openstack/puppet-manila
Code Issues Proposed changes

Globally support system scope credentials

Browse Source 
After spending huge effort to understand the exact requirements to
enforce SRBAC, we learned it's very difficult to find the required
scope in each credential. This requires understanding implementation of
client-side as well as server-side, and requirement might be different
according to the deployment architecture or features used.

Instead of implementing support based on the actual implementation,
this introduces support for system scope credentials to all places
where keystone user credential is defined, and make all credential
configurations consistent.

Change-Id: I6e9a3d93f33069c2f1f7bc10c48ad61ce9357682
This commit is contained in:
Takashi Kajinami 2022-03-04 01:33:14 +09:00
parent b90d8510ec
commit bc10dfefde
9 changed files with 135 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
manifests/compute/nova.pp
View File

@ -33,6 +33,10 @@
# (optional) Project name to scope to
# Defaults to 'services'
#
# [*system_scope*]
# (optional) Scope for system operations.
# Defaults to $::os_service_default
#
# [*region_name*]
# (optional) Region name for connecting to nova
# Defaults to $::os_service_default
@ -62,6 +66,7 @@ class manila::compute::nova (
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$project_name = 'services',
$system_scope = $::os_service_default,
$region_name = $::os_service_default,
$endpoint_type = $::os_service_default,
$username = 'nova',
@ -71,6 +76,14 @@ class manila::compute::nova (
include manila::deps
if is_service_default($system_scope) {
$project_name_real = $project_name
$project_domain_name_real = $project_domain_name
} else {
$project_name_real = $::os_service_default
$project_domain_name_real = $::os_service_default
}
manila_config {
'nova/insecure': value => $insecure;
'nova/auth_url': value => $auth_url;
@ -81,8 +94,9 @@ class manila::compute::nova (
'nova/username': value => $username;
'nova/user_domain_name': value => $user_domain_name;
'nova/password': value => $password, secret => true;
'nova/project_name': value => $project_name;
'nova/project_domain_name': value => $project_domain_name;
'nova/project_name': value => $project_name_real;
'nova/project_domain_name': value => $project_domain_name_real;
'nova/system_scope': value => $system_scope;
'nova/api_microversion': value => $api_microversion;
}
}

18
manifests/image/glance.pp
View File

@ -45,6 +45,10 @@
# (optional) Project name to scope to
# Defaults to 'services'
#
# [*system_scope*]
# (optional) Scope for system operations.
# Defaults to $::os_service_default
#
# [*region_name*]
# (optional) Region name for connecting to cinder
# Defaults to $::os_service_default
@ -73,6 +77,7 @@ class manila::image::glance (
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$project_name = 'services',
$system_scope = $::os_service_default,
$region_name = $::os_service_default,
$endpoint_type = $::os_service_default,
$username = 'glance',
@ -81,6 +86,14 @@ class manila::image::glance (
include manila::deps
if is_service_default($system_scope) {
$project_name_real = $project_name
$project_domain_name_real = $project_domain_name
} else {
$project_name_real = $::os_service_default
$project_domain_name_real = $::os_service_default
}
manila_config {
'glance/api_microversion': value => $api_microversion;
'glance/insecure': value => $insecure;
@ -90,8 +103,9 @@ class manila::image::glance (
'glance/certfile': value => $certfile;
'glance/keyfile': value => $keyfile;
'glance/user_domain_name': value => $user_domain_name;
'glance/project_domain_name': value => $project_domain_name;
'glance/project_name': value => $project_name;
'glance/project_domain_name': value => $project_domain_name_real;
'glance/project_name': value => $project_name_real;
'glance/system_scope': value => $system_scope;
'glance/region_name': value => $region_name;
'glance/endpoint_type': value => $endpoint_type;
'glance/username': value => $username;

20
manifests/network/neutron.pp
View File

@ -33,6 +33,10 @@
# (optional) Project name to scope to
# Defaults to 'services'
#
# [*system_scope*]
# (optional) Scope for system operations.
# Defaults to $::os_service_default
#
# [*region_name*]
# (optional) Region name for connecting to neutron
# Defaults to $::os_service_default
@ -70,6 +74,7 @@ class manila::network::neutron (
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$project_name = 'services',
$system_scope = $::os_service_default,
$region_name = $::os_service_default,
$timeout = $::os_service_default,
$endpoint_type = $::os_service_default,
@ -79,11 +84,21 @@ class manila::network::neutron (
$network_plugin_ipv6_enabled = $::os_service_default,
) {
include manila::deps
# TODO(tkajinam): Remove this after Yoga release
manila_config {
'DEFAULT/network_api_class': ensure => absent;
}
if is_service_default($system_scope) {
$project_name_real = $project_name
$project_domain_name_real = $project_domain_name
} else {
$project_name_real = $::os_service_default
$project_domain_name_real = $::os_service_default
}
manila_config {
'neutron/insecure': value => $insecure;
'neutron/auth_url': value => $auth_url;
@ -95,8 +110,9 @@ class manila::network::neutron (
'neutron/username': value => $username;
'neutron/user_domain_name': value => $user_domain_name;
'neutron/password': value => $password, secret => true;
'neutron/project_name': value => $project_name;
'neutron/project_domain_name': value => $project_domain_name;
'neutron/project_name': value => $project_name_real;
'neutron/project_domain_name': value => $project_domain_name_real;
'neutron/system_scope': value => $system_scope;
'DEFAULT/network_plugin_ipv4_enabled': value => $network_plugin_ipv4_enabled;
'DEFAULT/network_plugin_ipv6_enabled': value => $network_plugin_ipv6_enabled;
}

18
manifests/volume/cinder.pp
View File

@ -33,6 +33,10 @@
# (optional) Project name to scope to
# Defaults to 'services'
#
# [*system_scope*]
# (optional) Scope for system operations.
# Defaults to $::os_service_default
#
# [*region_name*]
# (optional) Region name for connecting to cinder
# Defaults to $::os_service_default
@ -67,6 +71,7 @@ class manila::volume::cinder (
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$project_name = 'services',
$system_scope = $::os_service_default,
$region_name = $::os_service_default,
$endpoint_type = $::os_service_default,
$username = 'cinder',
@ -77,6 +82,14 @@ class manila::volume::cinder (
include manila::deps
if is_service_default($system_scope) {
$project_name_real = $project_name
$project_domain_name_real = $project_domain_name
} else {
$project_name_real = $::os_service_default
$project_domain_name_real = $::os_service_default
}
manila_config {
'cinder/insecure': value => $insecure;
'cinder/auth_url': value => $auth_url;
@ -87,8 +100,9 @@ class manila::volume::cinder (
'cinder/username': value => $username;
'cinder/user_domain_name': value => $user_domain_name;
'cinder/password': value => $password, secret => true;
'cinder/project_name': value => $project_name;
'cinder/project_domain_name': value => $project_domain_name;
'cinder/project_name': value => $project_name_real;
'cinder/project_domain_name': value => $project_domain_name_real;
'cinder/system_scope': value => $system_scope;
'cinder/http_retries': value => $http_retries;
'cinder/cross_az_attach': value => $cross_az_attach;
}

9
releasenotes/notes/system_scope-all-4a661d5cc27d448a.yaml Normal file
View File

@ -0,0 +1,9 @@
---
features:
- |
The new ``system_scope`` parameter has been added to the following classes.
- ``manila::compute::nova``
- ``manila::image::glance``
- ``manila::network::neutron``
- ``manila::volume::cinder``

15
spec/classes/manila_compute_nova_spec.rb
View File

@ -11,6 +11,7 @@ describe 'manila::compute::nova' do
is_expected.to contain_manila_config('nova/user_domain_name').with_value('Default')
is_expected.to contain_manila_config('nova/project_domain_name').with_value('Default')
is_expected.to contain_manila_config('nova/project_name').with_value('services')
is_expected.to contain_manila_config('nova/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_manila_config('nova/region_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_manila_config('nova/endpoint_type').with_value('<SERVICE DEFAULT>')
is_expected.to contain_manila_config('nova/username').with_value('nova')
@ -42,6 +43,7 @@ describe 'manila::compute::nova' do
is_expected.to contain_manila_config('nova/user_domain_name').with_value('Default')
is_expected.to contain_manila_config('nova/project_domain_name').with_value('Default')
is_expected.to contain_manila_config('nova/project_name').with_value('services')
is_expected.to contain_manila_config('nova/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_manila_config('nova/region_name').with_value('RegionOne')
is_expected.to contain_manila_config('nova/endpoint_type').with_value('publicURL')
is_expected.to contain_manila_config('nova/username').with_value('novav1')
@ -49,6 +51,19 @@ describe 'manila::compute::nova' do
is_expected.to contain_manila_config('nova/api_microversion').with_value('2.10')
end
end
context 'when system_scope is set' do
let :params do
{
:system_scope => 'all'
}
end
it 'configures system-scoped credential' do
is_expected.to contain_manila_config('nova/project_domain_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_manila_config('nova/project_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_manila_config('nova/system_scope').with_value('all')
end
end
end
on_supported_os({

15
spec/classes/manila_image_glance_spec.rb
View File

@ -14,6 +14,7 @@ describe 'manila::image::glance' do
is_expected.to contain_manila_config('glance/user_domain_name').with_value('Default')
is_expected.to contain_manila_config('glance/project_domain_name').with_value('Default')
is_expected.to contain_manila_config('glance/project_name').with_value('services')
is_expected.to contain_manila_config('glance/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_manila_config('glance/region_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_manila_config('glance/endpoint_type').with_value('<SERVICE DEFAULT>')
is_expected.to contain_manila_config('glance/username').with_value('glance')
@ -47,12 +48,26 @@ describe 'manila::image::glance' do
is_expected.to contain_manila_config('glance/user_domain_name').with_value('Default')
is_expected.to contain_manila_config('glance/project_domain_name').with_value('Default')
is_expected.to contain_manila_config('glance/project_name').with_value('services')
is_expected.to contain_manila_config('glance/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_manila_config('glance/region_name').with_value('RegionOne')
is_expected.to contain_manila_config('glance/endpoint_type').with_value('publicURL')
is_expected.to contain_manila_config('glance/username').with_value('glancev1')
is_expected.to contain_manila_config('glance/password').with_value('123123').with_secret(true)
end
end
context 'when system_scope is set' do
let :params do
{
:system_scope => 'all'
}
end
it 'configures system-scoped credential' do
is_expected.to contain_manila_config('glance/project_domain_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_manila_config('glance/project_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_manila_config('glance/system_scope').with_value('all')
end
end
end
on_supported_os({

15
spec/classes/manila_network_neutron_spec.rb
View File

@ -11,6 +11,7 @@ describe 'manila::network::neutron' do
is_expected.to contain_manila_config('neutron/user_domain_name').with_value('Default')
is_expected.to contain_manila_config('neutron/project_domain_name').with_value('Default')
is_expected.to contain_manila_config('neutron/project_name').with_value('services')
is_expected.to contain_manila_config('neutron/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_manila_config('neutron/region_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_manila_config('neutron/timeout').with_value('<SERVICE DEFAULT>')
is_expected.to contain_manila_config('neutron/endpoint_type').with_value('<SERVICE DEFAULT>')
@ -46,6 +47,7 @@ describe 'manila::network::neutron' do
is_expected.to contain_manila_config('neutron/user_domain_name').with_value('Default')
is_expected.to contain_manila_config('neutron/project_domain_name').with_value('Default')
is_expected.to contain_manila_config('neutron/project_name').with_value('services')
is_expected.to contain_manila_config('neutron/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_manila_config('neutron/region_name').with_value('RegionOne')
is_expected.to contain_manila_config('neutron/timeout').with_value(30)
is_expected.to contain_manila_config('neutron/endpoint_type').with_value('publicURL')
@ -55,6 +57,19 @@ describe 'manila::network::neutron' do
is_expected.to contain_manila_config('DEFAULT/network_plugin_ipv6_enabled').with_value(true)
end
end
context 'when system_scope is set' do
let :params do
{
:system_scope => 'all'
}
end
it 'configures system-scoped credential' do
is_expected.to contain_manila_config('neutron/project_domain_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_manila_config('neutron/project_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_manila_config('neutron/system_scope').with_value('all')
end
end
end
on_supported_os({

15
spec/classes/manila_volume_cinder_spec.rb
View File

@ -13,6 +13,7 @@ describe 'manila::volume::cinder' do
is_expected.to contain_manila_config('cinder/user_domain_name').with_value('Default')
is_expected.to contain_manila_config('cinder/project_domain_name').with_value('Default')
is_expected.to contain_manila_config('cinder/project_name').with_value('services')
is_expected.to contain_manila_config('cinder/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_manila_config('cinder/username').with_value('cinder')
is_expected.to contain_manila_config('cinder/password').with_value('<SERVICE DEFAULT>')
is_expected.to contain_manila_config('cinder/http_retries').with_value('<SERVICE DEFAULT>')
@ -45,6 +46,7 @@ describe 'manila::volume::cinder' do
is_expected.to contain_manila_config('cinder/project_domain_name').with_value('Default')
is_expected.to contain_manila_config('cinder/project_name').with_value('services')
is_expected.to contain_manila_config('cinder/region_name').with_value('RegionOne')
is_expected.to contain_manila_config('cinder/system_scope').with_value('<SERVICE DEFAULT>')
is_expected.to contain_manila_config('cinder/endpoint_type').with_value('publicURL')
is_expected.to contain_manila_config('cinder/username').with_value('cinderv1')
is_expected.to contain_manila_config('cinder/password').with_value('123123').with_secret(true)
@ -52,6 +54,19 @@ describe 'manila::volume::cinder' do
is_expected.to contain_manila_config('cinder/cross_az_attach').with_value('true')
end
end
context 'when system_scope is set' do
let :params do
{
:system_scope => 'all'
}
end
it 'configures system-scoped credential' do
is_expected.to contain_manila_config('cinder/project_domain_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_manila_config('cinder/project_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_manila_config('cinder/system_scope').with_value('all')
end
end
end
on_supported_os({