From bc10dfefdecb83c39b2309d4486cf38ad574890c Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Fri, 4 Mar 2022 01:33:14 +0900
Subject: [PATCH] Globally support system scope credentials

After spending huge effort to understand the exact requirements to enforce SRBAC, we learned it's very difficult to find the required scope in each credential. This requires understanding implementation of client-side as well as server-side, and requirement might be different according to the deployment architecture or features used. Instead of implementing support based on the actual implementation, this introduces support for system scope credentials to all places where keystone user credential is defined, and make all credential configurations consistent.

Change-Id: I6e9a3d93f33069c2f1f7bc10c48ad61ce9357682
---
 manifests/compute/nova.pp | 18 +++++++++++++++--
 manifests/image/glance.pp | 18 +++++++++++++++--
 manifests/network/neutron.pp | 20 +++++++++++++++++--
 manifests/volume/cinder.pp | 18 +++++++++++++++--
 .../system_scope-all-4a661d5cc27d448a.yaml | 9 +++++++++
 spec/classes/manila_compute_nova_spec.rb | 15 ++++++++++++++
 spec/classes/manila_image_glance_spec.rb | 15 ++++++++++++++
 spec/classes/manila_network_neutron_spec.rb | 15 ++++++++++++++
 spec/classes/manila_volume_cinder_spec.rb | 15 ++++++++++++++
 9 files changed, 135 insertions(+), 8 deletions(-)
 create mode 100644 releasenotes/notes/system_scope-all-4a661d5cc27d448a.yaml

diff --git a/manifests/compute/nova.pp b/manifests/compute/nova.pp
index c41d65e6..8af6c855 100644
--- a/manifests/compute/nova.pp
+++ b/manifests/compute/nova.pp
@@ -33,6 +33,10 @@
 # (optional) Project name to scope to
 # Defaults to 'services'
 #
+# [*system_scope*]
+# (optional) Scope for system operations.
+# Defaults to $::os_service_default
+#
 # [*region_name*]
 # (optional) Region name for connecting to nova
 # Defaults to $::os_service_default
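Review bot: The new `[*system_scope*]` entry in the -33,6 hunk says only "Scope for system operations." and never tells the operator the consequence visible further down in the class body: once this parameter is set, `project_name` and `project_domain_name` are written as `$::os_service_default`, so the credential stops being project-scoped. I would extend the entry to `# (optional) Scope for system operations. When set, project_name and project_domain_name are ignored; keystone accepts only 'all' here.` The same wording is copied into the glance.pp, neutron.pp and cinder.pp doc hunks, so the fix applies to all four.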
@@ -62,6 +66,7 @@ class manila::compute::nova (
 $user_domain_name = 'Default',
 $project_domain_name = 'Default',
 $project_name = 'services',
+ $system_scope = $::os_service_default,
 $region_name = $::os_service_default,
 $endpoint_type = $::os_service_default,
 $username = 'nova',
@@ -71,6 +76,14 @@ class manila::compute::nova (
 
 include manila::deps
 
+ if is_service_default($system_scope) {
+ $project_name_real = $project_name
+ $project_domain_name_real = $project_domain_name
+ } else {
+ $project_name_real = $::os_service_default
+ $project_domain_name_real = $::os_service_default
+ }
+
 manila_config {
 'nova/insecure': value => $insecure;
 'nova/auth_url': value => $auth_url;
@@ -81,8 +94,9 @@ class manila::compute::nova (
 'nova/username': value => $username;
 'nova/user_domain_name': value => $user_domain_name;
 'nova/password': value => $password, secret => true;
- 'nova/project_name': value => $project_name;
- 'nova/project_domain_name': value => $project_domain_name;
+ 'nova/project_name': value => $project_name_real;
+ 'nova/project_domain_name': value => $project_domain_name_real;
+ 'nova/system_scope': value => $system_scope;
 'nova/api_microversion': value => $api_microversion;
 }
 }
diff --git a/manifests/image/glance.pp b/manifests/image/glance.pp
index 5fe49837..0c1b63c2 100644
--- a/manifests/image/glance.pp
+++ b/manifests/image/glance.pp
@@ -45,6 +45,10 @@
 # (optional) Project name to scope to
 # Defaults to 'services'
 #
+# [*system_scope*]
+# (optional) Scope for system operations.
+# Defaults to $::os_service_default
+#
 # [*region_name*]
 # (optional) Region name for connecting to cinder
 # Defaults to $::os_service_default
@@ -73,6 +77,7 @@ class manila::image::glance (
 $user_domain_name = 'Default',
 $project_domain_name = 'Default',
 $project_name = 'services',
+ $system_scope = $::os_service_default,
 $region_name = $::os_service_default,
 $endpoint_type = $::os_service_default,
 $username = 'glance',
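Review bot: In the -71,6 hunk any non-default `$system_scope` discards `project_name` and `project_domain_name`, yet the value itself is written to `nova/system_scope` unchecked, so a typo such as `'al'` yields a credential that is neither project- nor system-scoped and presumably only surfaces as an authentication failure on the first nova call. Since keystone accepts only `'all'` as a system scope, I would reject anything else at catalog compile time, before the if/else: `if !is_service_default($system_scope) and $system_scope != 'all' { fail("system_scope must be 'all' when set, got '${system_scope}'") }`. The identical block is added in glance.pp (-81,6), neutron.pp (-79,11) and cinder.pp (-77,6), so the check belongs in all four or in one shared helper rather than being copied a fourth time.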
@@ -81,6 +86,14 @@ class manila::image::glance (
 
 include manila::deps
 
+ if is_service_default($system_scope) {
+ $project_name_real = $project_name
+ $project_domain_name_real = $project_domain_name
+ } else {
+ $project_name_real = $::os_service_default
+ $project_domain_name_real = $::os_service_default
+ }
+
 manila_config {
 'glance/api_microversion': value => $api_microversion;
 'glance/insecure': value => $insecure;
@@ -90,8 +103,9 @@ class manila::image::glance (
 'glance/certfile': value => $certfile;
 'glance/keyfile': value => $keyfile;
 'glance/user_domain_name': value => $user_domain_name;
- 'glance/project_domain_name': value => $project_domain_name;
- 'glance/project_name': value => $project_name;
+ 'glance/project_domain_name': value => $project_domain_name_real;
+ 'glance/project_name': value => $project_name_real;
+ 'glance/system_scope': value => $system_scope;
 'glance/region_name': value => $region_name;
 'glance/endpoint_type': value => $endpoint_type;
 'glance/username': value => $username;
diff --git a/manifests/network/neutron.pp b/manifests/network/neutron.pp
index bebc7b6e..daef9416 100644
--- a/manifests/network/neutron.pp
+++ b/manifests/network/neutron.pp
@@ -33,6 +33,10 @@
 # (optional) Project name to scope to
 # Defaults to 'services'
 #
+# [*system_scope*]
+# (optional) Scope for system operations.
+# Defaults to $::os_service_default
+#
 # [*region_name*]
 # (optional) Region name for connecting to neutron
 # Defaults to $::os_service_default
@@ -70,6 +74,7 @@ class manila::network::neutron (
 $user_domain_name = 'Default',
 $project_domain_name = 'Default',
 $project_name = 'services',
+ $system_scope = $::os_service_default,
 $region_name = $::os_service_default,
 $timeout = $::os_service_default,
 $endpoint_type = $::os_service_default,
@@ -79,11 +84,21 @@ class manila::network::neutron (
 $network_plugin_ipv6_enabled = $::os_service_default,
 ) {
 
+ include manila::deps
+
 # TODO(tkajinam): Remove this after Yoga release
 manila_config {
 'DEFAULT/network_api_class': ensure => absent;
 }
 
+ if is_service_default($system_scope) {
+ $project_name_real = $project_name
+ $project_domain_name_real = $project_domain_name
+ } else {
+ $project_name_real = $::os_service_default
+ $project_domain_name_real = $::os_service_default
+ }
+
 manila_config {
 'neutron/insecure': value => $insecure;
 'neutron/auth_url': value => $auth_url;
@@ -95,8 +110,9 @@ class manila::network::neutron (
 'neutron/username': value => $username;
 'neutron/user_domain_name': value => $user_domain_name;
 'neutron/password': value => $password, secret => true;
- 'neutron/project_name': value => $project_name;
- 'neutron/project_domain_name': value => $project_domain_name;
+ 'neutron/project_name': value => $project_name_real;
+ 'neutron/project_domain_name': value => $project_domain_name_real;
+ 'neutron/system_scope': value => $system_scope;
 'DEFAULT/network_plugin_ipv4_enabled': value => $network_plugin_ipv4_enabled;
 'DEFAULT/network_plugin_ipv6_enabled': value => $network_plugin_ipv6_enabled;
 }
diff --git a/manifests/volume/cinder.pp b/manifests/volume/cinder.pp
index cbcc434d..47bc4bea 100644
--- a/manifests/volume/cinder.pp
+++ b/manifests/volume/cinder.pp
@@ -33,6 +33,10 @@
 # (optional) Project name to scope to
 # Defaults to 'services'
 #
+# [*system_scope*]
+# (optional) Scope for system operations.
+# Defaults to $::os_service_default
+#
 # [*region_name*]
 # (optional) Region name for connecting to cinder
 # Defaults to $::os_service_default
@@ -67,6 +71,7 @@ class manila::volume::cinder (
 $user_domain_name = 'Default',
 $project_domain_name = 'Default',
 $project_name = 'services',
+ $system_scope = $::os_service_default,
 $region_name = $::os_service_default,
 $endpoint_type = $::os_service_default,
 $username = 'cinder',
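Review bot: The `include manila::deps` added at the top of the -79,11 hunk has nothing to do with system scope and is not mentioned in the commit message; it is presumably there because neutron.pp was the only one of the four classes lacking it (nova.pp, glance.pp and cinder.pp all show it as context). I would either name it in the commit message or split it into its own change, so that a dependency-ordering fix is not hidden inside a feature commit and can be backported on its own.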
@@ -77,6 +82,14 @@ class manila::volume::cinder (
 
 include manila::deps
 
+ if is_service_default($system_scope) {
+ $project_name_real = $project_name
+ $project_domain_name_real = $project_domain_name
+ } else {
+ $project_name_real = $::os_service_default
+ $project_domain_name_real = $::os_service_default
+ }
+
 manila_config {
 'cinder/insecure': value => $insecure;
 'cinder/auth_url': value => $auth_url;
@@ -87,8 +100,9 @@ class manila::volume::cinder (
 'cinder/username': value => $username;
 'cinder/user_domain_name': value => $user_domain_name;
 'cinder/password': value => $password, secret => true;
- 'cinder/project_name': value => $project_name;
- 'cinder/project_domain_name': value => $project_domain_name;
+ 'cinder/project_name': value => $project_name_real;
+ 'cinder/project_domain_name': value => $project_domain_name_real;
+ 'cinder/system_scope': value => $system_scope;
 'cinder/http_retries': value => $http_retries;
 'cinder/cross_az_attach': value => $cross_az_attach;
 }
diff --git a/releasenotes/notes/system_scope-all-4a661d5cc27d448a.yaml b/releasenotes/notes/system_scope-all-4a661d5cc27d448a.yaml
new file mode 100644
index 00000000..64205762
--- /dev/null
+++ b/releasenotes/notes/system_scope-all-4a661d5cc27d448a.yaml
@@ -0,0 +1,9 @@
+---
+features:
+ - |
+ The new ``system_scope`` parameter has been added to the following classes.
+
+ - ``manila::compute::nova``
+ - ``manila::image::glance``
+ - ``manila::network::neutron``
+ - ``manila::volume::cinder``
diff --git a/spec/classes/manila_compute_nova_spec.rb b/spec/classes/manila_compute_nova_spec.rb
index 0165ccaa..d4b5d014 100644
--- a/spec/classes/manila_compute_nova_spec.rb
+++ b/spec/classes/manila_compute_nova_spec.rb
@@ -11,6 +11,7 @@ describe 'manila::compute::nova' do
 is_expected.to contain_manila_config('nova/user_domain_name').with_value('Default')
 is_expected.to contain_manila_config('nova/project_domain_name').with_value('Default')
 is_expected.to contain_manila_config('nova/project_name').with_value('services')
+ is_expected.to contain_manila_config('nova/system_scope').with_value('')
 is_expected.to contain_manila_config('nova/region_name').with_value('')
 is_expected.to contain_manila_config('nova/endpoint_type').with_value('')
 is_expected.to contain_manila_config('nova/username').with_value('nova')
@@ -42,6 +43,7 @@ describe 'manila::compute::nova' do
 is_expected.to contain_manila_config('nova/user_domain_name').with_value('Default')
 is_expected.to contain_manila_config('nova/project_domain_name').with_value('Default')
 is_expected.to contain_manila_config('nova/project_name').with_value('services')
+ is_expected.to contain_manila_config('nova/system_scope').with_value('')
 is_expected.to contain_manila_config('nova/region_name').with_value('RegionOne')
 is_expected.to contain_manila_config('nova/endpoint_type').with_value('publicURL')
 is_expected.to contain_manila_config('nova/username').with_value('novav1')
@@ -49,6 +51,19 @@ describe 'manila::compute::nova' do
 is_expected.to contain_manila_config('nova/api_microversion').with_value('2.10')
 end
 end
+
+ context 'when system_scope is set' do
+ let :params do
+ {
+ :system_scope => 'all'
+ }
+ end
+ it 'configures system-scoped credential' do
+ is_expected.to contain_manila_config('nova/project_domain_name').with_value('')
+ is_expected.to contain_manila_config('nova/project_name').with_value('')
+ is_expected.to contain_manila_config('nova/system_scope').with_value('all')
+ end
+ end
 end
 
 on_supported_os({
diff --git a/spec/classes/manila_image_glance_spec.rb b/spec/classes/manila_image_glance_spec.rb
index ca8a8e67..ba7641c6 100644
--- a/spec/classes/manila_image_glance_spec.rb
+++ b/spec/classes/manila_image_glance_spec.rb
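Review bot: The new 'when system_scope is set' context in the -49,6 hunk passes only `:system_scope => 'all'` and leaves every other parameter at its default, so its `with_value('')` expectations show the default project_name/project_domain_name being dropped but never that an explicitly supplied project value is overridden, which is the branch the manifest actually introduces. I would add `:project_name => 'someproject', :project_domain_name => 'somedomain'` (any non-default values; these are constructed) to that `let :params` hash and keep the same three expectations, so the test pins the override rather than the defaults. The same context is copied verbatim into manila_image_glance_spec.rb, manila_network_neutron_spec.rb and manila_volume_cinder_spec.rb and needs the same inputs there.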
@@ -14,6 +14,7 @@ describe 'manila::image::glance' do
 is_expected.to contain_manila_config('glance/user_domain_name').with_value('Default')
 is_expected.to contain_manila_config('glance/project_domain_name').with_value('Default')
 is_expected.to contain_manila_config('glance/project_name').with_value('services')
+ is_expected.to contain_manila_config('glance/system_scope').with_value('')
 is_expected.to contain_manila_config('glance/region_name').with_value('')
 is_expected.to contain_manila_config('glance/endpoint_type').with_value('')
 is_expected.to contain_manila_config('glance/username').with_value('glance')
@@ -47,12 +48,26 @@ describe 'manila::image::glance' do
 is_expected.to contain_manila_config('glance/user_domain_name').with_value('Default')
 is_expected.to contain_manila_config('glance/project_domain_name').with_value('Default')
 is_expected.to contain_manila_config('glance/project_name').with_value('services')
+ is_expected.to contain_manila_config('glance/system_scope').with_value('')
 is_expected.to contain_manila_config('glance/region_name').with_value('RegionOne')
 is_expected.to contain_manila_config('glance/endpoint_type').with_value('publicURL')
 is_expected.to contain_manila_config('glance/username').with_value('glancev1')
 is_expected.to contain_manila_config('glance/password').with_value('123123').with_secret(true)
 end
 end
+
+ context 'when system_scope is set' do
+ let :params do
+ {
+ :system_scope => 'all'
+ }
+ end
+ it 'configures system-scoped credential' do
+ is_expected.to contain_manila_config('glance/project_domain_name').with_value('')
+ is_expected.to contain_manila_config('glance/project_name').with_value('')
+ is_expected.to contain_manila_config('glance/system_scope').with_value('all')
+ end
+ end
 end
 
 on_supported_os({
diff --git a/spec/classes/manila_network_neutron_spec.rb b/spec/classes/manila_network_neutron_spec.rb
index 3fe07e4e..76b7068e 100644
--- a/spec/classes/manila_network_neutron_spec.rb
+++ b/spec/classes/manila_network_neutron_spec.rb
@@ -11,6 +11,7 @@ describe 'manila::network::neutron' do
 is_expected.to contain_manila_config('neutron/user_domain_name').with_value('Default')
 is_expected.to contain_manila_config('neutron/project_domain_name').with_value('Default')
 is_expected.to contain_manila_config('neutron/project_name').with_value('services')
+ is_expected.to contain_manila_config('neutron/system_scope').with_value('')
 is_expected.to contain_manila_config('neutron/region_name').with_value('')
 is_expected.to contain_manila_config('neutron/timeout').with_value('')
 is_expected.to contain_manila_config('neutron/endpoint_type').with_value('')
@@ -46,6 +47,7 @@ describe 'manila::network::neutron' do
 is_expected.to contain_manila_config('neutron/user_domain_name').with_value('Default')
 is_expected.to contain_manila_config('neutron/project_domain_name').with_value('Default')
 is_expected.to contain_manila_config('neutron/project_name').with_value('services')
+ is_expected.to contain_manila_config('neutron/system_scope').with_value('')
 is_expected.to contain_manila_config('neutron/region_name').with_value('RegionOne')
 is_expected.to contain_manila_config('neutron/timeout').with_value(30)
 is_expected.to contain_manila_config('neutron/endpoint_type').with_value('publicURL')
@@ -55,6 +57,19 @@ describe 'manila::network::neutron' do
 is_expected.to contain_manila_config('DEFAULT/network_plugin_ipv6_enabled').with_value(true)
 end
 end
+
+ context 'when system_scope is set' do
+ let :params do
+ {
+ :system_scope => 'all'
+ }
+ end
+ it 'configures system-scoped credential' do
+ is_expected.to contain_manila_config('neutron/project_domain_name').with_value('')
+ is_expected.to contain_manila_config('neutron/project_name').with_value('')
+ is_expected.to contain_manila_config('neutron/system_scope').with_value('all')
+ end
+ end
 end
 
 on_supported_os({
diff --git a/spec/classes/manila_volume_cinder_spec.rb b/spec/classes/manila_volume_cinder_spec.rb
index 35211bd0..49455200 100644
--- a/spec/classes/manila_volume_cinder_spec.rb
+++ b/spec/classes/manila_volume_cinder_spec.rb
@@ -13,6 +13,7 @@ describe 'manila::volume::cinder' do
 is_expected.to contain_manila_config('cinder/user_domain_name').with_value('Default')
 is_expected.to contain_manila_config('cinder/project_domain_name').with_value('Default')
 is_expected.to contain_manila_config('cinder/project_name').with_value('services')
+ is_expected.to contain_manila_config('cinder/system_scope').with_value('')
 is_expected.to contain_manila_config('cinder/username').with_value('cinder')
 is_expected.to contain_manila_config('cinder/password').with_value('')
 is_expected.to contain_manila_config('cinder/http_retries').with_value('')
@@ -45,6 +46,7 @@ describe 'manila::volume::cinder' do
 is_expected.to contain_manila_config('cinder/project_domain_name').with_value('Default')
 is_expected.to contain_manila_config('cinder/project_name').with_value('services')
 is_expected.to contain_manila_config('cinder/region_name').with_value('RegionOne')
+ is_expected.to contain_manila_config('cinder/system_scope').with_value('')
 is_expected.to contain_manila_config('cinder/endpoint_type').with_value('publicURL')
 is_expected.to contain_manila_config('cinder/username').with_value('cinderv1')
 is_expected.to contain_manila_config('cinder/password').with_value('123123').with_secret(true)
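Review bot: In the -45,6 hunk the new `cinder/system_scope` expectation is inserted after `cinder/region_name`, whereas the -13,6 hunk above and the nova, glance and neutron specs place it directly after the `project_name` line; assertion order does not affect the result, but it makes the four specs harder to compare side by side. I would move the added line up so it follows `is_expected.to contain_manila_config('cinder/project_name').with_value('services')`, matching the other hunk in this file.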
@@ -52,6 +54,19 @@ describe 'manila::volume::cinder' do
 is_expected.to contain_manila_config('cinder/cross_az_attach').with_value('true')
 end
 end
+
+ context 'when system_scope is set' do
+ let :params do
+ {
+ :system_scope => 'all'
+ }
+ end
+ it 'configures system-scoped credential' do
+ is_expected.to contain_manila_config('cinder/project_domain_name').with_value('')
+ is_expected.to contain_manila_config('cinder/project_name').with_value('')
+ is_expected.to contain_manila_config('cinder/system_scope').with_value('all')
+ end
+ end
 end
 
 on_supported_os({