From c748dc5e7bf20b2eb4f790b2cd94b74d7d9bbb66 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Thu, 25 Nov 2021 23:43:24 +0900
Subject: [PATCH] Accept system scope credentials for Keystone API request

This change is the first step to support secure RBAC and allows usage of system scope credentials for Keystone API request.

This change covers the following two items.
- assignment of system scope roles to system user
- credential parameters for authtoken middleware

Depends-on: https://review.opendev.org/804325
Change-Id: I94001758cbbbc348fff238f5c352202c7e283b2b
---
 manifests/keystone/auth.pp | 25 +++++++++++++++++++
 manifests/keystone/authtoken.pp | 6 +++++
 ...ystem_scope-keystone-dda7488fa52854e0.yaml | 13 ++++++++++
 spec/classes/octavia_keystone_auth_spec.rb | 9 +++++++
 .../octavia_keystone_authtoken_spec.rb | 3 +++
 5 files changed, 56 insertions(+)
 create mode 100644 releasenotes/notes/system_scope-keystone-dda7488fa52854e0.yaml
diff --git a/manifests/keystone/auth.pp b/manifests/keystone/auth.pp
index 827ece45..b516cb2a 100644
--- a/manifests/keystone/auth.pp
+++ b/manifests/keystone/auth.pp
@@ -19,6 +19,18 @@
 # (Optional) Tenant for octavia user.
 # Defaults to 'services'.
 #
+# [*roles*]
+# (Optional) List of roles assigned to octavia user.
+# Defaults to ['admin']
+#
+# [*system_scope*]
+# (Optional) Scope for system operations.
+# Defaults to 'all'
+#
+# [*system_roles*]
+# (Optional) List of system roles assigned to octavia user.
+# Defaults to []
+#
 # [*configure_endpoint*]
 # (Optional) Should octavia endpoint be configured?
 # Defaults to true.
@@ -67,6 +79,9 @@ class octavia::keystone::auth (
 $auth_name = 'octavia',
 $email = 'octavia@localhost',
 $tenant = 'services',
+ $roles = ['admin'],
+ $system_scope = 'all',
+ $system_roles = [],
 $configure_endpoint = true,
 $configure_user = true,
 $configure_user_role = true,
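Review bot: The new `[*system_roles*]` entry in the parameter docs of `manifests/keystone/auth.pp` does not say how these roles relate to `roles` or at which scope they are granted; `roles` is the project-scoped assignment on `$tenant` and `system_roles` the assignment at `$system_scope` (both handed to `keystone::resource::service_identity` further down), so they appear to be granted independently, and a deployer moving to secure RBAC needs to know that leaving `roles` at its `['admin']` default keeps the project-scoped admin assignment in place. Suggest expanding the entry to `# (Optional) List of roles assigned to octavia user at the system scope given by $system_scope, in addition to the project-scoped $roles.` The `[*system_scope*]` entry could likewise state that `'all'` is the only system scope Keystone defines, so the value is effectively a switch for the system-scoped assignment rather than a free-form string. The parameter list opened by `class octavia::keystone::auth (` in the second hunk on this line continues outside the hunk.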
@@ -81,6 +96,13 @@ class octavia::keystone::auth (
 include octavia::deps
+ Keystone_user_role<| name == "${auth_name}@${tenant}" |> -> Anchor['octavia::service::end']
+ Keystone_user_role<| name == "${auth_name}@::::${system_scope}" |> -> Anchor['octavia::service::end']
+
+ if $configure_endpoint {
+ Keystone_endpoint["${region}/${service_name}::${service_type}"] -> Anchor['octavia::service::end']
+ }
+
 keystone::resource::service_identity { 'octavia':
 configure_user => $configure_user,
 configure_user_role => $configure_user_role,
@@ -93,6 +115,9 @@ class octavia::keystone::auth (
 password => $password,
 email => $email,
 tenant => $tenant,
+ roles => $roles,
+ system_scope => $system_scope,
+ system_roles => $system_roles,
 public_url => $public_url,
 internal_url => $internal_url,
 admin_url => $admin_url,
diff --git a/manifests/keystone/authtoken.pp b/manifests/keystone/authtoken.pp
index 18e8c0e1..1facd1fa 100644
--- a/manifests/keystone/authtoken.pp
+++ b/manifests/keystone/authtoken.pp
@@ -27,6 +27,10 @@
 # (Optional) Name of domain for $project_name
 # Defaults to 'Default'
 #
+# [*system_scope*]
+# (Optional) Scope for system operations
+# Defaults to $::os_service_default
+#
 # [*insecure*]
 # (Optional) If true, explicitly allow TLS without checking server cert
 # against any certificate authorities. WARNING: not recommended. Use with
@@ -197,6 +201,7 @@ class octavia::keystone::authtoken(
 $project_name = 'services',
 $user_domain_name = 'Default',
 $project_domain_name = 'Default',
+ $system_scope = $::os_service_default,
 $insecure = $::os_service_default,
 $auth_section = $::os_service_default,
 $auth_type = 'password',
@@ -246,6 +251,7 @@ class octavia::keystone::authtoken(
 auth_section => $auth_section,
 user_domain_name => $user_domain_name,
 project_domain_name => $project_domain_name,
+ system_scope => $system_scope,
 insecure => $insecure,
 cache => $cache,
 cafile => $cafile,
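Review bot: The three new ordering constraints in `manifests/keystone/auth.pp` (the two `Keystone_user_role<| ... |>` collectors and the `Keystone_endpoint[...]` reference, all chained to `Anchor['octavia::service::end']`) carry no comment saying what they protect, and the collector titles hard-code the puppet-keystone title formats `user@tenant`, `user@::::system_scope` and `region/name::type`; a collector whose title does not match (for instance if the convention changes or the names are presumably domain-qualified) matches nothing and drops the ordering silently rather than failing catalog compilation. Suggest a comment above the first collector, e.g. `# Ensure the service user's role assignments (project and system scope) and the endpoint exist before the service is started, so its first Keystone-authenticated requests are not rejected; titles follow the puppet-keystone keystone_user_role / keystone_endpoint conventions.` The `${region}`, `${service_name}` and `${service_type}` parameters are declared outside the hunk, and the class body continues past the last line shown.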
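Review bot: The `[*system_scope*]` docstring added to `manifests/keystone/authtoken.pp` says only "Scope for system operations" and does not state how it interacts with `$project_name`/`$project_domain_name`, which the same class still passes to `keystone::resource::authtoken` in the last hunk; a Keystone token is either system-scoped or project-scoped, so the deployer needs to know which setting wins when both are given (the resolution presumably lives in puppet-keystone's `keystone::resource::authtoken` from the Depends-on change, not in this module). Suggest `# (Optional) Scope for system operations. Keystone only defines the 'all' system scope; when set, the service authenticates with a system-scoped token instead of the project scope given by $project_name.`, adjusted to whatever precedence the underlying resource actually applies. The `octavia::keystone::authtoken` class definition begins and ends outside these hunks.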
diff --git a/releasenotes/notes/system_scope-keystone-dda7488fa52854e0.yaml b/releasenotes/notes/system_scope-keystone-dda7488fa52854e0.yaml
new file mode 100644
index 00000000..0d486a48
--- /dev/null
+++ b/releasenotes/notes/system_scope-keystone-dda7488fa52854e0.yaml
@@ -0,0 +1,13 @@
+---
+features:
+ - |
+ The ``system_scope`` parameter has been added to
+ the ``octavia::keystone::authtoken`` class.
+
+ - |
+ The ``octavia::keystone::auth`` class now supports customizing roles
+ assigned to the octavia service user.
+
+ - |
+ The ``octavia::keystone::auth`` class now supports defining assignmet of
+ system-scoped roles to the octavia service user.
diff --git a/spec/classes/octavia_keystone_auth_spec.rb b/spec/classes/octavia_keystone_auth_spec.rb
index 53170147..77fedd95 100644
--- a/spec/classes/octavia_keystone_auth_spec.rb
+++ b/spec/classes/octavia_keystone_auth_spec.rb
@@ -23,6 +23,9 @@ describe 'octavia::keystone::auth' do
 :password => 'octavia_password',
 :email => 'octavia@localhost',
 :tenant => 'services',
+ :roles => ['admin'],
+ :system_scope => 'all',
+ :system_roles => [],
 :public_url => 'http://127.0.0.1:9876',
 :internal_url => 'http://127.0.0.1:9876',
 :admin_url => 'http://127.0.0.1:9876',
@@ -35,6 +38,9 @@ describe 'octavia::keystone::auth' do
 :auth_name => 'alt_octavia',
 :email => 'alt_octavia@alt_localhost',
 :tenant => 'alt_service',
+ :roles => ['admin', 'service'],
+ :system_scope => 'atl_all',
+ :system_roles => ['admin', 'member', 'reader'],
 :configure_endpoint => false,
 :configure_user => false,
 :configure_user_role => false,
@@ -59,6 +65,9 @@ describe 'octavia::keystone::auth' do
 :password => 'octavia_password',
 :email => 'alt_octavia@alt_localhost',
 :tenant => 'alt_service',
+ :roles => ['admin', 'service'],
+ :system_scope => 'atl_all',
+ :system_roles => ['admin', 'member', 'reader'],
 :public_url => 'https://10.10.10.10:80',
 :internal_url => 'http://10.10.10.11:81',
 :admin_url => 'http://10.10.10.12:81',
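Review bot: In the second and third hunks of `spec/classes/octavia_keystone_auth_spec.rb` the override value `:system_scope => 'atl_all'` looks like a transposition of the `alt_` prefix used by every other alternate value in these examples (`alt_octavia`, `alt_service`); the example still passes because the value is only checked for pass-through, but `'alt_all'` reads as intended. Both occurrences should change together so the expectation block keeps matching the parameter block. The enclosing `describe` block begins and ends outside these hunks.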
diff --git a/spec/classes/octavia_keystone_authtoken_spec.rb b/spec/classes/octavia_keystone_authtoken_spec.rb
index 3d07581e..2756facd 100644
--- a/spec/classes/octavia_keystone_authtoken_spec.rb
+++ b/spec/classes/octavia_keystone_authtoken_spec.rb
@@ -18,6 +18,7 @@ describe 'octavia::keystone::authtoken' do
 :project_name => 'services',
 :user_domain_name => 'Default',
 :project_domain_name => 'Default',
+ :system_scope => '',
 :insecure => '',
 :auth_section => '',
 :auth_type => 'password',
@@ -62,6 +63,7 @@ describe 'octavia::keystone::authtoken' do
 :project_name => 'service_project',
 :user_domain_name => 'domainX',
 :project_domain_name => 'domainX',
+ :system_scope => 'all',
 :insecure => false,
 :auth_section => 'new_section',
 :auth_type => 'password',
@@ -103,6 +105,7 @@ describe 'octavia::keystone::authtoken' do
 :project_name => 'service_project',
 :user_domain_name => 'domainX',
 :project_domain_name => 'domainX',
+ :system_scope => 'all',
 :insecure => false,
 :auth_section => 'new_section',
 :auth_type => 'password',