From 0256c26d21705d4c04dd66732e08d25db687948b Mon Sep 17 00:00:00 2001
From: Takashi Kajinami <tkajinam@redhat.com>
Date: Thu, 25 Nov 2021 20:28:20 +0900
Subject: [PATCH] Accept system scope credentials for Keystone API request

This change is the first step to support secure RBAC and allows usage
of system scope credentials for Keystone API request.

This change covers the following three items.
 - assignment of system scope roles to system user
 - credential parameters for authtoken middleware
 - credential parameters for service token feature

Note that the credential parameters for authtoken middleware are
used in some providers, and these providers still require a project
scope credential. This will be fixed by the subsequent change.

Depends-on: https://review.opendev.org/804325
Change-Id: I33f912aeb058fd269d4a0eda57438051a2f094ff
---
 manifests/keystone/auth.pp                    | 31 ++++++++++++++++---
 manifests/keystone/authtoken.pp               |  6 ++++
 manifests/keystone/service_user.pp            |  6 ++++
 ...ystem_scope-keystone-d9a9cc0c614cd433.yaml | 16 ++++++++++
 spec/classes/cinder_keystone_auth_spec.rb     | 16 ++++++++--
 .../classes/cinder_keystone_authtoken_spec.rb |  3 ++
 6 files changed, 72 insertions(+), 6 deletions(-)
 create mode 100644 releasenotes/notes/system_scope-keystone-d9a9cc0c614cd433.yaml

diff --git a/manifests/keystone/auth.pp b/manifests/keystone/auth.pp
index fda271ab..19d2c5cf 100644
--- a/manifests/keystone/auth.pp
+++ b/manifests/keystone/auth.pp
@@ -79,6 +79,22 @@
 #   (Optional) List of roles assigned to Cinder v3 user
 #   Defaults to ['admin']
 #
+# [*system_scope*]
+#   (Optional) Scope for system operations used by Cinder v3 user.
+#   Defaults to 'all'
+#
+# [*system_scope_v3*]
+#   (Optional) Scope for system operations used by Cinder v3 user.
+#   Defaults to 'all'
+#
+# [*system_roles*]
+#   (Optional) List of system roles assigned to Cinder user.
+#   Defaults to []
+#
+# [*system_roles_v3*]
+#   (Optional) List of system roles assigned to Cinder v3 user.
+#   Defaults to []
+#
 # [*public_url_v3*]
 #   (0ptional) The v3 endpoint's public url.
 #   This url should *not* contain any trailing '/'.
@@ -111,6 +127,10 @@ class cinder::keystone::auth (
   $tenant_user_v3         = 'services',
   $roles                  = ['admin'],
   $roles_v3               = ['admin'],
+  $system_scope           = 'all',
+  $system_scope_v3        = 'all',
+  $system_roles           = [],
+  $system_roles_v3        = [],
   $email                  = 'cinder@localhost',
   $email_user_v3          = 'cinderv3@localhost',
   $public_url_v3          = 'http://127.0.0.1:8776/v3/%(tenant_id)s',
@@ -129,6 +149,9 @@ class cinder::keystone::auth (
 
   include cinder::deps
 
+  Keystone_user_role<| name == "${auth_name}@${tenant}" |> -> Anchor['cinder::service::end']
+  Keystone_user_role<| name == "${auth_name}@::::${system_scope}" |> -> Anchor['cinder::service::end']
+
   if $configure_endpoint_v3 {
     Keystone_endpoint["${region}/${service_name_v3}::${service_type_v3}"] -> Anchor['cinder::service::end']
   }
@@ -146,6 +169,8 @@ class cinder::keystone::auth (
     email               => $email,
     tenant              => $tenant,
     roles               => $roles,
+    system_scope        => $system_scope,
+    system_roles        => $system_roles,
   }
 
   keystone::resource::service_identity { 'cinderv3':
@@ -161,13 +186,11 @@ class cinder::keystone::auth (
     email               => $email_user_v3,
     tenant              => $tenant_user_v3,
     roles               => $roles_v3,
+    system_scope        => $system_scope_v3,
+    system_roles        => $system_roles_v3,
     public_url          => $public_url_v3,
     admin_url           => $admin_url_v3,
     internal_url        => $internal_url_v3,
   }
 
-  if $configure_user_role {
-    Keystone_user_role["${auth_name}@${tenant}"] -> Anchor['cinder::service::end']
-  }
-
 }
diff --git a/manifests/keystone/authtoken.pp b/manifests/keystone/authtoken.pp
index ea91ae3b..b36b813b 100644
--- a/manifests/keystone/authtoken.pp
+++ b/manifests/keystone/authtoken.pp
@@ -28,6 +28,10 @@
 #   (Optional) Name of domain for $project_name
 #   Defaults to 'Default'
 #
+# [*system_scope*]
+#   (Optional) Scope for system operations
+#   Defaults to $::os_service_default
+#
 # [*insecure*]
 #  (Optional) If true, explicitly allow TLS without checking server cert
 #  against any certificate authorities.  WARNING: not recommended.  Use with
@@ -203,6 +207,7 @@ class cinder::keystone::authtoken(
   $project_name                   = 'services',
   $user_domain_name               = 'Default',
   $project_domain_name            = 'Default',
+  $system_scope                   = $::os_service_default,
   $insecure                       = $::os_service_default,
   $auth_section                   = $::os_service_default,
   $auth_type                      = 'password',
@@ -256,6 +261,7 @@ class cinder::keystone::authtoken(
       auth_section                   => $auth_section,
       user_domain_name               => $user_domain_name,
       project_domain_name            => $project_domain_name,
+      system_scope                   => $system_scope,
       insecure                       => $insecure,
       cache                          => $cache,
       cafile                         => $cafile,
diff --git a/manifests/keystone/service_user.pp b/manifests/keystone/service_user.pp
index a8d2c279..aadeb9eb 100644
--- a/manifests/keystone/service_user.pp
+++ b/manifests/keystone/service_user.pp
@@ -28,6 +28,10 @@
 #   (Optional) Name of domain for $project_name
 #   Defaults to 'Default'
 #
+# [*system_scope*]
+#   (Optional) Scope for system operations
+#   Defaults to $::os_service_default
+#
 # [*send_service_user_token*]
 #   (Optional) The service uses service token feature when this is set as true
 #   Defaults to 'false'
@@ -70,6 +74,7 @@ class cinder::keystone::service_user(
   $project_name            = 'services',
   $user_domain_name        = 'Default',
   $project_domain_name     = 'Default',
+  $system_scope            = $::os_service_default,
   $send_service_user_token = false,
   $insecure                = $::os_service_default,
   $auth_type               = 'password',
@@ -91,6 +96,7 @@ class cinder::keystone::service_user(
     auth_type               => $auth_type,
     user_domain_name        => $user_domain_name,
     project_domain_name     => $project_domain_name,
+    system_scope            => $system_scope,
     send_service_user_token => $send_service_user_token,
     insecure                => $insecure,
     cafile                  => $cafile,
diff --git a/releasenotes/notes/system_scope-keystone-d9a9cc0c614cd433.yaml b/releasenotes/notes/system_scope-keystone-d9a9cc0c614cd433.yaml
new file mode 100644
index 00000000..dd40cbfd
--- /dev/null
+++ b/releasenotes/notes/system_scope-keystone-d9a9cc0c614cd433.yaml
@@ -0,0 +1,16 @@
+---
+features:
+  - |
+    The ``cinder::keystone::auth`` class now supports the following new
+    parameters to define system-scoped roles.
+
+    - ``system_scope``
+    - ``system_roles``
+    - ``system_scope_v3``
+    - ``system_roles_v3``
+
+  - |
+    The ``system_scope`` parameter has been added to the following classes.
+
+    - ``cinder::keystone::authtoken``
+    - ``cinder::keystone::service_user``
diff --git a/spec/classes/cinder_keystone_auth_spec.rb b/spec/classes/cinder_keystone_auth_spec.rb
index 068b2fcf..b578a553 100644
--- a/spec/classes/cinder_keystone_auth_spec.rb
+++ b/spec/classes/cinder_keystone_auth_spec.rb
@@ -22,6 +22,8 @@ describe 'cinder::keystone::auth' do
         :email               => 'cinder@localhost',
         :tenant              => 'services',
         :roles               => ['admin'],
+        :system_scope        => 'all',
+        :system_roles        => [],
       ) }
 
       it { is_expected.to contain_keystone__resource__service_identity('cinderv3').with(
@@ -36,6 +38,8 @@ describe 'cinder::keystone::auth' do
         :email               => 'cinderv3@localhost',
         :tenant              => 'services',
         :roles               => ['admin'],
+        :system_scope        => 'all',
+        :system_roles        => [],
         :public_url          => 'http://127.0.0.1:8776/v3/%(tenant_id)s',
         :internal_url        => 'http://127.0.0.1:8776/v3/%(tenant_id)s',
         :admin_url           => 'http://127.0.0.1:8776/v3/%(tenant_id)s',
@@ -49,13 +53,17 @@ describe 'cinder::keystone::auth' do
           :email                  => 'alt_cinder@alt_localhost',
           :tenant                 => 'alt_service',
           :roles                  => ['admin', 'service'],
+          :system_scope           => 'alt_all',
+          :system_roles           => ['admin', 'member', 'reader'],
           :configure_user         => false,
           :configure_user_role    => false,
           :password_user_v3       => 'cinderv3_password',
           :auth_name_v3           => 'alt_cinderv3',
           :email_user_v3          => 'alt_cinderv3@alt_localhost',
           :tenant_user_v3         => 'alt_servicev3',
-          :roles_v3               => ['admin', 'service'],
+          :roles_v3               => ['adminv3', 'servicev3'],
+          :system_scope_v3        => 'alt_all_v3',
+          :system_roles_v3        => ['adminv3', 'memberv3', 'readerv3'],
           :configure_user_v3      => true,
           :configure_user_role_v3 => true,
           :service_description_v3 => 'Alternative Cinder Service v3',
@@ -79,6 +87,8 @@ describe 'cinder::keystone::auth' do
         :email               => 'alt_cinder@alt_localhost',
         :tenant              => 'alt_service',
         :roles               => ['admin', 'service'],
+        :system_scope        => 'alt_all',
+        :system_roles        => ['admin', 'member', 'reader'],
       ) }
 
       it { is_expected.to contain_keystone__resource__service_identity('cinderv3').with(
@@ -93,7 +103,9 @@ describe 'cinder::keystone::auth' do
         :password            => 'cinderv3_password',
         :email               => 'alt_cinderv3@alt_localhost',
         :tenant              => 'alt_servicev3',
-        :roles               => ['admin', 'service'],
+        :roles               => ['adminv3', 'servicev3'],
+        :system_scope        => 'alt_all_v3',
+        :system_roles        => ['adminv3', 'memberv3', 'readerv3'],
         :public_url          => 'https://10.10.10.10:80',
         :internal_url        => 'http://10.10.10.11:81',
         :admin_url           => 'http://10.10.10.12:81',
diff --git a/spec/classes/cinder_keystone_authtoken_spec.rb b/spec/classes/cinder_keystone_authtoken_spec.rb
index dc54db66..faeedc08 100644
--- a/spec/classes/cinder_keystone_authtoken_spec.rb
+++ b/spec/classes/cinder_keystone_authtoken_spec.rb
@@ -18,6 +18,7 @@ describe 'cinder::keystone::authtoken' do
           :project_name                   => 'services',
           :user_domain_name               => 'Default',
           :project_domain_name            => 'Default',
+          :system_scope                   => '<SERVICE DEFAULT>',
           :insecure                       => '<SERVICE DEFAULT>',
           :auth_section                   => '<SERVICE DEFAULT>',
           :auth_type                      => 'password',
@@ -62,6 +63,7 @@ describe 'cinder::keystone::authtoken' do
           :project_name                   => 'service_project',
           :user_domain_name               => 'domainX',
           :project_domain_name            => 'domainX',
+          :system_scope                   => 'all',
           :insecure                       => false,
           :auth_section                   => 'new_section',
           :auth_type                      => 'password',
@@ -103,6 +105,7 @@ describe 'cinder::keystone::authtoken' do
           :project_name                   => 'service_project',
           :user_domain_name               => 'domainX',
           :project_domain_name            => 'domainX',
+          :system_scope                   => 'all',
           :insecure                       => false,
           :auth_section                   => 'new_section',
           :auth_type                      => 'password',