Merge "Accept system scope credentials for Keystone API request"

Zuul 2022-01-08 00:28:45 +00:00 committed by Gerrit Code Review
commit 9f9ca26382
7 changed files with 53 additions and 0 deletions


@ -47,6 +47,14 @@
# (Optional) List of roles assigned to the nova service user
# Defaults to ['admin']
#
# [*system_scope*]
# Scope for system operations
# string; optional: default to 'all'
#
# [*system_roles*]
# List of system roles;
# string; optional: default to []
#
# [*email*]
# (Optional) The email address for the nova service user
# Defaults to 'nova@localhost'
@ -72,6 +80,8 @@ class nova::keystone::auth(
$region = 'RegionOne',
$tenant = 'services',
$roles = ['admin'],
$system_scope = 'all',
$system_roles = [],
$email = 'nova@localhost',
$public_url = 'http://127.0.0.1:8774/v2.1',
$internal_url = 'http://127.0.0.1:8774/v2.1',
@ -83,6 +93,9 @@ class nova::keystone::auth(
include nova::deps
Keystone_user_role<| name == "${auth_name}@${tenant}" |> -> Anchor['nova::service::end']
Keystone_user_role<| name == "${auth_name}@::::${system_scope}" |> -> Anchor['nova::service::end']
if $configure_endpoint {
Keystone_endpoint["${region}/${service_name}::${service_type}"] -> Anchor['nova::service::end']
}
@ -100,6 +113,8 @@ class nova::keystone::auth(
email => $email,
tenant => $tenant,
roles => $roles,
system_scope => $system_scope,
system_roles => $system_roles,
public_url => $public_url,
admin_url => $admin_url,
internal_url => $internal_url,
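Review bot: The new parameter documentation in the first hunk does not follow the file's own convention (`(Optional) ...` followed by `Defaults to ...`) and describes `system_roles` as a `string` although its default is the array `[]`. Suggest `# (Optional) Scope for system operations` / `# Defaults to 'all'` for `system_scope`, and for `system_roles` a two-line comment stating that it is an optional list of roles granted to the nova service user with system scope, defaulting to `[]`. That comment should make clear that roles listed here apply deployment-wide rather than within the `services` project, since 'admin' at system scope is a much larger grant than the project-scoped `roles` default. The resource receiving `system_scope`/`system_roles` in the last hunk is declared outside the hunk, so I cannot confirm from this page that it accepts both attributes.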


@ -28,6 +28,10 @@
# (Optional) Name of domain for $project_domain_name
# Defaults to 'Default'
#
# [*system_scope*]
# (Optional) Scope for system operations
# Defaults to $::os_service_default
#
# [*insecure*]
# (Optional) If true, explicitly allow TLS without checking server cert
# against any certificate authorities. WARNING: not recommended. Use with
@ -198,6 +202,7 @@ class nova::keystone::authtoken(
$project_name = 'services',
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$system_scope = $::os_service_default,
$insecure = $::os_service_default,
$auth_section = $::os_service_default,
$auth_type = 'password',
@ -251,6 +256,7 @@ class nova::keystone::authtoken(
auth_section => $auth_section,
user_domain_name => $user_domain_name,
project_domain_name => $project_domain_name,
system_scope => $system_scope,
insecure => $insecure,
cache => $cache,
cafile => $cafile,
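Review bot: `system_scope` is passed to the authtoken resource while `project_domain_name` (and presumably `project_name`, above the hunk) are still passed unconditionally, so when an operator sets `system_scope` the rendered `[keystone_authtoken]` section carries both a project scope and a system scope; as far as I recall keystoneauth does not accept both selections for one credential, so the token may not end up system-scoped as intended. The same applies to the `nova::keystone::service_user` section below. Suggest deriving `*_real` variables so that the project parameters fall back to `$::os_service_default` whenever a system scope is requested; the class body starts outside the hunk, and the two project parameters are the class parameters visible in the preceding hunk.
```puppet
  # A credential is either project-scoped or system-scoped, not both:
  # drop the project parameters when a system scope is requested.
  if is_service_default($system_scope) {
    $project_name_real        = $project_name
    $project_domain_name_real = $project_domain_name
  } else {
    $project_name_real        = $::os_service_default
    $project_domain_name_real = $::os_service_default
  }

  # … unchanged: resource declaration and other attributes …
    project_name        => $project_name_real,
    project_domain_name => $project_domain_name_real,
    system_scope        => $system_scope,
```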


@ -28,6 +28,10 @@
# (Optional) Name of domain for $project_domain_name
# Defaults to 'Default'
#
# [*system_scope*]
# (Optional) Scope for system operations
# Defaults to $::os_service_default
#
# [*send_service_user_token*]
# (Optional) The service uses service token feature when this is set as true
# Defaults to 'false'
@ -70,6 +74,7 @@ class nova::keystone::service_user(
$project_name = 'services',
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$system_scope = $::os_service_default,
$send_service_user_token = false,
$insecure = $::os_service_default,
$auth_type = 'password',
@ -91,6 +96,7 @@ class nova::keystone::service_user(
auth_type => $auth_type,
user_domain_name => $user_domain_name,
project_domain_name => $project_domain_name,
system_scope => $system_scope,
send_service_user_token => $send_service_user_token,
insecure => $insecure,
cafile => $cafile,


@ -0,0 +1,14 @@
---
features:
- |
The ``nova::keystone::auth`` class now supports the following new
parameters to define system-scoped roles.
- ``system_scope``
- ``system_roles``
- |
The ``system_scope`` parameter has been added to the following classes.
- ``nova::keystone::authtoken``
- ``nova::keystone::service_user``


@ -24,6 +24,8 @@ describe 'nova::keystone::auth' do
:email => 'nova@localhost',
:tenant => 'services',
:roles => ['admin'],
:system_scope => 'all',
:system_roles => [],
:public_url => 'http://127.0.0.1:8774/v2.1',
:internal_url => 'http://127.0.0.1:8774/v2.1',
:admin_url => 'http://127.0.0.1:8774/v2.1',
@ -44,6 +46,8 @@ describe 'nova::keystone::auth' do
:service_type => 'alt_compute',
:region => 'RegionTwo',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:public_url => 'https://10.10.10.10:80',
:internal_url => 'http://10.10.10.11:81',
:admin_url => 'http://10.10.10.12:81' }
@ -62,6 +66,8 @@ describe 'nova::keystone::auth' do
:email => 'alt_nova@alt_localhost',
:tenant => 'alt_service',
:roles => ['admin', 'service'],
:system_scope => 'alt_all',
:system_roles => ['admin', 'member', 'reader'],
:public_url => 'https://10.10.10.10:80',
:internal_url => 'http://10.10.10.11:81',
:admin_url => 'http://10.10.10.12:81',


@ -18,6 +18,7 @@ describe 'nova::keystone::authtoken' do
:project_name => 'services',
:user_domain_name => 'Default',
:project_domain_name => 'Default',
:system_scope => '<SERVICE DEFAULT>',
:insecure => '<SERVICE DEFAULT>',
:auth_section => '<SERVICE DEFAULT>',
:auth_type => 'password',
@ -62,6 +63,7 @@ describe 'nova::keystone::authtoken' do
:project_name => 'service_project',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:system_scope => 'all',
:insecure => false,
:auth_section => 'new_section',
:auth_type => 'password',
@ -103,6 +105,7 @@ describe 'nova::keystone::authtoken' do
:project_name => 'service_project',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:system_scope => 'all',
:insecure => false,
:auth_section => 'new_section',
:auth_type => 'password',
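Review bot: Both override examples set `:system_scope => 'all'` together with `:project_name => 'service_project'` and `:project_domain_name => 'domainX'`, so the spec pins a credential that is simultaneously project-scoped and system-scoped as the expected output; the assertions themselves are outside the hunk, so I am inferring this from the parameter hashes. A separate example that sets `system_scope` without the project parameters would document the intended system-scoped configuration and would not need to change if the manifest later drops project scope when a system scope is given. The same pattern appears in the `nova::keystone::service_user` spec section below.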


@ -20,6 +20,7 @@ describe 'nova::keystone::service_user' do
:project_name => 'services',
:user_domain_name => 'Default',
:project_domain_name => 'Default',
:system_scope => '<SERVICE DEFAULT>',
:insecure => '<SERVICE DEFAULT>',
:send_service_user_token => false,
:auth_type => 'password',
@ -41,6 +42,7 @@ describe 'nova::keystone::service_user' do
:project_name => 'service_project',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:system_scope => 'all',
:send_service_user_token => true,
:insecure => false,
:auth_type => 'password',
@ -60,6 +62,7 @@ describe 'nova::keystone::service_user' do
:project_name => 'service_project',
:user_domain_name => 'domainX',
:project_domain_name => 'domainX',
:system_scope => 'all',
:send_service_user_token => true,
:insecure => false,
:auth_type => 'password',