Customize roles assigned to cinder user
This patch introduces a new hieradata cinder::keystone::auth::roles, to configure customized role assigned to cinder user. This is required to configure service token feature, as it requires special role is assigned to the user who uses the feature. Change-Id: I02786009cf59cc113c390aa59a9297575ceb328c
This commit is contained in:
Takashi Kajinami
parent
fabf8c9f33
commit
0e78a0faae
@ -111,6 +111,18 @@
|
||||
# (Optional) Tenant for Cinder v3 user.
|
||||
# Defaults to 'services'.
|
||||
#
|
||||
# [*roles*]
|
||||
# (Optional) List of roles assigned to Cinder user
|
||||
# Defaults to ['admin']
|
||||
#
|
||||
# [*roles_v2*]
|
||||
# (Optional) List of roles assigned to Cinder v2 user
|
||||
# Defaults to ['admin']
|
||||
#
|
||||
# [*roles_v3*]
|
||||
# (Optional) List of roles assigned to Cinder v3 user
|
||||
# Defaults to ['admin']
|
||||
#
|
||||
# [*public_url_v2*]
|
||||
# (Optional) The v2 endpoint's public url.
|
||||
# This url should *not* contain any trailing '/'.
|
||||
@ -193,6 +205,9 @@ class cinder::keystone::auth (
|
||||
$tenant = 'services',
|
||||
$tenant_user_v2 = 'services',
|
||||
$tenant_user_v3 = 'services',
|
||||
$roles = ['admin'],
|
||||
$roles_v2 = ['admin'],
|
||||
$roles_v3 = ['admin'],
|
||||
$email = 'cinder@localhost',
|
||||
$email_user_v2 = 'cinderv2@localhost',
|
||||
$email_user_v3 = 'cinderv3@localhost',
|
||||
@ -264,6 +279,7 @@ class cinder::keystone::auth (
|
||||
password => $password,
|
||||
email => $email,
|
||||
tenant => $tenant,
|
||||
roles => $roles,
|
||||
}
|
||||
|
||||
keystone::resource::service_identity { 'cinderv2':
|
||||
@ -278,6 +294,7 @@ class cinder::keystone::auth (
|
||||
password => $password_user_v2,
|
||||
email => $email_user_v2,
|
||||
tenant => $tenant_user_v2,
|
||||
roles => $roles_v2,
|
||||
public_url => $public_url_v2,
|
||||
admin_url => $admin_url_v2,
|
||||
internal_url => $internal_url_v2,
|
||||
@ -295,6 +312,7 @@ class cinder::keystone::auth (
|
||||
password => $password_user_v3,
|
||||
email => $email_user_v3,
|
||||
tenant => $tenant_user_v3,
|
||||
roles => $roles_v3,
|
||||
public_url => $public_url_v3,
|
||||
admin_url => $admin_url_v3,
|
||||
internal_url => $internal_url_v3,
|
||||
|
||||
@ -165,6 +165,16 @@
|
||||
# (in seconds). Set to -1 to disable caching completely. Integer value
|
||||
# Defaults to $::os_service_default.
|
||||
#
|
||||
# [*service_token_roles*]
|
||||
# (Optional) A choice of roles that must be present in a service token.
|
||||
# Service tokens are allowed to request that an expired token
|
||||
# can be used and so this check should tightly control that
|
||||
# only actual services should be sending this token. Roles
|
||||
# here are applied as an ANY check so any role in this list
|
||||
# must be present. For backwards compatibility reasons this
|
||||
# currently only affects the allow_expired check. (list value)
|
||||
# Defaults to $::os_service_default.
|
||||
#
|
||||
# [*service_token_roles_required*]
|
||||
# (optional) backwards compatibility to ensure that the service tokens are
|
||||
# compared against a list of possible roles for validity
|
||||
@ -224,6 +234,7 @@ class cinder::keystone::authtoken(
|
||||
$manage_memcache_package = false,
|
||||
$region_name = $::os_service_default,
|
||||
$token_cache_time = $::os_service_default,
|
||||
$service_token_roles = $::os_service_default,
|
||||
$service_token_roles_required = $::os_service_default,
|
||||
# DEPRECATED PARAMETERS
|
||||
$check_revocations_for_cached = undef,
|
||||
@ -277,6 +288,7 @@ class cinder::keystone::authtoken(
|
||||
manage_memcache_package => $manage_memcache_package,
|
||||
region_name => $region_name,
|
||||
token_cache_time => $token_cache_time,
|
||||
service_token_roles => $service_token_roles,
|
||||
service_token_roles_required => $service_token_roles_required,
|
||||
}
|
||||
}
|
||||
|
||||
@ -0,0 +1,10 @@
|
||||
---
|
||||
features:
|
||||
- |
|
||||
New hieradata, cinder::keystone::authtoken::service_token_roles, is
|
||||
introduced so that specific role can be assigned to the service user
|
||||
who can use service token feature.
|
||||
- |
|
||||
New hieradata, cinder::keystone::roles, roles_v2 and roles_v3 are
|
||||
introduced to configure customized role for cinder user in keystone
|
||||
identity.
|
||||
@ -48,6 +48,7 @@ describe 'cinder::keystone::auth' do
|
||||
context 'when overriding parameters' do
|
||||
before do
|
||||
params.merge!({
|
||||
:roles => ['admin', 'service'],
|
||||
:region => 'RegionThree',
|
||||
:public_url_v2 => 'https://10.0.42.1:4242/v42/%(tenant_id)s',
|
||||
:admin_url_v2 => 'https://10.0.42.2:4242/v42/%(tenant_id)s',
|
||||
@ -58,6 +59,11 @@ describe 'cinder::keystone::auth' do
|
||||
})
|
||||
end
|
||||
|
||||
it { is_expected.to contain_keystone_user_role('cinder@services').with(
|
||||
:ensure => 'present',
|
||||
:roles => ['admin', 'service']
|
||||
)}
|
||||
|
||||
it { is_expected.to contain_keystone_endpoint('RegionThree/cinderv2::volumev2').with(
|
||||
:ensure => 'present',
|
||||
:public_url => 'https://10.0.42.1:4242/v42/%(tenant_id)s',
|
||||
|
||||
@ -41,6 +41,7 @@ describe 'cinder::keystone::authtoken' do
|
||||
is_expected.to contain_cinder_config('keystone_authtoken/memcached_servers').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_cinder_config('keystone_authtoken/region_name').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_cinder_config('keystone_authtoken/token_cache_time').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_cinder_config('keystone_authtoken/service_token_roles').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_cinder_config('keystone_authtoken/service_token_roles_required').with_value('<SERVICE DEFAULT>')
|
||||
end
|
||||
end
|
||||
@ -48,39 +49,40 @@ describe 'cinder::keystone::authtoken' do
|
||||
context 'when overriding parameters' do
|
||||
before do
|
||||
params.merge!({
|
||||
:www_authenticate_uri => 'https://10.0.0.1:9999/',
|
||||
:username => 'myuser',
|
||||
:password => 'mypasswd',
|
||||
:auth_url => 'https://127.0.0.1:5000',
|
||||
:project_name => 'service_project',
|
||||
:user_domain_name => 'domainX',
|
||||
:project_domain_name => 'domainX',
|
||||
:insecure => false,
|
||||
:auth_section => 'new_section',
|
||||
:auth_type => 'password',
|
||||
:auth_version => 'v3',
|
||||
:cache => 'somevalue',
|
||||
:cafile => '/opt/stack/data/cafile.pem',
|
||||
:certfile => 'certfile.crt',
|
||||
:delay_auth_decision => false,
|
||||
:enforce_token_bind => 'permissive',
|
||||
:http_connect_timeout => '300',
|
||||
:http_request_max_retries => '3',
|
||||
:include_service_catalog => true,
|
||||
:keyfile => 'keyfile',
|
||||
:memcache_pool_conn_get_timeout => '9',
|
||||
:memcache_pool_dead_retry => '302',
|
||||
:memcache_pool_maxsize => '11',
|
||||
:memcache_pool_socket_timeout => '2',
|
||||
:memcache_pool_unused_timeout => '61',
|
||||
:memcache_secret_key => 'secret_key',
|
||||
:memcache_security_strategy => 'ENCRYPT',
|
||||
:memcache_use_advanced_pool => true,
|
||||
:memcached_servers => ['memcached01:11211','memcached02:11211'],
|
||||
:manage_memcache_package => true,
|
||||
:region_name => 'region2',
|
||||
:token_cache_time => '301',
|
||||
:service_token_roles_required => false,
|
||||
:www_authenticate_uri => 'https://10.0.0.1:9999/',
|
||||
:username => 'myuser',
|
||||
:password => 'mypasswd',
|
||||
:auth_url => 'https://127.0.0.1:5000',
|
||||
:project_name => 'service_project',
|
||||
:user_domain_name => 'domainX',
|
||||
:project_domain_name => 'domainX',
|
||||
:insecure => false,
|
||||
:auth_section => 'new_section',
|
||||
:auth_type => 'password',
|
||||
:auth_version => 'v3',
|
||||
:cache => 'somevalue',
|
||||
:cafile => '/opt/stack/data/cafile.pem',
|
||||
:certfile => 'certfile.crt',
|
||||
:delay_auth_decision => false,
|
||||
:enforce_token_bind => 'permissive',
|
||||
:http_connect_timeout => '300',
|
||||
:http_request_max_retries => '3',
|
||||
:include_service_catalog => true,
|
||||
:keyfile => 'keyfile',
|
||||
:memcache_pool_conn_get_timeout => '9',
|
||||
:memcache_pool_dead_retry => '302',
|
||||
:memcache_pool_maxsize => '11',
|
||||
:memcache_pool_socket_timeout => '2',
|
||||
:memcache_pool_unused_timeout => '61',
|
||||
:memcache_secret_key => 'secret_key',
|
||||
:memcache_security_strategy => 'ENCRYPT',
|
||||
:memcache_use_advanced_pool => true,
|
||||
:memcached_servers => ['memcached01:11211','memcached02:11211'],
|
||||
:manage_memcache_package => true,
|
||||
:region_name => 'region2',
|
||||
:token_cache_time => '301',
|
||||
:service_token_roles => ['admin'],
|
||||
:service_token_roles_required => true,
|
||||
})
|
||||
end
|
||||
|
||||
@ -116,6 +118,7 @@ describe 'cinder::keystone::authtoken' do
|
||||
is_expected.to contain_cinder_config('keystone_authtoken/memcached_servers').with_value('memcached01:11211,memcached02:11211')
|
||||
is_expected.to contain_cinder_config('keystone_authtoken/region_name').with_value(params[:region_name])
|
||||
is_expected.to contain_cinder_config('keystone_authtoken/token_cache_time').with_value(params[:token_cache_time])
|
||||
is_expected.to contain_cinder_config('keystone_authtoken/service_token_roles').with_value(params[:service_token_roles])
|
||||
is_expected.to contain_cinder_config('keystone_authtoken/service_token_roles_required').with_value(params[:service_token_roles_required])
|
||||
end
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user