Accept system scope credentials for Keystone API request

This change is the first step to support secure RBAC and allows usage of system scope credentials for Keystone API request. This change covers the following two items. - assignment of system scope roles to system user - credential parameters for authtoken middleware Depends-on: https://review.opendev.org/804325 Change-Id: I587f94d909ed393eb6aea74f7110abaece13269c
2021-11-25 21:06:09 +09:00 · 2021-11-25 21:06:09 +09:00 · f62deec1da
commit f62deec1da
parent 1f9583c805
5 changed files with 51 additions and 3 deletions
--- a/manifests/keystone/auth.pp
+++ b/manifests/keystone/auth.pp
@ -23,6 +23,18 @@
 #   (Optional) Tenant for placement user.
 #   Defaults to 'services'.
 #
+# [*roles*]
+#   (Optional) List of roles assigned to placement user.
+#   Defaults to ['admin']
+#
+# [*system_scope*]
+#   (Optional) Scope for system operations.
+#   Defaults to 'all'
+#
+# [*system_roles*]
+#   (Optional) List of system roles assigned to placement user.
+#   Defaults to []
+#
 # [*configure_endpoint*]
 #   (Optional) Should placement endpoint be configured?
 #   Defaults to true.
@ -71,6 +83,9 @@ class placement::keystone::auth (
  $auth_name           = 'placement',
  $email               = 'placement@localhost',
  $tenant              = 'services',
+  $roles               = ['admin'],
+  $system_scope        = 'all',
+  $system_roles        = [],
  $configure_endpoint  = true,
  $configure_user      = true,
  $configure_user_role = true,
@ -85,9 +100,8 @@ class placement::keystone::auth (

  include placement::deps

-  if $configure_user_role {
-    Keystone_user_role["${auth_name}@${tenant}"] -> Anchor['placement::service::end']
-  }
+  Keystone_user_role<| name == "${auth_name}@${tenant}" |> -> Anchor['barbican::service::end']
+  Keystone_user_role<| name == "${auth_name}@::::${system_scope}" |> -> Anchor['barbican::service::end']

  if $configure_endpoint {
    Keystone_endpoint["${region}/${service_name}::${service_type}"] -> Anchor['placement::service::end']
@ -106,6 +120,9 @@ class placement::keystone::auth (
    password            => $password,
    email               => $email,
    tenant              => $tenant,
+    roles               => $roles,
+    system_scope        => $system_scope,
+    system_roles        => $system_roles,
    public_url          => $public_url,
    internal_url        => $internal_url,
    admin_url           => $admin_url,
--- a/manifests/keystone/authtoken.pp
+++ b/manifests/keystone/authtoken.pp
@ -28,6 +28,10 @@
 #   (Optional) Name of domain for $project_name
 #   Defaults to 'Default'
 #
+# [*system_scope*]
+#   (Optional) Scope for system operations
+#   Defaults to $::os_service_default
+#
 # [*insecure*]
 #   (Optional) If true, explicitly allow TLS without checking server cert
 #   against any certificate authorities.  WARNING: not recommended.  Use with
@ -198,6 +202,7 @@ class placement::keystone::authtoken(
  $project_name                   = 'services',
  $user_domain_name               = 'Default',
  $project_domain_name            = 'Default',
+  $system_scope                   = $::os_service_default,
  $insecure                       = $::os_service_default,
  $auth_section                   = $::os_service_default,
  $auth_type                      = 'password',
@ -251,6 +256,7 @@ class placement::keystone::authtoken(
      auth_section                   => $auth_section,
      user_domain_name               => $user_domain_name,
      project_domain_name            => $project_domain_name,
+      system_scope                   => $system_scope,
      insecure                       => $insecure,
      cache                          => $cache,
      cafile                         => $cafile,
--- a/releasenotes/notes/system_scope-keystone-221e082242e370cb.yaml
+++ b/releasenotes/notes/system_scope-keystone-221e082242e370cb.yaml
@ -0,0 +1,13 @@
+---
+features:
+  - |
+    The ``system_scope`` parameter has been added to
+    the ``placement::keystone::authtoken`` class.
+
+  - |
+    The ``placement::keystone::auth`` class now supports customizing roles
+    assigned to the placement service user.
+
+  - |
+    The ``placement::keystone::auth`` class now supports defining assignmet of
+    system-scoped roles to the placement service user.
--- a/spec/classes/placement_keystone_auth_spec.rb
+++ b/spec/classes/placement_keystone_auth_spec.rb
@ -23,6 +23,9 @@ describe 'placement::keystone::auth' do
        :password            => 'placement_password',
        :email               => 'placement@localhost',
        :tenant              => 'services',
+        :roles               => ['admin'],
+        :system_scope        => 'all',
+        :system_roles        => [],
        :public_url          => 'http://127.0.0.1:8778',
        :internal_url        => 'http://127.0.0.1:8778',
        :admin_url           => 'http://127.0.0.1:8778',
@ -35,6 +38,9 @@ describe 'placement::keystone::auth' do
          :auth_name           => 'alt_placement',
          :email               => 'alt_placement@alt_localhost',
          :tenant              => 'alt_service',
+          :roles               => ['admin', 'service'],
+          :system_scope        => 'alt_all',
+          :system_roles        => ['admin', 'member', 'reader'],
          :configure_endpoint  => false,
          :configure_user      => false,
          :configure_user_role => false,
@ -59,6 +65,9 @@ describe 'placement::keystone::auth' do
        :password            => 'placement_password',
        :email               => 'alt_placement@alt_localhost',
        :tenant              => 'alt_service',
+        :roles               => ['admin', 'service'],
+        :system_scope        => 'alt_all',
+        :system_roles        => ['admin', 'member', 'reader'],
        :public_url          => 'https://10.10.10.10:80',
        :internal_url        => 'http://10.10.10.11:81',
        :admin_url           => 'http://10.10.10.12:81',
--- a/spec/classes/placement_keystone_authtoken_spec.rb
+++ b/spec/classes/placement_keystone_authtoken_spec.rb
@ -18,6 +18,7 @@ describe 'placement::keystone::authtoken' do
          :project_name                   => 'services',
          :user_domain_name               => 'Default',
          :project_domain_name            => 'Default',
+          :system_scope                   => '<SERVICE DEFAULT>',
          :insecure                       => '<SERVICE DEFAULT>',
          :auth_section                   => '<SERVICE DEFAULT>',
          :auth_type                      => 'password',
@ -62,6 +63,7 @@ describe 'placement::keystone::authtoken' do
          :project_name                   => 'service_project',
          :user_domain_name               => 'domainX',
          :project_domain_name            => 'domainX',
+          :system_scope                   => 'all',
          :insecure                       => false,
          :auth_section                   => 'new_section',
          :auth_type                      => 'password',
@ -103,6 +105,7 @@ describe 'placement::keystone::authtoken' do
          :project_name                   => 'service_project',
          :user_domain_name               => 'domainX',
          :project_domain_name            => 'domainX',
+          :system_scope                   => 'all',
          :insecure                       => false,
          :auth_section                   => 'new_section',
          :auth_type                      => 'password',