Change swift authtoken

Update authtoken class with parameters from documentation [1] We cant use the resource because swift does not use keystone_authtoken section. deprecations: - admin_password, use password instead. - admin_user, use username instead. - admin_tenant_name, use project_name instead. - identity_uri, use auth_url instead. - admin_token, no usage. removals: - Old parameters (already deprecated) [1] http://docs.openstack.org/mitaka/config-reference/object-storage/proxy-server.html Change-Id: I1eb4b0712214c059c713001ad991cbe92cd01711
2016-08-25 01:11:45 -03:00 · 2016-08-25 01:11:45 -03:00 · a266ab91ed
commit a266ab91ed
parent e2ad11e48e
6 changed files with 154 additions and 159 deletions
--- a/manifests/proxy/authtoken.pp
+++ b/manifests/proxy/authtoken.pp
@ -4,64 +4,79 @@
 #
 # == Parameters
 #
-#  [*admin_token*]
+# [*delay_auth_decision*]
-#    Keystone admin token that can serve as a shared secret
+#   (Optional) Do not handle authorization requests within the middleware, but
-#    for authenticating. If this is choosen if is used instead of a user,tenant,password.
+#   delegate the authorization decision to downstream WSGI components. Boolean value
-#    Optional. Defaults to false.
+#   Defaults to 1
 #
-#  [*admin_user*]
+# [*signing_dir*]
 #    User used to authenticate service.
 #    Optional. Defaults to 'swift'.
 #
 #  [*admin_tenant_name*]
 #    Tenant used to authenticate service.
 #    Optional. Defaults to 'services'.
 #
 #  [*admin_password*]
 #    Password used with user to authenticate service.
 #    Optional. Defaults to 'password'.
 #
 #  [*delay_auth_decision*]
 #    Set to 1 to support token-less access (anonymous access, tempurl, ...)
 #    Optional, Defaults to 0
 #
 #  [*auth_host*]
 #    Host providing the keystone service API endpoint. Optional.
 #    Defaults to 127.0.0.1
 #
 #  [*auth_port*]
 #    Port where keystone service is listening. Optional.
 #    Defaults to 3557.
 #
 #  [*auth_protocol*]
 #    Protocol to use to communicate with keystone. Optional.
 #    Defaults to https.
 #
 #  [*auth_admin_prefix*]
 #    Path part of the auth url. Optional.
 #    This allows admin auth URIs like http://host/keystone/admin/v2.0.
 #    Defaults to false for empty. It defined, should be a string with a leading '/' and no trailing '/'.
 #
 #  [*auth_uri*]
 #    The public auth url to redirect unauthenticated requests.
 #    Defaults to false to be expanded to '${auth_protocol}://${auth_host}:5000'.
 #    Should be set to your public keystone endpoint (without version).
 #
 #  [*identity_uri*]
 #    identity_uri points to the Keystone Admin service. This information is
 #    used by the middleware to actually query Keystone about the validity of the
 #    authentication tokens. It is not necessary to append any Keystone API version
 #    number to this URI.
 #    Defaults to false.
 #
 #  [*signing_dir*]
 #    The cache directory for signing certificates.
 #    Defaults to '/var/cache/swift'
 #
-#  [*cache*]
+# [*cache*]
 #    The cache backend to use
 #    Optional. Defaults to 'swift.cache'
 #
 # [*auth_uri*]
 #   (Optional) Complete public Identity API endpoint.
 #   Defaults to 'http://127.0.0.1:5000'
 #
 # [*auth_url*]
 #   (Optional) The URL to use for authentication.
 #   Defaults to 'http://127.0.0.1:35357'
 #
 # [*auth_plugin*]
 #   (Optional) The plugin for authentication
 #   Defaults to 'password'
 #
 # [*username*]
 #   (Optional) The name of the service user
 #   Defaults to 'swift'
 #
 # [*password*]
 #   (Optional) The password for the user
 #   Defaults to 'password'
 #
 # [*project_name*]
 #   (Optional) Service project name
 #   Defaults to 'services'
 #
 # [*project_domain_id*]
 #   (Optional) id of domain for $project_name
 #   Defaults to 'default'
 #
 # [*user_domain_id*]
 #   (Optional) id of domain for $username
 #   Defaults to 'default'
 #
 # [*include_service_catalog*]
 #   (Optional) Indicate whether to set the X-Service-Catalog header. If False,
 #   middleware will not ask for service catalog on token validation and will
 #   not set the X-Service-Catalog header. Boolean value.
 #   Defaults to false
 #
 # == DEPRECATED
 #
 # [*admin_token*]
 #   (optional) Depreated.
 #   Defaults to undef
 #
 # [*identity_uri*]
 #   (optional) Deprecated. Use auth_url instead.
 #   Defaults to undef
 #
 # [*admin_user*]
 #   (optional) Deprecated. Use username instead.
 #   Defaults to undef
 #
 # [*admin_tenant_name*]
 #   (optional) Deprecated. Use project_name instead.
 #   Defaults to undef
 #
 # [*admin_password*]
 #   (optional) Deprecated. Use password instead.
 #   Defaults to undef
 #
 # == Authors
 #
 #   Dan Bode dan@puppetlabs.com
@ -71,47 +86,53 @@
 # Copyright 2012 Puppetlabs Inc, unless otherwise noted.
 #
 class swift::proxy::authtoken(
-  $admin_user          = 'swift',
+  $delay_auth_decision     = 1,
-  $admin_tenant_name   = 'services',
+  $signing_dir             = '/var/cache/swift',
-  $admin_password      = 'password',
+  $cache                   = 'swift.cache',
-  $auth_uri            = false,
+  $auth_uri                = 'http://127.0.0.1:5000',
-  $identity_uri        = false,
+  $auth_url                = 'http://127.0.0.1:35357',
-  $delay_auth_decision = 1,
+  $auth_plugin             = 'password',
-  $admin_token         = false,
+  $project_domain_id       = 'default',
-  $signing_dir         = '/var/cache/swift',
+  $user_domain_id          = 'default',
-  $cache               = 'swift.cache',
+  $project_name            = 'services',
  $username                = 'swift',
  $password                = 'password',
  $include_service_catalog = false,
  # DEPRECATED PARAMETERS
-  $auth_host           = '127.0.0.1',
+  $admin_user              = undef,
-  $auth_port           = '35357',
+  $admin_tenant_name       = undef,
-  $auth_protocol       = 'http',
+  $admin_password          = undef,
-  $auth_admin_prefix   = false,
+  $identity_uri            = undef,
  $admin_token             = undef,
 ) {
  include ::swift::deps
-  if $auth_uri {
+  if $admin_token {
-    $auth_uri_real = $auth_uri
+    warning('admin_token is deprecated, has no usage and will be removed in the O release')
  } else {
    $auth_uri_real = "${auth_protocol}://${auth_host}:5000"
  }
-  # if both auth_uri and identity_uri are set we skip these deprecated warnings
+  if $identity_uri {
-  if !$auth_uri or !$identity_uri {
+    warning('identity_uri is deprecated and will be removed, please use auth_url instead')
    if $auth_host {
      warning('The auth_host parameter is deprecated. Please use auth_uri and identity_uri instead.')
    }
    if $auth_port {
      warning('The auth_port parameter is deprecated. Please use auth_uri and identity_uri instead.')
    }
    if $auth_protocol {
      warning('The auth_protocol parameter is deprecated. Please use auth_uri and identity_uri instead.')
    }
    if $auth_admin_prefix {
      warning('The auth_admin_prefix parameter is deprecated. Please use auth_uri and identity_uri instead.')
      validate_re($auth_admin_prefix, '^(/.+[^/])?$')
    }
  }
  if $admin_user {
    warning('admin_user is deprecated and will be removed, please use username instead')
  }
  if $admin_tenant_name {
    warning('admin_tenant_name is deprecated and will be removed, please use project_name instead')
  }
  if $admin_password {
    warning('admin_password is deprecated and will be removed, please use password isntead')
  }
  $auth_url_real = pick($identity_uri, $auth_url)
  $username_real = pick($admin_user, $username)
  $project_name_real = pick($admin_tenant_name, $project_name)
  $password_real = pick($admin_password, $password)
  file { $signing_dir:
    ensure                  => directory,
    mode                    => '0700',
--- a/releasenotes/notes/authtoken-b49c75db4b7429cb.yaml
+++ b/releasenotes/notes/authtoken-b49c75db4b7429cb.yaml
@ -0,0 +1,13 @@
 ---
 features:
  - add new parameters to configure authtoken for swift, like
    username, password, project_name, auth_url, auth_plugin,
    project_domain_id, user_domain_id, include_service_catalog
 deprecations:
  - admin_token
  - admin_tenant_name in favor of project_name
  - admin_password in favor of password
  - admin_user in favor of username
  - identity_uri in favor of auth_url
 fixes:
  - remove auth_host, auth_port, auth_protocol, auth_admin_prefix
--- a/spec/acceptance/basic_swift_spec.rb
+++ b/spec/acceptance/basic_swift_spec.rb
@ -57,7 +57,7 @@ describe 'basic swift' do
        account_autocreate => true,
      }
      class { '::swift::proxy::authtoken':
-        admin_password => 'a_big_secret',
+        password => 'a_big_secret',
      }
      class { '::swift::keystone::dispersion': } -> class { '::swift::dispersion': }
      class {'::swift::objectexpirer':
--- a/spec/classes/swift_proxy_authtoken_spec.rb
+++ b/spec/classes/swift_proxy_authtoken_spec.rb
@ -32,39 +32,27 @@ log_name = swift
 signing_dir = /var/cache/swift
 paste.filter_factory = keystonemiddleware.auth_token:filter_factory
 auth_host = 127.0.0.1
 auth_port = 35357
 auth_protocol = http
 auth_uri = http://127.0.0.1:5000
-admin_tenant_name = services
+auth_url = http://127.0.0.1:35357
-admin_user = swift
+auth_plugin = password
-admin_password = password
+project_domain_id = default
 user_domain_id = default
 project_name = services
 username = swift
 password = password
 delay_auth_decision = 1
 cache = swift.cache
-include_service_catalog = False
+include_service_catalog = false
 ')
    end
  end
  describe "when overriding admin_token" do
    let :params do
      {
        :admin_token => 'ADMINTOKEN'
      }
    end
    it 'should build the fragment with correct parameters' do
      is_expected.to contain_concat_fragment('swift_authtoken').with_content(/admin_token = ADMINTOKEN/)
    end
  end
  describe "when overriding parameters" do
    let :params do
      {
        :auth_host           => 'some.host',
        :auth_port           => '443',
        :auth_protocol       => 'https',
        :auth_admin_prefix   => '/keystone/admin',
        :admin_tenant_name   => 'admin',
        :admin_user          => 'swiftuser',
        :admin_password      => 'swiftpassword',
@ -81,17 +69,19 @@ log_name = swift
 signing_dir = /home/swift/keystone-signing
 paste.filter_factory = keystonemiddleware.auth_token:filter_factory
-auth_host = some.host
+auth_uri = http://127.0.0.1:5000
-auth_port = 443
+auth_url = http://127.0.0.1:35357
-auth_protocol = https
+auth_plugin = password
-auth_admin_prefix = /keystone/admin
+project_domain_id = default
-auth_uri = https://some.host:5000
+user_domain_id = default
-admin_tenant_name = admin
+project_name = admin
-admin_user = swiftuser
+username = swiftuser
-admin_password = swiftpassword
+password = swiftpassword
 delay_auth_decision = 0
 cache = foo
-include_service_catalog = False
+include_service_catalog = false
 ')
    end
  end
@ -104,24 +94,6 @@ include_service_catalog = False
    it { is_expected.to contain_concat_fragment('swift_authtoken').with_content(/auth_uri = http:\/\/public\.host\/keystone\/main/)}
  end
  [
    'keystone',
    'keystone/',
    '/keystone/',
    '/keystone/admin/',
    'keystone/admin/',
    'keystone/admin'
  ].each do |auth_admin_prefix|
    describe "when overriding auth_admin_prefix with incorrect value #{auth_admin_prefix}" do
      let :params do
        { :auth_admin_prefix => auth_admin_prefix }
      end
      it { expect { is_expected.to contain_concat_fragment('swift_authtoken').with_content(/auth_admin_prefix = #{auth_admin_prefix}/) }.to \
        raise_error(Puppet::Error, /validate_re\(\): "#{auth_admin_prefix}" does not match/) }
    end
  end
  describe "when identity_uri is set" do
    let :params do
      {
@ -130,7 +102,7 @@ include_service_catalog = False
    end
    it 'should build the fragment with correct parameters' do
-      is_expected.to contain_concat_fragment('swift_authtoken').with_content(/identity_uri = https:\/\/foo\.bar:35357\//)
+      is_expected.to contain_concat_fragment('swift_authtoken').with_content(/auth_url = https:\/\/foo\.bar:35357\//)
    end
  end
@ -144,7 +116,7 @@ include_service_catalog = False
    it 'should build the fragment with correct parameters' do
      is_expected.to contain_concat_fragment('swift_authtoken').with_content(/auth_uri = https:\/\/foo\.bar:5000\/v2\.0\//)
-      is_expected.to contain_concat_fragment('swift_authtoken').with_content(/identity_uri = https:\/\/foo\.bar:35357\//)
+      is_expected.to contain_concat_fragment('swift_authtoken').with_content(/auth_url = https:\/\/foo\.bar:35357\//)
    end
  end
--- a/templates/proxy/authtoken.conf.erb
+++ b/templates/proxy/authtoken.conf.erb
@ -4,25 +4,16 @@ log_name = swift
 signing_dir = <%= @signing_dir %>
 paste.filter_factory = keystonemiddleware.auth_token:filter_factory
-<% if not @identity_uri or not @auth_uri then -%>
+auth_uri = <%= @auth_uri %>
-auth_host = <%= @auth_host %>
+auth_url = <%= @auth_url_real %>
-auth_port = <%= @auth_port %>
+auth_plugin = <%= @auth_plugin %>
-auth_protocol = <%= @auth_protocol %>
+project_domain_id = <%= @project_domain_id %>
-<% if @auth_admin_prefix -%>
+user_domain_id = <%= @user_domain_id %>
-auth_admin_prefix = <%= @auth_admin_prefix %>
+project_name = <%= @project_name_real %>
-<% end -%>
+username = <%= @username_real %>
-<% end -%>
+password = <%= @password_real %>
-auth_uri = <%= @auth_uri_real %>
+
 <% if @identity_uri -%>
 identity_uri = <%= @identity_uri %>
 <% end -%>
 <% if @admin_token -%>
 admin_token = <%= @admin_token %>
 <% else -%>
 admin_tenant_name = <%= @admin_tenant_name %>
 admin_user = <%= @admin_user %>
 admin_password = <%= @admin_password %>
 <% end -%>
 delay_auth_decision = <%= @delay_auth_decision %>
 cache = <%= @cache %>
-include_service_catalog = False
+include_service_catalog = <%= @include_service_catalog %>
--- a/tests/site.pp
+++ b/tests/site.pp
@ -251,11 +251,9 @@ node /swift-proxy/ {
    operator_roles => ['admin', 'SwiftOperator'],
  }
  class { '::swift::proxy::authtoken':
-    admin_user        => 'swift',
+    password  => $swift_admin_password,
    admin_tenant_name => 'services',
    admin_password    => $swift_admin_password,
    # assume that the controller host is the swift api server
-    auth_host         => $swift_keystone_node,
+    auth_host => $swift_keystone_node,
  }
  # collect all of the resources that are needed