From f3c8731fcd7021d6e8428181cb738f8da8c3cb65 Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Thu, 25 Nov 2021 18:58:56 +0900 Subject: [PATCH] Accept system scope credentials for Keystone API request This change is the first step to support secure RBAC and allows usage of system scope credentials for Keystone API request. This change covers the following two items. - assignment of system scope roles to system user - credential parameters for authtoken middleware Depends-on: https://review.opendev.org/804325 Change-Id: Ifbe407233c0739038f23c645f2bd544a409bb1cd --- manifests/keystone/auth.pp | 25 +++++++++++++++++++ manifests/keystone/authtoken.pp | 6 +++++ ...ystem_scope-keystone-dfb7566a1f8b1eab.yaml | 13 ++++++++++ spec/classes/gnocchi_keystone_auth_spec.rb | 9 +++++++ .../gnocchi_keystone_authtoken_spec.rb | 3 +++ 5 files changed, 56 insertions(+) create mode 100644 releasenotes/notes/system_scope-keystone-dfb7566a1f8b1eab.yaml diff --git a/manifests/keystone/auth.pp b/manifests/keystone/auth.pp index 9fcfd548..bb0c2380 100644 --- a/manifests/keystone/auth.pp +++ b/manifests/keystone/auth.pp @@ -19,6 +19,18 @@ # (Optional) Tenant for gnocchi user. # Defaults to 'services'. # +# [*roles*] +# (Optional) List of roles assigned to gnocchi user. +# Defaults to ['admin'] +# +# [*system_scope*] +# (Optional) Scope for system operations. +# Defaults to 'all' +# +# [*system_roles*] +# (Optional) List of system roles assigned to gnocchi user. +# Defaults to [] +# # [*configure_endpoint*] # (Optional) Should gnocchi endpoint be configured? # Defaults to true @@ -67,6 +79,9 @@ class gnocchi::keystone::auth ( $auth_name = 'gnocchi', $email = 'gnocchi@localhost', $tenant = 'services', + $roles = ['admin'], + $system_scope = 'all', + $system_roles = [], $configure_endpoint = true, $configure_user = true, $configure_user_role = true, @@ -81,6 +96,13 @@ class gnocchi::keystone::auth ( include gnocchi::deps + Keystone_user_role<| name == "${auth_name}@${tenant}" |> -> Anchor['gnocchi::service::end'] + Keystone_user_role<| name == "${auth_name}@::::${system_scope}" |> -> Anchor['gnocchi::service::end'] + + if $configure_endpoint { + Keystone_endpoint["${region}/${service_name}::${service_type}"] -> Anchor['gnocchi::service::end'] + } + keystone::resource::service_identity { 'gnocchi': configure_user => $configure_user, configure_user_role => $configure_user_role, @@ -93,6 +115,9 @@ class gnocchi::keystone::auth ( password => $password, email => $email, tenant => $tenant, + roles => $roles, + system_scope => $system_scope, + system_roles => $system_roles, public_url => $public_url, internal_url => $internal_url, admin_url => $admin_url, diff --git a/manifests/keystone/authtoken.pp b/manifests/keystone/authtoken.pp index 4d0f9d85..c21a03b1 100644 --- a/manifests/keystone/authtoken.pp +++ b/manifests/keystone/authtoken.pp @@ -28,6 +28,10 @@ # (Optional) Name of domain for $project_name # Defaults to 'Default' # +# [*system_scope*] +# (Optional) Scope for system operations. +# Defaults to $::os_service_default +# # [*insecure*] # (Optional) If true, explicitly allow TLS without checking server cert # against any certificate authorities. WARNING: not recommended. Use with @@ -198,6 +202,7 @@ class gnocchi::keystone::authtoken( $project_name = 'services', $user_domain_name = 'Default', $project_domain_name = 'Default', + $system_scope = $::os_service_default, $insecure = $::os_service_default, $auth_section = $::os_service_default, $auth_type = 'password', @@ -251,6 +256,7 @@ class gnocchi::keystone::authtoken( auth_section => $auth_section, user_domain_name => $user_domain_name, project_domain_name => $project_domain_name, + system_scope => $system_scope, insecure => $insecure, cache => $cache, cafile => $cafile, diff --git a/releasenotes/notes/system_scope-keystone-dfb7566a1f8b1eab.yaml b/releasenotes/notes/system_scope-keystone-dfb7566a1f8b1eab.yaml new file mode 100644 index 00000000..c43ebce5 --- /dev/null +++ b/releasenotes/notes/system_scope-keystone-dfb7566a1f8b1eab.yaml @@ -0,0 +1,13 @@ +--- +features: + - | + The ``system_scope`` parameter has been added to + the ``gnocchi::keystone::authtoken`` class. + + - | + The ``gnocchi::keystone::auth`` class now supports customizing roles + assigned to the gnocchi service user. + + - | + The ``gnocchi::keystone::auth`` class now supports defining assignmet of + system-scoped roles to the gnocchi service user. diff --git a/spec/classes/gnocchi_keystone_auth_spec.rb b/spec/classes/gnocchi_keystone_auth_spec.rb index 86bd6ab7..a3420776 100644 --- a/spec/classes/gnocchi_keystone_auth_spec.rb +++ b/spec/classes/gnocchi_keystone_auth_spec.rb @@ -23,6 +23,9 @@ describe 'gnocchi::keystone::auth' do :password => 'gnocchi_password', :email => 'gnocchi@localhost', :tenant => 'services', + :roles => ['admin'], + :system_scope => 'all', + :system_roles => [], :public_url => 'http://127.0.0.1:8041', :internal_url => 'http://127.0.0.1:8041', :admin_url => 'http://127.0.0.1:8041', @@ -35,6 +38,9 @@ describe 'gnocchi::keystone::auth' do :auth_name => 'alt_gnocchi', :email => 'alt_gnocchi@alt_localhost', :tenant => 'alt_service', + :roles => ['admin', 'service'], + :system_scope => 'all', + :system_roles => ['admin', 'member', 'reader'], :configure_endpoint => false, :configure_user => false, :configure_user_role => false, @@ -59,6 +65,9 @@ describe 'gnocchi::keystone::auth' do :password => 'gnocchi_password', :email => 'alt_gnocchi@alt_localhost', :tenant => 'alt_service', + :roles => ['admin', 'service'], + :system_scope => 'all', + :system_roles => ['admin', 'member', 'reader'], :public_url => 'https://10.10.10.10:80', :internal_url => 'http://10.10.10.11:81', :admin_url => 'http://10.10.10.12:81', diff --git a/spec/classes/gnocchi_keystone_authtoken_spec.rb b/spec/classes/gnocchi_keystone_authtoken_spec.rb index 2b882282..64986550 100644 --- a/spec/classes/gnocchi_keystone_authtoken_spec.rb +++ b/spec/classes/gnocchi_keystone_authtoken_spec.rb @@ -18,6 +18,7 @@ describe 'gnocchi::keystone::authtoken' do :project_name => 'services', :user_domain_name => 'Default', :project_domain_name => 'Default', + :system_scope => '', :insecure => '', :auth_section => '', :auth_type => 'password', @@ -62,6 +63,7 @@ describe 'gnocchi::keystone::authtoken' do :project_name => 'service_project', :user_domain_name => 'domainX', :project_domain_name => 'domainX', + :system_scope => 'all', :insecure => false, :auth_section => 'new_section', :auth_type => 'password', @@ -103,6 +105,7 @@ describe 'gnocchi::keystone::authtoken' do :project_name => 'service_project', :user_domain_name => 'domainX', :project_domain_name => 'domainX', + :system_scope => 'all', :insecure => false, :auth_section => 'new_section', :auth_type => 'password',