keystone: pki-setup should be run regardless of token provider
The puppet-keystone module currently will only execute 'keystone-manage pki_setup' to create the signing key if the PKI token provider is being used. The signing key/cert is still used for signing the token revocation list, even when the UUID token provider is being used. We should be running 'keystone-manage pki_setup' if enable_pki_setup=true, regardless of token provider. Closes-Bug: 1374349 Upstream commit: I2817fbde74cbd50cae31f681503816e576cc7b60 Change-Id: I293593194a7545aecd3ebd825d108b4b1c20ba29
parent
867028fe78
commit
0b0234f48a
@ -41,7 +41,6 @@
|
||||
# [enabled] If the keystone services should be enabled. Optional. Default to true.
|
||||
# [sql_connection] Url used to connect to database.
|
||||
# [idle_timeout] Timeout when db connections should be reaped.
|
||||
# [enable_pki_setup] Enable call to pki_setup.
|
||||
# [rabbit_host] Location of rabbitmq installation. Optional. Defaults to localhost.
|
||||
# [rabbit_port] Port for rabbitmq instance. Optional. Defaults to 5672.
|
||||
# [rabbit_hosts] Location of rabbitmq installation. Optional. Defaults to undef.
|
||||
@ -118,6 +117,28 @@
|
||||
# Tested versions include 0.9 and 2.2
|
||||
# Default to '0.9'
|
||||
#
|
||||
# [enable_pki_setup]
|
||||
# Enable call to pki_setup to generate the cert for signing pki tokens and
|
||||
# revocation lists if it doesn't already exist. This generates a cert and key
|
||||
# stored in file locations based on the signing_certfile and signing_keyfile
|
||||
# paramters below. If you are providing your own signing cert, make this false.
|
||||
#
|
||||
# [signing_certfile]
|
||||
# Location of the cert file for signing pki tokens and revocation lists.
|
||||
# Optional. Note that if this file already exists (i.e. you are providing your
|
||||
# own signing cert), the file will not be overwritten, even if enable_pki_setup
|
||||
# is set to true.
|
||||
#
|
||||
# [signing_ca_certs]
|
||||
# Use this CA certs file along with signing_certfile/signing_keyfile for
|
||||
# signing pki tokens and revocation lists.
|
||||
# Optional. Default: /etc/keystone/ssl/certs/ca.pem
|
||||
#
|
||||
# [signing_ca_key]
|
||||
# Use this CA key file along with signing_certfile/signing_keyfile for signing
|
||||
# pki tokens and revocation lists.
|
||||
# Optional. Default: /etc/keystone/ssl/private/cakey.pem
|
||||
#
|
||||
# == Dependencies
|
||||
# None
|
||||
#
|
||||
@ -172,6 +193,10 @@ class keystone(
|
||||
$sql_connection = 'sqlite:////var/lib/keystone/keystone.db',
|
||||
$idle_timeout = '200',
|
||||
$enable_pki_setup = true,
|
||||
$signing_certfile = '/etc/keystone/ssl/certs/signing_cert.pem',
|
||||
$signing_keyfile = '/etc/keystone/ssl/private/signing_key.pem',
|
||||
$signing_ca_certs = '/etc/keystone/ssl/certs/ca.pem',
|
||||
$signing_ca_key = '/etc/keystone/ssl/private/cakey.pem',
|
||||
$mysql_module = '0.9',
|
||||
$rabbit_host = 'localhost',
|
||||
$rabbit_hosts = false,
|
||||
@ -345,42 +370,57 @@ class keystone(
|
||||
warning('token_format parameter is deprecated. Use token_provider instead.')
|
||||
}
|
||||
|
||||
# remove the old format in case of an upgrade
|
||||
keystone_config { 'signing/token_format': ensure => absent }
|
||||
# Set the signing key/cert configuration values.
|
||||
keystone_config {
|
||||
'signing/certfile': value => $signing_certfile;
|
||||
'signing/keyfile': value => $signing_keyfile;
|
||||
'signing/ca_certs': value => $signing_ca_certs;
|
||||
'signing/ca_key': value => $signing_ca_key;
|
||||
}
|
||||
|
||||
if ($token_format == false and $token_provider == 'keystone.token.providers.pki.Provider') or $token_format == 'PKI' {
|
||||
keystone_config { 'token/provider': value => 'keystone.token.providers.pki.Provider' }
|
||||
# Create cache directory used for signing.
|
||||
file { $cache_dir:
|
||||
ensure => directory,
|
||||
}
|
||||
|
||||
# Only do pki_setup if we were asked to do so. This is needed
|
||||
# regardless of the token provider since token revocation lists
|
||||
# are always signed.
|
||||
if $enable_pki_setup {
|
||||
exec { 'keystone-manage pki_setup':
|
||||
path => '/usr/bin',
|
||||
user => 'keystone',
|
||||
refreshonly => true,
|
||||
creates => '/etc/keystone/ssl/private/signing_key.pem',
|
||||
creates => $signing_keyfile,
|
||||
notify => Service['keystone'],
|
||||
subscribe => Package['keystone'],
|
||||
require => User['keystone'],
|
||||
}
|
||||
}
|
||||
|
||||
if ($token_format == false and $token_provider == 'keystone.token.providers.pki.Provider') or $token_format == 'PKI' {
|
||||
keystone_config { 'token/provider': value => 'keystone.token.providers.pki.Provider' }
|
||||
} elsif $token_format == 'UUID' {
|
||||
keystone_config { 'token/provider': value => 'keystone.token.providers.uuid.Provider' }
|
||||
} else {
|
||||
keystone_config { 'token/provider': value => $token_provider }
|
||||
}
|
||||
|
||||
# remove the old format in case of an upgrade
|
||||
keystone_config { 'signing/token_format': ensure => absent }
|
||||
|
||||
if $notification_driver {
|
||||
keystone_config { 'DEFAULT/notification_driver': value => $notification_driver }
|
||||
} else {
|
||||
keystone_config { 'DEFAULT/notification_driver': ensure => absent }
|
||||
}
|
||||
|
||||
if $notification_topics {
|
||||
keystone_config { 'DEFAULT/notification_topics': value => $notification_topics }
|
||||
} else {
|
||||
keystone_config { 'DEFAULT/notification_topics': ensure => absent }
|
||||
}
|
||||
|
||||
if $control_exchange {
|
||||
keystone_config { 'DEFAULT/control_exchange': value => $control_exchange }
|
||||
} else {
|
||||
|
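Review bot: The exec `keystone-manage pki_setup` now runs for every token provider but still carries only `require => User['keystone']`, while the path it is guarded by (`creates => $signing_keyfile`) is only written into keystone.conf by the `keystone_config { 'signing/...' }` resources added earlier in this hunk, and nothing visible here orders the exec after them. Because the exec is `refreshonly` and subscribed to `Package['keystone']`, on a fresh install it can fire before those values are applied, in which case `pki_setup` would generate the signing cert and key at whatever paths the packaged config holds and the `creates` guard would never match `$signing_keyfile`; unless an ordering such as `Keystone_config<||> -> Exec['keystone-manage pki_setup']` exists outside the hunk, I would change the last attribute to `require => [User['keystone'], Keystone_config['signing/certfile'], Keystone_config['signing/keyfile'], Keystone_config['signing/ca_certs'], Keystone_config['signing/ca_key']],`. The enclosing `class keystone` begins and ends outside the hunk. Separately, the parameter docs in the `@ -118,6 +117,28 @@` hunk describe `signing_certfile`, `signing_ca_certs` and `signing_ca_key` but not `signing_keyfile`, and `paramters` at the end of the `[enable_pki_setup]` entry is a typo; a `[signing_keyfile]` entry stating that it is the private key path `pki_setup` writes and uses as its `creates` guard, optional, defaulting to `/etc/keystone/ssl/private/signing_key.pem`, would close the gap.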
@ -179,8 +179,25 @@ describe 'keystone' do
|
||||
'token_provider' => 'keystone.token.providers.uuid.Provider'
|
||||
}
|
||||
end
|
||||
it { should contain_exec('keystone-manage pki_setup').with(
|
||||
:creates => '/etc/keystone/ssl/private/signing_key.pem'
|
||||
) }
|
||||
it { should contain_file('/var/cache/keystone').with_ensure('directory') }
|
||||
|
||||
describe 'when overriding the cache dir' do
|
||||
before do
|
||||
params.merge!(:cache_dir => '/var/lib/cache/keystone')
|
||||
end
|
||||
it { should contain_file('/var/lib/cache/keystone') }
|
||||
end
|
||||
|
||||
describe 'when disable pki_setup' do
|
||||
before do
|
||||
params.merge!(:enable_pki_setup => false)
|
||||
end
|
||||
it { should_not contain_exec('keystone-manage pki_setup') }
|
||||
end
|
||||
end
|
||||
|
||||
describe 'when configuring as PKI' do
|
||||
let :params do
|
||||
@ -209,6 +226,38 @@ describe 'keystone' do
|
||||
end
|
||||
end
|
||||
|
||||
describe 'when configuring PKI signing cert paths with UUID and with pki_setup disabled' do
|
||||
let :params do
|
||||
{
|
||||
'admin_token' => 'service_token',
|
||||
'token_provider' => 'keystone.token.providers.uuid.Provider',
|
||||
'enable_pki_setup' => false,
|
||||
'signing_certfile' => 'signing_certfile',
|
||||
'signing_keyfile' => 'signing_keyfile',
|
||||
'signing_ca_certs' => 'signing_ca_certs',
|
||||
'signing_ca_key' => 'signing_ca_key'
|
||||
}
|
||||
end
|
||||
|
||||
it { should_not contain_exec('keystone-manage pki_setup') }
|
||||
|
||||
it 'should contain correct PKI certfile config' do
|
||||
should contain_keystone_config('signing/certfile').with_value('signing_certfile')
|
||||
end
|
||||
|
||||
it 'should contain correct PKI keyfile config' do
|
||||
should contain_keystone_config('signing/keyfile').with_value('signing_keyfile')
|
||||
end
|
||||
|
||||
it 'should contain correct PKI ca_certs config' do
|
||||
should contain_keystone_config('signing/ca_certs').with_value('signing_ca_certs')
|
||||
end
|
||||
|
||||
it 'should contain correct PKI ca_key config' do
|
||||
should contain_keystone_config('signing/ca_key').with_value('signing_ca_key')
|
||||
end
|
||||
end
|
||||
|
||||
describe 'with invalid catalog_type' do
|
||||
let :params do
|
||||
{ :admin_token => 'service_token',
|
||||
@ -234,7 +283,7 @@ describe 'keystone' do
|
||||
'token_format' => 'UUID'
|
||||
}
|
||||
end
|
||||
it { should_not contain_exec('keystone-manage pki_setup') }
|
||||
it { should contain_exec('keystone-manage pki_setup') }
|
||||
end
|
||||
|
||||
describe 'when configuring deprecated token_format as PKI' do
|
||||
|
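Review bot: The parameterised guard `creates => $signing_keyfile` is never exercised with a non-default value: the assertion added in the UUID context pins the default path, and the new `'when configuring PKI signing cert paths with UUID and with pki_setup disabled'` example sets `enable_pki_setup => false`, so a regression that hard-codes the path again would still pass these specs. I would add a case next to `'when overriding the cache dir'` that keeps `pki_setup` enabled, overrides `signing_keyfile`, and asserts the exec's `creates` follows it. The `describe 'keystone'` block and the UUID context these examples sit in start outside the hunk.
```ruby
describe 'when overriding the signing keyfile' do
  before do
    # constructed sample path, any non-default value works
    params.merge!(:signing_keyfile => '/srv/keystone/ssl/signing_key.pem')
  end
  it { should contain_exec('keystone-manage pki_setup').with(
    :creates => '/srv/keystone/ssl/signing_key.pem'
  ) }
end
```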