barbican_service_user: Accept system scope credential

This change allows usage of system scope credentials in addition to project scope credentials, to use service user token when accessing Barbican API. Change-Id: I3ab30adbae3e805aee36bd32854e5490b19b0097
2022-01-08 12:09:26 +09:00 · 2022-01-08 12:09:26 +09:00 · f91cf63560
parent 87c3977082
commit f91cf63560
3 changed files with 43 additions and 11 deletions
--- a/manifests/key_manager/barbican/service_user.pp
+++ b/manifests/key_manager/barbican/service_user.pp
@ -20,7 +20,8 @@
 #  (Required) The URL to use for authentication.
 #
 # [*project_name*]
-#  (Required) Service project name
+#  (Optional) Service project name
+#  Defaults to $::os_service_default
 #
 # [*user_domain_name*]
 #  (Optional) Name of domain for $username
@ -30,6 +31,10 @@
 #  (Optional) Name of domain for $project_name
 #  Defaults to $::os_service_default
 #
+# [*system_scope*]
+#  (Optional) Scope for system operations.
+#  Defaults to $::os_service_default
+#
 # [*insecure*]
 #  (Optional) If true, explicitly allow TLS without checking server cert
 #  against any certificate authorities.  WARNING: not recommended.  Use with
@ -65,9 +70,10 @@ define oslo::key_manager::barbican::service_user(
  $username,
  $password,
  $auth_url,
-  $project_name,
+  $project_name            = $::os_service_default,
  $user_domain_name        = $::os_service_default,
  $project_domain_name     = $::os_service_default,
+  $system_scope            = $::os_service_default,
  $insecure                = $::os_service_default,
  $auth_type               = $::os_service_default,
  $auth_version            = $::os_service_default,
@ -77,6 +83,16 @@ define oslo::key_manager::barbican::service_user(
  $region_name             = $::os_service_default,
 ) {

+  if is_service_default($system_scope) {
+    $project_name_real        = $project_name
+    $project_domain_name_real = $project_domain_name
+  } else {
+    # When system scope is used, project parameters should be removed otherwise
+    # project scope is used.
+    $project_name_real        = $::os_service_default
+    $project_domain_name_real = $::os_service_default
+  }
+
  $service_user_options = {
    'barbican_service_user/auth_type'           => {'value' => $auth_type},
    'barbican_service_user/auth_version'        => {'value' => $auth_version},
@ -88,8 +104,9 @@ define oslo::key_manager::barbican::service_user(
    'barbican_service_user/username'            => {'value' => $username},
    'barbican_service_user/password'            => {'value' => $password, 'secret' => true},
    'barbican_service_user/user_domain_name'    => {'value' => $user_domain_name},
-    'barbican_service_user/project_name'        => {'value' => $project_name},
-    'barbican_service_user/project_domain_name' => {'value' => $project_domain_name},
+    'barbican_service_user/project_name'        => {'value' => $project_name_real},
+    'barbican_service_user/project_domain_name' => {'value' => $project_domain_name_real},
+    'barbican_service_user/system_scope'        => {'value' => $system_scope},
    'barbican_service_user/insecure'            => {'value' => $insecure},
  }

--- a/releasenotes/notes/system_scope-barbican_service_user-3e9cba1bba4f22b8.yaml
+++ b/releasenotes/notes/system_scope-barbican_service_user-3e9cba1bba4f22b8.yaml
@ -0,0 +1,5 @@
+---
+features:
+  - |
+    The ``oslo::key_manager::barbican::service_user`` resource type now
+    supports the ``system_scope`` parameter.
--- a/spec/defines/oslo_key_manager_barbican_service_user_spec.rb
+++ b/spec/defines/oslo_key_manager_barbican_service_user_spec.rb
@ -7,8 +7,7 @@ describe 'oslo::key_manager::barbican::service_user' do
  let :params do
    { :username     => 'keystone',
      :password     => 'secret',
-      :auth_url     => 'http://127.0.0.1:5000',
-      :project_name => 'services' }
+      :auth_url     => 'http://127.0.0.1:5000' }
  end

  shared_examples 'oslo::key_manager::barbican::service_user' do
@ -17,8 +16,9 @@ describe 'oslo::key_manager::barbican::service_user' do
        is_expected.to contain_keystone_config('barbican_service_user/username').with_value('keystone')
        is_expected.to contain_keystone_config('barbican_service_user/password').with_value('secret').with_secret(true)
        is_expected.to contain_keystone_config('barbican_service_user/auth_url').with_value( params[:auth_url] )
-        is_expected.to contain_keystone_config('barbican_service_user/project_name').with_value( params[:project_name] )
+        is_expected.to contain_keystone_config('barbican_service_user/project_name').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_keystone_config('barbican_service_user/project_domain_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('barbican_service_user/system_scope').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_keystone_config('barbican_service_user/user_domain_name').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_keystone_config('barbican_service_user/insecure').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_keystone_config('barbican_service_user/auth_type').with_value('<SERVICE DEFAULT>')
@ -55,6 +55,7 @@ describe 'oslo::key_manager::barbican::service_user' do
        is_expected.to contain_keystone_config('barbican_service_user/project_name').with_value( params[:project_name] )
        is_expected.to contain_keystone_config('barbican_service_user/user_domain_name').with_value(params[:user_domain_name])
        is_expected.to contain_keystone_config('barbican_service_user/project_domain_name').with_value(params[:project_domain_name])
+        is_expected.to contain_keystone_config('barbican_service_user/system_scope').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_keystone_config('barbican_service_user/insecure').with_value(params[:insecure])
        is_expected.to contain_keystone_config('barbican_service_user/auth_version').with_value(params[:auth_version])
        is_expected.to contain_keystone_config('barbican_service_user/cafile').with_value(params[:cafile])
@ -71,11 +72,20 @@ describe 'oslo::key_manager::barbican::service_user' do
      it { expect { is_expected.to raise_error(Puppet::Error) } }
    end

-    context 'without specify project' do
-      let :params do
-        params.delete(:project_name)
+    context 'with system_scope' do
+      before do
+        params.merge!({
+          :project_name        => 'NoProject',
+          :project_domain_name => 'OurDomain',
+          :system_scope        => 'all',
+        })
+      end
+
+      it 'configures system_scope' do
+        is_expected.to contain_keystone_config('barbican_service_user/project_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('barbican_service_user/project_domain_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('barbican_service_user/system_scope').with_value(params[:system_scope])
      end
-      it { expect { is_expected.to raise_error(Puppet::Error) } }
    end
  end