From 8decdbaeff60ec13fb7978fd79626d25214fd73f Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Fri, 26 Nov 2021 12:15:03 +0900
Subject: [PATCH] Accept system scope credential for Placement API request

When SRBAC is enforced, Placement API requires system admin/reader role for (almost) all operations. This change allows usage of system-scoped credential for access to Placement API.

Change-Id: I51f2cf770dc53b88bc5842cc72e855be2c0cdc1e
---
 manifests/server/placement.pp | 34 +++++++++----
 ...stem_scope-placement-4508da4997e8ce10.yaml | 5 ++
 spec/classes/neutron_server_placement_spec.rb | 51 +++++++++++--------
 3 files changed, 60 insertions(+), 30 deletions(-)
 create mode 100644 releasenotes/notes/system_scope-placement-4508da4997e8ce10.yaml

diff --git a/manifests/server/placement.pp b/manifests/server/placement.pp
index cd8c0cf7a..a85251c2a 100644
--- a/manifests/server/placement.pp
+++ b/manifests/server/placement.pp
@@ -24,10 +24,6 @@
 # The value should contain auth plugin name
 # Defaults to 'password'
 #
-# [*username*]
-# (optional) Username when talking to placement.
-# Defaults to 'nova'
-#
 # [*project_domain_name*]
 # (Optional) Name of domain for $project_name
 # Defaults to 'Default'
@@ -36,10 +32,18 @@
 # (optional) Project name for configured user.
 # Defaults to 'services'
 #
+# [*system_scope*]
+# (Optional) Scope for system operations
+# Defaults to $::os_service_default
+#
 # [*user_domain_name*]
 # (Optional) Name of domain for $username
 # Defaults to 'Default'
 #
+# [*username*]
+# (optional) Username when talking to placement.
+# Defaults to 'nova'
+#
 # [*auth_url*]
 # (optional) Keystone auth URL.
 # If version independent identity plugin is used available versions will be
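Review bot: The new `[*system_scope*]` entry says only "Scope for system operations" and does not tell the operator what happens to the project-scope parameters, although the class body (outside this hunk) stops writing `project_name` and `project_domain_name` to neutron.conf as soon as `system_scope` is anything but the service default. Someone reading just this header would reasonably expect both project parameters to still be honoured alongside the system scope. I would expand the description to `#   (Optional) Scope for system operations, e.g. 'all'. When set, the` / `#   credential is system-scoped: project_name and project_domain_name are` / `#   not written to neutron.conf and the user needs a system role instead.` The "needs a system role" part is my inference from the commit message's SRBAC description rather than from the hunk, so word it as you see fit. The documentation comment block this hunk edits continues beyond the hunk on both sides.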
@@ -59,10 +63,11 @@
 class neutron::server::placement (
 $password,
 $auth_type = 'password',
- $username = 'nova',
 $project_domain_name = 'Default',
 $project_name = 'services',
+ $system_scope = $::os_service_default,
 $user_domain_name = 'Default',
+ $username = 'nova',
 $auth_url = 'http://127.0.0.1:5000',
 $region_name = $::os_service_default,
 $endpoint_type = $::os_service_default,
@@ -75,15 +80,24 @@ class neutron::server::placement (
 warning('The default value of username will change to placement in the next release')
 }
+ if is_service_default($system_scope) {
+ $project_name_real = $project_name
+ $project_domain_name_real = $project_domain_name
+ } else {
+ $project_name_real = $::os_service_default
+ $project_domain_name_real = $::os_service_default
+ }
+
 neutron_config {
- 'placement/auth_url': value => $auth_url;
+ 'placement/auth_type': value => $auth_type;
+ 'placement/project_domain_name': value => $project_domain_name_real;
+ 'placement/project_name': value => $project_name_real;
+ 'placement/system_scope': value => $system_scope;
+ 'placement/user_domain_name': value => $user_domain_name;
 'placement/username': value => $username;
 'placement/password': value => $password, secret => true;
- 'placement/project_domain_name': value => $project_domain_name;
- 'placement/project_name': value => $project_name;
- 'placement/user_domain_name': value => $user_domain_name;
+ 'placement/auth_url': value => $auth_url;
 'placement/region_name': value => $region_name;
 'placement/endpoint_type': value => $endpoint_type;
- 'placement/auth_type': value => $auth_type;
 }
 }
diff --git a/releasenotes/notes/system_scope-placement-4508da4997e8ce10.yaml b/releasenotes/notes/system_scope-placement-4508da4997e8ce10.yaml
new file mode 100644
index 000000000..c820231df
--- /dev/null
+++ b/releasenotes/notes/system_scope-placement-4508da4997e8ce10.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ The new ``sysem_scope`` parameter has been added to
+ the ``neutron::server::placement`` class.
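Review bot: `$system_scope` is written straight to `placement/system_scope` with no validation, while the `else` branch treats any non-default value as "system scope in use" and blanks the project parameters; as far as I know Keystone accepts only `all` as a system scope, so a typo such as `'All'` or `'system'` yields a credential with neither a usable project nor a valid system scope, and the failure surfaces only when neutron-server first calls Placement rather than at catalog compile time. I would add, just before the `if is_service_default($system_scope)` block, `if !is_service_default($system_scope) and $system_scope != 'all' { fail("system_scope must be 'all' when set, got '${system_scope}'") }`, or at minimum a comment on the `else` branch such as `# a system-scoped token carries no project, so drop the project parameters rather than send both scopes` so the precedence is visible to the next reader. Separately, the release note added in this patch spells the parameter `sysem_scope`.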
diff --git a/spec/classes/neutron_server_placement_spec.rb b/spec/classes/neutron_server_placement_spec.rb
index bd11e71ee..a7a72a70b 100644
--- a/spec/classes/neutron_server_placement_spec.rb
+++ b/spec/classes/neutron_server_placement_spec.rb
@@ -18,54 +18,65 @@ require 'spec_helper'
 describe 'neutron::server::placement' do
 let :params do
 {
- :auth_type => 'password',
- :username => 'nova',
- :password => 'secrete',
- :project_domain_name => 'Default',
- :project_name => 'services',
- :user_domain_name => 'Default',
- :auth_url => 'http://127.0.0.1:5000',
+ :password => 'secrete',
 }
 end
 shared_examples 'neutron server placement' do
 it 'configure neutron.conf' do
 should contain_neutron_config('placement/auth_type').with_value('password')
- should contain_neutron_config('placement/auth_url').with_value('http://127.0.0.1:5000')
- should contain_neutron_config('placement/username').with_value('nova')
- should contain_neutron_config('placement/password').with_value('secrete')
- should contain_neutron_config('placement/password').with_secret( true )
- should contain_neutron_config('placement/region_name').with_value('')
 should contain_neutron_config('placement/project_domain_name').with_value('Default')
+ should contain_neutron_config('placement/project_name').with_value('services')
+ should contain_neutron_config('placement/system_scope').with_value('')
 should contain_neutron_config('placement/user_domain_name').with_value('Default')
+ should contain_neutron_config('placement/username').with_value('nova')
+ should contain_neutron_config('placement/password').with_value('secrete').with_secret( true )
+ should contain_neutron_config('placement/auth_url').with_value('http://127.0.0.1:5000')
+ should contain_neutron_config('placement/region_name').with_value('')
 should contain_neutron_config('placement/endpoint_type').with_value('')
 end
 context 'when overriding parameters' do
 before :each do
 params.merge!(
- :auth_url => 'http://keystone:5000/v3',
 :auth_type => 'password',
- :username => 'joe',
- :region_name => 'MyRegion',
 :project_domain_name => 'Default_2',
+ :project_name => 'alt_services',
 :user_domain_name => 'Default_4',
+ :username => 'joe',
+ :auth_url => 'http://keystone:5000/v3',
+ :region_name => 'MyRegion',
 :endpoint_type => 'internal'
 )
 end
 it 'should configure neutron server with overrided parameters' do
- should contain_neutron_config('placement/auth_url').with_value('http://keystone:5000/v3')
 should contain_neutron_config('placement/auth_type').with_value('password')
- should contain_neutron_config('placement/username').with_value('joe')
- should contain_neutron_config('placement/password').with_value('secrete')
- should contain_neutron_config('placement/password').with_secret( true )
- should contain_neutron_config('placement/region_name').with_value('MyRegion')
 should contain_neutron_config('placement/project_domain_name').with_value('Default_2')
+ should contain_neutron_config('placement/project_name').with_value('alt_services')
+ should contain_neutron_config('placement/system_scope').with_value('')
 should contain_neutron_config('placement/user_domain_name').with_value('Default_4')
+ should contain_neutron_config('placement/username').with_value('joe')
+ should contain_neutron_config('placement/password').with_value('secrete').with_secret(true)
+ should contain_neutron_config('placement/auth_url').with_value('http://keystone:5000/v3')
+ should contain_neutron_config('placement/region_name').with_value('MyRegion')
 should contain_neutron_config('placement/endpoint_type').with_value('internal')
 end
 end
+
+ context 'when system_scope is set' do
+ before do
+ params.merge!(
+ :system_scope => 'all'
+ )
+ end
+
+ it 'configures system-scoped credential' do
+ is_expected.to contain_neutron_config('placement/project_name').with_value('')
+ is_expected.to contain_neutron_config('placement/project_domain_name').with_value('')
+ is_expected.to contain_neutron_config('placement/system_scope').with_value('all')
+ end
+ end
 end
 on_supported_os({
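Review bot: The new `'when system_scope is set'` context runs with the default `project_name`/`project_domain_name`, so it never proves the case the manifest's precedence rule exists for — that an explicitly supplied project is dropped once a system scope is requested — and it also does not check that the user-identity keys (`username`, `user_domain_name`, `password`) still reach neutron.conf in system-scoped mode. I would extend the merge to `:system_scope => 'all', :project_name => 'alt_services', :project_domain_name => 'Default_2'` and add `is_expected.to contain_neutron_config('placement/username').with_value('nova')` next to the three existing expectations, so a regression that blanked the wrong keys would be caught. As a style point, this context uses `is_expected.to` while every other example in the hunk uses `should`; settling on one form keeps the spec uniform. The `describe` block opened at the top of the hunk continues past `on_supported_os({`.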