Drop default password

The default password was deprecated some time ago[1].

[1] 2df992faf3

Change-Id: I517fc45081015156e71cd0c77fd2992876e1a22e
Takashi Kajinami 2023-10-17 11:23:32 +09:00
parent 4d8816e804
commit e46f3b4af3
10 changed files with 97 additions and 106 deletions


@ -2,6 +2,9 @@
#
# == Parameters
#
# [*password*]
# (Required) String. The password to go with the Keystone username.
#
# [*api_class*]
# (Required) String. The api_class tells Castellan which key manager to
# use to access the external key management system. The default value that
@ -19,9 +22,6 @@
# from the KMS. The username shall be set to match an existing user.
# Defaults to swift.
#
# [*password*]
# (Required) String. The password to go with the Keystone username.
#
# [*project_name*]
# (Optional) String. The Keystone project name. For security reasons,
# it is recommended to set the project_name to a project separate from the
@ -69,10 +69,10 @@
# Thiago da Silva thiago@redhat.com
#
class swift::keymaster(
String[1] $password,
$api_class = 'barbican',
$key_id = undef,
$username = 'swift',
$password = undef,
$project_name = 'services',
$project_id = undef,
$auth_endpoint = undef,
@ -85,10 +85,6 @@ class swift::keymaster(
include swift::deps
if $password == undef {
warning('password parameter is missing')
}
swift_keymaster_config {
'kms_keymaster/api_class': value => $api_class;
'kms_keymaster/key_id': value => $key_id;
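Review bot: The new `String[1] $password` declaration accepts only a plain string, so a caller that wraps the secret in `Sensitive` now fails at compile time, whereas the previously untyped parameter at least passed type checking. If the swift_keymaster_config type can unwrap Sensitive values (not visible here, so this needs confirming), consider `Variant[String[1], Sensitive[String[1]]] $password`; otherwise say in the parameter doc that a plain string is expected. The same declaration is added to swift::keystone::auth, swift::proxy::authtoken, swift::proxy::ceilometer and swift::proxy::s3token. The class body continues outside the hunk.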


@ -7,14 +7,14 @@
#
# === Parameters:
#
# [*password*]
# String. The user's password.
# Required.
#
# [*auth_name*]
# String. The name of the user.
# Optional. Defaults to 'swift'.
#
# [*password*]
# String. The user's password.
# Optional. Defaults to 'swift_password'.
#
# [*tenant*]
# (Optional) The tenant to use for the swift service user
# Defaults to 'services'
@ -108,8 +108,8 @@
# This url should *not* contain any trailing '/'.
#
class swift::keystone::auth(
String[1] $password,
$auth_name = 'swift',
$password = undef,
$tenant = 'services',
$roles = ['admin'],
$system_scope = 'all',
@ -137,14 +137,6 @@ class swift::keystone::auth(
include swift::deps
if $password == undef {
warning('Usage of the default password is deprecated and will be removed in a future release. \
Please set password parameter')
$password_real = 'swift_password'
} else {
$password_real = $password
}
if $service_name == $service_name_s3 {
fail('swift::keystone::auth parameters service_name and service_name_s3 must be different.')
}
@ -165,7 +157,7 @@ Please set password parameter')
service_description => $service_description,
region => $region,
auth_name => $auth_name,
password => $password_real,
password => $password,
email => $email,
tenant => $tenant,
roles => $roles,
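Review bot: Nothing in this change tells operators what to do if they relied on the removed fallback. The deleted branch set the Keystone user's password to the literal `'swift_password'` (the proxy classes used `'password'`), and both values are public in the module source. Making the parameter required stops new deployments from inheriting them, but an existing service user keeps that password until it is changed, and passing the old literal explicitly still satisfies `String[1]`. I would add a sentence to the upgrade note such as `Deployments that relied on the previous default should set a new, unique password and update the Keystone service user accordingly.`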


@ -4,6 +4,9 @@
#
# == Parameters
#
# [*password*]
# (Required) The password for the user
#
# [*delay_auth_decision*]
# (Optional) Do not handle authorization requests within the middleware, but
# delegate the authorization decision to downstream WSGI components. Boolean value
@ -33,10 +36,6 @@
# (Optional) id of domain for $username
# Defaults to 'default'
#
# [*password*]
# (Optional) The password for the user
# Defaults to 'password'
#
# [*project_name*]
# (Optional) Service project name
# Defaults to 'services'
@ -94,6 +93,7 @@
# Copyright 2012 Puppetlabs Inc, unless otherwise noted.
#
class swift::proxy::authtoken(
String[1] $password,
$delay_auth_decision = 1,
$cache = 'swift.cache',
$www_authenticate_uri = 'http://127.0.0.1:5000',
@ -101,7 +101,6 @@ class swift::proxy::authtoken(
$auth_type = 'password',
$username = 'swift',
$user_domain_id = 'default',
$password = undef,
$project_name = 'services',
$project_domain_id = 'default',
$system_scope = $facts['os_service_default'],
@ -115,14 +114,6 @@ class swift::proxy::authtoken(
include swift::deps
if $password == undef {
warning('Usage of the default password is deprecated and will be removed in a future release. \
Please set password parameter')
$password_real = 'password'
} else {
$password_real = $password
}
if is_service_default($system_scope) {
$project_name_real = $project_name
$project_domain_id_real = $project_domain_id
@ -139,7 +130,7 @@ Please set password parameter')
'filter:authtoken/auth_type': value => $auth_type;
'filter:authtoken/username': value => $username;
'filter:authtoken/user_domain_id': value => $user_domain_id;
'filter:authtoken/password': value => $password_real, secret => true;
'filter:authtoken/password': value => $password, secret => true;
'filter:authtoken/project_name': value => $project_name_real;
'filter:authtoken/project_domain_id': value => $project_domain_id_real;
'filter:authtoken/system_scope': value => $system_scope;


@ -7,6 +7,9 @@
#
# == Parameters
#
# [*password*]
# (Required) The password for the user
#
# [*default_transport_url*]
# (optional) A URL representing the messaging driver to use and its full
# configuration. Transport URLs take the form:
@ -65,10 +68,6 @@
# (Optional) name of domain for $username
# Defaults to 'default'
#
# [*password*]
# (Optional) The password for the user
# Defaults to 'password'
#
# [*region_name*]
# (Optional) The region in which the identity server can be found.
# Defaults to $facts['os_service_default'].
@ -162,6 +161,7 @@
# Copyright 2013 eNovance licensing@enovance.com
#
class swift::proxy::ceilometer(
String[1] $password,
$default_transport_url = undef,
$driver = $facts['os_service_default'],
$topic = undef,
@ -176,7 +176,6 @@ class swift::proxy::ceilometer(
$system_scope = $facts['os_service_default'],
$username = 'swift',
$user_domain_name = 'Default',
$password = undef,
$region_name = $facts['os_service_default'],
$notification_ssl_ca_file = $facts['os_service_default'],
$notification_ssl_cert_file = $facts['os_service_default'],
@ -199,14 +198,6 @@ class swift::proxy::ceilometer(
Package['python-ceilometermiddleware'] ~> Service<| title == 'swift-proxy-server' |>
if $password == undef {
warning('Usage of the default password is deprecated and will be removed in a future release. \
Please set password parameter')
$password_real = 'password'
} else {
$password_real = $password
}
if is_service_default($system_scope) {
$project_name_real = $project_name
$project_domain_name_real = $project_domain_name
@ -230,7 +221,7 @@ Please set password parameter')
'filter:ceilometer/system_scope': value => $system_scope;
'filter:ceilometer/username': value => $username;
'filter:ceilometer/user_domain_name': value => $user_domain_name;
'filter:ceilometer/password': value => $password_real, secret => true;
'filter:ceilometer/password': value => $password, secret => true;
'filter:ceilometer/region_name': value => $region_name;
}


@ -4,6 +4,11 @@
#
# === Parameters
#
# [*password*]
# (Required) Keystone credentials used for secret caching
# The password for the user
# Defaults to password
#
# [*auth_uri*]
# (optional) The Keystone server uri
# Defaults to http://127.0.0.1:5000
@ -50,11 +55,6 @@
# id of domain for $username
# Defaults to default
#
# [*password*]
# (Optional) Keystone credentials used for secret caching
# The password for the user
# Defaults to password
#
# [*project_name*]
# (Optional) Keystone credentials used for secret caching
# Service project name
@ -82,6 +82,7 @@
# Copyright 2012 eNovance licensing@enovance.com
#
class swift::proxy::s3token(
String[1] $password,
$auth_uri = 'http://127.0.0.1:5000',
$reseller_prefix = 'AUTH_',
$delay_auth_decision = false,
@ -91,7 +92,6 @@ class swift::proxy::s3token(
$auth_type = 'password',
$username = 'swift',
$user_domain_id = 'default',
$password = undef,
$project_name = 'services',
$project_domain_id = 'default',
$system_scope = $facts['os_service_default'],
@ -99,14 +99,6 @@ class swift::proxy::s3token(
include swift::deps
if $password == undef {
warning('Usage of the default password is deprecated and will be removed in a future release. \
Please set password parameter')
$password_real = 'password'
} else {
$password_real = $password
}
if is_service_default($system_scope) {
$project_name_real = $project_name
$project_domain_id_real = $project_domain_id
@ -126,7 +118,7 @@ Please set password parameter')
'filter:s3token/auth_type': value => $auth_type;
'filter:s3token/username': value => $username;
'filter:s3token/user_domain_id': value => $user_domain_id;
'filter:s3token/password': value => $password_real, secret => true;
'filter:s3token/password': value => $password, secret => true;
'filter:s3token/project_name': value => $project_name_real;
'filter:s3token/project_domain_id': value => $project_domain_id_real;
'filter:s3token/system_scope': value => $system_scope;
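Review bot: The relocated `password` doc block at the top of the parameter list now reads `(Required)` but still ends with `# Defaults to password`, which contradicts the new `String[1] $password` declaration that has no default. Drop that last line so the block ends at `# The password for the user`. A stale default in the docs invites readers to assume a fallback credential still exists.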


@ -0,0 +1,5 @@
---
upgrade:
- |
The default password value has been removed and now the ``password``
parameters are required.


@ -2,10 +2,17 @@ require 'spec_helper'
describe 'swift::keymaster' do
shared_examples 'swift::keymaster' do
let :params do
{
:password => 'swiftpassword'
}
end
context "when using default parameters" do
it 'configures keymaster options' do
is_expected.to contain_swift_keymaster_config('kms_keymaster/api_class').with_value('barbican')
is_expected.to contain_swift_keymaster_config('kms_keymaster/username').with_value('swift')
is_expected.to contain_swift_keymaster_config('kms_keymaster/password').with_value('swiftpassword').with_secret(true)
is_expected.to contain_swift_keymaster_config('kms_keymaster/project_name').with_value('services')
is_expected.to contain_swift_keymaster_config('kms_keymaster/project_domain_id').with_value('default')
is_expected.to contain_swift_keymaster_config('kms_keymaster/user_domain_id').with_value('default')
@ -14,21 +21,19 @@ describe 'swift::keymaster' do
end
describe "when overriding default parameters" do
let :params do
{
before :each do
params.merge!({
:api_class => 'castellan.key_manager.barbican_key_manager.BarbicanKeyManager',
:key_id => 'dummy_key_id',
:password => 'fake_password',
:auth_endpoint => 'http://127.0.0.1:5000',
:project_name => 'barbican_swift_service',
:meta_version_to_write => 3,
}
})
end
it 'configures keymaster options' do
is_expected.to contain_swift_keymaster_config('kms_keymaster/api_class').with_value('castellan.key_manager.barbican_key_manager.BarbicanKeyManager')
is_expected.to contain_swift_keymaster_config('kms_keymaster/key_id').with_value('dummy_key_id')
is_expected.to contain_swift_keymaster_config('kms_keymaster/password').with_value('fake_password').with_secret(true)
is_expected.to contain_swift_keymaster_config('kms_keymaster/auth_endpoint').with_value('http://127.0.0.1:5000')
is_expected.to contain_swift_keymaster_config('kms_keymaster/project_name').with_value('barbican_swift_service')
is_expected.to contain_swift_keymaster_config('kms_keymaster/meta_version_to_write').with_value('3')
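Review bot: No example here checks the behaviour this commit introduces, namely that the catalog fails to compile when `password` is omitted or empty; every context now inherits `:password => 'swiftpassword'` from the shared `let :params`. I would add a context that overrides params with an empty hash and asserts `it { is_expected.to raise_error(Puppet::Error) }`, plus a second one with `:password => ''`. The specs for swift::proxy::authtoken, swift::proxy::ceilometer and swift::proxy::s3token have the same gap. The overriding-parameters context also appears to no longer set or assert a non-default password, so an explicit override is not exercised either.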


@ -2,6 +2,12 @@ require 'spec_helper'
describe 'swift::proxy::authtoken' do
shared_examples 'swift::proxy::authtoken' do
let :params do
{
:password => 'swiftpassword',
}
end
describe "when using default parameters" do
it { is_expected.to contain_swift_proxy_config('filter:authtoken/log_name').with_value('swift') }
it { is_expected.to contain_swift_proxy_config('filter:authtoken/paste.filter_factory').with_value('keystonemiddleware.auth_token:filter_factory') }
@ -10,7 +16,7 @@ describe 'swift::proxy::authtoken' do
it { is_expected.to contain_swift_proxy_config('filter:authtoken/auth_type').with_value('password') }
it { is_expected.to contain_swift_proxy_config('filter:authtoken/username').with_value('swift') }
it { is_expected.to contain_swift_proxy_config('filter:authtoken/user_domain_id').with_value('default') }
it { is_expected.to contain_swift_proxy_config('filter:authtoken/password').with_value('password').with_secret(true) }
it { is_expected.to contain_swift_proxy_config('filter:authtoken/password').with_value('swiftpassword').with_secret(true) }
it { is_expected.to contain_swift_proxy_config('filter:authtoken/project_name').with_value('services') }
it { is_expected.to contain_swift_proxy_config('filter:authtoken/project_domain_id').with_value('default') }
it { is_expected.to contain_swift_proxy_config('filter:authtoken/system_scope').with_value('<SERVICE DEFAULT>') }
@ -25,8 +31,8 @@ describe 'swift::proxy::authtoken' do
end
describe "when overriding parameters" do
let :params do
{
before :each do
params.merge!({
:username => 'swiftuser',
:password => 'swiftpassword',
:project_name => 'admin',
@ -37,7 +43,7 @@ describe 'swift::proxy::authtoken' do
:service_token_roles_required => true,
:service_type => 'identity',
:interface => 'internal',
}
})
end
it { is_expected.to contain_swift_proxy_config('filter:authtoken/log_name').with_value('swift') }
@ -62,29 +68,31 @@ describe 'swift::proxy::authtoken' do
end
describe 'when overriding www_authenticate_uri' do
let :params do
{ :www_authenticate_uri => 'http://public.host/keystone/main' }
before :each do
params.merge!({
:www_authenticate_uri => 'http://public.host/keystone/main'
})
end
it { is_expected.to contain_swift_proxy_config('filter:authtoken/www_authenticate_uri').with_value('http://public.host/keystone/main') }
end
describe "when auth_url is set" do
let :params do
{
before :each do
params.merge!({
:auth_url => 'https://foo.bar:5000/'
}
})
end
it { is_expected.to contain_swift_proxy_config('filter:authtoken/auth_url').with_value('https://foo.bar:5000/') }
end
describe "when both www_authenticate_uri and auth_url are set" do
let :params do
{
before :each do
params.merge!({
:www_authenticate_uri => 'https://foo.bar:5000/v3/',
:auth_url => 'https://foo.bar:5000/'
}
})
end
it { is_expected.to contain_swift_proxy_config('filter:authtoken/www_authenticate_uri').with_value('https://foo.bar:5000/v3/') }
@ -92,10 +100,10 @@ describe 'swift::proxy::authtoken' do
end
describe 'when system_scope is set' do
let :params do
{
before :each do
params.merge!({
:system_scope => 'all'
}
})
end
it { is_expected.to contain_swift_proxy_config('filter:authtoken/project_name').with_value('<SERVICE DEFAULT>') }


@ -9,14 +9,21 @@ describe 'swift::proxy::ceilometer' do
end
shared_examples 'swift::proxy::ceilometer' do
describe "when using default parameters" do
let :params do
{
:default_transport_url => 'rabbit://user_1:user_1_passw@1.1.1.1:5673/rabbit',
:password => 'swiftpassword'
}
end
it { is_expected.to contain_swift_proxy_config('filter:ceilometer/password').with_value('password').with_secret(true) }
describe "when using default parameters" do
before :each do
params.merge!({
:default_transport_url => 'rabbit://user_1:user_1_passw@1.1.1.1:5673/rabbit',
})
end
it { is_expected.to contain_swift_proxy_config('filter:ceilometer/password').with_value('swiftpassword').with_secret(true) }
it { is_expected.to contain_swift_proxy_config('filter:ceilometer/paste.filter_factory').with_value('ceilometermiddleware.swift:filter_factory') }
it { is_expected.to contain_swift_proxy_config('filter:ceilometer/url').with_value('rabbit://user_1:user_1_passw@1.1.1.1:5673/rabbit').with_secret(true) }
it { is_expected.to contain_swift_proxy_config('filter:ceilometer/nonblocking_notify').with_value('false') }
@ -29,8 +36,9 @@ describe 'swift::proxy::ceilometer' do
end
describe "when overriding default parameters with rabbit driver" do
let :params do
{ :default_transport_url => 'rabbit://user_1:user_1_passw@1.1.1.1:5673/rabbit',
before :each do
params.merge!({
:default_transport_url => 'rabbit://user_1:user_1_passw@1.1.1.1:5673/rabbit',
:driver => 'messagingv2',
:topic => 'notifications',
:control_exchange => 'swift',
@ -42,9 +50,8 @@ describe 'swift::proxy::ceilometer' do
:user_domain_name => 'Default',
:project_name => 'services',
:username => 'swift',
:password => 'mypassword',
:region_name => 'region2'
}
})
end
context 'with single rabbit host' do
@ -62,7 +69,6 @@ describe 'swift::proxy::ceilometer' do
it { is_expected.to contain_swift_proxy_config('filter:ceilometer/system_scope').with_value('<SERVICE DEFAULT>') }
it { is_expected.to contain_swift_proxy_config('filter:ceilometer/username').with_value('swift') }
it { is_expected.to contain_swift_proxy_config('filter:ceilometer/user_domain_name').with_value('Default') }
it { is_expected.to contain_swift_proxy_config('filter:ceilometer/password').with_value('mypassword').with_secret(true) }
it { is_expected.to contain_swift_proxy_config('filter:ceilometer/region_name').with_value('region2') }
end
@ -116,11 +122,11 @@ describe 'swift::proxy::ceilometer' do
end
describe 'when system_scope is set' do
let :params do
{
before :each do
params.merge!({
:default_transport_url => 'rabbit://user_1:user_1_passw@1.1.1.1:5673/rabbit',
:system_scope => 'all'
}
})
end
it { is_expected.to contain_swift_proxy_config('filter:ceilometer/project_name').with_value('<SERVICE DEFAULT>') }


@ -2,6 +2,12 @@ require 'spec_helper'
describe 'swift::proxy::s3token' do
shared_examples 'swift::proxy::s3token' do
let :params do
{
:password => 'swiftpassword'
}
end
describe "when using default parameters" do
it { is_expected.to contain_swift_proxy_config('filter:s3token/use').with_value('egg:swift#s3token') }
it { is_expected.to contain_swift_proxy_config('filter:s3token/auth_uri').with_value('http://127.0.0.1:5000') }
@ -13,15 +19,15 @@ describe 'swift::proxy::s3token' do
it { is_expected.to contain_swift_proxy_config('filter:s3token/auth_type').with_value('password') }
it { is_expected.to contain_swift_proxy_config('filter:s3token/username').with_value('swift') }
it { is_expected.to contain_swift_proxy_config('filter:s3token/user_domain_id').with_value('default') }
it { is_expected.to contain_swift_proxy_config('filter:s3token/password').with_value('password').with_secret(true) }
it { is_expected.to contain_swift_proxy_config('filter:s3token/password').with_value('swiftpassword').with_secret(true) }
it { is_expected.to contain_swift_proxy_config('filter:s3token/project_name').with_value('services') }
it { is_expected.to contain_swift_proxy_config('filter:s3token/project_domain_id').with_value('default') }
it { is_expected.to contain_swift_proxy_config('filter:s3token/system_scope').with_value('<SERVICE DEFAULT>') }
end
describe "when overriding default parameters" do
let :params do
{
before :each do
params.merge!({
:auth_uri => 'http://192.168.24.11:5000',
:reseller_prefix => 'SWIFT_',
:delay_auth_decision => true,
@ -30,11 +36,10 @@ describe 'swift::proxy::s3token' do
:auth_url => 'http://192.168.24.11:5000',
:auth_type => 'password',
:username => 'swift',
:password => 'swift',
:project_name => 'admin',
:project_domain_id => '12345',
:user_domain_id => '12345'
}
})
end
it { is_expected.to contain_swift_proxy_config('filter:s3token/auth_uri').with_value('http://192.168.24.11:5000') }
@ -46,17 +51,17 @@ describe 'swift::proxy::s3token' do
it { is_expected.to contain_swift_proxy_config('filter:s3token/auth_type').with_value('password') }
it { is_expected.to contain_swift_proxy_config('filter:s3token/username').with_value('swift') }
it { is_expected.to contain_swift_proxy_config('filter:s3token/user_domain_id').with_value('12345') }
it { is_expected.to contain_swift_proxy_config('filter:s3token/password').with_value('swift').with_secret(true) }
it { is_expected.to contain_swift_proxy_config('filter:s3token/password').with_value('swiftpassword').with_secret(true) }
it { is_expected.to contain_swift_proxy_config('filter:s3token/project_name').with_value('admin') }
it { is_expected.to contain_swift_proxy_config('filter:s3token/project_domain_id').with_value('12345') }
it { is_expected.to contain_swift_proxy_config('filter:s3token/system_scope').with_value('<SERVICE DEFAULT>') }
end
describe 'when system_scope is set' do
let :params do
{
before :each do
params.merge!({
:system_scope => 'all'
}
})
end
it { is_expected.to contain_swift_proxy_config('filter:s3token/project_name').with_value('<SERVICE DEFAULT>') }