Do not update barbican_api pipeline when keystone auth is used

The barbican_api pipeline is not longer used by default and the current
default pipeline, barbican-api, includes the required middleware to
use keystone auth.
This change removes the logic to tweak the barbican_api pipeline when
keystone auth is used.

One remaining knwon issue is that current barbican_api_paste_ini
doesn't support updating the root composite to replace the pipeline
used by the one without keystoneauth.
Currently usage of auth_strategy != 'keystone' just shows warning and
users should manually edit the pipeline.

Closes-Bug: #1946378
Change-Id: I34fecc5265cbc9bc6d5b46b5a96f056b47b64c59
Takashi Kajinami 2021-10-08 00:06:11 +09:00
parent deeac557a9
commit e983630199
2 changed files with 20 additions and 22 deletions

View File

@ -407,30 +407,25 @@ class barbican::api (
'secretstore/stores_lookup_suffix': value => $enabled_secret_stores;
# TODO(tkajinam): Make sure the barbican_api pipeline is reset from the wrong
# value defined because of bug 1946378.
# This logic should be removed after Yoga cycle
barbican_api_paste_ini {
'pipeline:barbican_api/pipeline': value => 'cors http_proxy_to_wsgi unauthenticated-context apiapp';
# keystone config
if $auth_strategy == 'keystone' {
include barbican::keystone::authtoken
barbican_api_paste_ini {
'pipeline:barbican_api/pipeline': value => 'cors authtoken context apiapp';
} else {
barbican_api_paste_ini {
'pipeline:barbican_api/pipeline': value => 'cors unauthenticated-context apiapp';
barbican_config {
'keystone_authtoken/auth_plugin': ensure => 'absent';
'keystone_authtoken/auth_type': ensure => 'absent';
'keystone_authtoken/www_authenticate_uri': ensure => 'absent';
'keystone_authtoken/project_name': ensure => 'absent';
'keystone_authtoken/username': ensure => 'absent';
'keystone_authtoken/password': ensure => 'absent';
'keystone_authtoken/user_domain_id': ensure => 'absent';
'keystone_authtoken/project_domain_id': ensure => 'absent';
# TODO(tkajinam): We need to fix the barbican_api_paste_ini provider to
# support the following configuration.
# [composite:main]
# ...
# /v1: barbican_api
warning('The pipeline definiton should be updated manually when keystone is not used')

View File

@ -197,6 +197,11 @@ describe 'barbican::api' do contain_barbican_config('secretstore/enable_multiple_secret_stores') \
it 'resets the barbican_api pipeline' do contain_barbican_api_paste_ini('pipeline:barbican_api/pipeline')\
.with_value('cors http_proxy_to_wsgi unauthenticated-context apiapp')
@ -297,8 +302,6 @@ describe 'barbican::api' do
it ' set keystone params correctly' do contain_barbican_api_paste_ini('pipeline:barbican_api/pipeline')\
.with_value('cors authtoken context apiapp') contain_class('barbican::keystone::authtoken')