Assign project-scoped service role for token validation

When SRBAC is enforced (*1), keystone requires one of the following
conditions for the validate token API.
 1) The user has the service role assigned
 2) The user is a system reader
 3) The user generated the token

When authtoken middleware validates tokens in requests, it uses service
users to call the validate_token API of Keystone. In this case
condition 3 is never met (the token is generated by an external user
while it is validated by the service user used in the API). In addition,
currently all credentials used for authtoken middleware are
project-scoped, not system-scoped, so condition 2 is never met (*2) if
SRBAC is enforced.

This change adds the project-scoped service role to all service
users so that all service users can use the validate_token API even
if SRBAC is enforced. An alternative approach would be to assign
the system-scoped reader role to these users and replace the credentials
for authtoken middleware with system-scoped ones, but we are likely to
need additional consideration to establish a proper design of
system-scoped role assignment.

(*1)
When scope evaluation is enforced (enforce_scope=True) and new rules
are enforced (enforce_new_defaults=True)

(*2)
There are a few exceptions like the nova user, which already has
the project-scoped service role to use the service token feature.

Change-Id: I18acd8da7913e2136bfa67c858381ede6c1e3d24
Takashi Kajinami 2021-11-25 13:01:28 +09:00
parent 65c005cf9a
commit 3b80985e56
14 changed files with 43 additions and 0 deletions
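The three conditions the commit message lists, and the lint a deployer would want on the `users:` blocks below, modelled as an added example (not keystone's policy code and not part of this change); `Credential`, `Token` and the role names are simplified stand-ins, and implied-role expansion is not modelled.

```python
"""Simplified model of who may call keystone's validate_token under SRBAC
(enforce_scope=True, enforce_new_defaults=True), as described in the
commit message. Added illustration, not keystone's real policy engine."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Credential:
    """The identity making the validate_token call (e.g. a service user)."""
    user_id: str
    scope: str                      # "project" or "system"
    roles: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Token:
    """The token being validated; only the issuing user matters here."""
    user_id: str


def can_validate_token(caller: Credential, token: Token) -> bool:
    """True if any of the three alternatives from the commit message holds:
    1) caller holds the service role, 2) caller is a system-scoped reader,
    3) caller is the user the token was issued to."""
    has_service_role = "service" in caller.roles
    is_system_reader = caller.scope == "system" and "reader" in caller.roles
    is_token_owner = caller.user_id == token.user_id
    return has_service_role or is_system_reader or is_token_owner


def missing_service_role(users: dict) -> list:
    """Given a mapping shaped like the templates' users: block
    ({name: {"roles": [...]}}), return users whose roles lack `service`.
    A user with no roles key at all is reported too, since whatever default
    applies then is not the service role."""
    return sorted(name for name, spec in users.items()
                  if "service" not in spec.get("roles", []))


# Constructed sample mirroring the before/after state of the aodh user.
END_USER_TOKEN = Token(user_id="end-user")
AODH_BEFORE = Credential("aodh", "project", frozenset({"admin"}))
AODH_AFTER = Credential("aodh", "project", frozenset({"admin", "service"}))
SYSTEM_READER = Credential("auditor", "system", frozenset({"reader"}))

if __name__ == "__main__":
    print("aodh before:", can_validate_token(AODH_BEFORE, END_USER_TOKEN))
    print("aodh after:", can_validate_token(AODH_AFTER, END_USER_TOKEN))
```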

@ -152,6 +152,9 @@ outputs:
users:
aodh:
password: {get_param: AodhPassword}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'alarming'
monitoring_subscription: {get_param: MonitoringSubscriptionAodhApi}
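Review bot: the hunk header (6 lines before, 9 after) shows that `roles:` is a new key here, so `admin` is now listed explicitly alongside `service`; please confirm in the commit message that `admin` was exactly the role applied by default when `roles` was absent, so that nothing is silently dropped for users like aodh. The same hunk assumes the `service` role already exists in keystone (the message says the nova user has it); a sentence saying where that role is created would help the next reader.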

@ -212,6 +212,9 @@ outputs:
users:
barbican:
password: {get_param: BarbicanPassword}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'key-manager'
roles:
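Review bot: the trailing context line `roles:` shows another user entry in this file that the change leaves untouched; since the message says all service users get the role, state whether that user is intentionally excluded (for example because it does not back an authtoken middleware credential).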

@ -80,6 +80,7 @@ outputs:
password: {get_param: CeilometerPassword}
roles:
- admin
- service
config_settings:
map_merge:
- get_attr: [CeilometerServiceBase, role_data, config_settings]

@ -94,6 +94,9 @@ outputs:
users:
designate:
password: {get_param: DesignatePassword}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'dns'
monitoring_subscription: {get_param: MonitoringSubscriptionDesignateApi}

@ -443,6 +443,9 @@ outputs:
users:
glance:
password: {get_param: GlancePassword}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'image'
monitoring_subscription: {get_param: MonitoringSubscriptionGlanceApi}

@ -178,6 +178,9 @@ outputs:
users:
gnocchi:
password: {get_param: GnocchiPassword}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'metric'
monitoring_subscription: {get_param: MonitoringSubscriptionGnocchiApi}

@ -108,6 +108,9 @@ outputs:
users:
heat-cfn:
password: {get_param: HeatPassword}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'cloudformation'
monitoring_subscription: {get_param: MonitoringSubscriptionHeatApiCnf}

@ -126,6 +126,9 @@ outputs:
users:
heat:
password: {get_param: HeatPassword}
roles:
- admin
- service
heat_stack_domain_admin:
password: {get_param: HeatStackDomainAdminPassword}
roles:
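Review bot: `heat_stack_domain_admin`, visible in the trailing context with its own `roles:` list, is not given the service role here; that is presumably intentional because it is not the credential the authtoken middleware uses, but the commit message should say so explicitly rather than claiming "all service users".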

@ -270,6 +270,9 @@ outputs:
users:
ironic-inspector:
password: {get_param: IronicPassword}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'baremetal-introspection'
monitoring_subscription: {get_param: MonitoringSubscriptionIronicInspector}
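Review bot: ironic-inspector shares `IronicPassword` with the ironic user, yet no ironic hunk is part of this change; please confirm that ironic (and any other service user absent from these 14 files) already carries the project-scoped service role, as the message notes for nova, otherwise its authtoken middleware will still fail validate_token under SRBAC.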

@ -153,6 +153,9 @@ outputs:
users:
manila:
password: {get_param: ManilaPassword}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'share'
manilav2:
@ -163,6 +166,9 @@ outputs:
users:
manilav2:
password: {get_param: ManilaPassword}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'sharev2'
monitoring_subscription: {get_param: MonitoringSubscriptionManilaApi}

@ -290,6 +290,9 @@ outputs:
users:
neutron:
password: {get_param: NeutronPassword}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'network'
monitoring_subscription: {get_param: MonitoringSubscriptionNeutronServer}

@ -157,6 +157,9 @@ outputs:
name: {get_param: OctaviaUserName}
password: {get_param: OctaviaPassword}
project: {get_param: OctaviaProjectName}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'load-balancer'
monitoring_subscription: {get_param: MonitoringSubscriptionOctaviaApi}
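Review bot: this user is created with an explicit `project: {get_param: OctaviaProjectName}`, so the service role added here is scoped to that project rather than the default one; please confirm that octavia's keystone_authtoken credentials are scoped to the same project, since a project-scoped role only satisfies condition 1 of the message when the validating credential is scoped to the project the role was assigned in.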

@ -141,6 +141,9 @@ outputs:
users:
placement:
password: {get_param: PlacementPassword}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'placement'
monitoring_subscription: {get_param: MonitoringSubscriptionPlacement}

@ -137,6 +137,9 @@ outputs:
users:
swift:
password: {get_param: SwiftPassword}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'object-store'
roles: