Adapt puppet-keystone for Fuel

Partial blueprint merge-openstack-puppet-modules

- Includes fix for rhbz#1129760 bug.
  Upstream Change-Id: I3f0102b184a484f5e5a85cadf26ed651829fbf8c

Change-Id: I46d872bc6ec1ef33243dce2588847b8be7f2df4b
Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>

deployment/puppet/keystone/manifests/db/postgresql.pp

@@ -42,6 +42,6 @@ class keystone::db::postgresql(
     password  => $password,
   }
 
-  Postgresql::Db[$dbname] ~> Exec<| title == 'keystone-manage db_sync' |>
+  Postgresql::Server::Db[$dbname] ~> Exec<| title == 'keystone-manage db_sync' |>
 
 }

deployment/puppet/keystone/manifests/roles/admin.pp

@@ -6,7 +6,6 @@
 #   * "admin" tenant (defaults to "openstack")
 #   * admin user (that defaults to the "admin" tenant)
 #   * admin role
-#   * _member_ role
 #   * adds admin role to admin user on the "admin" tenant
 #
 # [*Parameters*]
@@ -51,7 +50,7 @@ class keystone::roles::admin(
     email       => $email,
     password    => $password,
   }
-  keystone_role { ['admin', '_member_']:
+  keystone_role { 'admin':
     ensure => present,
   }
   keystone_user_role { "${admin}@${admin_tenant}":

deployment/puppet/keystone/spec/classes/keystone_roles_admin_spec.rb

@@ -28,9 +28,7 @@ describe 'keystone::roles::admin' do
       :email       => 'foo@bar',
       :password    => 'ChangeMe'
     )}
-    ['admin', '_member_'].each do |role_name|
-      it { should contain_keystone_role(role_name).with_ensure('present') }
-    end
+    it { should contain_keystone_role('admin').with_ensure('present') }
     it { should contain_keystone_user_role('admin@openstack').with(
       :roles  => 'admin',
       :ensure => 'present'

deployment/puppet/nailgun/examples/keystone-only.pp

@@ -18,9 +18,11 @@ case $production {
     class {'docker::container': }
 
     class { 'keystone':
-      admin_token     => $::fuel_settings['keystone']['admin_token'],
-      catalog_type    => 'sql',
-      sql_connection => "postgresql://${::fuel_settings['postgres']['keystone_user']}:${::fuel_settings['postgres']['keystone_password']}@${::fuel_settings['ADMIN_NETWORK']['ipaddress']}/${::fuel_settings['postgres']['keystone_dbname']}",
+      admin_token      => $::fuel_settings['keystone']['admin_token'],
+      catalog_type     => 'sql',
+      sql_connection   => "postgresql://${::fuel_settings['postgres']['keystone_user']}:${::fuel_settings['postgres']['keystone_password']}@${::fuel_settings['ADMIN_NETWORK']['ipaddress']}/${::fuel_settings['postgres']['keystone_dbname']}",
+      token_expiration => 86400,
+      token_provider   => 'keystone.token.providers.uuid.Provider',
     }
 
     #FIXME(mattymo): We should enable db_sync on every run inside keystone,
@@ -79,11 +81,6 @@ case $production {
       address   => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
     }
 
-    # Increase token expiratin to 24h
-    keystone_config {
-      'token/expiration': value => 86400;
-    }
-
     package { 'crontabs':
       ensure => latest,
     }

deployment/puppet/nailgun/manifests/auth.pp

@@ -21,7 +21,8 @@ class nailgun::auth(
   $internal_address = undef,
   $admin_address    = undef,
   $public_address   = undef,
-  $port             = '8000'
+  $port             = '8000',
+  $region           = 'RegionOne',
 ) {
   if ($internal_address == undef) {
     $internal_address_real = $address
@@ -59,7 +60,7 @@ class nailgun::auth(
     description => 'Nailgun API',
   }
 
-  keystone_endpoint { 'nailgun':
+  keystone_endpoint { "$region/nailgun":
     ensure       => present,
     public_url   => "http://${public_address_real}:${port}/api",
     admin_url    => "http://${admin_address_real}:${port}/api",

deployment/puppet/nailgun/manifests/ostf/auth.pp

@@ -21,7 +21,8 @@ class nailgun::ostf::auth(
   $internal_address = undef,
   $admin_address    = undef,
   $public_address   = undef,
-  $port             = '8000'
+  $port             = '8000',
+  $region           = 'RegionOne',
 ) {
   if ($internal_address == undef) {
     $internal_address_real = $address
@@ -59,7 +60,7 @@ class nailgun::ostf::auth(
     description => 'OSTF',
   }
 
-  keystone_endpoint { 'ostf':
+  keystone_endpoint { "$region/ostf":
     ensure       => present,
     public_url   => "http://${public_address_real}:${port}/ostf",
     admin_url    => "http://${admin_address_real}:${port}/ostf",

deployment/puppet/openstack/manifests/keystone.pp

@@ -30,6 +30,9 @@
 # [use_syslog] Rather or not service should log to syslog. Optional. Default to false.
 # [syslog_log_facility] Facility for syslog, if used. Optional. Note: duplicating conf option
 #       wouldn't have been used, but more powerfull rsyslog features managed via conf template instead
+# [max_pool_size] SQLAlchemy backend related. Default 10.
+# [max_overflow] SQLAlchemy backend related.  Default 30.
+# [max_retries] SQLAlchemy backend related. Default -1.
 #
 # === Example
 #
@@ -195,6 +198,14 @@ class openstack::keystone (
     $ceilometer_admin_real = $admin_real
   }
 
+  if $memcache_servers {
+    $memcache_servers_real = suffix($memcache_servers, inline_template(":<%= @memcache_server_port %>"))
+    $token_driver = 'keystone.token.backends.memcache.Token'
+  } else {
+    $memcache_servers_real = false
+    $token_driver = 'keystone.token.backends.sql.Token'
+  }
+
   class { '::keystone':
     verbose             => $verbose,
     debug               => $debug,
@@ -205,17 +216,83 @@ class openstack::keystone (
     bind_host           => $bind_host,
     package_ensure      => $package_ensure,
     use_syslog          => $use_syslog,
-    syslog_log_facility => $syslog_log_facility,
-    max_retries         => $max_retries,
-    max_pool_size       => $max_pool_size,
-    max_overflow        => $max_overflow,
     idle_timeout        => $idle_timeout,
     rabbit_password     => $rabbit_password,
     rabbit_userid       => $rabbit_userid,
     rabbit_hosts        => $rabbit_hosts,
     rabbit_virtual_host => $rabbit_virtual_host,
-    memcache_servers    => $memcache_servers,
-    memcache_server_port => $memcache_server_port,
+    memcache_servers    => $memcache_servers_real,
+    token_driver        => $token_driver,
+    token_provider      => 'keystone.token.providers.uuid.Provider',
+  }
+
+  if $::operatingsystem == 'Ubuntu' {
+   if $service_provider == 'pacemaker' {
+      tweaks::ubuntu_service_override { 'keystone':
+        package_name => 'keystone',
+      }
+      exec { 'remove-keystone-bootblockr':
+        command => 'rm -rf /etc/init/keystone.override',
+        path    => ['/bin', '/usr/bin'],
+        require => Package['keystone']
+      }
+    }
+  }
+
+  if $memcache_servers {
+    Service<| title == 'memcached' |> -> Service<| title == 'keystone'|>
+    keystone_config {
+      'token/caching': value => 'true';
+      'cache/enabled': value => 'true';
+      'cache/backend': value => 'dogpile.cache.memcached';
+      'cache/backend_argument': value => inline_template("url:<%= @memcache_servers.collect{|ip| ip }.join ',' %>");
+     }
+  }
+
+  Package<| title == 'keystone'|> ~> Service<| title == 'keystone'|>
+  if !defined(Service['keystone']) {
+    notify{ "Module ${module_name} cannot notify service keystone on package update": }
+  }
+
+  if $use_syslog {
+    keystone_config {
+      'DEFAULT/use_syslog_rfc_format':  value  => true;
+    }
+  }
+
+  keystone_config {
+    'DATABASE/max_pool_size':                          value => $max_pool_size;
+    'DATABASE/max_retries':                            value => $max_retries;
+    'DATABASE/max_overflow':                           value => $max_overflow;
+    'identity/driver':                                 value =>"keystone.identity.backends.sql.Identity";
+    'policy/driver':                                   value =>"keystone.policy.backends.rules.Policy";
+    'ec2/driver':                                      value =>"keystone.contrib.ec2.backends.sql.Ec2";
+    'filter:debug/paste.filter_factory':               value =>"keystone.common.wsgi:Debug.factory";
+    'filter:token_auth/paste.filter_factory':          value =>"keystone.middleware:TokenAuthMiddleware.factory";
+    'filter:admin_token_auth/paste.filter_factory':    value =>"keystone.middleware:AdminTokenAuthMiddleware.factory";
+    'filter:xml_body/paste.filter_factory':            value =>"keystone.middleware:XmlBodyMiddleware.factory";
+    'filter:json_body/paste.filter_factory':           value =>"keystone.middleware:JsonBodyMiddleware.factory";
+    'filter:user_crud_extension/paste.filter_factory': value =>"keystone.contrib.user_crud:CrudExtension.factory";
+    'filter:crud_extension/paste.filter_factory':      value =>"keystone.contrib.admin_crud:CrudExtension.factory";
+    'filter:ec2_extension/paste.filter_factory':       value =>"keystone.contrib.ec2:Ec2Extension.factory";
+    'filter:s3_extension/paste.filter_factory':        value =>"keystone.contrib.s3:S3Extension.factory";
+    'filter:url_normalize/paste.filter_factory':       value =>"keystone.middleware:NormalizingFilter.factory";
+    'filter:stats_monitoring/paste.filter_factory':    value =>"keystone.contrib.stats:StatsMiddleware.factory";
+    'filter:stats_reporting/paste.filter_factory':     value =>"keystone.contrib.stats:StatsExtension.factory";
+    'app:public_service/paste.app_factory':            value =>"keystone.service:public_app_factory";
+    'app:admin_service/paste.app_factory':             value =>"keystone.service:admin_app_factory";
+    'pipeline:public_api/pipeline':                    value =>"stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug ec2_extension user_crud_extension public_service";
+    'pipeline:admin_api/pipeline':                     value =>"stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension crud_extension admin_service";
+    'app:public_version_service/paste.app_factory':    value =>"keystone.service:public_version_app_factory";
+    'app:admin_version_service/paste.app_factory':     value =>"keystone.service:admin_version_app_factory";
+    'pipeline:public_version_api/pipeline':            value =>"stats_monitoring url_normalize xml_body public_version_service";
+    'pipeline:admin_version_api/pipeline':             value =>"stats_monitoring url_normalize xml_body admin_version_service";
+    'composite:main/use':                              value =>"egg:Paste#urlmap";
+    'composite:main//v2.0':                            value =>"public_api";
+    'composite:main//':                                value =>"public_version_api";
+    'composite:admin/use':                             value =>"egg:Paste#urlmap";
+    'composite:admin//v2.0':                           value =>"admin_api";
+    'composite:admin//':                               value =>"admin_version_api";
   }
 
   if ($enabled) {

deployment/puppet/sahara/manifests/keystone/auth.pp

@@ -23,9 +23,8 @@ class sahara::keystone::auth (
     description => 'OpenStack Data Processing',
   }
 
-  keystone_endpoint { $auth_name:
+  keystone_endpoint { "$region/$auth_name":
     ensure       => present,
-    region       => $region,
     public_url   => "http://${public_address}:${sahara_port}/v1.1/%(tenant_id)s",
     internal_url => "http://${internal_address}:${sahara_port}/v1.1/%(tenant_id)s",
     admin_url    => "http://${admin_address}:${sahara_port}/v1.1/%(tenant_id)s",