Accept system scope credential for Placement API request

When SRBAC is enforced, the Placement API requires the system admin/reader role
for (almost) all operations. This change allows a system-scoped credential
to be used for access to the Placement API.

Change-Id: I043e1c1edda6f369740d20d1745654eee0e16016
Takashi Kajinami 2021-11-26 09:57:51 +09:00
parent af93169d4d
commit cafc1868a5
3 changed files with 47 additions and 12 deletions


@ -12,21 +12,30 @@
# Name of the auth type to load (string value) # Name of the auth type to load (string value)
# Defaults to 'password' # Defaults to 'password'
# #
# [*project_name*]
# (optional) Project name for connecting to Placement API service in
# admin context through the OpenStack Identity service.
# Defaults to 'services'
#
# [*project_domain_name*] # [*project_domain_name*]
# (optional) Project Domain name for connecting to Placement API service in # (optional) Project Domain name for connecting to Placement API service in
# admin context through the OpenStack Identity service. # admin context through the OpenStack Identity service.
# Defaults to 'Default' # Defaults to 'Default'
# #
# [*project_name*]
# (optional) Project name for connecting to Placement API service in
# admin context through the OpenStack Identity service.
# Defaults to 'services'
#
# [*system_scope*]
# (Optional) Scope for system operations
# Defaults to $::os_service_default
#
# [*user_domain_name*] # [*user_domain_name*]
# (optional) User Domain name for connecting to Placement API service in # (optional) User Domain name for connecting to Placement API service in
# admin context through the OpenStack Identity service. # admin context through the OpenStack Identity service.
# Defaults to 'Default' # Defaults to 'Default'
# #
# [*username*]
# (optional) Username for connecting to Placement API service in admin context
# through the OpenStack Identity service.
# Defaults to 'placement'
#
# [*region_name*] # [*region_name*]
# (optional) Region name for connecting to Placement API service in admin context # (optional) Region name for connecting to Placement API service in admin context
# through the OpenStack Identity service. # through the OpenStack Identity service.
@ -37,11 +46,6 @@
# the placement API. Comma separated if multiple. # the placement API. Comma separated if multiple.
# Defaults to $::os_service_default # Defaults to $::os_service_default
# #
# [*username*]
# (optional) Username for connecting to Placement API service in admin context
# through the OpenStack Identity service.
# Defaults to 'placement'
#
# [*auth_url*] # [*auth_url*]
# (optional) Points to the OpenStack Identity server IP and port. # (optional) Points to the OpenStack Identity server IP and port.
# This is the Identity (keystone) admin API server IP and port value, # This is the Identity (keystone) admin API server IP and port value,
@ -56,18 +60,28 @@ class nova::placement(
$valid_interfaces = $::os_service_default, $valid_interfaces = $::os_service_default,
$project_domain_name = 'Default', $project_domain_name = 'Default',
$project_name = 'services', $project_name = 'services',
$system_scope = $::os_service_default,
$user_domain_name = 'Default', $user_domain_name = 'Default',
$username = 'placement', $username = 'placement',
) inherits nova::params { ) inherits nova::params {
include nova::deps include nova::deps
if is_service_default($system_scope) {
$project_name_real = $project_name
$project_domain_name_real = $project_domain_name
} else {
$project_name_real = $::os_service_default
$project_domain_name_real = $::os_service_default
}
nova_config { nova_config {
'placement/auth_type': value => $auth_type; 'placement/auth_type': value => $auth_type;
'placement/auth_url': value => $auth_url; 'placement/auth_url': value => $auth_url;
'placement/password': value => $password, secret => true; 'placement/password': value => $password, secret => true;
'placement/project_domain_name': value => $project_domain_name; 'placement/project_domain_name': value => $project_domain_name_real;
'placement/project_name': value => $project_name; 'placement/project_name': value => $project_name_real;
'placement/system_scope': value => $system_scope;
'placement/user_domain_name': value => $user_domain_name; 'placement/user_domain_name': value => $user_domain_name;
'placement/username': value => $username; 'placement/username': value => $username;
'placement/region_name': value => $region_name; 'placement/region_name': value => $region_name;
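Review bot: The `[*system_scope*]` doc near the top of the hunk says only "Scope for system operations" and omits the security-relevant consequence implemented in the class body below it: once `system_scope` is set, `placement/project_name` and `placement/project_domain_name` are written as the service default, so the Placement credential becomes system-scoped and any `project_name`/`project_domain_name` the operator passes are silently ignored. Suggested wording: `# (Optional) Scope for system operations (keystoneauth system_scope, e.g. 'all').` / `# When set, project_name and project_domain_name are ignored and the credential` / `# is system-scoped; the user presumably needs its role assigned on the system.` A minor style point: `(Optional)` is capitalised while the neighbouring parameters use `(optional)`. The `nova::placement` class and its `nova_config` resource continue past the end of the hunk.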


@ -0,0 +1,5 @@
---
features:
- |
The new ``sysem_scope`` parameter has been added to the ``nova::placement``
class.


@ -25,6 +25,7 @@ describe 'nova::placement' do
is_expected.to contain_nova_config('placement/auth_type').with_value(default_params[:auth_type]) is_expected.to contain_nova_config('placement/auth_type').with_value(default_params[:auth_type])
is_expected.to contain_nova_config('placement/project_name').with_value(default_params[:project_name]) is_expected.to contain_nova_config('placement/project_name').with_value(default_params[:project_name])
is_expected.to contain_nova_config('placement/project_domain_name').with_value(default_params[:project_domain_name]) is_expected.to contain_nova_config('placement/project_domain_name').with_value(default_params[:project_domain_name])
is_expected.to contain_nova_config('placement/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_nova_config('placement/region_name').with_value(default_params[:region_name]) is_expected.to contain_nova_config('placement/region_name').with_value(default_params[:region_name])
is_expected.to contain_nova_config('placement/valid_interfaces').with_value('<SERVICE DEFAULT>') is_expected.to contain_nova_config('placement/valid_interfaces').with_value('<SERVICE DEFAULT>')
is_expected.to contain_nova_config('placement/username').with_value(default_params[:username]) is_expected.to contain_nova_config('placement/username').with_value(default_params[:username])
@ -52,6 +53,7 @@ describe 'nova::placement' do
is_expected.to contain_nova_config('placement/auth_type').with_value(params[:auth_type]) is_expected.to contain_nova_config('placement/auth_type').with_value(params[:auth_type])
is_expected.to contain_nova_config('placement/project_name').with_value(params[:project_name]) is_expected.to contain_nova_config('placement/project_name').with_value(params[:project_name])
is_expected.to contain_nova_config('placement/project_domain_name').with_value(params[:project_domain_name]) is_expected.to contain_nova_config('placement/project_domain_name').with_value(params[:project_domain_name])
is_expected.to contain_nova_config('placement/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_nova_config('placement/region_name').with_value(params[:region_name]) is_expected.to contain_nova_config('placement/region_name').with_value(params[:region_name])
is_expected.to contain_nova_config('placement/valid_interfaces').with_value(params[:valid_interfaces]) is_expected.to contain_nova_config('placement/valid_interfaces').with_value(params[:valid_interfaces])
is_expected.to contain_nova_config('placement/username').with_value(params[:username]) is_expected.to contain_nova_config('placement/username').with_value(params[:username])
@ -71,6 +73,20 @@ describe 'nova::placement' do
is_expected.to contain_nova_config('placement/valid_interfaces').with_value('internal,public') is_expected.to contain_nova_config('placement/valid_interfaces').with_value('internal,public')
end end
end end
context 'when system_scope is set' do
before do
params.merge!(
:system_scope => 'all'
)
end
it 'configures system-scoped credential' do
is_expected.to contain_nova_config('placement/project_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_nova_config('placement/project_domain_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_nova_config('placement/system_scope').with_value(params[:system_scope])
end
end
end end
on_supported_os({ on_supported_os({
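Review bot: The new `when system_scope is set` context asserts only that the project scope is cleared and that `placement/system_scope` is written; it does not check that the user identity the system-scoped credential actually authenticates with (`placement/username`, `placement/user_domain_name`, `placement/password`) is still written unchanged. Adding `is_expected.to contain_nova_config('placement/username').with_value(params[:username])` and `is_expected.to contain_nova_config('placement/user_domain_name').with_value(params[:user_domain_name])` to that example would pin that switching scope does not disturb them. `params` is defined outside the hunk, so the keys available there are inferred from the earlier context lines.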