From cafc1868a58c6b3ff4f7f1b60b7e6d9936a7bf20 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Fri, 26 Nov 2021 09:57:51 +0900
Subject: [PATCH] Accept system scope credential for Placement API request

When SRBAC is enforced, Placement API requires system admin/reader role for (almost) all operations. This change allows usage of system-scoped credential for access to Placement API.

Change-Id: I043e1c1edda6f369740d20d1745654eee0e16016
---
 manifests/placement.pp | 38 +++++++++++++------
 ...stem_scope-placement-e92481eb296c9e57.yaml | 5 +++
 spec/classes/nova_placement_spec.rb | 16 ++++++++
 3 files changed, 47 insertions(+), 12 deletions(-)
 create mode 100644 releasenotes/notes/system_scope-placement-e92481eb296c9e57.yaml

diff --git a/manifests/placement.pp b/manifests/placement.pp
index 3c79572a6..863482eaf 100644
--- a/manifests/placement.pp
+++ b/manifests/placement.pp
@@ -12,21 +12,30 @@
 # Name of the auth type to load (string value)
 # Defaults to 'password'
 #
-# [*project_name*]
-# (optional) Project name for connecting to Placement API service in
-# admin context through the OpenStack Identity service.
-# Defaults to 'services'
-#
 # [*project_domain_name*]
 # (optional) Project Domain name for connecting to Placement API service in
 # admin context through the OpenStack Identity service.
 # Defaults to 'Default'
 #
+# [*project_name*]
+# (optional) Project name for connecting to Placement API service in
+# admin context through the OpenStack Identity service.
+# Defaults to 'services'
+#
+# [*system_scope*]
+# (Optional) Scope for system operations
+# Defaults to $::os_service_default
+#
 # [*user_domain_name*]
 # (optional) User Domain name for connecting to Placement API service in
 # admin context through the OpenStack Identity service.
 # Defaults to 'Default'
 #
+# [*username*]
+# (optional) Username for connecting to Placement API service in admin context
+# through the OpenStack Identity service.
+# Defaults to 'placement'
+#
 # [*region_name*]
 # (optional) Region name for connecting to Placement API service in admin context
 # through the OpenStack Identity service.
@@ -37,11 +46,6 @@
 # the placement API. Comma separated if multiple.
 # Defaults to $::os_service_default
 #
-# [*username*]
-# (optional) Username for connecting to Placement API service in admin context
-# through the OpenStack Identity service.
-# Defaults to 'placement'
-#
 # [*auth_url*]
 # (optional) Points to the OpenStack Identity server IP and port.
 # This is the Identity (keystone) admin API server IP and port value,
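Review bot: The new `[*system_scope*]` entry does not tell the operator that setting it changes what happens to `project_name` and `project_domain_name`, which is the one consequence of this parameter they need to know before enabling it; the class body that acts on it is outside this hunk, so this comment is the only place the interaction is visible. I would expand the entry to `# (optional) Scope for system operations. When set (keystoneauth accepts 'all', as far as I know), the credential is system-scoped and project_name / project_domain_name are left at $::os_service_default, i.e. presumably not written to nova.conf.` The capitalised `(Optional)` also breaks the lowercase `(optional)` used by every neighbouring entry.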
@@ -56,18 +60,28 @@ class nova::placement( $valid_interfaces = $::os_service_default, $project_domain_name = 'Default', $project_name = 'services', + $system_scope = $::os_service_default, $user_domain_name = 'Default', $username = 'placement', ) inherits nova::params { include nova::deps + if is_service_default($system_scope) { + $project_name_real = $project_name + $project_domain_name_real = $project_domain_name + } else { + $project_name_real = $::os_service_default + $project_domain_name_real = $::os_service_default + } + nova_config { 'placement/auth_type': value => $auth_type; 'placement/auth_url': value => $auth_url; 'placement/password': value => $password, secret => true; - 'placement/project_domain_name': value => $project_domain_name; - 'placement/project_name': value => $project_name; + 'placement/project_domain_name': value => $project_domain_name_real; + 'placement/project_name': value => $project_name_real; + 'placement/system_scope': value => $system_scope; 'placement/user_domain_name': value => $user_domain_name; 'placement/username': value => $username; 'placement/region_name': value => $region_name; diff --git a/releasenotes/notes/system_scope-placement-e92481eb296c9e57.yaml b/releasenotes/notes/system_scope-placement-e92481eb296c9e57.yaml new file mode 100644 index 000000000..c9e792b83 --- /dev/null +++ b/releasenotes/notes/system_scope-placement-e92481eb296c9e57.yaml @@ -0,0 +1,5 @@ +--- +features: + - | + The new ``sysem_scope`` parameter has been added to the ``nova::placement`` + class. diff --git a/spec/classes/nova_placement_spec.rb b/spec/classes/nova_placement_spec.rb index d3dd400f9..87e2073c9 100644 --- a/spec/classes/nova_placement_spec.rb +++ b/spec/classes/nova_placement_spec.rb 
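Review bot: A `system_scope` value other than `'all'` is accepted silently: the `if is_service_default($system_scope)` branch only separates default from non-default, so any other string still drops `project_name`/`project_domain_name` and writes the value into `placement/system_scope`, and as far as I recall keystoneauth only honours `'all'` here and would otherwise request an unscoped token that Placement rejects with a 403 at runtime. Failing at catalog compile time is cheaper: `if !is_service_default($system_scope) and $system_scope != 'all' {` / `fail("nova::placement: system_scope only accepts 'all'")` / `}` placed before the `if` block. It is also worth a one-line comment above that block that an explicitly passed `project_name` is overridden without warning once `system_scope` is set. The `nova_config` resource continues past the end of this hunk.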
@@ -25,6 +25,7 @@ describe 'nova::placement' do is_expected.to contain_nova_config('placement/auth_type').with_value(default_params[:auth_type]) is_expected.to contain_nova_config('placement/project_name').with_value(default_params[:project_name]) is_expected.to contain_nova_config('placement/project_domain_name').with_value(default_params[:project_domain_name]) + is_expected.to contain_nova_config('placement/system_scope').with_value('') is_expected.to contain_nova_config('placement/region_name').with_value(default_params[:region_name]) is_expected.to contain_nova_config('placement/valid_interfaces').with_value('') is_expected.to contain_nova_config('placement/username').with_value(default_params[:username]) @@ -52,6 +53,7 @@ describe 'nova::placement' do is_expected.to contain_nova_config('placement/auth_type').with_value(params[:auth_type]) is_expected.to contain_nova_config('placement/project_name').with_value(params[:project_name]) is_expected.to contain_nova_config('placement/project_domain_name').with_value(params[:project_domain_name]) + is_expected.to contain_nova_config('placement/system_scope').with_value('') is_expected.to contain_nova_config('placement/region_name').with_value(params[:region_name]) is_expected.to contain_nova_config('placement/valid_interfaces').with_value(params[:valid_interfaces]) is_expected.to contain_nova_config('placement/username').with_value(params[:username]) 
@@ -71,6 +73,20 @@ describe 'nova::placement' do is_expected.to contain_nova_config('placement/valid_interfaces').with_value('internal,public') end end + + context 'when system_scope is set' do + before do + params.merge!( + :system_scope => 'all' + ) + end + + it 'configures system-scoped credential' do + is_expected.to contain_nova_config('placement/project_name').with_value('') + is_expected.to contain_nova_config('placement/project_domain_name').with_value('') + is_expected.to contain_nova_config('placement/system_scope').with_value(params[:system_scope]) + end + end end on_supported_os({
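Review bot: The new `when system_scope is set` context checks that the project fields are cleared but not that the rest of the credential survives, so a regression that also blanked `username`, `user_domain_name` or `password` in the system-scope branch would still pass these specs. Adding `is_expected.to contain_nova_config('placement/username').with_value(params[:username])` and `is_expected.to contain_nova_config('placement/user_domain_name').with_value(params[:user_domain_name])` next to the three existing assertions closes that gap, assuming `params` (defined above this hunk) carries those keys as the earlier `with params` context suggests. If the class is meant to reject values other than `'all'`, a second example with such a value would pin that too.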