From fe7da441a6512558f13c142dabfa349fcae9770c Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Mon, 3 Jan 2022 15:02:16 +0900
Subject: [PATCH] Accept system scope credentials for Keystone API request

This change is the first step to support secure RBAC and allows usage of system scope credentials for Keystone API request. This change covers the following two items.
 - assignment of system scope roles to system user
 - credential parameters for authtoken middleware

Depends-on: https://review.opendev.org/804325
Change-Id: I2a54b0d0c03a98b3fe7a3a4a28051247eea7e70a
---
 manifests/keystone/auth.pp | 24 ++++++++++++++-----
 manifests/keystone/authtoken.pp | 6 +++++
 ...ystem_scope-keystone-ce89823e072150ce.yaml | 9 +++++++
 spec/classes/zaqar_keystone_auth_spec.rb | 13 +++++++---
 spec/classes/zaqar_keystone_authtoken_spec.rb | 3 +++
 5 files changed, 46 insertions(+), 9 deletions(-)
 create mode 100644 releasenotes/notes/system_scope-keystone-ce89823e072150ce.yaml

diff --git a/manifests/keystone/auth.pp b/manifests/keystone/auth.pp
index 4e6c2fd..64dc32c 100644
--- a/manifests/keystone/auth.pp
+++ b/manifests/keystone/auth.pp
@@ -19,6 +19,18 @@
 # (Optional) Tenant for zaqar user.
 # Defaults to 'services'.
 #
+# [*roles*]
+# (Optional) List of roles assigned to neutron user.
+# Defaults to ['admin']
+#
+# [*system_scope*]
+# (Optional) Scope for system operations.
+# Defaults to 'all'
+#
+# [*system_roles*]
+# (Optional) List of system roles assigned to neutron user.
+# Defaults to []
+#
 # [*configure_endpoint*]
 # (Optional) Should zaqar endpoint be configured?
 # Defaults to true.
@@ -63,10 +75,6 @@
 # (Optional) Whether to configure the admin role for the service user.
 # Defaults to true
 #
-# [*roles*]
-# (Optional) Roles to give the service user.
-# Defaults to undef
-#
 class zaqar::keystone::auth(
 $password,
 $email = 'zaqar@localhost',
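Review bot: The new `roles` and `system_roles` parameter docs in the `@@ -19,6 +19,18 @@` hunk of manifests/keystone/auth.pp describe the "neutron user", which reads like a copy-paste from another module; this class manages the zaqar service user, as the neighbouring `tenant` doc says. Change the two lines to `# (Optional) List of roles assigned to zaqar user.` and `# (Optional) List of system roles assigned to zaqar user.`. The `system_scope` doc could also say that, with `system_roles` defaulting to `[]`, no system-scoped assignment is created unless an operator lists roles there — assuming keystone::resource::service_identity (outside this diff) treats an empty list that way, which is worth confirming before writing it down.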
@@ -78,12 +86,14 @@ class zaqar::keystone::auth(
 $internal_url = 'http://127.0.0.1:8888',
 $region = 'RegionOne',
 $tenant = 'services',
+ $roles = ['admin'],
+ $system_scope = 'all',
+ $system_roles = [],
 $configure_endpoint = true,
 $configure_service = true,
 $configure_user = true,
 $configure_user_role = true,
 $service_description = 'OpenStack Messaging Service',
- $roles = undef,
 ) {
 
 include zaqar::deps
@@ -102,9 +112,11 @@ class zaqar::keystone::auth(
 password => $password,
 email => $email,
 tenant => $tenant,
+ roles => $roles,
+ system_scope => $system_scope,
+ system_roles => $system_roles,
 public_url => $public_url,
 admin_url => $admin_url,
 internal_url => $internal_url,
- roles => $roles,
 }
 }
diff --git a/manifests/keystone/authtoken.pp b/manifests/keystone/authtoken.pp
index beec8db..467658d 100644
--- a/manifests/keystone/authtoken.pp
+++ b/manifests/keystone/authtoken.pp
@@ -28,6 +28,10 @@
 # (Optional) Name of domain for $project_name
 # Defaults to 'Default'
 #
+# [*system_scope*]
+# (Optional) Scope for system operations.
+# Defaults to $::os_service_default
+#
 # [*insecure*]
 # (Optional) If true, explicitly allow TLS without checking server cert
 # against any certificate authorities. WARNING: not recommended. Use with
@@ -198,6 +202,7 @@ class zaqar::keystone::authtoken(
 $project_name = 'services',
 $user_domain_name = 'Default',
 $project_domain_name = 'Default',
+ $system_scope = $::os_service_default,
 $insecure = $::os_service_default,
 $auth_section = $::os_service_default,
 $auth_type = 'password',
@@ -251,6 +256,7 @@ class zaqar::keystone::authtoken(
 auth_section => $auth_section,
 user_domain_name => $user_domain_name,
 project_domain_name => $project_domain_name,
+ system_scope => $system_scope,
 insecure => $insecure,
 cache => $cache,
 cafile => $cafile,
diff --git a/releasenotes/notes/system_scope-keystone-ce89823e072150ce.yaml b/releasenotes/notes/system_scope-keystone-ce89823e072150ce.yaml
new file mode 100644
index 0000000..fad332a
--- /dev/null
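Review bot: In the `@@ -251,6 +256,7 @@` hunk of manifests/keystone/authtoken.pp, `system_scope` is now handed to keystone::resource::authtoken next to `project_name` and `project_domain_name`, which keep their `'services'`/`'Default'` defaults from the `@@ -198` hunk, so a deployment that sets `system_scope` supplies both a project scope and a system scope to the auth plugin unless the underlying resource (from the Depends-on change, not in this diff) drops the project parameters when a system scope is given. If that is the contract being relied on, a comment on the new pass-through line would spare the next reader the lookup: `# system_scope takes precedence over project_name/project_domain_name in keystone::resource::authtoken` — wording to be confirmed against that resource. The `Defaults to $::os_service_default` doc line in the `@@ -28` hunk could likewise say that the default keeps the existing project-scoped credentials. The class body these hunks belong to starts and ends outside them.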
+++ b/releasenotes/notes/system_scope-keystone-ce89823e072150ce.yaml
@@ -0,0 +1,9 @@
+---
+features:
+ - |
+ The ``system_scope`` parameter has been added to
+ the ``zaqar::keystone::authtoken`` class.
+
+ - |
+ The ``zaqar::keystone::auth`` class now supports defining assignmet of
+ system-scoped roles to the zaqar service user.
diff --git a/spec/classes/zaqar_keystone_auth_spec.rb b/spec/classes/zaqar_keystone_auth_spec.rb
index a0979b5..d647c8b 100644
--- a/spec/classes/zaqar_keystone_auth_spec.rb
+++ b/spec/classes/zaqar_keystone_auth_spec.rb
@@ -23,6 +23,9 @@ describe 'zaqar::keystone::auth' do
 :password => 'zaqar_password',
 :email => 'zaqar@localhost',
 :tenant => 'services',
+ :roles => ['admin'],
+ :system_scope => 'all',
+ :system_roles => [],
 :public_url => 'http://127.0.0.1:8888',
 :internal_url => 'http://127.0.0.1:8888',
 :admin_url => 'http://127.0.0.1:8888',
@@ -35,6 +38,9 @@ describe 'zaqar::keystone::auth' do
 :auth_name => 'alt_zaqar',
 :email => 'alt_zaqar@alt_localhost',
 :tenant => 'alt_service',
+ :roles => ['admin', 'service'],
+ :system_scope => 'alt_all',
+ :system_roles => ['admin', 'member', 'reader'],
 :configure_endpoint => false,
 :configure_user => false,
 :configure_user_role => false,
@@ -44,8 +50,7 @@ describe 'zaqar::keystone::auth' do
 :region => 'RegionTwo',
 :public_url => 'https://10.10.10.10:80',
 :internal_url => 'http://10.10.10.11:81',
- :admin_url => 'http://10.10.10.12:81',
- :roles => ['admin', 'ResellerAdmin'] }
+ :admin_url => 'http://10.10.10.12:81' }
 end
 
 it { is_expected.to contain_keystone__resource__service_identity('zaqar').with(
@@ -60,10 +65,12 @@ describe 'zaqar::keystone::auth' do
 :password => 'zaqar_password',
 :email => 'alt_zaqar@alt_localhost',
 :tenant => 'alt_service',
+ :roles => ['admin', 'service'],
+ :system_scope => 'alt_all',
+ :system_roles => ['admin', 'member', 'reader'],
 :public_url => 'https://10.10.10.10:80',
 :internal_url => 'http://10.10.10.11:81',
 :admin_url => 'http://10.10.10.12:81',
- :roles => ['admin', 'ResellerAdmin'],
 ) }
 end
 end
diff --git a/spec/classes/zaqar_keystone_authtoken_spec.rb b/spec/classes/zaqar_keystone_authtoken_spec.rb
index 3e2d795..a52986a 100644
--- a/spec/classes/zaqar_keystone_authtoken_spec.rb
+++ b/spec/classes/zaqar_keystone_authtoken_spec.rb
@@ -18,6 +18,7 @@ describe 'zaqar::keystone::authtoken' do
 :project_name => 'services',
 :user_domain_name => 'Default',
 :project_domain_name => 'Default',
+ :system_scope => '',
 :insecure => '',
 :auth_section => '',
 :auth_type => 'password',
@@ -62,6 +63,7 @@ describe 'zaqar::keystone::authtoken' do
 :project_name => 'service_project',
 :user_domain_name => 'domainX',
 :project_domain_name => 'domainX',
+ :system_scope => 'all',
 :insecure => false,
 :auth_section => 'new_section',
 :auth_type => 'password',
@@ -103,6 +105,7 @@ describe 'zaqar::keystone::authtoken' do
 :project_name => 'service_project',
 :user_domain_name => 'domainX',
 :project_domain_name => 'domainX',
+ :system_scope => 'all',
 :insecure => false,
 :auth_section => 'new_section',
 :auth_type => 'password',
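Review bot: The override examples in the `@@ -62,6 +63,7 @@` and `@@ -103,6 +105,7 @@` hunks of spec/classes/zaqar_keystone_authtoken_spec.rb set `:system_scope => 'all'` together with `:project_name => 'service_project'` and, as far as these hunks show, only check that both values are forwarded to keystone::resource::authtoken, so nothing pins what the class emits when a system scope and a project scope are configured at the same time. An additional example that passes only `:system_scope => 'all'` (leaving the project parameters at their defaults) and asserts the resulting auth values would make the intended precedence explicit; which scope wins is decided by the resource, which is not visible here. The `describe` blocks and parameter hashes these hunks belong to start and end outside them.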