Globally support system scope credentials
After spending a huge effort to understand the exact requirements to enforce SRBAC, we learned that it is very difficult to determine the required scope for each credential. This requires understanding the implementation on both the client side and the server side, and the requirement might differ according to the deployment architecture or the features used. Instead of implementing support based on the actual implementation, this change introduces support for system scope credentials in all places where a keystone user credential is defined, and makes all credential configurations consistent. Change-Id: I5cad33c4caf1e3b3408dba5328c8b2f67a85b555
This commit is contained in:
parent
967522885a
commit
f35dc66ff3
@ -29,6 +29,10 @@
|
|||||||
# (optional) the keystone user domain name for trove services
|
# (optional) the keystone user domain name for trove services
|
||||||
# Defaults to 'Default'
|
# Defaults to 'Default'
|
||||||
#
|
#
|
||||||
|
# [*system_scope*]
|
||||||
|
# (optional) Scope for system operations.
|
||||||
|
# Defaults to $::os_service_default
|
||||||
|
#
|
||||||
class trove::api::service_credentials (
|
class trove::api::service_credentials (
|
||||||
$password,
|
$password,
|
||||||
$auth_url = 'http://127.0.0.1:5000',
|
$auth_url = 'http://127.0.0.1:5000',
|
||||||
@ -37,16 +41,26 @@ class trove::api::service_credentials (
|
|||||||
$project_name = 'services',
|
$project_name = 'services',
|
||||||
$project_domain_name = 'Default',
|
$project_domain_name = 'Default',
|
||||||
$user_domain_name = 'Default',
|
$user_domain_name = 'Default',
|
||||||
|
$system_scope = $::os_service_default,
|
||||||
) {
|
) {
|
||||||
|
|
||||||
include trove::deps
|
include trove::deps
|
||||||
|
|
||||||
|
if is_service_default($system_scope) {
|
||||||
|
$project_name_real = $project_name
|
||||||
|
$project_domain_name_real = $project_domain_name
|
||||||
|
} else {
|
||||||
|
$project_name_real = $::os_service_default
|
||||||
|
$project_domain_name_real = $::os_service_default
|
||||||
|
}
|
||||||
|
|
||||||
trove_config {
|
trove_config {
|
||||||
'service_credentials/auth_url': value => $auth_url;
|
'service_credentials/auth_url': value => $auth_url;
|
||||||
'service_credentials/username': value => $username;
|
'service_credentials/username': value => $username;
|
||||||
'service_credentials/password': value => $password, secret => true;
|
'service_credentials/password': value => $password, secret => true;
|
||||||
'service_credentials/project_name': value => $project_name;
|
'service_credentials/project_name': value => $project_name_real;
|
||||||
'service_credentials/project_domain_name': value => $project_domain_name;
|
'service_credentials/project_domain_name': value => $project_domain_name_real;
|
||||||
|
'service_credentials/system_scope': value => $system_scope;
|
||||||
'service_credentials/user_domain_name': value => $user_domain_name;
|
'service_credentials/user_domain_name': value => $user_domain_name;
|
||||||
'service_credentials/region_name': value => $region_name;
|
'service_credentials/region_name': value => $region_name;
|
||||||
}
|
}
|
||||||
|
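Review bot: The new `# [*system_scope*]` parameter comment does not say that setting it overrides `project_name` and `project_domain_name`, which the new `if is_service_default($system_scope)` branch forces to `$::os_service_default` so the credential becomes system-scoped instead of project-scoped. A user who sets both will silently lose the project values, so the comment should state it, e.g. `# (optional) Scope for system operations. When set, project_name and project_domain_name are ignored and the credential is system-scoped.` The same applies to the `trove::guestagent::service_credentials` section below. The class body and its closing brace continue past the hunk.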
@ -29,6 +29,10 @@
|
|||||||
# (optional) the keystone user domain name for trove services
|
# (optional) the keystone user domain name for trove services
|
||||||
# Defaults to 'Default'
|
# Defaults to 'Default'
|
||||||
#
|
#
|
||||||
|
# [*system_scope*]
|
||||||
|
# (optional) Scope for system operations.
|
||||||
|
# Defaults to $::os_service_default
|
||||||
|
#
|
||||||
class trove::guestagent::service_credentials (
|
class trove::guestagent::service_credentials (
|
||||||
$password,
|
$password,
|
||||||
$auth_url = 'http://127.0.0.1:5000',
|
$auth_url = 'http://127.0.0.1:5000',
|
||||||
@ -37,17 +41,27 @@ class trove::guestagent::service_credentials (
|
|||||||
$project_name = 'services',
|
$project_name = 'services',
|
||||||
$project_domain_name = 'Default',
|
$project_domain_name = 'Default',
|
||||||
$user_domain_name = 'Default',
|
$user_domain_name = 'Default',
|
||||||
|
$system_scope = $::os_service_default,
|
||||||
) {
|
) {
|
||||||
|
|
||||||
include trove::deps
|
include trove::deps
|
||||||
|
|
||||||
|
if is_service_default($system_scope) {
|
||||||
|
$project_name_real = $project_name
|
||||||
|
$project_domain_name_real = $project_domain_name
|
||||||
|
} else {
|
||||||
|
$project_name_real = $::os_service_default
|
||||||
|
$project_domain_name_real = $::os_service_default
|
||||||
|
}
|
||||||
|
|
||||||
trove_guestagent_config {
|
trove_guestagent_config {
|
||||||
'service_credentials/auth_url': value => $auth_url;
|
'service_credentials/auth_url': value => $auth_url;
|
||||||
'service_credentials/username': value => $username;
|
'service_credentials/username': value => $username;
|
||||||
'service_credentials/password': value => $password, secret => true;
|
'service_credentials/password': value => $password, secret => true;
|
||||||
'service_credentials/project_name': value => $project_name;
|
'service_credentials/project_name': value => $project_name_real;
|
||||||
'service_credentials/project_domain_name': value => $project_domain_name;
|
'service_credentials/project_domain_name': value => $project_domain_name_real;
|
||||||
'service_credentials/user_domain_name': value => $user_domain_name;
|
'service_credentials/user_domain_name': value => $user_domain_name;
|
||||||
|
'service_credentials/system_scope': value => $system_scope;
|
||||||
'service_credentials/region_name': value => $region_name;
|
'service_credentials/region_name': value => $region_name;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
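Review bot: The new `'service_credentials/system_scope': value => $system_scope;` entry is placed after `user_domain_name` here, whereas in `trove::api::service_credentials` it is placed between `project_domain_name` and `user_domain_name`, although both classes declare their parameters in the same order. Since the commit's stated goal is to make the credential configurations consistent, keeping the same key order in both resource blocks (system_scope right after `project_domain_name`) would make the two files diff cleanly against each other. The class body and its closing brace continue past the hunk.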
@ -0,0 +1,7 @@
|
|||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
The new ``system_scope`` parameter has been added to the following classes.
|
||||||
|
|
||||||
|
- ``trove::api::service_credentials``
|
||||||
|
- ``trove::guestagent::service_credentials``
|
@ -19,45 +19,58 @@ describe 'trove::api::service_credentials' do
|
|||||||
|
|
||||||
shared_examples 'trove::api::service_credentials' do
|
shared_examples 'trove::api::service_credentials' do
|
||||||
|
|
||||||
context 'with default parameters' do
|
let :params do
|
||||||
let :params do
|
{
|
||||||
{
|
:password => 'verysecrete'
|
||||||
:auth_url => 'http://127.0.0.1:5000/v3',
|
}
|
||||||
:password => 'verysecrete'
|
end
|
||||||
}
|
|
||||||
end
|
|
||||||
|
|
||||||
|
context 'with default parameters' do
|
||||||
it 'configures service credentials with default parameters' do
|
it 'configures service credentials with default parameters' do
|
||||||
is_expected.to contain_trove_config('service_credentials/auth_url').with_value('http://127.0.0.1:5000/v3')
|
is_expected.to contain_trove_config('service_credentials/auth_url').with_value('http://127.0.0.1:5000')
|
||||||
is_expected.to contain_trove_config('service_credentials/username').with_value('trove')
|
is_expected.to contain_trove_config('service_credentials/username').with_value('trove')
|
||||||
is_expected.to contain_trove_config('service_credentials/password').with_value('verysecrete').with_secret(true)
|
is_expected.to contain_trove_config('service_credentials/password').with_value('verysecrete').with_secret(true)
|
||||||
is_expected.to contain_trove_config('service_credentials/project_name').with_value('services')
|
is_expected.to contain_trove_config('service_credentials/project_name').with_value('services')
|
||||||
is_expected.to contain_trove_config('service_credentials/region_name').with_value('RegionOne')
|
is_expected.to contain_trove_config('service_credentials/region_name').with_value('RegionOne')
|
||||||
is_expected.to contain_trove_config('service_credentials/user_domain_name').with_value('Default')
|
is_expected.to contain_trove_config('service_credentials/user_domain_name').with_value('Default')
|
||||||
is_expected.to contain_trove_config('service_credentials/project_domain_name').with_value('Default')
|
is_expected.to contain_trove_config('service_credentials/project_domain_name').with_value('Default')
|
||||||
|
is_expected.to contain_trove_config('service_credentials/system_scope').with_value('<SERVICE DEFAULT>')
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'when overriding defaults' do
|
context 'when overriding defaults' do
|
||||||
let :params do
|
before do
|
||||||
{
|
params.merge!({
|
||||||
:auth_url => 'http://127.0.0.1:5000/v3',
|
:auth_url => 'http://localhost:5000',
|
||||||
:password => 'verysecrete',
|
|
||||||
:username => 'trove2',
|
:username => 'trove2',
|
||||||
:project_name => 'services2',
|
:project_name => 'services2',
|
||||||
:region_name => 'RegionTwo',
|
:region_name => 'RegionTwo',
|
||||||
:user_domain_name => 'MyDomain',
|
:user_domain_name => 'MyDomain',
|
||||||
:project_domain_name => 'MyDomain',
|
:project_domain_name => 'MyDomain',
|
||||||
}
|
})
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'configures service credentials with default parameters' do
|
it 'configures service credentials with default parameters' do
|
||||||
is_expected.to contain_trove_config('service_credentials/auth_url').with_value('http://127.0.0.1:5000/v3')
|
is_expected.to contain_trove_config('service_credentials/auth_url').with_value('http://localhost:5000')
|
||||||
is_expected.to contain_trove_config('service_credentials/username').with_value('trove2')
|
is_expected.to contain_trove_config('service_credentials/username').with_value('trove2')
|
||||||
is_expected.to contain_trove_config('service_credentials/project_name').with_value('services2')
|
is_expected.to contain_trove_config('service_credentials/project_name').with_value('services2')
|
||||||
is_expected.to contain_trove_config('service_credentials/region_name').with_value('RegionTwo')
|
is_expected.to contain_trove_config('service_credentials/region_name').with_value('RegionTwo')
|
||||||
is_expected.to contain_trove_config('service_credentials/user_domain_name').with_value('MyDomain')
|
is_expected.to contain_trove_config('service_credentials/user_domain_name').with_value('MyDomain')
|
||||||
is_expected.to contain_trove_config('service_credentials/project_domain_name').with_value('MyDomain')
|
is_expected.to contain_trove_config('service_credentials/project_domain_name').with_value('MyDomain')
|
||||||
|
is_expected.to contain_trove_config('service_credentials/system_scope').with_value('<SERVICE DEFAULT>')
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when system_scope is set' do
|
||||||
|
before do
|
||||||
|
params.merge!(
|
||||||
|
:system_scope => 'all'
|
||||||
|
)
|
||||||
|
end
|
||||||
|
it 'configures system-scoped credential' do
|
||||||
|
is_expected.to contain_trove_config('service_credentials/project_domain_name').with_value('<SERVICE DEFAULT>')
|
||||||
|
is_expected.to contain_trove_config('service_credentials/project_name').with_value('<SERVICE DEFAULT>')
|
||||||
|
is_expected.to contain_trove_config('service_credentials/system_scope').with_value('all')
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
@ -65,6 +78,10 @@ describe 'trove::api::service_credentials' do
|
|||||||
on_supported_os({
|
on_supported_os({
|
||||||
:supported_os => OSDefaults.get_supported_os
|
:supported_os => OSDefaults.get_supported_os
|
||||||
}).each do |os,facts|
|
}).each do |os,facts|
|
||||||
|
let (:facts) do
|
||||||
|
facts.merge!(OSDefaults.get_facts())
|
||||||
|
end
|
||||||
|
|
||||||
context "on #{os}" do
|
context "on #{os}" do
|
||||||
it_configures 'trove::api::service_credentials'
|
it_configures 'trove::api::service_credentials'
|
||||||
end
|
end
|
||||||
|
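Review bot: The new `context 'when system_scope is set'` only exercises the precedence logic with the default project values, so its `<SERVICE DEFAULT>` assertions cannot distinguish "project_name was ignored because system_scope is set" from "project_name was never given". Merge explicit project values into that context's `before`, e.g. `:project_name => 'services2', :project_domain_name => 'MyDomain',` alongside `:system_scope => 'all'`, so the assertions prove the override. It would also be worth asserting that `user_domain_name` and `username` are still emitted in the system-scoped case, since the manifest leaves those untouched. The same applies to the `trove::guestagent::service_credentials` spec below.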
@ -19,11 +19,13 @@ describe 'trove::guestagent::service_credentials' do
|
|||||||
|
|
||||||
shared_examples 'trove::guestagent::service_credentials' do
|
shared_examples 'trove::guestagent::service_credentials' do
|
||||||
|
|
||||||
context 'with default parameters' do
|
let :params do
|
||||||
let :params do
|
{
|
||||||
{ :password => 'verysecrete' }
|
:password => 'verysecrete'
|
||||||
end
|
}
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'with default parameters' do
|
||||||
it 'configures service credentials with default parameters' do
|
it 'configures service credentials with default parameters' do
|
||||||
is_expected.to contain_trove_guestagent_config('service_credentials/auth_url').with_value('http://127.0.0.1:5000')
|
is_expected.to contain_trove_guestagent_config('service_credentials/auth_url').with_value('http://127.0.0.1:5000')
|
||||||
is_expected.to contain_trove_guestagent_config('service_credentials/username').with_value('trove')
|
is_expected.to contain_trove_guestagent_config('service_credentials/username').with_value('trove')
|
||||||
@ -32,20 +34,20 @@ describe 'trove::guestagent::service_credentials' do
|
|||||||
is_expected.to contain_trove_guestagent_config('service_credentials/region_name').with_value('RegionOne')
|
is_expected.to contain_trove_guestagent_config('service_credentials/region_name').with_value('RegionOne')
|
||||||
is_expected.to contain_trove_guestagent_config('service_credentials/user_domain_name').with_value('Default')
|
is_expected.to contain_trove_guestagent_config('service_credentials/user_domain_name').with_value('Default')
|
||||||
is_expected.to contain_trove_guestagent_config('service_credentials/project_domain_name').with_value('Default')
|
is_expected.to contain_trove_guestagent_config('service_credentials/project_domain_name').with_value('Default')
|
||||||
|
is_expected.to contain_trove_guestagent_config('service_credentials/system_scope').with_value('<SERVICE DEFAULT>')
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'when overriding defaults' do
|
context 'when overriding defaults' do
|
||||||
let :params do
|
before do
|
||||||
{
|
params.merge!({
|
||||||
:auth_url => 'http://localhost:5000',
|
:auth_url => 'http://localhost:5000',
|
||||||
:password => 'verysecrete',
|
|
||||||
:username => 'trove2',
|
:username => 'trove2',
|
||||||
:project_name => 'services2',
|
:project_name => 'services2',
|
||||||
:region_name => 'RegionTwo',
|
:region_name => 'RegionTwo',
|
||||||
:user_domain_name => 'MyDomain',
|
:user_domain_name => 'MyDomain',
|
||||||
:project_domain_name => 'MyDomain',
|
:project_domain_name => 'MyDomain',
|
||||||
}
|
})
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'configures service credentials with default parameters' do
|
it 'configures service credentials with default parameters' do
|
||||||
@ -55,6 +57,20 @@ describe 'trove::guestagent::service_credentials' do
|
|||||||
is_expected.to contain_trove_guestagent_config('service_credentials/region_name').with_value('RegionTwo')
|
is_expected.to contain_trove_guestagent_config('service_credentials/region_name').with_value('RegionTwo')
|
||||||
is_expected.to contain_trove_guestagent_config('service_credentials/user_domain_name').with_value('MyDomain')
|
is_expected.to contain_trove_guestagent_config('service_credentials/user_domain_name').with_value('MyDomain')
|
||||||
is_expected.to contain_trove_guestagent_config('service_credentials/project_domain_name').with_value('MyDomain')
|
is_expected.to contain_trove_guestagent_config('service_credentials/project_domain_name').with_value('MyDomain')
|
||||||
|
is_expected.to contain_trove_guestagent_config('service_credentials/system_scope').with_value('<SERVICE DEFAULT>')
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when system_scope is set' do
|
||||||
|
before do
|
||||||
|
params.merge!(
|
||||||
|
:system_scope => 'all'
|
||||||
|
)
|
||||||
|
end
|
||||||
|
it 'configures system-scoped credential' do
|
||||||
|
is_expected.to contain_trove_guestagent_config('service_credentials/project_domain_name').with_value('<SERVICE DEFAULT>')
|
||||||
|
is_expected.to contain_trove_guestagent_config('service_credentials/project_name').with_value('<SERVICE DEFAULT>')
|
||||||
|
is_expected.to contain_trove_guestagent_config('service_credentials/system_scope').with_value('all')
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
@ -62,6 +78,10 @@ describe 'trove::guestagent::service_credentials' do
|
|||||||
on_supported_os({
|
on_supported_os({
|
||||||
:supported_os => OSDefaults.get_supported_os
|
:supported_os => OSDefaults.get_supported_os
|
||||||
}).each do |os,facts|
|
}).each do |os,facts|
|
||||||
|
let (:facts) do
|
||||||
|
facts.merge!(OSDefaults.get_facts())
|
||||||
|
end
|
||||||
|
|
||||||
context "on #{os}" do
|
context "on #{os}" do
|
||||||
it_configures 'trove::guestagent::service_credentials'
|
it_configures 'trove::guestagent::service_credentials'
|
||||||
end
|
end
|
||||||
|