Enable validation of project id in quotas
The new pillar key is `designate.server.api.quotas_verify_project_id`;
its default at the service reclass level is `False`.
Change-Id: I9ebebc1837aecfa0cc522e41e1ee4d2250df75e9
Closes-Issue: PROD-22079
diff --git a/README.rst b/README.rst
index 2ba22ba..5f80bef 100644
--- a/README.rst
+++ b/README.rst
@@ -24,6 +24,7 @@
rndc_algorithm: hmac-sha512
api:
base_uri: 'http://127.0.0.1:9001'
+ quotas_verify_project_id: False
admin_api:
enabled: true
enabled_extensions_admin: quotas
@@ -113,6 +114,10 @@
In case with Designate tempest plugin (0.2.0) zones quota should be increased to 40, so all
tests can pass.
+.. note::
+ *server:api:quotas_verify_project_id* allows to enable project id verification when setting quotas
+ for project, when Designate will ask Keystone if the project id is valid
+
Pools pillar for BIND9 master and multiple slaves setup:
.. code:: yaml
diff --git a/designate/files/ocata/designate.conf.Debian b/designate/files/ocata/designate.conf.Debian
index a89914c..89ed2ca 100644
--- a/designate/files/ocata/designate.conf.Debian
+++ b/designate/files/ocata/designate.conf.Debian
@@ -204,6 +204,10 @@
# if an error occurs
#pecan_debug = False
+# Verify that the requested Project ID for quota target
+# is a valid project in Keystone.
+quotas_verify_project_id = {{ server.api.get('quotas_verify_project_id', False) }}
+
#-----------------------
# Keystone Middleware
#-----------------------
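Review bot: The comment above `quotas_verify_project_id` does not say what the disabled state means or what the check depends on, and the template falls back to `False`, so a rendered config keeps the validation off unless the pillar opts in. I would extend the comment with `# When False (default) the project ID in a quota request is not checked against Keystone.` and `# The lookup uses the [keystone] section at the end of this file.` The same wording fits the matching hunks in the pike and queens templates. The section header this option lands under is outside the hunk, so confirm it is the API service section that Designate reads the option from.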
@@ -640,3 +644,10 @@
# hostname = 127.0.0.1
# Statsd server UDP port
# port = 8125
+
+[keystone]
+interface = {{ server.identity.get('endpoint_type', 'internal') }}
+region_name = {{ server.region }}
+{%- if server.identity.get('protocol', 'http') == 'https' %}
+cafile = {{ server.identity.get('cacert_file', server.cacert_file) }}
+{%- endif %}
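Review bot: In the new `[keystone]` section `cafile` is written only when `server.identity.protocol` is `https`, and the `.get('protocol', 'http')` fallback means a pillar that omits the key gets no CA bundle, even if the Keystone endpoint selected through `interface` and `region_name` is served over TLS with a private CA. The fallback argument `server.cacert_file` is evaluated unguarded, so with `https` set and neither key in the pillar the line would probably render as an empty `cafile =` rather than fail. Wrapping the line in `{%- if server.identity.get('cacert_file', server.get('cacert_file')) %}` would avoid that. This hunk uses `interface` while the pike and queens hunks use `valid_interfaces`; if that is a deliberate per-release difference, a one-line comment saying so would help. The `cafile` points apply equally to the `[keystone]` hunks in the pike and queens templates.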
diff --git a/designate/files/pike/designate.conf.Debian b/designate/files/pike/designate.conf.Debian
index bcf5570..c14e003 100644
--- a/designate/files/pike/designate.conf.Debian
+++ b/designate/files/pike/designate.conf.Debian
@@ -204,6 +204,10 @@
# if an error occurs
#pecan_debug = False
+# Verify that the requested Project ID for quota target
+# is a valid project in Keystone.
+quotas_verify_project_id = {{ server.api.get('quotas_verify_project_id', False) }}
+
#-----------------------
# Keystone Middleware
#-----------------------
@@ -641,3 +645,10 @@
# hostname = 127.0.0.1
# Statsd server UDP port
# port = 8125
+
+[keystone]
+valid_interfaces = {{ server.identity.get('endpoint_type', 'internal') }}
+region_name = {{ server.region }}
+{%- if server.identity.get('protocol', 'http') == 'https' %}
+cafile = {{ server.identity.get('cacert_file', server.cacert_file) }}
+{%- endif %}
diff --git a/designate/files/queens/designate.conf.Debian b/designate/files/queens/designate.conf.Debian
index ca73a27..47630b6 100644
--- a/designate/files/queens/designate.conf.Debian
+++ b/designate/files/queens/designate.conf.Debian
@@ -731,6 +731,9 @@
# was set by an SSL terminating proxy. (string value)
#override_proto = <None>
+# Verify that the requested Project ID for quota target
+# is a valid project in Keystone.
+quotas_verify_project_id = {{ server.api.get('quotas_verify_project_id', False) }}
[service:central]
@@ -1074,6 +1077,12 @@
# Reason: Migrated to designate-worker
#export_synchronous = true
+[keystone]
+valid_interfaces = {{ server.identity.get('endpoint_type', 'internal') }}
+region_name = {{ server.region }}
+{%- if server.identity.get('protocol', 'http') == 'https' %}
+cafile = {{ server.identity.get('cacert_file', server.cacert_file) }}
+{%- endif %}
[ssl]
{%- include "oslo_templates/files/queens/oslo/service/_ssl.conf" %}
diff --git a/metadata/service/server/cluster.yml b/metadata/service/server/cluster.yml
index 6080424..064cfd7 100644
--- a/metadata/service/server/cluster.yml
+++ b/metadata/service/server/cluster.yml
@@ -13,6 +13,8 @@
region: RegionOne
domain_id: 5186883b-91fb-4891-bd49-e6769234a8fc
version: ${_param:designate_version}
+ api:
+ quotas_verify_project_id: False
bind:
api:
address: ${_param:cluster_local_address}
diff --git a/metadata/service/server/single.yml b/metadata/service/server/single.yml
index a3796ef..2cf8bfe 100644
--- a/metadata/service/server/single.yml
+++ b/metadata/service/server/single.yml
@@ -13,6 +13,8 @@
region: RegionOne
domain_id: 5186883b-91fb-4891-bd49-e6769234a8fc
version: ${_param:designate_version}
+ api:
+ quotas_verify_project_id: False
bind:
api:
address: ${_param:single_address}
diff --git a/tests/pillar/designate_ocata.sls b/tests/pillar/designate_ocata.sls
index 048756f..93e7e7a 100644
--- a/tests/pillar/designate_ocata.sls
+++ b/tests/pillar/designate_ocata.sls
@@ -7,6 +7,8 @@
region: RegionOne
domain_id: 5186883b-91fb-4891-bd49-e6769234a8fc
version: ocata
+ api:
+ quotas_verify_project_id: false
bind:
api:
address: 127.0.0.1
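Review bot: The only test pillar touched sets `quotas_verify_project_id: false`, so no rendered config in the test run has the check switched on. The `https` branch that writes `cafile` in the new `[keystone]` section is exercised only if this pillar already sets `identity.protocol`, which the hunk does not show. Setting `quotas_verify_project_id: true` here, or in another release pillar if one exists, would cover the enabled rendering. The value is spelled `false` here and `False` in the metadata defaults and README; both parse as a YAML boolean, but a single spelling across the commit would read more cleanly.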