diff --git a/manifests/keymaster.pp b/manifests/keymaster.pp index 45bc5725..a6e7b229 100644 --- a/manifests/keymaster.pp +++ b/manifests/keymaster.pp @@ -80,6 +80,10 @@ class swift::keymaster( include swift::deps + if $password == undef { + warning('password parameter is missing') + } + swift_keymaster_config { 'kms_keymaster/api_class': value => $api_class; 'kms_keymaster/key_id': value => $key_id; diff --git a/manifests/keystone/auth.pp b/manifests/keystone/auth.pp index ea25153a..cccfd232 100644 --- a/manifests/keystone/auth.pp +++ b/manifests/keystone/auth.pp @@ -89,7 +89,7 @@ # class swift::keystone::auth( $auth_name = 'swift', - $password = 'swift_password', + $password = undef, $tenant = 'services', $email = 'swift@localhost', $region = 'RegionOne', @@ -112,6 +112,14 @@ class swift::keystone::auth( include swift::deps + if $password == undef { + warning('Usage of the default password is deprecated and will be removed in a future release. \ +Please set password parameter') + $password_real = 'swift_password' + } else { + $password_real = $password + } + if $service_name == $service_name_s3 { fail('swift::keystone::auth parameters service_name and service_name_s3 must be different.') } @@ -134,7 +142,7 @@ class swift::keystone::auth( service_description => $service_description, region => $region, auth_name => $auth_name, - password => $password, + password => $password_real, email => $email, tenant => $tenant, public_url => $public_url, diff --git a/manifests/proxy/authtoken.pp b/manifests/proxy/authtoken.pp index b2f031c0..0c3af7ab 100644 --- a/manifests/proxy/authtoken.pp +++ b/manifests/proxy/authtoken.pp @@ -94,7 +94,7 @@ class swift::proxy::authtoken( $user_domain_id = 'default', $project_name = 'services', $username = 'swift', - $password = 'password', + $password = undef, $region_name = $::os_service_default, $include_service_catalog = false, $service_token_roles = $::os_service_default, @@ -103,6 +103,14 @@ class swift::proxy::authtoken( include swift::deps + if $password == undef { + warning('Usage of the default password is deprecated and will be removed in a future release. \ +Please set password parameter') + $password_real = 'password' + } else { + $password_real = $password + } + if ($::os_package_type != 'debian') { file { $signing_dir: ensure => directory, @@ -127,7 +135,7 @@ class swift::proxy::authtoken( 'filter:authtoken/user_domain_id': value => $user_domain_id; 'filter:authtoken/project_name': value => $project_name; 'filter:authtoken/username': value => $username; - 'filter:authtoken/password': value => $password, secret => true; + 'filter:authtoken/password': value => $password_real, secret => true; 'filter:authtoken/region_name': value => $region_name; 'filter:authtoken/delay_auth_decision': value => $delay_auth_decision; 'filter:authtoken/cache': value => $cache; diff --git a/manifests/proxy/ceilometer.pp b/manifests/proxy/ceilometer.pp index 9a276096..330b6230 100644 --- a/manifests/proxy/ceilometer.pp +++ b/manifests/proxy/ceilometer.pp @@ -133,7 +133,7 @@ class swift::proxy::ceilometer( $user_domain_name = 'Default', $project_name = 'services', $username = 'swift', - $password = 'password', + $password = undef, $region_name = $::os_service_default, $notification_ssl_ca_file = $::os_service_default, $notification_ssl_cert_file = $::os_service_default, @@ -169,6 +169,14 @@ class swift::proxy::ceilometer( warning('The swift::proxy::ceilometer::auth_uri parameter was deperecated, and has no effect') } + if $password == undef { + warning('Usage of the default password is deprecated and will be removed in a future release. \ +Please set password parameter') + $password_real = 'password' + } else { + $password_real = $password + } + swift_proxy_config { 'filter:ceilometer/topic': value => $topic; 'filter:ceilometer/driver': value => $driver; @@ -183,7 +191,7 @@ class swift::proxy::ceilometer( 'filter:ceilometer/user_domain_name': value => $user_domain_name; 'filter:ceilometer/project_name': value => $project_name; 'filter:ceilometer/username': value => $username; - 'filter:ceilometer/password': value => $password, secret => true; + 'filter:ceilometer/password': value => $password_real, secret => true; 'filter:ceilometer/region_name': value => $region_name; } diff --git a/manifests/proxy/s3token.pp b/manifests/proxy/s3token.pp index c3c854a2..86edcc6c 100644 --- a/manifests/proxy/s3token.pp +++ b/manifests/proxy/s3token.pp @@ -101,7 +101,7 @@ class swift::proxy::s3token( $auth_url = 'http://127.0.0.1:5000', $auth_type = 'password', $username = 'swift', - $password = 'password', + $password = undef, $project_name = 'services', $project_domain_id = 'default', $user_domain_id = 'default' @@ -116,6 +116,13 @@ class swift::proxy::s3token( $auth_uri_real = $auth_uri } + if $password == undef { + warning('Usage of the default password is deprecated and will be removed in a future release. \ +Please set password parameter') + $password_real = 'password' + } else { + $password_real = $password + } swift_proxy_config { 'filter:s3token/use': value => 'egg:swift#s3token'; @@ -127,7 +134,7 @@ class swift::proxy::s3token( 'filter:s3token/auth_url': value => $auth_url; 'filter:s3token/auth_type': value => $auth_type; 'filter:s3token/username': value => $username; - 'filter:s3token/password': value => $password, secret => true; + 'filter:s3token/password': value => $password_real, secret => true; 'filter:s3token/project_name': value => $project_name; 'filter:s3token/project_domain_id': value => $project_domain_id; 'filter:s3token/user_domain_id': value => $user_domain_id; diff --git a/releasenotes/notes/deprecate-default-password-4458163e3580d6fb.yaml b/releasenotes/notes/deprecate-default-password-4458163e3580d6fb.yaml new file mode 100644 index 00000000..62835e8c --- /dev/null +++ b/releasenotes/notes/deprecate-default-password-4458163e3580d6fb.yaml @@ -0,0 +1,13 @@ +--- +deprecations: + - | + The following password parameters currently use the default value when the + parameters are not set in manifests, but this behavior has been deprecated. + Please set actual password explicitly to avoid failure before the default + values are removed. + + - swift::keymaster::password + - swift::keystone::auth::password + - swift::proxy::authtoken::password + - swift::proxy::ceilometer::password + - swift::proxy::s3token::password diff --git a/spec/classes/swift_proxy_ceilometer_spec.rb b/spec/classes/swift_proxy_ceilometer_spec.rb index afa3461f..40f9269c 100644 --- a/spec/classes/swift_proxy_ceilometer_spec.rb +++ b/spec/classes/swift_proxy_ceilometer_spec.rb @@ -16,6 +16,7 @@ describe 'swift::proxy::ceilometer' do } end + it { is_expected.to contain_swift_proxy_config('filter:ceilometer/password').with_value('password').with_secret(true) } it { is_expected.to contain_swift_proxy_config('filter:ceilometer/paste.filter_factory').with_value('ceilometermiddleware.swift:filter_factory') } it { is_expected.to contain_swift_proxy_config('filter:ceilometer/url').with_value('rabbit://user_1:user_1_passw@1.1.1.1:5673/rabbit').with_secret(true) } it { is_expected.to contain_swift_proxy_config('filter:ceilometer/nonblocking_notify').with_value('false') } @@ -38,7 +39,7 @@ describe 'swift::proxy::ceilometer' do :user_domain_name => 'Default', :project_name => 'services', :username => 'swift', - :password => 'password', + :password => 'mypassword', :region_name => 'region2' } end @@ -58,7 +59,7 @@ describe 'swift::proxy::ceilometer' do it { is_expected.to contain_swift_proxy_config('filter:ceilometer/user_domain_name').with_value('Default') } it { is_expected.to contain_swift_proxy_config('filter:ceilometer/project_name').with_value('services') } it { is_expected.to contain_swift_proxy_config('filter:ceilometer/username').with_value('swift') } - it { is_expected.to contain_swift_proxy_config('filter:ceilometer/password').with_value('password').with_secret(true) } + it { is_expected.to contain_swift_proxy_config('filter:ceilometer/password').with_value('mypassword').with_secret(true) } it { is_expected.to contain_swift_proxy_config('filter:ceilometer/region_name').with_value('region2') } end