Accept system scope credentials for Keystone API request
This change is the first step to support secure RBAC and allows usage of system scope credentials for Keystone API request. This change covers the following two items. - assignment of system scope roles to system user - credential parameters for authtoken middleware Depends-on: https://review.opendev.org/804325 Change-Id: Id13570b8ad463250c01c7f286af25268fe29878b
This commit is contained in:
Takashi Kajinami
parent
5e00b383f0
commit
646c2e41f7
|
|
@ -23,6 +23,18 @@
|
|||
# (Optional) Tenant for Sahara user.
|
||||
# Defaults to 'services'.
|
||||
#
|
||||
# [*roles*]
|
||||
# (Optional) List of roles assigned to aodh user.
|
||||
# Defaults to ['admin']
|
||||
#
|
||||
# [*system_scope*]
|
||||
# (Optional) Scope for system operations.
|
||||
# Defaults to 'all'
|
||||
#
|
||||
# [*system_roles*]
|
||||
# (Optional) List of system roles assigned to aodh user.
|
||||
# Defaults to []
|
||||
#
|
||||
# [*configure_endpoint*]
|
||||
# (Optional) Should Sahara endpoint be configured?
|
||||
# Defaults to true.
|
||||
|
|
@ -77,6 +89,9 @@ class sahara::keystone::auth(
|
|||
$auth_name = 'sahara',
|
||||
$email = 'sahara@localhost',
|
||||
$tenant = 'services',
|
||||
$roles = ['admin'],
|
||||
$system_scope = 'all',
|
||||
$system_roles = [],
|
||||
$service_type = 'data-processing',
|
||||
$service_description = 'Sahara Data Processing',
|
||||
$configure_endpoint = true,
|
||||
|
|
@ -102,6 +117,9 @@ class sahara::keystone::auth(
|
|||
password => $password,
|
||||
email => $email,
|
||||
tenant => $tenant,
|
||||
roles => $roles,
|
||||
system_scope => $system_scope,
|
||||
system_roles => $system_roles,
|
||||
public_url => $public_url,
|
||||
admin_url => $admin_url,
|
||||
internal_url => $internal_url,
|
||||
|
|
|
|||
|
|
@ -29,6 +29,10 @@
|
|||
# (Optional) Name of domain for $project_name
|
||||
# Defaults to 'Default'
|
||||
#
|
||||
# [*system_scope*]
|
||||
# (Optional) Scope for system operations
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*insecure*]
|
||||
# (Optional) If true, explicitly allow TLS without checking server cert
|
||||
# against any certificate authorities. WARNING: not recommended. Use with
|
||||
|
|
@ -195,6 +199,7 @@ class sahara::keystone::authtoken(
|
|||
$project_name = 'services',
|
||||
$user_domain_name = 'Default',
|
||||
$project_domain_name = 'Default',
|
||||
$system_scope = $::os_service_default,
|
||||
$insecure = $::os_service_default,
|
||||
$auth_section = $::os_service_default,
|
||||
$auth_type = 'password',
|
||||
|
|
@ -240,6 +245,7 @@ class sahara::keystone::authtoken(
|
|||
auth_section => $auth_section,
|
||||
user_domain_name => $user_domain_name,
|
||||
project_domain_name => $project_domain_name,
|
||||
system_scope => $system_scope,
|
||||
insecure => $insecure,
|
||||
cache => $cache,
|
||||
cafile => $cafile,
|
||||
|
|
|
|||
|
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
features:
|
||||
- |
|
||||
The ``system_scope`` parameter has been added to
|
||||
the ``sahara::keystone::authtoken`` class.
|
||||
|
||||
- |
|
||||
The ``sahara::keystone::auth`` class now supports customizing roles assigned
|
||||
to the sahara service user.
|
||||
|
||||
- |
|
||||
The ``sahara::keystone::auth`` class now supports defining assignmet of
|
||||
system-scoped roles to the sahara service user.
|
||||
|
|
@ -23,6 +23,9 @@ describe 'sahara::keystone::auth' do
|
|||
:password => 'sahara_password',
|
||||
:email => 'sahara@localhost',
|
||||
:tenant => 'services',
|
||||
:roles => ['admin'],
|
||||
:system_scope => 'all',
|
||||
:system_roles => [],
|
||||
:public_url => 'http://127.0.0.1:8386',
|
||||
:internal_url => 'http://127.0.0.1:8386',
|
||||
:admin_url => 'http://127.0.0.1:8386',
|
||||
|
|
@ -35,6 +38,9 @@ describe 'sahara::keystone::auth' do
|
|||
:auth_name => 'alt_sahara',
|
||||
:email => 'alt_sahara@alt_localhost',
|
||||
:tenant => 'alt_service',
|
||||
:roles => ['admin', 'service'],
|
||||
:system_scope => 'alt_all',
|
||||
:system_roles => ['admin', 'member', 'reader'],
|
||||
:configure_endpoint => false,
|
||||
:configure_user => false,
|
||||
:configure_user_role => false,
|
||||
|
|
@ -59,6 +65,9 @@ describe 'sahara::keystone::auth' do
|
|||
:password => 'sahara_password',
|
||||
:email => 'alt_sahara@alt_localhost',
|
||||
:tenant => 'alt_service',
|
||||
:roles => ['admin', 'service'],
|
||||
:system_scope => 'alt_all',
|
||||
:system_roles => ['admin', 'member', 'reader'],
|
||||
:public_url => 'https://10.10.10.10:80',
|
||||
:internal_url => 'http://10.10.10.11:81',
|
||||
:admin_url => 'http://10.10.10.12:81',
|
||||
|
|
|
|||
|
|
@ -18,6 +18,7 @@ describe 'sahara::keystone::authtoken' do
|
|||
:project_name => 'services',
|
||||
:user_domain_name => 'Default',
|
||||
:project_domain_name => 'Default',
|
||||
:system_scope => '<SERVICE DEFAULT>',
|
||||
:insecure => '<SERVICE DEFAULT>',
|
||||
:auth_section => '<SERVICE DEFAULT>',
|
||||
:auth_type => 'password',
|
||||
|
|
@ -62,6 +63,7 @@ describe 'sahara::keystone::authtoken' do
|
|||
:project_name => 'service_project',
|
||||
:user_domain_name => 'domainX',
|
||||
:project_domain_name => 'domainX',
|
||||
:system_scope => 'all',
|
||||
:insecure => false,
|
||||
:auth_section => 'new_section',
|
||||
:auth_type => 'password',
|
||||
|
|
@ -103,6 +105,7 @@ describe 'sahara::keystone::authtoken' do
|
|||
:project_name => 'service_project',
|
||||
:user_domain_name => 'domainX',
|
||||
:project_domain_name => 'domainX',
|
||||
:system_scope => 'all',
|
||||
:insecure => false,
|
||||
:auth_section => 'new_section',
|
||||
:auth_type => 'password',
|
||||
|
|
|
|||
Loading…
Reference in New Issue