Do not update barbican_api pipeline when keystone auth is used

The barbican_api pipeline is not longer used by default and the current default pipeline, barbican-api, includes the required middleware to use keystone auth. This change removes the logic to tweak the barbican_api pipeline when keystone auth is used. One remaining knwon issue is that current barbican_api_paste_ini doesn't support updating the root composite to replace the pipeline used by the one without keystoneauth. Currently usage of auth_strategy != 'keystone' just shows warning and users should manually edit the pipeline. Closes-Bug: #1946378 Change-Id: I34fecc5265cbc9bc6d5b46b5a96f056b47b64c59
2021-10-08 00:06:11 +09:00 · 2021-10-08 00:06:11 +09:00 · e983630199
parent deeac557a9
commit e983630199
2 changed files with 20 additions and 22 deletions
--- a/manifests/api.pp
+++ b/manifests/api.pp
@ -407,30 +407,25 @@ class barbican::api (
    'secretstore/stores_lookup_suffix':          value => $enabled_secret_stores;
  }

+  # TODO(tkajinam): Make sure the barbican_api pipeline is reset from the wrong
+  #                 value defined because of bug 1946378.
+  #                 This logic should be removed after Yoga cycle
+  barbican_api_paste_ini {
+    'pipeline:barbican_api/pipeline': value => 'cors http_proxy_to_wsgi unauthenticated-context apiapp';
+  }
+
  # keystone config
  if $auth_strategy == 'keystone' {
-
    include barbican::keystone::authtoken
-
-    barbican_api_paste_ini {
-      'pipeline:barbican_api/pipeline': value => 'cors authtoken context apiapp';
-    }
-
  } else {
-    barbican_api_paste_ini {
-      'pipeline:barbican_api/pipeline': value => 'cors unauthenticated-context apiapp';
-    }
-
-    barbican_config {
-      'keystone_authtoken/auth_plugin':          ensure => 'absent';
-      'keystone_authtoken/auth_type':            ensure => 'absent';
-      'keystone_authtoken/www_authenticate_uri': ensure => 'absent';
-      'keystone_authtoken/project_name':         ensure => 'absent';
-      'keystone_authtoken/username':             ensure => 'absent';
-      'keystone_authtoken/password':             ensure => 'absent';
-      'keystone_authtoken/user_domain_id':       ensure => 'absent';
-      'keystone_authtoken/project_domain_id':    ensure => 'absent';
-    }
+    # TODO(tkajinam): We need to fix the barbican_api_paste_ini provider to
+    #                 support the following configuration.
+    #
+    #                 [composite:main]
+    #                 ...
+    #                 /v1: barbican_api
+    #
+    warning('The pipeline definiton should be updated manually when keystone is not used')
  }


--- a/spec/classes/barbican_api_spec.rb
+++ b/spec/classes/barbican_api_spec.rb
@ -197,6 +197,11 @@ describe 'barbican::api' do
          is_expected.to contain_barbican_config('secretstore/enable_multiple_secret_stores') \
            .with_value(param_hash[:multiple_secret_stores_enabled])
        end
+
+        it 'resets the barbican_api pipeline' do
+          is_expected.to contain_barbican_api_paste_ini('pipeline:barbican_api/pipeline')\
+            .with_value('cors http_proxy_to_wsgi unauthenticated-context apiapp')
+        end
      end
    end

@ -297,8 +302,6 @@ describe 'barbican::api' do
      end

      it 'is_expected.to set keystone params correctly' do
-        is_expected.to contain_barbican_api_paste_ini('pipeline:barbican_api/pipeline')\
-          .with_value('cors authtoken context apiapp')
        is_expected.to contain_class('barbican::keystone::authtoken')
      end
    end