Scope various client requests to a project #44
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #44 +/- ##
======================================
Coverage ? 0.88%
======================================
Files ? 27
Lines ? 3834
Branches ? 0
======================================
Hits ? 34
Misses ? 3796
Partials ? 4 ☔ View full report in Codecov by Sentry. |
yankcrime
force-pushed
the
client_project_scoping
branch
2 times, most recently
from
22ac03a
to
ca39ad1
Compare
yankcrime
force-pushed
the
client_project_scoping
branch
2 times, most recently
from
6eefda3
to
42220e1
Compare
|
So why does this work for me... diff --git a/charts/region/Chart.yaml b/charts/region/Chart.yaml
index 6021edd..1d02d6c 100644
--- a/charts/region/Chart.yaml
+++ b/charts/region/Chart.yaml
@@ -4,8 +4,8 @@ description: A Helm chart for deploying Unikorn's Region Controller
type: application
-version: v0.1.29
-appVersion: v0.1.29
+version: v0.1.30
+appVersion: v0.1.30
icon: https://raw.githubusercontent.com/unikorn-cloud/assets/main/images/logos/dark-on-light/icon.png
diff --git a/pkg/providers/openstack/client.go b/pkg/providers/openstack/client.go
index df86ee3..176e896 100644
--- a/pkg/providers/openstack/client.go
+++ b/pkg/providers/openstack/client.go
@@ -118,18 +118,8 @@ type DomainScopedPasswordProvider struct {
domainID string
}
-// ProjectScopedPasswordProvider allows use of an application credential.
-type ProjectScopedPasswordProvider struct {
- endpoint string
- userID string
- password string
- projectName string
- domainID string
-}
-
// Ensure the interface is implemented.
var _ CredentialProvider = &DomainScopedPasswordProvider{}
-var _ CredentialProvider = &ProjectScopedPasswordProvider{}
// NewDomainScopedPasswordProvider creates a client that consumes passwords
// for authentication.
@@ -157,15 +147,25 @@ func (p *DomainScopedPasswordProvider) Client(ctx context.Context) (*gophercloud
return authenticatedClient(ctx, options)
}
+// ProjectScopedPasswordProvider allows use of an application credential.
+type ProjectScopedPasswordProvider struct {
+ endpoint string
+ userID string
+ password string
+ projectID string
+}
+
+// Ensure the interface is implemented.
+var _ CredentialProvider = &ProjectScopedPasswordProvider{}
+
// NewProjectScopedPasswordProvider creates a project-scoped client that consumes passwords
// for authentication.
-func NewProjectScopedPasswordProvider(endpoint, userID, password, projectName, domainID string) *ProjectScopedPasswordProvider {
+func NewProjectScopedPasswordProvider(endpoint, userID, password, projectID string) *ProjectScopedPasswordProvider {
return &ProjectScopedPasswordProvider{
- endpoint: endpoint,
- userID: userID,
- password: password,
- projectName: projectName,
- domainID: domainID,
+ endpoint: endpoint,
+ userID: userID,
+ password: password,
+ projectID: projectID,
}
}
@@ -176,8 +176,7 @@ func (p *ProjectScopedPasswordProvider) Client(ctx context.Context) (*gopherclou
UserID: p.userID,
Password: p.password,
Scope: &gophercloud.AuthScope{
- DomainID: p.domainID,
- ProjectName: p.projectName,
+ ProjectID: p.projectID,
},
AllowReauth: true,
}
diff --git a/pkg/providers/openstack/provider.go b/pkg/providers/openstack/provider.go
index bd645b1..795445f 100644
--- a/pkg/providers/openstack/provider.go
+++ b/pkg/providers/openstack/provider.go
@@ -61,10 +61,10 @@ type Provider struct {
// secret is the current region secret.
secret *corev1.Secret
- domainID string
- projectName string
- userID string
- password string
+ domainID string
+ projectID string
+ userID string
+ password string
// DO NOT USE DIRECTLY, CALL AN ACCESSOR.
_identity *IdentityClient
@@ -142,20 +142,24 @@ func (p *Provider) serviceClientRefresh(ctx context.Context) error {
return fmt.Errorf("%w: password", ErrKeyUndefined)
}
- projectName, ok := secret.Data["project-name"]
+ projectID, ok := secret.Data["project-id"]
if !ok {
return fmt.Errorf("%w: project-id", ErrKeyUndefined)
}
- // Pass in an empty string to use the default project.
- providerClient := NewProjectScopedPasswordProvider(region.Spec.Openstack.Endpoint, string(userID), string(password), string(projectName), string(domainID))
-
// Create the clients.
+ // The identity client needs to have "manager" powers, so it create projects and
+ // users without full admin.
identity, err := NewIdentityClient(ctx, NewDomainScopedPasswordProvider(region.Spec.Openstack.Endpoint, string(userID), string(password), string(domainID)))
if err != nil {
return err
}
+ // Everything else gets the default view when bound to project, as domain scoped
+ // accesses do not work. When provisioning in an identity's project, you will
+ // need to create a new scoped client
+ providerClient := NewProjectScopedPasswordProvider(region.Spec.Openstack.Endpoint, string(userID), string(password), string(projectID))
+
compute, err := NewComputeClient(ctx, providerClient, region.Spec.Openstack.Compute)
if err != nil {
return err
@@ -176,7 +180,7 @@ func (p *Provider) serviceClientRefresh(ctx context.Context) error {
p.secret = secret
p.domainID = string(domainID)
- p.projectName = string(projectName)
+ p.projectID = string(projectID)
p.userID = string(userID)
p.password = string(password)
and then run and add the project ID to the secret? This is as I'd have expected, I'm not getting any unauthorized errors. |
yankcrime
force-pushed
the
client_project_scoping
branch
2 times, most recently
from
78c8636
to
e61f543
Compare
|
Turns out the role assignment for the user I was testing with wasn't correctly specified, so have simplified this change. |
yankcrime
force-pushed
the
client_project_scoping
branch
3 times, most recently
from
1c61592
to
402f25f
Compare
spjmurray
requested changes
Aug 1, 2024
|
Also bump the version to |
yankcrime
force-pushed
the
client_project_scoping
branch
from
402f25f
to
2c13098
Compare
The default API policies for OpenStack were amended almost unversally (across projects) with the 2023.1 release to limit information returned from client requests that are not scoped to a project, see the Glance release notes for example: https://docs.openstack.org/releasenotes/glance/2023.1.html#upgrade-notes
yankcrime
force-pushed
the
client_project_scoping
branch
from
2c13098
to
a2b7223
Compare
spjmurray
approved these changes
Aug 1, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The default API policies for OpenStack were amended almost unversally
(across projects) with the 2023.1 release to limit information returned
from client requests that are not scoped to a project, see the Glance
release notes for example:
https://docs.openstack.org/releasenotes/glance/2023.1.html#upgrade-notes
This commit introduces a new client that is scoped to a project and
updates the onboarding docs with the new OpenStack pre-reqs.