diff --git a/manifests/keystone/auth.pp b/manifests/keystone/auth.pp
index 77f41c0f7..82fb29943 100644
--- a/manifests/keystone/auth.pp
+++ b/manifests/keystone/auth.pp
@@ -39,6 +39,10 @@
 # (Optional) The tenant to use for the nova service user
 # Defaults to 'services'
 #
+# [*roles*]
+# (Optional) List of roles assigned to the nova service user
+# Defaults to ['admin']
+#
 # [*email*]
 # (Optional) The email address for the nova service user
 # Defaults to 'nova@localhost'
@@ -62,6 +66,7 @@ class nova::keystone::auth(
 $service_description = 'Openstack Compute Service',
 $region = 'RegionOne',
 $tenant = 'services',
+ $roles = ['admin'],
 $email = 'nova@localhost',
 $public_url = 'http://127.0.0.1:8774/v2.1',
 $internal_url = 'http://127.0.0.1:8774/v2.1',
@@ -90,6 +95,7 @@ class nova::keystone::auth(
 password => $password,
 email => $email,
 tenant => $tenant,
+ roles => $roles,
 public_url => $public_url,
 admin_url => $admin_url,
 internal_url => $internal_url,
diff --git a/manifests/keystone/authtoken.pp b/manifests/keystone/authtoken.pp
index ccc312e75..3b06dabd4 100644
--- a/manifests/keystone/authtoken.pp
+++ b/manifests/keystone/authtoken.pp
@@ -161,6 +161,16 @@
 # (in seconds). Set to -1 to disable caching completely. Integer value
 # Defaults to $::os_service_default.
 #
+# [*service_token_roles*]
+# (Optional) A choice of roles that must be present in a service token.
+# Service tokens are allowed to request that an expired token
+# can be used and so this check should tightly control that
+# only actual services should be sending this token. Roles
+# here are applied as an ANY check so any role in this list
+# must be present. For backwards compatibility reasons this
+# currently only affects the allow_expired check. (list value)
+# Defaults to $::os_service_default.
+#
 # [*service_token_roles_required*]
 # (optional) backwards compatibility to ensure that the service tokens are
 # compared against a list of possible roles for validity
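Review bot: The new `[*roles*]` description in the first hunk says what the parameter holds but not how it interacts with the service-token check this same change introduces in manifests/keystone/authtoken.pp. The roles granted here are presumably the roles carried by tokens issued to the nova service user, so if an operator narrows `roles` away from the `['admin']` default while `nova::keystone::authtoken::service_token_roles` lists a role not in this set, service-token validation would fail; a sentence such as `# Should overlap with nova::keystone::authtoken::service_token_roles when` `# service token validation is enabled.` would make that coupling explicit. The parameter default and the `roles => $roles` pass-through in the two later hunks of this file are consistent with the doc, so this is a documentation point only.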
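Review bot: The `[*service_token_roles*]` text does not say whether the list is enforced on its own or only when `service_token_roles_required` is set, while the `[*service_token_roles_required*]` entry directly below describes that flag as what makes service tokens be "compared against a list of possible roles", and the spec change in this commit sets the two together. If that reading is right, a line such as `# Only enforced when service_token_roles_required is true.` after `(list value)` would stop operators from assuming the role list alone restricts who may present a service token. The remaining wording is upstream's and can stay as is.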
@@ -219,6 +229,7 @@ class nova::keystone::authtoken(
 $manage_memcache_package = false,
 $region_name = $::os_service_default,
 $token_cache_time = $::os_service_default,
+ $service_token_roles = $::os_service_default,
 $service_token_roles_required = $::os_service_default,
 # DEPRECATED PARAMETERS
 $check_revocations_for_cached = undef,
@@ -272,6 +283,7 @@ class nova::keystone::authtoken(
 manage_memcache_package => $manage_memcache_package,
 region_name => $region_name,
 token_cache_time => $token_cache_time,
+ service_token_roles => $service_token_roles,
 service_token_roles_required => $service_token_roles_required,
 }
 }
diff --git a/releasenotes/notes/keystone_authtoken-service_token_roles-12dbba5484efb7c6.yaml b/releasenotes/notes/keystone_authtoken-service_token_roles-12dbba5484efb7c6.yaml
new file mode 100644
index 000000000..70fd83d72
--- /dev/null
+++ b/releasenotes/notes/keystone_authtoken-service_token_roles-12dbba5484efb7c6.yaml
@@ -0,0 +1,9 @@
+---
+features:
+ - |
+ New hieradata, nova::keystone::authtoken::service_token_roles, is
+ introduced so that specific role can be assigned to the service user
+ who can use service token feature.
+ - |
+ New hieradata, nova::keystone::roles is introduced to configure customized
+ role for nova user in keystone identity.
diff --git a/spec/classes/nova_keystone_auth_spec.rb b/spec/classes/nova_keystone_auth_spec.rb
index 6b282b596..7c2e9d4a7 100644
--- a/spec/classes/nova_keystone_auth_spec.rb
+++ b/spec/classes/nova_keystone_auth_spec.rb
@@ -46,9 +46,20 @@ describe 'nova::keystone::auth' do
 )}
 end
+ context 'when overriding roles' do
+ before do
+ params.merge!( :roles => ['admin', 'service'] )
+ end
+
+ it { should contain_keystone_user_role('nova@services').with(
+ :ensure => 'present',
+ :roles => ['admin', 'service']
+ )}
+ end
+
 context 'when setting auth name' do
 before do
- params.merge!( :auth_name => 'foo' )
+ params.merge!( :auth_name => 'foo' )
 end
 it { should contain_keystone_user('foo').with(
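Review bot: The `- params.merge!( :auth_name => 'foo' )` / `+ params.merge!( :auth_name => 'foo' )` pair at the end of the nova_keystone_auth_spec.rb hunk changes only whitespace in an unrelated context and should be dropped from this commit so the diff stays limited to the `roles` feature. The new 'when overriding roles' context asserts that `keystone_user_role('nova@services')` receives the override, which is the right resource to check; a matching assertion that the default yields `['admin']` presumably belongs in the default context just above, if it is not already there. The enclosing `describe` block starts and ends outside the hunk.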
diff --git a/spec/classes/nova_keystone_authtoken_spec.rb b/spec/classes/nova_keystone_authtoken_spec.rb
index 82d05d61e..933f0a070 100644
--- a/spec/classes/nova_keystone_authtoken_spec.rb
+++ b/spec/classes/nova_keystone_authtoken_spec.rb
@@ -42,6 +42,7 @@ describe 'nova::keystone::authtoken' do
 is_expected.to contain_nova_config('keystone_authtoken/memcached_servers').with_value('')
 is_expected.to contain_nova_config('keystone_authtoken/region_name').with_value('')
 is_expected.to contain_nova_config('keystone_authtoken/token_cache_time').with_value('')
+ is_expected.to contain_nova_config('keystone_authtoken/service_token_roles').with_value('')
 is_expected.to contain_nova_config('keystone_authtoken/service_token_roles_required').with_value('')
 end
 end
@@ -83,7 +84,8 @@ describe 'nova::keystone::authtoken' do
 :manage_memcache_package => true,
 :region_name => 'region2',
 :token_cache_time => '301',
- :service_token_roles_required => false,
+ :service_token_roles => ['service'],
+ :service_token_roles_required => true,
 })
 end
@@ -119,6 +121,7 @@ describe 'nova::keystone::authtoken' do
 is_expected.to contain_nova_config('keystone_authtoken/memcached_servers').with_value('memcached01:11211,memcached02:11211')
 is_expected.to contain_nova_config('keystone_authtoken/region_name').with_value(params[:region_name])
 is_expected.to contain_nova_config('keystone_authtoken/token_cache_time').with_value(params[:token_cache_time])
+ is_expected.to contain_nova_config('keystone_authtoken/service_token_roles').with_value(params[:service_token_roles])
 is_expected.to contain_nova_config('keystone_authtoken/service_token_roles_required').with_value(params[:service_token_roles_required])
 end
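Review bot: Changing `:service_token_roles_required => false` to `true` in the override hunk (`@@ -83,7 +84,8 @@`) leaves no test that an explicit `false` is written through to `keystone_authtoken/service_token_roles_required`; the default context in the first hunk only covers the unset ('') case. Keeping the override at `false` and adding `:service_token_roles => ['service']` alongside it would exercise the new parameter without losing that case, or a separate context could cover the `true` pairing the release note describes. The parameter hash and the enclosing `describe` block continue outside the hunk.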