barbican_service_user: Accept system scope credential
This change allows usage of system scope credentials in addition to project scope credentials, to use service user token when accessing Barbican API. Change-Id: I3ab30adbae3e805aee36bd32854e5490b19b0097
This commit is contained in:
parent
87c3977082
commit
f91cf63560
|
@ -20,7 +20,8 @@
|
||||||
# (Required) The URL to use for authentication.
|
# (Required) The URL to use for authentication.
|
||||||
#
|
#
|
||||||
# [*project_name*]
|
# [*project_name*]
|
||||||
# (Required) Service project name
|
# (Optional) Service project name
|
||||||
|
# Defaults to $::os_service_default
|
||||||
#
|
#
|
||||||
# [*user_domain_name*]
|
# [*user_domain_name*]
|
||||||
# (Optional) Name of domain for $username
|
# (Optional) Name of domain for $username
|
||||||
|
@ -30,6 +31,10 @@
|
||||||
# (Optional) Name of domain for $project_name
|
# (Optional) Name of domain for $project_name
|
||||||
# Defaults to $::os_service_default
|
# Defaults to $::os_service_default
|
||||||
#
|
#
|
||||||
|
# [*system_scope*]
|
||||||
|
# (Optional) Scope for system operations.
|
||||||
|
# Defaults to $::os_service_default
|
||||||
|
#
|
||||||
# [*insecure*]
|
# [*insecure*]
|
||||||
# (Optional) If true, explicitly allow TLS without checking server cert
|
# (Optional) If true, explicitly allow TLS without checking server cert
|
||||||
# against any certificate authorities. WARNING: not recommended. Use with
|
# against any certificate authorities. WARNING: not recommended. Use with
|
||||||
|
@ -65,9 +70,10 @@ define oslo::key_manager::barbican::service_user(
|
||||||
$username,
|
$username,
|
||||||
$password,
|
$password,
|
||||||
$auth_url,
|
$auth_url,
|
||||||
$project_name,
|
$project_name = $::os_service_default,
|
||||||
$user_domain_name = $::os_service_default,
|
$user_domain_name = $::os_service_default,
|
||||||
$project_domain_name = $::os_service_default,
|
$project_domain_name = $::os_service_default,
|
||||||
|
$system_scope = $::os_service_default,
|
||||||
$insecure = $::os_service_default,
|
$insecure = $::os_service_default,
|
||||||
$auth_type = $::os_service_default,
|
$auth_type = $::os_service_default,
|
||||||
$auth_version = $::os_service_default,
|
$auth_version = $::os_service_default,
|
||||||
|
@ -77,6 +83,16 @@ define oslo::key_manager::barbican::service_user(
|
||||||
$region_name = $::os_service_default,
|
$region_name = $::os_service_default,
|
||||||
) {
|
) {
|
||||||
|
|
||||||
|
if is_service_default($system_scope) {
|
||||||
|
$project_name_real = $project_name
|
||||||
|
$project_domain_name_real = $project_domain_name
|
||||||
|
} else {
|
||||||
|
# When system scope is used, project parameters should be removed otherwise
|
||||||
|
# project scope is used.
|
||||||
|
$project_name_real = $::os_service_default
|
||||||
|
$project_domain_name_real = $::os_service_default
|
||||||
|
}
|
||||||
|
|
||||||
$service_user_options = {
|
$service_user_options = {
|
||||||
'barbican_service_user/auth_type' => {'value' => $auth_type},
|
'barbican_service_user/auth_type' => {'value' => $auth_type},
|
||||||
'barbican_service_user/auth_version' => {'value' => $auth_version},
|
'barbican_service_user/auth_version' => {'value' => $auth_version},
|
||||||
|
@ -88,8 +104,9 @@ define oslo::key_manager::barbican::service_user(
|
||||||
'barbican_service_user/username' => {'value' => $username},
|
'barbican_service_user/username' => {'value' => $username},
|
||||||
'barbican_service_user/password' => {'value' => $password, 'secret' => true},
|
'barbican_service_user/password' => {'value' => $password, 'secret' => true},
|
||||||
'barbican_service_user/user_domain_name' => {'value' => $user_domain_name},
|
'barbican_service_user/user_domain_name' => {'value' => $user_domain_name},
|
||||||
'barbican_service_user/project_name' => {'value' => $project_name},
|
'barbican_service_user/project_name' => {'value' => $project_name_real},
|
||||||
'barbican_service_user/project_domain_name' => {'value' => $project_domain_name},
|
'barbican_service_user/project_domain_name' => {'value' => $project_domain_name_real},
|
||||||
|
'barbican_service_user/system_scope' => {'value' => $system_scope},
|
||||||
'barbican_service_user/insecure' => {'value' => $insecure},
|
'barbican_service_user/insecure' => {'value' => $insecure},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
The ``oslo::key_manager::barbican::service_user`` resource type now
|
||||||
|
supports the ``system_scope`` parameter.
|
|
@ -7,8 +7,7 @@ describe 'oslo::key_manager::barbican::service_user' do
|
||||||
let :params do
|
let :params do
|
||||||
{ :username => 'keystone',
|
{ :username => 'keystone',
|
||||||
:password => 'secret',
|
:password => 'secret',
|
||||||
:auth_url => 'http://127.0.0.1:5000',
|
:auth_url => 'http://127.0.0.1:5000' }
|
||||||
:project_name => 'services' }
|
|
||||||
end
|
end
|
||||||
|
|
||||||
shared_examples 'oslo::key_manager::barbican::service_user' do
|
shared_examples 'oslo::key_manager::barbican::service_user' do
|
||||||
|
@ -17,8 +16,9 @@ describe 'oslo::key_manager::barbican::service_user' do
|
||||||
is_expected.to contain_keystone_config('barbican_service_user/username').with_value('keystone')
|
is_expected.to contain_keystone_config('barbican_service_user/username').with_value('keystone')
|
||||||
is_expected.to contain_keystone_config('barbican_service_user/password').with_value('secret').with_secret(true)
|
is_expected.to contain_keystone_config('barbican_service_user/password').with_value('secret').with_secret(true)
|
||||||
is_expected.to contain_keystone_config('barbican_service_user/auth_url').with_value( params[:auth_url] )
|
is_expected.to contain_keystone_config('barbican_service_user/auth_url').with_value( params[:auth_url] )
|
||||||
is_expected.to contain_keystone_config('barbican_service_user/project_name').with_value( params[:project_name] )
|
is_expected.to contain_keystone_config('barbican_service_user/project_name').with_value('<SERVICE DEFAULT>')
|
||||||
is_expected.to contain_keystone_config('barbican_service_user/project_domain_name').with_value('<SERVICE DEFAULT>')
|
is_expected.to contain_keystone_config('barbican_service_user/project_domain_name').with_value('<SERVICE DEFAULT>')
|
||||||
|
is_expected.to contain_keystone_config('barbican_service_user/system_scope').with_value('<SERVICE DEFAULT>')
|
||||||
is_expected.to contain_keystone_config('barbican_service_user/user_domain_name').with_value('<SERVICE DEFAULT>')
|
is_expected.to contain_keystone_config('barbican_service_user/user_domain_name').with_value('<SERVICE DEFAULT>')
|
||||||
is_expected.to contain_keystone_config('barbican_service_user/insecure').with_value('<SERVICE DEFAULT>')
|
is_expected.to contain_keystone_config('barbican_service_user/insecure').with_value('<SERVICE DEFAULT>')
|
||||||
is_expected.to contain_keystone_config('barbican_service_user/auth_type').with_value('<SERVICE DEFAULT>')
|
is_expected.to contain_keystone_config('barbican_service_user/auth_type').with_value('<SERVICE DEFAULT>')
|
||||||
|
@ -55,6 +55,7 @@ describe 'oslo::key_manager::barbican::service_user' do
|
||||||
is_expected.to contain_keystone_config('barbican_service_user/project_name').with_value( params[:project_name] )
|
is_expected.to contain_keystone_config('barbican_service_user/project_name').with_value( params[:project_name] )
|
||||||
is_expected.to contain_keystone_config('barbican_service_user/user_domain_name').with_value(params[:user_domain_name])
|
is_expected.to contain_keystone_config('barbican_service_user/user_domain_name').with_value(params[:user_domain_name])
|
||||||
is_expected.to contain_keystone_config('barbican_service_user/project_domain_name').with_value(params[:project_domain_name])
|
is_expected.to contain_keystone_config('barbican_service_user/project_domain_name').with_value(params[:project_domain_name])
|
||||||
|
is_expected.to contain_keystone_config('barbican_service_user/system_scope').with_value('<SERVICE DEFAULT>')
|
||||||
is_expected.to contain_keystone_config('barbican_service_user/insecure').with_value(params[:insecure])
|
is_expected.to contain_keystone_config('barbican_service_user/insecure').with_value(params[:insecure])
|
||||||
is_expected.to contain_keystone_config('barbican_service_user/auth_version').with_value(params[:auth_version])
|
is_expected.to contain_keystone_config('barbican_service_user/auth_version').with_value(params[:auth_version])
|
||||||
is_expected.to contain_keystone_config('barbican_service_user/cafile').with_value(params[:cafile])
|
is_expected.to contain_keystone_config('barbican_service_user/cafile').with_value(params[:cafile])
|
||||||
|
@ -71,11 +72,20 @@ describe 'oslo::key_manager::barbican::service_user' do
|
||||||
it { expect { is_expected.to raise_error(Puppet::Error) } }
|
it { expect { is_expected.to raise_error(Puppet::Error) } }
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'without specify project' do
|
context 'with system_scope' do
|
||||||
let :params do
|
before do
|
||||||
params.delete(:project_name)
|
params.merge!({
|
||||||
|
:project_name => 'NoProject',
|
||||||
|
:project_domain_name => 'OurDomain',
|
||||||
|
:system_scope => 'all',
|
||||||
|
})
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'configures system_scope' do
|
||||||
|
is_expected.to contain_keystone_config('barbican_service_user/project_name').with_value('<SERVICE DEFAULT>')
|
||||||
|
is_expected.to contain_keystone_config('barbican_service_user/project_domain_name').with_value('<SERVICE DEFAULT>')
|
||||||
|
is_expected.to contain_keystone_config('barbican_service_user/system_scope').with_value(params[:system_scope])
|
||||||
end
|
end
|
||||||
it { expect { is_expected.to raise_error(Puppet::Error) } }
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue