From a266ab91ed8a15ec6c9706c0affced780663f78d Mon Sep 17 00:00:00 2001 From: Iury Gregory Melo Ferreira Date: Thu, 25 Aug 2016 01:11:45 -0300 Subject: [PATCH] Change swift authtoken Update authtoken class with parameters from documentation [1] We cant use the resource because swift does not use keystone_authtoken section. deprecations: - admin_password, use password instead. - admin_user, use username instead. - admin_tenant_name, use project_name instead. - identity_uri, use auth_url instead. - admin_token, no usage. removals: - Old parameters (already deprecated) [1] http://docs.openstack.org/mitaka/config-reference/object-storage/proxy-server.html Change-Id: I1eb4b0712214c059c713001ad991cbe92cd01711 --- manifests/proxy/authtoken.pp | 187 ++++++++++-------- .../notes/authtoken-b49c75db4b7429cb.yaml | 13 ++ spec/acceptance/basic_swift_spec.rb | 2 +- spec/classes/swift_proxy_authtoken_spec.rb | 74 +++---- templates/proxy/authtoken.conf.erb | 31 ++- tests/site.pp | 6 +- 6 files changed, 154 insertions(+), 159 deletions(-) create mode 100644 releasenotes/notes/authtoken-b49c75db4b7429cb.yaml diff --git a/manifests/proxy/authtoken.pp b/manifests/proxy/authtoken.pp index 792d0b45..a6add383 100644 --- a/manifests/proxy/authtoken.pp +++ b/manifests/proxy/authtoken.pp 
@@ -4,64 +4,79 @@ # # == Parameters # -# [*admin_token*] -# Keystone admin token that can serve as a shared secret -# for authenticating. If this is choosen if is used instead of a user,tenant,password. -# Optional. Defaults to false. +# [*delay_auth_decision*] +# (Optional) Do not handle authorization requests within the middleware, but +# delegate the authorization decision to downstream WSGI components. Boolean value +# Defaults to 1 # -# [*admin_user*] -# User used to authenticate service. -# Optional. Defaults to 'swift'. -# -# [*admin_tenant_name*] -# Tenant used to authenticate service. -# Optional. Defaults to 'services'. -# -# [*admin_password*] -# Password used with user to authenticate service. -# Optional. Defaults to 'password'. -# -# [*delay_auth_decision*] -# Set to 1 to support token-less access (anonymous access, tempurl, ...) -# Optional, Defaults to 0 -# -# [*auth_host*] -# Host providing the keystone service API endpoint. Optional. -# Defaults to 127.0.0.1 -# -# [*auth_port*] -# Port where keystone service is listening. Optional. -# Defaults to 3557. -# -# [*auth_protocol*] -# Protocol to use to communicate with keystone. Optional. -# Defaults to https. -# -# [*auth_admin_prefix*] -# Path part of the auth url. Optional. -# This allows admin auth URIs like http://host/keystone/admin/v2.0. -# Defaults to false for empty. It defined, should be a string with a leading '/' and no trailing '/'. -# -# [*auth_uri*] -# The public auth url to redirect unauthenticated requests. -# Defaults to false to be expanded to '${auth_protocol}://${auth_host}:5000'. -# Should be set to your public keystone endpoint (without version). -# -# [*identity_uri*] -# identity_uri points to the Keystone Admin service. This information is -# used by the middleware to actually query Keystone about the validity of the -# authentication tokens. It is not necessary to append any Keystone API version -# number to this URI. -# Defaults to false. 
-# -# [*signing_dir*] +# [*signing_dir*] # The cache directory for signing certificates. # Defaults to '/var/cache/swift' # -# [*cache*] +# [*cache*] # The cache backend to use # Optional. Defaults to 'swift.cache' # +# [*auth_uri*] +# (Optional) Complete public Identity API endpoint. +# Defaults to 'http://127.0.0.1:5000' +# +# [*auth_url*] +# (Optional) The URL to use for authentication. +# Defaults to 'http://127.0.0.1:35357' +# +# [*auth_plugin*] +# (Optional) The plugin for authentication +# Defaults to 'password' +# +# [*username*] +# (Optional) The name of the service user +# Defaults to 'swift' +# +# [*password*] +# (Optional) The password for the user +# Defaults to 'password' +# +# [*project_name*] +# (Optional) Service project name +# Defaults to 'services' +# +# [*project_domain_id*] +# (Optional) id of domain for $project_name +# Defaults to 'default' +# +# [*user_domain_id*] +# (Optional) id of domain for $username +# Defaults to 'default' +# +# [*include_service_catalog*] +# (Optional) Indicate whether to set the X-Service-Catalog header. If False, +# middleware will not ask for service catalog on token validation and will +# not set the X-Service-Catalog header. Boolean value. +# Defaults to false +# +# == DEPRECATED +# +# [*admin_token*] +# (optional) Depreated. +# Defaults to undef +# +# [*identity_uri*] +# (optional) Deprecated. Use auth_url instead. +# Defaults to undef +# +# [*admin_user*] +# (optional) Deprecated. Use username instead. +# Defaults to undef +# +# [*admin_tenant_name*] +# (optional) Deprecated. Use project_name instead. +# Defaults to undef +# +# [*admin_password*] +# (optional) Deprecated. Use password instead. +# Defaults to undef +# # == Authors # # Dan Bode dan@puppetlabs.com 
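Review bot: The admin_token entry under `== DEPRECATED` misspells its only word of description: `# (optional) Depreated.` should read `# (optional) Deprecated. Has no effect; see the commit message ("no usage").`. The delay_auth_decision entry also contradicts itself, calling the option a `Boolean value` while stating `Defaults to 1`; since the template writes the value verbatim, say which form the option expects, e.g. `# Defaults to 1 (true)`. The parameter list these comments describe begins in the next hunk.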
@@ -71,47 +86,53 @@ # Copyright 2012 Puppetlabs Inc, unless otherwise noted. # class swift::proxy::authtoken( - $admin_user = 'swift', - $admin_tenant_name = 'services', - $admin_password = 'password', - $auth_uri = false, - $identity_uri = false, - $delay_auth_decision = 1, - $admin_token = false, - $signing_dir = '/var/cache/swift', - $cache = 'swift.cache', + $delay_auth_decision = 1, + $signing_dir = '/var/cache/swift', + $cache = 'swift.cache', + $auth_uri = 'http://127.0.0.1:5000', + $auth_url = 'http://127.0.0.1:35357', + $auth_plugin = 'password', + $project_domain_id = 'default', + $user_domain_id = 'default', + $project_name = 'services', + $username = 'swift', + $password = 'password', + $include_service_catalog = false, # DEPRECATED PARAMETERS - $auth_host = '127.0.0.1', - $auth_port = '35357', - $auth_protocol = 'http', - $auth_admin_prefix = false, + $admin_user = undef, + $admin_tenant_name = undef, + $admin_password = undef, + $identity_uri = undef, + $admin_token = undef, ) { include ::swift::deps - if $auth_uri { - $auth_uri_real = $auth_uri - } else { - $auth_uri_real = "${auth_protocol}://${auth_host}:5000" + if $admin_token { + warning('admin_token is deprecated, has no usage and will be removed in the O release') } - # if both auth_uri and identity_uri are set we skip these deprecated warnings - if !$auth_uri or !$identity_uri { - if $auth_host { - warning('The auth_host parameter is deprecated. Please use auth_uri and identity_uri instead.') - } - if $auth_port { - warning('The auth_port parameter is deprecated. Please use auth_uri and identity_uri instead.') - } - if $auth_protocol { - warning('The auth_protocol parameter is deprecated. Please use auth_uri and identity_uri instead.') - } - if $auth_admin_prefix { - warning('The auth_admin_prefix parameter is deprecated. 
Please use auth_uri and identity_uri instead.') - validate_re($auth_admin_prefix, '^(/.+[^/])?$') - } + if $identity_uri { + warning('identity_uri is deprecated and will be removed, please use auth_url instead') } + if $admin_user { + warning('admin_user is deprecated and will be removed, please use username instead') + } + + if $admin_tenant_name { + warning('admin_tenant_name is deprecated and will be removed, please use project_name instead') + } + + if $admin_password { + warning('admin_password is deprecated and will be removed, please use password isntead') + } + + $auth_url_real = pick($identity_uri, $auth_url) + $username_real = pick($admin_user, $username) + $project_name_real = pick($admin_tenant_name, $project_name) + $password_real = pick($admin_password, $password) + file { $signing_dir: ensure => directory, mode => '0700', diff --git a/releasenotes/notes/authtoken-b49c75db4b7429cb.yaml b/releasenotes/notes/authtoken-b49c75db4b7429cb.yaml new file mode 100644 index 00000000..578620e4 --- /dev/null +++ b/releasenotes/notes/authtoken-b49c75db4b7429cb.yaml @@ -0,0 +1,13 @@ +--- +features: + - add new parameters to configure authtoken for swift, like + username, password, project_name, auth_url, auth_plugin, + project_domain_id, user_domain_id, include_service_catalog +deprecations: + - admin_token + - admin_tenant_name in favor of project_name + - admin_password in favor of password + - admin_user in favor of username + - identity_uri in favor of auth_url +fixes: + - remove auth_host, auth_port, auth_protocol, auth_admin_prefix diff --git a/spec/acceptance/basic_swift_spec.rb b/spec/acceptance/basic_swift_spec.rb index 4c36022a..10d6584f 100644 --- a/spec/acceptance/basic_swift_spec.rb +++ b/spec/acceptance/basic_swift_spec.rb 
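Review bot: The admin_password deprecation warning has a typo in the message operators will see: `warning('admin_password is deprecated and will be removed, please use password isntead')` should read `... please use password instead')`. The `pick()` lines make a deprecated alias win over the new name whenever both are set, because pick returns its first defined argument; that is a reasonable transition choice but deserves a one-line comment such as `# deprecated aliases take precedence over the new names until they are removed`. Note also that the new `auth_url` default points at plain http on 127.0.0.1:35357, so the service password only stays off the wire while keystone is local; this mirrors the old `auth_protocol` default rather than being a regression. The class body continues past the hunk with the `file { $signing_dir:` resource.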
@@ -57,7 +57,7 @@ describe 'basic swift' do account_autocreate => true, } class { '::swift::proxy::authtoken': - admin_password => 'a_big_secret', + password => 'a_big_secret', } class { '::swift::keystone::dispersion': } -> class { '::swift::dispersion': } class {'::swift::objectexpirer': diff --git a/spec/classes/swift_proxy_authtoken_spec.rb b/spec/classes/swift_proxy_authtoken_spec.rb index 56aa7c1b..7243aff6 100644 --- a/spec/classes/swift_proxy_authtoken_spec.rb +++ b/spec/classes/swift_proxy_authtoken_spec.rb @@ -32,39 +32,27 @@ log_name = swift signing_dir = /var/cache/swift paste.filter_factory = keystonemiddleware.auth_token:filter_factory -auth_host = 127.0.0.1 -auth_port = 35357 -auth_protocol = http auth_uri = http://127.0.0.1:5000 -admin_tenant_name = services -admin_user = swift -admin_password = password +auth_url = http://127.0.0.1:35357 +auth_plugin = password +project_domain_id = default +user_domain_id = default +project_name = services +username = swift +password = password + delay_auth_decision = 1 + cache = swift.cache -include_service_catalog = False +include_service_catalog = false ') end end - describe "when overriding admin_token" do - let :params do - { - :admin_token => 'ADMINTOKEN' - } - end - - it 'should build the fragment with correct parameters' do - is_expected.to contain_concat_fragment('swift_authtoken').with_content(/admin_token = ADMINTOKEN/) - end - end describe "when overriding parameters" do let :params do { - :auth_host => 'some.host', - :auth_port => '443', - :auth_protocol => 'https', - :auth_admin_prefix => '/keystone/admin', :admin_tenant_name => 'admin', :admin_user => 'swiftuser', :admin_password => 'swiftpassword', 
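Review bot: The "when overriding parameters" example still sets only the deprecated names (`:admin_tenant_name`, `:admin_user`, `:admin_password`), so the new `username`, `password` and `project_name` parameters are never exercised with non-default values anywhere in this spec; the `@@ -81,17 +69,19 @@` hunk then checks `project_name = admin` produced through the alias path only. Add a second override case using the new names, plus one setting `include_service_catalog => true` and a custom `auth_url`, so the template lines introduced here are covered directly rather than via `pick()`. The `auth_plugin`, `project_domain_id` and `user_domain_id` lines are likewise only ever asserted at their defaults.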
@@ -81,17 +69,19 @@ log_name = swift signing_dir = /home/swift/keystone-signing paste.filter_factory = keystonemiddleware.auth_token:filter_factory -auth_host = some.host -auth_port = 443 -auth_protocol = https -auth_admin_prefix = /keystone/admin -auth_uri = https://some.host:5000 -admin_tenant_name = admin -admin_user = swiftuser -admin_password = swiftpassword +auth_uri = http://127.0.0.1:5000 +auth_url = http://127.0.0.1:35357 +auth_plugin = password +project_domain_id = default +user_domain_id = default +project_name = admin +username = swiftuser +password = swiftpassword + delay_auth_decision = 0 + cache = foo -include_service_catalog = False +include_service_catalog = false ') end end @@ -104,24 +94,6 @@ include_service_catalog = False it { is_expected.to contain_concat_fragment('swift_authtoken').with_content(/auth_uri = http:\/\/public\.host\/keystone\/main/)} end - [ - 'keystone', - 'keystone/', - '/keystone/', - '/keystone/admin/', - 'keystone/admin/', - 'keystone/admin' - ].each do |auth_admin_prefix| - describe "when overriding auth_admin_prefix with incorrect value #{auth_admin_prefix}" do - let :params do - { :auth_admin_prefix => auth_admin_prefix } - end - - it { expect { is_expected.to contain_concat_fragment('swift_authtoken').with_content(/auth_admin_prefix = #{auth_admin_prefix}/) }.to \ - raise_error(Puppet::Error, /validate_re\(\): "#{auth_admin_prefix}" does not match/) } - end - end - describe "when identity_uri is set" do let :params do { @@ -130,7 +102,7 @@ include_service_catalog = False end it 'should build the fragment with correct parameters' do - is_expected.to contain_concat_fragment('swift_authtoken').with_content(/identity_uri = https:\/\/foo\.bar:35357\//) + is_expected.to contain_concat_fragment('swift_authtoken').with_content(/auth_url = https:\/\/foo\.bar:35357\//) end end 
@@ -144,7 +116,7 @@ include_service_catalog = False it 'should build the fragment with correct parameters' do is_expected.to contain_concat_fragment('swift_authtoken').with_content(/auth_uri = https:\/\/foo\.bar:5000\/v2\.0\//) - is_expected.to contain_concat_fragment('swift_authtoken').with_content(/identity_uri = https:\/\/foo\.bar:35357\//) + is_expected.to contain_concat_fragment('swift_authtoken').with_content(/auth_url = https:\/\/foo\.bar:35357\//) end end diff --git a/templates/proxy/authtoken.conf.erb b/templates/proxy/authtoken.conf.erb index f3102f66..ebee3c0a 100644 --- a/templates/proxy/authtoken.conf.erb +++ b/templates/proxy/authtoken.conf.erb @@ -4,25 +4,16 @@ log_name = swift signing_dir = <%= @signing_dir %> paste.filter_factory = keystonemiddleware.auth_token:filter_factory -<% if not @identity_uri or not @auth_uri then -%> -auth_host = <%= @auth_host %> -auth_port = <%= @auth_port %> -auth_protocol = <%= @auth_protocol %> -<% if @auth_admin_prefix -%> -auth_admin_prefix = <%= @auth_admin_prefix %> -<% end -%> -<% end -%> -auth_uri = <%= @auth_uri_real %> -<% if @identity_uri -%> -identity_uri = <%= @identity_uri %> -<% end -%> -<% if @admin_token -%> -admin_token = <%= @admin_token %> -<% else -%> -admin_tenant_name = <%= @admin_tenant_name %> -admin_user = <%= @admin_user %> -admin_password = <%= @admin_password %> -<% end -%> +auth_uri = <%= @auth_uri %> +auth_url = <%= @auth_url_real %> +auth_plugin = <%= @auth_plugin %> +project_domain_id = <%= @project_domain_id %> +user_domain_id = <%= @user_domain_id %> +project_name = <%= @project_name_real %> +username = <%= @username_real %> +password = <%= @password_real %> + delay_auth_decision = <%= @delay_auth_decision %> + cache = <%= @cache %> -include_service_catalog = False +include_service_catalog = <%= @include_service_catalog %> diff --git a/tests/site.pp b/tests/site.pp index 8942d832..e1a38af0 100644 --- a/tests/site.pp +++ b/tests/site.pp 
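Review bot: `auth_plugin = <%= @auth_plugin %>` emits the legacy keystoneauth option name; newer keystonemiddleware reads `auth_type` and treats `auth_plugin` as a deprecated alias, so if the release this module targets is recent enough the template should write `auth_type` (or both) to avoid a deprecation warning at proxy start — worth confirming against the targeted release. The fragment now always carries the service credential on the `password = <%= @password_real %>` line, as it previously did with `admin_password`; the mode of the assembled proxy-server.conf is outside this hunk, so confirm it stays unreadable to other local users. The `include_service_catalog` line interpolates a Puppet boolean, which ERB renders as `false`/`true`, matching what the spec now expects.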
@@ -251,11 +251,9 @@ node /swift-proxy/ { operator_roles => ['admin', 'SwiftOperator'], } class { '::swift::proxy::authtoken': - admin_user => 'swift', - admin_tenant_name => 'services', - admin_password => $swift_admin_password, + password => $swift_admin_password, # assume that the controller host is the swift api server - auth_host => $swift_keystone_node, + auth_host => $swift_keystone_node, } # collect all of the resources that are needed
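Review bot: The example still passes `auth_host => $swift_keystone_node,` to `swift::proxy::authtoken`, but this commit removes `auth_host` from the class parameter list, so compiling tests/site.pp will now fail with an invalid-parameter error. Replace that line with the new parameters, e.g. `auth_url => "http://${swift_keystone_node}:35357",` and `auth_uri => "http://${swift_keystone_node}:5000",`, keeping the comment above it. The `node /swift-proxy/` block continues outside the hunk.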