From 95f516939391a0e0747348cf391c496103c39497 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Tue, 25 Jan 2022 10:43:40 +0900
Subject: [PATCH] Accept system scope credentials for Keystone API request

This change is the first step to support secure RBAC and allows usage of system scope credentials for Keystone API request.

This change covers the following two items.
- assignment of system scope roles to system user
- credential parameters for authtoken middleware

Depends-on: https://review.opendev.org/804325
Change-Id: I6907dd4b41dfe009a69fecd3ee5d8332c4c6a424
---
 manifests/keystone/auth.pp | 18 ++++++++++++++++++
 manifests/keystone/authtoken.pp | 6 ++++++
 ...system_scope-keystone-527142cfc221fa2b.yaml | 13 +++++++++++++
 spec/classes/trove_keystone_auth_spec.rb | 9 +++++++++
 spec/classes/trove_keystone_authtoken_spec.rb | 3 +++
 5 files changed, 49 insertions(+)
 create mode 100644 releasenotes/notes/system_scope-keystone-527142cfc221fa2b.yaml
diff --git a/manifests/keystone/auth.pp b/manifests/keystone/auth.pp
index 4cdedca1..4a7960ab 100644
--- a/manifests/keystone/auth.pp
+++ b/manifests/keystone/auth.pp
@@ -36,6 +36,18 @@
 # (Optional) Tenant for Trove user.
 # Defaults to 'services'.
 #
+# [*roles*]
+# (Optional) List of roles assigned to trove user.
+# Defaults to ['admin']
+#
+# [*system_scope*]
+# (Optional) Scope for system operations.
+# Defaults to 'all'
+#
+# [*system_roles*]
+# (Optional) List of system roles assigned to trove user.
+# Defaults to []
+#
 # [*configure_endpoint*]
 # (Optional) Should Trove endpoint be configured?
 # Defaults to true.
@@ -92,6 +104,9 @@ class trove::keystone::auth (
   $auth_name = 'trove',
   $email = 'trove@localhost',
   $tenant = 'services',
+  $roles = ['admin'],
+  $system_scope = 'all',
+  $system_roles = [],
   $configure_user = true,
   $configure_user_role = true,
   $configure_endpoint = true,
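Review bot: The new `[*system_scope*]` doc entry in the `@@ -36` hunk does not say how it interacts with `system_roles`, and with `$system_roles = []` as the default (hunk `@@ -92`) a reader cannot tell from this file whether a bare `system_scope` has any effect; presumably the underlying keystone resource from the Depends-on change only applies the scope when `system_roles` is non-empty, so the doc should say so. Keystone itself currently recognises only `all` as a system scope, which is also worth stating next to the default. Suggested wording: `#   (Optional) Scope for system operations. Only used when system_roles is not empty; keystone currently accepts only 'all'.` and for system_roles: `#   (Optional) List of system-scoped roles assigned to the trove user; [] leaves the user with project-scoped roles only.`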
@@ -123,6 +138,9 @@ class trove::keystone::auth (
     password => $password,
     email => $email,
     tenant => $tenant,
+    roles => $roles,
+    system_scope => $system_scope,
+    system_roles => $system_roles,
     public_url => $public_url,
     internal_url => $internal_url,
     admin_url => $admin_url,
diff --git a/manifests/keystone/authtoken.pp b/manifests/keystone/authtoken.pp
index aaea1b3b..1eef5f53 100644
--- a/manifests/keystone/authtoken.pp
+++ b/manifests/keystone/authtoken.pp
@@ -28,6 +28,10 @@
 # (Optional) Name of domain for $project_name
 # Defaults to 'Default'
 #
+# [*system_scope*]
+# (Optional) Scope for system operations
+# Defaults to $::os_service_default
+#
 # [*insecure*]
 # (Optional) If true, explicitly allow TLS without checking server cert
 # against any certificate authorities. WARNING: not recommended. Use with
@@ -199,6 +203,7 @@ class trove::keystone::authtoken(
   $project_name = 'services',
   $user_domain_name = 'Default',
   $project_domain_name = 'Default',
+  $system_scope = $::os_service_default,
   $insecure = $::os_service_default,
   $auth_section = $::os_service_default,
   $auth_type = 'password',
@@ -241,6 +246,7 @@ class trove::keystone::authtoken(
     username => $username,
     password => $password,
     project_name => $project_name,
+    system_scope => $system_scope,
     auth_url => $auth_url,
     www_authenticate_uri => $www_authenticate_uri,
     auth_version => $auth_version,
diff --git a/releasenotes/notes/system_scope-keystone-527142cfc221fa2b.yaml b/releasenotes/notes/system_scope-keystone-527142cfc221fa2b.yaml
new file mode 100644
index 00000000..297a9ab3
--- /dev/null
+++ b/releasenotes/notes/system_scope-keystone-527142cfc221fa2b.yaml
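Review bot: In the `@@ -241` hunk of authtoken.pp, `project_name => $project_name` (default `'services'` in the `@@ -199` hunk) is still passed unconditionally next to the new `system_scope`, so a deployment that sets `system_scope => 'all'` hands keystonemiddleware credentials scoped to both a project and the system; as far as I recall keystoneauth's v3 password plugin rejects a credential that names more than one scope target, so the middleware could then fail to obtain its service token rather than quietly picking one scope. The class should blank the project scope whenever a system scope is set, and the same treatment presumably applies to `project_domain_name`, which is passed outside this hunk. The enclosing resource declaration starts outside the hunk; the `[*system_scope*]` doc in the `@@ -28` hunk should also state that setting it replaces the project scope. A sketch of the change:

```puppet
  if is_service_default($system_scope) {
    $project_name_real = $project_name
  } else {
    # A system-scoped credential must not also carry a project scope.
    $project_name_real = $::os_service_default
  }

  # … unchanged: resource declaration head, username/password …
    project_name => $project_name_real,
    system_scope => $system_scope,
  # … unchanged: auth_url, www_authenticate_uri, auth_version …
```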
@@ -0,0 +1,13 @@
+---
+features:
+  - |
+    The ``system_scope`` parameter has been added to
+    the ``trove::keystone::authtoken`` class.
+
+  - |
+    The ``trove::keystone::auth`` class now supports customizing roles assigned
+    to the trove service user.
+
+  - |
+    The ``trove::keystone::auth`` class now supports defining assignmet of
+    system-scoped roles to the trove service user.
diff --git a/spec/classes/trove_keystone_auth_spec.rb b/spec/classes/trove_keystone_auth_spec.rb
index d47df92c..94bddc61 100644
--- a/spec/classes/trove_keystone_auth_spec.rb
+++ b/spec/classes/trove_keystone_auth_spec.rb
@@ -23,6 +23,9 @@ describe 'trove::keystone::auth' do
     :password => 'trove_password',
     :email => 'trove@localhost',
     :tenant => 'services',
+    :roles => ['admin'],
+    :system_scope => 'all',
+    :system_roles => [],
     :public_url => 'http://127.0.0.1:8779/v1.0/%(tenant_id)s',
     :internal_url => 'http://127.0.0.1:8779/v1.0/%(tenant_id)s',
     :admin_url => 'http://127.0.0.1:8779/v1.0/%(tenant_id)s',
@@ -35,6 +38,9 @@ describe 'trove::keystone::auth' do
     :auth_name => 'alt_trove',
     :email => 'alt_trove@alt_localhost',
     :tenant => 'alt_service',
+    :roles => ['admin', 'service'],
+    :system_scope => 'alt_all',
+    :system_roles => ['admin', 'member', 'reader'],
     :configure_endpoint => false,
     :configure_user => false,
     :configure_user_role => false,
@@ -59,6 +65,9 @@ describe 'trove::keystone::auth' do
     :password => 'trove_password',
     :email => 'alt_trove@alt_localhost',
     :tenant => 'alt_service',
+    :roles => ['admin', 'service'],
+    :system_scope => 'alt_all',
+    :system_roles => ['admin', 'member', 'reader'],
     :public_url => 'https://10.10.10.10:80',
     :internal_url => 'http://10.10.10.11:81',
     :admin_url => 'http://10.10.10.12:81',
diff --git a/spec/classes/trove_keystone_authtoken_spec.rb b/spec/classes/trove_keystone_authtoken_spec.rb
index 2e8a4dc9..ab013170 100644
--- a/spec/classes/trove_keystone_authtoken_spec.rb
+++ b/spec/classes/trove_keystone_authtoken_spec.rb
@@ -18,6 +18,7 @@ describe 'trove::keystone::authtoken' do
     :project_name => 'services',
     :user_domain_name => 'Default',
     :project_domain_name => 'Default',
+    :system_scope => '',
     :insecure => '',
     :auth_section => '',
     :auth_type => 'password',
@@ -62,6 +63,7 @@ describe 'trove::keystone::authtoken' do
     :project_name => 'service_project',
     :user_domain_name => 'domainX',
     :project_domain_name => 'domainX',
+    :system_scope => 'all',
     :insecure => false,
     :auth_section => 'new_section',
     :auth_type => 'password',
@@ -103,6 +105,7 @@ describe 'trove::keystone::authtoken' do
     :project_name => 'service_project',
     :user_domain_name => 'domainX',
     :project_domain_name => 'domainX',
+    :system_scope => 'all',
     :insecure => false,
     :auth_section => 'new_section',
     :auth_type => 'password',