From 978502cbdc84e8c9eef0ec99dcd9077e9e2a9f3e Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Fri, 4 Mar 2022 11:12:28 +0900
Subject: [PATCH] Globally support system scope credentials

After spending huge effort to understand the exact requirements to enforce SRBAC, we learned it's very difficult to find the required scope in each credential. This requires understanding implementation of client-side as well as server-side, and requirement might be different according to the deployment architecture or features used. Instead of implementing support based on the actual implementation, this introduces support for system scope credentials to all places where keystone user credential is defined, and make all credential configurations consistent.

Change-Id: I1515d077c7cdd3cddb805a0b68199ee913975704
---
 manifests/watcher_clients_auth.pp | 16 ++++++++++++++--
 .../notes/system_scope-all-8c56342fed47d232.yaml | 5 +++++
 .../classes/watcher_watcher_clients_auth_spec.rb | 15 +++++++++++++++
 3 files changed, 34 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/system_scope-all-8c56342fed47d232.yaml

diff --git a/manifests/watcher_clients_auth.pp b/manifests/watcher_clients_auth.pp
index 6985cb8..3fa5a6c 100644
--- a/manifests/watcher_clients_auth.pp
+++ b/manifests/watcher_clients_auth.pp
@@ -27,6 +27,10 @@
 # (Optional) User Domain name.
 # Defaults to 'Default'
 #
+# [*system_scope*]
+# (Optional) Scope for system operations.
+# Defaults to $::os_service_default
+#
 # [*auth_type*]
 # (Optional) Authentication type to load.
 # Defaults to 'password'
@@ -55,6 +59,7 @@ class watcher::watcher_clients_auth (
 $project_name = 'services',
 $project_domain_name = 'Default',
 $user_domain_name = 'Default',
+$system_scope = $::os_service_default,
 $auth_type = 'password',
 $insecure = $::os_service_default,
 $certfile = $::os_service_default,
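Review bot: The new parameter comment in the first hunk says only "Scope for system operations" and does not tell the reader what value is expected or what setting it changes; the spec in this commit uses `'all'`, and the class body clears project_name and project_domain_name as soon as the parameter is set. Suggest expanding the comment to `#   (Optional) Scope for system operations, e.g. 'all' for a system-scoped token. When set, project_name and project_domain_name (and their watcher::api overrides) are ignored.` so the operator learns the trade-off from the parameter documentation rather than from the manifest logic.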
@@ -69,10 +74,16 @@ class watcher::watcher_clients_auth (
 fail('password is required')
 }
 
+if is_service_default($system_scope) {
+$project_name_real = pick($::watcher::api::watcher_client_project_name, $project_name)
+$project_domain_name_real = pick($::watcher::api::watcher_client_project_domain_name, $project_domain_name)
+} else {
+$project_name_real = $::os_service_default
+$project_domain_name_real = $::os_service_default
+}
+
 $auth_url_real = pick($::watcher::api::watcher_client_auth_url, $auth_url)
 $username_real = pick($::watcher::api::watcher_client_username, $username)
-$project_name_real = pick($::watcher::api::watcher_client_project_name, $project_name)
-$project_domain_name_real = pick($::watcher::api::watcher_client_project_domain_name, $project_domain_name)
 $user_domain_name_real = pick($::watcher::api::watcher_client_user_domain_name, $user_domain_name)
 $auth_type_real = pick($::watcher::api::watcher_client_auth_type, $auth_type)
 $insecure_real = pick($::watcher::api::watcher_client_insecure, $insecure)
@@ -87,6 +98,7 @@ class watcher::watcher_clients_auth (
 'watcher_clients_auth/project_name': value => $project_name_real;
 'watcher_clients_auth/project_domain_name': value => $project_domain_name_real;
 'watcher_clients_auth/user_domain_name': value => $user_domain_name_real;
+'watcher_clients_auth/system_scope': value => $system_scope;
 'watcher_clients_auth/insecure': value => $insecure_real;
 'watcher_clients_auth/auth_type': value => $auth_type_real;
 'watcher_clients_auth/cafile': value => $cafile_real;
diff --git a/releasenotes/notes/system_scope-all-8c56342fed47d232.yaml b/releasenotes/notes/system_scope-all-8c56342fed47d232.yaml
new file mode 100644
index 0000000..1cfa095
--- /dev/null
+++ b/releasenotes/notes/system_scope-all-8c56342fed47d232.yaml
@@ -0,0 +1,5 @@
+---
+features:
+- |
+The new ``watcher::watcher_clients_auth::system_scope`` parameter has been
+added.
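Review bot: In the `else` branch of the new `if is_service_default($system_scope)` block, a `$::watcher::api::watcher_client_project_name` or `..._project_domain_name` override is silently discarded, while every other credential field in this hunk still goes through `pick()`; `$system_scope` is also the only field written without a `$::watcher::api::watcher_client_*` fallback (I cannot see from here whether `watcher::api` declares one). A `warning('system_scope is set; project_name and project_domain_name overrides are ignored')` in that branch, or at least a comment stating the precedence, would make the precedence visible to operators. The branch is also keyed only on the service-default sentinel, so a non-default but empty `$system_scope` such as `''` drops the project scope and, via the second hunk, writes an empty `system_scope`, which would presumably leave the credential unscoped; consider treating an empty value like the default. The enclosing class starts before this hunk.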
diff --git a/spec/classes/watcher_watcher_clients_auth_spec.rb b/spec/classes/watcher_watcher_clients_auth_spec.rb
index a35e904..6c4e7a8 100644
--- a/spec/classes/watcher_watcher_clients_auth_spec.rb
+++ b/spec/classes/watcher_watcher_clients_auth_spec.rb
@@ -15,6 +15,7 @@ describe 'watcher::watcher_clients_auth' do
 should contain_watcher_config('watcher_clients_auth/project_name').with_value('services')
 should contain_watcher_config('watcher_clients_auth/user_domain_name').with_value('Default')
 should contain_watcher_config('watcher_clients_auth/project_domain_name').with_value('Default')
+should contain_watcher_config('watcher_clients_auth/system_scope').with_value('')
 should contain_watcher_config('watcher_clients_auth/insecure').with_value('')
 should contain_watcher_config('watcher_clients_auth/certfile').with_value('')
 should contain_watcher_config('watcher_clients_auth/cafile').with_value('')
@@ -43,12 +44,26 @@ describe 'watcher::watcher_clients_auth' do
 should contain_watcher_config('watcher_clients_auth/project_name').with_value('alt_services')
 should contain_watcher_config('watcher_clients_auth/user_domain_name').with_value('user_domain')
 should contain_watcher_config('watcher_clients_auth/project_domain_name').with_value('project_domain')
+should contain_watcher_config('watcher_clients_auth/system_scope').with_value('')
 should contain_watcher_config('watcher_clients_auth/insecure').with_value(false)
 should contain_watcher_config('watcher_clients_auth/certfile').with_value('path_to_cert')
 should contain_watcher_config('watcher_clients_auth/cafile').with_value('path_to_ca')
 should contain_watcher_config('watcher_clients_auth/keyfile').with_value('path_to_key')
 end
 end
+
+context 'when system_scope is set' do
+before do
+params.merge!(
+:system_scope => 'all'
+)
+end
+it 'configures system-scoped credential' do
+is_expected.to contain_watcher_config('watcher_clients_auth/project_domain_name').with_value('')
+is_expected.to contain_watcher_config('watcher_clients_auth/project_name').with_value('')
+is_expected.to contain_watcher_config('watcher_clients_auth/system_scope').with_value('all')
+end
+end
 end
 
 on_supported_os({
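Review bot: The new `when system_scope is set` context merges only `:system_scope => 'all'` onto the default params, so its `''` expectations for project_name and project_domain_name do not demonstrate that an explicitly supplied project is discarded, which is the behaviour the manifest change introduces. Merging an explicit project as well, e.g. `:system_scope => 'all', :project_name => 'alt_services', :project_domain_name => 'project_domain'`, with the same `''` expectations would pin that. The surrounding `describe` block starts before this hunk.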