Support identity_uri and auth_uri properly.
This change aligns this module with others like heat, neutron, et al, by not automatically generating identity_uri and forcing it to be set directly if it should be used. Anyone not generating it will get a deprecation warning from cinder but it will still work for now. Change-Id: I2eab31d1aa5e848697a266a0f85385c7e2403141
parent
f6b83eaf56
commit
9b0ff06b6a
160
manifests/api.pp
160
manifests/api.pp
@ -20,16 +20,19 @@
|
|||||||
# Defaults to cinder
|
# Defaults to cinder
|
||||||
#
|
#
|
||||||
# [*keystone_auth_host*]
|
# [*keystone_auth_host*]
|
||||||
# (optional) The keystone host
|
# (optional) DEPRECATED The keystone host
|
||||||
# Defaults to localhost
|
# Defaults to localhost
|
||||||
|
# Use auth_uri instead.
|
||||||
#
|
#
|
||||||
# [*keystone_auth_port*]
|
# [*keystone_auth_port*]
|
||||||
# (optional) The keystone auth port
|
# (optional) DEPRECATED The keystone auth port
|
||||||
# Defaults to 35357
|
# Defaults to 35357
|
||||||
|
# Use auth_uri instead.
|
||||||
#
|
#
|
||||||
# [*keystone_auth_protocol*]
|
# [*keystone_auth_protocol*]
|
||||||
# (optional) The protocol used to access the auth host
|
# (optional) DEPRECATED The protocol used to access the auth host
|
||||||
# Defaults to http.
|
# Defaults to http.
|
||||||
|
# Use auth_uri instead.
|
||||||
#
|
#
|
||||||
# [*os_region_name*]
|
# [*os_region_name*]
|
||||||
# (optional) Some operations require cinder to make API requests
|
# (optional) Some operations require cinder to make API requests
|
||||||
@ -38,18 +41,27 @@
|
|||||||
# Defaults to undef.
|
# Defaults to undef.
|
||||||
#
|
#
|
||||||
# [*keystone_auth_admin_prefix*]
|
# [*keystone_auth_admin_prefix*]
|
||||||
# (optional) The admin_prefix used to admin endpoint of the auth host
|
# (optional) DEPRECATED The admin_prefix used to admin endpoint of the auth
|
||||||
# This allow admin auth URIs like http://auth_host:35357/keystone.
|
# host. This allow admin auth URIs like http://auth_host:35357/keystone.
|
||||||
# (where '/keystone' is the admin prefix)
|
# (where '/keystone' is the admin prefix)
|
||||||
# Defaults to false for empty. If defined, should be a string with a
|
# Defaults to false for empty. If defined, should be a string with a
|
||||||
# leading '/' and no trailing '/'.
|
# leading '/' and no trailing '/'.
|
||||||
|
# Use auth_uri instead.
|
||||||
#
|
#
|
||||||
# [*keystone_auth_uri*]
|
# [*keystone_auth_uri*]
|
||||||
|
# (optional) DEPRECATED Renamed to auth_uri
|
||||||
|
# Defaults to 'false'.
|
||||||
|
#
|
||||||
|
# [*auth_uri*]
|
||||||
# (optional) Public Identity API endpoint.
|
# (optional) Public Identity API endpoint.
|
||||||
# Defaults to 'false'.
|
# Defaults to 'false'.
|
||||||
#
|
#
|
||||||
|
# [*identity_uri*]
|
||||||
|
# (optional) Complete admin Identity API endpoint.
|
||||||
|
# Defaults to: false
|
||||||
|
#
|
||||||
# [*service_port*]
|
# [*service_port*]
|
||||||
# (optional) The cinder api port
|
# (optional) DEPRECATED The Keystone public api port
|
||||||
# Defaults to 5000
|
# Defaults to 5000
|
||||||
#
|
#
|
||||||
# [*service_workers*]
|
# [*service_workers*]
|
||||||
@ -112,13 +124,9 @@ class cinder::api (
|
|||||||
$keystone_enabled = true,
|
$keystone_enabled = true,
|
||||||
$keystone_tenant = 'services',
|
$keystone_tenant = 'services',
|
||||||
$keystone_user = 'cinder',
|
$keystone_user = 'cinder',
|
||||||
$keystone_auth_host = 'localhost',
|
$auth_uri = false,
|
||||||
$keystone_auth_port = '35357',
|
$identity_uri = false,
|
||||||
$keystone_auth_protocol = 'http',
|
|
||||||
$keystone_auth_admin_prefix = false,
|
|
||||||
$keystone_auth_uri = false,
|
|
||||||
$os_region_name = undef,
|
$os_region_name = undef,
|
||||||
$service_port = '5000',
|
|
||||||
$service_workers = $::processorcount,
|
$service_workers = $::processorcount,
|
||||||
$package_ensure = 'present',
|
$package_ensure = 'present',
|
||||||
$bind_host = '0.0.0.0',
|
$bind_host = '0.0.0.0',
|
||||||
@ -129,7 +137,14 @@ class cinder::api (
|
|||||||
$ratelimits_factory =
|
$ratelimits_factory =
|
||||||
'cinder.api.v1.limits:RateLimitingMiddleware.factory',
|
'cinder.api.v1.limits:RateLimitingMiddleware.factory',
|
||||||
$validate = false,
|
$validate = false,
|
||||||
|
# DEPRECATED PARAMETERS
|
||||||
$validation_options = {},
|
$validation_options = {},
|
||||||
|
$keystone_auth_uri = false,
|
||||||
|
$keystone_auth_host = 'localhost',
|
||||||
|
$keystone_auth_port = '35357',
|
||||||
|
$keystone_auth_protocol = 'http',
|
||||||
|
$keystone_auth_admin_prefix = false,
|
||||||
|
$service_port = '5000',
|
||||||
) {
|
) {
|
||||||
|
|
||||||
include ::cinder::params
|
include ::cinder::params
|
||||||
@ -191,45 +206,120 @@ class cinder::api (
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if $keystone_auth_uri {
|
if $keystone_auth_uri and $auth_uri {
|
||||||
$auth_uri = $keystone_auth_uri
|
fail('both keystone_auth_uri and auth_uri are set and they have the same meaning')
|
||||||
} else {
|
|
||||||
$auth_uri = "${keystone_auth_protocol}://${keystone_auth_host}:${service_port}/"
|
|
||||||
}
|
}
|
||||||
cinder_api_paste_ini { 'filter:authtoken/auth_uri': value => $auth_uri; }
|
elsif !$keystone_auth_uri and !$auth_uri {
|
||||||
|
warning('use of keystone_auth_protocol, keystone_auth_host, and service_port is deprecated, please set auth_uri directly')
|
||||||
|
$auth_uri_real = "${keystone_auth_protocol}://${keystone_auth_host}:${service_port}/"
|
||||||
|
}
|
||||||
|
elsif $keystone_auth_uri {
|
||||||
|
warning('keystone_auth_uri has been renamed to auth_uri')
|
||||||
|
$auth_uri_real = $keystone_auth_uri
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
$auth_uri_real = $auth_uri
|
||||||
|
}
|
||||||
|
cinder_api_paste_ini { 'filter:authtoken/auth_uri': value => $auth_uri_real; }
|
||||||
|
|
||||||
if $keystone_enabled {
|
if $keystone_enabled {
|
||||||
cinder_config {
|
cinder_config {
|
||||||
'DEFAULT/auth_strategy': value => 'keystone' ;
|
'DEFAULT/auth_strategy': value => 'keystone' ;
|
||||||
}
|
}
|
||||||
|
|
||||||
$identity_uri = "${keystone_auth_protocol}://${keystone_auth_host}:${keystone_auth_port}"
|
|
||||||
if $keystone_auth_admin_prefix {
|
|
||||||
validate_re($keystone_auth_admin_prefix, '^(/.+[^/])?$')
|
|
||||||
# a leading slash on keystone_auth_admin_prefix is already required,
|
|
||||||
# don't add it here
|
|
||||||
$identity_uri_real = "${identity_uri}${keystone_auth_admin_prefix}"
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
$identity_uri_real = $identity_uri
|
|
||||||
}
|
|
||||||
|
|
||||||
cinder_api_paste_ini {
|
cinder_api_paste_ini {
|
||||||
'filter:authtoken/service_protocol': value => $keystone_auth_protocol;
|
|
||||||
'filter:authtoken/service_host': value => $keystone_auth_host;
|
|
||||||
'filter:authtoken/service_port': value => $service_port;
|
|
||||||
'filter:authtoken/identity_uri': value => $identity_uri_real;
|
|
||||||
'filter:authtoken/admin_tenant_name': value => $keystone_tenant;
|
'filter:authtoken/admin_tenant_name': value => $keystone_tenant;
|
||||||
'filter:authtoken/admin_user': value => $keystone_user;
|
'filter:authtoken/admin_user': value => $keystone_user;
|
||||||
'filter:authtoken/admin_password': value => $keystone_password, secret => true;
|
'filter:authtoken/admin_password': value => $keystone_password, secret => true;
|
||||||
|
}
|
||||||
|
|
||||||
# deprecated parameters - replaced with identity_uri
|
# if both auth_uri and identity_uri are set we skip these deprecated settings entirely
|
||||||
'filter:authtoken/auth_protocol': ensure => absent;
|
if !$auth_uri or !$identity_uri {
|
||||||
|
if $keystone_auth_host {
|
||||||
|
warning('The keystone_auth_host parameter is deprecated. Please use auth_uri and identity_uri instead.')
|
||||||
|
cinder_api_paste_ini {
|
||||||
|
'filter:authtoken/service_host': value => $keystone_auth_host;
|
||||||
|
'filter:authtoken/auth_host': value => $keystone_auth_host;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
cinder_api_paste_ini {
|
||||||
|
'filter:authtoken/service_host': ensure => absent;
|
||||||
'filter:authtoken/auth_host': ensure => absent;
|
'filter:authtoken/auth_host': ensure => absent;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if $keystone_auth_protocol {
|
||||||
|
warning('The keystone_auth_protocol parameter is deprecated. Please use auth_uri and identity_uri instead.')
|
||||||
|
cinder_api_paste_ini {
|
||||||
|
'filter:authtoken/service_protocol': value => $keystone_auth_protocol;
|
||||||
|
'filter:authtoken/auth_protocol': value => $keystone_auth_protocol;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
cinder_api_paste_ini {
|
||||||
|
'filter:authtoken/service_protocol': ensure => absent;
|
||||||
|
'filter:authtoken/auth_protocol': ensure => absent;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if $keystone_auth_port {
|
||||||
|
warning('The keystone_auth_port parameter is deprecated. Please use auth_uri and identity_uri instead.')
|
||||||
|
cinder_api_paste_ini {
|
||||||
|
'filter:authtoken/auth_port': value => $keystone_auth_port;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
cinder_api_paste_ini {
|
||||||
'filter:authtoken/auth_port': ensure => absent;
|
'filter:authtoken/auth_port': ensure => absent;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if $service_port {
|
||||||
|
warning('The service_port parameter is deprecated. Please use auth_uri and identity_uri instead.')
|
||||||
|
cinder_api_paste_ini {
|
||||||
|
'filter:authtoken/service_port': value => $service_port;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
cinder_api_paste_ini {
|
||||||
|
'filter:authtoken/service_port': ensure => absent;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
if $keystone_auth_admin_prefix {
|
||||||
|
warning('The keystone_auth_admin_prefix parameter is deprecated. Please use auth_uri and identity_uri instead.')
|
||||||
|
validate_re($keystone_auth_admin_prefix, '^(/.+[^/])?$')
|
||||||
|
cinder_api_paste_ini {
|
||||||
|
'filter:authtoken/auth_admin_prefix': value => $keystone_auth_admin_prefix;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
cinder_api_paste_ini {
|
||||||
'filter:authtoken/auth_admin_prefix': ensure => absent;
|
'filter:authtoken/auth_admin_prefix': ensure => absent;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
cinder_api_paste_ini {
|
||||||
|
'filter:authtoken/auth_admin_prefix': ensure => absent;
|
||||||
|
}
|
||||||
|
cinder_api_paste_ini {
|
||||||
|
'filter:authtoken/service_port': ensure => absent;
|
||||||
|
'filter:authtoken/auth_port': ensure => absent;
|
||||||
|
'filter:authtoken/service_host': ensure => absent;
|
||||||
|
'filter:authtoken/auth_host': ensure => absent;
|
||||||
|
'filter:authtoken/service_protocol': ensure => absent;
|
||||||
|
'filter:authtoken/auth_protocol': ensure => absent;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if $identity_uri {
|
||||||
|
cinder_api_paste_ini {
|
||||||
|
'filter:authtoken/identity_uri': value => $identity_uri;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
cinder_api_paste_ini {
|
||||||
|
'filter:authtoken/identity_uri': ensure => absent;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if ($ratelimits != undef) {
|
if ($ratelimits != undef) {
|
||||||
cinder_api_paste_ini {
|
cinder_api_paste_ini {
|
||||||
@ -251,7 +341,7 @@ class cinder::api (
|
|||||||
if $validate {
|
if $validate {
|
||||||
$defaults = {
|
$defaults = {
|
||||||
'cinder-api' => {
|
'cinder-api' => {
|
||||||
'command' => "cinder --os-auth-url ${auth_uri} --os-tenant-name ${keystone_tenant} --os-username ${keystone_user} --os-password ${keystone_password} list",
|
'command' => "cinder --os-auth-url ${auth_uri_real} --os-tenant-name ${keystone_tenant} --os-username ${keystone_user} --os-password ${keystone_password} list",
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
$validation_options_hash = merge ($defaults, $validation_options)
|
$validation_options_hash = merge ($defaults, $validation_options)
|
||||||
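Review bot: The guard `if !$auth_uri or !$identity_uri` in the `@ -191,45 +206,120` hunk still writes the legacy authtoken keys whenever only one of the two new parameters is set, and because `keystone_auth_host`, `keystone_auth_protocol`, `keystone_auth_port` and `service_port` default to non-empty strings, the inner `if` branches are taken with `localhost`, `http`, `35357` and `5000`. A caller who sets only `identity_uri` (for example to an https endpoint) therefore ends up with `identity_uri` next to `auth_protocol => http` and `auth_host => localhost` in the paste file, and which of them the authtoken filter honours is decided by the middleware rather than by this manifest; the same happens when the deprecated `keystone_auth_uri` is combined with `identity_uri`, since only `$auth_uri` is tested. Since `auth_uri` is always written from `$auth_uri_real`, consider gating the legacy block on the admin endpoint alone, `if !$identity_uri {`, so that setting `identity_uri` is enough to mark the legacy keys absent. Separately, the validation command in the last hunk passes `--os-password ${keystone_password}` on the command line, where local process listings can see it; if the validation resource accepts an environment, `OS_PASSWORD` would keep the secret out of argv.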
|
@ -42,17 +42,14 @@ describe 'cinder::api' do
|
|||||||
is_expected.to contain_cinder_api_paste_ini('filter:authtoken/service_port').with(
|
is_expected.to contain_cinder_api_paste_ini('filter:authtoken/service_port').with(
|
||||||
:value => '5000'
|
:value => '5000'
|
||||||
)
|
)
|
||||||
is_expected.to contain_cinder_api_paste_ini('filter:authtoken/identity_uri').with(
|
|
||||||
:value => 'http://localhost:35357'
|
|
||||||
)
|
|
||||||
is_expected.to contain_cinder_api_paste_ini('filter:authtoken/auth_protocol').with(
|
is_expected.to contain_cinder_api_paste_ini('filter:authtoken/auth_protocol').with(
|
||||||
:ensure => 'absent'
|
:value => 'http'
|
||||||
)
|
)
|
||||||
is_expected.to contain_cinder_api_paste_ini('filter:authtoken/auth_host').with(
|
is_expected.to contain_cinder_api_paste_ini('filter:authtoken/auth_host').with(
|
||||||
:ensure => 'absent'
|
:value => 'localhost'
|
||||||
)
|
)
|
||||||
is_expected.to contain_cinder_api_paste_ini('filter:authtoken/auth_port').with(
|
is_expected.to contain_cinder_api_paste_ini('filter:authtoken/auth_port').with(
|
||||||
:ensure => 'absent'
|
:value => '35357'
|
||||||
)
|
)
|
||||||
is_expected.to contain_cinder_api_paste_ini('filter:authtoken/auth_admin_prefix').with(
|
is_expected.to contain_cinder_api_paste_ini('filter:authtoken/auth_admin_prefix').with(
|
||||||
:ensure => 'absent'
|
:ensure => 'absent'
|
||||||
@ -67,7 +64,6 @@ describe 'cinder::api' do
|
|||||||
:value => 'foo',
|
:value => 'foo',
|
||||||
:secret => true
|
:secret => true
|
||||||
)
|
)
|
||||||
|
|
||||||
is_expected.to contain_cinder_api_paste_ini('filter:authtoken/auth_uri').with(
|
is_expected.to contain_cinder_api_paste_ini('filter:authtoken/auth_uri').with(
|
||||||
:value => 'http://localhost:5000/'
|
:value => 'http://localhost:5000/'
|
||||||
)
|
)
|
||||||
@ -101,11 +97,11 @@ describe 'cinder::api' do
|
|||||||
|
|
||||||
describe 'with custom auth_uri' do
|
describe 'with custom auth_uri' do
|
||||||
let :params do
|
let :params do
|
||||||
req_params.merge({'keystone_auth_uri' => 'http://foo.bar:8080/v2.0/'})
|
req_params.merge({'keystone_auth_uri' => 'http://localhost:8080/v2.0/'})
|
||||||
end
|
end
|
||||||
it 'should configure cinder auth_uri correctly' do
|
it 'should configure cinder auth_uri correctly' do
|
||||||
is_expected.to contain_cinder_api_paste_ini('filter:authtoken/auth_uri').with(
|
is_expected.to contain_cinder_api_paste_ini('filter:authtoken/auth_uri').with(
|
||||||
:value => 'http://foo.bar:8080/v2.0/'
|
:value => 'http://localhost:8080/v2.0/'
|
||||||
)
|
)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
@ -121,8 +117,8 @@ describe 'cinder::api' do
|
|||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
[ '/keystone', '/keystone/admin', '' ].each do |keystone_auth_admin_prefix|
|
[ '/keystone', '/keystone/admin' ].each do |keystone_auth_admin_prefix|
|
||||||
describe "with keystone_auth_admin_prefix containing incorrect value #{keystone_auth_admin_prefix}" do
|
describe "with keystone_auth_admin_prefix containing correct value #{keystone_auth_admin_prefix}" do
|
||||||
let :params do
|
let :params do
|
||||||
{
|
{
|
||||||
:keystone_auth_admin_prefix => keystone_auth_admin_prefix,
|
:keystone_auth_admin_prefix => keystone_auth_admin_prefix,
|
||||||
@ -130,12 +126,23 @@ describe 'cinder::api' do
|
|||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
|
||||||
it { is_expected.to contain_cinder_api_paste_ini('filter:authtoken/identity_uri').with(
|
it { is_expected.to contain_cinder_api_paste_ini('filter:authtoken/auth_admin_prefix').with(
|
||||||
:value => "http://localhost:35357#{keystone_auth_admin_prefix}"
|
:value => "#{keystone_auth_admin_prefix}"
|
||||||
)}
|
)}
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
describe "with keystone_auth_admin_prefix containing correct value ''" do
|
||||||
|
let :params do
|
||||||
|
{
|
||||||
|
:keystone_auth_admin_prefix => '',
|
||||||
|
:keystone_password => 'dummy'
|
||||||
|
}
|
||||||
|
end
|
||||||
|
|
||||||
|
it { is_expected.to contain_cinder_api_paste_ini('filter:authtoken/auth_admin_prefix').with(:value => nil)}
|
||||||
|
end
|
||||||
|
|
||||||
[
|
[
|
||||||
'/keystone/',
|
'/keystone/',
|
||||||
'keystone/',
|
'keystone/',
|
||||||
@ -152,7 +159,7 @@ describe 'cinder::api' do
|
|||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
|
||||||
it { expect { is_expected.to contain_cinder_api_paste_ini('filter:authtoken/identity_uri') }.to \
|
it { expect { is_expected.to contain_cinder_api_paste_ini('filter:authtoken/auth_admin_prefix') }.to \
|
||||||
raise_error(Puppet::Error, /validate_re\(\): "#{keystone_auth_admin_prefix}" does not match/) }
|
raise_error(Puppet::Error, /validate_re\(\): "#{keystone_auth_admin_prefix}" does not match/) }
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
@ -227,4 +234,34 @@ describe 'cinder::api' do
|
|||||||
)}
|
)}
|
||||||
end
|
end
|
||||||
|
|
||||||
|
describe "with custom keystone identity_uri and auth_uri" do
|
||||||
|
let :params do
|
||||||
|
req_params.merge({
|
||||||
|
:identity_uri => 'https://localhost:35357/',
|
||||||
|
:auth_uri => 'https://localhost:5000/v2.0/',
|
||||||
|
})
|
||||||
|
end
|
||||||
|
it 'configures identity_uri and auth_uri but deprecates old auth settings' do
|
||||||
|
is_expected.to contain_cinder_api_paste_ini('filter:authtoken/identity_uri').with_value("https://localhost:35357/");
|
||||||
|
is_expected.to contain_cinder_api_paste_ini('filter:authtoken/auth_uri').with_value("https://localhost:5000/v2.0/");
|
||||||
|
is_expected.to contain_cinder_api_paste_ini('filter:authtoken/auth_admin_prefix').with(:ensure => 'absent')
|
||||||
|
is_expected.to contain_cinder_api_paste_ini('filter:authtoken/auth_port').with(:ensure => 'absent')
|
||||||
|
is_expected.to contain_cinder_api_paste_ini('filter:authtoken/service_port').with(:ensure => 'absent')
|
||||||
|
is_expected.to contain_cinder_api_paste_ini('filter:authtoken/auth_protocol').with(:ensure => 'absent')
|
||||||
|
is_expected.to contain_cinder_api_paste_ini('filter:authtoken/service_protocol').with(:ensure => 'absent')
|
||||||
|
is_expected.to contain_cinder_api_paste_ini('filter:authtoken/auth_host').with(:ensure => 'absent')
|
||||||
|
is_expected.to contain_cinder_api_paste_ini('filter:authtoken/service_host').with(:ensure => 'absent')
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
describe 'when someone sets keystone_auth_uri and auth_uri' do
|
||||||
|
let :params do
|
||||||
|
req_params.merge({
|
||||||
|
:keystone_auth_uri => 'http://thisis',
|
||||||
|
:auth_uri => 'http://broken',
|
||||||
|
})
|
||||||
|
end
|
||||||
|
|
||||||
|
it_raises 'a Puppet::Error', /both keystone_auth_uri and auth_uri are set and they have the same meaning/
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
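Review bot: None of the added examples covers a partially migrated configuration — only `identity_uri` set, or only the new `auth_uri` set — so the case where the new keys and the deprecated `auth_host`/`auth_protocol`/`auth_port` keys are written together is untested; the 'with custom auth_uri' example still passes the deprecated `keystone_auth_uri`. An example that merges just `:identity_uri => 'https://localhost:35357/'` into `req_params` and asserts what happens to `filter:authtoken/auth_host` and `filter:authtoken/auth_protocol` would pin that behaviour. The `''` prefix example asserts `.with(:value => nil)`, which does not say whether the key is removed; `.with(:ensure => 'absent')` states the expected result, assuming the empty string takes the manifest's `else` branch.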