novajoin: Accept system scope credentials for Keystone API request
This change is the first step to support secure RBAC and allows usage of system scope credentials for Keystone API request. This change covers the following two items. - assignment of system scope roles to system user - credential parameters for authtoken middleware Depends-on: https://review.opendev.org/804325 Change-Id: Id1e235f792e1690454874718d6e83e7ff4ff313b
This commit is contained in:
Takashi Kajinami
parent
228e3aa77b
commit
e082614f11
|
|
@ -43,6 +43,18 @@
|
|||
# (optional) The tenant to use for the novajoin service user
|
||||
# Defaults to 'services'
|
||||
#
|
||||
# [*roles*]
|
||||
# (Optional) List of roles assigned to the nova service user
|
||||
# Defaults to ['admin']
|
||||
#
|
||||
# [*system_scope*]
|
||||
# Scope for system operations
|
||||
# string; optional: default to 'all'
|
||||
#
|
||||
# [*system_roles*]
|
||||
# List of system roles;
|
||||
# string; optional: default to []
|
||||
#
|
||||
# [*email*]
|
||||
# (optional) The email address for the novajoin service user
|
||||
# Defaults to 'novajoin@localhost'
|
||||
|
|
@ -67,6 +79,9 @@ class nova::metadata::novajoin::auth(
|
|||
$service_description = 'Novajoin vendordata plugin',
|
||||
$region = 'RegionOne',
|
||||
$tenant = 'services',
|
||||
$roles = ['admin'],
|
||||
$system_scope = 'all',
|
||||
$system_roles = [],
|
||||
$email = 'novajoin@localhost',
|
||||
$public_url = 'http://127.0.0.1:9090',
|
||||
$internal_url = 'http://127.0.0.1:9090',
|
||||
|
|
@ -93,6 +108,9 @@ class nova::metadata::novajoin::auth(
|
|||
password => $password,
|
||||
email => $email,
|
||||
tenant => $tenant,
|
||||
roles => $roles,
|
||||
system_scope => $system_scope,
|
||||
system_roles => $system_roles,
|
||||
public_url => $public_url,
|
||||
admin_url => $admin_url,
|
||||
internal_url => $internal_url,
|
||||
|
|
|
|||
|
|
@ -28,6 +28,10 @@
|
|||
# (Optional) Name of domain for $project_domain_name
|
||||
# Defaults to 'Default'
|
||||
#
|
||||
# [*system_scope*]
|
||||
# (Optional) Scope for system operations
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*insecure*]
|
||||
# (Optional) If true, explicitly allow TLS without checking server cert
|
||||
# against any certificate authorities. WARNING: not recommended. Use with
|
||||
|
|
@ -198,6 +202,7 @@ class nova::metadata::novajoin::authtoken(
|
|||
$project_name = 'services',
|
||||
$user_domain_name = 'Default',
|
||||
$project_domain_name = 'Default',
|
||||
$system_scope = $::os_service_default,
|
||||
$insecure = $::os_service_default,
|
||||
$auth_section = $::os_service_default,
|
||||
$auth_type = 'password',
|
||||
|
|
@ -251,6 +256,7 @@ class nova::metadata::novajoin::authtoken(
|
|||
auth_section => $auth_section,
|
||||
user_domain_name => $user_domain_name,
|
||||
project_domain_name => $project_domain_name,
|
||||
system_scope => $system_scope,
|
||||
insecure => $insecure,
|
||||
cache => $cache,
|
||||
cafile => $cafile,
|
||||
|
|
|
|||
|
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
features:
|
||||
- |
|
||||
The ``system_scope`` parameter has been added to
|
||||
the ``nova::metadata::novajoin::authtoken`` class.
|
||||
|
||||
- |
|
||||
The ``nova::metadata::novajoin::auth`` class now supports customizing roles
|
||||
assigned to the novajoin service user.
|
||||
|
||||
- |
|
||||
The ``nova::metadata::novajoinkeystone::auth`` class now supports defining
|
||||
assignmet of system-scoped roles to the novajoin service user.
|
||||
|
|
@ -23,6 +23,9 @@ describe 'nova::metadata::novajoin::auth' do
|
|||
:password => 'novajoin_password',
|
||||
:email => 'novajoin@localhost',
|
||||
:tenant => 'services',
|
||||
:roles => ['admin'],
|
||||
:system_scope => 'all',
|
||||
:system_roles => [],
|
||||
:public_url => 'http://127.0.0.1:9090',
|
||||
:internal_url => 'http://127.0.0.1:9090',
|
||||
:admin_url => 'http://127.0.0.1:9090',
|
||||
|
|
@ -42,6 +45,9 @@ describe 'nova::metadata::novajoin::auth' do
|
|||
:service_name => 'alt_service',
|
||||
:service_type => 'alt_compute-vendordata-plugin',
|
||||
:region => 'RegionTwo',
|
||||
:roles => ['admin', 'service'],
|
||||
:system_scope => 'alt_all',
|
||||
:system_roles => ['admin', 'member', 'reader'],
|
||||
:public_url => 'https://10.10.10.10:80',
|
||||
:internal_url => 'http://10.10.10.11:81',
|
||||
:admin_url => 'http://10.10.10.12:81' }
|
||||
|
|
@ -59,6 +65,9 @@ describe 'nova::metadata::novajoin::auth' do
|
|||
:password => 'novajoin_password',
|
||||
:email => 'alt_novajoin@alt_localhost',
|
||||
:tenant => 'alt_service',
|
||||
:roles => ['admin', 'service'],
|
||||
:system_scope => 'alt_all',
|
||||
:system_roles => ['admin', 'member', 'reader'],
|
||||
:public_url => 'https://10.10.10.10:80',
|
||||
:internal_url => 'http://10.10.10.11:81',
|
||||
:admin_url => 'http://10.10.10.12:81',
|
||||
|
|
|
|||
|
|
@ -18,6 +18,7 @@ describe 'nova::metadata::novajoin::authtoken' do
|
|||
:project_name => 'services',
|
||||
:user_domain_name => 'Default',
|
||||
:project_domain_name => 'Default',
|
||||
:system_scope => '<SERVICE DEFAULT>',
|
||||
:insecure => '<SERVICE DEFAULT>',
|
||||
:auth_section => '<SERVICE DEFAULT>',
|
||||
:auth_type => 'password',
|
||||
|
|
@ -62,6 +63,7 @@ describe 'nova::metadata::novajoin::authtoken' do
|
|||
:project_name => 'service_project',
|
||||
:user_domain_name => 'domainX',
|
||||
:project_domain_name => 'domainX',
|
||||
:system_scope => 'all',
|
||||
:insecure => false,
|
||||
:auth_section => 'new_section',
|
||||
:auth_type => 'password',
|
||||
|
|
@ -103,6 +105,7 @@ describe 'nova::metadata::novajoin::authtoken' do
|
|||
:project_name => 'service_project',
|
||||
:user_domain_name => 'domainX',
|
||||
:project_domain_name => 'domainX',
|
||||
:system_scope => 'all',
|
||||
:insecure => false,
|
||||
:auth_section => 'new_section',
|
||||
:auth_type => 'password',
|
||||
|
|
|
|||
Loading…
Reference in New Issue