Globally support system scope credentials

After spending huge effort to understand the exact requirements to enforce SRBAC, we learned it's very difficult to find the required scope in each credential. This requires understanding implementation of client-side as well as server-side, and requirement might be different according to the deployment architecture or features used. Instead of implementing support based on the actual implementation, this introduces support for system scope credentials to all places where keystone user credential is defined, and make all credential configurations consistent. Change-Id: I1515d077c7cdd3cddb805a0b68199ee913975704
2022-03-04 11:12:28 +09:00 · 2022-03-04 11:12:28 +09:00 · 978502cbdc
commit 978502cbdc
parent 16bcc44238
3 changed files with 34 additions and 2 deletions
--- a/manifests/watcher_clients_auth.pp
+++ b/manifests/watcher_clients_auth.pp
@ -27,6 +27,10 @@
 #   (Optional) User Domain name.
 #   Defaults to 'Default'
 #
+# [*system_scope*]
+#   (Optional) Scope for system operations.
+#   Defaults to $::os_service_default
+#
 # [*auth_type*]
 #   (Optional) Authentication type to load.
 #   Defaults to 'password'
@ -55,6 +59,7 @@ class watcher::watcher_clients_auth (
  $project_name        = 'services',
  $project_domain_name = 'Default',
  $user_domain_name    = 'Default',
+  $system_scope        = $::os_service_default,
  $auth_type           = 'password',
  $insecure            = $::os_service_default,
  $certfile            = $::os_service_default,
@ -69,10 +74,16 @@ class watcher::watcher_clients_auth (
    fail('password is required')
  }

+  if is_service_default($system_scope) {
+    $project_name_real = pick($::watcher::api::watcher_client_project_name, $project_name)
+    $project_domain_name_real = pick($::watcher::api::watcher_client_project_domain_name, $project_domain_name)
+  } else {
+    $project_name_real = $::os_service_default
+    $project_domain_name_real = $::os_service_default
+  }
+
  $auth_url_real = pick($::watcher::api::watcher_client_auth_url, $auth_url)
  $username_real = pick($::watcher::api::watcher_client_username, $username)
-  $project_name_real = pick($::watcher::api::watcher_client_project_name, $project_name)
-  $project_domain_name_real = pick($::watcher::api::watcher_client_project_domain_name, $project_domain_name)
  $user_domain_name_real = pick($::watcher::api::watcher_client_user_domain_name, $user_domain_name)
  $auth_type_real = pick($::watcher::api::watcher_client_auth_type, $auth_type)
  $insecure_real = pick($::watcher::api::watcher_client_insecure, $insecure)
@ -87,6 +98,7 @@ class watcher::watcher_clients_auth (
    'watcher_clients_auth/project_name':        value => $project_name_real;
    'watcher_clients_auth/project_domain_name': value => $project_domain_name_real;
    'watcher_clients_auth/user_domain_name':    value => $user_domain_name_real;
+    'watcher_clients_auth/system_scope':        value => $system_scope;
    'watcher_clients_auth/insecure':            value => $insecure_real;
    'watcher_clients_auth/auth_type':           value => $auth_type_real;
    'watcher_clients_auth/cafile':              value => $cafile_real;
--- a/releasenotes/notes/system_scope-all-8c56342fed47d232.yaml
+++ b/releasenotes/notes/system_scope-all-8c56342fed47d232.yaml
@ -0,0 +1,5 @@
+---
+features:
+  - |
+    The new ``watcher::watcher_clients_auth::system_scope`` parameter has been
+    added.
--- a/spec/classes/watcher_watcher_clients_auth_spec.rb
+++ b/spec/classes/watcher_watcher_clients_auth_spec.rb
@ -15,6 +15,7 @@ describe 'watcher::watcher_clients_auth' do
        should contain_watcher_config('watcher_clients_auth/project_name').with_value('services')
        should contain_watcher_config('watcher_clients_auth/user_domain_name').with_value('Default')
        should contain_watcher_config('watcher_clients_auth/project_domain_name').with_value('Default')
+        should contain_watcher_config('watcher_clients_auth/system_scope').with_value('<SERVICE DEFAULT>')
        should contain_watcher_config('watcher_clients_auth/insecure').with_value('<SERVICE DEFAULT>')
        should contain_watcher_config('watcher_clients_auth/certfile').with_value('<SERVICE DEFAULT>')
        should contain_watcher_config('watcher_clients_auth/cafile').with_value('<SERVICE DEFAULT>')
@ -43,12 +44,26 @@ describe 'watcher::watcher_clients_auth' do
        should contain_watcher_config('watcher_clients_auth/project_name').with_value('alt_services')
        should contain_watcher_config('watcher_clients_auth/user_domain_name').with_value('user_domain')
        should contain_watcher_config('watcher_clients_auth/project_domain_name').with_value('project_domain')
+        should contain_watcher_config('watcher_clients_auth/system_scope').with_value('<SERVICE DEFAULT>')
        should contain_watcher_config('watcher_clients_auth/insecure').with_value(false)
        should contain_watcher_config('watcher_clients_auth/certfile').with_value('path_to_cert')
        should contain_watcher_config('watcher_clients_auth/cafile').with_value('path_to_ca')
        should contain_watcher_config('watcher_clients_auth/keyfile').with_value('path_to_key')
      end
    end
+
+    context 'when system_scope is set' do
+      before do
+        params.merge!(
+          :system_scope => 'all'
+        )
+      end
+      it 'configures system-scoped credential' do
+        is_expected.to contain_watcher_config('watcher_clients_auth/project_domain_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_watcher_config('watcher_clients_auth/project_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_watcher_config('watcher_clients_auth/system_scope').with_value('all')
+      end
+    end
  end

  on_supported_os({