Accept system scope credential for Placement API request

When SRBAC is enforced, Placement API requires system admin/reader role
for (almost) all operations. This change allows usage of system-scoped
credential for access to Placement API.

Change-Id: I51f2cf770dc53b88bc5842cc72e855be2c0cdc1e
This commit is contained in:
Takashi Kajinami 2021-11-26 12:15:03 +09:00
parent a528fe3c4e
commit 8decdbaeff
3 changed files with 60 additions and 30 deletions

View File

@ -24,10 +24,6 @@
# The value should contain auth plugin name # The value should contain auth plugin name
# Defaults to 'password' # Defaults to 'password'
# #
# [*username*]
# (optional) Username when talking to placement.
# Defaults to 'nova'
#
# [*project_domain_name*] # [*project_domain_name*]
# (Optional) Name of domain for $project_name # (Optional) Name of domain for $project_name
# Defaults to 'Default' # Defaults to 'Default'
@ -36,10 +32,18 @@
# (optional) Project name for configured user. # (optional) Project name for configured user.
# Defaults to 'services' # Defaults to 'services'
# #
# [*system_scope*]
# (Optional) Scope for system operations
# Defaults to $::os_service_default
#
# [*user_domain_name*] # [*user_domain_name*]
# (Optional) Name of domain for $username # (Optional) Name of domain for $username
# Defaults to 'Default' # Defaults to 'Default'
# #
# [*username*]
# (optional) Username when talking to placement.
# Defaults to 'nova'
#
# [*auth_url*] # [*auth_url*]
# (optional) Keystone auth URL. # (optional) Keystone auth URL.
# If version independent identity plugin is used available versions will be # If version independent identity plugin is used available versions will be
@ -59,10 +63,11 @@
class neutron::server::placement ( class neutron::server::placement (
$password, $password,
$auth_type = 'password', $auth_type = 'password',
$username = 'nova',
$project_domain_name = 'Default', $project_domain_name = 'Default',
$project_name = 'services', $project_name = 'services',
$system_scope = $::os_service_default,
$user_domain_name = 'Default', $user_domain_name = 'Default',
$username = 'nova',
$auth_url = 'http://127.0.0.1:5000', $auth_url = 'http://127.0.0.1:5000',
$region_name = $::os_service_default, $region_name = $::os_service_default,
$endpoint_type = $::os_service_default, $endpoint_type = $::os_service_default,
@ -75,15 +80,24 @@ class neutron::server::placement (
warning('The default value of username will change to placement in the next release') warning('The default value of username will change to placement in the next release')
} }
if is_service_default($system_scope) {
$project_name_real = $project_name
$project_domain_name_real = $project_domain_name
} else {
$project_name_real = $::os_service_default
$project_domain_name_real = $::os_service_default
}
neutron_config { neutron_config {
'placement/auth_url': value => $auth_url; 'placement/auth_type': value => $auth_type;
'placement/project_domain_name': value => $project_domain_name_real;
'placement/project_name': value => $project_name_real;
'placement/system_scope': value => $system_scope;
'placement/user_domain_name': value => $user_domain_name;
'placement/username': value => $username; 'placement/username': value => $username;
'placement/password': value => $password, secret => true; 'placement/password': value => $password, secret => true;
'placement/project_domain_name': value => $project_domain_name; 'placement/auth_url': value => $auth_url;
'placement/project_name': value => $project_name;
'placement/user_domain_name': value => $user_domain_name;
'placement/region_name': value => $region_name; 'placement/region_name': value => $region_name;
'placement/endpoint_type': value => $endpoint_type; 'placement/endpoint_type': value => $endpoint_type;
'placement/auth_type': value => $auth_type;
} }
} }

View File

@ -0,0 +1,5 @@
---
features:
- |
The new ``sysem_scope`` parameter has been added to
the ``neutron::server::placement`` class.

View File

@ -18,54 +18,65 @@ require 'spec_helper'
describe 'neutron::server::placement' do describe 'neutron::server::placement' do
let :params do let :params do
{ {
:auth_type => 'password',
:username => 'nova',
:password => 'secrete', :password => 'secrete',
:project_domain_name => 'Default',
:project_name => 'services',
:user_domain_name => 'Default',
:auth_url => 'http://127.0.0.1:5000',
} }
end end
shared_examples 'neutron server placement' do shared_examples 'neutron server placement' do
it 'configure neutron.conf' do it 'configure neutron.conf' do
should contain_neutron_config('placement/auth_type').with_value('password') should contain_neutron_config('placement/auth_type').with_value('password')
should contain_neutron_config('placement/auth_url').with_value('http://127.0.0.1:5000')
should contain_neutron_config('placement/username').with_value('nova')
should contain_neutron_config('placement/password').with_value('secrete')
should contain_neutron_config('placement/password').with_secret( true )
should contain_neutron_config('placement/region_name').with_value('<SERVICE DEFAULT>')
should contain_neutron_config('placement/project_domain_name').with_value('Default') should contain_neutron_config('placement/project_domain_name').with_value('Default')
should contain_neutron_config('placement/project_name').with_value('services')
should contain_neutron_config('placement/system_scope').with_value('<SERVICE DEFAULT>')
should contain_neutron_config('placement/user_domain_name').with_value('Default') should contain_neutron_config('placement/user_domain_name').with_value('Default')
should contain_neutron_config('placement/username').with_value('nova')
should contain_neutron_config('placement/password').with_value('secrete').with_secret( true )
should contain_neutron_config('placement/auth_url').with_value('http://127.0.0.1:5000')
should contain_neutron_config('placement/region_name').with_value('<SERVICE DEFAULT>')
should contain_neutron_config('placement/endpoint_type').with_value('<SERVICE DEFAULT>') should contain_neutron_config('placement/endpoint_type').with_value('<SERVICE DEFAULT>')
end end
context 'when overriding parameters' do context 'when overriding parameters' do
before :each do before :each do
params.merge!( params.merge!(
:auth_url => 'http://keystone:5000/v3',
:auth_type => 'password', :auth_type => 'password',
:username => 'joe',
:region_name => 'MyRegion',
:project_domain_name => 'Default_2', :project_domain_name => 'Default_2',
:project_name => 'alt_services',
:user_domain_name => 'Default_4', :user_domain_name => 'Default_4',
:username => 'joe',
:auth_url => 'http://keystone:5000/v3',
:region_name => 'MyRegion',
:endpoint_type => 'internal' :endpoint_type => 'internal'
) )
end end
it 'should configure neutron server with overrided parameters' do it 'should configure neutron server with overrided parameters' do
should contain_neutron_config('placement/auth_url').with_value('http://keystone:5000/v3')
should contain_neutron_config('placement/auth_type').with_value('password') should contain_neutron_config('placement/auth_type').with_value('password')
should contain_neutron_config('placement/username').with_value('joe')
should contain_neutron_config('placement/password').with_value('secrete')
should contain_neutron_config('placement/password').with_secret( true )
should contain_neutron_config('placement/region_name').with_value('MyRegion')
should contain_neutron_config('placement/project_domain_name').with_value('Default_2') should contain_neutron_config('placement/project_domain_name').with_value('Default_2')
should contain_neutron_config('placement/project_name').with_value('alt_services')
should contain_neutron_config('placement/system_scope').with_value('<SERVICE DEFAULT>')
should contain_neutron_config('placement/user_domain_name').with_value('Default_4') should contain_neutron_config('placement/user_domain_name').with_value('Default_4')
should contain_neutron_config('placement/username').with_value('joe')
should contain_neutron_config('placement/password').with_value('secrete').with_secret(true)
should contain_neutron_config('placement/auth_url').with_value('http://keystone:5000/v3')
should contain_neutron_config('placement/region_name').with_value('MyRegion')
should contain_neutron_config('placement/endpoint_type').with_value('internal') should contain_neutron_config('placement/endpoint_type').with_value('internal')
end end
end end
context 'when system_scope is set' do
before do
params.merge!(
:system_scope => 'all'
)
end
it 'configures system-scoped credential' do
is_expected.to contain_neutron_config('placement/project_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_neutron_config('placement/project_domain_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_neutron_config('placement/system_scope').with_value('all')
end
end
end end
on_supported_os({ on_supported_os({