From 3b80985e56bc0d42170d15c03154241bee95b740 Mon Sep 17 00:00:00 2001 
From: Takashi Kajinami Date: Thu, 25 Nov 2021 13:01:28 +0900 Subject: [PATCH] Assign project-scoped service role for token validation When SRBAC is enforced (*1), keystone requires one of the following conditions for the validate token API. 1) The user has the service role assigned 2) The user is a system reader 3) The user generated the token When authtoken middleware validates tokens in requests, it uses service users to call the validate_token API of Keystone. In this case condition 3 is never met (the token is generated by an external user while it is validated by the service user used in the API). In addition, currently all credentials used for authtoken middleware are project-scoped, not system-scoped, so condition 2 is never met (*2) if SRBAC is enforced. This change adds the project-scoped service role to all service users so that all service users can use the validate_token API even if SRBAC is enforced. An alternative approach would be to assign the system-scoped reader role to these users and replace the credentials for authtoken middleware with system-scoped ones, but we are likely to need additional considerations to establish a proper design of system-scoped role assignment. (*1) When scope evaluation is enforced (enforce_scope=True) and new rules are enforced (enforce_new_defaults=True) (*2) There are a few exceptions like the nova user which already has the project-scoped service role to use the service token feature.
Change-Id: I18acd8da7913e2136bfa67c858381ede6c1e3d24
---
 deployment/aodh/aodh-api-container-puppet.yaml | 3 +++
 deployment/barbican/barbican-api-container-puppet.yaml | 3 +++
 .../ceilometer-agent-central-container-puppet.yaml | 1 +
 deployment/designate/designate-api-container-puppet.yaml | 3 +++
 deployment/glance/glance-api-container-puppet.yaml | 3 +++
 deployment/gnocchi/gnocchi-api-container-puppet.yaml | 3 +++
 deployment/heat/heat-api-cfn-container-puppet.yaml | 3 +++
 deployment/heat/heat-api-container-puppet.yaml | 3 +++
 deployment/ironic/ironic-inspector-container-puppet.yaml | 3 +++
 deployment/manila/manila-api-container-puppet.yaml | 6 ++++++
 deployment/neutron/neutron-api-container-puppet.yaml | 3 +++
 deployment/octavia/octavia-api-container-puppet.yaml | 3 +++
 deployment/placement/placement-api-container-puppet.yaml | 3 +++
 deployment/swift/swift-proxy-container-puppet.yaml | 3 +++
 14 files changed, 43 insertions(+)
diff --git a/deployment/aodh/aodh-api-container-puppet.yaml b/deployment/aodh/aodh-api-container-puppet.yaml
index 89d8917919..8455f526c3 100644
--- a/deployment/aodh/aodh-api-container-puppet.yaml
+++ b/deployment/aodh/aodh-api-container-puppet.yaml
@@ -152,6 +152,9 @@ outputs:
 users:
 aodh:
 password: {get_param: AodhPassword}
+ roles:
+ - admin
+ - service
 region: {get_param: KeystoneRegion}
 service: 'alarming'
 monitoring_subscription: {get_param: MonitoringSubscriptionAodhApi}
diff --git a/deployment/barbican/barbican-api-container-puppet.yaml b/deployment/barbican/barbican-api-container-puppet.yaml
index b8a0ba27b0..85b52368f7 100644
--- a/deployment/barbican/barbican-api-container-puppet.yaml
+++ b/deployment/barbican/barbican-api-container-puppet.yaml
@@ -212,6 +212,9 @@ outputs:
 users:
 barbican:
 password: {get_param: BarbicanPassword}
+ roles:
+ - admin
+ - service
 region: {get_param: KeystoneRegion}
 service: 'key-manager'
 roles:
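Review bot: The new `roles:` lists in the aodh and barbican hunks add `admin` alongside `service`, while the commit message only calls for the project-scoped `service` role and nothing in the template says why `admin` is listed; presumably it restores the default assignment the puppet keystone resource applied when no `roles:` key was given, but that is not visible here. A one-line comment above each list, e.g. `# admin keeps the pre-existing default assignment; service is required for token validation under SRBAC`, would stop a later reader from either dropping `admin` as a least-privilege cleanup or reading the hunk as a new admin grant. The same applies to the designate, glance, gnocchi, heat-cfn, heat, ironic-inspector, manila, neutron, octavia, placement and swift hunks. These assignments also assume a `service` role already exists in keystone before they run (the message notes the nova user already holds it), which is worth confirming since the templates here do not create it.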
diff --git a/deployment/ceilometer/ceilometer-agent-central-container-puppet.yaml b/deployment/ceilometer/ceilometer-agent-central-container-puppet.yaml
index 1fb79da23a..4f60e81e69 100644
--- a/deployment/ceilometer/ceilometer-agent-central-container-puppet.yaml
+++ b/deployment/ceilometer/ceilometer-agent-central-container-puppet.yaml
@@ -80,6 +80,7 @@ outputs:
 password: {get_param: CeilometerPassword}
 roles:
 - admin
+ - service
 config_settings:
 map_merge:
 - get_attr: [CeilometerServiceBase, role_data, config_settings]
diff --git a/deployment/designate/designate-api-container-puppet.yaml b/deployment/designate/designate-api-container-puppet.yaml
index fff7fa0d8a..2153b8e828 100644
--- a/deployment/designate/designate-api-container-puppet.yaml
+++ b/deployment/designate/designate-api-container-puppet.yaml
@@ -94,6 +94,9 @@ outputs:
 users:
 designate:
 password: {get_param: DesignatePassword}
+ roles:
+ - admin
+ - service
 region: {get_param: KeystoneRegion}
 service: 'dns'
 monitoring_subscription: {get_param: MonitoringSubscriptionDesignateApi}
diff --git a/deployment/glance/glance-api-container-puppet.yaml b/deployment/glance/glance-api-container-puppet.yaml
index a2c0834734..59a0505f4e 100644
--- a/deployment/glance/glance-api-container-puppet.yaml
+++ b/deployment/glance/glance-api-container-puppet.yaml
@@ -443,6 +443,9 @@ outputs:
 users:
 glance:
 password: {get_param: GlancePassword}
+ roles:
+ - admin
+ - service
 region: {get_param: KeystoneRegion}
 service: 'image'
 monitoring_subscription: {get_param: MonitoringSubscriptionGlanceApi}
diff --git a/deployment/gnocchi/gnocchi-api-container-puppet.yaml b/deployment/gnocchi/gnocchi-api-container-puppet.yaml
index 0c471ac394..9c7c173695 100644
--- a/deployment/gnocchi/gnocchi-api-container-puppet.yaml
+++ b/deployment/gnocchi/gnocchi-api-container-puppet.yaml
@@ -178,6 +178,9 @@ outputs:
 users:
 gnocchi:
 password: {get_param: GnocchiPassword}
+ roles:
+ - admin
+ - service
 region: {get_param: KeystoneRegion}
 service: 'metric'
 monitoring_subscription: {get_param: MonitoringSubscriptionGnocchiApi}
diff --git a/deployment/heat/heat-api-cfn-container-puppet.yaml b/deployment/heat/heat-api-cfn-container-puppet.yaml
index cc94aaadd2..b7d1c60fea 100644
--- a/deployment/heat/heat-api-cfn-container-puppet.yaml
+++ b/deployment/heat/heat-api-cfn-container-puppet.yaml
@@ -108,6 +108,9 @@ outputs:
 users:
 heat-cfn:
 password: {get_param: HeatPassword}
+ roles:
+ - admin
+ - service
 region: {get_param: KeystoneRegion}
 service: 'cloudformation'
 monitoring_subscription: {get_param: MonitoringSubscriptionHeatApiCnf}
diff --git a/deployment/heat/heat-api-container-puppet.yaml b/deployment/heat/heat-api-container-puppet.yaml
index 7049173261..5e348be515 100644
--- a/deployment/heat/heat-api-container-puppet.yaml
+++ b/deployment/heat/heat-api-container-puppet.yaml
@@ -126,6 +126,9 @@ outputs:
 users:
 heat:
 password: {get_param: HeatPassword}
+ roles:
+ - admin
+ - service
 heat_stack_domain_admin:
 password: {get_param: HeatStackDomainAdminPassword}
 roles:
diff --git a/deployment/ironic/ironic-inspector-container-puppet.yaml b/deployment/ironic/ironic-inspector-container-puppet.yaml
index dc1e6cc933..0997535d8c 100644
--- a/deployment/ironic/ironic-inspector-container-puppet.yaml
+++ b/deployment/ironic/ironic-inspector-container-puppet.yaml
@@ -270,6 +270,9 @@ outputs:
 users:
 ironic-inspector:
 password: {get_param: IronicPassword}
+ roles:
+ - admin
+ - service
 region: {get_param: KeystoneRegion}
 service: 'baremetal-introspection'
 monitoring_subscription: {get_param: MonitoringSubscriptionIronicInspector}
diff --git a/deployment/manila/manila-api-container-puppet.yaml b/deployment/manila/manila-api-container-puppet.yaml
index e76aef5542..abe10b9705 100644
--- a/deployment/manila/manila-api-container-puppet.yaml
+++ b/deployment/manila/manila-api-container-puppet.yaml
@@ -153,6 +153,9 @@ outputs:
 users:
 manila:
 password: {get_param: ManilaPassword}
+ roles:
+ - admin
+ - service
 region: {get_param: KeystoneRegion}
 service: 'share'
 manilav2:
@@ -163,6 +166,9 @@ outputs:
 users:
 manilav2:
 password: {get_param: ManilaPassword}
+ roles:
+ - admin
+ - service
 region: {get_param: KeystoneRegion}
 service: 'sharev2'
 monitoring_subscription: {get_param: MonitoringSubscriptionManilaApi}
diff --git a/deployment/neutron/neutron-api-container-puppet.yaml b/deployment/neutron/neutron-api-container-puppet.yaml
index d682be31ba..ee2462fabb 100644
--- a/deployment/neutron/neutron-api-container-puppet.yaml
+++ b/deployment/neutron/neutron-api-container-puppet.yaml
@@ -290,6 +290,9 @@ outputs:
 users:
 neutron:
 password: {get_param: NeutronPassword}
+ roles:
+ - admin
+ - service
 region: {get_param: KeystoneRegion}
 service: 'network'
 monitoring_subscription: {get_param: MonitoringSubscriptionNeutronServer}
diff --git a/deployment/octavia/octavia-api-container-puppet.yaml b/deployment/octavia/octavia-api-container-puppet.yaml
index 4daf0073da..e21d549d7b 100644
--- a/deployment/octavia/octavia-api-container-puppet.yaml
+++ b/deployment/octavia/octavia-api-container-puppet.yaml
@@ -157,6 +157,9 @@ outputs:
 name: {get_param: OctaviaUserName}
 password: {get_param: OctaviaPassword}
 project: {get_param: OctaviaProjectName}
+ roles:
+ - admin
+ - service
 region: {get_param: KeystoneRegion}
 service: 'load-balancer'
 monitoring_subscription: {get_param: MonitoringSubscriptionOctaviaApi}
diff --git a/deployment/placement/placement-api-container-puppet.yaml b/deployment/placement/placement-api-container-puppet.yaml
index af29a74ba2..8bbb8fdfb3 100644
--- a/deployment/placement/placement-api-container-puppet.yaml
+++ b/deployment/placement/placement-api-container-puppet.yaml
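Review bot: In the octavia hunk the new `roles:` list sits under a user that also carries `project: {get_param: OctaviaProjectName}`, so `admin` and `service` are presumably assigned in that project rather than the default service project the other users in this series use; the authtoken credentials of the octavia API must then be scoped to that same project for the `service` role to satisfy the validate_token check. Nothing in the hunk shows which project the middleware is configured with, so this is inferred from the `project:` key alone. A short comment such as `# roles are assigned in OctaviaProjectName; keep the authtoken project scope in sync` would record the dependency next to the assignment.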
@@ -141,6 +141,9 @@ outputs:
 users:
 placement:
 password: {get_param: PlacementPassword}
+ roles:
+ - admin
+ - service
 region: {get_param: KeystoneRegion}
 service: 'placement'
 monitoring_subscription: {get_param: MonitoringSubscriptionPlacement}
diff --git a/deployment/swift/swift-proxy-container-puppet.yaml b/deployment/swift/swift-proxy-container-puppet.yaml
index 6a0936ea3c..f24797065a 100644
--- a/deployment/swift/swift-proxy-container-puppet.yaml
+++ b/deployment/swift/swift-proxy-container-puppet.yaml
@@ -137,6 +137,9 @@ outputs:
 users:
 swift:
 password: {get_param: SwiftPassword}
+ roles:
+ - admin
+ - service
 region: {get_param: KeystoneRegion}
 service: 'object-store'
 roles: