diff --git a/manifests/keystone/auth.pp b/manifests/keystone/auth.pp
index fda271ab..19d2c5cf 100644
--- a/manifests/keystone/auth.pp
+++ b/manifests/keystone/auth.pp
@@ -79,6 +79,22 @@
 #   (Optional) List of roles assigned to Cinder v3 user
 #   Defaults to ['admin']
 #
+# [*system_scope*]
+#   (Optional) Scope for system operations used by Cinder v3 user.
+#   Defaults to 'all'
+#
+# [*system_scope_v3*]
+#   (Optional) Scope for system operations used by Cinder v3 user.
+#   Defaults to 'all'
+#
+# [*system_roles*]
+#   (Optional) List of system roles assigned to Cinder user.
+#   Defaults to []
+#
+# [*system_roles_v3*]
+#   (Optional) List of system roles assigned to Cinder v3 user.
+#   Defaults to []
+#
 # [*public_url_v3*]
 #   (0ptional) The v3 endpoint's public url.
 #   This url should *not* contain any trailing '/'.
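Review bot: The new `[*system_scope*]` entry is documented as `(Optional) Scope for system operations used by Cinder v3 user.`, but this parameter is the non-v3 one (the later hunk passes it to the `cinder` service identity, and the neighbouring `[*system_roles*]` entry already says "Cinder user"), so the v3 wording looks like a copy of the `[*system_scope_v3*]` text. Change it to `#   (Optional) Scope for system operations used by Cinder user.`. While touching this header, the context line `(0ptional) The v3 endpoint's public url.` still spells "Optional" with a zero.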
@@ -111,6 +127,10 @@ class cinder::keystone::auth (
   $tenant_user_v3         = 'services',
   $roles                  = ['admin'],
   $roles_v3               = ['admin'],
+  $system_scope           = 'all',
+  $system_scope_v3        = 'all',
+  $system_roles           = [],
+  $system_roles_v3        = [],
   $email                  = 'cinder@localhost',
   $email_user_v3          = 'cinderv3@localhost',
   $public_url_v3          = 'http://127.0.0.1:8776/v3/%(tenant_id)s',
@@ -129,6 +149,9 @@ class cinder::keystone::auth (
 
   include cinder::deps
 
+  Keystone_user_role<| name == "${auth_name}@${tenant}" |> -> Anchor['cinder::service::end']
+  Keystone_user_role<| name == "${auth_name}@::::${system_scope}" |> -> Anchor['cinder::service::end']
+
   if $configure_endpoint_v3 {
     Keystone_endpoint["${region}/${service_name_v3}::${service_type_v3}"] -> Anchor['cinder::service::end']
   }
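Review bot: The two new `Keystone_user_role<| ... |>` collectors only order the non-v3 user's project and system role assignments before `Anchor['cinder::service::end']`; the v3 user's assignments (built from `auth_name_v3`, `tenant_user_v3` and the new `system_scope_v3`) get no such ordering, and the hunk at `@@ -161,13 +186,11 @@` removes the old guarded ordering without adding a v3 equivalent. If the v3 roles are also meant to be in place before the service anchor, add `Keystone_user_role<| name == "${auth_name_v3}@${tenant_user_v3}" |> -> Anchor['cinder::service::end']` and `Keystone_user_role<| name == "${auth_name_v3}@::::${system_scope_v3}" |> -> Anchor['cinder::service::end']`. Since a collector also realizes any matching virtual resource and silently matches nothing when the role is not declared, a short comment above these lines such as `# Ordering only; matches nothing when configure_user_role is false` would explain why the previous `if $configure_user_role` guard is no longer needed. The enclosing class `cinder::keystone::auth` starts before this hunk.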
@@ -146,6 +169,8 @@ class cinder::keystone::auth (
     email               => $email,
     tenant              => $tenant,
     roles               => $roles,
+    system_scope        => $system_scope,
+    system_roles        => $system_roles,
   }
 
   keystone::resource::service_identity { 'cinderv3':
@@ -161,13 +186,11 @@ class cinder::keystone::auth (
     email               => $email_user_v3,
     tenant              => $tenant_user_v3,
     roles               => $roles_v3,
+    system_scope        => $system_scope_v3,
+    system_roles        => $system_roles_v3,
     public_url          => $public_url_v3,
     admin_url           => $admin_url_v3,
     internal_url        => $internal_url_v3,
   }
 
-  if $configure_user_role {
-    Keystone_user_role["${auth_name}@${tenant}"] -> Anchor['cinder::service::end']
-  }
-
 }
diff --git a/manifests/keystone/authtoken.pp b/manifests/keystone/authtoken.pp
index ea91ae3b..b36b813b 100644
--- a/manifests/keystone/authtoken.pp
+++ b/manifests/keystone/authtoken.pp
@@ -28,6 +28,10 @@
 #   (Optional) Name of domain for $project_name
 #   Defaults to 'Default'
 #
+# [*system_scope*]
+#   (Optional) Scope for system operations
+#   Defaults to $::os_service_default
+#
 # [*insecure*]
 #  (Optional) If true, explicitly allow TLS without checking server cert
 #  against any certificate authorities.  WARNING: not recommended.  Use with
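Review bot: The new `[*system_scope*]` doc says only `Scope for system operations` and does not state how it relates to the project-scoped settings (`project_name`, `project_domain_name`) documented directly above; if, as the keystoneauth option name suggests, setting a system scope means the project scope is no longer used, that should be stated here — confirm against the auth plugin loader before wording it. Suggested text: `#   (Optional) Scope for system operations. When set, the service credentials are system-scoped; leave at the default to keep project-scoped authentication.`, which also makes the opt-in nature of the `$::os_service_default` default explicit. The same one-line description is used in `manifests/keystone/service_user.pp` at `@@ -28,6 +28,10 @@` and would benefit from the same clarification.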
@@ -203,6 +207,7 @@ class cinder::keystone::authtoken(
   $project_name                   = 'services',
   $user_domain_name               = 'Default',
   $project_domain_name            = 'Default',
+  $system_scope                   = $::os_service_default,
   $insecure                       = $::os_service_default,
   $auth_section                   = $::os_service_default,
   $auth_type                      = 'password',
@@ -256,6 +261,7 @@ class cinder::keystone::authtoken(
       auth_section                   => $auth_section,
       user_domain_name               => $user_domain_name,
       project_domain_name            => $project_domain_name,
+      system_scope                   => $system_scope,
       insecure                       => $insecure,
       cache                          => $cache,
       cafile                         => $cafile,
diff --git a/manifests/keystone/service_user.pp b/manifests/keystone/service_user.pp
index a8d2c279..aadeb9eb 100644
--- a/manifests/keystone/service_user.pp
+++ b/manifests/keystone/service_user.pp
@@ -28,6 +28,10 @@
 #   (Optional) Name of domain for $project_name
 #   Defaults to 'Default'
 #
+# [*system_scope*]
+#   (Optional) Scope for system operations
+#   Defaults to $::os_service_default
+#
 # [*send_service_user_token*]
 #   (Optional) The service uses service token feature when this is set as true
 #   Defaults to 'false'
@@ -70,6 +74,7 @@ class cinder::keystone::service_user(
   $project_name            = 'services',
   $user_domain_name        = 'Default',
   $project_domain_name     = 'Default',
+  $system_scope            = $::os_service_default,
   $send_service_user_token = false,
   $insecure                = $::os_service_default,
   $auth_type               = 'password',
@@ -91,6 +96,7 @@ class cinder::keystone::service_user(
     auth_type               => $auth_type,
     user_domain_name        => $user_domain_name,
     project_domain_name     => $project_domain_name,
+    system_scope            => $system_scope,
     send_service_user_token => $send_service_user_token,
     insecure                => $insecure,
     cafile                  => $cafile,
diff --git a/releasenotes/notes/system_scope-keystone-d9a9cc0c614cd433.yaml b/releasenotes/notes/system_scope-keystone-d9a9cc0c614cd433.yaml
new file mode 100644
index 00000000..dd40cbfd
--- /dev/null
+++ b/releasenotes/notes/system_scope-keystone-d9a9cc0c614cd433.yaml
@@ -0,0 +1,16 @@
+---
+features:
+  - |
+    The ``cinder::keystone::auth`` class now supports the following new
+    parameters to define system-scoped roles.
+
+    - ``system_scope``
+    - ``system_roles``
+    - ``system_scope_v3``
+    - ``system_roles_v3``
+
+  - |
+    The ``system_scope`` parameter has been added to the following classes.
+
+    - ``cinder::keystone::authtoken``
+    - ``cinder::keystone::service_user``
diff --git a/spec/classes/cinder_keystone_auth_spec.rb b/spec/classes/cinder_keystone_auth_spec.rb
index 068b2fcf..b578a553 100644
--- a/spec/classes/cinder_keystone_auth_spec.rb
+++ b/spec/classes/cinder_keystone_auth_spec.rb
@@ -22,6 +22,8 @@ describe 'cinder::keystone::auth' do
         :email               => 'cinder@localhost',
         :tenant              => 'services',
         :roles               => ['admin'],
+        :system_scope        => 'all',
+        :system_roles        => [],
       ) }
 
       it { is_expected.to contain_keystone__resource__service_identity('cinderv3').with(
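Review bot: The new `:system_scope`/`:system_roles` expectations only verify parameter pass-through to `keystone::resource::service_identity`; nothing in the visible spec hunks asserts the ordering that the manifest now expresses through the `Keystone_user_role<| ... |>` collectors, so a broken collector title (for example the `@::::` system-scope form) would still pass the suite. Consider adding, in this default-parameters context, an example that the expected `keystone_user_role` resource `that_comes_before('Anchor[cinder::service::end]')`, using the title format the manifest's collectors match on. The enclosing `describe 'cinder::keystone::auth'` block starts before this hunk.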
@@ -36,6 +38,8 @@ describe 'cinder::keystone::auth' do
         :email               => 'cinderv3@localhost',
         :tenant              => 'services',
         :roles               => ['admin'],
+        :system_scope        => 'all',
+        :system_roles        => [],
         :public_url          => 'http://127.0.0.1:8776/v3/%(tenant_id)s',
         :internal_url        => 'http://127.0.0.1:8776/v3/%(tenant_id)s',
         :admin_url           => 'http://127.0.0.1:8776/v3/%(tenant_id)s',
@@ -49,13 +53,17 @@ describe 'cinder::keystone::auth' do
           :email                  => 'alt_cinder@alt_localhost',
           :tenant                 => 'alt_service',
           :roles                  => ['admin', 'service'],
+          :system_scope           => 'alt_all',
+          :system_roles           => ['admin', 'member', 'reader'],
           :configure_user         => false,
           :configure_user_role    => false,
           :password_user_v3       => 'cinderv3_password',
           :auth_name_v3           => 'alt_cinderv3',
           :email_user_v3          => 'alt_cinderv3@alt_localhost',
           :tenant_user_v3         => 'alt_servicev3',
-          :roles_v3               => ['admin', 'service'],
+          :roles_v3               => ['adminv3', 'servicev3'],
+          :system_scope_v3        => 'alt_all_v3',
+          :system_roles_v3        => ['adminv3', 'memberv3', 'readerv3'],
           :configure_user_v3      => true,
           :configure_user_role_v3 => true,
           :service_description_v3 => 'Alternative Cinder Service v3',
@@ -79,6 +87,8 @@ describe 'cinder::keystone::auth' do
         :email               => 'alt_cinder@alt_localhost',
         :tenant              => 'alt_service',
         :roles               => ['admin', 'service'],
+        :system_scope        => 'alt_all',
+        :system_roles        => ['admin', 'member', 'reader'],
       ) }
 
       it { is_expected.to contain_keystone__resource__service_identity('cinderv3').with(
@@ -93,7 +103,9 @@ describe 'cinder::keystone::auth' do
         :password            => 'cinderv3_password',
         :email               => 'alt_cinderv3@alt_localhost',
         :tenant              => 'alt_servicev3',
-        :roles               => ['admin', 'service'],
+        :roles               => ['adminv3', 'servicev3'],
+        :system_scope        => 'alt_all_v3',
+        :system_roles        => ['adminv3', 'memberv3', 'readerv3'],
         :public_url          => 'https://10.10.10.10:80',
         :internal_url        => 'http://10.10.10.11:81',
         :admin_url           => 'http://10.10.10.12:81',
diff --git a/spec/classes/cinder_keystone_authtoken_spec.rb b/spec/classes/cinder_keystone_authtoken_spec.rb
index dc54db66..faeedc08 100644
--- a/spec/classes/cinder_keystone_authtoken_spec.rb
+++ b/spec/classes/cinder_keystone_authtoken_spec.rb
@@ -18,6 +18,7 @@ describe 'cinder::keystone::authtoken' do
           :project_name                   => 'services',
           :user_domain_name               => 'Default',
           :project_domain_name            => 'Default',
+          :system_scope                   => '<SERVICE DEFAULT>',
           :insecure                       => '<SERVICE DEFAULT>',
           :auth_section                   => '<SERVICE DEFAULT>',
           :auth_type                      => 'password',
@@ -62,6 +63,7 @@ describe 'cinder::keystone::authtoken' do
           :project_name                   => 'service_project',
           :user_domain_name               => 'domainX',
           :project_domain_name            => 'domainX',
+          :system_scope                   => 'all',
           :insecure                       => false,
           :auth_section                   => 'new_section',
           :auth_type                      => 'password',
@@ -103,6 +105,7 @@ describe 'cinder::keystone::authtoken' do
           :project_name                   => 'service_project',
           :user_domain_name               => 'domainX',
           :project_domain_name            => 'domainX',
+          :system_scope                   => 'all',
           :insecure                       => false,
           :auth_section                   => 'new_section',
           :auth_type                      => 'password',