Accept system scope credential for Neutron API request
Currently Nova uses the user credential in the [neutron] section to update the port binding/migration profile or to get the resource_request of ports, but these APIs are available for system admin/reader when SRBAC is enforced. This change allows the use of a system-scoped credential instead of a project-scoped one. Change-Id: Id1b4e324c8a46a8951f9e37203eb74a5602700e5
parent
228e3aa77b
commit
f4271788b4
|
@ -22,6 +22,10 @@
|
|||
# admin context through the OpenStack Identity service.
|
||||
# Defaults to 'Default'
|
||||
#
|
||||
# [*system_scope*]
|
||||
# (Optional) Scope for system operations
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*username*]
|
||||
# (optional) Username for connecting to Neutron network services in admin context
|
||||
# through the OpenStack Identity service.
|
||||
|
@ -93,6 +97,7 @@ class nova::network::neutron (
|
|||
$auth_type = 'v3password',
|
||||
$project_name = 'services',
|
||||
$project_domain_name = 'Default',
|
||||
$system_scope = $::os_service_default,
|
||||
$username = 'neutron',
|
||||
$user_domain_name = 'Default',
|
||||
$auth_url = 'http://127.0.0.1:5000/v3',
|
||||
|
@ -111,13 +116,22 @@ class nova::network::neutron (
|
|||
|
||||
include nova::deps
|
||||
|
||||
if is_service_default($system_scope) {
|
||||
$project_name_real = $project_name
|
||||
$project_domain_name_real = $project_domain_name
|
||||
} else {
|
||||
$project_name_real = $::os_service_default
|
||||
$project_domain_name_real = $::os_service_default
|
||||
}
|
||||
|
||||
nova_config {
|
||||
'DEFAULT/vif_plugging_is_fatal': value => $vif_plugging_is_fatal;
|
||||
'DEFAULT/vif_plugging_timeout': value => $vif_plugging_timeout;
|
||||
'neutron/default_floating_pool': value => $default_floating_pool;
|
||||
'neutron/timeout': value => $timeout;
|
||||
'neutron/project_name': value => $project_name;
|
||||
'neutron/project_domain_name': value => $project_domain_name;
|
||||
'neutron/project_name': value => $project_name_real;
|
||||
'neutron/project_domain_name': value => $project_domain_name_real;
|
||||
'neutron/system_scope': value => $system_scope;
|
||||
'neutron/region_name': value => $region_name;
|
||||
'neutron/username': value => $username;
|
||||
'neutron/user_domain_name': value => $user_domain_name;
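Review bot: The `system_scope` doc entry added at the top of the class (`# (Optional) Scope for system operations`) does not say that setting it makes the new `if is_service_default($system_scope)` block write `$::os_service_default` to `neutron/project_name` and `neutron/project_domain_name`, so explicitly passed project values are dropped without notice. Because `project_name` defaults to 'services', an operator cannot tell from the docs that the credential moves from project scope to the wider system scope. I would document it, for example `# (Optional) Scope for system operations. When set (e.g. 'all'), project_name and project_domain_name are ignored and the credential is system-scoped.` The class body continues outside the hunk, so whether the value is validated elsewhere is not visible; if it is not, restricting it to the values Keystone accepts (presumably only 'all', the value the spec uses) would catch typos at catalog compile time.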
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
features:
|
||||
- |
|
||||
The new ``system_scope`` parameter has been added to
|
||||
the ``nova::network::neutron`` class.
|
|
@ -7,6 +7,7 @@ describe 'nova::network::neutron' do
|
|||
:timeout => '30',
|
||||
:project_name => 'services',
|
||||
:project_domain_name => 'Default',
|
||||
:system_scope => '<SERVICE DEFAULT>',
|
||||
:region_name => 'RegionOne',
|
||||
:username => 'neutron',
|
||||
:user_domain_name => 'Default',
|
||||
|
@ -38,6 +39,7 @@ describe 'nova::network::neutron' do
|
|||
should contain_nova_config('neutron/timeout').with_value(default_params[:timeout])
|
||||
should contain_nova_config('neutron/project_name').with_value(default_params[:project_name])
|
||||
should contain_nova_config('neutron/project_domain_name').with_value(default_params[:project_domain_name])
|
||||
should contain_nova_config('neutron/system_scope').with_value(default_params[:system_scope])
|
||||
should contain_nova_config('neutron/region_name').with_value(default_params[:region_name])
|
||||
should contain_nova_config('neutron/username').with_value(default_params[:username])
|
||||
should contain_nova_config('neutron/user_domain_name').with_value(default_params[:user_domain_name])
|
||||
|
@ -84,6 +86,7 @@ describe 'nova::network::neutron' do
|
|||
should contain_nova_config('neutron/timeout').with_value(params[:timeout])
|
||||
should contain_nova_config('neutron/project_name').with_value(params[:project_name])
|
||||
should contain_nova_config('neutron/project_domain_name').with_value(params[:project_domain_name])
|
||||
should contain_nova_config('neutron/system_scope').with_value(default_params[:system_scope])
|
||||
should contain_nova_config('neutron/region_name').with_value(params[:region_name])
|
||||
should contain_nova_config('neutron/username').with_value(params[:username])
|
||||
should contain_nova_config('neutron/user_domain_name').with_value(params[:user_domain_name])
|
||||
|
@ -112,6 +115,19 @@ describe 'nova::network::neutron' do
|
|||
is_expected.to contain_nova_config('neutron/valid_interfaces').with_value('internal,public')
|
||||
end
|
||||
end
|
||||
|
||||
context 'when system_scope is set' do
|
||||
before do
|
||||
params.merge!(
|
||||
:system_scope => 'all'
|
||||
)
|
||||
end
|
||||
it 'configures system-scoped credential' do
|
||||
should contain_nova_config('neutron/project_name').with_value('<SERVICE DEFAULT>')
|
||||
should contain_nova_config('neutron/project_domain_name').with_value('<SERVICE DEFAULT>')
|
||||
should contain_nova_config('neutron/system_scope').with_value('all')
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
on_supported_os({
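Review bot: The new 'when system_scope is set' context merges only `:system_scope => 'all'` into `params`, so the case the manifest change exists for, explicit project values being replaced by `<SERVICE DEFAULT>`, is covered only if `params` already carries them, which is not visible in this hunk. Passing them explicitly would pin the behaviour, e.g. `params.merge!(:system_scope => 'all', :project_name => 'services', :project_domain_name => 'Default')`. In the overriding-parameters hunk the added `neutron/system_scope` expectation reads `default_params[:system_scope]` while its neighbours read `params[...]`, presumably because that context does not set system_scope; a one-line comment saying so would explain the difference.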
|
||||
|
|