From 937fcf0644e36060c7e90dc4e7b708fc240b9c25 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami <tkajinam@redhat.com>
Date: Thu, 6 Jan 2022 15:38:02 +0900
Subject: [PATCH] Accept system scope credentials for Unified Limits API

This change allows usage of system scope credentials in addition to
project scope credentials to use the Unified Limits API in Keystone.

Change-Id: If4f1633c6dd7adf4b80c0a8cc83ddd3d025d099b
---
 manifests/limit.pp                            | 22 ++++++++++++++++---
 ...scope-keystone-limit-422cbeee81ba84c5.yaml |  5 +++++
 spec/defines/oslo_limit_spec.rb               | 22 +++++++++++++++++--
 3 files changed, 44 insertions(+), 5 deletions(-)
 create mode 100644 releasenotes/notes/system_scope-keystone-limit-422cbeee81ba84c5.yaml

diff --git a/manifests/limit.pp b/manifests/limit.pp
index 1f320ee..4857f00 100644
--- a/manifests/limit.pp
+++ b/manifests/limit.pp
@@ -27,6 +27,10 @@
 #   (Optional) Name of domain for $project_name
 #   Defaults to 'Default'.
 #
+# [*system_scope*]
+#   (Optional) Scope for system operations.
+#   Defaults to $::os_service_default
+#
 # [*auth_type*]
 #  (Optional) Authentication type to load
 #  Defaults to 'password'.
@@ -53,9 +57,10 @@ define oslo::limit(
   $username,
   $password,
   $auth_url,
-  $project_name,
+  $project_name        = $::os_service_default,
   $user_domain_name    = 'Default',
   $project_domain_name = 'Default',
+  $system_scope        = $::os_service_default,
   $auth_type           = 'password',
   $service_type        = $::os_service_default,
   $valid_interfaces    = $::os_service_default,
@@ -63,14 +68,25 @@ define oslo::limit(
   $endpoint_override   = $::os_service_default,
 ) {
 
+  if is_service_default($system_scope) {
+    $project_name_real        = $project_name
+    $project_domain_name_real = $project_domain_name
+  } else {
+    # When system scope is used, project parameters should be removed otherwise
+    # project scope is used.
+    $project_name_real        = $::os_service_default
+    $project_domain_name_real = $::os_service_default
+  }
+
   $limit_options = {
     'oslo_limit/endpoint_id'         => { value => $endpoint_id },
     'oslo_limit/username'            => { value => $username },
     'oslo_limit/password'            => { value => $password, secret => true },
     'oslo_limit/auth_url'            => { value => $auth_url },
-    'oslo_limit/project_name'        => { value => $project_name },
+    'oslo_limit/project_name'        => { value => $project_name_real },
     'oslo_limit/user_domain_name'    => { value => $user_domain_name },
-    'oslo_limit/project_domain_name' => { value => $project_domain_name },
+    'oslo_limit/project_domain_name' => { value => $project_domain_name_real },
+    'oslo_limit/system_scope'        => { value => $system_scope },
     'oslo_limit/auth_type'           => { value => $auth_type },
     'oslo_limit/service_type'        => { value => $service_type },
     'oslo_limit/valid_interfaces'    => { value => join(any2array($valid_interfaces), ',') },
diff --git a/releasenotes/notes/system_scope-keystone-limit-422cbeee81ba84c5.yaml b/releasenotes/notes/system_scope-keystone-limit-422cbeee81ba84c5.yaml
new file mode 100644
index 0000000..da39344
--- /dev/null
+++ b/releasenotes/notes/system_scope-keystone-limit-422cbeee81ba84c5.yaml
@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    The ``system_scope`` parameter has been added to the ``oslo::limit``
+    resource type.
diff --git a/spec/defines/oslo_limit_spec.rb b/spec/defines/oslo_limit_spec.rb
index 718a4f9..606b62f 100644
--- a/spec/defines/oslo_limit_spec.rb
+++ b/spec/defines/oslo_limit_spec.rb
@@ -12,7 +12,6 @@ describe 'oslo::limit' do
         :username     => 'keystone',
         :password     => 'keystone_password',
         :auth_url     => 'http://127.0.0.1:5000/v3',
-        :project_name => 'services',
       }
     end
 
@@ -26,12 +25,13 @@ describe 'oslo::limit' do
         is_expected.to contain_keystone_config('oslo_limit/username').with_value('keystone')
         is_expected.to contain_keystone_config('oslo_limit/password').with_value('keystone_password').with_secret(true)
         is_expected.to contain_keystone_config('oslo_limit/auth_url').with_value('http://127.0.0.1:5000/v3')
-        is_expected.to contain_keystone_config('oslo_limit/project_name').with_value('services')
       end
 
       it 'configures the default params' do
+        is_expected.to contain_keystone_config('oslo_limit/project_name').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_keystone_config('oslo_limit/user_domain_name').with_value('Default')
         is_expected.to contain_keystone_config('oslo_limit/project_domain_name').with_value('Default')
+        is_expected.to contain_keystone_config('oslo_limit/system_scope').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_keystone_config('oslo_limit/auth_type').with_value('password')
         is_expected.to contain_keystone_config('oslo_limit/service_type').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_keystone_config('oslo_limit/valid_interfaces').with_value('<SERVICE DEFAULT>')
@@ -43,6 +43,7 @@ describe 'oslo::limit' do
     context 'with parameters overridden' do
       let :params do
         required_params.merge!({
+          :project_name        => 'services',
           :user_domain_name    => 'UserDomain',
           :project_domain_name => 'ProjectDomain',
           :auth_type           => 'v3password',
@@ -54,8 +55,10 @@ describe 'oslo::limit' do
       end
 
       it 'configures the overridden values' do
+        is_expected.to contain_keystone_config('oslo_limit/project_name').with_value('services')
         is_expected.to contain_keystone_config('oslo_limit/user_domain_name').with_value('UserDomain')
         is_expected.to contain_keystone_config('oslo_limit/project_domain_name').with_value('ProjectDomain')
+        is_expected.to contain_keystone_config('oslo_limit/system_scope').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_keystone_config('oslo_limit/auth_type').with_value('v3password')
         is_expected.to contain_keystone_config('oslo_limit/service_type').with_value('identity')
         is_expected.to contain_keystone_config('oslo_limit/valid_interfaces').with_value('admin,internal')
@@ -63,6 +66,21 @@ describe 'oslo::limit' do
         is_expected.to contain_keystone_config('oslo_limit/endpoint_override').with_value('http://localhost:5000')
       end
     end
+
+    context 'with system_scope' do
+      let :params do
+        required_params.merge!({
+          :project_name => 'services',
+          :system_scope => 'all',
+        })
+      end
+
+      it 'configures system_scope but ignore project parameters' do
+        is_expected.to contain_keystone_config('oslo_limit/project_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('oslo_limit/project_domain_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('oslo_limit/system_scope').with_value('all')
+      end
+    end
   end
 
   on_supported_os({