'joe',
:region_name => 'MyRegion',
:project_domain_name => 'Default_1',
:user_domain_name => 'Default_2', :user_domain_name => 'Default_2',
:username => 'joe',
:project_domain_name => 'Default_1',
:project_name => 'alt_services',
:auth_url => 'http://keystone:5000/v3',
:region_name => 'MyRegion',
:valid_interfaces => 'internal,public', :valid_interfaces => 'internal,public',
:enable_notifications => false, :enable_notifications => false,
) )
end end
it 'should configure neutron server with overrided parameters' do it 'should configure neutron server with overrided parameters' do
should contain_neutron_config('ironic/auth_url').with_value('http://keystone:5000/v3')
should contain_neutron_config('ironic/auth_type').with_value('password') should contain_neutron_config('ironic/auth_type').with_value('password')
should contain_neutron_config('ironic/user_domain_name').with_value('Default_2')
should contain_neutron_config('ironic/username').with_value('joe') should contain_neutron_config('ironic/username').with_value('joe')
should contain_neutron_config('ironic/password').with_value('secrete').with_secret(true) should contain_neutron_config('ironic/password').with_value('secrete').with_secret(true)
should contain_neutron_config('ironic/region_name').with_value('MyRegion')
should contain_neutron_config('ironic/project_domain_name').with_value('Default_1') should contain_neutron_config('ironic/project_domain_name').with_value('Default_1')
should contain_neutron_config('ironic/user_domain_name').with_value('Default_2') should contain_neutron_config('ironic/project_name').with_value('alt_services')
should contain_neutron_config('ironic/system_scope').with_value('<SERVICE DEFAULT>')
should contain_neutron_config('ironic/auth_url').with_value('http://keystone:5000/v3')
should contain_neutron_config('ironic/region_name').with_value('MyRegion')
should contain_neutron_config('ironic/valid_interfaces').with_value('internal,public') should contain_neutron_config('ironic/valid_interfaces').with_value('internal,public')
should contain_neutron_config('ironic/enable_notifications').with_value(false) should contain_neutron_config('ironic/enable_notifications').with_value(false)
end end
@ -79,6 +84,20 @@ describe 'neutron::server::notifications::ironic' do
should contain_neutron_config('ironic/valid_interfaces').with_value('internal,public') should contain_neutron_config('ironic/valid_interfaces').with_value('internal,public')
end end
end end
context 'when system_scope is set' do
before :each do
params.merge!(
:system_scope => 'all'
)
end
it 'should configure system scope credential' do
should contain_neutron_config('ironic/project_domain_name').with_value('<SERVICE DEFAULT>')
should contain_neutron_config('ironic/project_name').with_value('<SERVICE DEFAULT>')
should contain_neutron_config('ironic/system_scope').with_value('all')
end
end
end end
on_supported_os({ on_supported_os({