a528fe3c4e
This change is the first step to support secure RBAC and allows usage of system scope credentials for Keystone API request. This change covers the following two items. - assignment of system scope roles to system user - credential parameters for authtoken middleware Note that the credential parameters for authtoken middleware are used in some providers, and these providers still require a project scope credential. This will be fixed by the subsequent change. Depends-on: https://review.opendev.org/804325 Change-Id: I8b73f04bd10d0129c7437c6f9c6a436b6171f39d
156 lines
7.3 KiB
Ruby
156 lines
7.3 KiB
Ruby
require 'spec_helper'
|
|
|
|
describe 'neutron::keystone::authtoken' do
|
|
|
|
let :params do
|
|
{ :password => 'neutron_password', }
|
|
end
|
|
|
|
shared_examples 'neutron::keystone::authtoken' do
|
|
|
|
context 'with default parameters' do
|
|
|
|
it 'configure keystone_authtoken' do
|
|
is_expected.to contain_keystone__resource__authtoken('neutron_config').with(
|
|
:username => 'neutron',
|
|
:password => 'neutron_password',
|
|
:auth_url => 'http://localhost:5000',
|
|
:project_name => 'services',
|
|
:user_domain_name => 'Default',
|
|
:project_domain_name => 'Default',
|
|
:system_scope => '<SERVICE DEFAULT>',
|
|
:insecure => '<SERVICE DEFAULT>',
|
|
:auth_section => '<SERVICE DEFAULT>',
|
|
:auth_type => 'password',
|
|
:www_authenticate_uri => 'http://localhost:5000',
|
|
:auth_version => '<SERVICE DEFAULT>',
|
|
:cache => '<SERVICE DEFAULT>',
|
|
:cafile => '<SERVICE DEFAULT>',
|
|
:certfile => '<SERVICE DEFAULT>',
|
|
:delay_auth_decision => '<SERVICE DEFAULT>',
|
|
:enforce_token_bind => '<SERVICE DEFAULT>',
|
|
:http_connect_timeout => '<SERVICE DEFAULT>',
|
|
:http_request_max_retries => '<SERVICE DEFAULT>',
|
|
:include_service_catalog => '<SERVICE DEFAULT>',
|
|
:keyfile => '<SERVICE DEFAULT>',
|
|
:memcache_pool_conn_get_timeout => '<SERVICE DEFAULT>',
|
|
:memcache_pool_dead_retry => '<SERVICE DEFAULT>',
|
|
:memcache_pool_maxsize => '<SERVICE DEFAULT>',
|
|
:memcache_pool_socket_timeout => '<SERVICE DEFAULT>',
|
|
:memcache_pool_unused_timeout => '<SERVICE DEFAULT>',
|
|
:memcache_secret_key => '<SERVICE DEFAULT>',
|
|
:memcache_security_strategy => '<SERVICE DEFAULT>',
|
|
:memcache_use_advanced_pool => '<SERVICE DEFAULT>',
|
|
:memcached_servers => '<SERVICE DEFAULT>',
|
|
:manage_memcache_package => false,
|
|
:region_name => '<SERVICE DEFAULT>',
|
|
:token_cache_time => '<SERVICE DEFAULT>',
|
|
:service_token_roles => '<SERVICE DEFAULT>',
|
|
:service_token_roles_required => '<SERVICE DEFAULT>',
|
|
:service_type => '<SERVICE DEFAULT>',
|
|
:interface => '<SERVICE DEFAULT>',
|
|
)
|
|
end
|
|
end
|
|
|
|
context 'when overriding parameters' do
|
|
before do
|
|
params.merge!({
|
|
:www_authenticate_uri => 'https://10.0.0.1:9999/',
|
|
:username => 'myuser',
|
|
:password => 'mypasswd',
|
|
:auth_url => 'http://127.0.0.1:5000',
|
|
:project_name => 'service_project',
|
|
:user_domain_name => 'domainX',
|
|
:project_domain_name => 'domainX',
|
|
:system_scope => 'all',
|
|
:insecure => false,
|
|
:auth_section => 'new_section',
|
|
:auth_type => 'password',
|
|
:auth_version => 'v3',
|
|
:cache => 'somevalue',
|
|
:cafile => '/opt/stack/data/cafile.pem',
|
|
:certfile => 'certfile.crt',
|
|
:delay_auth_decision => false,
|
|
:enforce_token_bind => 'permissive',
|
|
:http_connect_timeout => '300',
|
|
:http_request_max_retries => '3',
|
|
:include_service_catalog => true,
|
|
:keyfile => 'keyfile',
|
|
:memcache_pool_conn_get_timeout => '9',
|
|
:memcache_pool_dead_retry => '302',
|
|
:memcache_pool_maxsize => '11',
|
|
:memcache_pool_socket_timeout => '2',
|
|
:memcache_pool_unused_timeout => '61',
|
|
:memcache_secret_key => 'secret_key',
|
|
:memcache_security_strategy => 'ENCRYPT',
|
|
:memcache_use_advanced_pool => true,
|
|
:memcached_servers => ['memcached01:11211','memcached02:11211'],
|
|
:manage_memcache_package => true,
|
|
:region_name => 'region2',
|
|
:token_cache_time => '301',
|
|
:service_token_roles => ['service'],
|
|
:service_token_roles_required => false,
|
|
:service_type => 'identity',
|
|
:interface => 'internal',
|
|
})
|
|
end
|
|
|
|
it 'configure keystone_authtoken' do
|
|
is_expected.to contain_keystone__resource__authtoken('neutron_config').with(
|
|
:www_authenticate_uri => 'https://10.0.0.1:9999/',
|
|
:username => 'myuser',
|
|
:password => 'mypasswd',
|
|
:auth_url => 'http://127.0.0.1:5000',
|
|
:project_name => 'service_project',
|
|
:user_domain_name => 'domainX',
|
|
:project_domain_name => 'domainX',
|
|
:system_scope => 'all',
|
|
:insecure => false,
|
|
:auth_section => 'new_section',
|
|
:auth_type => 'password',
|
|
:auth_version => 'v3',
|
|
:cache => 'somevalue',
|
|
:cafile => '/opt/stack/data/cafile.pem',
|
|
:certfile => 'certfile.crt',
|
|
:delay_auth_decision => false,
|
|
:enforce_token_bind => 'permissive',
|
|
:http_connect_timeout => '300',
|
|
:http_request_max_retries => '3',
|
|
:include_service_catalog => true,
|
|
:keyfile => 'keyfile',
|
|
:memcache_pool_conn_get_timeout => '9',
|
|
:memcache_pool_dead_retry => '302',
|
|
:memcache_pool_maxsize => '11',
|
|
:memcache_pool_socket_timeout => '2',
|
|
:memcache_pool_unused_timeout => '61',
|
|
:memcache_secret_key => 'secret_key',
|
|
:memcache_security_strategy => 'ENCRYPT',
|
|
:memcache_use_advanced_pool => true,
|
|
:memcached_servers => ['memcached01:11211','memcached02:11211'],
|
|
:manage_memcache_package => true,
|
|
:region_name => 'region2',
|
|
:token_cache_time => '301',
|
|
:service_token_roles => ['service'],
|
|
:service_token_roles_required => false,
|
|
:service_type => 'identity',
|
|
:interface => 'internal',
|
|
)
|
|
end
|
|
end
|
|
end
|
|
|
|
on_supported_os({
|
|
:supported_os => OSDefaults.get_supported_os
|
|
}).each do |os,facts|
|
|
context "on #{os}" do
|
|
let (:facts) do
|
|
facts.merge!(OSDefaults.get_facts())
|
|
end
|
|
|
|
it_configures 'neutron::keystone::authtoken'
|
|
end
|
|
end
|
|
|
|
end
|