Customize roles assigned to nova user

This patch introduces a new hieradata key, nova::keystone::auth::roles,
to configure the roles assigned to the nova service user.

This is required to configure the service token feature, which requires
that a specific role be assigned to any user that sends a service token.

Change-Id: I00021bac80d09258bf1c1c040adb835b4294df19
Takashi Kajinami 2019-06-25 08:55:12 +09:00
parent f834cc4495
commit d6d55616a0
5 changed files with 43 additions and 2 deletions


@ -39,6 +39,10 @@
# (Optional) The tenant to use for the nova service user
# Defaults to 'services'
#
# [*roles*]
# (Optional) List of roles assigned to the nova service user
# Defaults to ['admin']
#
# [*email*]
# (Optional) The email address for the nova service user
# Defaults to 'nova@localhost'
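Review bot: The `[*roles*]` entry added to the class documentation says what the parameter is but not why an operator would change it, even though the commit exists so that the role checked by `nova::keystone::authtoken::service_token_roles` (typically `service`) can be granted to the nova user. I would extend the entry with `#   The service token feature only honours tokens from users holding a role listed in nova::keystone::authtoken::service_token_roles (usually 'service'), so add that role here when enabling it; dropping 'admin' from the list changes what the nova service user may do in keystone.` The release note in this commit refers to the parameter as `nova::keystone::roles`, while the class is `nova::keystone::auth`, so that name should read `nova::keystone::auth::roles`. The resource declaration that receives `roles` in the later hunk starts outside the hunk, so whether it applies any type check on the value could not be confirmed here.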
@ -62,6 +66,7 @@ class nova::keystone::auth(
$service_description = 'Openstack Compute Service',
$region = 'RegionOne',
$tenant = 'services',
$roles = ['admin'],
$email = 'nova@localhost',
$public_url = 'http://127.0.0.1:8774/v2.1',
$internal_url = 'http://127.0.0.1:8774/v2.1',
@ -90,6 +95,7 @@ class nova::keystone::auth(
password => $password,
email => $email,
tenant => $tenant,
roles => $roles,
public_url => $public_url,
admin_url => $admin_url,
internal_url => $internal_url,


@ -161,6 +161,16 @@
# (in seconds). Set to -1 to disable caching completely. Integer value
# Defaults to $::os_service_default.
#
# [*service_token_roles*]
# (Optional) A choice of roles that must be present in a service token.
# Service tokens are allowed to request that an expired token
# can be used and so this check should tightly control that
# only actual services should be sending this token. Roles
# here are applied as an ANY check so any role in this list
# must be present. For backwards compatibility reasons this
# currently only affects the allow_expired check. (list value)
# Defaults to $::os_service_default.
#
# [*service_token_roles_required*]
# (optional) backwards compatibility to ensure that the service tokens are
# compared against a list of possible roles for validity
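Review bot: The `service_token_roles` description in this hunk stresses that the list should tightly control which callers may send a service token, but it does not say that, as far as I recall from keystonemiddleware, the list is only enforced when `service_token_roles_required` is true and a service token lacking the roles is otherwise still accepted with a warning. An operator who sets only `service_token_roles` (both parameters default to `$::os_service_default` in the later hunk) would reasonably assume the check is active when it may not be. I would add after the default line: `#   NOTE: this list is only enforced when service_token_roles_required is true; with the default, a service token missing these roles may still be accepted.` The `service_token_roles_required` description continues past the end of the hunk, so its wording could not be checked here.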
@ -219,6 +229,7 @@ class nova::keystone::authtoken(
$manage_memcache_package = false,
$region_name = $::os_service_default,
$token_cache_time = $::os_service_default,
$service_token_roles = $::os_service_default,
$service_token_roles_required = $::os_service_default,
# DEPRECATED PARAMETERS
$check_revocations_for_cached = undef,
@ -272,6 +283,7 @@ class nova::keystone::authtoken(
manage_memcache_package => $manage_memcache_package,
region_name => $region_name,
token_cache_time => $token_cache_time,
service_token_roles => $service_token_roles,
service_token_roles_required => $service_token_roles_required,
}
}


@ -0,0 +1,9 @@
---
features:
- |
New hieradata, nova::keystone::authtoken::service_token_roles, is
introduced so that specific role can be assigned to the service user
who can use service token feature.
- |
New hieradata, nova::keystone::roles is introduced to configure customized
role for nova user in keystone identity.


@ -46,9 +46,20 @@ describe 'nova::keystone::auth' do
)}
end
context 'when overriding roles' do
before do
params.merge!( :roles => ['admin', 'service'] )
end
it { should contain_keystone_user_role('nova@services').with(
:ensure => 'present',
:roles => ['admin', 'service']
)}
end
context 'when setting auth name' do
before do
params.merge!( :auth_name => 'foo' )
params.merge!( :auth_name => 'foo' )
end
it { should contain_keystone_user('foo').with(
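Review bot: The new 'when overriding roles' context only asserts that an explicit `roles` value is passed through to `keystone_user_role`; nothing in the hunk pins the default `['admin']`, so a later change to the default would go unnoticed unless the default-parameters context above the hunk (outside this view) already checks it. If it does not, add `it { should contain_keystone_user_role('nova@services').with(:roles => ['admin']) }` there. The `params.merge!( :auth_name => 'foo' )` line appears twice in the trailing context, which from the diffstat's second deletion looks like a whitespace-only rewrite rather than a real duplicate; worth confirming in the raw diff. The `contain_keystone_user('foo')` expectation continues past the end of the hunk.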


@ -42,6 +42,7 @@ describe 'nova::keystone::authtoken' do
is_expected.to contain_nova_config('keystone_authtoken/memcached_servers').with_value('<SERVICE DEFAULT>')
is_expected.to contain_nova_config('keystone_authtoken/region_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_nova_config('keystone_authtoken/token_cache_time').with_value('<SERVICE DEFAULT>')
is_expected.to contain_nova_config('keystone_authtoken/service_token_roles').with_value('<SERVICE DEFAULT>')
is_expected.to contain_nova_config('keystone_authtoken/service_token_roles_required').with_value('<SERVICE DEFAULT>')
end
end
@ -83,7 +84,8 @@ describe 'nova::keystone::authtoken' do
:manage_memcache_package => true,
:region_name => 'region2',
:token_cache_time => '301',
:service_token_roles_required => false,
:service_token_roles => ['service'],
:service_token_roles_required => true,
})
end
@ -119,6 +121,7 @@ describe 'nova::keystone::authtoken' do
is_expected.to contain_nova_config('keystone_authtoken/memcached_servers').with_value('memcached01:11211,memcached02:11211')
is_expected.to contain_nova_config('keystone_authtoken/region_name').with_value(params[:region_name])
is_expected.to contain_nova_config('keystone_authtoken/token_cache_time').with_value(params[:token_cache_time])
is_expected.to contain_nova_config('keystone_authtoken/service_token_roles').with_value(params[:service_token_roles])
is_expected.to contain_nova_config('keystone_authtoken/service_token_roles_required').with_value(params[:service_token_roles_required])
end