Accept system scope credential for Nova API request

Currently cinder uses the service user credential to use Nova APIs like External Events API, which is accessibly only for system admin when SRBAC is enforced. This change allows using system-scoped credential rather instead of project-scoped one for such API requests. Change-Id: Ica8972741244b18290b6e9b2b2e2f460094d0260
2021-11-26 21:55:55 +09:00 · 2021-11-26 21:55:55 +09:00 · 3b1588eb57
commit 3b1588eb57
parent 0256c26d21
3 changed files with 37 additions and 2 deletions
--- a/manifests/nova.pp
+++ b/manifests/nova.pp
@ -79,6 +79,10 @@
 #   (Optional) Nova admin project domain name.
 #   Defaults to 'Default'
 #
+# [*system_scope*]
+#   (Optional) Scope for system operations
+#   Defaults to $::os_service_default
+#
 class cinder::nova (
  $region_name         = $::os_service_default,
  $interface           = $::os_service_default,
@ -98,10 +102,19 @@ class cinder::nova (
  $password            = $::os_service_default,
  $project_name        = 'services',
  $project_domain_name = 'Default',
+  $system_scope        = $::os_service_default,
 ) {

  include cinder::deps

+  if is_service_default($system_scope) {
+    $project_name_real = $project_name
+    $project_domain_name_real = $project_domain_name
+  } else {
+    $project_name_real = $::os_service_default
+    $project_domain_name_real = $::os_service_default
+  }
+
  cinder_config {
    'nova/region_name':         value => $region_name;
    'nova/interface':           value => $interface;
@ -119,7 +132,8 @@ class cinder::nova (
    'nova/username':            value => $username;
    'nova/user_domain_name':    value => $user_domain_name;
    'nova/password':            value => $password, secret => true;
-    'nova/project_name':        value => $project_name;
-    'nova/project_domain_name': value => $project_domain_name;
+    'nova/project_name':        value => $project_name_real;
+    'nova/project_domain_name': value => $project_domain_name_real;
+    'nova/system_scope':        value => $system_scope;
  }
 }
--- a/releasenotes/notes/system_scope-nova-6507548249009928.yaml
+++ b/releasenotes/notes/system_scope-nova-6507548249009928.yaml
@ -0,0 +1,5 @@
+---
+features:
+  - |
+    The new ``sysem_scope`` parameter has been added to the ``cinder::nova``
+    class.
--- a/spec/classes/cinder_nova_spec.rb
+++ b/spec/classes/cinder_nova_spec.rb
@ -22,6 +22,7 @@ describe 'cinder::nova' do
        is_expected.to contain_cinder_config('nova/password').with_value('<SERVICE DEFAULT>').with_secret(true)
        is_expected.to contain_cinder_config('nova/project_name').with_value('services')
        is_expected.to contain_cinder_config('nova/project_domain_name').with_value('Default')
+        is_expected.to contain_cinder_config('nova/system_scope').with_value('<SERVICE DEFAULT>')
      }
    end

@ -64,6 +65,21 @@ describe 'cinder::nova' do
        is_expected.to contain_cinder_config('nova/password').with_value('foo').with_secret(true)
        is_expected.to contain_cinder_config('nova/project_name').with_value('services')
        is_expected.to contain_cinder_config('nova/project_domain_name').with_value('Default')
+        is_expected.to contain_cinder_config('nova/system_scope').with_value('<SERVICE DEFAULT>')
+      }
+    end
+
+    context 'with system_scope set' do
+      let :params do
+        {
+          :system_scope => 'all'
+        }
+      end
+
+      it {
+        is_expected.to contain_cinder_config('nova/project_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_cinder_config('nova/project_domain_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_cinder_config('nova/system_scope').with_value('all')
      }
    end
  end