Accept system scope credentials for Keystone API request

This change is the first step to support secure RBAC and allows usage of system scope credentials for Keystone API request. This change covers the following three items. - assignment of system scope roles to system user - credential parameters for authtoken middleware - credential parameters for service token feature Note that the credential parameters for authtoken middleware are used in some providers, and these providers still require a project scope credential. This will be fixed by the subsequent change. Depends-on: https://review.opendev.org/804325 Change-Id: Ibd7afcb121b669cf533b077b926637b092e3df19
2021-08-27 15:35:13 +09:00 · 2021-08-27 15:35:13 +09:00 · af93169d4d
commit af93169d4d
parent 50dd912073
7 changed files with 53 additions and 0 deletions
--- a/manifests/keystone/auth.pp
+++ b/manifests/keystone/auth.pp
@ -47,6 +47,14 @@
 #   (Optional) List of roles assigned to the nova service user
 #   Defaults to ['admin']
 #
+# [*system_scope*]
+#   Scope for system operations
+#   string; optional: default to 'all'
+#
+# [*system_roles*]
+#   List of system roles;
+#   string; optional: default to []
+#
 # [*email*]
 #   (Optional) The email address for the nova service user
 #   Defaults to 'nova@localhost'
@ -72,6 +80,8 @@ class nova::keystone::auth(
  $region                  = 'RegionOne',
  $tenant                  = 'services',
  $roles                   = ['admin'],
+  $system_scope            = 'all',
+  $system_roles            = [],
  $email                   = 'nova@localhost',
  $public_url              = 'http://127.0.0.1:8774/v2.1',
  $internal_url            = 'http://127.0.0.1:8774/v2.1',
@ -83,6 +93,9 @@ class nova::keystone::auth(

  include nova::deps

+  Keystone_user_role<| name == "${auth_name}@${tenant}" |> -> Anchor['nova::service::end']
+  Keystone_user_role<| name == "${auth_name}@::::${system_scope}" |> -> Anchor['nova::service::end']
+
  if $configure_endpoint {
    Keystone_endpoint["${region}/${service_name}::${service_type}"] -> Anchor['nova::service::end']
  }
@ -100,6 +113,8 @@ class nova::keystone::auth(
    email               => $email,
    tenant              => $tenant,
    roles               => $roles,
+    system_scope        => $system_scope,
+    system_roles        => $system_roles,
    public_url          => $public_url,
    admin_url           => $admin_url,
    internal_url        => $internal_url,
--- a/manifests/keystone/authtoken.pp
+++ b/manifests/keystone/authtoken.pp
@ -28,6 +28,10 @@
 #   (Optional) Name of domain for $project_domain_name
 #   Defaults to 'Default'
 #
+# [*system_scope*]
+#   (Optional) Scope for system operations
+#   Defaults to $::os_service_default
+#
 # [*insecure*]
 #   (Optional) If true, explicitly allow TLS without checking server cert
 #   against any certificate authorities.  WARNING: not recommended.  Use with
@ -198,6 +202,7 @@ class nova::keystone::authtoken(
  $project_name                   = 'services',
  $user_domain_name               = 'Default',
  $project_domain_name            = 'Default',
+  $system_scope                   = $::os_service_default,
  $insecure                       = $::os_service_default,
  $auth_section                   = $::os_service_default,
  $auth_type                      = 'password',
@ -251,6 +256,7 @@ class nova::keystone::authtoken(
      auth_section                   => $auth_section,
      user_domain_name               => $user_domain_name,
      project_domain_name            => $project_domain_name,
+      system_scope                   => $system_scope,
      insecure                       => $insecure,
      cache                          => $cache,
      cafile                         => $cafile,
--- a/manifests/keystone/service_user.pp
+++ b/manifests/keystone/service_user.pp
@ -28,6 +28,10 @@
 #   (Optional) Name of domain for $project_domain_name
 #   Defaults to 'Default'
 #
+# [*system_scope*]
+#   (Optional) Scope for system operations
+#   Defaults to $::os_service_default
+#
 # [*send_service_user_token*]
 #   (Optional) The service uses service token feature when this is set as true
 #   Defaults to 'false'
@ -70,6 +74,7 @@ class nova::keystone::service_user(
  $project_name            = 'services',
  $user_domain_name        = 'Default',
  $project_domain_name     = 'Default',
+  $system_scope            = $::os_service_default,
  $send_service_user_token = false,
  $insecure                = $::os_service_default,
  $auth_type               = 'password',
@ -91,6 +96,7 @@ class nova::keystone::service_user(
    auth_type               => $auth_type,
    user_domain_name        => $user_domain_name,
    project_domain_name     => $project_domain_name,
+    system_scope            => $system_scope,
    send_service_user_token => $send_service_user_token,
    insecure                => $insecure,
    cafile                  => $cafile,
--- a/releasenotes/notes/system_scope-keystone-443335bece968e41.yaml
+++ b/releasenotes/notes/system_scope-keystone-443335bece968e41.yaml
@ -0,0 +1,14 @@
+---
+features:
+  - |
+    The ``nova::keystone::auth`` class now supports the following new
+    parameters to define system-scoped roles.
+
+    - ``system_scope``
+    - ``system_roles``
+
+  - |
+    The ``system_scope`` parameter has been added to the following classes.
+
+    - ``nova::keystone::authtoken``
+    - ``nova::keystone::service_user``
--- a/spec/classes/nova_keystone_auth_spec.rb
+++ b/spec/classes/nova_keystone_auth_spec.rb
@ -24,6 +24,8 @@ describe 'nova::keystone::auth' do
        :email               => 'nova@localhost',
        :tenant              => 'services',
        :roles               => ['admin'],
+        :system_scope        => 'all',
+        :system_roles        => [],
        :public_url          => 'http://127.0.0.1:8774/v2.1',
        :internal_url        => 'http://127.0.0.1:8774/v2.1',
        :admin_url           => 'http://127.0.0.1:8774/v2.1',
@ -44,6 +46,8 @@ describe 'nova::keystone::auth' do
          :service_type        => 'alt_compute',
          :region              => 'RegionTwo',
          :roles               => ['admin', 'service'],
+          :system_scope        => 'alt_all',
+          :system_roles        => ['admin', 'member', 'reader'],
          :public_url          => 'https://10.10.10.10:80',
          :internal_url        => 'http://10.10.10.11:81',
          :admin_url           => 'http://10.10.10.12:81' }
@ -62,6 +66,8 @@ describe 'nova::keystone::auth' do
        :email               => 'alt_nova@alt_localhost',
        :tenant              => 'alt_service',
        :roles               => ['admin', 'service'],
+        :system_scope        => 'alt_all',
+        :system_roles        => ['admin', 'member', 'reader'],
        :public_url          => 'https://10.10.10.10:80',
        :internal_url        => 'http://10.10.10.11:81',
        :admin_url           => 'http://10.10.10.12:81',
--- a/spec/classes/nova_keystone_authtoken_spec.rb
+++ b/spec/classes/nova_keystone_authtoken_spec.rb
@ -18,6 +18,7 @@ describe 'nova::keystone::authtoken' do
          :project_name                   => 'services',
          :user_domain_name               => 'Default',
          :project_domain_name            => 'Default',
+          :system_scope                   => '<SERVICE DEFAULT>',
          :insecure                       => '<SERVICE DEFAULT>',
          :auth_section                   => '<SERVICE DEFAULT>',
          :auth_type                      => 'password',
@ -62,6 +63,7 @@ describe 'nova::keystone::authtoken' do
          :project_name                   => 'service_project',
          :user_domain_name               => 'domainX',
          :project_domain_name            => 'domainX',
+          :system_scope                   => 'all',
          :insecure                       => false,
          :auth_section                   => 'new_section',
          :auth_type                      => 'password',
@ -103,6 +105,7 @@ describe 'nova::keystone::authtoken' do
          :project_name                   => 'service_project',
          :user_domain_name               => 'domainX',
          :project_domain_name            => 'domainX',
+          :system_scope                   => 'all',
          :insecure                       => false,
          :auth_section                   => 'new_section',
          :auth_type                      => 'password',
--- a/spec/classes/nova_keystone_service_user_spec.rb
+++ b/spec/classes/nova_keystone_service_user_spec.rb
@ -20,6 +20,7 @@ describe 'nova::keystone::service_user' do
          :project_name            => 'services',
          :user_domain_name        => 'Default',
          :project_domain_name     => 'Default',
+          :system_scope            => '<SERVICE DEFAULT>',
          :insecure                => '<SERVICE DEFAULT>',
          :send_service_user_token => false,
          :auth_type               => 'password',
@ -41,6 +42,7 @@ describe 'nova::keystone::service_user' do
          :project_name            => 'service_project',
          :user_domain_name        => 'domainX',
          :project_domain_name     => 'domainX',
+          :system_scope            => 'all',
          :send_service_user_token => true,
          :insecure                => false,
          :auth_type               => 'password',
@ -60,6 +62,7 @@ describe 'nova::keystone::service_user' do
          :project_name            => 'service_project',
          :user_domain_name        => 'domainX',
          :project_domain_name     => 'domainX',
+          :system_scope            => 'all',
          :send_service_user_token => true,
          :insecure                => false,
          :auth_type               => 'password',