From 5f52d0d0e754cc781df18d9350542d888b36b200 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Fri, 4 Mar 2022 00:41:56 +0900
Subject: [PATCH] Globally support system scope credentials

After spending huge effort to understand the exact requirements to enforce SRBAC, we learned it's very difficult to find the required scope in each credential. This requires understanding implementation of client-side as well as server-side, and requirement might be different according to the deployment architecture or features used.

Instead of implementing support based on the actual implementation, this introduces support for system scope credentials to all places where keystone user credential is defined, and make all credential configurations consistent.

Change-Id: I3a659a6b43d9c47e88334c24fb866a73a8f24a24
---
 manifests/agent/service_credentials.pp | 18 ++++++++++++++++--
 .../system_scope-all-7766304aa60b50d1.yaml | 5 +++++
 ...eilometer_agent_service_credentials_spec.rb | 14 ++++++++++++++
 3 files changed, 35 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/system_scope-all-7766304aa60b50d1.yaml

diff --git a/manifests/agent/service_credentials.pp b/manifests/agent/service_credentials.pp
index 54bc58ab..0f486d51 100644
--- a/manifests/agent/service_credentials.pp
+++ b/manifests/agent/service_credentials.pp
@@ -24,6 +24,10 @@
 # (Optional) the keystone project name for ceilometer services
 # Defaults to 'services'.
 #
+# [*system_scope*]
+# (Optional) Scope for system operations.
+# Defaults to $::os_service_default
+#
 # [*cafile*]
 # (Optional) Certificate chain for SSL validation.
 # Defaults to $::os_service_default.
@@ -51,6 +55,7 @@ class ceilometer::agent::service_credentials (
 $region_name = $::os_service_default,
 $username = 'ceilometer',
 $project_name = 'services',
+ $system_scope = $::os_service_default,
 $cafile = $::os_service_default,
 $interface = $::os_service_default,
 $user_domain_name = 'Default',
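Review bot: The new `[*system_scope*]` comment block does not tell the operator that setting this parameter makes `project_name` and `project_domain_name` irrelevant — later in this same file the class resets both to `$::os_service_default` whenever `system_scope` is not the service default, so an explicitly configured project is silently discarded. Because a system-scoped credential is cloud-wide rather than confined to the `services` project, that trade-off belongs next to the parameter. Suggested wording for the hunk's second added line: `#   (Optional) Scope for system operations. When set, project_name and`, followed by `#   project_domain_name are ignored and the credential becomes system scoped.`, then the existing `#   Defaults to $::os_service_default` line.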
@@ -60,16 +65,25 @@ class ceilometer::agent::service_credentials (
 
 include ceilometer::deps
 
+ if is_service_default($system_scope) {
+ $project_name_real = $project_name
+ $project_domain_name_real = $project_domain_name
+ } else {
+ $project_name_real = $::os_service_default
+ $project_domain_name_real = $::os_service_default
+ }
+
 ceilometer_config {
 'service_credentials/auth_url' : value => $auth_url;
 'service_credentials/region_name' : value => $region_name;
 'service_credentials/username' : value => $username;
 'service_credentials/password' : value => $password, secret => true;
- 'service_credentials/project_name' : value => $project_name;
+ 'service_credentials/project_name' : value => $project_name_real;
+ 'service_credentials/system_scope' : value => $system_scope;
 'service_credentials/cafile' : value => $cafile;
 'service_credentials/interface' : value => $interface;
 'service_credentials/user_domain_name' : value => $user_domain_name;
- 'service_credentials/project_domain_name': value => $project_domain_name;
+ 'service_credentials/project_domain_name': value => $project_domain_name_real;
 'service_credentials/auth_type' : value => $auth_type;
 }
 }
diff --git a/releasenotes/notes/system_scope-all-7766304aa60b50d1.yaml b/releasenotes/notes/system_scope-all-7766304aa60b50d1.yaml
new file mode 100644
index 00000000..7fe459ea
--- /dev/null
+++ b/releasenotes/notes/system_scope-all-7766304aa60b50d1.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ The ``ceilometer::agent::service_credentials::system_scope`` parameter has
+ been added.
diff --git a/spec/classes/ceilometer_agent_service_credentials_spec.rb b/spec/classes/ceilometer_agent_service_credentials_spec.rb
index 4a20621f..141eaaf3 100644
--- a/spec/classes/ceilometer_agent_service_credentials_spec.rb
+++ b/spec/classes/ceilometer_agent_service_credentials_spec.rb
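Review bot: The `if is_service_default($system_scope)` test accepts any non-default value, so a typo such as `system_scope => 'All'` or an empty string still strips `project_name`/`project_domain_name` and writes the bad value to `service_credentials/system_scope`, leaving the agent with neither a project scope nor a valid system scope. Keystone defines a single system scope, `all`, so I would fail the catalog up front rather than emit a broken credential, e.g. before the `if`: `if !is_service_default($system_scope) and $system_scope != 'all' { fail("system_scope only supports 'all'") }`. A one-line comment on the `else` branch would also help, along the lines of `# system scope replaces project scope; the ceilometer user needs a system role assignment, not a role on the 'services' project`, since a deployment that only has the project-level role assignment will presumably start failing authentication with nothing pointing back to this knob.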
@@ -19,6 +19,7 @@ describe 'ceilometer::agent::service_credentials' do
 is_expected.to contain_ceilometer_config('service_credentials/username').with_value('ceilometer')
 is_expected.to contain_ceilometer_config('service_credentials/password').with_value('password').with_secret(true)
 is_expected.to contain_ceilometer_config('service_credentials/project_name').with_value('services')
+ is_expected.to contain_ceilometer_config('service_credentials/system_scope').with_value('')
 is_expected.to contain_ceilometer_config('service_credentials/cafile').with_value('')
 is_expected.to contain_ceilometer_config('service_credentials/interface').with_value('')
 is_expected.to contain_ceilometer_config('service_credentials/user_domain_name').with_value('Default')
@@ -48,6 +49,7 @@ describe 'ceilometer::agent::service_credentials' do
 is_expected.to contain_ceilometer_config('service_credentials/username').with_value('ceilometer2')
 is_expected.to contain_ceilometer_config('service_credentials/password').with_value('password').with_secret(true)
 is_expected.to contain_ceilometer_config('service_credentials/project_name').with_value('services2')
+ is_expected.to contain_ceilometer_config('service_credentials/system_scope').with_value('')
 is_expected.to contain_ceilometer_config('service_credentials/cafile').with_value('/tmp/dummy.pem')
 is_expected.to contain_ceilometer_config('service_credentials/interface').with_value('internalURL')
 is_expected.to contain_ceilometer_config('service_credentials/user_domain_name').with_value('MyDomain')
@@ -56,6 +58,18 @@ describe 'ceilometer::agent::service_credentials' do
 end
 end
 
+ context 'when system_scope is set' do
+ before do
+ params.merge!(
+ :system_scope => 'all'
+ )
+ end
+ it 'configures system-scoped credential' do
+ is_expected.to contain_ceilometer_config('service_credentials/project_name').with_value('')
+ is_expected.to contain_ceilometer_config('service_credentials/project_domain_name').with_value('')
+ is_expected.to contain_ceilometer_config('service_credentials/system_scope').with_value('all')
+ end
+ end
 end
 
 on_supported_os({
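Review bot: The new `when system_scope is set` context only merges `:system_scope`, so it never exercises the precedence rule that makes this change security-relevant — an explicitly supplied project being discarded in favour of the system scope; with the base params the two `.with_value('')` expectations could pass simply because no project was set. Add `:project_name => 'services2',` and `:project_domain_name => 'MyDomain',` alongside `:system_scope => 'all'` in the `params.merge!` call so the test proves the override rather than the default. The enclosing describe/shared-examples block begins before this hunk, so I have assumed the base params do not already set a project.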