Merge "Allow trust roles to be overridden in the config"

openstack-archive · Mar 21, 2019 · 3132c9d · 3132c9d
2 parents e9115df + c88daaa
commit 3132c9d
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 2 deletions.
diff --git a/senlin/common/config.py b/senlin/common/config.py
@@ -113,6 +113,10 @@
     cfg.IntOpt('health_manager_thread_pool_size',
                default=1000,
                help=_('Maximum number of threads to use for health manager.')),
+    cfg.ListOpt('trust_roles',
+                default=[],
+                help=_('The roles which are delegated to the trustee by the '
+                       'trustor when a cluster is created.')),
 ]
 cfg.CONF.register_opts(engine_opts)
 

diff --git a/senlin/drivers/os/keystone_v3.py b/senlin/drivers/os/keystone_v3.py
@@ -68,8 +68,10 @@ def trust_create(self, trustor, trustee, project, roles=None,
         :param impersonation: Whether the trustee is allowed to impersonate
                               the trustor.
         """
-
-        if roles:
+        # inherit the role of the trustor, unless CONF.trust_roles is set
+        if CONF.trust_roles:
+            role_list = [{'name': role} for role in CONF.trust_roles]
+        elif roles:
             role_list = [{'name': role} for role in roles]
         else:
             role_list = []

diff --git a/senlin/tests/unit/drivers/test_keystone_v3.py b/senlin/tests/unit/drivers/test_keystone_v3.py
@@ -116,6 +116,45 @@ def test_trust_create(self, mock_create):
             allow_redelegation=True, roles=[])
         self.conn.reset_mock()
 
+    def test_trust_create_conf_roles(self, mock_create):
+        cfg.CONF.set_override('trust_roles', ['r1', 'r2'])
+        self.conn.identity.create_trust.return_value = 'new_trust'
+        mock_create.return_value = self.conn
+        kc = kv3.KeystoneClient({'k': 'v'})
+
+        res = kc.trust_create('ID_JOHN', 'ID_DOE', 'PROJECT_ID', [
+            'r1', 'r2', 'r3'])
+
+        self.assertEqual('new_trust', res)
+        self.conn.identity.create_trust.assert_called_once_with(
+            trustor_user_id='ID_JOHN', trustee_user_id='ID_DOE',
+            project_id='PROJECT_ID', impersonation=True,
+            allow_redelegation=True, roles=[{'name': 'r1'}, {'name': 'r2'}])
+        self.conn.reset_mock()
+
+        cfg.CONF.set_override('trust_roles', [])
+        res = kc.trust_create('ID_JOHN', 'ID_DOE', 'PROJECT_ID',
+                              ['r1', 'r2'])
+
+        self.assertEqual('new_trust', res)
+        self.conn.identity.create_trust.assert_called_once_with(
+            trustor_user_id='ID_JOHN', trustee_user_id='ID_DOE',
+            project_id='PROJECT_ID', impersonation=True,
+            allow_redelegation=True,
+            roles=[{'name': 'r1'}, {'name': 'r2'}])
+        self.conn.reset_mock()
+
+        # impersonation
+        res = kc.trust_create('ID_JOHN', 'ID_DOE', 'PROJECT_ID',
+                              impersonation=False)
+
+        self.assertEqual('new_trust', res)
+        self.conn.identity.create_trust.assert_called_once_with(
+            trustor_user_id='ID_JOHN', trustee_user_id='ID_DOE',
+            project_id='PROJECT_ID', impersonation=False,
+            allow_redelegation=True, roles=[])
+        self.conn.reset_mock()
+
     @mock.patch.object(sdk, 'authenticate')
     def test_get_token(self, mock_auth, mock_create):
         access_info = {'token': '123', 'user_id': 'abc', 'project_id': 'xyz'}