Globally support system scope credentials
After spending huge effort to understand the exact requirements to enforce SRBAC, we learned it's very difficult to find the required scope for each credential. This requires understanding the implementation of the client side as well as the server side, and the requirements might differ according to the deployment architecture or the features used. Instead of implementing support based on the actual implementation, this introduces support for system scope credentials in all places where a keystone user credential is defined, and makes all credential configurations consistent. Change-Id: I99eb7f368d68e393685041d20cd9adfb8f10eecb
@@ -33,6 +33,10 @@
|
||||
# admin context through the OpenStack Identity service.
|
||||
# Defaults to 'Default' if password is set
|
||||
#
|
||||
# [*system_scope*]
|
||||
# (optional) Scope for system operations.
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*username*]
|
||||
# (optional) Username for connecting to Cinder services in admin context
|
||||
# through the OpenStack Identity service.
|
||||
@@ -85,6 +89,7 @@ class nova::cinder (
|
||||
$timeout = $::os_service_default,
|
||||
$project_name = undef,
|
||||
$project_domain_name = undef,
|
||||
$system_scope = undef,
|
||||
$username = undef,
|
||||
$user_domain_name = undef,
|
||||
$os_region_name = $::os_service_default,
|
||||
@@ -110,18 +115,26 @@ Use the nova::cinder::os_region_name parameter')
|
||||
'cinder/region_name': ensure => absent;
|
||||
}
|
||||
|
||||
|
||||
if is_service_default($password) {
|
||||
$auth_type_real = pick($auth_type, $::os_service_default)
|
||||
$auth_url_real = pick($auth_url, $::os_service_default)
|
||||
$project_name_real = pick($project_name, $::os_service_default)
|
||||
$project_domain_name_real = pick($project_domain_name, $::os_service_default)
|
||||
$system_scope_real = pick($system_scope, $::os_service_default)
|
||||
$username_real = pick($username, $::os_service_default)
|
||||
$user_domain_name_real = pick($user_domain_name, $::os_service_default)
|
||||
} else {
|
||||
$system_scope_real = pick($system_scope, $::os_service_default)
|
||||
if is_service_default($system_scope_real) {
|
||||
$project_name_real = pick($project_name, 'services')
|
||||
$project_domain_name_real = pick($project_domain_name, 'Default')
|
||||
} else {
|
||||
$project_name_real = $::os_service_default
|
||||
$project_domain_name_real = $::os_service_default
|
||||
}
|
||||
$auth_type_real = pick($auth_type, 'password')
|
||||
$auth_url_real = pick($auth_url, 'http://127.0.0.1:5000/')
|
||||
$project_name_real = pick($project_name, 'services')
|
||||
$project_domain_name_real = pick($project_domain_name, 'Default')
|
||||
$username_real = pick($username, 'cinder')
|
||||
$user_domain_name_real = pick($user_domain_name, 'Default')
|
||||
}
|
||||
@@ -133,6 +146,7 @@ Use the nova::cinder::os_region_name parameter')
|
||||
'cinder/timeout': value => $timeout;
|
||||
'cinder/project_name': value => $project_name_real;
|
||||
'cinder/project_domain_name': value => $project_domain_name_real;
|
||||
'cinder/system_scope': value => $system_scope_real;
|
||||
'cinder/username': value => $username_real;
|
||||
'cinder/user_domain_name': value => $user_domain_name_real;
|
||||
'cinder/os_region_name': value => $os_region_name_real;
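Review bot: In the `else` branch of the credential block, an explicitly passed `project_name` or `project_domain_name` is replaced by `$::os_service_default` whenever `system_scope` is set, with no message, while the `is_service_default($password)` branch still passes both project values and `system_scope` through `pick()`, so the two branches disagree on whether the scopes are mutually exclusive. The same silent override appears in the `nova::ironic::common`, `nova::metadata::novajoin::api` and `nova::vendordata` sections of this commit. Because setting the parameter swaps a project-scoped service credential for a system-wide one, the parameter comment should say so, e.g. `# (optional) Scope for system operations. When set, project_name and project_domain_name are not written.`, and a `warning()` when both are supplied would make the override visible during the catalog run. The header also documents the default as `$::os_service_default` although the signature default is `undef` (resolved later by `pick()`).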
|
||||
|
@@ -12,6 +12,10 @@
|
||||
# The Ironic Keystone project name.
|
||||
# Defaults to 'services'
|
||||
#
|
||||
# [*system_scope*]
|
||||
# (optional) Scope for system operations.
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*password*]
|
||||
# The admin password for Ironic to connect to Nova.
|
||||
# Defaults to 'ironic'
|
||||
@@ -59,6 +63,7 @@ class nova::ironic::common (
|
||||
$auth_url = 'http://127.0.0.1:5000/',
|
||||
$password = 'ironic',
|
||||
$project_name = 'services',
|
||||
$system_scope = $::os_service_default,
|
||||
$username = 'admin',
|
||||
$endpoint_override = $::os_service_default,
|
||||
$region_name = $::os_service_default,
|
||||
@@ -73,18 +78,27 @@ class nova::ironic::common (
|
||||
|
||||
include nova::deps
|
||||
|
||||
if is_service_default($system_scope) {
|
||||
$project_name_real = $project_name
|
||||
$project_domain_name_real = $project_domain_name
|
||||
} else {
|
||||
$project_name_real = $::os_service_default
|
||||
$project_domain_name_real = $::os_service_default
|
||||
}
|
||||
|
||||
nova_config {
|
||||
'ironic/auth_plugin': value => $auth_plugin;
|
||||
'ironic/username': value => $username;
|
||||
'ironic/password': value => $password, secret => true;
|
||||
'ironic/auth_url': value => $auth_url;
|
||||
'ironic/project_name': value => $project_name;
|
||||
'ironic/project_name': value => $project_name_real;
|
||||
'ironic/system_scope': value => $system_scope;
|
||||
'ironic/endpoint_override': value => $endpoint_override;
|
||||
'ironic/region_name': value => $region_name;
|
||||
'ironic/api_max_retries': value => $api_max_retries;
|
||||
'ironic/api_retry_interval': value => $api_retry_interval;
|
||||
'ironic/user_domain_name': value => $user_domain_name;
|
||||
'ironic/project_domain_name': value => $project_domain_name;
|
||||
'ironic/project_domain_name': value => $project_domain_name_real;
|
||||
'ironic/service_type': value => $service_type;
|
||||
'ironic/valid_interfaces': value => join(any2array($valid_interfaces), ',');
|
||||
'ironic/timeout': value => $timeout;
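Review bot: `system_scope` can now be set while `$password` keeps its default of `'ironic'` and `$username` its default of `'admin'`, so a deployment that only adds `system_scope => 'all'` would write a system-scoped credential with a well-known password into the `ironic` section. Nothing in the new `if is_service_default($system_scope)` block checks for that combination. Consider stating on the `[*system_scope*]` comment that the password must be overridden when the scope is set, or calling `fail()` when the scope is set and the password is still the default. The class body continues outside the visible hunks.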
|
||||
|
@@ -92,6 +92,10 @@
|
||||
# (optional) Project name (for novajoin auth).
|
||||
# Defaults to 'services'
|
||||
#
|
||||
# [*system_scope*]
|
||||
# (optional) Scope for system operations.
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*configure_kerberos*]
|
||||
# (optional) Whether or not to create a kerberos configuration file.
|
||||
# Defaults to false
|
||||
@@ -124,6 +128,7 @@ class nova::metadata::novajoin::api (
|
||||
$username = 'novajoin',
|
||||
$project_domain_name = 'Default',
|
||||
$project_name = 'services',
|
||||
$system_scope = $::os_service_default,
|
||||
$configure_kerberos = false,
|
||||
$ipa_realm = undef,
|
||||
) {
|
||||
@@ -139,6 +144,14 @@ class nova::metadata::novajoin::api (
|
||||
fail('password is missing')
|
||||
}
|
||||
|
||||
if is_service_default($system_scope) {
|
||||
$project_name_real = $project_name
|
||||
$project_domain_name_real = $project_domain_name
|
||||
} else {
|
||||
$project_name_real = $::os_service_default
|
||||
$project_domain_name_real = $::os_service_default
|
||||
}
|
||||
|
||||
if $nova::params::novajoin_package_name == undef {
|
||||
fail("Unsupported osfamily: ${::osfamily} operatingsystem")
|
||||
}
|
||||
@@ -206,8 +219,9 @@ class nova::metadata::novajoin::api (
|
||||
'service_credentials/password': value => $password;
|
||||
'service_credentials/username': value => $username;
|
||||
'service_credentials/user_domain_name': value => $user_domain_name;
|
||||
'service_credentials/project_name': value => $project_name;
|
||||
'service_credentials/project_domain_name': value => $project_domain_name;
|
||||
'service_credentials/project_name': value => $project_name_real;
|
||||
'service_credentials/project_domain_name': value => $project_domain_name_real;
|
||||
'service_credentials/system_scope': value => $system_scope;
|
||||
}
|
||||
|
||||
if $manage_service {
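Review bot: In the `service_credentials` block, `'service_credentials/password': value => $password;` is written without `secret => true`, unlike the `ironic/password` and `vendordata_dynamic_auth/password` entries shown elsewhere in this commit, so the value can appear in Puppet change reports and logs. Since the neighbouring lines are being edited anyway, consider `'service_credentials/password': value => $password, secret => true;`, assuming `novajoin_config` accepts the `secret` parameter the way `nova_config` does. The resource block starts before this hunk.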
|
||||
|
@@ -62,6 +62,10 @@
|
||||
# (optional) Project name for the vendordata dynamic plugin credentials.
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*vendordata_dynamic_auth_system_scope*]
|
||||
# (optional) Scope for system operations.
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*vendordata_dynamic_auth_user_domain_name*]
|
||||
# (optional) User domain name for the vendordata dynamic plugin credentials.
|
||||
# Defaults to 'Default'
|
||||
@@ -83,6 +87,7 @@ class nova::vendordata(
|
||||
$vendordata_dynamic_auth_password = $::os_service_default,
|
||||
$vendordata_dynamic_auth_project_domain_name = 'Default',
|
||||
$vendordata_dynamic_auth_project_name = $::os_service_default,
|
||||
$vendordata_dynamic_auth_system_scope = $::os_service_default,
|
||||
$vendordata_dynamic_auth_user_domain_name = 'Default',
|
||||
$vendordata_dynamic_auth_username = $::os_service_default,
|
||||
) inherits nova::params {
|
||||
@@ -102,6 +107,14 @@ class nova::vendordata(
|
||||
$vendordata_dynamic_targets_real = $::os_service_default
|
||||
}
|
||||
|
||||
if is_service_default($vendordata_dynamic_auth_system_scope) {
|
||||
$vendordata_dynamic_auth_project_name_real = $vendordata_dynamic_auth_project_name
|
||||
$vendordata_dynamic_auth_project_domain_name_real = $vendordata_dynamic_auth_project_domain_name
|
||||
} else {
|
||||
$vendordata_dynamic_auth_project_name_real = $::os_service_default
|
||||
$vendordata_dynamic_auth_project_domain_name_real = $::os_service_default
|
||||
}
|
||||
|
||||
nova_config {
|
||||
'api/vendordata_jsonfile_path': value => $vendordata_jsonfile_path;
|
||||
'api/vendordata_providers': value => $vendordata_providers_real;
|
||||
@@ -113,8 +126,9 @@ class nova::vendordata(
|
||||
'vendordata_dynamic_auth/auth_url': value => $vendordata_dynamic_auth_auth_url;
|
||||
'vendordata_dynamic_auth/os_region_name': value => $vendordata_dynamic_auth_os_region_name;
|
||||
'vendordata_dynamic_auth/password': value => $vendordata_dynamic_auth_password, secret => true;
|
||||
'vendordata_dynamic_auth/project_domain_name': value => $vendordata_dynamic_auth_project_domain_name;
|
||||
'vendordata_dynamic_auth/project_name': value => $vendordata_dynamic_auth_project_name;
|
||||
'vendordata_dynamic_auth/project_domain_name': value => $vendordata_dynamic_auth_project_domain_name_real;
|
||||
'vendordata_dynamic_auth/project_name': value => $vendordata_dynamic_auth_project_name_real;
|
||||
'vendordata_dynamic_auth/system_scope': value => $vendordata_dynamic_auth_system_scope;
|
||||
'vendordata_dynamic_auth/user_domain_name': value => $vendordata_dynamic_auth_user_domain_name;
|
||||
'vendordata_dynamic_auth/username': value => $vendordata_dynamic_auth_username;
|
||||
}
|
||||
|
12
releasenotes/notes/system_scope-all-3d705c45620c2959.yaml
Normal file
@@ -0,0 +1,12 @@
|
||||
---
|
||||
features:
|
||||
- |
|
||||
The new ``system_scope`` parameter has been added to the following classes.
|
||||
|
||||
- ``nova::cinder``
|
||||
- ``nova::ironic::common``
|
||||
- ``nova::metadata::novajoin::api``
|
||||
|
||||
- |
|
||||
The new ``nova::vendordata::vendordata_dynamic_auth_system_scope``
|
||||
parameter has been added.
|
@@ -11,6 +11,7 @@ describe 'nova::cinder' do
|
||||
should contain_nova_config('cinder/timeout').with_value('<SERVICE DEFAULT>')
|
||||
should contain_nova_config('cinder/project_name').with_value('<SERVICE DEFAULT>')
|
||||
should contain_nova_config('cinder/project_domain_name').with_value('<SERVICE DEFAULT>')
|
||||
should contain_nova_config('cinder/system_scope').with_value('<SERVICE DEFAULT>')
|
||||
should contain_nova_config('cinder/username').with_value('<SERVICE DEFAULT>')
|
||||
should contain_nova_config('cinder/user_domain_name').with_value('<SERVICE DEFAULT>')
|
||||
should contain_nova_config('cinder/os_region_name').with_value('<SERVICE DEFAULT>')
|
||||
@@ -35,6 +36,7 @@ describe 'nova::cinder' do
|
||||
should contain_nova_config('cinder/timeout').with_value('<SERVICE DEFAULT>')
|
||||
should contain_nova_config('cinder/project_name').with_value('services')
|
||||
should contain_nova_config('cinder/project_domain_name').with_value('Default')
|
||||
should contain_nova_config('cinder/system_scope').with_value('<SERVICE DEFAULT>')
|
||||
should contain_nova_config('cinder/username').with_value('cinder')
|
||||
should contain_nova_config('cinder/user_domain_name').with_value('Default')
|
||||
should contain_nova_config('cinder/os_region_name').with_value('<SERVICE DEFAULT>')
|
||||
@@ -45,6 +47,7 @@ describe 'nova::cinder' do
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
context 'when specified parameters' do
|
||||
let :params do
|
||||
{
|
||||
@@ -67,6 +70,7 @@ describe 'nova::cinder' do
|
||||
should contain_nova_config('cinder/timeout').with_value('60')
|
||||
should contain_nova_config('cinder/project_name').with_value('services')
|
||||
should contain_nova_config('cinder/project_domain_name').with_value('Default')
|
||||
should contain_nova_config('cinder/system_scope').with_value('<SERVICE DEFAULT>')
|
||||
should contain_nova_config('cinder/username').with_value('cinder')
|
||||
should contain_nova_config('cinder/user_domain_name').with_value('Default')
|
||||
should contain_nova_config('cinder/os_region_name').with_value('RegionOne')
|
||||
@@ -75,7 +79,20 @@ describe 'nova::cinder' do
|
||||
should contain_nova_config('cinder/cross_az_attach').with_value(true)
|
||||
should contain_nova_config('cinder/debug').with_value(true)
|
||||
end
|
||||
end
|
||||
|
||||
context 'when system_scope is set' do
|
||||
let :params do
|
||||
{
|
||||
:password => 's3cr3t',
|
||||
:system_scope => 'all'
|
||||
}
|
||||
end
|
||||
it 'configures system-scoped credential' do
|
||||
is_expected.to contain_nova_config('cinder/project_domain_name').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_nova_config('cinder/project_name').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_nova_config('cinder/system_scope').with_value('all')
|
||||
end
|
||||
end
|
||||
end
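Review bot: The new `when system_scope is set` context passes only `:password` and `:system_scope`, so it checks that the password-branch defaults (`'services'`, `'Default'`) are dropped but not that an explicitly supplied project is. Adding `:project_name => 'services'` and `:project_domain_name => 'Default'` to the params, as the `nova::vendordata` spec does with `:vendordata_dynamic_auth_project_name`, would pin that behaviour. A case with `:system_scope` set and no password would also cover the other branch of the manifest. The new examples use `is_expected.to` while the surrounding examples in this file use `should`.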
|
||||
|
||||
|
@@ -11,10 +11,11 @@ describe 'nova::ironic::common' do
|
||||
is_expected.to contain_nova_config('ironic/password').with_value('ironic').with_secret(true)
|
||||
is_expected.to contain_nova_config('ironic/auth_url').with_value('http://127.0.0.1:5000/')
|
||||
is_expected.to contain_nova_config('ironic/project_name').with_value('services')
|
||||
is_expected.to contain_nova_config('ironic/system_scope').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_nova_config('ironic/endpoint_override').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_nova_config('ironic/region_name').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_nova_config('ironic/api_max_retries').with('value' => '<SERVICE DEFAULT>')
|
||||
is_expected.to contain_nova_config('ironic/api_retry_interval').with('value' => '<SERVICE DEFAULT>')
|
||||
is_expected.to contain_nova_config('ironic/api_max_retries').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_nova_config('ironic/api_retry_interval').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_nova_config('ironic/user_domain_name').with_value('Default')
|
||||
is_expected.to contain_nova_config('ironic/project_domain_name').with_value('Default')
|
||||
is_expected.to contain_nova_config('ironic/service_type').with_value('<SERVICE DEFAULT>')
|
||||
@@ -48,17 +49,31 @@ describe 'nova::ironic::common' do
|
||||
is_expected.to contain_nova_config('ironic/password').with_value('s3cr3t').with_secret(true)
|
||||
is_expected.to contain_nova_config('ironic/auth_url').with_value('http://10.0.0.10:5000/')
|
||||
is_expected.to contain_nova_config('ironic/project_name').with_value('services2')
|
||||
is_expected.to contain_nova_config('ironic/system_scope').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_nova_config('ironic/endpoint_override').with_value('http://10.0.0.10:6385/v1')
|
||||
is_expected.to contain_nova_config('ironic/region_name').with_value('regionTwo')
|
||||
is_expected.to contain_nova_config('ironic/api_max_retries').with('value' => '60')
|
||||
is_expected.to contain_nova_config('ironic/api_retry_interval').with('value' => '2')
|
||||
is_expected.to contain_nova_config('ironic/user_domain_name').with('value' => 'custom_domain')
|
||||
is_expected.to contain_nova_config('ironic/project_domain_name').with('value' => 'custom_domain')
|
||||
is_expected.to contain_nova_config('ironic/api_max_retries').with_value('60')
|
||||
is_expected.to contain_nova_config('ironic/api_retry_interval').with_value('2')
|
||||
is_expected.to contain_nova_config('ironic/user_domain_name').with_value('custom_domain')
|
||||
is_expected.to contain_nova_config('ironic/project_domain_name').with_value('custom_domain')
|
||||
is_expected.to contain_nova_config('ironic/service_type').with_value('baremetal')
|
||||
is_expected.to contain_nova_config('ironic/timeout').with_value(30)
|
||||
is_expected.to contain_nova_config('ironic/valid_interfaces').with_value('internal')
|
||||
end
|
||||
end
|
||||
|
||||
context 'when system_scope is set' do
|
||||
let :params do
|
||||
{
|
||||
:system_scope => 'all'
|
||||
}
|
||||
end
|
||||
it 'configures system-scoped credential' do
|
||||
is_expected.to contain_nova_config('ironic/project_domain_name').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_nova_config('ironic/project_name').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_nova_config('ironic/system_scope').with_value('all')
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
on_supported_os({
|
||||
|
@@ -106,7 +106,7 @@ describe 'nova::metadata::novajoin::api' do
|
||||
should contain_novajoin_config('service_credentials/auth_url').with_value(param_hash[:keystone_auth_url])
|
||||
should contain_novajoin_config('service_credentials/password').with_value(param_hash[:password])
|
||||
should contain_novajoin_config('service_credentials/project_name').with_value(param_hash[:project_name])
|
||||
should_not contain_novajoin_config('service_credentials/user_domain_id')
|
||||
should contain_novajoin_config('service_credentials/system_scope').with_value('<SERVICE DEFAULT>')
|
||||
should contain_novajoin_config('service_credentials/user_domain_name').with_value(param_hash[:user_domain_name])
|
||||
should contain_novajoin_config('service_credentials/project_domain_name').with_value(param_hash[:project_domain_name])
|
||||
should contain_novajoin_config('service_credentials/username').with_value(param_hash[:username])
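Review bot: Only the default value of `service_credentials/system_scope` is asserted here; the `else` branch added to `nova::metadata::novajoin::api`, which resets `project_name` and `project_domain_name`, has no example, whereas the cinder, ironic and vendordata specs each gain a `when system_scope is set` context. A matching context that sets `:system_scope => 'all'` and expects `service_credentials/project_name` and `service_credentials/project_domain_name` to be `'<SERVICE DEFAULT>'` would close the gap. The enclosing example starts and ends outside this hunk.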
|
||||
|
@@ -14,20 +14,21 @@ describe 'nova::vendordata' do
|
||||
|
||||
context 'with default parameters' do
|
||||
it 'configures various stuff' do
|
||||
is_expected.to contain_nova_config('api/vendordata_jsonfile_path').with('value' => '<SERVICE DEFAULT>')
|
||||
is_expected.to contain_nova_config('api/vendordata_providers').with('value' => '<SERVICE DEFAULT>')
|
||||
is_expected.to contain_nova_config('api/vendordata_dynamic_targets').with('value' => '<SERVICE DEFAULT>')
|
||||
is_expected.to contain_nova_config('api/vendordata_dynamic_connect_timeout').with('value' => '<SERVICE DEFAULT>')
|
||||
is_expected.to contain_nova_config('api/vendordata_dynamic_read_timeout').with('value' => '<SERVICE DEFAULT>')
|
||||
is_expected.to contain_nova_config('api/vendordata_dynamic_failure_fatal').with('value' => '<SERVICE DEFAULT>')
|
||||
is_expected.to contain_nova_config('vendordata_dynamic_auth/auth_type').with('value' => '<SERVICE DEFAULT>')
|
||||
is_expected.to contain_nova_config('vendordata_dynamic_auth/auth_url').with('value' => '<SERVICE DEFAULT>')
|
||||
is_expected.to contain_nova_config('vendordata_dynamic_auth/os_region_name').with('value' => '<SERVICE DEFAULT>')
|
||||
is_expected.to contain_nova_config('vendordata_dynamic_auth/password').with('value' => '<SERVICE DEFAULT>')
|
||||
is_expected.to contain_nova_config('vendordata_dynamic_auth/project_domain_name').with('value' => 'Default')
|
||||
is_expected.to contain_nova_config('vendordata_dynamic_auth/project_name').with('value' => '<SERVICE DEFAULT>')
|
||||
is_expected.to contain_nova_config('vendordata_dynamic_auth/user_domain_name').with('value' => 'Default')
|
||||
is_expected.to contain_nova_config('vendordata_dynamic_auth/username').with('value' => '<SERVICE DEFAULT>')
|
||||
is_expected.to contain_nova_config('api/vendordata_jsonfile_path').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_nova_config('api/vendordata_providers').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_nova_config('api/vendordata_dynamic_targets').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_nova_config('api/vendordata_dynamic_connect_timeout').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_nova_config('api/vendordata_dynamic_read_timeout').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_nova_config('api/vendordata_dynamic_failure_fatal').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_nova_config('vendordata_dynamic_auth/auth_type').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_nova_config('vendordata_dynamic_auth/auth_url').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_nova_config('vendordata_dynamic_auth/os_region_name').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_nova_config('vendordata_dynamic_auth/password').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_nova_config('vendordata_dynamic_auth/project_domain_name').with_value('Default')
|
||||
is_expected.to contain_nova_config('vendordata_dynamic_auth/project_name').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_nova_config('vendordata_dynamic_auth/system_scope').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_nova_config('vendordata_dynamic_auth/user_domain_name').with_value('Default')
|
||||
is_expected.to contain_nova_config('vendordata_dynamic_auth/username').with_value('<SERVICE DEFAULT>')
|
||||
end
|
||||
end
|
||||
|
||||
@@ -52,20 +53,35 @@ describe 'nova::vendordata' do
|
||||
end
|
||||
|
||||
it 'configures various stuff' do
|
||||
is_expected.to contain_nova_config('api/vendordata_jsonfile_path').with('value' => '/tmp')
|
||||
is_expected.to contain_nova_config('api/vendordata_providers').with('value' => 'StaticJSON,DynamicJSON')
|
||||
is_expected.to contain_nova_config('api/vendordata_dynamic_targets').with('value' => 'join@http://127.0.0.1:9999/v1/')
|
||||
is_expected.to contain_nova_config('api/vendordata_dynamic_connect_timeout').with('value' => '30')
|
||||
is_expected.to contain_nova_config('api/vendordata_dynamic_read_timeout').with('value' => '30')
|
||||
is_expected.to contain_nova_config('api/vendordata_dynamic_failure_fatal').with('value' => false)
|
||||
is_expected.to contain_nova_config('vendordata_dynamic_auth/auth_type').with('value' => 'password')
|
||||
is_expected.to contain_nova_config('vendordata_dynamic_auth/auth_url').with('value' => 'http://127.0.0.1:5000')
|
||||
is_expected.to contain_nova_config('vendordata_dynamic_auth/os_region_name').with('value' => 'RegionOne')
|
||||
is_expected.to contain_nova_config('vendordata_dynamic_auth/password').with('value' => 'secrete').with_secret(true)
|
||||
is_expected.to contain_nova_config('vendordata_dynamic_auth/project_domain_name').with('value' => 'Default')
|
||||
is_expected.to contain_nova_config('vendordata_dynamic_auth/project_name').with('value' => 'project')
|
||||
is_expected.to contain_nova_config('vendordata_dynamic_auth/user_domain_name').with('value' => 'Default')
|
||||
is_expected.to contain_nova_config('vendordata_dynamic_auth/username').with('value' => 'user')
|
||||
is_expected.to contain_nova_config('api/vendordata_jsonfile_path').with_value('/tmp')
|
||||
is_expected.to contain_nova_config('api/vendordata_providers').with_value('StaticJSON,DynamicJSON')
|
||||
is_expected.to contain_nova_config('api/vendordata_dynamic_targets').with_value('join@http://127.0.0.1:9999/v1/')
|
||||
is_expected.to contain_nova_config('api/vendordata_dynamic_connect_timeout').with_value('30')
|
||||
is_expected.to contain_nova_config('api/vendordata_dynamic_read_timeout').with_value('30')
|
||||
is_expected.to contain_nova_config('api/vendordata_dynamic_failure_fatal').with_value(false)
|
||||
is_expected.to contain_nova_config('vendordata_dynamic_auth/auth_type').with_value('password')
|
||||
is_expected.to contain_nova_config('vendordata_dynamic_auth/auth_url').with_value('http://127.0.0.1:5000')
|
||||
is_expected.to contain_nova_config('vendordata_dynamic_auth/os_region_name').with_value('RegionOne')
|
||||
is_expected.to contain_nova_config('vendordata_dynamic_auth/password').with_value('secrete').with_secret(true)
|
||||
is_expected.to contain_nova_config('vendordata_dynamic_auth/project_domain_name').with_value('Default')
|
||||
is_expected.to contain_nova_config('vendordata_dynamic_auth/project_name').with_value('project')
|
||||
is_expected.to contain_nova_config('vendordata_dynamic_auth/system_scope').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_nova_config('vendordata_dynamic_auth/user_domain_name').with_value('Default')
|
||||
is_expected.to contain_nova_config('vendordata_dynamic_auth/username').with_value('user')
|
||||
end
|
||||
end
|
||||
|
||||
context 'when system_scope is set' do
|
||||
before do
|
||||
params.merge!({
|
||||
:vendordata_dynamic_auth_project_name => 'services',
|
||||
:vendordata_dynamic_auth_system_scope => 'all'
|
||||
})
|
||||
end
|
||||
it 'configures system-scoped credential' do
|
||||
is_expected.to contain_nova_config('vendordata_dynamic_auth/project_domain_name').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_nova_config('vendordata_dynamic_auth/project_name').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_nova_config('vendordata_dynamic_auth/system_scope').with_value('all')
|
||||
end
|
||||
end
|
||||
end
|
||||
|