48cd95a59b
After spending huge effort to understand the exact requirements to enforce SRBAC, we learned it's very difficult to find the required scope in each credential. This requires understanding implementation of client-side as well as server-side, and requirement might be different according to the deployment architecture or features used. Instead of implementing support based on the actual implementation, this introduces support for system scope credentials to all places where keystone user credential is defined, and make all credential configurations consistent. Change-Id: I99eb7f368d68e393685041d20cd9adfb8f10eecb
189 lines
7.8 KiB
Ruby
189 lines
7.8 KiB
Ruby
require 'spec_helper'
|
|
|
|
describe 'nova::metadata::novajoin::api' do
|
|
let :default_params do
|
|
{
|
|
:bind_address => '127.0.0.1',
|
|
:api_paste_config => '/etc/novajoin/join-api-paste.ini',
|
|
:auth_strategy => '<SERVICE DEFAULT>',
|
|
:auth_type => 'password',
|
|
:cacert => '/etc/ipa/ca.crt',
|
|
:connect_retries => '<SERVICE DEFAULT>',
|
|
:debug => '<SERVICE DEFAULT>',
|
|
:enabled => true,
|
|
:enable_ipa_client_install => true,
|
|
:ensure_package => 'present',
|
|
:join_listen_port => '<SERVICE DEFAULT>',
|
|
:keytab => '/etc/novajoin/krb5.keytab',
|
|
:log_dir => '/var/log/novajoin',
|
|
:username => 'novajoin',
|
|
:project_domain_name => 'Default',
|
|
:project_name => 'services',
|
|
:user_domain_name => 'Default',
|
|
:ipa_domain => 'EXAMPLE.COM',
|
|
:keystone_auth_url => 'https://keystone.example.com:5000',
|
|
:password => 'my_secret_password',
|
|
:transport_url => 'rabbit:rabbit_pass@rabbit_host',
|
|
}
|
|
end
|
|
|
|
let :pre_condition do
|
|
"class { 'ipaclient': password => 'join_otp', }
|
|
class { 'nova::metadata::novajoin::authtoken':
|
|
password => 'passw0rd',
|
|
}"
|
|
end
|
|
|
|
shared_examples 'nova::metadata::novajoin::api' do
|
|
[{},
|
|
{
|
|
:bind_address => '0.0.0.0',
|
|
:api_paste_config => '/etc/novajoin/join-api-paste.ini',
|
|
:auth_strategy => 'noauth2',
|
|
:auth_type => 'password',
|
|
:cacert => '/etc/ipa/ca.crt',
|
|
:connect_retries => 2,
|
|
:debug => true,
|
|
:enabled => false,
|
|
:enable_ipa_client_install => false,
|
|
:ensure_package => 'present',
|
|
:join_listen_port => '9921',
|
|
:keytab => '/etc/krb5.conf',
|
|
:log_dir => '/var/log/novajoin',
|
|
:username => 'novajoin1',
|
|
:project_domain_name => 'Default',
|
|
:project_name => 'services',
|
|
:user_domain_name => 'Default',
|
|
:ipa_domain => 'EXAMPLE2.COM',
|
|
:keystone_auth_url => 'https://keystone2.example.com:5000',
|
|
:password => 'my_secret_password2',
|
|
:transport_url => 'rabbit:rabbit_pass2@rabbit_host',
|
|
}
|
|
].each do |param_set|
|
|
context "when #{param_set == {} ? "using default" : "specifying"} class parameters" do
|
|
let :param_hash do
|
|
default_params.merge(param_set)
|
|
end
|
|
|
|
let :params do
|
|
param_hash
|
|
end
|
|
|
|
it { should contain_class('nova::metadata::novajoin::authtoken') }
|
|
|
|
it { should contain_service('novajoin-server').with(
|
|
'ensure' => param_hash[:enabled] ? 'running': 'stopped',
|
|
'enable' => param_hash[:enabled],
|
|
'hasstatus' => true,
|
|
'hasrestart' => true,
|
|
'tag' => 'openstack',
|
|
)}
|
|
|
|
it { should contain_service('novajoin-notify').with(
|
|
'ensure' => param_hash[:enabled] ? 'running': 'stopped',
|
|
'enable' => param_hash[:enabled],
|
|
'hasstatus' => true,
|
|
'hasrestart' => true,
|
|
'tag' => 'openstack',
|
|
)}
|
|
|
|
it {
|
|
should contain_novajoin_config('DEFAULT/join_listen').with_value(param_hash[:bind_address])
|
|
should contain_novajoin_config('DEFAULT/api_paste_config').with_value(param_hash[:api_paste_config])
|
|
should contain_novajoin_config('DEFAULT/auth_strategy').with_value(param_hash[:auth_strategy])
|
|
should contain_novajoin_config('DEFAULT/cacert').with_value(param_hash[:cacert])
|
|
should contain_novajoin_config('DEFAULT/connect_retries').with_value(param_hash[:connect_retries])
|
|
should contain_novajoin_config('DEFAULT/debug').with_value(param_hash[:debug])
|
|
should contain_novajoin_config('DEFAULT/join_listen_port').with_value(param_hash[:join_listen_port])
|
|
should contain_novajoin_config('DEFAULT/keytab').with_value(param_hash[:keytab])
|
|
should contain_novajoin_config('DEFAULT/log_dir').with_value(param_hash[:log_dir])
|
|
should contain_novajoin_config('DEFAULT/domain').with_value(param_hash[:ipa_domain])
|
|
should contain_novajoin_config('DEFAULT/transport_url').with_value(param_hash[:transport_url])
|
|
}
|
|
|
|
it {
|
|
should contain_novajoin_config('service_credentials/auth_type').with_value(param_hash[:auth_type])
|
|
should contain_novajoin_config('service_credentials/auth_url').with_value(param_hash[:keystone_auth_url])
|
|
should contain_novajoin_config('service_credentials/password').with_value(param_hash[:password])
|
|
should contain_novajoin_config('service_credentials/project_name').with_value(param_hash[:project_name])
|
|
should contain_novajoin_config('service_credentials/system_scope').with_value('<SERVICE DEFAULT>')
|
|
should contain_novajoin_config('service_credentials/user_domain_name').with_value(param_hash[:user_domain_name])
|
|
should contain_novajoin_config('service_credentials/project_domain_name').with_value(param_hash[:project_domain_name])
|
|
should contain_novajoin_config('service_credentials/username').with_value(param_hash[:username])
|
|
}
|
|
|
|
it {
|
|
if param_hash[:enable_ipa_client_install]
|
|
should contain_exec('get-service-user-keytab').with(
|
|
'command' => "/usr/bin/kinit -kt /etc/krb5.keytab && ipa-getkeytab -s `grep xmlrpc_uri /etc/ipa/default.conf | cut -d/ -f3` \
|
|
-p nova/undercloud.example.com -k #{param_hash[:keytab]}",
|
|
)
|
|
else
|
|
should contain_exec('get-service-user-keytab').with(
|
|
'command' => "/usr/bin/kinit -kt /etc/krb5.keytab && ipa-getkeytab -s ipa.ipadomain \
|
|
-p nova/undercloud.example.com -k #{param_hash[:keytab]}",
|
|
)
|
|
end
|
|
}
|
|
|
|
it { should contain_file("/var/log/novajoin").with(
|
|
'ensure' => 'directory',
|
|
'owner' => "#{param_hash[:username]}",
|
|
'group' => "#{param_hash[:username]}",
|
|
'recurse' => true
|
|
)}
|
|
|
|
it { should contain_file("#{param_hash[:keytab]}").with(
|
|
'owner' => "#{param_hash[:username]}",
|
|
'require' => 'Exec[get-service-user-keytab]',
|
|
)}
|
|
end
|
|
end
|
|
|
|
context 'with disabled service managing' do
|
|
let :params do
|
|
{
|
|
:manage_service => false,
|
|
:ipa_domain => 'EXAMPLE.COM',
|
|
:password => 'my_secret_password',
|
|
:transport_url => 'rabbit:rabbit_pass@rabbit_host',
|
|
}
|
|
end
|
|
|
|
it { should_not contain_service('novajoin-server') }
|
|
|
|
it { should_not contain_service('novajoin-notify') }
|
|
end
|
|
end
|
|
|
|
shared_examples 'nova::metadata::novajoin::api on RedHat' do
|
|
let :params do
|
|
default_params
|
|
end
|
|
|
|
it { should contain_package('python-novajoin').with(
|
|
:name => platform_params[:novajoin_package_name],
|
|
:tag => ['openstack', 'novajoin-package'],
|
|
)}
|
|
end
|
|
|
|
on_supported_os({
|
|
:supported_os => OSDefaults.get_supported_os
|
|
}).each do |os,facts|
|
|
context "on #{os}" do
|
|
let (:facts) do
|
|
facts.merge!(OSDefaults.get_facts({ :ipa_hostname => 'ipa.ipadomain',
|
|
:fqdn => "undercloud.example.com" }))
|
|
end
|
|
|
|
if facts[:osfamily] == 'RedHat'
|
|
it_behaves_like 'nova::metadata::novajoin::api'
|
|
it_behaves_like 'nova::metadata::novajoin::api on RedHat'
|
|
let (:platform_params) do
|
|
{ :novajoin_package_name => 'python3-novajoin' }
|
|
end
|
|
end
|
|
end
|
|
end
|
|
end
|