Support preferred Keystone auth methods

Key moments:
  * fill "trustee" section in heat.conf
  * add auth_plugin support (for interaction
    with keystone)
  * deprecate keystone_authtoken options
    (all options not for auth_plugin settings)
  * use versionless keystone urls
  * create "clients_keystone" section to prevent
    "keystone_authtoken/auth_uri" usage

Change-Id: Iade6c0736e57b8e752244badd540eb3d605714f5
Closes-bug: #1528963
Closes-bug: #1529016
dmburmistrov 2016-03-22 14:13:56 +03:00
parent bd2cd8997c
commit 48b80077e8
3 changed files with 123 additions and 109 deletions


@ -118,19 +118,40 @@
# [*auth_uri*]
# (Optional) Specifies the public Identity URI for Heat to use.
# Located in heat.conf.
# Defaults to: false
# Defaults to: 'http://127.0.0.1:5000/'.
#
# [*identity_uri*]
# (Optional) Specifies the admin Identity URI for Heat to use.
# Located in heat.conf.
# Defaults to: false
# Defaults to: 'http://127.0.0.1:35357/'.
#
# [*auth_plugin*]
# Specifies the plugin used for authentication.
# Defaults to undef.
#
# [*keystone_user*]
# Defaults to 'heat'.
#
# [*keystone_tenant*]
# Defaults to 'services'.
#
# [*keystone_password*]
#
# [*keystone_project_domain_name*]
# Specifies the project domain of Keystone account for "password" auth_plugin.
# Defaults to 'Default'.
#
# [*keystone_user_domain_id*]
# (Optional) Domain ID of the principal if the principal has a domain.
# Defaults to: 'Default'.
#
# [*keystone_user_domain_name*]
# Defaults to 'Default'.
#
# [*keystone_project_domain_id*]
# (Optional) Domain ID of the scoped project if auth is project-scoped.
# Defaults to: 'Default'.
#
# [*keystone_ec2_uri*]
#
# [*database_connection*]
@ -211,18 +232,6 @@
# [*sql_connection*]
# Deprecated. Use database_connection instead.
#
# [*keystone_host*]
# (Optional) DEPRECATED The keystone host.
# Defaults to localhost.
#
# [*keystone_port*]
# (Optional) DEPRECATED The port used to access the keystone host.
# Defaults to 35357.
#
# [*keystone_protocol*]
# (Optional) DEPRECATED. The protocol used to access the keystone host
# Defaults to http.
#
# [*qpid_hostname*]
#
# [*qpid_port*]
@ -250,16 +259,21 @@
# [*qpid_reconnect_interval_max*]
#
class heat(
$auth_uri = false,
$identity_uri = false,
$auth_uri = 'http://127.0.0.1:5000/',
$identity_uri = 'http://127.0.0.1:35357/',
$package_ensure = 'present',
$verbose = undef,
$debug = undef,
$log_dir = undef,
$auth_plugin = undef,
$keystone_user = 'heat',
$keystone_tenant = 'services',
$keystone_password = false,
$keystone_ec2_uri = 'http://127.0.0.1:5000/v2.0/ec2tokens',
$keystone_project_domain_id = 'Default',
$keystone_project_domain_name = 'Default',
$keystone_user_domain_id = 'Default',
$keystone_user_domain_name = 'Default',
$rpc_backend = $::os_service_default,
$rpc_response_timeout = $::os_service_default,
$rabbit_host = $::os_service_default,
@ -298,9 +312,6 @@ class heat(
# Deprecated parameters
$mysql_module = undef,
$sql_connection = undef,
$keystone_host = '127.0.0.1',
$keystone_port = '35357',
$keystone_protocol = 'http',
$instance_user = undef,
$qpid_hostname = undef,
$qpid_port = undef,
@ -395,62 +406,40 @@ class heat(
warning('Qpid driver is removed from Oslo.messaging in the Mitaka release')
}
# if both auth_uri and identity_uri are set we skip these deprecated settings entirely
if !$auth_uri or !$identity_uri {
if $keystone_host {
warning('The keystone_host parameter is deprecated. Please use auth_uri and identity_uri instead.')
if $auth_plugin {
if $auth_plugin == 'password' {
heat_config {
'keystone_authtoken/auth_host': value => $keystone_host;
'keystone_authtoken/auth_url': value => $identity_uri;
'keystone_authtoken/auth_plugin': value => $auth_plugin;
'keystone_authtoken/username': value => $keystone_user;
'keystone_authtoken/password': value => $keystone_password, secret => true;
'keystone_authtoken/user_domain_id': value => $keystone_user_domain_id;
'keystone_authtoken/project_name': value => $keystone_tenant;
'keystone_authtoken/project_domain_id': value => $keystone_project_domain_id;
}
} else {
heat_config {
'keystone_authtoken/auth_host': ensure => absent;
}
}
if $keystone_port {
warning('The keystone_port parameter is deprecated. Please use auth_uri and identity_uri instead.')
heat_config {
'keystone_authtoken/auth_port': value => $keystone_port;
fail('Currently only "password" auth_plugin is supported.')
}
} else {
warning('"admin_user", "admin_password", "admin_tenant_name" configuration options are deprecated in favor of auth_plugin and related options')
heat_config {
'keystone_authtoken/auth_port': ensure => absent;
}
}
if $keystone_protocol {
warning('The keystone_protocol parameter is deprecated. Please use auth_uri and identity_uri instead.')
heat_config {
'keystone_authtoken/auth_protocol': value => $keystone_protocol;
}
} else {
heat_config {
'keystone_authtoken/auth_protocol': ensure => absent;
}
}
} else {
heat_config {
'keystone_authtoken/auth_host': ensure => absent;
'keystone_authtoken/auth_port': ensure => absent;
'keystone_authtoken/auth_protocol': ensure => absent;
}
}
if $auth_uri {
heat_config { 'keystone_authtoken/auth_uri': value => $auth_uri; }
} else {
heat_config { 'keystone_authtoken/auth_uri': value => "${keystone_protocol}://${keystone_host}:5000/v2.0"; }
}
if $identity_uri {
heat_config {
'keystone_authtoken/auth_uri': value => $auth_uri;
'keystone_authtoken/identity_uri': value => $identity_uri;
'keystone_authtoken/admin_tenant_name': value => $keystone_tenant;
'keystone_authtoken/admin_user': value => $keystone_user;
'keystone_authtoken/admin_password': value => $keystone_password, secret => true;
}
} else {
}
heat_config {
'keystone_authtoken/identity_uri': ensure => absent;
}
'trustee/auth_plugin': value => 'password';
'trustee/auth_url': value => $identity_uri;
'trustee/username': value => $keystone_user;
'trustee/password': value => $keystone_password, secret => true;
'trustee/project_domain_id': value => $keystone_project_domain_id;
'trustee/user_domain_id': value => $keystone_user_domain_id;
'clients_keystone/auth_uri': value => $identity_uri;
}
if (!is_service_default($enable_stack_adopt)) {
@ -471,10 +460,6 @@ class heat(
'DEFAULT/enable_stack_abandon': value => $enable_stack_abandon;
'DEFAULT/enable_stack_adopt': value => $enable_stack_adopt;
'ec2authtoken/auth_uri': value => $keystone_ec2_uri;
'keystone_authtoken/region_name': value => $region_name;
'keystone_authtoken/admin_tenant_name': value => $keystone_tenant;
'keystone_authtoken/admin_user': value => $keystone_user;
'keystone_authtoken/admin_password': value => $keystone_password, secret => true;
'paste_deploy/flavor': value => $flavor;
}
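Review bot: The new auth block (last hunk of this file, `if $auth_plugin {` onwards) writes only the keys of the branch it takes and never purges the other branch's keys, so a node that switches between the legacy `admin_*` method and `auth_plugin`, or that previously had `auth_host`/`auth_port`/`auth_protocol` written by the removed parameters, keeps the stale entries in heat.conf; the old code at least ensured those three absent, and the release note says they were removed. That matters for the password branch in particular: a leftover `admin_password` or `password` entry is a credential that stays on disk after the operator believes it was replaced. The same hunk also introduces `keystone_project_domain_name` and `keystone_user_domain_name` as parameters, but no visible hunk writes them to any section, so as far as this diff shows they are accepted and ignored (the class `heat` continues outside the hunk, so confirm before dropping them). Suggested shape below; `ensure => absent` is already the form the previous code used for heat_config.
```puppet
if $auth_plugin {
  if $auth_plugin == 'password' {
    # … unchanged: keystone_authtoken plugin settings …
    heat_config {
      'keystone_authtoken/admin_tenant_name': ensure => absent;
      'keystone_authtoken/admin_user':        ensure => absent;
      'keystone_authtoken/admin_password':    ensure => absent;
    }
  } else {
    fail('Currently only "password" auth_plugin is supported.')
  }
} else {
  # … unchanged: deprecation warning and legacy admin_* settings …
  heat_config {
    'keystone_authtoken/auth_plugin': ensure => absent;
    'keystone_authtoken/username':    ensure => absent;
    'keystone_authtoken/password':    ensure => absent;
  }
}
# keystone_host/keystone_port/keystone_protocol were removed; purge what they used to write
heat_config {
  'keystone_authtoken/auth_host':     ensure => absent;
  'keystone_authtoken/auth_port':     ensure => absent;
  'keystone_authtoken/auth_protocol': ensure => absent;
}
# … unchanged: trustee and clients_keystone settings …
```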


@ -0,0 +1,11 @@
---
features:
- Configure "trustee" and "clients_keystone" sections.
Support auth_plugin and versionless auth urls.
upgrade:
- Removed deprecated options "keystone_host",
"keystone_port", "keystone_protocol".
deprecations:
- Deprecated "admin_user", "admin_password" and
"admin_tenant_name" options in favour of auth_plugin
auth method.


@ -16,7 +16,6 @@ describe 'heat' do
:rabbit_virtual_host => '<SERVICE DEFAULT>',
:database_connection => 'mysql+pymysql://user@host/database',
:database_idle_timeout => 3600,
:auth_uri => 'http://127.0.0.1:5000/v2.0',
:keystone_ec2_uri => 'http://127.0.0.1:5000/v2.0/ec2tokens',
:flavor => 'keystone',
:keystone_password => 'secretpassword',
@ -58,8 +57,7 @@ describe 'heat' do
it_configures 'with SSL enabled without kombu'
it_configures 'with SSL disabled'
it_configures 'with SSL wrongly configured'
it_configures "with custom keystone identity_uri"
it_configures "with custom keystone identity_uri and auth_uri"
it_configures "with auth_plugin"
it_configures 'with enable_stack_adopt and enable_stack_abandon set'
it_configures 'with notification_driver set to a string'
end
@ -89,8 +87,32 @@ describe 'heat' do
is_expected.to contain_heat_config('DEFAULT/max_json_body_size').with_value('<SERVICE DEFAULT>')
end
it 'configures auth_uri' do
is_expected.to contain_heat_config('keystone_authtoken/auth_uri').with_value( params[:auth_uri] )
it 'configures project_domain_id' do
is_expected.to contain_heat_config('trustee/project_domain_id').with_value( 'Default' )
end
it 'configures user_domain_id' do
is_expected.to contain_heat_config('trustee/user_domain_id').with_value( 'Default' )
end
it 'configures auth_plugin' do
is_expected.to contain_heat_config('trustee/auth_plugin').with_value( 'password' )
end
it 'configures auth_url' do
is_expected.to contain_heat_config('trustee/auth_url').with_value( 'http://127.0.0.1:35357/' )
end
it 'configures username' do
is_expected.to contain_heat_config('trustee/username').with_value( 'heat' )
end
it 'configures ' do
is_expected.to contain_heat_config('trustee/password').with_secret( true )
end
it 'configures auth_uri for clients_keystone' do
is_expected.to contain_heat_config('clients_keystone/auth_uri').with_value( 'http://127.0.0.1:35357/' )
end
it 'configures keystone_ec2_uri' do
@ -99,14 +121,11 @@ describe 'heat' do
it { is_expected.to contain_heat_config('paste_deploy/flavor').with_value('keystone') }
it 'keeps keystone secrets secret' do
is_expected.to contain_heat_config('keystone_authtoken/admin_password').with_secret(true)
end
it 'configures notification_driver' do
is_expected.to contain_heat_config('DEFAULT/notification_driver').with_value('<SERVICE DEFAULT>')
end
it_configures "with default auth method"
end
shared_examples_for 'rabbit without HA support (with backward compatibility)' do
@ -304,18 +323,6 @@ describe 'heat' do
end
end
shared_examples_for 'with auth uri set' do
before do
params.merge!(
:auth_uri => 'http://1.2.3.4:35357/v2.0'
)
end
it do
is_expected.to contain_heat_config('keystone_authtoken/auth_uri').with_value('http://1.2.3.4:35357/v2.0')
end
end
shared_examples_for 'with region_name set' do
before do
params.merge!(
@ -325,41 +332,52 @@ describe 'heat' do
it 'has region_name set when specified' do
is_expected.to contain_heat_config('DEFAULT/region_name_for_services').with_value('East')
is_expected.to contain_heat_config('keystone_authtoken/region_name').with_value('East')
end
end
shared_examples_for 'without region_name set' do
it 'doesnt have region_name set by default' do
is_expected.to contain_heat_config('DEFAULT/region_name_for_services').with_value('<SERVICE DEFAULT>')
is_expected.to contain_heat_config('keystone_authtoken/region_name').with_value('<SERVICE DEFAULT>')
end
end
shared_examples_for "with custom keystone identity_uri" do
before do
params.merge!({
:identity_uri => 'https://foo.bar:1234/',
})
end
it 'configures identity_uri' do
is_expected.to contain_heat_config('keystone_authtoken/identity_uri').with_value("https://foo.bar:1234/");
shared_examples_for "with default auth method" do
it 'configures auth_uri, identity_uri, admin_tenant_name, admin_user, admin_password' do
is_expected.to contain_heat_config('keystone_authtoken/auth_uri').with_value("http://127.0.0.1:5000/")
is_expected.to contain_heat_config('keystone_authtoken/identity_uri').with_value("http://127.0.0.1:35357/")
is_expected.to contain_heat_config('keystone_authtoken/admin_tenant_name').with_value("services")
is_expected.to contain_heat_config('keystone_authtoken/admin_user').with_value("heat")
is_expected.to contain_heat_config('keystone_authtoken/admin_password').with_secret( true )
end
end
shared_examples_for "with custom keystone identity_uri and auth_uri" do
shared_examples_for "with auth_plugin" do
before do
params.merge!({
:identity_uri => 'https://foo.bar:35357/',
:auth_uri => 'https://foo.bar:5000/v2.0/',
:auth_plugin => 'password',
})
end
it 'configures identity_uri and auth_uri but deprecates old auth settings' do
is_expected.to contain_heat_config('keystone_authtoken/identity_uri').with_value("https://foo.bar:35357/");
is_expected.to contain_heat_config('keystone_authtoken/auth_uri').with_value("https://foo.bar:5000/v2.0/");
is_expected.to contain_heat_config('keystone_authtoken/auth_port').with(:ensure => 'absent')
is_expected.to contain_heat_config('keystone_authtoken/auth_protocol').with(:ensure => 'absent')
is_expected.to contain_heat_config('keystone_authtoken/auth_host').with(:ensure => 'absent')
it 'configures ' do
is_expected.to contain_heat_config('keystone_authtoken/auth_plugin').with_value("password")
is_expected.to contain_heat_config('keystone_authtoken/auth_url').with_value("http://127.0.0.1:35357/")
is_expected.to contain_heat_config('keystone_authtoken/username').with_value("heat")
is_expected.to contain_heat_config('keystone_authtoken/password').with_secret( true )
is_expected.to contain_heat_config('keystone_authtoken/project_name').with_value("services")
is_expected.to contain_heat_config('keystone_authtoken/user_domain_id').with_value('Default')
is_expected.to contain_heat_config('keystone_authtoken/project_domain_id').with_value('Default')
end
end
shared_examples_for "with custom keystone project_domain_id and user_domain_id" do
before do
params.merge!({
:keystone_project_domain_id => 'domain1',
:keystone_user_domain_id => 'domain1',
})
end
it 'configures project_domain_id and user_domain_id' do
is_expected.to contain_heat_config('trustee/project_domain_id').with_value("domain1");
is_expected.to contain_heat_config('trustee/user_domain_id').with_value("domain1");
end
end
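Review bot: Two of the new examples have an empty description, `it 'configures ' do` before the `trustee/password` assertion and again before the `keystone_authtoken/auth_plugin` assertions in the "with auth_plugin" group, which makes a failure report unreadable; name them, e.g. `it 'keeps the trustee password secret' do` and `it 'configures keystone_authtoken for the password plugin' do`. The new shared example "with custom keystone project_domain_id and user_domain_id" at the end of this file is not added to the `it_configures` list in the second hunk (only "with auth_plugin" is), so unless it is invoked somewhere outside these hunks it never runs. The default-auth group asserts every legacy `keystone_authtoken` value but the "with auth_plugin" group asserts nothing about the legacy keys; an `ensure => 'absent'` expectation for `admin_user`/`admin_password` there, as the old "custom identity_uri and auth_uri" example did for `auth_host`/`auth_port`/`auth_protocol`, would pin that switching methods does not leave stale credentials behind.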