Merge "add RBAC support"
diff --git a/README.rst b/README.rst
index f672f8f..5612133 100644
--- a/README.rst
+++ b/README.rst
@@ -781,6 +781,20 @@
multi_tenancy: false
...
+Enable RBAC
+-----------
+
+
+.. code-block:: yaml
+
+ opencontrail:
+ ...
+ config:
+ aaa_mode: rbac
+ cloud_admin_role: admin
+ global_read_only_role: member
+ ...
+
Switch from on demand to periodic keystone sync
-----------------------------------------------
diff --git a/opencontrail/files/3.0/contrail-api.conf b/opencontrail/files/3.0/contrail-api.conf
index be686aa..0e2e097 100644
--- a/opencontrail/files/3.0/contrail-api.conf
+++ b/opencontrail/files/3.0/contrail-api.conf
@@ -7,7 +7,15 @@
cassandra_server_list={% for member in config.database.members %}{{ member.host }}:9160 {% endfor %}
listen_ip_addr=0.0.0.0
listen_port={{ config.bind.get('api_port', '8082') }}
+{%- if config.aaa_mode is defined %}
+aaa_mode={{ config.aaa_mode }}
+cloud_admin_role={{ config.get('cloud_admin_role', 'admin') }}
+{%- if config.global_read_only_role is defined %}
+global_read_only_role={{ config.global_read_only_role }}
+{%- endif %}
+{%- else %}
multi_tenancy={{ config.get('multi_tenancy', 'true')|lower }}
+{%- endif %}
log_file=/var/log/contrail/contrail-api.log
log_local=1
log_level=SYS_NOTICE
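Review bot: `config.aaa_mode is defined` is also true when the pillar key exists but is empty, so the template would write `aaa_mode=None` and drop the `multi_tenancy` line. That leaves the API server's authorization mode dependent on how it treats an invalid value. Guarding on the value itself, e.g. `{%- if config.get('aaa_mode') in ['no-auth', 'cloud-admin', 'rbac'] %}`, sends anything unexpected to the existing `multi_tenancy` branch instead. The `is defined` test on `global_read_only_role`, both here and in the 4.0 template hunk, has the same empty-value problem; `{%- if config.get('global_read_only_role') %}` avoids it.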
diff --git a/opencontrail/files/4.0/contrail-api.conf b/opencontrail/files/4.0/contrail-api.conf
index b51dec0..ad6962c 100644
--- a/opencontrail/files/4.0/contrail-api.conf
+++ b/opencontrail/files/4.0/contrail-api.conf
@@ -6,6 +6,9 @@
listen_port={{ config.bind.get('api_port', '8082') }}
aaa_mode={{ config.get('aaa_mode', 'cloud-admin') }}
cloud_admin_role={{ config.get('cloud_admin_role', 'admin') }}
+{%- if config.global_read_only_role is defined %}
+global_read_only_role={{ config.global_read_only_role }}
+{%- endif %}
log_file=/var/log/contrail/contrail-api.log
log_local=1
log_level=SYS_NOTICE
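Review bot: Nothing in the template says how far `global_read_only_role` reaches, and the README example in this commit maps it to `member`. As I understand Contrail's RBAC, holders of this role can read every object in the config API regardless of project, so a widely assigned role would expose all tenants' network configuration. I would add a Jinja comment above the new `if`, such as `{#- global_read_only_role grants read access to objects in all projects; map it to a dedicated, narrowly assigned role #}`.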
diff --git a/tests/pillar/control3.sls b/tests/pillar/control3.sls
index 4c580df..2587f2a 100644
--- a/tests/pillar/control3.sls
+++ b/tests/pillar/control3.sls
@@ -15,6 +15,8 @@
version: 3.0
enabled: true
multi_tenancy: false
+ aaa_mode: rbac
+ global_read_only_role: demo
network:
engine: neutron
host: 127.0.0.1
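Review bot: The fixture keeps `multi_tenancy: false` next to the new `aaa_mode: rbac`, but the 3.0 contrail-api.conf template in this commit stops rendering `multi_tenancy` once `aaa_mode` is defined, so that key no longer reaches that file. Either drop it or, if other templates still read it (not visible here), mark it with a comment such as `# not rendered into contrail-api.conf when aaa_mode is set`. The fixture also only covers the case where `global_read_only_role` is set, so a second pillar without it would be needed to exercise the other branch of the template.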