RBAC: Support system-scoped tokens in pcdctl config/auth#428

Merged
tyler-pf9 merged 1 commit into
masterfrom
private/tyler/dynamic_rbac_roles
Jun 29, 2026

Conversation

@tyler-pf9

Contributor

ISSUE(S):

SUMMARY

config set could only request project-scoped keystone tokens. A system-scoped
user (e.g. platform_admin, which has only a system=all role binding and no
project role) got a 401 at token issuance, before any policy ran — so host
onboarding was impossible for them. Separately, the user identity domain was
hardcoded to default, so any user outside the default domain also got a 401
and could not authenticate at all.

ISSUE TYPE

  • New feature (adds -s/-d system-scope support; end-user/project-scoped behavior unchanged)
  • Breaking change (Go API: GetAuth signature change breaks downstream importers, e.g. pcdctl, until updated)
  • This change requires a documentation update (README flag list updated in this PR)

IMPACTED FEATURES/COMPONENTS:

  • pkg/keystone GetAuth (+systemScope, userDomain); new projects.go/users.go (project name→ID and user default-project lookups)
  • pkg/objects Config gains SystemScope bool, UserDomain string
  • pkg/config validateConfigFields (tenant optional under system scope); suppress service default under -s
  • cmd/config.go -s/--system, -d/--domain flags; 9 GetAuth call sites updated for the new signature
  • Downstream: platform9/pcdctl (imports pf9ctl/pkg/keystone) — needs a companion update

TESTING DONE

Automated

  • New unit tests: pkg/keystone/keystone_scope_test.go (auth-body construction —
    project/system × mfa × domain, all valid JSON) and keystone_resolve_test.go
    (project name→ID, UUID short-circuit, user default-project present/absent).
  • Project-scoped request bodies proven byte-identical to the pre-refactor bodies
    (no regression for existing users).
  • go build ./..., go test ./..., go vet ./..., gofmt -s all clean.

Manual

Live-validated on a CE DU (pcd-community.pf9.io) as platform_admin@pf9.user:

  • config set -s (previously 401) → succeeds; system-scoped token issued.
  • Target-project precedence: no -t → user default_project_id (81ae47…);
    -t service → name lookup; -t <uuid> → short-circuit; -t <nonexistent>
    clean "Unable to resolve target project" error (config left untouched).
  • prep-node onboarded a host; resmgr authorized the system-scoped token
    (GET host → 200; the pf9-kube role 404 is a PCD-V DU not offering that role,
    not an auth failure).
  • -d domain handling + default-domain back-compat verified.
  • Project-only scope (no -s) confirmed unchanged (correct path taken; keystone
    returned 401 only on stale test creds, i.e. the body was well-formed).

Before:

./pf9ctl config set -u https://pcd-community.pf9.io -e platform_admin@pf9.user -p 'Pf9Persona!' -r Community -t service --no-prompt --verbose
Error checking versions  open /usr/bin/pf9ctl: no such file or directory
2026-06-24T22:20:47.1525Z       DEBUG   ==========Running set config==========
2026-06-24T22:20:47.1526Z       DEBUG   Using local executor
2026-06-24T22:20:47.1526Z       DEBUG   Received a call to fetch keystone authentication for fqdn: https://pcd-community.pf9.io and user: platform_admin@pf9.user and tenant: service, mfa_token: , system_scope: false, user_domain: 

2026-06-24T22:20:47.5747Z       DEBUG   Error in StatusCode:401

2026-06-24T22:20:47.5748Z       DEBUG   Unable to get keystone token, status: 401
2026-06-24T22:20:47.5749Z       FATAL   x Invalid Credentials

After (system scope support):

./pf9ctl config set -u https://pcd-community.pf9.io -e platform_admin@pf9.user -p 'Pf9Persona!' -r Community -s --no-prompt --verbose
Error checking versions  open /usr/bin/pf9ctl: no such file or directory
2026-06-24T20:54:13.9839Z       DEBUG   ==========Running set config==========
2026-06-24T20:54:13.9841Z       DEBUG   Using local executor
2026-06-24T20:54:13.9841Z       DEBUG   Received a call to fetch keystone authentication for fqdn: https://pcd-community.pf9.io and user: platform_admin@pf9.user and tenant: , mfa_token: , system_scope: true, user_domain: 

2026-06-24T20:54:14.4172Z       DEBUG   Fetching default project for user
2026-06-24T20:54:14.6104Z       DEBUG   default project ID: 81ae47585ea74aa4b9f40de503b062b4
2026-06-24T20:54:14.6105Z       DEBUG   Using user default project 81ae47585ea74aa4b9f40de503b062b4 as target
2026-06-24T20:54:14.6105Z       DEBUG   returning successfully

2026-06-24T20:54:14.6105Z       DEBUG   Fetching service ID for service: regionInfo
2026-06-24T20:54:14.612Z        DEBUG   Fetching service ID for regionInfo
2026-06-24T20:54:14.7879Z       DEBUG   service ID : .f739a2c9c6fc45dd9013101e7620b8d3
2026-06-24T20:54:14.788Z        DEBUG   service ID : f739a2c9c6fc45dd9013101e7620b8d3
2026-06-24T20:54:14.7882Z       DEBUG   Service ID fetched : f739a2c9c6fc45dd9013101e7620b8d3
2026-06-24T20:54:14.7882Z       DEBUG   Fetching endpoint for region: Community
2026-06-24T20:54:14.7898Z       DEBUG   Fetching endpoints for region Community
2026-06-24T20:54:14.975Z        DEBUG   endpoint: https://pcd-community.pf9.io/download-links
2026-06-24T20:54:14.9751Z       DEBUG   FQDN: pcd-community.pf9.io
2026-06-24T20:54:14.9751Z       DEBUG   Endpoint found: pcd-community.pf9.io
2026-06-24T20:54:14.9751Z       DEBUG   endpointURL fetched : pcd-community.pf9.io
2026-06-24T20:54:14.9751Z       DEBUG   Storing configuration details
✓ Stored configuration details successfully
2026-06-24T20:54:14.9754Z       DEBUG   ==========Finished running set config=========
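The three request-body shapes the description covers (project scope by ID, system scope via -s, and the user domain that used to be hardcoded to default), as an added Go example that is not pf9ctl's own code: AuthOpts and BuildAuthBody are names assumed for the illustration, and sending an MFA token through keystone's totp method is an assumption about how the project does it.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// AuthOpts holds the inputs for the example. The type and field names are
// assumptions for this illustration, not pf9ctl's own Config or GetAuth types.
type AuthOpts struct {
	Username, Password string
	UserDomain         string // empty means keystone's "default" domain
	MFAToken           string // optional TOTP passcode
	SystemScope        bool   // true requests scope.system.all (the -s path)
	ProjectID          string // already-resolved project ID; used only without -s
}
// BuildAuthBody builds the Keystone v3 POST /v3/auth/tokens body. Precedence:
// system scope if requested, else project by ID; with neither it refuses to send.
func BuildAuthBody(o AuthOpts) ([]byte, error) {
	if o.UserDomain == "" {
		o.UserDomain = "default" // back-compat with the previously hardcoded domain
	}
	domain := map[string]string{"name": o.UserDomain}
	user := map[string]interface{}{"name": o.Username, "password": o.Password, "domain": domain}
	identity := map[string]interface{}{
		"methods":  []string{"password"},
		"password": map[string]interface{}{"user": user},
	}
	if o.MFAToken != "" { // keystone's "totp" method, sent alongside "password" (assumed)
		identity["methods"] = []string{"password", "totp"}
		identity["totp"] = map[string]interface{}{"user": map[string]interface{}{
			"name": o.Username, "passcode": o.MFAToken, "domain": domain}}
	}
	var scope map[string]interface{}
	switch {
	case o.SystemScope:
		scope = map[string]interface{}{"system": map[string]bool{"all": true}}
	case o.ProjectID != "":
		scope = map[string]interface{}{"project": map[string]string{"id": o.ProjectID}}
	default:
		return nil, fmt.Errorf("no project ID given and system scope not requested")
	}
	return json.Marshal(map[string]interface{}{
		"auth": map[string]interface{}{"identity": identity, "scope": scope}})
}

func main() {
	body, err := BuildAuthBody(AuthOpts{Username: "platform_admin", Password: "x", SystemScope: true})
	fmt.Println(string(body), err)
}
```

A system-scoped body carries no project key at all, which is why a user with only a system=all binding can obtain a token from it.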

@kgunjikar kgunjikar self-requested a review June 29, 2026 18:14
@tyler-pf9 tyler-pf9 merged commit 3d58330 into master Jun 29, 2026
5 checks passed
@tyler-pf9 tyler-pf9 deleted the private/tyler/dynamic_rbac_roles branch June 29, 2026 18:46