engine: configure deferred authentication method
The default deferred_auth_method of password is deprecated as of
Icehouse, so although it is still the default, deployers are strongly
encouraged to move to using deferred_auth_method=trusts, which is
planned to become the default for Juno.

* It avoids storing user credentials in the heat database
* It removes the need to provide a password as well as a token on stack create
* It limits the actions the heat service user can perform on a user's behalf.

This patch aims to:
* Set deferred_auth_method = trusts in /etc/heat/heat.conf for engine
* Specify the roles to be delegated to the heat service user
   (trusts_delegated_roles in heat.conf, defaults to heat_stack_owner
   which will be referred to in the following instructions. You may wish
   to modify this list of roles to suit your local RBAC policies)
* Create the role(s) in Keystone (optional and enabled by default).

Change-Id: I99eaf29473bc4e70017580b3b340c24093aa0619
Emilien Macchi committed Oct 8, 2014
1 parent e9e1ba0 commit 0e6d7ea
Showing 2 changed files with 41 additions and 2 deletions.
27 changes: 25 additions & 2 deletions manifests/engine.pp
@@ -35,7 +35,19 @@
# used for stack locking
# Defaults to '2'
#

# [*trusts_delegated_roles*]
# (optional) Array of trustor roles to be delegated to heat.
# Defaults to ['heat_stack_owner']
#
# [*deferred_auth_method*]
# (optional) Select deferred auth method.
# Can be "password" or "trusts".
# Defaults to 'trusts'
#
# [*configure_delegated_roles*]
# (optional) Whether to configure the delegated roles.
# Defaults to true
#
class heat::engine (
$auth_encryption_key,
$manage_service = true,
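Review bot: the header for `deferred_auth_method` documents the module default as 'trusts' but does not say that this deliberately diverges from upstream heat, which (per the commit message) still defaults to the deprecated 'password'; deployers reading only the parameter docs would want that stated, along with a note that `trusts_delegated_roles` is only consulted when the method is 'trusts'. The `configure_delegated_roles` entry could also say what "configure" means here, i.e. that each role in `trusts_delegated_roles` is created as a `keystone_role` resource.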
@@ -44,7 +56,10 @@
$heat_metadata_server_url = 'http://127.0.0.1:8000',
$heat_waitcondition_server_url = 'http://127.0.0.1:8000/v1/waitcondition',
$heat_watch_server_url = 'http://127.0.0.1:8003',
$engine_life_check_timeout = '2'
$engine_life_check_timeout = '2',
$trusts_delegated_roles = ['heat_stack_owner'],
$deferred_auth_method = 'trusts',
$configure_delegated_roles = true,
) {

include heat::params
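Review bot: `$deferred_auth_method` is documented as accepting only 'password' or 'trusts', but nothing validates it, so a misspelt value is written straight into heat.conf and only surfaces when heat-engine starts. Consider a check right after the parameter list, e.g. `validate_re($deferred_auth_method, '^(password|trusts)$')` from stdlib, so a bad value fails the catalog compile instead.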
@@ -66,6 +81,12 @@
}
}

if $configure_delegated_roles {
keystone_role { $trusts_delegated_roles:
ensure => present,
}
}

service { 'heat-engine':
ensure => $service_ensure,
name => $::heat::params::engine_service_name,
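Review bot: the `keystone_role` resources are declared whenever `$configure_delegated_roles` is true, including when `$deferred_auth_method` is 'password', where the delegated roles are never used. Tightening the guard to `if $configure_delegated_roles and $deferred_auth_method == 'trusts' {` avoids creating roles that the chosen auth method does not need, and makes the relationship between the two parameters explicit in the code rather than only in the docs.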
@@ -85,5 +106,7 @@
'DEFAULT/heat_waitcondition_server_url': value => $heat_waitcondition_server_url;
'DEFAULT/heat_watch_server_url' : value => $heat_watch_server_url;
'DEFAULT/engine_life_check_timeout' : value => $engine_life_check_timeout;
'DEFAULT/trusts_delegated_roles' : value => $trusts_delegated_roles;
'DEFAULT/deferred_auth_method' : value => $deferred_auth_method;
}
}
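Review bot: `$trusts_delegated_roles` is an array (documented and defaulted as `['heat_stack_owner']`) but is handed to `heat_config` as-is, while heat.conf expects a comma-separated list; the rendered value then depends on how the provider stringifies an array, which is easy to get right by accident for a one-element default and wrong for the multi-role case the spec exercises. Join it explicitly, e.g. `'DEFAULT/trusts_delegated_roles' : value => join($trusts_delegated_roles, ',');` (stdlib `join`), so the file always contains `role1,role2`.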
16 changes: 16 additions & 0 deletions spec/classes/heat_engine_spec.rb
@@ -10,6 +10,8 @@
:heat_waitcondition_server_url => 'http://127.0.0.1:8000/v1/waitcondition',
:heat_watch_server_url => 'http://128.0.0.1:8003',
:engine_life_check_timeout => '2',
:trusts_delegated_roles => ['heat_stack_owner'],
:deferred_auth_method => 'trusts',
}
end

@@ -24,6 +26,9 @@
:heat_waitcondition_server_url => 'http://127.0.0.1:8000/v1/waitcondition',
:heat_watch_server_url => 'http://128.0.0.1:8003',
:engine_life_check_timeout => '2',
:trusts_delegated_roles => ['role1', 'role2'],
:deferred_auth_method => 'trusts',
:configure_delegated_roles => true,
}
].each do |new_params|
describe 'when #{param_set == {} ? "using default" : "specifying"} parameters'
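Review bot: neither parameter set exercises the opt-out path; only the second one sets `configure_delegated_roles`, and to `true`. Add a context with `:configure_delegated_roles => false` asserting `should_not contain_keystone_role('heat_stack_owner')`, and one with `:deferred_auth_method => 'password'` so the legacy method is also covered by the spec.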
@@ -56,6 +61,17 @@
it { should contain_heat_config('DEFAULT/heat_waitcondition_server_url').with_value( expected_params[:heat_waitcondition_server_url] ) }
it { should contain_heat_config('DEFAULT/heat_watch_server_url').with_value( expected_params[:heat_watch_server_url] ) }
it { should contain_heat_config('DEFAULT/engine_life_check_timeout').with_value( expected_params[:engine_life_check_timeout] ) }
it { should contain_heat_config('DEFAULT/trusts_delegated_roles').with_value( expected_params[:trusts_delegated_roles] ) }
it { should contain_heat_config('DEFAULT/deferred_auth_method').with_value( expected_params[:deferred_auth_method] ) }

it 'configures delegated roles' do
should contain_keystone_role("role1").with(
:ensure => 'present'
)
should contain_keystone_role("role2").with(
:ensure => 'present'
)
end
end

context 'with disabled service managing' do
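Review bot: the 'configures delegated roles' example hardcodes `role1` and `role2`, but it lives in the shared examples run for every entry of the `each do |new_params|` loop, and the first parameter set uses the default `['heat_stack_owner']`, so that iteration will fail. Derive the expectation from the parameters instead, e.g. `expected_params[:trusts_delegated_roles].each do |role|` / `should contain_keystone_role(role).with(:ensure => 'present')` / `end`, which also keeps the assertion in step with any future change to the default list.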