openstack/puppet-cinder
Code Issues Proposed changes

Customize roles assigned to cinder user

Browse Source 
This patch introduces a new hieradata cinder::keystone::auth::roles,
to configure customized role assigned to cinder user.

This is required to configure service token feature, as it requires
special role is assigned to the user who uses the feature.

Change-Id: I02786009cf59cc113c390aa59a9297575ceb328c
This commit is contained in:
Takashi Kajinami 2019-06-25 09:11:15 +09:00
parent fabf8c9f33
commit 0e78a0faae
5 changed files with 82 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
manifests/keystone/auth.pp
View File

@ -111,6 +111,18 @@
# (Optional) Tenant for Cinder v3 user. # (Optional) Tenant for Cinder v3 user.
# Defaults to 'services'. # Defaults to 'services'.
# #
# [*roles*]
# (Optional) List of roles assigned to Cinder user
# Defaults to ['admin']
#
# [*roles_v2*]
# (Optional) List of roles assigned to Cinder v2 user
# Defaults to ['admin']
#
# [*roles_v3*]
# (Optional) List of roles assigned to Cinder v3 user
# Defaults to ['admin']
#
# [*public_url_v2*] # [*public_url_v2*]
# (Optional) The v2 endpoint's public url. # (Optional) The v2 endpoint's public url.
# This url should *not* contain any trailing '/'. # This url should *not* contain any trailing '/'.
@ -193,6 +205,9 @@ class cinder::keystone::auth (
$tenant = 'services', $tenant = 'services',
$tenant_user_v2 = 'services', $tenant_user_v2 = 'services',
$tenant_user_v3 = 'services', $tenant_user_v3 = 'services',
$roles = ['admin'],
$roles_v2 = ['admin'],
$roles_v3 = ['admin'],
$email = 'cinder@localhost', $email = 'cinder@localhost',
$email_user_v2 = 'cinderv2@localhost', $email_user_v2 = 'cinderv2@localhost',
$email_user_v3 = 'cinderv3@localhost', $email_user_v3 = 'cinderv3@localhost',
@ -264,6 +279,7 @@ class cinder::keystone::auth (
password => $password, password => $password,
email => $email, email => $email,
tenant => $tenant, tenant => $tenant,
roles => $roles,
} }
keystone::resource::service_identity { 'cinderv2': keystone::resource::service_identity { 'cinderv2':
@ -278,6 +294,7 @@ class cinder::keystone::auth (
password => $password_user_v2, password => $password_user_v2,
email => $email_user_v2, email => $email_user_v2,
tenant => $tenant_user_v2, tenant => $tenant_user_v2,
roles => $roles_v2,
public_url => $public_url_v2, public_url => $public_url_v2,
admin_url => $admin_url_v2, admin_url => $admin_url_v2,
internal_url => $internal_url_v2, internal_url => $internal_url_v2,
@ -295,6 +312,7 @@ class cinder::keystone::auth (
password => $password_user_v3, password => $password_user_v3,
email => $email_user_v3, email => $email_user_v3,
tenant => $tenant_user_v3, tenant => $tenant_user_v3,
roles => $roles_v3,
public_url => $public_url_v3, public_url => $public_url_v3,
admin_url => $admin_url_v3, admin_url => $admin_url_v3,
internal_url => $internal_url_v3, internal_url => $internal_url_v3,

12
manifests/keystone/authtoken.pp
View File

@ -165,6 +165,16 @@
# (in seconds). Set to -1 to disable caching completely. Integer value # (in seconds). Set to -1 to disable caching completely. Integer value
# Defaults to $::os_service_default. # Defaults to $::os_service_default.
# #
# [*service_token_roles*]
# (Optional) A choice of roles that must be present in a service token.
# Service tokens are allowed to request that an expired token
# can be used and so this check should tightly control that
# only actual services should be sending this token. Roles
# here are applied as an ANY check so any role in this list
# must be present. For backwards compatibility reasons this
# currently only affects the allow_expired check. (list value)
# Defaults to $::os_service_default.
#
# [*service_token_roles_required*] # [*service_token_roles_required*]
# (optional) backwards compatibility to ensure that the service tokens are # (optional) backwards compatibility to ensure that the service tokens are
# compared against a list of possible roles for validity # compared against a list of possible roles for validity
@ -224,6 +234,7 @@ class cinder::keystone::authtoken(
$manage_memcache_package = false, $manage_memcache_package = false,
$region_name = $::os_service_default, $region_name = $::os_service_default,
$token_cache_time = $::os_service_default, $token_cache_time = $::os_service_default,
$service_token_roles = $::os_service_default,
$service_token_roles_required = $::os_service_default, $service_token_roles_required = $::os_service_default,
# DEPRECATED PARAMETERS # DEPRECATED PARAMETERS
$check_revocations_for_cached = undef, $check_revocations_for_cached = undef,
@ -277,6 +288,7 @@ class cinder::keystone::authtoken(
manage_memcache_package => $manage_memcache_package, manage_memcache_package => $manage_memcache_package,
region_name => $region_name, region_name => $region_name,
token_cache_time => $token_cache_time, token_cache_time => $token_cache_time,
service_token_roles => $service_token_roles,
service_token_roles_required => $service_token_roles_required, service_token_roles_required => $service_token_roles_required,
} }
} }

10
releasenotes/notes/keystone_authtoken-service_token_roles-e698dd87b9cd2598.yaml Normal file
View File

@ -0,0 +1,10 @@
---
features:
- |
New hieradata, cinder::keystone::authtoken::service_token_roles, is
introduced so that specific role can be assigned to the service user
who can use service token feature.
- |
New hieradata, cinder::keystone::roles, roles_v2 and roles_v3 are
introduced to configure customized role for cinder user in keystone
identity.

6
spec/classes/cinder_keystone_auth_spec.rb
View File

@ -48,6 +48,7 @@ describe 'cinder::keystone::auth' do
context 'when overriding parameters' do context 'when overriding parameters' do
before do before do
params.merge!({ params.merge!({
:roles => ['admin', 'service'],
:region => 'RegionThree', :region => 'RegionThree',
:public_url_v2 => 'https://10.0.42.1:4242/v42/%(tenant_id)s', :public_url_v2 => 'https://10.0.42.1:4242/v42/%(tenant_id)s',
:admin_url_v2 => 'https://10.0.42.2:4242/v42/%(tenant_id)s', :admin_url_v2 => 'https://10.0.42.2:4242/v42/%(tenant_id)s',
@ -58,6 +59,11 @@ describe 'cinder::keystone::auth' do
}) })
end end
it { is_expected.to contain_keystone_user_role('cinder@services').with(
:ensure => 'present',
:roles => ['admin', 'service']
)}
it { is_expected.to contain_keystone_endpoint('RegionThree/cinderv2::volumev2').with( it { is_expected.to contain_keystone_endpoint('RegionThree/cinderv2::volumev2').with(
:ensure => 'present', :ensure => 'present',
:public_url => 'https://10.0.42.1:4242/v42/%(tenant_id)s', :public_url => 'https://10.0.42.1:4242/v42/%(tenant_id)s',

69
spec/classes/cinder_keystone_authtoken_spec.rb
View File

@ -41,6 +41,7 @@ describe 'cinder::keystone::authtoken' do
is_expected.to contain_cinder_config('keystone_authtoken/memcached_servers').with_value('<SERVICE DEFAULT>') is_expected.to contain_cinder_config('keystone_authtoken/memcached_servers').with_value('<SERVICE DEFAULT>')
is_expected.to contain_cinder_config('keystone_authtoken/region_name').with_value('<SERVICE DEFAULT>') is_expected.to contain_cinder_config('keystone_authtoken/region_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_cinder_config('keystone_authtoken/token_cache_time').with_value('<SERVICE DEFAULT>') is_expected.to contain_cinder_config('keystone_authtoken/token_cache_time').with_value('<SERVICE DEFAULT>')
is_expected.to contain_cinder_config('keystone_authtoken/service_token_roles').with_value('<SERVICE DEFAULT>')
is_expected.to contain_cinder_config('keystone_authtoken/service_token_roles_required').with_value('<SERVICE DEFAULT>') is_expected.to contain_cinder_config('keystone_authtoken/service_token_roles_required').with_value('<SERVICE DEFAULT>')
end end
end end
@ -48,39 +49,40 @@ describe 'cinder::keystone::authtoken' do
context 'when overriding parameters' do context 'when overriding parameters' do
before do before do
params.merge!({ params.merge!({
:www_authenticate_uri => 'https://10.0.0.1:9999/', :www_authenticate_uri => 'https://10.0.0.1:9999/',
:username => 'myuser', :username => 'myuser',
:password => 'mypasswd', :password => 'mypasswd',
:auth_url => 'https://127.0.0.1:5000', :auth_url => 'https://127.0.0.1:5000',
:project_name => 'service_project', :project_name => 'service_project',
:user_domain_name => 'domainX', :user_domain_name => 'domainX',
:project_domain_name => 'domainX', :project_domain_name => 'domainX',
:insecure => false, :insecure => false,
:auth_section => 'new_section', :auth_section => 'new_section',
:auth_type => 'password', :auth_type => 'password',
:auth_version => 'v3', :auth_version => 'v3',
:cache => 'somevalue', :cache => 'somevalue',
:cafile => '/opt/stack/data/cafile.pem', :cafile => '/opt/stack/data/cafile.pem',
:certfile => 'certfile.crt', :certfile => 'certfile.crt',
:delay_auth_decision => false, :delay_auth_decision => false,
:enforce_token_bind => 'permissive', :enforce_token_bind => 'permissive',
:http_connect_timeout => '300', :http_connect_timeout => '300',
:http_request_max_retries => '3', :http_request_max_retries => '3',
:include_service_catalog => true, :include_service_catalog => true,
:keyfile => 'keyfile', :keyfile => 'keyfile',
:memcache_pool_conn_get_timeout => '9', :memcache_pool_conn_get_timeout => '9',
:memcache_pool_dead_retry => '302', :memcache_pool_dead_retry => '302',
:memcache_pool_maxsize => '11', :memcache_pool_maxsize => '11',
:memcache_pool_socket_timeout => '2', :memcache_pool_socket_timeout => '2',
:memcache_pool_unused_timeout => '61', :memcache_pool_unused_timeout => '61',
:memcache_secret_key => 'secret_key', :memcache_secret_key => 'secret_key',
:memcache_security_strategy => 'ENCRYPT', :memcache_security_strategy => 'ENCRYPT',
:memcache_use_advanced_pool => true, :memcache_use_advanced_pool => true,
:memcached_servers => ['memcached01:11211','memcached02:11211'], :memcached_servers => ['memcached01:11211','memcached02:11211'],
:manage_memcache_package => true, :manage_memcache_package => true,
:region_name => 'region2', :region_name => 'region2',
:token_cache_time => '301', :token_cache_time => '301',
:service_token_roles_required => false, :service_token_roles => ['admin'],
:service_token_roles_required => true,
}) })
end end
@ -116,6 +118,7 @@ describe 'cinder::keystone::authtoken' do
is_expected.to contain_cinder_config('keystone_authtoken/memcached_servers').with_value('memcached01:11211,memcached02:11211') is_expected.to contain_cinder_config('keystone_authtoken/memcached_servers').with_value('memcached01:11211,memcached02:11211')
is_expected.to contain_cinder_config('keystone_authtoken/region_name').with_value(params[:region_name]) is_expected.to contain_cinder_config('keystone_authtoken/region_name').with_value(params[:region_name])
is_expected.to contain_cinder_config('keystone_authtoken/token_cache_time').with_value(params[:token_cache_time]) is_expected.to contain_cinder_config('keystone_authtoken/token_cache_time').with_value(params[:token_cache_time])
is_expected.to contain_cinder_config('keystone_authtoken/service_token_roles').with_value(params[:service_token_roles])
is_expected.to contain_cinder_config('keystone_authtoken/service_token_roles_required').with_value(params[:service_token_roles_required]) is_expected.to contain_cinder_config('keystone_authtoken/service_token_roles_required').with_value(params[:service_token_roles_required])
end end