Allow cinder authtoken settings to be configurable
This patch makes cafile, insecure, memcached_servers, memcache_security_strategy, memcache_secret_key and hash_algorithms configurable.

Change-Id: If4e75092f969bb6b5df29d715e1cff696e41a9a3
Closes-Bug: #1370906
parent
43553e0e17
commit
5641af2512
@ -4,6 +4,7 @@ This file is used to list changes made in each version of the openstack-block-st
|
||||
## 10.0.1
|
||||
# Update cinder.conf mode from 0644 to 0640
|
||||
* Add attribute for ibmnas_platform_type
|
||||
* Allow cafile, insecure, memcached_servers, memcache_security_strategy, memcache_secret_key and hash_algorithms to be configurable
|
||||
|
||||
## 10.0.0
|
||||
* Upgrading to Juno
|
||||
|
@ -49,8 +49,13 @@ Attributes
|
||||
* `openstack["block-storage"]["db"]["username"]` - cinder username for database
|
||||
* `openstack["block-storage"]["volume_name_template"]` - Template string to be used to generate volume names
|
||||
* `openstack["block-storage"]["snapshot_name_template"]` - Template string to be used to generate snapshot names
|
||||
* `openstack['block-storage']['api']['auth']['version']` - Select v2.0 or v3.0. Default v2.0 inherited from common cookbook. The default auth API version used to interact with identity service.
|
||||
|
||||
* `openstack['block-storage']['api']['auth']['version']` - Select v2.0 or v3.0. Default v2.0 inherited from common cookbook. The default auth API version used to interact with identity service
|
||||
* `openstack['block-storage']['api']['auth']['memcached_servers']` - A list of memcached server(s) to use for caching
|
||||
* `openstack['block-storage']['api']['auth']['memcache_security_strategy']` - Whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT
|
||||
* `openstack['block-storage']['api']['auth']['memcache_secret_key']` - This string is used for key derivation
|
||||
* `openstack['block-storage']['api']['auth']['hash_algorithms']` - Hash algorithms to use for hashing PKI tokens
|
||||
* `openstack['block-storage']['api']['auth']['cafile']` - A PEM encoded Certificate Authority to use when verifying HTTPs connections
|
||||
* `openstack['block-storage']['api']['auth']['insecure']` - Set whether to verify HTTPS connections
|
||||
MQ attributes
|
||||
-------------
|
||||
* `openstack["block-storage"]["mq"]["service_type"]` - Select qpid or rabbitmq. default rabbitmq
|
||||
|
@ -71,6 +71,24 @@ default['openstack']['block-storage']['api']['auth']['cache_dir'] = '/var/cache/
|
||||
|
||||
default['openstack']['block-storage']['api']['auth']['version'] = node['openstack']['api']['auth']['version']
|
||||
|
||||
# A list of memcached server(s) to use for caching
|
||||
default['openstack']['block-storage']['api']['auth']['memcached_servers'] = nil
|
||||
|
||||
# Whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT
|
||||
default['openstack']['block-storage']['api']['auth']['memcache_security_strategy'] = nil
|
||||
|
||||
# This string is used for key derivation
|
||||
default['openstack']['block-storage']['api']['auth']['memcache_secret_key'] = nil
|
||||
|
||||
# Hash algorithms to use for hashing PKI tokens
|
||||
default['openstack']['block-storage']['api']['auth']['hash_algorithms'] = 'md5'
|
||||
|
||||
# A PEM encoded Certificate Authority to use when verifying HTTPs connections
|
||||
default['openstack']['block-storage']['api']['auth']['cafile'] = nil
|
||||
|
||||
# Verify HTTPS connections
|
||||
default['openstack']['block-storage']['api']['auth']['insecure'] = false
|
||||
|
||||
# Maximum allocatable gigabytes
|
||||
# Should equal total backend storage, default is 10TB
|
||||
default['openstack']['block-storage']['max_gigabytes'] = '10000'
|
||||
|
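Review bot: `memcache_secret_key` is introduced as an ordinary node attribute, so any value an operator sets for it is saved with the node object (or a role/environment) on the Chef server in clear text and is readable by anything that can read node data. Prefer resolving it at converge time from an encrypted data bag or whatever secret lookup this cookbook already uses for its service and database passwords (not visible in this section), and say so in the attribute comment, e.g. `# Secret used for key derivation; supply from an encrypted data bag, never commit a real value`. The comment `# Verify HTTPS connections` above `insecure` also reads inverted: `true` turns certificate verification off, so something like `# Set to true to skip TLS certificate verification (leave false outside test environments)` would be safer. The `'md5'` default for `hash_algorithms` matches the upstream commented default shown in the template, but MD5 is a weak choice for hashing tokens and a comment pointing operators at a SHA-2 algorithm would help.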
@ -75,13 +75,69 @@ describe 'openstack-block-storage::cinder-common' do
|
||||
expect(sprintf('%o', file.mode)).to eq '640'
|
||||
end
|
||||
|
||||
context 'template keystone contents' do
|
||||
context 'keystone authtoken attributes with default values' do
|
||||
it 'sets memcached server(s)' do
|
||||
expect(chef_run).not_to render_file(file.name).with_content(/^memcached_servers = $/)
|
||||
end
|
||||
|
||||
it 'sets memcache security strategy' do
|
||||
expect(chef_run).not_to render_file(file.name).with_content(/^memcache_security_strategy = $/)
|
||||
end
|
||||
|
||||
it 'sets memcache secret key' do
|
||||
expect(chef_run).not_to render_file(file.name).with_content(/^memcache_secret_key = $/)
|
||||
end
|
||||
|
||||
it 'sets cafile' do
|
||||
expect(chef_run).not_to render_file(file.name).with_content(/^cafile = $/)
|
||||
end
|
||||
|
||||
it 'sets insecure' do
|
||||
expect(chef_run).to render_file(file.name).with_content(/^insecure = false$/)
|
||||
end
|
||||
|
||||
it 'sets token hash algorithms' do
|
||||
expect(chef_run).to render_file(file.name).with_content(/^hash_algorithms = md5$/)
|
||||
end
|
||||
end
|
||||
|
||||
context 'keystone authtoken attributes' do
|
||||
it 'has signing_dir' do
|
||||
node.set['openstack']['block-storage']['api']['auth']['cache_dir'] = 'auth_cache_dir'
|
||||
|
||||
expect(chef_run).to render_file(file.name).with_content(/^signing_dir = auth_cache_dir$/)
|
||||
end
|
||||
|
||||
it 'sets memcached server(s)' do
|
||||
node.set['openstack']['block-storage']['api']['auth']['memcached_servers'] = 'localhost:11211'
|
||||
expect(chef_run).to render_file(file.name).with_content(/^memcached_servers = localhost:11211$/)
|
||||
end
|
||||
|
||||
it 'sets memcache security strategy' do
|
||||
node.set['openstack']['block-storage']['api']['auth']['memcache_security_strategy'] = 'MAC'
|
||||
expect(chef_run).to render_file(file.name).with_content(/^memcache_security_strategy = MAC$/)
|
||||
end
|
||||
|
||||
it 'sets memcache secret key' do
|
||||
node.set['openstack']['block-storage']['api']['auth']['memcache_secret_key'] = '0123456789ABCDEF'
|
||||
expect(chef_run).to render_file(file.name).with_content(/^memcache_secret_key = 0123456789ABCDEF$/)
|
||||
end
|
||||
|
||||
it 'sets cafile' do
|
||||
node.set['openstack']['block-storage']['api']['auth']['cafile'] = 'dir/to/path'
|
||||
expect(chef_run).to render_file(file.name).with_content(%r{^cafile = dir/to/path$})
|
||||
end
|
||||
|
||||
it 'sets insecure' do
|
||||
node.set['openstack']['block-storage']['api']['auth']['insecure'] = true
|
||||
expect(chef_run).to render_file(file.name).with_content(/^insecure = true$/)
|
||||
end
|
||||
|
||||
it 'sets token hash algorithms' do
|
||||
node.set['openstack']['block-storage']['api']['auth']['hash_algorithms'] = 'sha2'
|
||||
expect(chef_run).to render_file(file.name).with_content(/^hash_algorithms = sha2$/)
|
||||
end
|
||||
|
||||
context 'endpoint related' do
|
||||
|
||||
it 'has auth_uri' do
|
||||
|
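Review bot: The default-value examples for `memcached_servers`, `memcache_security_strategy`, `memcache_secret_key` and `cafile` only assert that an empty assignment (`/^memcached_servers = $/`) is absent, so they would still pass if the template rendered the key with any non-empty value. Dropping the trailing `$`, e.g. `with_content(/^memcache_secret_key = /)`, asserts the line is not rendered at all; the commented upstream defaults start with `#` and would not match. These examples are also titled 'sets …' although they check that the option is omitted; 'does not set … by default' would describe them. In the non-default context, `'sha2'` is probably not an algorithm name the middleware accepts (it appears to take hashlib names such as `sha256`), so a realistic value would keep the spec from being copied into a broken config. The enclosing `describe` block starts and ends outside this hunk.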
@ -1095,9 +1095,13 @@ admin_tenant_name = <%= node["openstack"]["block-storage"]["service_tenant_name"
|
||||
# A PEM encoded Certificate Authority to use when verifying
|
||||
# HTTPs connections. Defaults to system CAs. (string value)
|
||||
#cafile=<None>
|
||||
<% if node['openstack']['block-storage']['api']['auth']['cafile'] %>
|
||||
cafile = <%= node['openstack']['block-storage']['api']['auth']['cafile'] %>
|
||||
<% end %>
|
||||
|
||||
# Verify HTTPS connections. (boolean value)
|
||||
#insecure=false
|
||||
insecure = <%= node['openstack']['block-storage']['api']['auth']['insecure'] %>
|
||||
|
||||
# Directory used to cache files related to PKI tokens (string
|
||||
# value)
|
||||
@ -1108,6 +1112,9 @@ signing_dir = <%= node["openstack"]["block-storage"]["api"]["auth"]["cache_dir"]
|
||||
# in-process. (list value)
|
||||
# Deprecated group/name - [DEFAULT]/memcache_servers
|
||||
#memcached_servers=<None>
|
||||
<% if node['openstack']['block-storage']['api']['auth']['memcached_servers'] %>
|
||||
memcached_servers = <%= node['openstack']['block-storage']['api']['auth']['memcached_servers'] %>
|
||||
<% end %>
|
||||
|
||||
# In order to prevent excessive effort spent validating
|
||||
# tokens, the middleware caches previously-seen tokens for a
|
||||
@ -1130,11 +1137,17 @@ signing_dir = <%= node["openstack"]["block-storage"]["api"]["auth"]["cache_dir"]
|
||||
# value is not one of these options or empty, auth_token will
|
||||
# raise an exception on initialization. (string value)
|
||||
#memcache_security_strategy=<None>
|
||||
<% if node['openstack']['block-storage']['api']['auth']['memcache_security_strategy'] %>
|
||||
memcache_security_strategy = <%= node['openstack']['block-storage']['api']['auth']['memcache_security_strategy'] %>
|
||||
<% end %>
|
||||
|
||||
# (optional, mandatory if memcache_security_strategy is
|
||||
# defined) this string is used for key derivation. (string
|
||||
# value)
|
||||
#memcache_secret_key=<None>
|
||||
<% if node['openstack']['block-storage']['api']['auth']['memcache_secret_key'] %>
|
||||
memcache_secret_key = <%= node['openstack']['block-storage']['api']['auth']['memcache_secret_key'] %>
|
||||
<% end %>
|
||||
|
||||
# (optional) indicate whether to set the X-Service-Catalog
|
||||
# header. If False, middleware will not ask for service
|
||||
@ -1169,3 +1182,4 @@ signing_dir = <%= node["openstack"]["block-storage"]["api"]["auth"]["cache_dir"]
|
||||
# should be set to a single value for better performance.
|
||||
# (list value)
|
||||
#hash_algorithms=md5
|
||||
hash_algorithms = <%= node['openstack']['block-storage']['api']['auth']['hash_algorithms'] %>
|
||||
|
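Review bot: `memcache_security_strategy` and `memcache_secret_key` are rendered by two independent `if` blocks, yet the surrounding upstream comments say the key is mandatory once a strategy is defined and that auth_token raises on initialization for an invalid strategy setting, so a node that sets only the strategy gets a cinder.conf that likely breaks the API service at start-up. Failing the converge is clearer, for example in the recipe: `fail 'memcache_secret_key must be set when memcache_security_strategy is set' if auth['memcache_security_strategy'] && !auth['memcache_secret_key']` (with `auth` standing for `node['openstack']['block-storage']['api']['auth']`). Also, `memcached_servers` is documented as a list value but is interpolated as-is, so an Array attribute would probably render in Ruby inspect form; `Array(...).join(',')` handles both a string and an array. Because the secret key is now written into this file, the 0640 mode noted in the changelog matters, and the file's owner and group are worth confirming in the recipe, which is not shown here.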