Browse Source

Do not update barbican_api pipeline when keystone auth is used

The barbican_api pipeline is not longer used by default and the current
default pipeline, barbican-api, includes the required middleware to
use keystone auth.
This change removes the logic to tweak the barbican_api pipeline when
keystone auth is used.

One remaining knwon issue is that current barbican_api_paste_ini
doesn't support updating the root composite to replace the pipeline
used by the one without keystoneauth.
Currently usage of auth_strategy != 'keystone' just shows warning and
users should manually edit the pipeline.

Closes-Bug: #1946378
Change-Id: I34fecc5265cbc9bc6d5b46b5a96f056b47b64c59
changes/41/813041/3
Takashi Kajinami 2 months ago
parent
commit
e983630199
  1. 35
      manifests/api.pp
  2. 7
      spec/classes/barbican_api_spec.rb

35
manifests/api.pp

@ -407,30 +407,25 @@ class barbican::api (
'secretstore/stores_lookup_suffix': value => $enabled_secret_stores;
}
# TODO(tkajinam): Make sure the barbican_api pipeline is reset from the wrong
# value defined because of bug 1946378.
# This logic should be removed after Yoga cycle
barbican_api_paste_ini {
'pipeline:barbican_api/pipeline': value => 'cors http_proxy_to_wsgi unauthenticated-context apiapp';
}
# keystone config
if $auth_strategy == 'keystone' {
include barbican::keystone::authtoken
barbican_api_paste_ini {
'pipeline:barbican_api/pipeline': value => 'cors authtoken context apiapp';
}
} else {
barbican_api_paste_ini {
'pipeline:barbican_api/pipeline': value => 'cors unauthenticated-context apiapp';
}
barbican_config {
'keystone_authtoken/auth_plugin': ensure => 'absent';
'keystone_authtoken/auth_type': ensure => 'absent';
'keystone_authtoken/www_authenticate_uri': ensure => 'absent';
'keystone_authtoken/project_name': ensure => 'absent';
'keystone_authtoken/username': ensure => 'absent';
'keystone_authtoken/password': ensure => 'absent';
'keystone_authtoken/user_domain_id': ensure => 'absent';
'keystone_authtoken/project_domain_id': ensure => 'absent';
}
# TODO(tkajinam): We need to fix the barbican_api_paste_ini provider to
# support the following configuration.
#
# [composite:main]
# ...
# /v1: barbican_api
#
warning('The pipeline definiton should be updated manually when keystone is not used')
}

7
spec/classes/barbican_api_spec.rb

@ -197,6 +197,11 @@ describe 'barbican::api' do
is_expected.to contain_barbican_config('secretstore/enable_multiple_secret_stores') \
.with_value(param_hash[:multiple_secret_stores_enabled])
end
it 'resets the barbican_api pipeline' do
is_expected.to contain_barbican_api_paste_ini('pipeline:barbican_api/pipeline')\
.with_value('cors http_proxy_to_wsgi unauthenticated-context apiapp')
end
end
end
@ -297,8 +302,6 @@ describe 'barbican::api' do
end
it 'is_expected.to set keystone params correctly' do
is_expected.to contain_barbican_api_paste_ini('pipeline:barbican_api/pipeline')\
.with_value('cors authtoken context apiapp')
is_expected.to contain_class('barbican::keystone::authtoken')
end
end

Loading…
Cancel
Save