Accept system scope credentials for Unified Limits API

This change allows usage of system scope credentials in addition to
project scope credentials to use the Unified Limits API in Keystone.

Change-Id: If4f1633c6dd7adf4b80c0a8cc83ddd3d025d099b

manifests/limit.pp

@@ -27,6 +27,10 @@
 #   (Optional) Name of domain for $project_name
 #   Defaults to 'Default'.
 #
+# [*system_scope*]
+#   (Optional) Scope for system operations.
+#   Defaults to $::os_service_default
+#
 # [*auth_type*]
 #  (Optional) Authentication type to load
 #  Defaults to 'password'.
@@ -53,9 +57,10 @@ define oslo::limit(
   $username,
   $password,
   $auth_url,
-  $project_name,
+  $project_name        = $::os_service_default,
   $user_domain_name    = 'Default',
   $project_domain_name = 'Default',
+  $system_scope        = $::os_service_default,
   $auth_type           = 'password',
   $service_type        = $::os_service_default,
   $valid_interfaces    = $::os_service_default,
@@ -63,14 +68,25 @@ define oslo::limit(
   $endpoint_override   = $::os_service_default,
 ) {
 
+  if is_service_default($system_scope) {
+    $project_name_real        = $project_name
+    $project_domain_name_real = $project_domain_name
+  } else {
+    # When system scope is used, project parameters should be removed otherwise
+    # project scope is used.
+    $project_name_real        = $::os_service_default
+    $project_domain_name_real = $::os_service_default
+  }
+
   $limit_options = {
     'oslo_limit/endpoint_id'         => { value => $endpoint_id },
     'oslo_limit/username'            => { value => $username },
     'oslo_limit/password'            => { value => $password, secret => true },
     'oslo_limit/auth_url'            => { value => $auth_url },
-    'oslo_limit/project_name'        => { value => $project_name },
+    'oslo_limit/project_name'        => { value => $project_name_real },
     'oslo_limit/user_domain_name'    => { value => $user_domain_name },
-    'oslo_limit/project_domain_name' => { value => $project_domain_name },
+    'oslo_limit/project_domain_name' => { value => $project_domain_name_real },
+    'oslo_limit/system_scope'        => { value => $system_scope },
     'oslo_limit/auth_type'           => { value => $auth_type },
     'oslo_limit/service_type'        => { value => $service_type },
     'oslo_limit/valid_interfaces'    => { value => join(any2array($valid_interfaces), ',') },

releasenotes/notes/system_scope-keystone-limit-422cbeee81ba84c5.yaml

@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    The ``system_scope`` parameter has been added to the ``oslo::limit``
+    resource type.

spec/defines/oslo_limit_spec.rb

@@ -12,7 +12,6 @@ describe 'oslo::limit' do
         :username     => 'keystone',
         :password     => 'keystone_password',
         :auth_url     => 'http://127.0.0.1:5000/v3',
-        :project_name => 'services',
       }
     end
 
@@ -26,12 +25,13 @@ describe 'oslo::limit' do
         is_expected.to contain_keystone_config('oslo_limit/username').with_value('keystone')
         is_expected.to contain_keystone_config('oslo_limit/password').with_value('keystone_password').with_secret(true)
         is_expected.to contain_keystone_config('oslo_limit/auth_url').with_value('http://127.0.0.1:5000/v3')
-        is_expected.to contain_keystone_config('oslo_limit/project_name').with_value('services')
       end
 
       it 'configures the default params' do
+        is_expected.to contain_keystone_config('oslo_limit/project_name').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_keystone_config('oslo_limit/user_domain_name').with_value('Default')
         is_expected.to contain_keystone_config('oslo_limit/project_domain_name').with_value('Default')
+        is_expected.to contain_keystone_config('oslo_limit/system_scope').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_keystone_config('oslo_limit/auth_type').with_value('password')
         is_expected.to contain_keystone_config('oslo_limit/service_type').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_keystone_config('oslo_limit/valid_interfaces').with_value('<SERVICE DEFAULT>')
@@ -43,6 +43,7 @@ describe 'oslo::limit' do
     context 'with parameters overridden' do
       let :params do
         required_params.merge!({
+          :project_name        => 'services',
           :user_domain_name    => 'UserDomain',
           :project_domain_name => 'ProjectDomain',
           :auth_type           => 'v3password',
@@ -54,8 +55,10 @@ describe 'oslo::limit' do
       end
 
       it 'configures the overridden values' do
+        is_expected.to contain_keystone_config('oslo_limit/project_name').with_value('services')
         is_expected.to contain_keystone_config('oslo_limit/user_domain_name').with_value('UserDomain')
         is_expected.to contain_keystone_config('oslo_limit/project_domain_name').with_value('ProjectDomain')
+        is_expected.to contain_keystone_config('oslo_limit/system_scope').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_keystone_config('oslo_limit/auth_type').with_value('v3password')
         is_expected.to contain_keystone_config('oslo_limit/service_type').with_value('identity')
         is_expected.to contain_keystone_config('oslo_limit/valid_interfaces').with_value('admin,internal')
@@ -63,6 +66,21 @@ describe 'oslo::limit' do
         is_expected.to contain_keystone_config('oslo_limit/endpoint_override').with_value('http://localhost:5000')
       end
     end
+
+    context 'with system_scope' do
+      let :params do
+        required_params.merge!({
+          :project_name => 'services',
+          :system_scope => 'all',
+        })
+      end
+
+      it 'configures system_scope but ignore project parameters' do
+        is_expected.to contain_keystone_config('oslo_limit/project_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('oslo_limit/project_domain_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('oslo_limit/system_scope').with_value('all')
+      end
+    end
   end
 
   on_supported_os({