Accept system scope credential for Neutron API request

Currently Nova uses the user credential in [neutron] section to update port binding/migration profile or get resource_request of ports, but these APIs are available for system admin/reader when SRBAC is enforced. This change allows usage of system-scoped credential instead of project-scoped one. Change-Id: Id1b4e324c8a46a8951f9e37203eb74a5602700e5
2022-01-25 17:06:02 +09:00 · 2022-01-25 17:06:02 +09:00 · f4271788b4
parent 228e3aa77b
commit f4271788b4
3 changed files with 37 additions and 2 deletions
--- a/manifests/network/neutron.pp
+++ b/manifests/network/neutron.pp
@ -22,6 +22,10 @@
 #   admin context through the OpenStack Identity service.
 #   Defaults to 'Default'
 #
+# [*system_scope*]
+#   (Optional) Scope for system operations
+#   Defaults to $::os_service_default
+#
 # [*username*]
 #   (optional) Username for connecting to Neutron network services in admin context
 #   through the OpenStack Identity service.
@ -93,6 +97,7 @@ class nova::network::neutron (
  $auth_type               = 'v3password',
  $project_name            = 'services',
  $project_domain_name     = 'Default',
+  $system_scope            = $::os_service_default,
  $username                = 'neutron',
  $user_domain_name        = 'Default',
  $auth_url                = 'http://127.0.0.1:5000/v3',
@ -111,13 +116,22 @@ class nova::network::neutron (

  include nova::deps

+  if is_service_default($system_scope) {
+    $project_name_real = $project_name
+    $project_domain_name_real = $project_domain_name
+  } else {
+    $project_name_real = $::os_service_default
+    $project_domain_name_real = $::os_service_default
+  }
+
  nova_config {
    'DEFAULT/vif_plugging_is_fatal':   value => $vif_plugging_is_fatal;
    'DEFAULT/vif_plugging_timeout':    value => $vif_plugging_timeout;
    'neutron/default_floating_pool':   value => $default_floating_pool;
    'neutron/timeout':                 value => $timeout;
-    'neutron/project_name':            value => $project_name;
-    'neutron/project_domain_name':     value => $project_domain_name;
+    'neutron/project_name':            value => $project_name_real;
+    'neutron/project_domain_name':     value => $project_domain_name_real;
+    'neutron/system_scope':            value => $system_scope;
    'neutron/region_name':             value => $region_name;
    'neutron/username':                value => $username;
    'neutron/user_domain_name':        value => $user_domain_name;
--- a/releasenotes/notes/system_scope-neutron-6d5421393cbf7759.yaml
+++ b/releasenotes/notes/system_scope-neutron-6d5421393cbf7759.yaml
@ -0,0 +1,5 @@
+---
+features:
+  - |
+    The new ``system_scope`` parameter has been added to
+    the ``nova::network::neutron`` class.
--- a/spec/classes/nova_network_neutron_spec.rb
+++ b/spec/classes/nova_network_neutron_spec.rb
@ -7,6 +7,7 @@ describe 'nova::network::neutron' do
      :timeout                 => '30',
      :project_name            => 'services',
      :project_domain_name     => 'Default',
+      :system_scope            => '<SERVICE DEFAULT>',
      :region_name             => 'RegionOne',
      :username                => 'neutron',
      :user_domain_name        => 'Default',
@ -38,6 +39,7 @@ describe 'nova::network::neutron' do
        should contain_nova_config('neutron/timeout').with_value(default_params[:timeout])
        should contain_nova_config('neutron/project_name').with_value(default_params[:project_name])
        should contain_nova_config('neutron/project_domain_name').with_value(default_params[:project_domain_name])
+        should contain_nova_config('neutron/system_scope').with_value(default_params[:system_scope])
        should contain_nova_config('neutron/region_name').with_value(default_params[:region_name])
        should contain_nova_config('neutron/username').with_value(default_params[:username])
        should contain_nova_config('neutron/user_domain_name').with_value(default_params[:user_domain_name])
@ -84,6 +86,7 @@ describe 'nova::network::neutron' do
        should contain_nova_config('neutron/timeout').with_value(params[:timeout])
        should contain_nova_config('neutron/project_name').with_value(params[:project_name])
        should contain_nova_config('neutron/project_domain_name').with_value(params[:project_domain_name])
+        should contain_nova_config('neutron/system_scope').with_value(default_params[:system_scope])
        should contain_nova_config('neutron/region_name').with_value(params[:region_name])
        should contain_nova_config('neutron/username').with_value(params[:username])
        should contain_nova_config('neutron/user_domain_name').with_value(params[:user_domain_name])
@ -112,6 +115,19 @@ describe 'nova::network::neutron' do
        is_expected.to contain_nova_config('neutron/valid_interfaces').with_value('internal,public')
      end
    end
+
+    context 'when system_scope is set' do
+      before do
+        params.merge!(
+          :system_scope => 'all'
+        )
+      end
+      it 'configures system-scoped credential' do
+        should contain_nova_config('neutron/project_name').with_value('<SERVICE DEFAULT>')
+        should contain_nova_config('neutron/project_domain_name').with_value('<SERVICE DEFAULT>')
+        should contain_nova_config('neutron/system_scope').with_value('all')
+      end
+    end
  end

  on_supported_os({