SRBAC - Prepare for additional services

In order to effectively handle cross-service integrations, we need to
evaluate two separate items which are not standardized in devstack.

Names, and common service references. Unfortunately, only a couple
services presently have support in devstack for these settings, and
cases where it was previously supported have been removed for unknown
reasons, but this seems to be the overall plan.

Sets the stage, so we can be early to the cross-service testing party
of secure rbac.

Change-Id: I8794374c02a24185b6e24a675ad9cb7b3dfd69df
Julia Kreger 2021-10-04 16:39:31 -07:00
parent 044091c146
commit 371313214a

@ -1616,14 +1616,25 @@ function configure_ironic_api {
function configure_client_for { function configure_client_for {
local service_config_section local service_config_section
service_config_section=$1 service_config_section=$1
local use_system_scope="False"
# keystoneauth auth plugin options # keystoneauth auth plugin options
iniset $IRONIC_CONF_FILE $service_config_section auth_type password iniset $IRONIC_CONF_FILE $service_config_section auth_type password
iniset $IRONIC_CONF_FILE $service_config_section auth_url $KEYSTONE_SERVICE_URI iniset $IRONIC_CONF_FILE $service_config_section auth_url $KEYSTONE_SERVICE_URI
# NOTE(TheJulia): This list is likely to become long as we turn on
# support for system scoped enforcement of other services, but for now, # NOTE(TheJulia): Below are services which we know, as of late 2021, which support
# we really only care about inspector and we can figure out the others # explicit scope based ops *and* have knobs.
# as time and their devstack code supports it. # Needed: Neutron, swift, nova ?service_catalog?
# Neutron - https://review.opendev.org/c/openstack/devstack/+/797450
if [[ "$service_config_section" == "inspector" ]] && [[ "$IRONIC_INSPECTOR_ENFORCE_SCOPE" == "True" ]]; then if [[ "$service_config_section" == "inspector" ]] && [[ "$IRONIC_INSPECTOR_ENFORCE_SCOPE" == "True" ]]; then
use_system_scope="True"
elif [[ "$service_config_section" == "cinder" ]] && [[ "${CINDER_ENFORCE_SCOPE:-False}" == "True" ]]; then
use_system_scope="True"
elif [[ "$service_config_section" == "glance" ]] && [[ "${GLANCE_ENFORCE_SCOPE:-False}" == "True" ]]; then
use_system_scope="True"
fi
if [[ "$use_system_scope" == "True" ]]; then
iniset $IRONIC_CONF_FILE $service_config_section system_scope all iniset $IRONIC_CONF_FILE $service_config_section system_scope all
iniset $IRONIC_CONF_FILE $service_config_section username admin iniset $IRONIC_CONF_FILE $service_config_section username admin
iniset $IRONIC_CONF_FILE $service_config_section password $ADMIN_PASSWORD iniset $IRONIC_CONF_FILE $service_config_section password $ADMIN_PASSWORD
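
Review bot: The new `elif` branches for `cinder` and `glance` set `use_system_scope="True"`, which sends those sections into the block that writes `username admin`, `password $ADMIN_PASSWORD` and `system_scope all`, so every service added to this chain gets the cloud admin credential with system-wide scope written into `$IRONIC_CONF_FILE`. For a secure RBAC change, consider a dedicated service user with a system-scoped role assignment, or at least a comment stating that the admin account is a devstack-only shortcut. Separately, `IRONIC_INSPECTOR_ENFORCE_SCOPE` is compared with no default while the two new variables use `:-False`; making the three checks consistent would help as the list grows, and the `?service_catalog?` in the NOTE should spell out what is still needed for Neutron, swift and nova.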