Support preferred Keystone auth methods

Key moments: * fill "trustee" section in heat.conf * add auth_plugin support (for interaction with keystone) * deprecate keystone_authtoken options (all options not for auth_plugin settings) * use versionless keystone urls * create "clients_keystone" section to prevent "keystone_authtoken/auth_uri" usage Change-Id: Iade6c0736e57b8e752244badd540eb3d605714f5 Closes-bug: #1528963 Closes-bug: #1529016
2016-03-22 14:13:56 +03:00 · 2016-03-22 14:13:56 +03:00 · 48b80077e8
commit 48b80077e8
parent bd2cd8997c
3 changed files with 123 additions and 109 deletions
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -118,19 +118,40 @@
 # [*auth_uri*]
 #   (Optional) Specifies the public Identity URI for Heat to use.
 #   Located in heat.conf.
-#   Defaults to: false
+#   Defaults to: 'http://127.0.0.1:5000/'.
 #
 # [*identity_uri*]
 #   (Optional) Specifies the admin Identity URI for Heat to use.
 #   Located in heat.conf.
-#   Defaults to: false
+#   Defaults to: 'http://127.0.0.1:35357/'.
 #
 # [*auth_plugin*]
 #   Specifies the plugin used for authentication.
 #   Defaults to undef.
 #
 # [*keystone_user*]
 #   Defaults to 'heat'.
 #
 # [*keystone_tenant*]
 #   Defaults to 'services'.
 #
 # [*keystone_password*]
 #
 # [*keystone_project_domain_name*]
 #   Specifies the project domain of Keystone account for "password" auth_plugin.
 #   Defaults to 'Default'.
 #
 # [*keystone_user_domain_id*]
 #   (Optional) Domain ID of the principal if the principal has a domain.
 #   Defaults to: 'Default'.
 #
 # [*keystone_user_domain_name*]
 #   Defaults to 'Default'.
 #
 # [*keystone_project_domain_id*]
 #   (Optional) Domain ID of the scoped project if auth is project-scoped.
 #   Defaults to: 'Default'.
 #
 # [*keystone_ec2_uri*]
 #
 # [*database_connection*]
@ -211,18 +232,6 @@
 # [*sql_connection*]
 #   Deprecated. Use database_connection instead.
 #
 # [*keystone_host*]
 #   (Optional) DEPRECATED The keystone host.
 #   Defaults to localhost.
 #
 # [*keystone_port*]
 #   (Optional) DEPRECATED The port used to access the keystone host.
 #   Defaults to 35357.
 #
 # [*keystone_protocol*]
 #   (Optional) DEPRECATED. The protocol used to access the keystone host
 #   Defaults to http.
 #
 # [*qpid_hostname*]
 #
 # [*qpid_port*]
@ -250,16 +259,21 @@
 # [*qpid_reconnect_interval_max*]
 #
 class heat(
-  $auth_uri                           = false,
+  $auth_uri                           = 'http://127.0.0.1:5000/',
-  $identity_uri                       = false,
+  $identity_uri                       = 'http://127.0.0.1:35357/',
  $package_ensure                     = 'present',
  $verbose                            = undef,
  $debug                              = undef,
  $log_dir                            = undef,
  $auth_plugin                        = undef,
  $keystone_user                      = 'heat',
  $keystone_tenant                    = 'services',
  $keystone_password                  = false,
  $keystone_ec2_uri                   = 'http://127.0.0.1:5000/v2.0/ec2tokens',
  $keystone_project_domain_id         = 'Default',
  $keystone_project_domain_name       = 'Default',
  $keystone_user_domain_id            = 'Default',
  $keystone_user_domain_name          = 'Default',
  $rpc_backend                        = $::os_service_default,
  $rpc_response_timeout               = $::os_service_default,
  $rabbit_host                        = $::os_service_default,
@ -298,9 +312,6 @@ class heat(
  # Deprecated parameters
  $mysql_module                       = undef,
  $sql_connection                     = undef,
  $keystone_host                      = '127.0.0.1',
  $keystone_port                      = '35357',
  $keystone_protocol                  = 'http',
  $instance_user                      = undef,
  $qpid_hostname                      = undef,
  $qpid_port                          = undef,
@ -395,62 +406,40 @@ class heat(
    warning('Qpid driver is removed from Oslo.messaging in the Mitaka release')
  }
-  # if both auth_uri and identity_uri are set we skip these deprecated settings entirely
+  if $auth_plugin {
-  if !$auth_uri or !$identity_uri {
+    if $auth_plugin == 'password' {
    if $keystone_host {
      warning('The keystone_host parameter is deprecated. Please use auth_uri and identity_uri instead.')
      heat_config {
-        'keystone_authtoken/auth_host': value => $keystone_host;
+        'keystone_authtoken/auth_url':          value => $identity_uri;
        'keystone_authtoken/auth_plugin':       value => $auth_plugin;
        'keystone_authtoken/username':          value => $keystone_user;
        'keystone_authtoken/password':          value => $keystone_password, secret => true;
        'keystone_authtoken/user_domain_id':    value => $keystone_user_domain_id;
        'keystone_authtoken/project_name':      value => $keystone_tenant;
        'keystone_authtoken/project_domain_id': value => $keystone_project_domain_id;
      }
    } else {
-      heat_config {
+      fail('Currently only "password" auth_plugin is supported.')
        'keystone_authtoken/auth_host': ensure => absent;
      }
    }
    if $keystone_port {
      warning('The keystone_port parameter is deprecated. Please use auth_uri and identity_uri instead.')
      heat_config {
        'keystone_authtoken/auth_port': value => $keystone_port;
      }
    } else {
      heat_config {
        'keystone_authtoken/auth_port': ensure => absent;
      }
    }
    if $keystone_protocol {
      warning('The keystone_protocol parameter is deprecated. Please use auth_uri and identity_uri instead.')
      heat_config {
        'keystone_authtoken/auth_protocol': value => $keystone_protocol;
      }
    } else {
      heat_config {
        'keystone_authtoken/auth_protocol': ensure => absent;
      }
    }
  } else {
    warning('"admin_user", "admin_password", "admin_tenant_name" configuration options are deprecated in favor of auth_plugin and related options')
    heat_config {
-      'keystone_authtoken/auth_host': ensure => absent;
+      'keystone_authtoken/auth_uri':          value => $auth_uri;
-      'keystone_authtoken/auth_port': ensure => absent;
+      'keystone_authtoken/identity_uri':      value => $identity_uri;
-      'keystone_authtoken/auth_protocol': ensure => absent;
+      'keystone_authtoken/admin_tenant_name': value => $keystone_tenant;
      'keystone_authtoken/admin_user':        value => $keystone_user;
      'keystone_authtoken/admin_password':    value => $keystone_password, secret => true;
    }
  }
-  if $auth_uri {
+  heat_config {
-    heat_config { 'keystone_authtoken/auth_uri': value => $auth_uri; }
+    'trustee/auth_plugin':       value => 'password';
-  } else {
+    'trustee/auth_url':          value => $identity_uri;
-    heat_config { 'keystone_authtoken/auth_uri': value => "${keystone_protocol}://${keystone_host}:5000/v2.0"; }
+    'trustee/username':          value => $keystone_user;
-  }
+    'trustee/password':          value => $keystone_password, secret => true;
    'trustee/project_domain_id': value => $keystone_project_domain_id;
    'trustee/user_domain_id':    value => $keystone_user_domain_id;
-  if $identity_uri {
+    'clients_keystone/auth_uri': value => $identity_uri;
    heat_config {
      'keystone_authtoken/identity_uri': value => $identity_uri;
    }
  } else {
    heat_config {
      'keystone_authtoken/identity_uri': ensure => absent;
    }
  }
  if (!is_service_default($enable_stack_adopt)) {
@ -471,10 +460,6 @@ class heat(
    'DEFAULT/enable_stack_abandon':         value => $enable_stack_abandon;
    'DEFAULT/enable_stack_adopt':           value => $enable_stack_adopt;
    'ec2authtoken/auth_uri':                value => $keystone_ec2_uri;
    'keystone_authtoken/region_name':       value => $region_name;
    'keystone_authtoken/admin_tenant_name': value => $keystone_tenant;
    'keystone_authtoken/admin_user':        value => $keystone_user;
    'keystone_authtoken/admin_password':    value => $keystone_password, secret => true;
    'paste_deploy/flavor':                  value => $flavor;
  }
--- a/releasenotes/notes/versionless-auth-urls-08c741084b9a9040.yaml
+++ b/releasenotes/notes/versionless-auth-urls-08c741084b9a9040.yaml
@ -0,0 +1,11 @@
 ---
 features:
  - Configure "trustee" and "clients_keystone" sections.
    Support auth_plugin and versionless auth urls.
 upgrade:
  - Removed deprecated options "keystone_host",
    "keystone_port", "keystone_protocol".
 deprecations:
  - Deprecated "admin_user", "admin_password" and
    "admin_tenant_name" options in favour of auth_plugin
    auth method.
--- a/spec/classes/heat_init_spec.rb
+++ b/spec/classes/heat_init_spec.rb
@ -16,7 +16,6 @@ describe 'heat' do
      :rabbit_virtual_host   => '<SERVICE DEFAULT>',
      :database_connection   => 'mysql+pymysql://user@host/database',
      :database_idle_timeout => 3600,
      :auth_uri              => 'http://127.0.0.1:5000/v2.0',
      :keystone_ec2_uri      => 'http://127.0.0.1:5000/v2.0/ec2tokens',
      :flavor                => 'keystone',
      :keystone_password     => 'secretpassword',
@ -58,8 +57,7 @@ describe 'heat' do
    it_configures 'with SSL enabled without kombu'
    it_configures 'with SSL disabled'
    it_configures 'with SSL wrongly configured'
-    it_configures "with custom keystone identity_uri"
+    it_configures "with auth_plugin"
    it_configures "with custom keystone identity_uri and auth_uri"
    it_configures 'with enable_stack_adopt and enable_stack_abandon set'
    it_configures 'with notification_driver set to a string'
  end
@ -89,8 +87,32 @@ describe 'heat' do
      is_expected.to contain_heat_config('DEFAULT/max_json_body_size').with_value('<SERVICE DEFAULT>')
    end
-    it 'configures auth_uri' do
+    it 'configures project_domain_id' do
-      is_expected.to contain_heat_config('keystone_authtoken/auth_uri').with_value( params[:auth_uri] )
+      is_expected.to contain_heat_config('trustee/project_domain_id').with_value( 'Default' )
    end
    it 'configures user_domain_id' do
      is_expected.to contain_heat_config('trustee/user_domain_id').with_value( 'Default' )
    end
    it 'configures auth_plugin' do
      is_expected.to contain_heat_config('trustee/auth_plugin').with_value( 'password' )
    end
    it 'configures auth_url' do
      is_expected.to contain_heat_config('trustee/auth_url').with_value( 'http://127.0.0.1:35357/' )
    end
    it 'configures username' do
      is_expected.to contain_heat_config('trustee/username').with_value( 'heat' )
    end
    it 'configures ' do
      is_expected.to contain_heat_config('trustee/password').with_secret( true )
    end
    it 'configures auth_uri for clients_keystone' do
      is_expected.to contain_heat_config('clients_keystone/auth_uri').with_value( 'http://127.0.0.1:35357/' )
    end
    it 'configures keystone_ec2_uri' do
@ -99,14 +121,11 @@ describe 'heat' do
    it { is_expected.to contain_heat_config('paste_deploy/flavor').with_value('keystone') }
    it 'keeps keystone secrets secret' do
      is_expected.to contain_heat_config('keystone_authtoken/admin_password').with_secret(true)
    end
    it 'configures notification_driver' do
        is_expected.to contain_heat_config('DEFAULT/notification_driver').with_value('<SERVICE DEFAULT>')
    end
    it_configures "with default auth method"
  end
  shared_examples_for 'rabbit without HA support (with backward compatibility)' do
@ -304,18 +323,6 @@ describe 'heat' do
    end
  end
  shared_examples_for 'with auth uri set' do
    before do
      params.merge!(
        :auth_uri => 'http://1.2.3.4:35357/v2.0'
      )
    end
    it do
      is_expected.to contain_heat_config('keystone_authtoken/auth_uri').with_value('http://1.2.3.4:35357/v2.0')
    end
  end
  shared_examples_for 'with region_name set' do
    before do
      params.merge!(
@ -325,41 +332,52 @@ describe 'heat' do
    it 'has region_name set when specified' do
      is_expected.to contain_heat_config('DEFAULT/region_name_for_services').with_value('East')
      is_expected.to contain_heat_config('keystone_authtoken/region_name').with_value('East')
    end
  end
  shared_examples_for 'without region_name set' do
    it 'doesnt have region_name set by default' do
      is_expected.to contain_heat_config('DEFAULT/region_name_for_services').with_value('<SERVICE DEFAULT>')
      is_expected.to contain_heat_config('keystone_authtoken/region_name').with_value('<SERVICE DEFAULT>')
    end
  end
-  shared_examples_for "with custom keystone identity_uri" do
+  shared_examples_for "with default auth method" do
-    before do
+    it 'configures auth_uri, identity_uri, admin_tenant_name, admin_user, admin_password' do
-      params.merge!({
+      is_expected.to contain_heat_config('keystone_authtoken/auth_uri').with_value("http://127.0.0.1:5000/")
-        :identity_uri => 'https://foo.bar:1234/',
+      is_expected.to contain_heat_config('keystone_authtoken/identity_uri').with_value("http://127.0.0.1:35357/")
-      })
+      is_expected.to contain_heat_config('keystone_authtoken/admin_tenant_name').with_value("services")
-    end
+      is_expected.to contain_heat_config('keystone_authtoken/admin_user').with_value("heat")
-    it 'configures identity_uri' do
+      is_expected.to contain_heat_config('keystone_authtoken/admin_password').with_secret( true )
      is_expected.to contain_heat_config('keystone_authtoken/identity_uri').with_value("https://foo.bar:1234/");
    end
  end
-  shared_examples_for "with custom keystone identity_uri and auth_uri" do
+  shared_examples_for "with auth_plugin" do
    before do
      params.merge!({
-        :identity_uri => 'https://foo.bar:35357/',
+        :auth_plugin => 'password',
        :auth_uri => 'https://foo.bar:5000/v2.0/',
      })
    end
-    it 'configures identity_uri and auth_uri but deprecates old auth settings' do
+    it 'configures ' do
-      is_expected.to contain_heat_config('keystone_authtoken/identity_uri').with_value("https://foo.bar:35357/");
+      is_expected.to contain_heat_config('keystone_authtoken/auth_plugin').with_value("password")
-      is_expected.to contain_heat_config('keystone_authtoken/auth_uri').with_value("https://foo.bar:5000/v2.0/");
+      is_expected.to contain_heat_config('keystone_authtoken/auth_url').with_value("http://127.0.0.1:35357/")
-      is_expected.to contain_heat_config('keystone_authtoken/auth_port').with(:ensure => 'absent')
+      is_expected.to contain_heat_config('keystone_authtoken/username').with_value("heat")
-      is_expected.to contain_heat_config('keystone_authtoken/auth_protocol').with(:ensure => 'absent')
+      is_expected.to contain_heat_config('keystone_authtoken/password').with_secret( true )
-      is_expected.to contain_heat_config('keystone_authtoken/auth_host').with(:ensure => 'absent')
+      is_expected.to contain_heat_config('keystone_authtoken/project_name').with_value("services")
      is_expected.to contain_heat_config('keystone_authtoken/user_domain_id').with_value('Default')
      is_expected.to contain_heat_config('keystone_authtoken/project_domain_id').with_value('Default')
    end
  end
  shared_examples_for "with custom keystone project_domain_id and user_domain_id" do
    before do
      params.merge!({
        :keystone_project_domain_id => 'domain1',
        :keystone_user_domain_id => 'domain1',
      })
    end
    it 'configures project_domain_id and user_domain_id' do
      is_expected.to contain_heat_config('trustee/project_domain_id').with_value("domain1");
      is_expected.to contain_heat_config('trustee/user_domain_id').with_value("domain1");
    end
  end