Globally support system scope credentials

After spending huge effort to understand the exact requirements to
enforce SRBAC, we learned it's very difficult to find the required
scope in each credential. This requires understanding implementation of
client-side as well as server-side, and requirement might be different
according to the deployment architecture or features used.

Instead of implementing support based on the actual implementation,
this introduces support for system scope credentials to all places
where keystone user credential is defined, and make all credential
configurations consistent.

Change-Id: I5cad33c4caf1e3b3408dba5328c8b2f67a85b555
This commit is contained in:
Takashi Kajinami 2022-03-04 08:33:27 +09:00
parent 967522885a
commit f35dc66ff3
5 changed files with 98 additions and 26 deletions

View File

@ -29,6 +29,10 @@
# (optional) the keystone user domain name for trove services # (optional) the keystone user domain name for trove services
# Defaults to 'Default' # Defaults to 'Default'
# #
# [*system_scope*]
# (optional) Scope for system operations.
# Defaults to $::os_service_default
#
class trove::api::service_credentials ( class trove::api::service_credentials (
$password, $password,
$auth_url = 'http://127.0.0.1:5000', $auth_url = 'http://127.0.0.1:5000',
@ -37,16 +41,26 @@ class trove::api::service_credentials (
$project_name = 'services', $project_name = 'services',
$project_domain_name = 'Default', $project_domain_name = 'Default',
$user_domain_name = 'Default', $user_domain_name = 'Default',
$system_scope = $::os_service_default,
) { ) {
include trove::deps include trove::deps
if is_service_default($system_scope) {
$project_name_real = $project_name
$project_domain_name_real = $project_domain_name
} else {
$project_name_real = $::os_service_default
$project_domain_name_real = $::os_service_default
}
trove_config { trove_config {
'service_credentials/auth_url': value => $auth_url; 'service_credentials/auth_url': value => $auth_url;
'service_credentials/username': value => $username; 'service_credentials/username': value => $username;
'service_credentials/password': value => $password, secret => true; 'service_credentials/password': value => $password, secret => true;
'service_credentials/project_name': value => $project_name; 'service_credentials/project_name': value => $project_name_real;
'service_credentials/project_domain_name': value => $project_domain_name; 'service_credentials/project_domain_name': value => $project_domain_name_real;
'service_credentials/system_scope': value => $system_scope;
'service_credentials/user_domain_name': value => $user_domain_name; 'service_credentials/user_domain_name': value => $user_domain_name;
'service_credentials/region_name': value => $region_name; 'service_credentials/region_name': value => $region_name;
} }

View File

@ -29,6 +29,10 @@
# (optional) the keystone user domain name for trove services # (optional) the keystone user domain name for trove services
# Defaults to 'Default' # Defaults to 'Default'
# #
# [*system_scope*]
# (optional) Scope for system operations.
# Defaults to $::os_service_default
#
class trove::guestagent::service_credentials ( class trove::guestagent::service_credentials (
$password, $password,
$auth_url = 'http://127.0.0.1:5000', $auth_url = 'http://127.0.0.1:5000',
@ -37,17 +41,27 @@ class trove::guestagent::service_credentials (
$project_name = 'services', $project_name = 'services',
$project_domain_name = 'Default', $project_domain_name = 'Default',
$user_domain_name = 'Default', $user_domain_name = 'Default',
$system_scope = $::os_service_default,
) { ) {
include trove::deps include trove::deps
if is_service_default($system_scope) {
$project_name_real = $project_name
$project_domain_name_real = $project_domain_name
} else {
$project_name_real = $::os_service_default
$project_domain_name_real = $::os_service_default
}
trove_guestagent_config { trove_guestagent_config {
'service_credentials/auth_url': value => $auth_url; 'service_credentials/auth_url': value => $auth_url;
'service_credentials/username': value => $username; 'service_credentials/username': value => $username;
'service_credentials/password': value => $password, secret => true; 'service_credentials/password': value => $password, secret => true;
'service_credentials/project_name': value => $project_name; 'service_credentials/project_name': value => $project_name_real;
'service_credentials/project_domain_name': value => $project_domain_name; 'service_credentials/project_domain_name': value => $project_domain_name_real;
'service_credentials/user_domain_name': value => $user_domain_name; 'service_credentials/user_domain_name': value => $user_domain_name;
'service_credentials/system_scope': value => $system_scope;
'service_credentials/region_name': value => $region_name; 'service_credentials/region_name': value => $region_name;
} }

View File

@ -0,0 +1,7 @@
---
features:
- |
The new ``system_scope`` parameter has been added to the following classes.
- ``trove::api::service_credentials``
- ``trove::guestagent::service_credentials``

View File

@ -19,45 +19,58 @@ describe 'trove::api::service_credentials' do
shared_examples 'trove::api::service_credentials' do shared_examples 'trove::api::service_credentials' do
context 'with default parameters' do let :params do
let :params do {
{ :password => 'verysecrete'
:auth_url => 'http://127.0.0.1:5000/v3', }
:password => 'verysecrete' end
}
end
context 'with default parameters' do
it 'configures service credentials with default parameters' do it 'configures service credentials with default parameters' do
is_expected.to contain_trove_config('service_credentials/auth_url').with_value('http://127.0.0.1:5000/v3') is_expected.to contain_trove_config('service_credentials/auth_url').with_value('http://127.0.0.1:5000')
is_expected.to contain_trove_config('service_credentials/username').with_value('trove') is_expected.to contain_trove_config('service_credentials/username').with_value('trove')
is_expected.to contain_trove_config('service_credentials/password').with_value('verysecrete').with_secret(true) is_expected.to contain_trove_config('service_credentials/password').with_value('verysecrete').with_secret(true)
is_expected.to contain_trove_config('service_credentials/project_name').with_value('services') is_expected.to contain_trove_config('service_credentials/project_name').with_value('services')
is_expected.to contain_trove_config('service_credentials/region_name').with_value('RegionOne') is_expected.to contain_trove_config('service_credentials/region_name').with_value('RegionOne')
is_expected.to contain_trove_config('service_credentials/user_domain_name').with_value('Default') is_expected.to contain_trove_config('service_credentials/user_domain_name').with_value('Default')
is_expected.to contain_trove_config('service_credentials/project_domain_name').with_value('Default') is_expected.to contain_trove_config('service_credentials/project_domain_name').with_value('Default')
is_expected.to contain_trove_config('service_credentials/system_scope').with_value('<SERVICE DEFAULT>')
end end
end end
context 'when overriding defaults' do context 'when overriding defaults' do
let :params do before do
{ params.merge!({
:auth_url => 'http://127.0.0.1:5000/v3', :auth_url => 'http://localhost:5000',
:password => 'verysecrete',
:username => 'trove2', :username => 'trove2',
:project_name => 'services2', :project_name => 'services2',
:region_name => 'RegionTwo', :region_name => 'RegionTwo',
:user_domain_name => 'MyDomain', :user_domain_name => 'MyDomain',
:project_domain_name => 'MyDomain', :project_domain_name => 'MyDomain',
} })
end end
it 'configures service credentials with default parameters' do it 'configures service credentials with default parameters' do
is_expected.to contain_trove_config('service_credentials/auth_url').with_value('http://127.0.0.1:5000/v3') is_expected.to contain_trove_config('service_credentials/auth_url').with_value('http://localhost:5000')
is_expected.to contain_trove_config('service_credentials/username').with_value('trove2') is_expected.to contain_trove_config('service_credentials/username').with_value('trove2')
is_expected.to contain_trove_config('service_credentials/project_name').with_value('services2') is_expected.to contain_trove_config('service_credentials/project_name').with_value('services2')
is_expected.to contain_trove_config('service_credentials/region_name').with_value('RegionTwo') is_expected.to contain_trove_config('service_credentials/region_name').with_value('RegionTwo')
is_expected.to contain_trove_config('service_credentials/user_domain_name').with_value('MyDomain') is_expected.to contain_trove_config('service_credentials/user_domain_name').with_value('MyDomain')
is_expected.to contain_trove_config('service_credentials/project_domain_name').with_value('MyDomain') is_expected.to contain_trove_config('service_credentials/project_domain_name').with_value('MyDomain')
is_expected.to contain_trove_config('service_credentials/system_scope').with_value('<SERVICE DEFAULT>')
end
end
context 'when system_scope is set' do
before do
params.merge!(
:system_scope => 'all'
)
end
it 'configures system-scoped credential' do
is_expected.to contain_trove_config('service_credentials/project_domain_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_trove_config('service_credentials/project_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_trove_config('service_credentials/system_scope').with_value('all')
end end
end end
end end
@ -65,6 +78,10 @@ describe 'trove::api::service_credentials' do
on_supported_os({ on_supported_os({
:supported_os => OSDefaults.get_supported_os :supported_os => OSDefaults.get_supported_os
}).each do |os,facts| }).each do |os,facts|
let (:facts) do
facts.merge!(OSDefaults.get_facts())
end
context "on #{os}" do context "on #{os}" do
it_configures 'trove::api::service_credentials' it_configures 'trove::api::service_credentials'
end end

View File

@ -19,11 +19,13 @@ describe 'trove::guestagent::service_credentials' do
shared_examples 'trove::guestagent::service_credentials' do shared_examples 'trove::guestagent::service_credentials' do
context 'with default parameters' do let :params do
let :params do {
{ :password => 'verysecrete' } :password => 'verysecrete'
end }
end
context 'with default parameters' do
it 'configures service credentials with default parameters' do it 'configures service credentials with default parameters' do
is_expected.to contain_trove_guestagent_config('service_credentials/auth_url').with_value('http://127.0.0.1:5000') is_expected.to contain_trove_guestagent_config('service_credentials/auth_url').with_value('http://127.0.0.1:5000')
is_expected.to contain_trove_guestagent_config('service_credentials/username').with_value('trove') is_expected.to contain_trove_guestagent_config('service_credentials/username').with_value('trove')
@ -32,20 +34,20 @@ describe 'trove::guestagent::service_credentials' do
is_expected.to contain_trove_guestagent_config('service_credentials/region_name').with_value('RegionOne') is_expected.to contain_trove_guestagent_config('service_credentials/region_name').with_value('RegionOne')
is_expected.to contain_trove_guestagent_config('service_credentials/user_domain_name').with_value('Default') is_expected.to contain_trove_guestagent_config('service_credentials/user_domain_name').with_value('Default')
is_expected.to contain_trove_guestagent_config('service_credentials/project_domain_name').with_value('Default') is_expected.to contain_trove_guestagent_config('service_credentials/project_domain_name').with_value('Default')
is_expected.to contain_trove_guestagent_config('service_credentials/system_scope').with_value('<SERVICE DEFAULT>')
end end
end end
context 'when overriding defaults' do context 'when overriding defaults' do
let :params do before do
{ params.merge!({
:auth_url => 'http://localhost:5000', :auth_url => 'http://localhost:5000',
:password => 'verysecrete',
:username => 'trove2', :username => 'trove2',
:project_name => 'services2', :project_name => 'services2',
:region_name => 'RegionTwo', :region_name => 'RegionTwo',
:user_domain_name => 'MyDomain', :user_domain_name => 'MyDomain',
:project_domain_name => 'MyDomain', :project_domain_name => 'MyDomain',
} })
end end
it 'configures service credentials with default parameters' do it 'configures service credentials with default parameters' do
@ -55,6 +57,20 @@ describe 'trove::guestagent::service_credentials' do
is_expected.to contain_trove_guestagent_config('service_credentials/region_name').with_value('RegionTwo') is_expected.to contain_trove_guestagent_config('service_credentials/region_name').with_value('RegionTwo')
is_expected.to contain_trove_guestagent_config('service_credentials/user_domain_name').with_value('MyDomain') is_expected.to contain_trove_guestagent_config('service_credentials/user_domain_name').with_value('MyDomain')
is_expected.to contain_trove_guestagent_config('service_credentials/project_domain_name').with_value('MyDomain') is_expected.to contain_trove_guestagent_config('service_credentials/project_domain_name').with_value('MyDomain')
is_expected.to contain_trove_guestagent_config('service_credentials/system_scope').with_value('<SERVICE DEFAULT>')
end
end
context 'when system_scope is set' do
before do
params.merge!(
:system_scope => 'all'
)
end
it 'configures system-scoped credential' do
is_expected.to contain_trove_guestagent_config('service_credentials/project_domain_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_trove_guestagent_config('service_credentials/project_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_trove_guestagent_config('service_credentials/system_scope').with_value('all')
end end
end end
end end
@ -62,6 +78,10 @@ describe 'trove::guestagent::service_credentials' do
on_supported_os({ on_supported_os({
:supported_os => OSDefaults.get_supported_os :supported_os => OSDefaults.get_supported_os
}).each do |os,facts| }).each do |os,facts|
let (:facts) do
facts.merge!(OSDefaults.get_facts())
end
context "on #{os}" do context "on #{os}" do
it_configures 'trove::guestagent::service_credentials' it_configures 'trove::guestagent::service_credentials'
end end