Merge "Accept system scope credentials for Keystone API request"

2022-01-06 08:59:32 +00:00
parent 753e422ec1 f62deec1da
commit 223bc7ad8c
5 changed files with 51 additions and 3 deletions
--- a/manifests/keystone/auth.pp
+++ b/manifests/keystone/auth.pp
@@ -23,6 +23,18 @@
 #   (Optional) Tenant for placement user.
 #   Defaults to 'services'.
 #
+# [*roles*]
+#   (Optional) List of roles assigned to placement user.
+#   Defaults to ['admin']
+#
+# [*system_scope*]
+#   (Optional) Scope for system operations.
+#   Defaults to 'all'
+#
+# [*system_roles*]
+#   (Optional) List of system roles assigned to placement user.
+#   Defaults to []
+#
 # [*configure_endpoint*]
 #   (Optional) Should placement endpoint be configured?
 #   Defaults to true.
@@ -71,6 +83,9 @@ class placement::keystone::auth (
  $auth_name           = 'placement',
  $email               = 'placement@localhost',
  $tenant              = 'services',
+  $roles               = ['admin'],
+  $system_scope        = 'all',
+  $system_roles        = [],
  $configure_endpoint  = true,
  $configure_user      = true,
  $configure_user_role = true,
@@ -85,9 +100,8 @@ class placement::keystone::auth (

  include placement::deps

-  if $configure_user_role {
-    Keystone_user_role["${auth_name}@${tenant}"] -> Anchor['placement::service::end']
-  }
+  Keystone_user_role<| name == "${auth_name}@${tenant}" |> -> Anchor['barbican::service::end']
+  Keystone_user_role<| name == "${auth_name}@::::${system_scope}" |> -> Anchor['barbican::service::end']

  if $configure_endpoint {
    Keystone_endpoint["${region}/${service_name}::${service_type}"] -> Anchor['placement::service::end']
@@ -106,6 +120,9 @@ class placement::keystone::auth (
    password            => $password,
    email               => $email,
    tenant              => $tenant,
+    roles               => $roles,
+    system_scope        => $system_scope,
+    system_roles        => $system_roles,
    public_url          => $public_url,
    internal_url        => $internal_url,
    admin_url           => $admin_url,
--- a/manifests/keystone/authtoken.pp
+++ b/manifests/keystone/authtoken.pp
@@ -28,6 +28,10 @@
 #   (Optional) Name of domain for $project_name
 #   Defaults to 'Default'
 #
+# [*system_scope*]
+#   (Optional) Scope for system operations
+#   Defaults to $::os_service_default
+#
 # [*insecure*]
 #   (Optional) If true, explicitly allow TLS without checking server cert
 #   against any certificate authorities.  WARNING: not recommended.  Use with
@@ -198,6 +202,7 @@ class placement::keystone::authtoken(
  $project_name                   = 'services',
  $user_domain_name               = 'Default',
  $project_domain_name            = 'Default',
+  $system_scope                   = $::os_service_default,
  $insecure                       = $::os_service_default,
  $auth_section                   = $::os_service_default,
  $auth_type                      = 'password',
@@ -251,6 +256,7 @@ class placement::keystone::authtoken(
      auth_section                   => $auth_section,
      user_domain_name               => $user_domain_name,
      project_domain_name            => $project_domain_name,
+      system_scope                   => $system_scope,
      insecure                       => $insecure,
      cache                          => $cache,
      cafile                         => $cafile,
--- a/releasenotes/notes/system_scope-keystone-221e082242e370cb.yaml
+++ b/releasenotes/notes/system_scope-keystone-221e082242e370cb.yaml
@@ -0,0 +1,13 @@
+---
+features:
+  - |
+    The ``system_scope`` parameter has been added to
+    the ``placement::keystone::authtoken`` class.
+
+  - |
+    The ``placement::keystone::auth`` class now supports customizing roles
+    assigned to the placement service user.
+
+  - |
+    The ``placement::keystone::auth`` class now supports defining assignmet of
+    system-scoped roles to the placement service user.
--- a/spec/classes/placement_keystone_auth_spec.rb
+++ b/spec/classes/placement_keystone_auth_spec.rb
@@ -23,6 +23,9 @@ describe 'placement::keystone::auth' do
        :password            => 'placement_password',
        :email               => 'placement@localhost',
        :tenant              => 'services',
+        :roles               => ['admin'],
+        :system_scope        => 'all',
+        :system_roles        => [],
        :public_url          => 'http://127.0.0.1:8778',
        :internal_url        => 'http://127.0.0.1:8778',
        :admin_url           => 'http://127.0.0.1:8778',
@@ -35,6 +38,9 @@ describe 'placement::keystone::auth' do
          :auth_name           => 'alt_placement',
          :email               => 'alt_placement@alt_localhost',
          :tenant              => 'alt_service',
+          :roles               => ['admin', 'service'],
+          :system_scope        => 'alt_all',
+          :system_roles        => ['admin', 'member', 'reader'],
          :configure_endpoint  => false,
          :configure_user      => false,
          :configure_user_role => false,
@@ -59,6 +65,9 @@ describe 'placement::keystone::auth' do
        :password            => 'placement_password',
        :email               => 'alt_placement@alt_localhost',
        :tenant              => 'alt_service',
+        :roles               => ['admin', 'service'],
+        :system_scope        => 'alt_all',
+        :system_roles        => ['admin', 'member', 'reader'],
        :public_url          => 'https://10.10.10.10:80',
        :internal_url        => 'http://10.10.10.11:81',
        :admin_url           => 'http://10.10.10.12:81',
--- a/spec/classes/placement_keystone_authtoken_spec.rb
+++ b/spec/classes/placement_keystone_authtoken_spec.rb
@@ -18,6 +18,7 @@ describe 'placement::keystone::authtoken' do
          :project_name                   => 'services',
          :user_domain_name               => 'Default',
          :project_domain_name            => 'Default',
+          :system_scope                   => '<SERVICE DEFAULT>',
          :insecure                       => '<SERVICE DEFAULT>',
          :auth_section                   => '<SERVICE DEFAULT>',
          :auth_type                      => 'password',
@@ -62,6 +63,7 @@ describe 'placement::keystone::authtoken' do
          :project_name                   => 'service_project',
          :user_domain_name               => 'domainX',
          :project_domain_name            => 'domainX',
+          :system_scope                   => 'all',
          :insecure                       => false,
          :auth_section                   => 'new_section',
          :auth_type                      => 'password',
@@ -103,6 +105,7 @@ describe 'placement::keystone::authtoken' do
          :project_name                   => 'service_project',
          :user_domain_name               => 'domainX',
          :project_domain_name            => 'domainX',
+          :system_scope                   => 'all',
          :insecure                       => false,
          :auth_section                   => 'new_section',
          :auth_type                      => 'password',