From f62deec1dad453e0d3d01942646ccbea43353190 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Thu, 25 Nov 2021 21:06:09 +0900
Subject: [PATCH] Accept system scope credentials for Keystone API request
This change is the first step to support secure RBAC and allows usage of system scope credentials for Keystone API request.
This change covers the following two items.
- assignment of system scope roles to system user
- credential parameters for authtoken middleware
Depends-on: https://review.opendev.org/804325
Change-Id: I587f94d909ed393eb6aea74f7110abaece13269c
---
manifests/keystone/auth.pp | 23 ++++++++++++++++---
manifests/keystone/authtoken.pp | 6 +++++
...ystem_scope-keystone-221e082242e370cb.yaml | 13 +++++++++++
spec/classes/placement_keystone_auth_spec.rb | 9 ++++++++
.../placement_keystone_authtoken_spec.rb | 3 +++
5 files changed, 51 insertions(+), 3 deletions(-)
create mode 100644 releasenotes/notes/system_scope-keystone-221e082242e370cb.yaml
diff --git a/manifests/keystone/auth.pp b/manifests/keystone/auth.pp
index cacbebb..9c41255 100644
--- a/manifests/keystone/auth.pp
+++ b/manifests/keystone/auth.pp
@@ -23,6 +23,18 @@
 # (Optional) Tenant for placement user.
 # Defaults to 'services'.
 #
+# [*roles*]
+# (Optional) List of roles assigned to placement user.
+# Defaults to ['admin']
+#
+# [*system_scope*]
+# (Optional) Scope for system operations.
+# Defaults to 'all'
+#
+# [*system_roles*]
+# (Optional) List of system roles assigned to placement user.
+# Defaults to []
+#
 # [*configure_endpoint*]
 # (Optional) Should placement endpoint be configured?
 # Defaults to true.
@@ -71,6 +83,9 @@ class placement::keystone::auth (
 $auth_name = 'placement',
 $email = 'placement@localhost',
 $tenant = 'services',
+ $roles = ['admin'],
+ $system_scope = 'all',
+ $system_roles = [],
 $configure_endpoint = true,
 $configure_user = true,
 $configure_user_role = true,
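Review bot: The new `[*system_scope*]` entry in the first hunk only says "Scope for system operations", which leaves an operator guessing what values are legal and when the parameter has any effect; as far as I know Keystone accepts only `all` as a system scope, and with the default `system_roles = []` the value presumably grants nothing at all. I'd extend the comment to `# (Optional) Scope for system operations. Keystone currently accepts only 'all'; only used when system_roles is non-empty.` The `[*roles*]` entry would likewise benefit from saying these are project-scoped assignments on `$tenant`, so readers don't confuse them with the system-scoped `system_roles`, e.g. `# (Optional) List of project-scoped roles assigned to placement user on $tenant.`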
@@ -85,9 +100,8 @@ class placement::keystone::auth (
 include placement::deps
- if $configure_user_role {
- Keystone_user_role["${auth_name}@${tenant}"] -> Anchor['placement::service::end']
- }
+ Keystone_user_role<| name == "${auth_name}@${tenant}" |> -> Anchor['barbican::service::end']
+ Keystone_user_role<| name == "${auth_name}@::::${system_scope}" |> -> Anchor['barbican::service::end']
 if $configure_endpoint {
 Keystone_endpoint["${region}/${service_name}::${service_type}"] -> Anchor['placement::service::end']
@@ -106,6 +120,9 @@ class placement::keystone::auth (
 password => $password,
 email => $email,
 tenant => $tenant,
+ roles => $roles,
+ system_scope => $system_scope,
+ system_roles => $system_roles,
 public_url => $public_url,
 internal_url => $internal_url,
 admin_url => $admin_url,
diff --git a/manifests/keystone/authtoken.pp b/manifests/keystone/authtoken.pp
index 31e1f33..8364921 100644
--- a/manifests/keystone/authtoken.pp
+++ b/manifests/keystone/authtoken.pp
@@ -28,6 +28,10 @@
 # (Optional) Name of domain for $project_name
 # Defaults to 'Default'
 #
+# [*system_scope*]
+# (Optional) Scope for system operations
+# Defaults to $::os_service_default
+#
 # [*insecure*]
 # (Optional) If true, explicitly allow TLS without checking server cert
 # against any certificate authorities. WARNING: not recommended. Use with
@@ -198,6 +202,7 @@ class placement::keystone::authtoken(
 $project_name = 'services',
 $user_domain_name = 'Default',
 $project_domain_name = 'Default',
+ $system_scope = $::os_service_default,
 $insecure = $::os_service_default,
 $auth_section = $::os_service_default,
 $auth_type = 'password',
@@ -251,6 +256,7 @@ class placement::keystone::authtoken(
 auth_section => $auth_section,
 user_domain_name => $user_domain_name,
 project_domain_name => $project_domain_name,
+ system_scope => $system_scope,
 insecure => $insecure,
 cache => $cache,
 cafile => $cafile,
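Review bot: Both new collector relationships in the `@@ -85,9 +100,8 @@` hunk point at `Anchor['barbican::service::end']`, but this module's anchor — used by the removed line and by the `Keystone_endpoint` relationship two lines below — is `Anchor['placement::service::end']`; this looks like a copy from puppet-barbican. If no `barbican::service::end` anchor is in the catalog the relationship will most likely fail compilation whenever a role assignment is collected, and where it does exist it orders the placement user's role grants against the wrong service, so the placement API can be brought up before its service credential has any role. Change both lines to end in `-> Anchor['placement::service::end']`. Dropping the `if $configure_user_role` guard is fine with collectors, since an unmatched collector creates no relationship. The class body continues outside the hunk.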
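Review bot: In the `@@ -251,6 +256,7 @@` hunk `system_scope` is handed to `keystone::resource::authtoken` together with `project_name` (still defaulting to `'services'`) and `project_domain_name`, and a token request that carries both a project and a system scope is rejected by Keystone as multi-scoped. The class therefore relies on the dependent puppet-keystone change discarding the project parameters when `system_scope` is set; I cannot confirm that from this diff, so either add that handling here or state the contract in the parameter docs of the `@@ -28,6 +28,10 @@` hunk, e.g. `# (Optional) Scope for system operations. When set, project_name and project_domain_name are not used and the service token is system-scoped.` That comment also lacks the trailing period the sibling entry in auth.pp uses. The resource declaration continues outside the hunk.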
diff --git a/releasenotes/notes/system_scope-keystone-221e082242e370cb.yaml b/releasenotes/notes/system_scope-keystone-221e082242e370cb.yaml
new file mode 100644
index 0000000..e522ad0
--- /dev/null
+++ b/releasenotes/notes/system_scope-keystone-221e082242e370cb.yaml
@@ -0,0 +1,13 @@
+---
+features:
+ - |
+ The ``system_scope`` parameter has been added to
+ the ``placement::keystone::authtoken`` class.
+
+ - |
+ The ``placement::keystone::auth`` class now supports customizing roles
+ assigned to the placement service user.
+
+ - |
+ The ``placement::keystone::auth`` class now supports defining assignmet of
+ system-scoped roles to the placement service user.
diff --git a/spec/classes/placement_keystone_auth_spec.rb b/spec/classes/placement_keystone_auth_spec.rb
index 89d487a..80edc98 100644
--- a/spec/classes/placement_keystone_auth_spec.rb
+++ b/spec/classes/placement_keystone_auth_spec.rb
@@ -23,6 +23,9 @@ describe 'placement::keystone::auth' do
 :password => 'placement_password',
 :email => 'placement@localhost',
 :tenant => 'services',
+ :roles => ['admin'],
+ :system_scope => 'all',
+ :system_roles => [],
 :public_url => 'http://127.0.0.1:8778',
 :internal_url => 'http://127.0.0.1:8778',
 :admin_url => 'http://127.0.0.1:8778',
@@ -35,6 +38,9 @@ describe 'placement::keystone::auth' do
 :auth_name => 'alt_placement',
 :email => 'alt_placement@alt_localhost',
 :tenant => 'alt_service',
+ :roles => ['admin', 'service'],
+ :system_scope => 'alt_all',
+ :system_roles => ['admin', 'member', 'reader'],
 :configure_endpoint => false,
 :configure_user => false,
 :configure_user_role => false,
@@ -59,6 +65,9 @@ describe 'placement::keystone::auth' do
 :password => 'placement_password',
 :email => 'alt_placement@alt_localhost',
 :tenant => 'alt_service',
+ :roles => ['admin', 'service'],
+ :system_scope => 'alt_all',
+ :system_roles => ['admin', 'member', 'reader'],
 :public_url => 'https://10.10.10.10:80',
 :internal_url => 'http://10.10.10.11:81',
 :admin_url => 'http://10.10.10.12:81',
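Review bot: The expectations added in the `@@ -23,6 +23,9 @@` hunk only check that `roles`, `system_scope` and `system_roles` are forwarded to the service-identity resource; nothing asserts the ordering the manifest now builds between the collected `Keystone_user_role` resources and `Anchor['placement::service::end']`, which is exactly the part this change rewrites. If the fixtures expand puppet-keystone's `service_identity`, an expectation such as `is_expected.to contain_keystone_user_role('placement@services').that_comes_before('Anchor[placement::service::end]')` in the default-parameters case would pin it; if they do not, a comment saying the relationship is untested would at least make the gap visible. The `'alt_all'` value for `system_scope` is fine for a pass-through test, though a comment that Keystone itself accepts only `all` would stop it being copied into real data. The `describe` block continues outside the hunk.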
diff --git a/spec/classes/placement_keystone_authtoken_spec.rb b/spec/classes/placement_keystone_authtoken_spec.rb
index c1eddbd..0022301 100644
--- a/spec/classes/placement_keystone_authtoken_spec.rb
+++ b/spec/classes/placement_keystone_authtoken_spec.rb
@@ -18,6 +18,7 @@ describe 'placement::keystone::authtoken' do
 :project_name => 'services',
 :user_domain_name => 'Default',
 :project_domain_name => 'Default',
+ :system_scope => '',
 :insecure => '',
 :auth_section => '',
 :auth_type => 'password',
@@ -62,6 +63,7 @@ describe 'placement::keystone::authtoken' do
 :project_name => 'service_project',
 :user_domain_name => 'domainX',
 :project_domain_name => 'domainX',
+ :system_scope => 'all',
 :insecure => false,
 :auth_section => 'new_section',
 :auth_type => 'password',
@@ -103,6 +105,7 @@ describe 'placement::keystone::authtoken' do
 :project_name => 'service_project',
 :user_domain_name => 'domainX',
 :project_domain_name => 'domainX',
+ :system_scope => 'all',
 :insecure => false,
 :auth_section => 'new_section',
 :auth_type => 'password',
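Review bot: The `@@ -62,6 +63,7 @@` and `@@ -103,6 +105,7 @@` hunks now pass `:system_scope => 'all'` together with `:project_name => 'service_project'` and `:project_domain_name => 'domainX'` and, as far as these hunks show, expect all of them to be forwarded unchanged; a service token request scoped to both a project and the system is rejected by Keystone, so the spec pins a combination that cannot work unless the dependent puppet-keystone change drops the project parameters. I'd either make the system-scope case assert that the project values end up unset, or put a comment above the `:system_scope => 'all',` line such as `# keystone::resource::authtoken is expected to discard project scope when system_scope is set` so the intent is recorded. The `describe` block continues outside the hunk.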