Drop default password

The default password was deprecated some time ago[1].

[1] 2df992faf3

Change-Id: I517fc45081015156e71cd0c77fd2992876e1a22e

manifests/keymaster.pp

@@ -2,6 +2,9 @@
 #
 # == Parameters
 #
+# [*password*]
+#   (Required) String. The password to go with the Keystone username.
+#
 # [*api_class*]
 #   (Required) String. The api_class tells Castellan which key manager to 
 #   use to access the external key management system. The default value that
@@ -19,9 +22,6 @@
 #   from the KMS. The username shall be set to match an existing user.
 #   Defaults to swift.
 #
-# [*password*]
-#   (Required) String. The password to go with the Keystone username.
-#
 # [*project_name*]
 #   (Optional) String. The Keystone project name. For security reasons,
 #   it is recommended to set the project_name to a project separate from the
@@ -69,10 +69,10 @@
 #   Thiago da Silva thiago@redhat.com
 #
 class swift::keymaster(
+  String[1] $password,
   $api_class             = 'barbican',
   $key_id                = undef,
   $username              = 'swift',
-  $password              = undef,
   $project_name          = 'services',
   $project_id            = undef,
   $auth_endpoint         = undef,
@@ -85,10 +85,6 @@ class swift::keymaster(
 
   include swift::deps
 
-  if $password == undef {
-    warning('password parameter is missing')
-  }
-
   swift_keymaster_config {
     'kms_keymaster/api_class':             value => $api_class;
     'kms_keymaster/key_id':                value => $key_id;

manifests/keystone/auth.pp

@@ -7,14 +7,14 @@
 #
 # === Parameters:
 #
+# [*password*]
+#  String. The user's password.
+#  Required.
+#
 # [*auth_name*]
 #  String. The name of the user.
 #  Optional. Defaults to 'swift'.
 #
-# [*password*]
-#  String. The user's password.
-#  Optional. Defaults to 'swift_password'.
-#
 # [*tenant*]
 #   (Optional) The tenant to use for the swift service user
 #   Defaults to 'services'
@@ -108,8 +108,8 @@
 #   This url should *not* contain any trailing '/'.
 #
 class swift::keystone::auth(
+  String[1] $password,
   $auth_name              = 'swift',
-  $password               = undef,
   $tenant                 = 'services',
   $roles                  = ['admin'],
   $system_scope           = 'all',
@@ -137,14 +137,6 @@ class swift::keystone::auth(
 
   include swift::deps
 
-  if $password == undef {
-    warning('Usage of the default password is deprecated and will be removed in a future release. \
-Please set password parameter')
-    $password_real = 'swift_password'
-  } else {
-    $password_real = $password
-  }
-
   if $service_name == $service_name_s3 {
       fail('swift::keystone::auth parameters service_name and service_name_s3 must be different.')
   }
@@ -165,7 +157,7 @@ Please set password parameter')
     service_description => $service_description,
     region              => $region,
     auth_name           => $auth_name,
-    password            => $password_real,
+    password            => $password,
     email               => $email,
     tenant              => $tenant,
     roles               => $roles,

manifests/proxy/authtoken.pp

@@ -4,6 +4,9 @@
 #
 # == Parameters
 #
+# [*password*]
+#   (Required) The password for the user
+#
 # [*delay_auth_decision*]
 #   (Optional) Do not handle authorization requests within the middleware, but
 #   delegate the authorization decision to downstream WSGI components. Boolean value
@@ -33,10 +36,6 @@
 #   (Optional) id of domain for $username
 #   Defaults to 'default'
 #
-# [*password*]
-#   (Optional) The password for the user
-#   Defaults to 'password'
-#
 # [*project_name*]
 #   (Optional) Service project name
 #   Defaults to 'services'
@@ -94,6 +93,7 @@
 # Copyright 2012 Puppetlabs Inc, unless otherwise noted.
 #
 class swift::proxy::authtoken(
+  String[1] $password,
   $delay_auth_decision          = 1,
   $cache                        = 'swift.cache',
   $www_authenticate_uri         = 'http://127.0.0.1:5000',
@@ -101,7 +101,6 @@ class swift::proxy::authtoken(
   $auth_type                    = 'password',
   $username                     = 'swift',
   $user_domain_id               = 'default',
-  $password                     = undef,
   $project_name                 = 'services',
   $project_domain_id            = 'default',
   $system_scope                 = $facts['os_service_default'],
@@ -115,14 +114,6 @@ class swift::proxy::authtoken(
 
   include swift::deps
 
-  if $password == undef {
-    warning('Usage of the default password is deprecated and will be removed in a future release. \
-Please set password parameter')
-    $password_real = 'password'
-  } else {
-    $password_real = $password
-  }
-
   if is_service_default($system_scope) {
     $project_name_real = $project_name
     $project_domain_id_real = $project_domain_id
@@ -139,7 +130,7 @@ Please set password parameter')
     'filter:authtoken/auth_type':                    value => $auth_type;
     'filter:authtoken/username':                     value => $username;
     'filter:authtoken/user_domain_id':               value => $user_domain_id;
-    'filter:authtoken/password':                     value => $password_real, secret => true;
+    'filter:authtoken/password':                     value => $password, secret => true;
     'filter:authtoken/project_name':                 value => $project_name_real;
     'filter:authtoken/project_domain_id':            value => $project_domain_id_real;
     'filter:authtoken/system_scope':                 value => $system_scope;

manifests/proxy/ceilometer.pp

@@ -7,6 +7,9 @@
 #
 # == Parameters
 #
+# [*password*]
+#   (Required) The password for the user
+#
 # [*default_transport_url*]
 #   (optional) A URL representing the messaging driver to use and its full
 #   configuration. Transport URLs take the form:
@@ -65,10 +68,6 @@
 #   (Optional) name of domain for $username
 #   Defaults to 'default'
 #
-# [*password*]
-#   (Optional) The password for the user
-#   Defaults to 'password'
-#
 # [*region_name*]
 #   (Optional) The region in which the identity server can be found.
 #   Defaults to $facts['os_service_default'].
@@ -162,6 +161,7 @@
 # Copyright 2013 eNovance licensing@enovance.com
 #
 class swift::proxy::ceilometer(
+  String[1] $password,
   $default_transport_url              = undef,
   $driver                             = $facts['os_service_default'],
   $topic                              = undef,
@@ -176,7 +176,6 @@ class swift::proxy::ceilometer(
   $system_scope                       = $facts['os_service_default'],
   $username                           = 'swift',
   $user_domain_name                   = 'Default',
-  $password                           = undef,
   $region_name                        = $facts['os_service_default'],
   $notification_ssl_ca_file           = $facts['os_service_default'],
   $notification_ssl_cert_file         = $facts['os_service_default'],
@@ -199,14 +198,6 @@ class swift::proxy::ceilometer(
 
   Package['python-ceilometermiddleware'] ~> Service<| title == 'swift-proxy-server' |>
 
-  if $password == undef {
-    warning('Usage of the default password is deprecated and will be removed in a future release. \
-Please set password parameter')
-    $password_real = 'password'
-  } else {
-    $password_real = $password
-  }
-
   if is_service_default($system_scope) {
     $project_name_real = $project_name
     $project_domain_name_real = $project_domain_name
@@ -230,7 +221,7 @@ Please set password parameter')
     'filter:ceilometer/system_scope':         value => $system_scope;
     'filter:ceilometer/username':             value => $username;
     'filter:ceilometer/user_domain_name':     value => $user_domain_name;
-    'filter:ceilometer/password':             value => $password_real, secret => true;
+    'filter:ceilometer/password':             value => $password, secret => true;
     'filter:ceilometer/region_name':          value => $region_name;
   }
 

manifests/proxy/s3token.pp

@@ -4,6 +4,11 @@
 #
 # === Parameters
 #
+# [*password*]
+#   (Required) Keystone credentials used for secret caching
+#   The password for the user
+#   Defaults to password
+#
 # [*auth_uri*]
 #   (optional) The Keystone server uri
 #   Defaults to http://127.0.0.1:5000
@@ -50,11 +55,6 @@
 #   id of domain for $username
 #   Defaults to default
 #
-# [*password*]
-#   (Optional) Keystone credentials used for secret caching
-#   The password for the user
-#   Defaults to password
-#
 # [*project_name*]
 #   (Optional) Keystone credentials used for secret caching
 #   Service project name
@@ -82,6 +82,7 @@
 # Copyright 2012 eNovance licensing@enovance.com
 #
 class swift::proxy::s3token(
+  String[1] $password,
   $auth_uri              = 'http://127.0.0.1:5000',
   $reseller_prefix       = 'AUTH_',
   $delay_auth_decision   = false,
@@ -91,7 +92,6 @@ class swift::proxy::s3token(
   $auth_type             = 'password',
   $username              = 'swift',
   $user_domain_id        = 'default',
-  $password              = undef,
   $project_name          = 'services',
   $project_domain_id     = 'default',
   $system_scope          = $facts['os_service_default'],
@@ -99,14 +99,6 @@ class swift::proxy::s3token(
 
   include swift::deps
 
-  if $password == undef {
-    warning('Usage of the default password is deprecated and will be removed in a future release. \
-Please set password parameter')
-    $password_real = 'password'
-  } else {
-    $password_real = $password
-  }
-
   if is_service_default($system_scope) {
     $project_name_real = $project_name
     $project_domain_id_real = $project_domain_id
@@ -126,7 +118,7 @@ Please set password parameter')
     'filter:s3token/auth_type':             value => $auth_type;
     'filter:s3token/username':              value => $username;
     'filter:s3token/user_domain_id':        value => $user_domain_id;
-    'filter:s3token/password':              value => $password_real, secret => true;
+    'filter:s3token/password':              value => $password, secret => true;
     'filter:s3token/project_name':          value => $project_name_real;
     'filter:s3token/project_domain_id':     value => $project_domain_id_real;
     'filter:s3token/system_scope':          value => $system_scope;

releasenotes/notes/require-password-a524fb4dc86a4d83.yaml

@@ -0,0 +1,5 @@
+---
+upgrade:
+  - |
+    The default password value has been removed and now the ``password``
+    parameters are required.

spec/classes/swift_keymaster_spec.rb

@@ -2,10 +2,17 @@ require 'spec_helper'
 
 describe 'swift::keymaster' do
   shared_examples 'swift::keymaster' do
+    let :params do
+      {
+        :password => 'swiftpassword'
+      }
+    end
+
     context "when using default parameters" do
       it 'configures keymaster options' do
         is_expected.to contain_swift_keymaster_config('kms_keymaster/api_class').with_value('barbican')
         is_expected.to contain_swift_keymaster_config('kms_keymaster/username').with_value('swift')
+        is_expected.to contain_swift_keymaster_config('kms_keymaster/password').with_value('swiftpassword').with_secret(true)
         is_expected.to contain_swift_keymaster_config('kms_keymaster/project_name').with_value('services')
         is_expected.to contain_swift_keymaster_config('kms_keymaster/project_domain_id').with_value('default')
         is_expected.to contain_swift_keymaster_config('kms_keymaster/user_domain_id').with_value('default')
@@ -14,21 +21,19 @@ describe 'swift::keymaster' do
     end
 
     describe "when overriding default parameters" do
-      let :params do
+      before :each do
-        {
+        params.merge!({
           :api_class             => 'castellan.key_manager.barbican_key_manager.BarbicanKeyManager',
           :key_id                => 'dummy_key_id',
-          :password              => 'fake_password',
           :auth_endpoint         => 'http://127.0.0.1:5000',
           :project_name          => 'barbican_swift_service',
           :meta_version_to_write => 3,
-        }
+        })
       end
 
       it 'configures keymaster options' do
         is_expected.to contain_swift_keymaster_config('kms_keymaster/api_class').with_value('castellan.key_manager.barbican_key_manager.BarbicanKeyManager')
         is_expected.to contain_swift_keymaster_config('kms_keymaster/key_id').with_value('dummy_key_id')
-        is_expected.to contain_swift_keymaster_config('kms_keymaster/password').with_value('fake_password').with_secret(true)
         is_expected.to contain_swift_keymaster_config('kms_keymaster/auth_endpoint').with_value('http://127.0.0.1:5000')
         is_expected.to contain_swift_keymaster_config('kms_keymaster/project_name').with_value('barbican_swift_service')
         is_expected.to contain_swift_keymaster_config('kms_keymaster/meta_version_to_write').with_value('3')

spec/classes/swift_proxy_authtoken_spec.rb

@@ -2,6 +2,12 @@ require 'spec_helper'
 
 describe 'swift::proxy::authtoken' do
   shared_examples 'swift::proxy::authtoken' do
+    let :params do
+      {
+        :password => 'swiftpassword',
+      }
+    end
+
     describe "when using default parameters" do
       it { is_expected.to contain_swift_proxy_config('filter:authtoken/log_name').with_value('swift') }
       it { is_expected.to contain_swift_proxy_config('filter:authtoken/paste.filter_factory').with_value('keystonemiddleware.auth_token:filter_factory') }
@@ -10,7 +16,7 @@ describe 'swift::proxy::authtoken' do
       it { is_expected.to contain_swift_proxy_config('filter:authtoken/auth_type').with_value('password') }
       it { is_expected.to contain_swift_proxy_config('filter:authtoken/username').with_value('swift') }
       it { is_expected.to contain_swift_proxy_config('filter:authtoken/user_domain_id').with_value('default') }
-      it { is_expected.to contain_swift_proxy_config('filter:authtoken/password').with_value('password').with_secret(true) }
+      it { is_expected.to contain_swift_proxy_config('filter:authtoken/password').with_value('swiftpassword').with_secret(true) }
       it { is_expected.to contain_swift_proxy_config('filter:authtoken/project_name').with_value('services') }
       it { is_expected.to contain_swift_proxy_config('filter:authtoken/project_domain_id').with_value('default') }
       it { is_expected.to contain_swift_proxy_config('filter:authtoken/system_scope').with_value('<SERVICE DEFAULT>') }
@@ -25,8 +31,8 @@ describe 'swift::proxy::authtoken' do
     end
 
     describe "when overriding parameters" do
-      let :params do
+      before :each do
-        {
+        params.merge!({
           :username                     => 'swiftuser',
           :password                     => 'swiftpassword',
           :project_name                 => 'admin',
@@ -37,7 +43,7 @@ describe 'swift::proxy::authtoken' do
           :service_token_roles_required => true,
           :service_type                 => 'identity',
           :interface                    => 'internal',
-        }
+        })
       end
 
       it { is_expected.to contain_swift_proxy_config('filter:authtoken/log_name').with_value('swift') }
@@ -62,29 +68,31 @@ describe 'swift::proxy::authtoken' do
     end
 
     describe 'when overriding www_authenticate_uri' do
-      let :params do
+      before :each do
-        { :www_authenticate_uri => 'http://public.host/keystone/main' }
+        params.merge!({
+          :www_authenticate_uri => 'http://public.host/keystone/main'
+        })
       end
 
       it { is_expected.to contain_swift_proxy_config('filter:authtoken/www_authenticate_uri').with_value('http://public.host/keystone/main') }
     end
 
     describe "when auth_url is set" do
-      let :params do
+      before :each do
-        {
+        params.merge!({
           :auth_url => 'https://foo.bar:5000/'
-        }
+        })
       end
 
       it { is_expected.to contain_swift_proxy_config('filter:authtoken/auth_url').with_value('https://foo.bar:5000/') }
     end
 
     describe "when both www_authenticate_uri and auth_url are set" do
-      let :params do
+      before :each do
-        {
+        params.merge!({
           :www_authenticate_uri => 'https://foo.bar:5000/v3/',
           :auth_url             => 'https://foo.bar:5000/'
-        }
+        })
       end
 
       it { is_expected.to contain_swift_proxy_config('filter:authtoken/www_authenticate_uri').with_value('https://foo.bar:5000/v3/') }
@@ -92,10 +100,10 @@ describe 'swift::proxy::authtoken' do
     end
 
     describe 'when system_scope is set' do
-      let :params do
+      before :each do
-        {
+        params.merge!({
           :system_scope => 'all'
-        }
+        })
       end
 
       it { is_expected.to contain_swift_proxy_config('filter:authtoken/project_name').with_value('<SERVICE DEFAULT>') }

spec/classes/swift_proxy_ceilometer_spec.rb

@@ -9,14 +9,21 @@ describe 'swift::proxy::ceilometer' do
   end
 
   shared_examples 'swift::proxy::ceilometer' do
-    describe "when using default parameters" do
+
     let :params do
       {
-          :default_transport_url => 'rabbit://user_1:user_1_passw@1.1.1.1:5673/rabbit',
+        :password => 'swiftpassword'
       }
     end
 
-      it { is_expected.to contain_swift_proxy_config('filter:ceilometer/password').with_value('password').with_secret(true) }
+    describe "when using default parameters" do
+      before :each do
+        params.merge!({
+          :default_transport_url => 'rabbit://user_1:user_1_passw@1.1.1.1:5673/rabbit',
+        })
+      end
+
+      it { is_expected.to contain_swift_proxy_config('filter:ceilometer/password').with_value('swiftpassword').with_secret(true) }
       it { is_expected.to contain_swift_proxy_config('filter:ceilometer/paste.filter_factory').with_value('ceilometermiddleware.swift:filter_factory') }
       it { is_expected.to contain_swift_proxy_config('filter:ceilometer/url').with_value('rabbit://user_1:user_1_passw@1.1.1.1:5673/rabbit').with_secret(true) }
       it { is_expected.to contain_swift_proxy_config('filter:ceilometer/nonblocking_notify').with_value('false') }
@@ -29,8 +36,9 @@ describe 'swift::proxy::ceilometer' do
     end
 
     describe "when overriding default parameters with rabbit driver" do
-      let :params do
+      before :each do
-        { :default_transport_url => 'rabbit://user_1:user_1_passw@1.1.1.1:5673/rabbit',
+        params.merge!({
+          :default_transport_url => 'rabbit://user_1:user_1_passw@1.1.1.1:5673/rabbit',
           :driver                => 'messagingv2',
           :topic                 => 'notifications',
           :control_exchange      => 'swift',
@@ -42,9 +50,8 @@ describe 'swift::proxy::ceilometer' do
           :user_domain_name      => 'Default',
           :project_name          => 'services',
           :username              => 'swift',
-          :password              => 'mypassword',
           :region_name           => 'region2'
-        }
+        })
       end
 
       context 'with single rabbit host' do
@@ -62,7 +69,6 @@ describe 'swift::proxy::ceilometer' do
         it { is_expected.to contain_swift_proxy_config('filter:ceilometer/system_scope').with_value('<SERVICE DEFAULT>') }
         it { is_expected.to contain_swift_proxy_config('filter:ceilometer/username').with_value('swift') }
         it { is_expected.to contain_swift_proxy_config('filter:ceilometer/user_domain_name').with_value('Default') }
-        it { is_expected.to contain_swift_proxy_config('filter:ceilometer/password').with_value('mypassword').with_secret(true) }
         it { is_expected.to contain_swift_proxy_config('filter:ceilometer/region_name').with_value('region2') }
       end
 
@@ -116,11 +122,11 @@ describe 'swift::proxy::ceilometer' do
     end
 
     describe 'when system_scope is set' do
-      let :params do
+      before :each do
-        {
+        params.merge!({
           :default_transport_url => 'rabbit://user_1:user_1_passw@1.1.1.1:5673/rabbit',
           :system_scope          => 'all'
-        }
+        })
       end
 
       it { is_expected.to contain_swift_proxy_config('filter:ceilometer/project_name').with_value('<SERVICE DEFAULT>') }

spec/classes/swift_proxy_s3token_spec.rb

@@ -2,6 +2,12 @@ require 'spec_helper'
 
 describe 'swift::proxy::s3token' do
   shared_examples 'swift::proxy::s3token' do
+    let :params do
+      {
+        :password => 'swiftpassword'
+      }
+    end
+
     describe "when using default parameters" do
       it { is_expected.to contain_swift_proxy_config('filter:s3token/use').with_value('egg:swift#s3token') }
       it { is_expected.to contain_swift_proxy_config('filter:s3token/auth_uri').with_value('http://127.0.0.1:5000') }
@@ -13,15 +19,15 @@ describe 'swift::proxy::s3token' do
       it { is_expected.to contain_swift_proxy_config('filter:s3token/auth_type').with_value('password') }
       it { is_expected.to contain_swift_proxy_config('filter:s3token/username').with_value('swift') }
       it { is_expected.to contain_swift_proxy_config('filter:s3token/user_domain_id').with_value('default') }
-      it { is_expected.to contain_swift_proxy_config('filter:s3token/password').with_value('password').with_secret(true) }
+      it { is_expected.to contain_swift_proxy_config('filter:s3token/password').with_value('swiftpassword').with_secret(true) }
       it { is_expected.to contain_swift_proxy_config('filter:s3token/project_name').with_value('services') }
       it { is_expected.to contain_swift_proxy_config('filter:s3token/project_domain_id').with_value('default') }
       it { is_expected.to contain_swift_proxy_config('filter:s3token/system_scope').with_value('<SERVICE DEFAULT>') }
     end
 
     describe "when overriding default parameters" do
-      let :params do
+      before :each do
-        {
+        params.merge!({
           :auth_uri               => 'http://192.168.24.11:5000',
           :reseller_prefix        => 'SWIFT_',
           :delay_auth_decision    => true,
@@ -30,11 +36,10 @@ describe 'swift::proxy::s3token' do
           :auth_url               => 'http://192.168.24.11:5000',
           :auth_type              => 'password',
           :username               => 'swift',
-          :password               => 'swift',
           :project_name           => 'admin',
           :project_domain_id      => '12345',
           :user_domain_id         => '12345'
-        }
+        })
       end
 
       it { is_expected.to contain_swift_proxy_config('filter:s3token/auth_uri').with_value('http://192.168.24.11:5000') }
@@ -46,17 +51,17 @@ describe 'swift::proxy::s3token' do
       it { is_expected.to contain_swift_proxy_config('filter:s3token/auth_type').with_value('password') }
       it { is_expected.to contain_swift_proxy_config('filter:s3token/username').with_value('swift') }
       it { is_expected.to contain_swift_proxy_config('filter:s3token/user_domain_id').with_value('12345') }
-      it { is_expected.to contain_swift_proxy_config('filter:s3token/password').with_value('swift').with_secret(true) }
+      it { is_expected.to contain_swift_proxy_config('filter:s3token/password').with_value('swiftpassword').with_secret(true) }
       it { is_expected.to contain_swift_proxy_config('filter:s3token/project_name').with_value('admin') }
       it { is_expected.to contain_swift_proxy_config('filter:s3token/project_domain_id').with_value('12345') }
       it { is_expected.to contain_swift_proxy_config('filter:s3token/system_scope').with_value('<SERVICE DEFAULT>') }
     end
 
     describe 'when system_scope is set' do
-      let :params do
+      before :each do
-        {
+        params.merge!({
           :system_scope => 'all'
-        }
+        })
       end
 
       it { is_expected.to contain_swift_proxy_config('filter:s3token/project_name').with_value('<SERVICE DEFAULT>') }