Added keystone config to barbican api manifest

The acceptance test now has a barbican API server that runs in a gunicorn instance that uses keystone as an authentication source. We specify the snakeoil plugin because its a more useful and realistic plugin to use in acceptance tests. Fixed barbican manifest to not require including barbican::api, and fixed typo in dogtag spec. Added option to not autocreate the database. This allows use of mysql and dbsync when creating the database. Fixed a couple of package tags. Change-Id: I7c25f8692a4388874b05ab561602553f37e4961b Depends-On: Ia79f3d1bed0c2a66ed17ae2ee91ca70c73f6c434 Depends-On: Ic36fd606fe06202b0ca5b8eeaf5c5bdc2a5708fd
2016-03-22 13:57:07 -04:00 · 2016-03-22 13:57:07 -04:00 · bf14bf1feb
commit bf14bf1feb
parent aa2165e7d7
6 changed files with 126 additions and 15 deletions
--- a/manifests/api.pp
+++ b/manifests/api.pp
@ -168,6 +168,14 @@
 #   (string value)
 #   Defaults to $::os_service_default
 #
+# [*auth_type*]
+#   (optional) authentication type
+#   Defaults to 'keystone'
+#
+# [*identity_uri*]
+#   (optional) identity server URI, needed for keystone auth
+#   Defaults to 'http://localhost:35357'
+#
 # [*manage_service*]
 #   (optional) If Puppet should manage service startup / shutdown.
 #   Defaults to true.
@ -176,6 +184,26 @@
 #   (optional) Whether to enable services.
 #   Defaults to true.
 #
+# [*keystone_password*]
+#   (required) Password used to authentication.
+#
+# [*keystone_tenant*]
+#   (optional) Tenant to authenticate to.
+#   Defaults to 'services'.
+#
+# [*keystone_user*]
+#   (optional) User to authenticate as with keystone.
+#   Defaults to 'barbican'.
+#
+# [*sync_db*]
+#   (optional) Run barbican-db-manage on api nodes.
+#   Defaults to true
+#
+# [*db_auto_create*]
+#   (optional) Barbican API server option to create the database
+#   automatically when the server starts.
+#   Defaults to $::os_service_default
+#
 class barbican::api (
  $ensure_package                                = 'present',
  $client_package_ensure                         = 'present',
@ -213,8 +241,15 @@ class barbican::api (
  $kombu_ssl_version                             = $::os_service_default,
  $kombu_reconnect_delay                         = $::os_service_default,
  $kombu_compression                             = $::os_service_default,
+  $auth_type                                     = 'keystone',
+  $identity_uri                                  = 'http://localhost:35357',
+  $keystone_password                             = undef,
+  $keystone_tenant                               = 'services',
+  $keystone_user                                 = 'barbican',
  $manage_service                                = true,
  $enabled                                       = true,
+  $sync_db                                       = true,
+  $db_auto_create                                = $::os_service_default,
 ) inherits barbican::params {

  include ::barbican::db
@ -250,7 +285,7 @@ class barbican::api (
  package { 'barbican-api':
    ensure => $ensure_package,
    name   => $::barbican::params::api_package_name,
-    tag    => ['openstack', 'barbican-api-package'],
+    tag    => ['openstack', 'barbican-package'],
  }

  File['/etc/barbican/barbican.conf']          -> Barbican_config<||>
@ -328,6 +363,30 @@ class barbican::api (
    'certificate_event/enabled_certificate_event_plugins': value => $enabled_certificate_event_plugins;
  }

+  # keystone config
+  if $auth_type == 'keystone' {
+    if $keystone_password == undef {
+      fail('keystone_password must be defined')
+    }
+
+    barbican_api_paste_ini {
+      'pipeline:barbican_api/pipeline':              value => 'cors keystone_authtoken context apiapp';
+      'filter:keystone_authtoken/identity_uri':      value => $identity_uri;
+      'filter:keystone_authtoken/admin_tenant_name': value => $keystone_tenant;
+      'filter:keystone_authtoken/admin_user'       : value => $keystone_user;
+      'filter:keystone_authtoken/admin_password'   : value => $keystone_password, secret => true;
+    }
+  } else {
+    barbican_api_paste_ini {
+      'pipeline:barbican_api/pipeline':              value => 'cors unauthenticated-context apiapp';
+      'filter:keystone_authtoken/identity_uri':      ensure => 'absent';
+      'filter:keystone_authtoken/admin_tenant_name': ensure => 'absent';
+      'filter:keystone_authtoken/admin_user'       : ensure => 'absent';
+      'filter:keystone_authtoken/admin_password'   : ensure => 'absent';
+    }
+  }
+
+
  if $manage_service {
    if $enabled {
      $service_ensure = 'running'
@ -336,6 +395,14 @@ class barbican::api (
    }
  }

+  # set value to have the server auto-create the database on startup
+  # instead of using db_sync
+  barbican_config { 'DEFAULT/db_auto_create': value => $db_auto_create }
+
+  if $sync_db {
+    include ::barbican::db::sync
+  }
+
  service { 'barbican-api':
    ensure     => $service_ensure,
    name       => $::barbican::params::api_service_name,
--- a/manifests/keystone/auth.pp
+++ b/manifests/keystone/auth.pp
@ -68,9 +68,9 @@ class barbican::keystone::auth (
  $real_service_name    = pick($service_name, $auth_name)

  if $configure_user_role {
-    Keystone_user_role["${auth_name}@${tenant}"] ~> Service <| name == 'barbican-server' |>
+    Keystone_user_role["${auth_name}@${tenant}"] ~> Service <| name == 'barbican-api' |>
  }
-  Keystone_endpoint["${region}/${real_service_name}::${service_name}"]  ~> Service <| name == 'barbican-server' |>
+  Keystone_endpoint["${region}/${real_service_name}::${service_type}"]  ~> Service <| name == 'barbican-api' |>

  keystone::resource::service_identity { 'barbican':
    configure_user      => $configure_user,
--- a/manifests/plugins/dogtag.pp
+++ b/manifests/plugins/dogtag.pp
@ -52,7 +52,6 @@ class barbican::plugins::dogtag (
  $dogtag_plugin_plugin_working_dir = $::os_service_default,
 ) {

-  include ::barbican::api
  include ::barbican::params

  if $dogtag_plugin_nss_password == undef {
@ -62,8 +61,8 @@ class barbican::plugins::dogtag (
  package {'dogtag-client':
    ensure => $dogtag_plugin_ensure_package,
    name   => $::barbican::params::dogtag_client_package,
-    tag    => ['openstack', 'dogtag-client-package']
-  } -> Service['barbican-api']
+    tag    => ['openstack', 'barbican-package']
+  }

  barbican_config {
    'dogtag_plugin/pem_path':           value => $dogtag_plugin_pem_path;
@ -75,4 +74,6 @@ class barbican::plugins::dogtag (
    'dogtag_plugin/ca_expiration_time': value => $dogtag_plugin_ca_expiration_time;
    'dogtag_plugin/plugin_working_dir': value => $dogtag_plugin_plugin_working_dir;
  }
+
+  Package['dogtag-client'] -> Barbican_config<||>
 }
--- a/spec/acceptance/basic_barbican_spec.rb
+++ b/spec/acceptance/basic_barbican_spec.rb
@ -5,6 +5,7 @@ describe 'barbican::api class' do
      include ::openstack_integration
      include ::openstack_integration::repos
      include ::openstack_integration::mysql
+      include ::openstack_integration::keystone

      case $::osfamily {
        'Debian': {
@ -14,6 +15,10 @@ describe 'barbican::api class' do
          # Barbican resources
          include ::barbican

+          class { '::barbican::keystone::auth':
+            password => 'a_big_secret',
+          }
+
          class { '::barbican::api::logging':
            verbose => true,
          }
@ -24,9 +29,20 @@ describe 'barbican::api class' do
          class { '::barbican::keystone::notification':
          }

+          class { '::barbican::db::mysql':
+            password => 'a_big_secret',
+          }
+
+          class { '::barbican::db':
+            database_connection => 'mysql+pymysql://barbican:a_big_secret@127.0.0.1/barbican?charset=utf8',
+          }
+
          class { '::barbican::api':
-            enabled_certificate_plugins => ['simple_certificate','dogtag'],
-            host_href                   => 'http://localhost:9311'
+            host_href                         => 'http://localhost:9311',
+            auth_type                         => 'keystone',
+            keystone_password                 => 'a_big_secret',
+            enabled_certificate_plugins       => ['snakeoil_ca'],
+            db_auto_create                    => false,
          }
        }
      }
@ -35,13 +51,13 @@ describe 'barbican::api class' do
    it 'should work with no errors' do
      # Run it twice and test for idempotency
      apply_manifest(pp, :catch_failures => true)
-      apply_manifest(pp, :catch_changes => true)
+      apply_manifest(pp, :catch_changes  => true)
    end

    if os[:family].casecmp('RedHat') == 0
      describe 'store a secret' do
        it 'should store a secret' do
-          shell('barbican -N --os-project-id 12345 --endpoint http://localhost:9311 secret store --payload "my big bad secret"') do |r|
+          shell('barbican --os-username barbican --os-password a_big_secret --os-tenant-name services --os-auth-url http://127.0.0.1:5000/v2.0 --endpoint http://localhost:9311 secret store --payload "my big bad secret" --os-identity-api-version 2') do |r|
            expect(r.stdout).to match(/ACTIVE/)
          end
        end
@ -49,7 +65,7 @@ describe 'barbican::api class' do

      describe 'generate a secret' do
        it 'should generate a secret' do
-          shell('barbican -N --os-project-id 12345 --endpoint http://localhost:9311 secret order create key --name foo') do |r|
+          shell('barbican --os-username barbican --os-password a_big_secret --os-tenant-name services --os-auth-url http://127.0.0.1:5000/v2.0 --endpoint http://localhost:9311 secret order create key --name foo --os-identity-api-version 2') do |r|
            expect(r.stdout).to match(/Order href/)
          end
        end
--- a/spec/classes/barbican_api_spec.rb
+++ b/spec/classes/barbican_api_spec.rb
@ -45,12 +45,17 @@ describe 'barbican::api' do
      :enabled_crypto_plugins                        => ['<SERVICE DEFAULT>'],
      :enabled_certificate_plugins                   => ['<SERVICE DEFAULT>'],
      :enabled_certificate_event_plugins             => ['<SERVICE DEFAULT>'],
+      :auth_type                                     => 'keystone',
+      :identity_uri                                  => 'http://localhost:35357',
+      :keystone_password                             => 'foo',
      :retry_scheduler_initial_delay_seconds         => '<SERVICE DEFAULT>',
      :retry_scheduler_periodic_interval_max_seconds => '<SERVICE DEFAULT>',
    }
  end

-  [{},
+  [{
+      :keystone_password                  => 'foo',
+   },
   {
      :bind_host                                     => '127.0.0.1',
      :bind_port                                     => '9312',
@ -87,6 +92,8 @@ describe 'barbican::api' do
      :max_allowed_secret_in_bytes                   => 20000,
      :max_allowed_request_size_in_bytes             => 2000000,
      :enabled                                       => false,
+      :identity_uri                                  => 'https://keystone.example.com:35357',
+      :keystone_password                             => 'bar',
    }
  ].each do |param_set|

@ -165,11 +172,30 @@ describe 'barbican::api' do
    end
  end

+  describe 'with keystone auth' do
+    let :params do
+      {
+        :auth_type            => 'keystone',
+        :keystone_password    => 'foobar',
+      }
+    end
+
+    it 'is_expected.to set keystone params correctly' do
+      is_expected.to contain_barbican_api_paste_ini('pipeline:barbican_api/pipeline')\
+        .with_value('cors keystone_authtoken context apiapp')
+      is_expected.to contain_barbican_api_paste_ini('filter:keystone_authtoken/identity_uri')\
+        .with_value('http://localhost:35357')
+      is_expected.to contain_barbican_api_paste_ini('filter:keystone_authtoken/admin_tenant_name')\
+        .with_value('services')
+    end
+  end
+
  describe 'with disabled service managing' do
    let :params do
      {
        :manage_service => false,
        :enabled        => false,
+        :auth_type      => 'None',
      }
    end

@ -192,7 +218,7 @@ describe 'barbican::api' do
    let(:params) { default_params }

    it { is_expected.to contain_package('barbican-api').with(
-        :tag => ['openstack', 'barbican-api-package'],
+        :tag => ['openstack', 'barbican-package'],
    )}
  end

--- a/spec/classes/barbican_plugins_dogtag_spec.rb
+++ b/spec/classes/barbican_plugins_dogtag_spec.rb
@ -21,6 +21,7 @@ describe 'barbican::plugins::dogtag' do
      :dogtag_plugin_simple_cmc_profile   => '<SERVICE DEFAULT>',
      :dogtag_plugin_ca_expiration_time   => '<SERVICE DEFAULT>',
      :dogtag_plugin_plugin_working_dir   => '<SERVICE DEFAULT>',
+      :keystone_password                  => 'password',
    }
  end

@ -49,9 +50,9 @@ describe 'barbican::plugins::dogtag' do
        param_set
      end

-      it { is_expected.to contain_package('python-barbicanclient').with(
+      it { is_expected.to contain_package('dogtag-client').with(
        'ensure' => param_hash[:dogtag_plugin_ensure_package],
-        'tag'    => 'openstack',
+        'tag'    => ['openstack', 'barbican-package'],
      ) }

      it 'is_expected.to set dogtag parameters' do