Accept system scope credentials for Keystone API request

This change is the first step to support secure RBAC and allows usage of system scope credentials for Keystone API request. This change covers the following two items. - assignment of system scope roles to system user - credential parameters for authtoken middleware Depends-on: https://review.opendev.org/804325 Change-Id: I94001758cbbbc348fff238f5c352202c7e283b2b
2021-11-25 23:43:24 +09:00 · 2021-11-25 23:43:24 +09:00 · c748dc5e7b
commit c748dc5e7b
parent 2fb4a5b1e0
5 changed files with 56 additions and 0 deletions
--- a/manifests/keystone/auth.pp
+++ b/manifests/keystone/auth.pp
@ -19,6 +19,18 @@
 #   (Optional) Tenant for octavia user.
 #   Defaults to 'services'.
 #
+# [*roles*]
+#   (Optional) List of roles assigned to octavia user.
+#   Defaults to ['admin']
+#
+# [*system_scope*]
+#   (Optional) Scope for system operations.
+#   Defaults to 'all'
+#
+# [*system_roles*]
+#   (Optional) List of system roles assigned to octavia user.
+#   Defaults to []
+#
 # [*configure_endpoint*]
 #   (Optional) Should octavia endpoint be configured?
 #   Defaults to true.
@ -67,6 +79,9 @@ class octavia::keystone::auth (
  $auth_name           = 'octavia',
  $email               = 'octavia@localhost',
  $tenant              = 'services',
+  $roles               = ['admin'],
+  $system_scope        = 'all',
+  $system_roles        = [],
  $configure_endpoint  = true,
  $configure_user      = true,
  $configure_user_role = true,
@ -81,6 +96,13 @@ class octavia::keystone::auth (

  include octavia::deps

+  Keystone_user_role<| name == "${auth_name}@${tenant}" |> -> Anchor['octavia::service::end']
+  Keystone_user_role<| name == "${auth_name}@::::${system_scope}" |> -> Anchor['octavia::service::end']
+
+  if $configure_endpoint {
+    Keystone_endpoint["${region}/${service_name}::${service_type}"] -> Anchor['octavia::service::end']
+  }
+
  keystone::resource::service_identity { 'octavia':
    configure_user      => $configure_user,
    configure_user_role => $configure_user_role,
@ -93,6 +115,9 @@ class octavia::keystone::auth (
    password            => $password,
    email               => $email,
    tenant              => $tenant,
+    roles               => $roles,
+    system_scope        => $system_scope,
+    system_roles        => $system_roles,
    public_url          => $public_url,
    internal_url        => $internal_url,
    admin_url           => $admin_url,
--- a/manifests/keystone/authtoken.pp
+++ b/manifests/keystone/authtoken.pp
@ -27,6 +27,10 @@
 #   (Optional) Name of domain for $project_name
 #   Defaults to 'Default'
 #
+# [*system_scope*]
+#   (Optional) Scope for system operations
+#   Defaults to $::os_service_default
+#
 # [*insecure*]
 #   (Optional) If true, explicitly allow TLS without checking server cert
 #   against any certificate authorities.  WARNING: not recommended.  Use with
@ -197,6 +201,7 @@ class octavia::keystone::authtoken(
  $project_name                   = 'services',
  $user_domain_name               = 'Default',
  $project_domain_name            = 'Default',
+  $system_scope                   = $::os_service_default,
  $insecure                       = $::os_service_default,
  $auth_section                   = $::os_service_default,
  $auth_type                      = 'password',
@ -246,6 +251,7 @@ class octavia::keystone::authtoken(
      auth_section                   => $auth_section,
      user_domain_name               => $user_domain_name,
      project_domain_name            => $project_domain_name,
+      system_scope                   => $system_scope,
      insecure                       => $insecure,
      cache                          => $cache,
      cafile                         => $cafile,
--- a/releasenotes/notes/system_scope-keystone-dda7488fa52854e0.yaml
+++ b/releasenotes/notes/system_scope-keystone-dda7488fa52854e0.yaml
@ -0,0 +1,13 @@
+---
+features:
+  - |
+    The ``system_scope`` parameter has been added to
+    the ``octavia::keystone::authtoken`` class.
+
+  - |
+    The ``octavia::keystone::auth`` class now supports customizing roles
+    assigned to the octavia service user.
+
+  - |
+    The ``octavia::keystone::auth`` class now supports defining assignmet of
+    system-scoped roles to the octavia service user.
--- a/spec/classes/octavia_keystone_auth_spec.rb
+++ b/spec/classes/octavia_keystone_auth_spec.rb
@ -23,6 +23,9 @@ describe 'octavia::keystone::auth' do
        :password            => 'octavia_password',
        :email               => 'octavia@localhost',
        :tenant              => 'services',
+        :roles               => ['admin'],
+        :system_scope        => 'all',
+        :system_roles        => [],
        :public_url          => 'http://127.0.0.1:9876',
        :internal_url        => 'http://127.0.0.1:9876',
        :admin_url           => 'http://127.0.0.1:9876',
@ -35,6 +38,9 @@ describe 'octavia::keystone::auth' do
          :auth_name           => 'alt_octavia',
          :email               => 'alt_octavia@alt_localhost',
          :tenant              => 'alt_service',
+          :roles               => ['admin', 'service'],
+          :system_scope        => 'atl_all',
+          :system_roles        => ['admin', 'member', 'reader'],
          :configure_endpoint  => false,
          :configure_user      => false,
          :configure_user_role => false,
@ -59,6 +65,9 @@ describe 'octavia::keystone::auth' do
        :password            => 'octavia_password',
        :email               => 'alt_octavia@alt_localhost',
        :tenant              => 'alt_service',
+        :roles               => ['admin', 'service'],
+        :system_scope        => 'atl_all',
+        :system_roles        => ['admin', 'member', 'reader'],
        :public_url          => 'https://10.10.10.10:80',
        :internal_url        => 'http://10.10.10.11:81',
        :admin_url           => 'http://10.10.10.12:81',
--- a/spec/classes/octavia_keystone_authtoken_spec.rb
+++ b/spec/classes/octavia_keystone_authtoken_spec.rb
@ -18,6 +18,7 @@ describe 'octavia::keystone::authtoken' do
          :project_name                   => 'services',
          :user_domain_name               => 'Default',
          :project_domain_name            => 'Default',
+          :system_scope                   => '<SERVICE DEFAULT>',
          :insecure                       => '<SERVICE DEFAULT>',
          :auth_section                   => '<SERVICE DEFAULT>',
          :auth_type                      => 'password',
@ -62,6 +63,7 @@ describe 'octavia::keystone::authtoken' do
          :project_name                   => 'service_project',
          :user_domain_name               => 'domainX',
          :project_domain_name            => 'domainX',
+          :system_scope                   => 'all',
          :insecure                       => false,
          :auth_section                   => 'new_section',
          :auth_type                      => 'password',
@ -103,6 +105,7 @@ describe 'octavia::keystone::authtoken' do
          :project_name                   => 'service_project',
          :user_domain_name               => 'domainX',
          :project_domain_name            => 'domainX',
+          :system_scope                   => 'all',
          :insecure                       => false,
          :auth_section                   => 'new_section',
          :auth_type                      => 'password',