diff --git a/deployment/puppet/keystone/manifests/db/postgresql.pp b/deployment/puppet/keystone/manifests/db/postgresql.pp index 3d7eb73d78..efe1422b50 100644 --- a/deployment/puppet/keystone/manifests/db/postgresql.pp +++ b/deployment/puppet/keystone/manifests/db/postgresql.pp @@ -42,6 +42,6 @@ class keystone::db::postgresql( password => $password, } - Postgresql::Db[$dbname] ~> Exec<| title == 'keystone-manage db_sync' |> + Postgresql::Server::Db[$dbname] ~> Exec<| title == 'keystone-manage db_sync' |> } diff --git a/deployment/puppet/keystone/manifests/roles/admin.pp b/deployment/puppet/keystone/manifests/roles/admin.pp index eed03c74a9..499cc13361 100644 --- a/deployment/puppet/keystone/manifests/roles/admin.pp +++ b/deployment/puppet/keystone/manifests/roles/admin.pp @@ -6,7 +6,6 @@ # * "admin" tenant (defaults to "openstack") # * admin user (that defaults to the "admin" tenant) # * admin role -# * _member_ role # * adds admin role to admin user on the "admin" tenant # # [*Parameters*] @@ -51,7 +50,7 @@ class keystone::roles::admin( email => $email, password => $password, } - keystone_role { ['admin', '_member_']: + keystone_role { 'admin': ensure => present, } keystone_user_role { "${admin}@${admin_tenant}": diff --git a/deployment/puppet/keystone/spec/classes/keystone_roles_admin_spec.rb b/deployment/puppet/keystone/spec/classes/keystone_roles_admin_spec.rb index 7605a450d2..99db80f772 100644 --- a/deployment/puppet/keystone/spec/classes/keystone_roles_admin_spec.rb +++ b/deployment/puppet/keystone/spec/classes/keystone_roles_admin_spec.rb @@ -28,9 +28,7 @@ describe 'keystone::roles::admin' do :email => 'foo@bar', :password => 'ChangeMe' )} - ['admin', '_member_'].each do |role_name| - it { should contain_keystone_role(role_name).with_ensure('present') } - end + it { should contain_keystone_role('admin').with_ensure('present') } it { should contain_keystone_user_role('admin@openstack').with( :roles => 'admin', :ensure => 'present' 
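Review bot: Dropping `'_member_'` from the `keystone_role` resource leaves nothing in this manifest saying who is now expected to create that role, so the next reader will read it as an omission. Keystone creates its default member role itself (the `member_role_name` option, `_member_` by default) the first time a user is added to a tenant, which is presumably why it is removed here; a one-line comment would preserve that, e.g. `# '_member_' is created by keystone itself (member_role_name) on first tenant membership; do not manage it here`. Any other manifest that orders against `Keystone_role['_member_']` would now fail to compile, which is worth a grep before merging. The rest of the class, including its parameter list, is outside the hunk.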
diff --git a/deployment/puppet/nailgun/examples/keystone-only.pp b/deployment/puppet/nailgun/examples/keystone-only.pp index ee9e3f8e02..e746b79bce 100644 --- a/deployment/puppet/nailgun/examples/keystone-only.pp +++ b/deployment/puppet/nailgun/examples/keystone-only.pp @@ -18,9 +18,11 @@ case $production { class {'docker::container': } class { 'keystone': - admin_token => $::fuel_settings['keystone']['admin_token'], - catalog_type => 'sql', - sql_connection => "postgresql://${::fuel_settings['postgres']['keystone_user']}:${::fuel_settings['postgres']['keystone_password']}@${::fuel_settings['ADMIN_NETWORK']['ipaddress']}/${::fuel_settings['postgres']['keystone_dbname']}", + admin_token => $::fuel_settings['keystone']['admin_token'], + catalog_type => 'sql', + sql_connection => "postgresql://${::fuel_settings['postgres']['keystone_user']}:${::fuel_settings['postgres']['keystone_password']}@${::fuel_settings['ADMIN_NETWORK']['ipaddress']}/${::fuel_settings['postgres']['keystone_dbname']}", + token_expiration => 86400, + token_provider => 'keystone.token.providers.uuid.Provider', } #FIXME(mattymo): We should enable db_sync on every run inside keystone, @@ -79,11 +81,6 @@ case $production { address => $::fuel_settings['ADMIN_NETWORK']['ipaddress'], } - # Increase token expiratin to 24h - keystone_config { - 'token/expiration': value => 86400; - } - package { 'crontabs': ensure => latest, } diff --git a/deployment/puppet/nailgun/manifests/auth.pp b/deployment/puppet/nailgun/manifests/auth.pp index 65fbd09ecb..c0da26a323 100644 --- a/deployment/puppet/nailgun/manifests/auth.pp +++ b/deployment/puppet/nailgun/manifests/auth.pp @@ -21,7 +21,8 @@ class nailgun::auth( $internal_address = undef, $admin_address = undef, $public_address = undef, - $port = '8000' + $port = '8000', + $region = 'RegionOne', ) { if ($internal_address == undef) { $internal_address_real = $address 
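Review bot: `token_expiration => 86400` arrives without the rationale that the removed `keystone_config` block carried ("Increase token expiration to 24h"), and a 24-hour lifetime is a security trade-off that deserves a comment: a leaked UUID token stays usable for the whole day unless it is explicitly revoked. Suggest `# 24h token lifetime (moved here from keystone_config); a leaked token stays valid for the full window unless revoked` next to the parameter. The re-indented `sql_connection` line embeds the keystone DB password from `$::fuel_settings` in the connection URL; that is pre-existing, but it means the password lands in the compiled catalog and any Puppet report, so access to those should be confirmed as restricted. `admin_token` in the same resource is the bootstrap secret and should be disabled or rotated once service users exist.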
@@ -59,7 +60,7 @@ class nailgun::auth( description => 'Nailgun API', } - keystone_endpoint { 'nailgun': + keystone_endpoint { "$region/nailgun": ensure => present, public_url => "http://${public_address_real}:${port}/api", admin_url => "http://${admin_address_real}:${port}/api", diff --git a/deployment/puppet/nailgun/manifests/ostf/auth.pp b/deployment/puppet/nailgun/manifests/ostf/auth.pp index 4745cb460b..041eba5c36 100644 --- a/deployment/puppet/nailgun/manifests/ostf/auth.pp +++ b/deployment/puppet/nailgun/manifests/ostf/auth.pp @@ -21,7 +21,8 @@ class nailgun::ostf::auth( $internal_address = undef, $admin_address = undef, $public_address = undef, - $port = '8000' + $port = '8000', + $region = 'RegionOne', ) { if ($internal_address == undef) { $internal_address_real = $address @@ -59,7 +60,7 @@ class nailgun::ostf::auth( description => 'OSTF', } - keystone_endpoint { 'ostf': + keystone_endpoint { "$region/ostf": ensure => present, public_url => "http://${public_address_real}:${port}/ostf", admin_url => "http://${admin_address_real}:${port}/ostf", diff --git a/deployment/puppet/openstack/manifests/keystone.pp b/deployment/puppet/openstack/manifests/keystone.pp index caa4252a3d..3d2e524e6f 100644 --- a/deployment/puppet/openstack/manifests/keystone.pp +++ b/deployment/puppet/openstack/manifests/keystone.pp @@ -30,6 +30,9 @@ # [use_syslog] Rather or not service should log to syslog. Optional. Default to false. # [syslog_log_facility] Facility for syslog, if used. Optional. Note: duplicating conf option # wouldn't have been used, but more powerfull rsyslog features managed via conf template instead +# [max_pool_size] SQLAlchemy backend related. Default 10. +# [max_overflow] SQLAlchemy backend related. Default 30. +# [max_retries] SQLAlchemy backend related. Default -1. # # === Example # 
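Review bot: `"$region/nailgun"` interpolates a variable in a double-quoted string without braces; Puppet resolves it, but puppet-lint flags it and the braced form is already the convention two lines below (`"http://${public_address_real}:${port}/api"`), so `"${region}/nailgun"` is preferable. The `$region` parameter, introduced with default `'RegionOne'` in the previous hunk, is not documented anywhere visible in this diff; if the class header lists its parameters, add `# [*region*] Keystone region the nailgun endpoint is registered in. Default 'RegionOne'.` The `public_url`/`admin_url` values in the same resource stay plain `http://`, which is pre-existing, but this endpoint is what every client will trust from the catalog, so TLS should be tracked separately. The class body continues outside the hunk.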
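Review bot: Same as in nailgun::auth, `"$region/ostf"` should be written `"${region}/ostf"`; the unbraced form is accepted by Puppet but flagged by puppet-lint, and the URL attributes just below already use braces. The `$region` parameter this title depends on is added in the preceding hunk with default `'RegionOne'` and is not documented in what the diff shows; add `# [*region*] Keystone region the OSTF endpoint is registered in. Default 'RegionOne'.` to the class header if one exists. The class body continues outside the hunk.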
@@ -195,6 +198,14 @@ class openstack::keystone ( $ceilometer_admin_real = $admin_real } + if $memcache_servers { + $memcache_servers_real = suffix($memcache_servers, inline_template(":<%= @memcache_server_port %>")) + $token_driver = 'keystone.token.backends.memcache.Token' + } else { + $memcache_servers_real = false + $token_driver = 'keystone.token.backends.sql.Token' + } + class { '::keystone': verbose => $verbose, debug => $debug, 
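Review bot: `suffix($memcache_servers, inline_template(":<%= @memcache_server_port %>"))` spawns an ERB template only to read a variable; `suffix($memcache_servers, ":${memcache_server_port}")` is equivalent and easier to audit. Selecting `keystone.token.backends.memcache.Token` whenever `$memcache_servers` is set moves every issued token into memcached, which has no authentication of its own, so the listed servers must be reachable only from the control plane; a comment on the `$token_driver` line would make that explicit, e.g. `# tokens live in memcached when it is configured: memcached is unauthenticated, keep it on the management network only`. `suffix()` requires an array, so a caller passing a single host as a string will fail catalog compilation, which may be intended but is undocumented. The `::keystone` resource this feeds continues into the next hunk.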
@@ -205,17 +216,83 @@ class openstack::keystone ( bind_host => $bind_host, package_ensure => $package_ensure, use_syslog => $use_syslog, - syslog_log_facility => $syslog_log_facility, - max_retries => $max_retries, - max_pool_size => $max_pool_size, - max_overflow => $max_overflow, idle_timeout => $idle_timeout, rabbit_password => $rabbit_password, rabbit_userid => $rabbit_userid, rabbit_hosts => $rabbit_hosts, rabbit_virtual_host => $rabbit_virtual_host, - memcache_servers => $memcache_servers, - memcache_server_port => $memcache_server_port, + memcache_servers => $memcache_servers_real, + token_driver => $token_driver, + token_provider => 'keystone.token.providers.uuid.Provider', + } + + if $::operatingsystem == 'Ubuntu' { + if $service_provider == 'pacemaker' { + tweaks::ubuntu_service_override { 'keystone': + package_name => 'keystone', + } + exec { 'remove-keystone-bootblockr': + command => 'rm -rf /etc/init/keystone.override', + path => ['/bin', '/usr/bin'], + require => Package['keystone'] + } + } + } + + if $memcache_servers { + Service<| title == 'memcached' |> -> Service<| title == 'keystone'|> + keystone_config { + 'token/caching': value => 'true'; + 'cache/enabled': value => 'true'; + 'cache/backend': value => 'dogpile.cache.memcached'; + 'cache/backend_argument': value => inline_template("url:<%= @memcache_servers.collect{|ip| ip }.join ',' %>"); + } + } + + Package<| title == 'keystone'|> ~> Service<| title == 'keystone'|> + if !defined(Service['keystone']) { + notify{ "Module ${module_name} cannot notify service keystone on package update": } + } + + if $use_syslog { + keystone_config { + 'DEFAULT/use_syslog_rfc_format': value => true; + } + } + + keystone_config { + 'DATABASE/max_pool_size': value => $max_pool_size; + 'DATABASE/max_retries': value => $max_retries; + 'DATABASE/max_overflow': value => $max_overflow; + 'identity/driver': value =>"keystone.identity.backends.sql.Identity"; + 'policy/driver': value 
=>"keystone.policy.backends.rules.Policy"; + 'ec2/driver': value =>"keystone.contrib.ec2.backends.sql.Ec2"; + 'filter:debug/paste.filter_factory': value =>"keystone.common.wsgi:Debug.factory"; + 'filter:token_auth/paste.filter_factory': value =>"keystone.middleware:TokenAuthMiddleware.factory"; + 'filter:admin_token_auth/paste.filter_factory': value =>"keystone.middleware:AdminTokenAuthMiddleware.factory"; + 'filter:xml_body/paste.filter_factory': value =>"keystone.middleware:XmlBodyMiddleware.factory"; + 'filter:json_body/paste.filter_factory': value =>"keystone.middleware:JsonBodyMiddleware.factory"; + 'filter:user_crud_extension/paste.filter_factory': value =>"keystone.contrib.user_crud:CrudExtension.factory"; + 'filter:crud_extension/paste.filter_factory': value =>"keystone.contrib.admin_crud:CrudExtension.factory"; + 'filter:ec2_extension/paste.filter_factory': value =>"keystone.contrib.ec2:Ec2Extension.factory"; + 'filter:s3_extension/paste.filter_factory': value =>"keystone.contrib.s3:S3Extension.factory"; + 'filter:url_normalize/paste.filter_factory': value =>"keystone.middleware:NormalizingFilter.factory"; + 'filter:stats_monitoring/paste.filter_factory': value =>"keystone.contrib.stats:StatsMiddleware.factory"; + 'filter:stats_reporting/paste.filter_factory': value =>"keystone.contrib.stats:StatsExtension.factory"; + 'app:public_service/paste.app_factory': value =>"keystone.service:public_app_factory"; + 'app:admin_service/paste.app_factory': value =>"keystone.service:admin_app_factory"; + 'pipeline:public_api/pipeline': value =>"stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug ec2_extension user_crud_extension public_service"; + 'pipeline:admin_api/pipeline': value =>"stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension crud_extension admin_service"; + 'app:public_version_service/paste.app_factory': value 
=>"keystone.service:public_version_app_factory"; + 'app:admin_version_service/paste.app_factory': value =>"keystone.service:admin_version_app_factory"; + 'pipeline:public_version_api/pipeline': value =>"stats_monitoring url_normalize xml_body public_version_service"; + 'pipeline:admin_version_api/pipeline': value =>"stats_monitoring url_normalize xml_body admin_version_service"; + 'composite:main/use': value =>"egg:Paste#urlmap"; + 'composite:main//v2.0': value =>"public_api"; + 'composite:main//': value =>"public_version_api"; + 'composite:admin/use': value =>"egg:Paste#urlmap"; + 'composite:admin//v2.0': value =>"admin_api"; + 'composite:admin//': value =>"admin_version_api"; } if ($enabled) { diff --git a/deployment/puppet/sahara/manifests/keystone/auth.pp b/deployment/puppet/sahara/manifests/keystone/auth.pp index 16dfb92261..27f61bdcdd 100644 --- a/deployment/puppet/sahara/manifests/keystone/auth.pp +++ b/deployment/puppet/sahara/manifests/keystone/auth.pp @@ -23,9 +23,8 @@ class sahara::keystone::auth ( description => 'OpenStack Data Processing', } - keystone_endpoint { $auth_name: + keystone_endpoint { "$region/$auth_name": ensure => present, - region => $region, public_url => "http://${public_address}:${sahara_port}/v1.1/%(tenant_id)s", internal_url => "http://${internal_address}:${sahara_port}/v1.1/%(tenant_id)s", admin_url => "http://${admin_address}:${sahara_port}/v1.1/%(tenant_id)s",