From ee082367f8a2fbb180e93d4d120d28c53b10a570 Mon Sep 17 00:00:00 2001 From: Iury Gregory Melo Ferreira Date: Sat, 5 Nov 2016 15:44:52 -0300 Subject: [PATCH] Remove old authtoken options Since we are in ocata lets remove all old parameters in api to configure the keystone_authtoken section Change-Id: I7d833d2223a67e6226afc27c154011748e9747e4 --- manifests/api.pp | 79 +++---------------- manifests/keystone/authtoken.pp | 24 ++---- ...ld_authtoken_options-e619dc4773a373af.yaml | 9 +++ spec/classes/cinder_api_spec.rb | 62 ++++----------- 4 files changed, 41 insertions(+), 133 deletions(-) create mode 100644 releasenotes/notes/remove_old_authtoken_options-e619dc4773a373af.yaml diff --git a/manifests/api.pp b/manifests/api.pp index 360742f6..29009e82 100644 --- a/manifests/api.pp +++ b/manifests/api.pp 
@@ -146,36 +146,13 @@ # (optional) Type of authentication to be used. # Defaults to 'keystone' # +# [*osapi_volume_listen_port*] +# (optional) What port the API listens on. Defaults to $::os_service_default +# If this value is modified the catalog URLs in the keystone::auth class +# will also need to be changed to match. +# # DEPRECATED PARAMETERS # -# [*keystone_enabled*] -# (optional) Deprecated. Use auth_strategy instead. -# Defaults to undef -# -# [*keystone_tenant*] -# (optional) Deprecated. Use cinder::keystone::authtoken::project_name instead. -# Defaults to undef. -# -# [*keystone_user*] -# (optional) Deprecated. Use cinder::keystone::authtoken::username instead. -# Defaults to undef. -# -# [*keystone_password*] -# (optional) Deprecated. Use cinder::keystone::authtoken::password instead. -# Defaults to undef. -# -# [*identity_uri*] -# (optional) Deprecated. Use cinder::keystone::authtoken::auth_url instead. -# Defaults to undef. -# -# [*auth_uri*] -# (optional) Deprecated. Use cinder::keystone::authtoken::auth_uri instead. -# Defaults to undef. -# -# [*memcached_servers*] -# (Optional) Deprecated. Use cinder::keystone::authtoken::memcached_servers. -# Defaults to undef. -# # [*validation_options*] # (optional) Service validation options # Should be a hash of options defined in openstacklib::service_validation @@ -192,13 +169,7 @@ # try_sleep: 10 # Defaults to {} # -# [*osapi_volume_listen_port*] -# (optional) What port the API listens on. Defaults to $::os_service_default -# If this value is modified the catalog URLs in the keystone::auth class -# will also need to be changed to match. -# class cinder::api ( - $keystone_enabled = true, $nova_catalog_info = 'compute:Compute Service:publicURL', $nova_catalog_admin_info = 'compute:Compute Service:adminURL', $os_region_name = $::os_service_default, 
@@ -234,12 +205,6 @@ class cinder::api ( $osapi_volume_listen_port = $::os_service_default, # DEPRECATED PARAMETERS $validation_options = {}, - $keystone_tenant = undef, - $keystone_user = undef, - $keystone_password = undef, - $identity_uri = undef, - $auth_uri = undef, - $memcached_servers = undef, ) inherits cinder::params { include ::cinder::deps @@ -255,32 +220,6 @@ class cinder::api ( $key_file_real = pick($::cinder::key_file, $key_file) $ca_file_real = pick($::cinder::ca_file, $ca_file) - if $identity_uri { - warning('cinder::api::identity_uri is deprecated, use cinder::keystone::authtoken::auth_url instead.') - } - if $auth_uri { - warning('cinder::api::auth_uri is deprecated, use cinder::keystone::authtoken::auth_uri instead.') - } - if $keystone_tenant { - warning('cinder::api::keystone_tenant is deprecated, use cinder::keystone::authtoken::project_name instead.') - } - if $keystone_user { - warning('cinder::api::keystone_user is deprecated, use cinder::keystone::authtoken::username instead.') - } - if $keystone_password { - warning('cinder::api::keystone_password is deprecated, use cinder::keystone::authtoken::password instead.') - } - if $memcached_servers { - warning('cinder::api::memcached_servers is deprecated, use cinder::keystone::authtoken::memcached_servers instead.') - } - - if $keystone_enabled { - warning('keystone_enabled is deprecated, use auth_strategy instead.') - $auth_strategy_real = $keystone_enabled - } else { - $auth_strategy_real = $auth_strategy - } - if $use_ssl_real { if is_service_default($cert_file_real) { fail('The cert_file parameter is required when use_ssl is set to true') @@ -382,7 +321,7 @@ running as a standalone service, or httpd for being run by a httpd server") 'barbican/auth_endpoint': value => $keymgr_encryption_auth_url; } - if $auth_strategy_real { + if $auth_strategy == 'keystone' { include ::cinder::keystone::authtoken } 
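Review bot: The new guard `if $auth_strategy == 'keystone' {` skips `include ::cinder::keystone::authtoken` for every other value, including a misspelled one, and nothing visible here rejects unexpected values. With the removed `$keystone_enabled = true` default, the old `$auth_strategy_real` condition was effectively always true, so this is a behaviour change as well as a cleanup. A typo would leave the API without a keystone_authtoken section and without any catalog error. Consider validating the parameter before this block, e.g. `if ! ($auth_strategy in ['keystone', 'noauth']) { fail("Unsupported auth_strategy: ${auth_strategy}") }`, with the list adjusted to the strategies the module supports. The class body starts and ends outside this hunk.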
@@ -403,9 +342,9 @@ running as a standalone service, or httpd for being run by a httpd server") } if $validate { - $keystone_tenant_real = pick($keystone_tenant, $::cinder::keystone::authtoken::project_name) - $keystone_username_real = pick($keystone_user, $::cinder::keystone::authtoken::username) - $keystone_password_real = pick($keystone_password, $::cinder::keystone::authtoken::password) + $keystone_tenant_real = $::cinder::keystone::authtoken::project_name + $keystone_username_real = $::cinder::keystone::authtoken::username + $keystone_password_real = $::cinder::keystone::authtoken::password $defaults = { 'cinder-api' => { diff --git a/manifests/keystone/authtoken.pp b/manifests/keystone/authtoken.pp index 219cd97c..41fde4c5 100644 --- a/manifests/keystone/authtoken.pp +++ b/manifests/keystone/authtoken.pp @@ -82,12 +82,12 @@ # server and ignore it if not. "strict" like "permissive" but if the bind # type is unknown the token will be rejected. "required" any form of token # binding is needed to be allowed. Finally the name of a binding method that -# must be present in tokens. String value. # Defaults to $::os_service_default. # # [*hash_algorithms*] # (Optional) Hash algorithms to use for hashing PKI tokens. This may be a # single algorithm or multiple. The algorithms are those supported by Python +# must be present in tokens. String value. # standard hashlib.new(). The hashes will be tried in the order given, so put # the preferred one first for performance. The result of the first hash will # be stored in the cache. This will typically be set to multiple values only 
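Review bot: With the `pick()` calls gone, `$keystone_tenant_real`, `$keystone_username_real` and `$keystone_password_real` read `$::cinder::keystone::authtoken::*` unconditionally, but that class is now only included when `$auth_strategy == 'keystone'` (hunk at -382). If `$validate` is true with another strategy, the lookups presumably resolve to undef, or abort under strict variables, and the old `pick()` failure on all-empty input no longer catches it. Tightening the guard to `if $validate and $auth_strategy == 'keystone' {`, or failing with an explicit message, would stop the validation command being built with empty credentials. The `$defaults` hash that consumes these values continues outside the hunk.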
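Review bot: The comment line `# must be present in tokens. String value.` is moved out of the token-binding description, where it completed the sentence "Finally the name of a binding method that", and into the `hash_algorithms` text between "supported by Python" and "standard hashlib.new()". Both parameter descriptions now read as broken sentences. This looks unintended in a commit that only removes deprecated options. The line should stay where it was, directly before `# Defaults to $::os_service_default.`.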
@@ -230,23 +230,16 @@ class cinder::keystone::authtoken( include ::cinder::deps - if is_service_default($password) and ! $::cinder::api::keystone_password { + if is_service_default($password) { fail('Please set password for cinder service user') } - $username_real = pick($::cinder::api::keystone_user,$username) - $password_real = pick($::cinder::api::keystone_password,$password) - $project_name_real = pick($::cinder::api::keystone_tenant,$project_name) - $auth_uri_real = pick($::cinder::api::auth_uri,$auth_uri) - $auth_url_real = pick($::cinder::api::identity_uri,$auth_url) - $memcached_servers_real = pick($::cinder::api::memcached_servers,$memcached_servers) - keystone::resource::authtoken { 'cinder_config': - username => $username_real, - password => $password_real, - project_name => $project_name_real, - auth_url => $auth_url_real, - auth_uri => $auth_uri_real, + username => $username, + password => $password, + project_name => $project_name, + auth_url => $auth_url, + auth_uri => $auth_uri, auth_version => $auth_version, auth_type => $auth_type, auth_section => $auth_section, @@ -272,11 +265,10 @@ class cinder::keystone::authtoken( memcache_security_strategy => $memcache_security_strategy, memcache_use_advanced_pool => $memcache_use_advanced_pool, memcache_pool_unused_timeout => $memcache_pool_unused_timeout, - memcached_servers => $memcached_servers_real, + memcached_servers => $memcached_servers, region_name => $region_name, revocation_cache_time => $revocation_cache_time, signing_dir => $signing_dir, token_cache_time => $token_cache_time, } } - diff --git a/releasenotes/notes/remove_old_authtoken_options-e619dc4773a373af.yaml b/releasenotes/notes/remove_old_authtoken_options-e619dc4773a373af.yaml new file mode 100644 index 00000000..36392c3c --- /dev/null +++ b/releasenotes/notes/remove_old_authtoken_options-e619dc4773a373af.yaml 
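Review bot: The remaining check `if is_service_default($password) {` rejects only the unset sentinel, so `password => ''` now reaches `keystone::resource::authtoken` unchanged. The removed `pick($::cinder::api::keystone_password,$password)` would have aborted on that input, because stdlib `pick` fails when every argument is undef or an empty string. Consider `if is_service_default($password) or empty($password) {` so that an empty service password still fails the catalog. The class header and parameter defaults are outside this hunk.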
@@ -0,0 +1,9 @@ +--- +other: + - removed deprecated cinder::api::keystone_user + - removed deprecated cinder::api::keystone_password + - removed deprecated cinder::api::keystone_tenant + - removed deprecated cinder::api::auth_uri + - removed deprecated cinder::api::identity_uri + - removed deprecated cinder::api::memcached_servers + - removed deprecated cinder::api::keystone_enabled diff --git a/spec/classes/cinder_api_spec.rb b/spec/classes/cinder_api_spec.rb index 6455fa4d..d780b63a 100644 --- a/spec/classes/cinder_api_spec.rb +++ b/spec/classes/cinder_api_spec.rb @@ -3,8 +3,14 @@ require 'spec_helper' describe 'cinder::api' do shared_examples_for 'cinder api' do + let :pre_condition do + "class { '::cinder::keystone::authtoken': + password => 'foo', + }" + end + let :req_params do - {:keystone_password => 'foo'} + {} end describe 'with only required params' do @@ -46,22 +52,6 @@ describe 'cinder::api' do is_expected.to contain_cinder_config('DEFAULT/os_region_name').with( :value => '' ) - is_expected.to contain_cinder_config('keystone_authtoken/auth_uri').with( - :value => 'http://localhost:5000' - ) - is_expected.to contain_cinder_config('keystone_authtoken/auth_url').with( - :value => 'http://localhost:35357' - ) - is_expected.to contain_cinder_config('keystone_authtoken/project_name').with( - :value => 'services' - ) - is_expected.to contain_cinder_config('keystone_authtoken/username').with( - :value => 'cinder' - ) - is_expected.to contain_cinder_config('keystone_authtoken/password').with( - :value => 'foo' - ) - is_expected.to contain_cinder_config('keystone_authtoken/memcached_servers').with_value('') is_expected.to contain_cinder_config('DEFAULT/os_privileged_user_name').with_value('') is_expected.to contain_cinder_config('DEFAULT/os_privileged_user_password').with_value('') 
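Review bot: No example in this spec exercises the new `$auth_strategy == 'keystone'` branch of `cinder::api`. The shared `pre_condition` added in the -3 hunk declares `::cinder::keystone::authtoken` itself, so as far as these hunks show the suite would pass whether or not the manifest includes the class. A context with `'auth_strategy' => 'noauth'` and a pre_condition that omits the authtoken class would pin the new behaviour, asserting `it { is_expected.not_to contain_class('cinder::keystone::authtoken') }`. The `shared_examples_for` block continues outside the hunk.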
@@ -86,22 +76,6 @@ describe 'cinder::api' do it { is_expected.to contain_cinder_config('DEFAULT/nova_catalog_info').with_value('compute:nova:publicURL') } end - describe 'without deprecated keystone_authtoken parameters' do - let :params do - req_params.merge({ - 'keystone_user' => 'dummy', - 'keystone_tenant' => 'mytenant', - 'identity_uri' => 'https://127.0.0.1:35357/deprecated', - 'auth_uri' => 'https://127.0.0.1:5000/deprecated', - }) - end - - it { is_expected.to contain_cinder_config('keystone_authtoken/auth_url').with_value('https://127.0.0.1:35357/deprecated') } - it { is_expected.to contain_cinder_config('keystone_authtoken/username').with_value('dummy') } - it { is_expected.to contain_cinder_config('keystone_authtoken/project_name').with_value('mytenant') } - it { is_expected.to contain_cinder_config('keystone_authtoken/auth_uri').with_value('https://127.0.0.1:5000/deprecated') } - end - describe 'with a custom region for nova' do let :params do req_params.merge({'os_region_name' => 'MyRegion'}) @@ -218,7 +192,6 @@ describe 'cinder::api' do describe 'with sync_db set to false' do let :params do { - :keystone_password => 'dummy', :enabled => true, :sync_db => false, } @@ -309,17 +282,6 @@ describe 'cinder::api' do )} end - describe "with deprecated memcached servers for keystone authtoken" do - let :params do - req_params.merge({ - :memcached_servers => '1.1.1.1:11211', - }) - end - it 'configures memcached servers' do - is_expected.to contain_cinder_config('keystone_authtoken/memcached_servers').with_value('1.1.1.1:11211') - end - end - describe 'with a custom osapi_max_limit' do let :params do req_params.merge({'osapi_max_limit' => '10000'}) @@ -337,7 +299,10 @@ describe 'cinder::api' do let :pre_condition do "include ::apache - class { 'cinder': rabbit_password => 'secret' }" + class { 'cinder': rabbit_password => 'secret' } + class { '::cinder::keystone::authtoken': + password => 'foo', + }" end it 'configures cinder-api service with Apache' do 
@@ -356,7 +321,10 @@ describe 'cinder::api' do let :pre_condition do "include ::apache - class { 'cinder': rabbit_password => 'secret' }" + class { 'cinder': rabbit_password => 'secret' } + class { '::cinder::keystone::authtoken': + password => 'foo', + }" end it_raises 'a Puppet::Error', /Invalid service_name/