Add some authtoken related attributes
This change adds several authtoken-related attributes to the cookbook so that they are configurable: cafile, memcached_servers, memcache_security_strategy, memcache_secret_key, insecure and hash_algorithms. Change-Id: I6d38db321da2d86265bace3d36c68ddcb196ed61 Closes-Bug: #1372315
parent
eea627edda
commit
6e534d6070
|
@ -7,6 +7,7 @@ This file is used to list changes made in each version of cookbook-openstack-orc
|
|||
* Sync conf files with Juno
|
||||
* Upgrading berkshelf from 2.0.18 to 3.1.5
|
||||
* Update mode for heat.conf from 644 to 640
|
||||
* Add cafile, memcached_servers, memcache_security_strategy, memcache_secret_key, insecure and hash_algorithms so that they are configurable.
|
||||
|
||||
## 9.2.0
|
||||
* python_packages database client attributes have been migrated to
|
||||
|
|
|
@ -76,6 +76,12 @@ Attributes for the Heat service are in the ['openstack']['orchestration'] namesp
|
|||
* `openstack['orchestration']['rpc_response_timeout']` - seconds to wait for a response from call or multicall
|
||||
* `openstack['orchestration']['platform']` - hash of platform specific package/service names and options
|
||||
* `openstack['orchestration']['api']['auth']['version']` - Select v2.0 or v3.0. Default v2.0. The auth API version used to interact with identity service.
|
||||
* `openstack['orchestration']['api']['auth']['memcached_servers']` - A list of memcached server(s) for caching
|
||||
* `openstack['orchestration']['api']['auth']['memcache_security_strategy']` - Whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT.
|
||||
* `openstack['orchestration']['api']['auth']['memcache_secret_key']` - This string is used for key derivation.
|
||||
* `openstack['orchestration']['api']['auth']['hash_algorithms']` - Hash algorithms to use for hashing PKI tokens.
|
||||
* `openstack['orchestration']['api']['auth']['cafile']` - A PEM encoded Certificate Authority to use when verifying HTTPs connections.
|
||||
* `openstack['orchestration']['api']['auth']['insecure']` - Whether to allow the client to perform insecure SSL (https) requests.
|
||||
|
||||
Notification definitions
|
||||
------------------------
|
||||
|
|
|
@ -42,6 +42,24 @@ default['openstack']['orchestration']['service_role'] = 'admin'
|
|||
|
||||
default['openstack']['orchestration']['api']['auth']['version'] = node['openstack']['api']['auth']['version']
|
||||
|
||||
# A list of memcached server(s) for caching
|
||||
default['openstack']['orchestration']['api']['auth']['memcached_servers'] = nil
|
||||
|
||||
# Whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT
|
||||
default['openstack']['orchestration']['api']['auth']['memcache_security_strategy'] = nil
|
||||
|
||||
# This string is used for key derivation
|
||||
default['openstack']['orchestration']['api']['auth']['memcache_secret_key'] = nil
|
||||
|
||||
# Hash algorithms to use for hashing PKI tokens
|
||||
default['openstack']['orchestration']['api']['auth']['hash_algorithms'] = 'md5'
|
||||
|
||||
# A PEM encoded Certificate Authority to use when verifying HTTPs connections
|
||||
default['openstack']['orchestration']['api']['auth']['cafile'] = nil
|
||||
|
||||
# Whether to allow the client to perform insecure SSL (https) requests
|
||||
default['openstack']['orchestration']['api']['auth']['insecure'] = false
|
||||
|
||||
# If set, heat API service will bind to the address on this interface,
|
||||
# otherwise it will bind to the API endpoint's host.
|
||||
default['openstack']['orchestration']['api']['bind_interface'] = nil
|
||||
|
|
|
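Review bot: `memcache_secret_key` is introduced as a plain node attribute, so any value an operator sets is saved with the node object on the Chef server and is readable by anything that can read or search node data. The key protects cached token data, so it would be better sourced from the same secret store the cookbook presumably uses for the service password (the lookup is not visible in this hunk), with the attribute kept only as an override. At minimum the comment above it should say so, for example `# Key-derivation secret for the token cache; supply it from an encrypted data bag, node attributes are stored in plain text`. Separately, `hash_algorithms` defaults to `'md5'`, which matches the commented sample in the template but is now pinned by the cookbook; a short comment noting that operators can pick a stronger algorithm would help.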
@ -142,6 +142,47 @@ shared_examples 'expects to create heat conf' do
|
|||
)
|
||||
end
|
||||
|
||||
it 'uses default values for these attributes and they are not set' do
|
||||
expect(chef_run).not_to render_file(file.name).with_content(
|
||||
/^memcached_servers=/)
|
||||
expect(chef_run).not_to render_file(file.name).with_content(
|
||||
/^memcache_security_strategy=/)
|
||||
expect(chef_run).not_to render_file(file.name).with_content(
|
||||
/^memcache_secret_key=/)
|
||||
expect(chef_run).not_to render_file(file.name).with_content(
|
||||
/^cafile=/)
|
||||
end
|
||||
|
||||
it 'sets memcached server(s)' do
|
||||
node.set['openstack']['orchestration']['api']['auth']['memcached_servers'] = 'localhost:11211'
|
||||
expect(chef_run).to render_file(file.name).with_content(/^memcached_servers=localhost:11211$/)
|
||||
end
|
||||
|
||||
it 'sets memcache security strategy' do
|
||||
node.set['openstack']['orchestration']['api']['auth']['memcache_security_strategy'] = 'MAC'
|
||||
expect(chef_run).to render_file(file.name).with_content(/^memcache_security_strategy=MAC$/)
|
||||
end
|
||||
|
||||
it 'sets memcache secret key' do
|
||||
node.set['openstack']['orchestration']['api']['auth']['memcache_secret_key'] = '0123456789ABCDEF'
|
||||
expect(chef_run).to render_file(file.name).with_content(/^memcache_secret_key=0123456789ABCDEF$/)
|
||||
end
|
||||
|
||||
it 'sets cafile' do
|
||||
node.set['openstack']['orchestration']['api']['auth']['cafile'] = 'dir/to/path'
|
||||
expect(chef_run).to render_file(file.name).with_content(%r{^cafile=dir/to/path$})
|
||||
end
|
||||
|
||||
it 'sets token hash algorithms' do
|
||||
node.set['openstack']['orchestration']['api']['auth']['hash_algorithms'] = 'sha2'
|
||||
expect(chef_run).to render_file(file.name).with_content(/^hash_algorithms=sha2$/)
|
||||
end
|
||||
|
||||
it 'sets insecure' do
|
||||
node.set['openstack']['orchestration']['api']['auth']['insecure'] = false
|
||||
expect(chef_run).to render_file(file.name).with_content(/^insecure=false$/)
|
||||
end
|
||||
|
||||
describe 'default values' do
|
||||
it 'has default conf values' do
|
||||
[
|
||||
|
@ -175,6 +216,8 @@ shared_examples 'expects to create heat conf' do
|
|||
/^auth_protocol=http$/,
|
||||
%r{^auth_uri=http://127.0.0.1:5000/v2.0$},
|
||||
/^auth_version=v2.0$/,
|
||||
/^hash_algorithms=md5$/,
|
||||
/^insecure=false$/,
|
||||
/^admin_user=heat$/,
|
||||
/^admin_password=heat-pass$/,
|
||||
/^admin_tenant_name=service$/,
|
||||
|
|
|
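Review bot: The 'sets insecure' example assigns `false`, which is already the attribute default, so it passes even if the template ignores the attribute; the 'has default conf values' list in the later hunk already asserts `/^insecure=false$/`. Exercising the non-default value would prove the attribute is wired through: `node.set['openstack']['orchestration']['api']['auth']['insecure'] = true` with `with_content(/^insecure=true$/)`. Since that setting disables certificate verification, it is worth one test that shows exactly what an operator gets when they flip it. The `shared_examples` block begins and ends outside these hunks.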
@ -1170,9 +1170,13 @@ admin_tenant_name=<%= node["openstack"]["orchestration"]["service_tenant_name"]
|
|||
# A PEM encoded Certificate Authority to use when verifying
|
||||
# HTTPs connections. Defaults to system CAs. (string value)
|
||||
#cafile=<None>
|
||||
<% unless node['openstack']['orchestration']['api']['auth']['cafile'].nil? %>
|
||||
cafile=<%= node['openstack']['orchestration']['api']['auth']['cafile'] %>
|
||||
<% end %>
|
||||
|
||||
# Verify HTTPS connections. (boolean value)
|
||||
#insecure=false
|
||||
insecure=<%= node['openstack']['orchestration']['api']['auth']['insecure'] %>
|
||||
|
||||
# Directory used to cache files related to PKI tokens (string
|
||||
# value)
|
||||
|
@ -1183,6 +1187,9 @@ signing_dir=<%= node['openstack']['orchestration']['api']['auth']['cache_dir']
|
|||
# in-process. (list value)
|
||||
# Deprecated group/name - [DEFAULT]/memcache_servers
|
||||
#memcached_servers=<None>
|
||||
<% unless node['openstack']['orchestration']['api']['auth']['memcached_servers'].nil? %>
|
||||
memcached_servers=<%= node['openstack']['orchestration']['api']['auth']['memcached_servers'] %>
|
||||
<% end %>
|
||||
|
||||
# In order to prevent excessive effort spent validating
|
||||
# tokens, the middleware caches previously-seen tokens for a
|
||||
|
@ -1205,11 +1212,17 @@ signing_dir=<%= node['openstack']['orchestration']['api']['auth']['cache_dir']
|
|||
# value is not one of these options or empty, auth_token will
|
||||
# raise an exception on initialization. (string value)
|
||||
#memcache_security_strategy=<None>
|
||||
<% unless node['openstack']['orchestration']['api']['auth']['memcache_security_strategy'].nil? %>
|
||||
memcache_security_strategy=<%= node['openstack']['orchestration']['api']['auth']['memcache_security_strategy'] %>
|
||||
<% end %>
|
||||
|
||||
# (optional, mandatory if memcache_security_strategy is
|
||||
# defined) this string is used for key derivation. (string
|
||||
# value)
|
||||
#memcache_secret_key=<None>
|
||||
<% unless node['openstack']['orchestration']['api']['auth']['memcache_secret_key'].nil? %>
|
||||
memcache_secret_key=<%= node['openstack']['orchestration']['api']['auth']['memcache_secret_key'] %>
|
||||
<% end %>
|
||||
|
||||
# (optional) indicate whether to set the X-Service-Catalog
|
||||
# header. If False, middleware will not ask for service
|
||||
|
@ -1244,6 +1257,7 @@ signing_dir=<%= node['openstack']['orchestration']['api']['auth']['cache_dir']
|
|||
# should be set to a single value for better performance.
|
||||
# (list value)
|
||||
#hash_algorithms=md5
|
||||
hash_algorithms=<%= node['openstack']['orchestration']['api']['auth']['hash_algorithms'] %>
|
||||
|
||||
[matchmaker_ring]
|
||||
|
||||
|
|
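Review bot: `memcache_security_strategy` and `memcache_secret_key` are each rendered under their own `nil?` guard, so a node can set the strategy without the key even though the comment directly above the key says it is mandatory when the strategy is defined. The opposite case, a key with no strategy, renders without complaint and presumably leaves the cached token data unprotected. Neither mismatch is caught at converge time; the first only surfaces when the service starts. A check in the recipe that renders this template (not shown here) would fail early, for example `fail 'memcache_secret_key is required when memcache_security_strategy is set' if auth['memcache_security_strategy'] && auth['memcache_secret_key'].nil?`, where `auth` is the `['api']['auth']` attribute hash. Also note that `memcached_servers` is described as a list value but is interpolated directly, so a Ruby Array would render in its `to_s` form rather than comma-separated; joining the value or documenting that it must be a String would avoid that.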