openstack/puppet-swift
Code Issues Proposed changes
2df992faf3
puppet-swift/manifests/keystone/auth.pp
Takashi Kajinami 2df992faf3 Deprecate the default values for password parameters 
Currently puppet-swift provides default values for some password
parameters, but this is not ideal from security perspective and we
should expect operators to set their own password explicitly.

This patch deprecates the usage of these default values and adds
warning message which appears for missing password defined, so that
we can remove current default values in next cycle.

Change-Id: I6e7721d04ae2bf2e2a2ea3f02ebfcbded58692e2
2020-05-13 08:53:14 +09:00

178 lines
5.7 KiB
Puppet
Raw Blame History

# == Class: swift::keystone::auth
#
# This class creates keystone users, services, endpoints, and roles
# for swift services.
#
# The user is given the admin role in the services tenant.
#
# === Parameters:
#
# [*auth_name*]
# String. The name of the user.
# Optional. Defaults to 'swift'.
#
# [*password*]
# String. The user's password.
# Optional. Defaults to 'swift_password'.
#
# [*tenant*]
# (Optional) The tenant to use for the swift service user
# Defaults to 'services'
#
# [*email*]
# (Optional) The email address for the swift service user
# Defaults to 'swift@localhost'
#
# [*region*]
# (Optional) The region in which to place the endpoints
# Defaults to 'RegionOne'
#
# [*operator_roles*]
# (Optional) Array of strings. List of roles Swift considers as admin.
# Defaults to '['admin', 'SwiftOperator']'
#
# [*configure_endpoint*]
# (optional) Whether to create the endpoint.
# Defaults to true
#
# [*configure_s3_endpoint*]
# (optional) Whether to create the S3 endpoint.
# Defaults to true
#
# [*configure_user*]
# (Optional) Whether to create the service user.
# Defaults to 'true'.
#
# [*configure_user_role*]
# (Optional) Whether to configure the admin role for the service user.
# Defaults to 'true'.
#
# [*service_name*]
# (optional) Name of the service.
# Defaults to 'swift'
#
# [*service_name_s3*]
# (optional) Name of the s3 service.
# Defaults to 'swift_s3'
#
# [*service_description*]
# (optional) Description for keystone service.
# Defaults to 'Openstack Object-Store Service'.
#
# [*service_description_s3*]
# (optional) Description for keystone s3 service.
# Defaults to 'Openstack S3 Service'.
#
# [*public_url*]
# (optional) The endpoint's public url. (Defaults to 'http://127.0.0.1:8080/v1/AUTH_%(tenant_id)s')
# This url should *not* contain any trailing '/'.
#
# [*admin_url*]
# (optional) The endpoint's admin url. (Defaults to 'http://127.0.0.1:8080')
# This url should *not* contain any trailing '/'.
#
# [*internal_url*]
# (optional) The endpoint's internal url. (Defaults to 'http://127.0.0.1:8080/v1/AUTH_%(tenant_id)s')
# This url should *not* contain any trailing '/'.
#
# [*public_url_s3*]
# (optional) The endpoint's public url. (Defaults to 'http://127.0.0.1:8080')
# This url should *not* contain any trailing '/'.
#
# [*admin_url_s3*]
# (optional) The endpoint's admin url. (Defaults to 'http://127.0.0.1:8080')
# This url should *not* contain any trailing '/'.
#
# [*internal_url_s3*]
# (optional) The endpoint's internal url. (Defaults to 'http://127.0.0.1:8080')
# This url should *not* contain any trailing '/'.
#
class swift::keystone::auth(
$auth_name = 'swift',
$password = undef,
$tenant = 'services',
$email = 'swift@localhost',
$region = 'RegionOne',
$operator_roles = ['admin', 'SwiftOperator'],
$service_name = 'swift',
$service_name_s3 = 'swift_s3',
$service_description = 'Openstack Object-Store Service',
$service_description_s3 = 'Openstack S3 Service',
$configure_endpoint = true,
$configure_s3_endpoint = true,
$configure_user = true,
$configure_user_role = true,
$public_url = 'http://127.0.0.1:8080/v1/AUTH_%(tenant_id)s',
$admin_url = 'http://127.0.0.1:8080',
$internal_url = 'http://127.0.0.1:8080/v1/AUTH_%(tenant_id)s',
$public_url_s3 = 'http://127.0.0.1:8080',
$admin_url_s3 = 'http://127.0.0.1:8080',
$internal_url_s3 = 'http://127.0.0.1:8080',
) {
include swift::deps
if $password == undef {
warning('Usage of the default password is deprecated and will be removed in a future release. \
Please set password parameter')
$password_real = 'swift_password'
} else {
$password_real = $password
}
if $service_name == $service_name_s3 {
fail('swift::keystone::auth parameters service_name and service_name_s3 must be different.')
}
# Establish that keystone auth and endpoints are properly setup before
# managing any type of swift related service.
if $configure_endpoint {
Keystone_endpoint["${region}/${service_name}::object-store"] -> Swift::Service<||>
}
if $configure_s3_endpoint {
Keystone_endpoint["${region}/${service_name_s3}::s3"] -> Swift::Service<||>
}
keystone::resource::service_identity { 'swift':
configure_endpoint => $configure_endpoint,
configure_user => $configure_user,
configure_user_role => $configure_user_role,
service_name => $service_name,
service_type => 'object-store',
service_description => $service_description,
region => $region,
auth_name => $auth_name,
password => $password_real,
email => $email,
tenant => $tenant,
public_url => $public_url,
admin_url => $admin_url,
internal_url => $internal_url,
}
keystone::resource::service_identity { 'swift_s3':
configure_user => false,
configure_user_role => false,
configure_endpoint => $configure_s3_endpoint,
configure_service => $configure_s3_endpoint,
service_name => $service_name_s3,
service_type => 's3',
service_description => $service_description_s3,
region => $region,
public_url => $public_url_s3,
admin_url => $admin_url_s3,
internal_url => $internal_url_s3,
}
if $operator_roles {
#Roles like "admin" may be defined elsewhere, so use ensure_resource
ensure_resource('keystone_role', $operator_roles, { 'ensure' => 'present' })
}
# Backward compatibility
if $configure_user {
Keystone_user[$auth_name] -> Keystone_user_role["${auth_name}@${tenant}"]
}
}
View Git Blame Copy Permalink