From e9836301999d7baf134139b6e00021cceb3e969f Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Fri, 8 Oct 2021 00:06:11 +0900
Subject: [PATCH] Do not update barbican_api pipeline when keystone auth is used
The barbican_api pipeline is not longer used by default and the current default pipeline, barbican-api, includes the required middleware to use keystone auth. This change removes the logic to tweak the barbican_api pipeline when keystone auth is used. One remaining knwon issue is that current barbican_api_paste_ini doesn't support updating the root composite to replace the pipeline used by the one without keystoneauth. Currently usage of auth_strategy != 'keystone' just shows warning and users should manually edit the pipeline.
Closes-Bug: #1946378
Change-Id: I34fecc5265cbc9bc6d5b46b5a96f056b47b64c59
---
 manifests/api.pp | 35 +++++++++++++------------------
 spec/classes/barbican_api_spec.rb | 7 +++++--
 2 files changed, 20 insertions(+), 22 deletions(-)
diff --git a/manifests/api.pp b/manifests/api.pp
index 5cf5c50b..00b17686 100644
--- a/manifests/api.pp
+++ b/manifests/api.pp
@@ -407,30 +407,25 @@ class barbican::api ( 'secretstore/stores_lookup_suffix': value => $enabled_secret_stores; } + # TODO(tkajinam): Make sure the barbican_api pipeline is reset from the wrong + # value defined because of bug 1946378. + # This logic should be removed after Yoga cycle + barbican_api_paste_ini { + 'pipeline:barbican_api/pipeline': value => 'cors http_proxy_to_wsgi unauthenticated-context apiapp'; + } + # keystone config if $auth_strategy == 'keystone' { - include barbican::keystone::authtoken - - barbican_api_paste_ini { - 'pipeline:barbican_api/pipeline': value => 'cors authtoken context apiapp'; - } - } else { - barbican_api_paste_ini { - 'pipeline:barbican_api/pipeline': value => 'cors unauthenticated-context apiapp'; - } - - barbican_config { - 'keystone_authtoken/auth_plugin': ensure => 'absent'; - 'keystone_authtoken/auth_type': ensure => 'absent'; - 'keystone_authtoken/www_authenticate_uri': ensure => 'absent'; - 'keystone_authtoken/project_name': ensure => 'absent'; - 'keystone_authtoken/username': ensure => 'absent'; - 'keystone_authtoken/password': ensure => 'absent'; - 'keystone_authtoken/user_domain_id': ensure => 'absent'; - 'keystone_authtoken/project_domain_id': ensure => 'absent'; - } + # TODO(tkajinam): We need to fix the barbican_api_paste_ini provider to + # support the following configuration. + # + # [composite:main] + # ... + # /v1: barbican_api + # + warning('The pipeline definiton should be updated manually when keystone is not used') } diff --git a/spec/classes/barbican_api_spec.rb b/spec/classes/barbican_api_spec.rb index adb9ba5f..d8d62e2f 100644 --- a/spec/classes/barbican_api_spec.rb +++ b/spec/classes/barbican_api_spec.rb 
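Review bot: As the hunk reads on this page, the `if $auth_strategy == 'keystone' {` line is unchanged but its body is now only the warning, whose text says keystone is not used, and `include barbican::keystone::authtoken` is on the removed side even though the spec change in this same patch still expects `contain_class('barbican::keystone::authtoken')`. If the new side really looks like that, keystone deployments stop getting their `[keystone_authtoken]` settings managed and non-keystone deployments never see the warning; the first branch should keep `include barbican::keystone::authtoken` and the comment plus `warning(...)` should sit under `} else {`. Separately, the unconditional resource sets `pipeline:barbican_api/pipeline` to a chain with `unauthenticated-context` and no `authtoken`, so a node whose `[composite:main]` still maps `/v1` to `barbican_api` would answer without token validation after this change even with keystone selected; the composite is not visible here, so that assumption deserves a line in the TODO comment and in the release note. The non-keystone path also no longer sets `keystone_authtoken/password` and the related options to `absent`, so a previously written service credential would stay in the config file. The class body starts and continues outside the hunk.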
@@ -197,6 +197,11 @@ describe 'barbican::api' do
 is_expected.to contain_barbican_config('secretstore/enable_multiple_secret_stores') \
 .with_value(param_hash[:multiple_secret_stores_enabled])
 end
+
+ it 'resets the barbican_api pipeline' do
+ is_expected.to contain_barbican_api_paste_ini('pipeline:barbican_api/pipeline')\
+ .with_value('cors http_proxy_to_wsgi unauthenticated-context apiapp')
+ end
 end
 end
 
@@ -297,8 +302,6 @@ describe 'barbican::api' do
 end
 
 it 'is_expected.to set keystone params correctly' do
- is_expected.to contain_barbican_api_paste_ini('pipeline:barbican_api/pipeline')\
- .with_value('cors authtoken context apiapp')
 is_expected.to contain_class('barbican::keystone::authtoken')
 end
 end
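Review bot: The added example pins `pipeline:barbican_api/pipeline` to a chain that contains `unauthenticated-context` and no `authtoken`, yet nothing visible in these hunks exercises the new warning path or records why an unauthenticated chain is the expected value. I would put a comment above the example, `# barbican_api is expected to be unused; the default barbican-api pipeline serves the API (bug 1946378)`, and add an example for an `auth_strategy` other than keystone that checks the catalog compiles. The second hunk keeps `contain_class('barbican::keystone::authtoken')`, which passes only if the manifest still includes that class, so it should be checked against the manifest change in this patch. The enclosing `describe` and context blocks start outside both hunks.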