Globally support system scope credentials

After spending huge effort to understand the exact requirements to enforce SRBAC, we learned it's very difficult to find the required scope in each credential. This requires understanding implementation of client-side as well as server-side, and requirement might be different according to the deployment architecture or features used. Instead of implementing support based on the actual implementation, this introduces support for system scope credentials to all places where keystone user credential is defined, and make all credential configurations consistent. Change-Id: I2d8c35023c9851e6c043b07a1270e386feb9b1dd
2022-03-04 01:52:41 +09:00 · 2022-03-04 01:52:41 +09:00 · be91d620fa
commit be91d620fa
parent 59da852d52
3 changed files with 41 additions and 8 deletions
--- a/manifests/service_auth.pp
+++ b/manifests/service_auth.pp
@ -7,27 +7,31 @@
 #   (required) Password for user
 #
 # [*auth_url*]
-#   (optional) Keystone Authentication URL
+#   (Optional) Keystone Authentication URL
 #   Defaults to 'http://localhost:5000'
 #
 # [*username*]
-#   (optional) User for accessing neutron and other services.
+#   (Optional) User for accessing neutron and other services.
 #   Defaults to 'octavia'
 #
 # [*project_name*]
-#   (optional) Tenant for accessing neutron and other services
+#   (Optional) Tenant for accessing neutron and other services
 #   Defaults to 'services'
 #
 # [*user_domain_name*]
-#   (optional) keystone user domain
+#   (Optional) keystone user domain
 #   Defaults to 'Default'
 #
 # [*project_domain_name*]
-#   (optional) keystone project domain
+#   (Optional) keystone project domain
 #   Defaults to 'Default'
 #
+# [*system_scope*]
+#   (Optional) Scope for system operations.
+#   Defaults to $::os_service_default
+#
 # [*auth_type*]
-#   (optional) keystone authentication type
+#   (Optional) keystone authentication type
 #   Defaults to 'password'
 #
 # [*region_name*]
@ -41,19 +45,29 @@ class octavia::service_auth (
  $project_name        = 'services',
  $user_domain_name    = 'Default',
  $project_domain_name = 'Default',
+  $system_scope        = $::os_service_default,
  $auth_type           = 'password',
  $region_name         = $::os_service_default,
 ) {

  include octavia::deps

+  if is_service_default($system_scope) {
+    $project_name_real = $project_name
+    $project_domain_name_real = $project_domain_name
+  } else {
+    $project_name_real = $::os_service_default
+    $project_domain_name_real = $::os_service_default
+  }
+
  octavia_config {
    'service_auth/auth_url'            : value => $auth_url;
    'service_auth/username'            : value => $username;
-    'service_auth/project_name'        : value => $project_name;
+    'service_auth/project_name'        : value => $project_name_real;
    'service_auth/password'            : value => $password, secret => true;
    'service_auth/user_domain_name'    : value => $user_domain_name;
-    'service_auth/project_domain_name' : value => $project_domain_name;
+    'service_auth/project_domain_name' : value => $project_domain_name_real;
+    'service_auth/system_scope'        : value => $system_scope;
    'service_auth/auth_type'           : value => $auth_type;
    'service_auth/region_name'         : value => $region_name;
  }
--- a/releasenotes/notes/system_scope-all-0895d770ca1afffb.yaml
+++ b/releasenotes/notes/system_scope-all-0895d770ca1afffb.yaml
@ -0,0 +1,4 @@
+---
+features:
+  - |
+    The new ``octavia::service_auth::system_scope`` parameter has been added.
--- a/spec/classes/octavia_service_auth_spec.rb
+++ b/spec/classes/octavia_service_auth_spec.rb
@ -18,6 +18,7 @@ describe 'octavia::service_auth' do
        is_expected.to contain_octavia_config('service_auth/password').with_value('secrete').with_secret(true)
        is_expected.to contain_octavia_config('service_auth/user_domain_name').with_value('Default')
        is_expected.to contain_octavia_config('service_auth/project_domain_name').with_value('Default')
+        is_expected.to contain_octavia_config('service_auth/system_scope').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_octavia_config('service_auth/auth_type').with_value('password')
        is_expected.to contain_octavia_config('service_auth/region_name').with_value('<SERVICE DEFAULT>')
      end
@ -43,10 +44,24 @@ describe 'octavia::service_auth' do
        is_expected.to contain_octavia_config('service_auth/password').with_value('secrete').with_secret(true)
        is_expected.to contain_octavia_config('service_auth/user_domain_name').with_value('my_domain_name')
        is_expected.to contain_octavia_config('service_auth/project_domain_name').with_value('our_domain_name')
+        is_expected.to contain_octavia_config('service_auth/system_scope').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_octavia_config('service_auth/auth_type').with_value('v3password')
        is_expected.to contain_octavia_config('service_auth/region_name').with_value('regionOne')
      end
    end
+
+    context 'when system_scope is set' do
+      before do
+        params.merge!(
+          :system_scope => 'all'
+        )
+      end
+      it 'configures system-scoped credential' do
+        is_expected.to contain_octavia_config('service_auth/project_domain_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_octavia_config('service_auth/project_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_octavia_config('service_auth/system_scope').with_value('all')
+      end
+    end
  end

  on_supported_os({