From 9f113400cc69632d6eb43fdbc91399ed6fbf67c6 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Tue, 25 Jan 2022 10:59:38 +0900
Subject: [PATCH] Accept system scope credentials for Keystone API request

This change is the first step to support secure RBAC and allows usage of system scope credentials for Keystone API request.

This change covers the following two items.
- assignment of system scope roles to system user
- credential parameters for authtoken middleware

Depends-on: https://review.opendev.org/804325
Change-Id: I7675e58508a00979a3c26908c4449be24a98a206
---
 manifests/keystone/auth.pp | 18 ++++++++++++++++++
 manifests/keystone/authtoken.pp | 6 ++++++
 ...system_scope-keystone-54ba872a490ebc74.yaml | 13 +++++++++++++
 spec/classes/watcher_keystone_auth_spec.rb | 9 +++++++++
 .../classes/watcher_keystone_authtoken_spec.rb | 3 +++
 5 files changed, 49 insertions(+)
 create mode 100644 releasenotes/notes/system_scope-keystone-54ba872a490ebc74.yaml

diff --git a/manifests/keystone/auth.pp b/manifests/keystone/auth.pp
index 5c97857..3db5af2 100644
--- a/manifests/keystone/auth.pp
+++ b/manifests/keystone/auth.pp
@@ -19,6 +19,18 @@
 # (Optional) Tenant for watcher user.
 # Defaults to 'services'.
 #
+# [*roles*]
+# (Optional) List of roles assigned to watcher user.
+# Defaults to ['admin']
+#
+# [*system_scope*]
+# (Optional) Scope for system operations.
+# Defaults to 'all'
+#
+# [*system_roles*]
+# (Optional) List of system roles assigned to watcher user.
+# Defaults to []
+#
 # [*configure_endpoint*]
 # (Optional) Should watcher endpoint be configured?
 # Defaults to true.
@@ -67,6 +79,9 @@ class watcher::keystone::auth (
 $auth_name = 'watcher',
 $email = 'watcher@localhost',
 $tenant = 'services',
+ $roles = ['admin'],
+ $system_scope = 'all',
+ $system_roles = [],
 $configure_endpoint = true,
 $configure_user = true,
 $configure_user_role = true,
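Review bot: The new defaults in the second hunk give `$system_scope = 'all'` a value while `$system_roles = []` is empty, so by default no system-scoped assignment is requested and the scope value is inert until system_roles is populated, and the parameter docs in the first hunk do not say so. I would extend the `[*system_scope*]` entry with `# Only used when system_roles is non-empty. Keystone currently defines only the 'all' system scope.` (the second sentence is my understanding of Keystone, worth confirming). The `$roles = ['admin']` default keeps the project-scoped admin role on the service user; once system-scoped roles are in use operators will presumably want to drop it, so a one-line pointer in the `[*roles*]` doc would help. The parameter list of watcher::keystone::auth continues outside the hunk.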
@@ -103,6 +118,9 @@ class watcher::keystone::auth (
 password => $password,
 email => $email,
 tenant => $tenant,
+ roles => $roles,
+ system_scope => $system_scope,
+ system_roles => $system_roles,
 public_url => $public_url,
 internal_url => $internal_url,
 admin_url => $admin_url,
diff --git a/manifests/keystone/authtoken.pp b/manifests/keystone/authtoken.pp
index 6e70242..5a5d504 100644
--- a/manifests/keystone/authtoken.pp
+++ b/manifests/keystone/authtoken.pp
@@ -28,6 +28,10 @@
 # (Optional) Name of domain for $project_name
 # Defaults to 'Default'
 #
+# [*system_scope*]
+# (Optional) Scope for system operations
+# Defaults to $::os_service_default
+#
 # [*insecure*]
 # (Optional) If true, explicitly allow TLS without checking server cert
 # against any certificate authorities. WARNING: not recommended. Use with
@@ -196,6 +200,7 @@ class watcher::keystone::authtoken (
 $project_name = 'services',
 $user_domain_name = 'Default',
 $project_domain_name = 'Default',
+ $system_scope = $::os_service_default,
 $insecure = $::os_service_default,
 $auth_section = $::os_service_default,
 $auth_type = 'password',
@@ -247,6 +252,7 @@ class watcher::keystone::authtoken (
 auth_section => $auth_section,
 user_domain_name => $user_domain_name,
 project_domain_name => $project_domain_name,
+ system_scope => $system_scope,
 insecure => $insecure,
 cache => $cache,
 cafile => $cafile,
diff --git a/releasenotes/notes/system_scope-keystone-54ba872a490ebc74.yaml b/releasenotes/notes/system_scope-keystone-54ba872a490ebc74.yaml
new file mode 100644
index 0000000..60fb01a
--- /dev/null
+++ b/releasenotes/notes/system_scope-keystone-54ba872a490ebc74.yaml
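Review bot: The `[*system_scope*]` doc entry added to authtoken.pp does not say what happens to `project_name`/`project_domain_name` when a system scope is requested, while the class keeps defaulting `project_name` to 'services', so an operator who sets `system_scope => 'all'` hands both a project and a system scope to keystone::resource::authtoken. A Keystone token cannot be both project- and system-scoped; my understanding is that the dependency this change lists (review 804325) makes keystone::resource::authtoken discard the project settings when system_scope is set, but that contract belongs in this class's documentation rather than being implied. I would extend the entry with `# When set, the credentials are system-scoped; project_name and project_domain_name are expected to be ignored and should be left unset for a system-scoped service user.` The body of watcher::keystone::authtoken continues outside these hunks.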
@@ -0,0 +1,13 @@
+---
+features:
+ - |
+ The ``system_scope`` parameter has been added to
+ the ``watcher::keystone::authtoken`` class.
+
+ - |
+ The ``watcher::keystone::auth`` class now supports customizing roles
+ assigned to the watcher service user.
+
+ - |
+ The ``watcher::keystone::auth`` class now supports defining assignmet of
+ system-scoped roles to the watcher service user.
diff --git a/spec/classes/watcher_keystone_auth_spec.rb b/spec/classes/watcher_keystone_auth_spec.rb
index f813d53..10938b5 100644
--- a/spec/classes/watcher_keystone_auth_spec.rb
+++ b/spec/classes/watcher_keystone_auth_spec.rb
@@ -23,6 +23,9 @@ describe 'watcher::keystone::auth' do
 :password => 'watcher_password',
 :email => 'watcher@localhost',
 :tenant => 'services',
+ :roles => ['admin'],
+ :system_scope => 'all',
+ :system_roles => [],
 :public_url => 'http://127.0.0.1:9322',
 :internal_url => 'http://127.0.0.1:9322',
 :admin_url => 'http://127.0.0.1:9322',
@@ -35,6 +38,9 @@ describe 'watcher::keystone::auth' do
 :auth_name => 'alt_watcher',
 :email => 'alt_watcher@alt_localhost',
 :tenant => 'alt_service',
+ :roles => ['admin', 'service'],
+ :system_scope => 'alt_all',
+ :system_roles => ['admin', 'member', 'reader'],
 :configure_endpoint => false,
 :configure_user => false,
 :configure_user_role => false,
@@ -59,6 +65,9 @@ describe 'watcher::keystone::auth' do
 :password => 'watcher_password',
 :email => 'alt_watcher@alt_localhost',
 :tenant => 'alt_service',
+ :roles => ['admin', 'service'],
+ :system_scope => 'alt_all',
+ :system_roles => ['admin', 'member', 'reader'],
 :public_url => 'https://10.10.10.10:80',
 :internal_url => 'http://10.10.10.11:81',
 :admin_url => 'http://10.10.10.12:81',
diff --git a/spec/classes/watcher_keystone_authtoken_spec.rb b/spec/classes/watcher_keystone_authtoken_spec.rb
index f0ac9a3..4276b0f 100644
--- a/spec/classes/watcher_keystone_authtoken_spec.rb
+++ b/spec/classes/watcher_keystone_authtoken_spec.rb
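Review bot: The 'alt' examples in watcher_keystone_auth_spec.rb pass `:system_scope => 'alt_all'`, which as far as I know is not a scope Keystone defines (only `all` exists), so the spec documents a configuration that cannot be applied even though catalog compilation accepts it. I would use `:system_scope => 'all'` in both the params and the expectation, or keep a distinct value only with a comment such as `# deliberately bogus: proves the value is passed through unchanged`. The example that sets `:system_roles => ['admin', 'member', 'reader']` also sets `:configure_user_role => false`, so nothing in these hunks exercises a system role assignment actually being requested; a further example with configure_user_role left at its default would cover that, assuming the resource honours it (not visible here). The describe blocks continue outside the hunks.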
@@ -18,6 +18,7 @@ describe 'watcher::keystone::authtoken' do
 :project_name => 'services',
 :user_domain_name => 'Default',
 :project_domain_name => 'Default',
+ :system_scope => '',
 :insecure => '',
 :auth_section => '',
 :auth_type => 'password',
@@ -62,6 +63,7 @@ describe 'watcher::keystone::authtoken' do
 :project_name => 'service_project',
 :user_domain_name => 'domainX',
 :project_domain_name => 'domainX',
+ :system_scope => 'all',
 :insecure => false,
 :auth_section => 'new_section',
 :auth_type => 'password',
@@ -103,6 +105,7 @@ describe 'watcher::keystone::authtoken' do
 :project_name => 'service_project',
 :user_domain_name => 'domainX',
 :project_domain_name => 'domainX',
+ :system_scope => 'all',
 :insecure => false,
 :auth_section => 'new_section',
 :auth_type => 'password',
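Review bot: Both 'alt' examples in watcher_keystone_authtoken_spec.rb combine `:system_scope => 'all'` with `:project_name => 'service_project'`, and the expectation simply echoes both back, so the spec never pins what the class does with a project name once a system scope is requested. A Keystone token cannot carry both a project and a system scope, so either these examples should omit project_name and project_domain_name, or the expectation should state whatever keystone::resource::authtoken is expected to do with them (presumably dropping them, per the dependency this change lists — confirm). The `:system_scope => ''` in the default-case hunk matches how `$::os_service_default` is already represented here (`:insecure => ''`), which looks fine. The describe block continues outside the hunks.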