From bf14bf1feb11f6a318780a208ec2a24822af7eb1 Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Tue, 22 Mar 2016 13:57:07 -0400 Subject: [PATCH] Added keystone config to barbican api manifest The acceptance test now has a barbican API server that runs in a gunicorn instance that uses keystone as an authentication source. We specify the snakeoil plugin because its a more useful and realistic plugin to use in acceptance tests. Fixed barbican manifest to not require including barbican::api, and fixed typo in dogtag spec. Added option to not autocreate the database. This allows use of mysql and dbsync when creating the database. Fixed a couple of package tags. Change-Id: I7c25f8692a4388874b05ab561602553f37e4961b Depends-On: Ia79f3d1bed0c2a66ed17ae2ee91ca70c73f6c434 Depends-On: Ic36fd606fe06202b0ca5b8eeaf5c5bdc2a5708fd --- manifests/api.pp | 69 +++++++++++++++++++- manifests/keystone/auth.pp | 4 +- manifests/plugins/dogtag.pp | 7 +- spec/acceptance/basic_barbican_spec.rb | 26 ++++++-- spec/classes/barbican_api_spec.rb | 30 ++++++++- spec/classes/barbican_plugins_dogtag_spec.rb | 5 +- 6 files changed, 126 insertions(+), 15 deletions(-) diff --git a/manifests/api.pp b/manifests/api.pp index e59dac37..679fbad5 100644 --- a/manifests/api.pp +++ b/manifests/api.pp @@ -168,6 +168,14 @@ # (string value) # Defaults to $::os_service_default # +# [*auth_type*] +# (optional) authentication type +# Defaults to 'keystone' +# +# [*identity_uri*] +# (optional) identity server URI, needed for keystone auth +# Defaults to 'http://localhost:35357' +# # [*manage_service*] # (optional) If Puppet should manage service startup / shutdown. # Defaults to true. 
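Review bot: The new `[*auth_type*]` entry says only "authentication type" and lists no accepted values, yet the implementation hunk later in this file switches the paste pipeline to `cors unauthenticated-context apiapp` for every value that is not exactly `'keystone'`, so a typo such as `'Keystone'` deploys an unauthenticated secret store. A deployer reading this header cannot see that risk. I would state the contract explicitly: `# (optional) authentication type. 'keystone' enables keystone_authtoken in the paste pipeline; any other value configures the API with no authentication (test use only).` The `[*identity_uri*]` entry should likewise say that the `http://localhost:35357` default is meant for a co-located test keystone, since the keystone_authtoken filter presents the service credentials to that endpoint and a plain-HTTP remote URI would send them in clear.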
@@ -176,6 +184,26 @@ # (optional) Whether to enable services. # Defaults to true. # +# [*keystone_password*] +# (required) Password used to authentication. +# +# [*keystone_tenant*] +# (optional) Tenant to authenticate to. +# Defaults to 'services'. +# +# [*keystone_user*] +# (optional) User to authenticate as with keystone. +# Defaults to 'barbican'. +# +# [*sync_db*] +# (optional) Run barbican-db-manage on api nodes. +# Defaults to true +# +# [*db_auto_create*] +# (optional) Barbican API server option to create the database +# automatically when the server starts. +# Defaults to $::os_service_default +# class barbican::api ( $ensure_package = 'present', $client_package_ensure = 'present', @@ -213,8 +241,15 @@ class barbican::api ( $kombu_ssl_version = $::os_service_default, $kombu_reconnect_delay = $::os_service_default, $kombu_compression = $::os_service_default, + $auth_type = 'keystone', + $identity_uri = 'http://localhost:35357', + $keystone_password = undef, + $keystone_tenant = 'services', + $keystone_user = 'barbican', $manage_service = true, $enabled = true, + $sync_db = true, + $db_auto_create = $::os_service_default, ) inherits barbican::params { include ::barbican::db @@ -250,7 +285,7 @@ class barbican::api ( package { 'barbican-api': ensure => $ensure_package, name => $::barbican::params::api_package_name, - tag => ['openstack', 'barbican-api-package'], + tag => ['openstack', 'barbican-package'], } File['/etc/barbican/barbican.conf'] -> Barbican_config<||> 
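Review bot: `# (required) Password used to authentication.` is ungrammatical and overstates the contract: the parameter defaults to `undef` in the next hunk and the class only fails on a missing value when `auth_type` is `'keystone'`. Suggest `# (required when auth_type is 'keystone') Password of the keystone service user barbican authenticates as.` The `[*sync_db*]` and `[*db_auto_create*]` entries should also say how they relate, because with both left at their defaults the schema may be managed twice, once by `barbican::db::sync` and once by the server on startup, if the service default is to auto-create (the acceptance test in this change has to set `db_auto_create => false` explicitly, which suggests it is). A sentence on `db_auto_create` such as `# Set to false when sync_db is used so the service's DB account does not need schema-creation rights.` would make the intended combination clear.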
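Review bot: `$identity_uri = 'http://localhost:35357'` makes the keystone admin endpoint plain HTTP by default, so a deployer who sets only `keystone_password` ends up with the `admin_password` written later in this file being presented to keystone over an unencrypted connection unless they also remember to override this parameter. `keystone_password` in the same hunk uses `undef` plus an explicit `fail` rather than a guessable default; either follow that pattern, `$identity_uri = undef,` with `fail('identity_uri must be defined')` under the keystone branch, or keep the localhost default and say in the parameter documentation that it is only appropriate when keystone is co-located and the admin port is not exposed. For a key-manager API the cost of a silently insecure default is higher than for most services.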
@@ -328,6 +363,30 @@ class barbican::api ( 'certificate_event/enabled_certificate_event_plugins': value => $enabled_certificate_event_plugins; } + # keystone config + if $auth_type == 'keystone' { + if $keystone_password == undef { + fail('keystone_password must be defined') + } + + barbican_api_paste_ini { + 'pipeline:barbican_api/pipeline': value => 'cors keystone_authtoken context apiapp'; + 'filter:keystone_authtoken/identity_uri': value => $identity_uri; + 'filter:keystone_authtoken/admin_tenant_name': value => $keystone_tenant; + 'filter:keystone_authtoken/admin_user' : value => $keystone_user; + 'filter:keystone_authtoken/admin_password' : value => $keystone_password, secret => true; + } + } else { + barbican_api_paste_ini { + 'pipeline:barbican_api/pipeline': value => 'cors unauthenticated-context apiapp'; + 'filter:keystone_authtoken/identity_uri': ensure => 'absent'; + 'filter:keystone_authtoken/admin_tenant_name': ensure => 'absent'; + 'filter:keystone_authtoken/admin_user' : ensure => 'absent'; + 'filter:keystone_authtoken/admin_password' : ensure => 'absent'; + } + } + + if $manage_service { if $enabled { $service_ensure = 'running' @@ -336,6 +395,14 @@ class barbican::api ( } } + # set value to have the server auto-create the database on startup + # instead of using db_sync + barbican_config { 'DEFAULT/db_auto_create': value => $db_auto_create } + + if $sync_db { + include ::barbican::db::sync + } + service { 'barbican-api': ensure => $service_ensure, name => $::barbican::params::api_service_name, diff --git a/manifests/keystone/auth.pp b/manifests/keystone/auth.pp index b2f544f6..75e1d95e 100644 --- a/manifests/keystone/auth.pp +++ b/manifests/keystone/auth.pp 
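Review bot: The `else` branch at the end of the keystone block writes `cors unauthenticated-context apiapp` for every `$auth_type` that is not exactly `'keystone'`, so a misspelling or stray whitespace in the parameter silently deploys Barbican with no authentication at all; the spec in this change passes `'None'`, which shows arbitrary values are accepted. Unauthenticated operation should have to be requested by name: `} elsif $auth_type == 'None' {` for the existing branch body and `} else { fail("unsupported auth_type '${auth_type}'") }` after it, using whichever literal the module intends for the no-auth case. Separately, `$keystone_password == undef` does not reject an empty string on Puppet 4, where `''` and `undef` are distinct, so `if $keystone_password == undef or $keystone_password == '' {` is the safer guard. Marking `admin_password` with `secret => true` is the right call and should stay.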
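Review bot: `barbican_config { 'DEFAULT/db_auto_create': ... }` is placed after the `$manage_service`/`$service_ensure` logic, away from the other `barbican_config` resources earlier in the class, and nothing explains how it interacts with the `include ::barbican::db::sync` that follows it. With `sync_db` true by default, the least-privilege combination is to also set `db_auto_create` to false so the runtime database account needs no DDL rights, but the defaults here appear to leave both mechanisms on if the service default is to auto-create, which the acceptance test's explicit `db_auto_create => false` suggests. I would add above the resource: `# db_auto_create lets the server create tables on first start; deployments that run barbican::db::sync should set it to false so the service's DB user can be restricted to DML.` The enclosing class continues outside this hunk.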
@@ -68,9 +68,9 @@ class barbican::keystone::auth ( $real_service_name = pick($service_name, $auth_name) if $configure_user_role { - Keystone_user_role["${auth_name}@${tenant}"] ~> Service <| name == 'barbican-server' |> + Keystone_user_role["${auth_name}@${tenant}"] ~> Service <| name == 'barbican-api' |> } - Keystone_endpoint["${region}/${real_service_name}::${service_name}"] ~> Service <| name == 'barbican-server' |> + Keystone_endpoint["${region}/${real_service_name}::${service_type}"] ~> Service <| name == 'barbican-api' |> keystone::resource::service_identity { 'barbican': configure_user => $configure_user, diff --git a/manifests/plugins/dogtag.pp b/manifests/plugins/dogtag.pp index 29c898e4..1ffb4878 100644 --- a/manifests/plugins/dogtag.pp +++ b/manifests/plugins/dogtag.pp @@ -52,7 +52,6 @@ class barbican::plugins::dogtag ( $dogtag_plugin_plugin_working_dir = $::os_service_default, ) { - include ::barbican::api include ::barbican::params if $dogtag_plugin_nss_password == undef { @@ -62,8 +61,8 @@ class barbican::plugins::dogtag ( package {'dogtag-client': ensure => $dogtag_plugin_ensure_package, name => $::barbican::params::dogtag_client_package, - tag => ['openstack', 'dogtag-client-package'] - } -> Service['barbican-api'] + tag => ['openstack', 'barbican-package'] + } barbican_config { 'dogtag_plugin/pem_path': value => $dogtag_plugin_pem_path; @@ -75,4 +74,6 @@ class barbican::plugins::dogtag ( 'dogtag_plugin/ca_expiration_time': value => $dogtag_plugin_ca_expiration_time; 'dogtag_plugin/plugin_working_dir': value => $dogtag_plugin_plugin_working_dir; } + + Package['dogtag-client'] -> Barbican_config<||> } diff --git a/spec/acceptance/basic_barbican_spec.rb b/spec/acceptance/basic_barbican_spec.rb index d0d5073b..23ba7197 100644 --- a/spec/acceptance/basic_barbican_spec.rb +++ b/spec/acceptance/basic_barbican_spec.rb 
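Review bot: Dropping `-> Service['barbican-api']` from `package {'dogtag-client': ...}` leaves this file with no ordering between the client package and the service; the `Package['dogtag-client'] -> Barbican_config<||>` added in the following hunk only orders it before the config writes. Presumably the `'barbican-package'` tag is collected elsewhere (in `barbican::api`, now that the `include` is gone) and chained to the service, but that is outside this diff and a reader of the plugin class can no longer see why the tag matters, so a comment on the `tag` line is warranted: `# 'barbican-package' is collected by barbican::api to order packages before barbican-api`. Please confirm the collector exists, otherwise the class has lost its install-before-start guarantee.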
@@ -5,6 +5,7 @@ describe 'barbican::api class' do include ::openstack_integration include ::openstack_integration::repos include ::openstack_integration::mysql + include ::openstack_integration::keystone case $::osfamily { 'Debian': { @@ -14,6 +15,10 @@ describe 'barbican::api class' do # Barbican resources include ::barbican + class { '::barbican::keystone::auth': + password => 'a_big_secret', + } + class { '::barbican::api::logging': verbose => true, } @@ -24,9 +29,20 @@ describe 'barbican::api class' do class { '::barbican::keystone::notification': } + class { '::barbican::db::mysql': + password => 'a_big_secret', + } + + class { '::barbican::db': + database_connection => 'mysql+pymysql://barbican:a_big_secret@127.0.0.1/barbican?charset=utf8', + } + class { '::barbican::api': - enabled_certificate_plugins => ['simple_certificate','dogtag'], - host_href => 'http://localhost:9311' + host_href => 'http://localhost:9311', + auth_type => 'keystone', + keystone_password => 'a_big_secret', + enabled_certificate_plugins => ['snakeoil_ca'], + db_auto_create => false, } } } @@ -35,13 +51,13 @@ describe 'barbican::api class' do it 'should work with no errors' do # Run it twice and test for idempotency apply_manifest(pp, :catch_failures => true) - apply_manifest(pp, :catch_changes => true) + apply_manifest(pp, :catch_changes => true) end if os[:family].casecmp('RedHat') == 0 describe 'store a secret' do it 'should store a secret' do - shell('barbican -N --os-project-id 12345 --endpoint http://localhost:9311 secret store --payload "my big bad secret"') do |r| + shell('barbican --os-username barbican --os-password a_big_secret --os-tenant-name services --os-auth-url http://127.0.0.1:5000/v2.0 --endpoint http://localhost:9311 secret store --payload "my big bad secret" --os-identity-api-version 2') do |r| expect(r.stdout).to match(/ACTIVE/) end end 
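Review bot: The same literal `a_big_secret` is used for the keystone service user, the MySQL user in `barbican::db::mysql` and the `database_connection` URL, which means a manifest that wired `keystone_password` into the wrong config key would still pass this acceptance run. Using a distinct value per credential, e.g. `password => 'a_db_secret'` for `barbican::db::mysql` with the matching `mysql+pymysql://barbican:a_db_secret@127.0.0.1/barbican?charset=utf8` URL, makes a cross-wiring fail loudly. Switching `enabled_certificate_plugins` to `['snakeoil_ca']` is a sensible fixture change and is not the concern here.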
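Review bot: The `shell(...)` call now stores the secret as the `barbican` service user in the `services` tenant, the same identity and password that `barbican::api` is given as `keystone_password` for token validation, so the test proves a service account can use the API but never exercises an ordinary project user, which is the case keystone_authtoken exists for. The password also sits in `argv`, visible to any local process while the command runs; acceptable on a throwaway test node but worth a one-line comment such as `# service account reused for the smoke test; not representative of an end-user call`. Factoring the repeated `--os-username ... --os-identity-api-version 2` arguments into a local like `auth_args = '--os-username barbican --os-password a_big_secret --os-tenant-name services --os-auth-url http://127.0.0.1:5000/v2.0 --os-identity-api-version 2'` would also keep the two shell commands in this file from drifting apart.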
@@ -49,7 +65,7 @@ describe 'barbican::api class' do describe 'generate a secret' do it 'should generate a secret' do - shell('barbican -N --os-project-id 12345 --endpoint http://localhost:9311 secret order create key --name foo') do |r| + shell('barbican --os-username barbican --os-password a_big_secret --os-tenant-name services --os-auth-url http://127.0.0.1:5000/v2.0 --endpoint http://localhost:9311 secret order create key --name foo --os-identity-api-version 2') do |r| expect(r.stdout).to match(/Order href/) end end diff --git a/spec/classes/barbican_api_spec.rb b/spec/classes/barbican_api_spec.rb index a1333928..e13634b9 100644 --- a/spec/classes/barbican_api_spec.rb +++ b/spec/classes/barbican_api_spec.rb @@ -45,12 +45,17 @@ describe 'barbican::api' do :enabled_crypto_plugins => [''], :enabled_certificate_plugins => [''], :enabled_certificate_event_plugins => [''], + :auth_type => 'keystone', + :identity_uri => 'http://localhost:35357', + :keystone_password => 'foo', :retry_scheduler_initial_delay_seconds => '', :retry_scheduler_periodic_interval_max_seconds => '', } end - [{}, + [{ + :keystone_password => 'foo', + }, { :bind_host => '127.0.0.1', :bind_port => '9312', @@ -87,6 +92,8 @@ describe 'barbican::api' do :max_allowed_secret_in_bytes => 20000, :max_allowed_request_size_in_bytes => 2000000, :enabled => false, + :identity_uri => 'https://keystone.example.com:35357', + :keystone_password => 'bar', } ].each do |param_set| 
@@ -165,11 +172,30 @@ describe 'barbican::api' do end end + describe 'with keystone auth' do + let :params do + { + :auth_type => 'keystone', + :keystone_password => 'foobar', + } + end + + it 'is_expected.to set keystone params correctly' do + is_expected.to contain_barbican_api_paste_ini('pipeline:barbican_api/pipeline')\ + .with_value('cors keystone_authtoken context apiapp') + is_expected.to contain_barbican_api_paste_ini('filter:keystone_authtoken/identity_uri')\ + .with_value('http://localhost:35357') + is_expected.to contain_barbican_api_paste_ini('filter:keystone_authtoken/admin_tenant_name')\ + .with_value('services') + end + end + describe 'with disabled service managing' do let :params do { :manage_service => false, :enabled => false, + :auth_type => 'None', } end @@ -192,7 +218,7 @@ describe 'barbican::api' do let(:params) { default_params } it { is_expected.to contain_package('barbican-api').with( - :tag => ['openstack', 'barbican-api-package'], + :tag => ['openstack', 'barbican-package'], )} end diff --git a/spec/classes/barbican_plugins_dogtag_spec.rb b/spec/classes/barbican_plugins_dogtag_spec.rb index 643a455b..266c91a9 100644 --- a/spec/classes/barbican_plugins_dogtag_spec.rb +++ b/spec/classes/barbican_plugins_dogtag_spec.rb @@ -21,6 +21,7 @@ describe 'barbican::plugins::dogtag' do :dogtag_plugin_simple_cmc_profile => '', :dogtag_plugin_ca_expiration_time => '', :dogtag_plugin_plugin_working_dir => '', + :keystone_password => 'password', } end @@ -49,9 +50,9 @@ describe 'barbican::plugins::dogtag' do param_set end - it { is_expected.to contain_package('python-barbicanclient').with( + it { is_expected.to contain_package('dogtag-client').with( 'ensure' => param_hash[:dogtag_plugin_ensure_package], - 'tag' => 'openstack', + 'tag' => ['openstack', 'barbican-package'], ) } it 'is_expected.to set dogtag parameters' do
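Review bot: The new `with keystone auth` example checks the pipeline, `identity_uri` and `admin_tenant_name` but not the two assertions that matter most for this change: that `filter:keystone_authtoken/admin_password` is written `.with_value('foobar').with_secret(true)` so it is redacted from agent logs and reports, and that omitting `keystone_password` makes the catalog fail. A second example such as `context 'without keystone_password' do let(:params) { { :auth_type => 'keystone' } }; it { is_expected.to raise_error(Puppet::Error, /keystone_password must be defined/) } end` would pin the `fail` path. The `:auth_type => 'None'` added to the disabled-service example should likewise be followed by an assertion that the pipeline is `cors unauthenticated-context apiapp`, otherwise the no-auth branch is exercised but never verified.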
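Review bot: `:keystone_password => 'password'` is added to the dogtag spec's `default_params`, but `barbican::plugins::dogtag` no longer includes `barbican::api` after this change and has no `keystone_password` parameter of its own. If `default_params` is passed straight to the dogtag class (how the hash is consumed is outside this hunk) the unknown parameter will make the catalog compile fail; if it feeds a `pre_condition` that declares `barbican::api`, a comment such as `# consumed by the barbican::api pre_condition, not by the dogtag class` would stop the next reader from removing it. Please confirm which it is.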