keystone: pki-setup should be run regardless of token provider

The puppet-keystone module currently will only execute 'keystone-manage pki_setup'
to create the signing key if the PKI token provider is being used. The signing
key/cert is still used for signing the token revocation list, even when the UUID
token provider is being used. We should be running 'keystone-manage pki_setup'
if enable_pki_setup=true, regardless of token provider.

Closes-Bug: 1374349
Upstream commit: I2817fbde74cbd50cae31f681503816e576cc7b60

Change-Id: I293593194a7545aecd3ebd825d108b4b1c20ba29
This commit is contained in:
Bartłomiej Piotrowski 2015-04-12 19:59:51 +02:00
parent 867028fe78
commit 0b0234f48a
2 changed files with 109 additions and 20 deletions

View File

@ -41,7 +41,6 @@
# [enabled] If the keystone services should be enabled. Optional. Default to true.
# [sql_connection] Url used to connect to database.
# [idle_timeout] Timeout when db connections should be reaped.
# [enable_pki_setup] Enable call to pki_setup.
# [rabbit_host] Location of rabbitmq installation. Optional. Defaults to localhost.
# [rabbit_port] Port for rabbitmq instance. Optional. Defaults to 5672.
# [rabbit_hosts] Location of rabbitmq installation. Optional. Defaults to undef.
@ -118,6 +117,28 @@
# Tested versions include 0.9 and 2.2
# Default to '0.9'
#
# [enable_pki_setup]
# Enable call to pki_setup to generate the cert for signing pki tokens and
# revocation lists if it doesn't already exist. This generates a cert and key
# stored in file locations based on the signing_certfile and signing_keyfile
# paramters below. If you are providing your own signing cert, make this false.
#
# [signing_certfile]
# Location of the cert file for signing pki tokens and revocation lists.
# Optional. Note that if this file already exists (i.e. you are providing your
# own signing cert), the file will not be overwritten, even if enable_pki_setup
# is set to true.
#
# [signing_ca_certs]
# Use this CA certs file along with signing_certfile/signing_keyfile for
# signing pki tokens and revocation lists.
# Optional. Default: /etc/keystone/ssl/certs/ca.pem
#
# [signing_ca_key]
# Use this CA key file along with signing_certfile/signing_keyfile for signing
# pki tokens and revocation lists.
# Optional. Default: /etc/keystone/ssl/private/cakey.pem
#
# == Dependencies
# None
#
@ -172,6 +193,10 @@ class keystone(
$sql_connection = 'sqlite:////var/lib/keystone/keystone.db',
$idle_timeout = '200',
$enable_pki_setup = true,
$signing_certfile = '/etc/keystone/ssl/certs/signing_cert.pem',
$signing_keyfile = '/etc/keystone/ssl/private/signing_key.pem',
$signing_ca_certs = '/etc/keystone/ssl/certs/ca.pem',
$signing_ca_key = '/etc/keystone/ssl/private/cakey.pem',
$mysql_module = '0.9',
$rabbit_host = 'localhost',
$rabbit_hosts = false,
@ -345,42 +370,57 @@ class keystone(
warning('token_format parameter is deprecated. Use token_provider instead.')
}
# remove the old format in case of an upgrade
keystone_config { 'signing/token_format': ensure => absent }
# Set the signing key/cert configuration values.
keystone_config {
'signing/certfile': value => $signing_certfile;
'signing/keyfile': value => $signing_keyfile;
'signing/ca_certs': value => $signing_ca_certs;
'signing/ca_key': value => $signing_ca_key;
}
if ($token_format == false and $token_provider == 'keystone.token.providers.pki.Provider') or $token_format == 'PKI' {
keystone_config { 'token/provider': value => 'keystone.token.providers.pki.Provider' }
# Create cache directory used for signing.
file { $cache_dir:
ensure => directory,
}
# Only do pki_setup if we were asked to do so. This is needed
# regardless of the token provider since token revocation lists
# are always signed.
if $enable_pki_setup {
exec { 'keystone-manage pki_setup':
path => '/usr/bin',
user => 'keystone',
refreshonly => true,
creates => '/etc/keystone/ssl/private/signing_key.pem',
creates => $signing_keyfile,
notify => Service['keystone'],
subscribe => Package['keystone'],
require => User['keystone'],
}
}
if ($token_format == false and $token_provider == 'keystone.token.providers.pki.Provider') or $token_format == 'PKI' {
keystone_config { 'token/provider': value => 'keystone.token.providers.pki.Provider' }
} elsif $token_format == 'UUID' {
keystone_config { 'token/provider': value => 'keystone.token.providers.uuid.Provider' }
} else {
keystone_config { 'token/provider': value => $token_provider }
}
# remove the old format in case of an upgrade
keystone_config { 'signing/token_format': ensure => absent }
if $notification_driver {
keystone_config { 'DEFAULT/notification_driver': value => $notification_driver }
} else {
keystone_config { 'DEFAULT/notification_driver': ensure => absent }
}
if $notification_topics {
keystone_config { 'DEFAULT/notification_topics': value => $notification_topics }
} else {
keystone_config { 'DEFAULT/notification_topics': ensure => absent }
}
if $control_exchange {
keystone_config { 'DEFAULT/control_exchange': value => $control_exchange }
} else {

View File

@ -179,8 +179,25 @@ describe 'keystone' do
'token_provider' => 'keystone.token.providers.uuid.Provider'
}
end
it { should contain_exec('keystone-manage pki_setup').with(
:creates => '/etc/keystone/ssl/private/signing_key.pem'
) }
it { should contain_file('/var/cache/keystone').with_ensure('directory') }
describe 'when overriding the cache dir' do
before do
params.merge!(:cache_dir => '/var/lib/cache/keystone')
end
it { should contain_file('/var/lib/cache/keystone') }
end
describe 'when disable pki_setup' do
before do
params.merge!(:enable_pki_setup => false)
end
it { should_not contain_exec('keystone-manage pki_setup') }
end
end
describe 'when configuring as PKI' do
let :params do
@ -209,6 +226,38 @@ describe 'keystone' do
end
end
describe 'when configuring PKI signing cert paths with UUID and with pki_setup disabled' do
let :params do
{
'admin_token' => 'service_token',
'token_provider' => 'keystone.token.providers.uuid.Provider',
'enable_pki_setup' => false,
'signing_certfile' => 'signing_certfile',
'signing_keyfile' => 'signing_keyfile',
'signing_ca_certs' => 'signing_ca_certs',
'signing_ca_key' => 'signing_ca_key'
}
end
it { should_not contain_exec('keystone-manage pki_setup') }
it 'should contain correct PKI certfile config' do
should contain_keystone_config('signing/certfile').with_value('signing_certfile')
end
it 'should contain correct PKI keyfile config' do
should contain_keystone_config('signing/keyfile').with_value('signing_keyfile')
end
it 'should contain correct PKI ca_certs config' do
should contain_keystone_config('signing/ca_certs').with_value('signing_ca_certs')
end
it 'should contain correct PKI ca_key config' do
should contain_keystone_config('signing/ca_key').with_value('signing_ca_key')
end
end
describe 'with invalid catalog_type' do
let :params do
{ :admin_token => 'service_token',
@ -234,7 +283,7 @@ describe 'keystone' do
'token_format' => 'UUID'
}
end
it { should_not contain_exec('keystone-manage pki_setup') }
it { should contain_exec('keystone-manage pki_setup') }
end
describe 'when configuring deprecated token_format as PKI' do