openstack
/
puppet-nova
Code Issues Proposed changes
Browse Source

Merge "Accept system scope credentials for Keystone API request"

changes/66/824366/1
Zuul 4 months ago committed by Gerrit Code Review
parent
91601648a5 af93169d4d
commit
9f9ca26382
7 changed files with 53 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 15
      manifests/keystone/auth.pp
  2. 6
      manifests/keystone/authtoken.pp
  3. 6
      manifests/keystone/service_user.pp
  4. 14
      releasenotes/notes/system_scope-keystone-443335bece968e41.yaml
  5. 6
      spec/classes/nova_keystone_auth_spec.rb
  6. 3
      spec/classes/nova_keystone_authtoken_spec.rb
  7. 3
      spec/classes/nova_keystone_service_user_spec.rb

15
manifests/keystone/auth.pp
Unescape View File

@ -47,6 +47,14 @@
# (Optional) List of roles assigned to the nova service user
# Defaults to ['admin']
#
# [*system_scope*]
# Scope for system operations
# string; optional: default to 'all'
#
# [*system_roles*]
# List of system roles;
# string; optional: default to []
#
# [*email*]
# (Optional) The email address for the nova service user
# Defaults to 'nova@localhost'
@ -72,6 +80,8 @@ class nova::keystone::auth(
$region = 'RegionOne',
$tenant = 'services',
$roles = ['admin'],
$system_scope = 'all',
$system_roles = [],
$email = 'nova@localhost',
$public_url = 'http://127.0.0.1:8774/v2.1',
$internal_url = 'http://127.0.0.1:8774/v2.1',
@ -83,6 +93,9 @@ class nova::keystone::auth(
include nova::deps
Keystone_user_role<| name == "${auth_name}@${tenant}" |> -> Anchor['nova::service::end']
Keystone_user_role<| name == "${auth_name}@::::${system_scope}" |> -> Anchor['nova::service::end']
if $configure_endpoint {
Keystone_endpoint["${region}/${service_name}::${service_type}"] -> Anchor['nova::service::end']
}
@ -100,6 +113,8 @@ class nova::keystone::auth(
email => $email,
tenant => $tenant,
roles => $roles,
system_scope => $system_scope,
system_roles => $system_roles,
public_url => $public_url,
admin_url => $admin_url,
internal_url => $internal_url,

6
manifests/keystone/authtoken.pp
Unescape View File

@ -28,6 +28,10 @@
# (Optional) Name of domain for $project_domain_name
# Defaults to 'Default'
#
# [*system_scope*]
# (Optional) Scope for system operations
# Defaults to $::os_service_default
#
# [*insecure*]
# (Optional) If true, explicitly allow TLS without checking server cert
# against any certificate authorities. WARNING: not recommended. Use with
@ -198,6 +202,7 @@ class nova::keystone::authtoken(
$project_name = 'services',
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$system_scope = $::os_service_default,
$insecure = $::os_service_default,
$auth_section = $::os_service_default,
$auth_type = 'password',
@ -251,6 +256,7 @@ class nova::keystone::authtoken(
auth_section => $auth_section,
user_domain_name => $user_domain_name,
project_domain_name => $project_domain_name,
system_scope => $system_scope,
insecure => $insecure,
cache => $cache,
cafile => $cafile,

6
manifests/keystone/service_user.pp
Unescape View File

@ -28,6 +28,10 @@
# (Optional) Name of domain for $project_domain_name
# Defaults to 'Default'
#
# [*system_scope*]
# (Optional) Scope for system operations
# Defaults to $::os_service_default
#
# [*send_service_user_token*]
# (Optional) The service uses service token feature when this is set as true
# Defaults to 'false'
@ -70,6 +74,7 @@ class nova::keystone::service_user(
$project_name = 'services',
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$system_scope = $::os_service_default,
$send_service_user_token = false,
$insecure = $::os_service_default,
$auth_type = 'password',
@ -91,6 +96,7 @@ class nova::keystone::service_user(
auth_type => $auth_type,
user_domain_name => $user_domain_name,
project_domain_name => $project_domain_name,
system_scope => $system_scope,
send_service_user_token => $send_service_user_token,
insecure => $insecure,
cafile => $cafile,

14
releasenotes/notes/system_scope-keystone-443335bece968e41.yaml
Unescape View File

@ -0,0 +1,14 @@
---
features:
- |
The ``nova::keystone::auth`` class now supports the following new
parameters to define system-scoped roles.
- ``system_scope``
- ``system_roles``
- |
The ``system_scope`` parameter has been added to the following classes.
- ``nova::keystone::authtoken``
- ``nova::keystone::service_user``

6
spec/classes/nova_keystone_auth_spec.rb
Unescape View File

@ -24,6 +24,8 @@ describe 'nova::keystone::auth' do
:email => 'nova@localhost',
:tenant => 'services',
:roles => ['admin'],
:system_scope => 'all',
:system_roles => [],
:public_url => 'http://127.0.0.1:8774/v2.1',
:internal_url => 'http://127.0.0.1:8774/v2.1',
:admin_url => 'http://127.0.0.1:8774/v2.1',
@ -44,6 +46,8 @@ describe 'nova::keystone::auth' do
:service_type => 'alt_compute',
:region => 'RegionTwo',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:public_url => 'https://10.10.10.10:80',
:internal_url => 'http://10.10.10.11:81',
:admin_url => 'http://10.10.10.12:81' }
@ -62,6 +66,8 @@ describe 'nova::keystone::auth' do
:email => 'alt_nova@alt_localhost',
:tenant => 'alt_service',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:public_url => 'https://10.10.10.10:80',
:internal_url => 'http://10.10.10.11:81',
:admin_url => 'http://10.10.10.12:81',

3
spec/classes/nova_keystone_authtoken_spec.rb
Unescape View File

@ -18,6 +18,7 @@ describe 'nova::keystone::authtoken' do
:project_name => 'services',
:user_domain_name => 'Default',
:project_domain_name => 'Default',
:system_scope => '<SERVICE DEFAULT>',
:insecure => '<SERVICE DEFAULT>',
:auth_section => '<SERVICE DEFAULT>',
:auth_type => 'password',
@ -62,6 +63,7 @@ describe 'nova::keystone::authtoken' do
:project_name => 'service_project',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:system_scope => 'all',
:insecure => false,
:auth_section => 'new_section',
:auth_type => 'password',
@ -103,6 +105,7 @@ describe 'nova::keystone::authtoken' do
:project_name => 'service_project',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:system_scope => 'all',
:insecure => false,
:auth_section => 'new_section',
:auth_type => 'password',

3
spec/classes/nova_keystone_service_user_spec.rb
Unescape View File

@ -20,6 +20,7 @@ describe 'nova::keystone::service_user' do
:project_name => 'services',
:user_domain_name => 'Default',
:project_domain_name => 'Default',
:system_scope => '<SERVICE DEFAULT>',
:insecure => '<SERVICE DEFAULT>',
:send_service_user_token => false,
:auth_type => 'password',
@ -41,6 +42,7 @@ describe 'nova::keystone::service_user' do
:project_name => 'service_project',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:system_scope => 'all',
:send_service_user_token => true,
:insecure => false,
:auth_type => 'password',
@ -60,6 +62,7 @@ describe 'nova::keystone::service_user' do
:project_name => 'service_project',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:system_scope => 'all',
:send_service_user_token => true,
:insecure => false,
:auth_type => 'password',

Write Preview
Loading…
Cancel
Save