From ddfd2150b9cb55964bd961dcecfb802ae9299dc1 Mon Sep 17 00:00:00 2001
From: Iury Gregory Melo Ferreira
Date: Sat, 5 Nov 2016 23:22:10 -0300
Subject: [PATCH] Remove old authtoken options
Since we are in ocata lets remove all old parameters in api to configure the keystone_authtoken section
Change-Id: I4dc0bd544f91fd52ad437b4c3ebbd16a43895726
---
 manifests/api.pp | 121 +--------
 manifests/api/authtoken.pp | 231 ++++++++----------
 manifests/glare.pp | 110 ---------
 manifests/glare/authtoken.pp | 229 ++++++++---------
 manifests/registry.pp | 100 +-------
 manifests/registry/authtoken.pp | 231 ++++++++----------
 ...ld_authtoken_options-954b592223d48e6e.yaml | 29 +++
 spec/classes/glance_api_spec.rb | 47 +---
 spec/classes/glance_backend_cinder_spec.rb | 2 +-
 spec/classes/glance_backend_swift_spec.rb | 3 +-
 spec/classes/glance_backend_vsphere_spec.rb | 2 +-
 spec/classes/glance_glare_spec.rb | 56 ++---
 spec/classes/glance_keystone_auth_spec.rb | 3 +-
 .../glance_keystone_glare_auth_spec.rb | 2 +-
 spec/classes/glance_registry_spec.rb | 46 +---
 15 files changed, 400 insertions(+), 812 deletions(-)
 create mode 100644 releasenotes/notes/remove_old_authtoken_options-954b592223d48e6e.yaml
diff --git a/manifests/api.pp b/manifests/api.pp
index d3c92521..46020e9b 100644
--- a/manifests/api.pp
+++ b/manifests/api.pp
@@ -256,60 +256,6 @@ # Defaults to false. # Example: ['file','http'] # -# [*auth_region*] -# (optional) The region for the authentication service. -# If "use_user_token" is not in effect and using keystone auth, -# then region name can be specified. -# Defaults to undef -# -# [*keystone_password*] -# (Optional) Password used to authentication. -# Deprecated and will be replaced by ::glance::api::authtoken::password -# Defaults to undef. -# -# [*auth_type*] -# (optional) Type is authorization being used. -# Deprecated and replaced by ::glance::api::auth_strategy -# Defaults to undef. -# -# [*auth_uri*] -# (optional) Complete public Identity API endpoint. -# Deprecated and will be replaced by ::glance::api::authtoken::auth_uri -# Defaults to undef. -# -# [*identity_uri*] -# (optional) Complete admin Identity API endpoint. -# Deprecated and will be replaced by ::glance::api::authtoken::auth_url -# Defaults to undef. -# -# [*keystone_tenant*] -# (optional) Tenant to authenticate to. -# Deprecated and will be replaced by ::glance::api::authtoken::project_name -# Defaults to undef. -# -# [*keystone_user*] -# (optional) User to authenticate as with keystone. -# Deprecated and will be replaced by ::glance::api::authtoken::username -# Defaults to undef. -# -# [*signing_dir*] -# (optional) Directory used to cache files related to PKI tokens. -# Deprecated and will be replaced by ::glance::api::authtoken::signing_dir -# Defaults to undef. -# -# [*memcached_servers*] -# (optinal) a list of memcached server(s) to use for caching. If left undefined, -# tokens will instead be cached in-process. -# Deprecated and will be replaced by ::glance::api::authtoken::memcached_servers -# Defaults to undef. -# -# [*token_cache_time*] -# (optional) In order to prevent excessive effort spent validating tokens, -# the middleware caches previously-seen tokens for a configurable duration (in seconds). -# Set to -1 to disable caching completely. 
-# Deprecated and will be replaced by ::glance::api::authtoken::token_cache_time
-# Defaults to undef.
-#
 class glance::api(
 $package_ensure = 'present',
 $debug = undef,
@@ -366,16 +312,6 @@ class glance::api(
 $validation_options = {},
 # DEPRECATED PARAMETERS
 $known_stores = false,
- $auth_region = undef,
- $keystone_password = undef,
- $auth_type = undef,
- $auth_uri = undef,
- $identity_uri = undef,
- $keystone_tenant = undef,
- $keystone_user = undef,
- $memcached_servers = undef,
- $signing_dir = undef,
- $token_cache_time = undef,
 ) inherits glance {
 include ::glance::deps
@@ -384,49 +320,6 @@ class glance::api(
 include ::glance::api::logging
 include ::glance::cache::logging
- if $auth_region {
- warning('auth_region is deprecated, has no effect and and will be removed in the O release.')
- }
-
- if $keystone_password {
- warning('glance::api::keystone_password is deprecated, please use glance::api::authtoken::password')
- }
-
- if $auth_type {
- warning('glance::api::auth_type is deprecated, please use glance::api::auth_strategy')
- $auth_strategy_real = $auth_type
- } else {
- $auth_strategy_real = $auth_strategy
- }
-
- if $auth_uri {
- warning('glance::api::auth_uri is deprecated, please use glance::api::authtoken::auth_uri')
- }
-
- if $identity_uri {
- warning('glance::api::identity_uri is deprecated, please use glance::api::authtoken::auth_url')
- }
-
- if $keystone_tenant {
- warning('glance::api::keystone_tenant is deprecated, please use glance::api::authtoken::project_name')
- }
-
- if $keystone_user {
- warning('glance::api::keystone_user is deprecated, please use glance::api::authtoken::username')
- }
-
- if $memcached_servers {
- warning('glance::api::memcached_servers is deprecated, please use glance::api::authtoken::memcached_servers')
- }
-
- if $signing_dir {
- warning('glance::api::signing_dir is deprecated, please use glance::api::authtoken::signing_dir')
- }
-
- if $token_cache_time {
- warning('glance::api::token_cache_time is deprecated, please use glance::api::authtoken::token_cache_time')
- }
-
 if ( $glance::params::api_package_name != $glance::params::registry_package_name ) {
 ensure_packages('glance-api', {
@@ -473,8 +366,8 @@ class glance::api(
 if $default_store {
 $default_store_real = $default_store
 }
- # determine value for glance_store/stores
 if !empty($stores_real) {
+ # determine value for glance_store/stores
 if size(any2array($stores_real)) > 1 {
 $final_stores_real = join($stores_real, ',')
 } else {
@@ -548,7 +441,7 @@ class glance::api(
 }
 # keystone config
- if $auth_strategy_real == 'keystone' {
+ if $auth_strategy == 'keystone' {
 include ::glance::api::authtoken
 }
@@ -584,14 +477,14 @@ class glance::api(
 }
 if $validate {
- $keystone_tenant_real = pick($keystone_tenant, $::glance::api::authtoken::project_name)
- $keystone_username_real = pick($keystone_user, $::glance::api::authtoken::username)
- $keystone_password_real = pick($keystone_password, $::glance::api::authtoken::password)
- $auth_uri_real = pick($auth_uri, $::glance::api::authtoken::auth_uri)
+ $keystone_project_name = $::glance::api::authtoken::project_name
+ $keystone_username = $::glance::api::authtoken::username
+ $keystone_password = $::glance::api::authtoken::password
+ $auth_uri = $::glance::api::authtoken::auth_uri
 $defaults = {
 'glance-api' => {
 # lint:ignore:140chars
- 'command' => "glance --os-auth-url ${auth_uri_real} --os-project-name ${keystone_tenant_real} --os-username ${keystone_username_real} --os-password ${keystone_password_real} image-list",
+ 'command' => "glance --os-auth-url ${auth_uri} --os-project-name ${keystone_project_name} --os-username ${keystone_username} --os-password ${keystone_password} image-list",
 # lint:endignore
 }
 }
diff --git a/manifests/api/authtoken.pp b/manifests/api/authtoken.pp
index 47cd01cc..5799d889 100644
--- a/manifests/api/authtoken.pp
+++ b/manifests/api/authtoken.pp
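Review bot: The new `'command'` line still hands the service credential to the `glance` CLI as a bare `--os-password ${keystone_password}` argument, so it is visible in the process list for the lifetime of the validation command, and a password containing whitespace or shell metacharacters breaks or alters the command line; the rename does not change that, but since the value is now taken directly from `$::glance::api::authtoken::password` this is the place to tighten it. Prefer passing the credential through the environment (`OS_PASSWORD`) if the openstacklib validation resource used below accepts an `environment` key, or at minimum document on the `$validate` branch that it exposes the password on the command line. Separately, `::glance::api::authtoken` is only included when `$auth_strategy == 'keystone'` (first hunk on this line), so with `validate => true` and any other strategy the four new assignments read unassigned class variables and the command is built with empty values; `if $validate and $auth_strategy == 'keystone' {` would make that dependency explicit. The `$validate` block continues outside the hunk.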
@@ -29,166 +29,161 @@ # Defaults to $::os_service_default # # [*insecure*] -# (Optional) If true, explicitly allow TLS without checking server cert -# against any certificate authorities. WARNING: not recommended. Use with -# caution. -# Defaults to $:os_service_default +# (Optional) If true, explicitly allow TLS without checking server cert +# against any certificate authorities. WARNING: not recommended. Use with +# caution. +# Defaults to $:os_service_default # # [*auth_section*] -# (Optional) Config Section from which to load plugin specific options -# Defaults to $::os_service_default. +# (Optional) Config Section from which to load plugin specific options +# Defaults to $::os_service_default. # # [*auth_type*] -# (Optional) Authentication type to load -# Defaults to 'password' +# (Optional) Authentication type to load +# Defaults to 'password' # # [*auth_uri*] -# (Optional) Complete public Identity API endpoint. -# Defaults to 'http://127.0.0.1:5000'. +# (Optional) Complete public Identity API endpoint. +# Defaults to 'http://127.0.0.1:5000'. # # [*auth_version*] -# (Optional) API version of the admin Identity API endpoint. -# Defaults to $::os_service_default. +# (Optional) API version of the admin Identity API endpoint. +# Defaults to $::os_service_default. # # [*cache*] -# (Optional) Env key for the swift cache. -# Defaults to $::os_service_default. +# (Optional) Env key for the swift cache. +# Defaults to $::os_service_default. # # [*cafile*] -# (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs -# connections. -# Defaults to $::os_service_default. +# (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs +# connections. +# Defaults to $::os_service_default. # # [*certfile*] -# (Optional) Required if identity server requires client certificate -# Defaults to $::os_service_default. +# (Optional) Required if identity server requires client certificate +# Defaults to $::os_service_default. 
# # [*check_revocations_for_cached*] -# (Optional) If true, the revocation list will be checked for cached tokens. -# This requires that PKI tokens are configured on the identity server. -# boolean value. -# Defaults to $::os_service_default. +# (Optional) If true, the revocation list will be checked for cached tokens. +# This requires that PKI tokens are configured on the identity server. +# boolean value. +# Defaults to $::os_service_default. # # [*delay_auth_decision*] -# (Optional) Do not handle authorization requests within the middleware, but -# delegate the authorization decision to downstream WSGI components. Boolean -# value -# Defaults to $::os_service_default. +# (Optional) Do not handle authorization requests within the middleware, but +# delegate the authorization decision to downstream WSGI components. Boolean +# value +# Defaults to $::os_service_default. # # [*enforce_token_bind*] -# (Optional) Used to control the use and type of token binding. Can be set -# to: "disabled" to not check token binding. "permissive" (default) to -# validate binding information if the bind type is of a form known to the -# server and ignore it if not. "strict" like "permissive" but if the bind -# type is unknown the token will be rejected. "required" any form of token -# binding is needed to be allowed. Finally the name of a binding method that -# must be present in tokens. String value. -# Defaults to $::os_service_default. +# (Optional) Used to control the use and type of token binding. Can be set +# to: "disabled" to not check token binding. "permissive" (default) to +# validate binding information if the bind type is of a form known to the +# server and ignore it if not. "strict" like "permissive" but if the bind +# type is unknown the token will be rejected. "required" any form of token +# binding is needed to be allowed. Finally the name of a binding method that +# must be present in tokens. String value. +# Defaults to $::os_service_default. 
# # [*hash_algorithms*] -# (Optional) Hash algorithms to use for hashing PKI tokens. This may be a -# single algorithm or multiple. The algorithms are those supported by Python -# standard hashlib.new(). The hashes will be tried in the order given, so put -# the preferred one first for performance. The result of the first hash will -# be stored in the cache. This will typically be set to multiple values only -# while migrating from a less secure algorithm to a more secure one. Once all -# the old tokens are expired this option should be set to a single value for -# better performance. List value. -# Defaults to $::os_service_default. +# (Optional) Hash algorithms to use for hashing PKI tokens. This may be a +# single algorithm or multiple. The algorithms are those supported by Python +# standard hashlib.new(). The hashes will be tried in the order given, so put +# the preferred one first for performance. The result of the first hash will +# be stored in the cache. This will typically be set to multiple values only +# while migrating from a less secure algorithm to a more secure one. Once all +# the old tokens are expired this option should be set to a single value for +# better performance. List value. +# Defaults to $::os_service_default. # # [*http_connect_timeout*] -# (Optional) Request timeout value for communicating with Identity API -# server. -# Defaults to $::os_service_default. +# (Optional) Request timeout value for communicating with Identity API +# server. +# Defaults to $::os_service_default. # # [*http_request_max_retries*] -# (Optional) How many times are we trying to reconnect when communicating -# with Identity API Server. Integer value -# Defaults to $::os_service_default. +# (Optional) How many times are we trying to reconnect when communicating +# with Identity API Server. Integer value +# Defaults to $::os_service_default. # # [*include_service_catalog*] -# (Optional) Indicate whether to set the X-Service-Catalog header. 
If False, -# middleware will not ask for service catalog on token validation and will -# not -# set the X-Service-Catalog header. Boolean value. -# Defaults to $::os_service_default. +# (Optional) Indicate whether to set the X-Service-Catalog header. If False, +# middleware will not ask for service catalog on token validation and will +# not set the X-Service-Catalog header. Boolean value. +# Defaults to $::os_service_default. # # [*keyfile*] -# (Optional) Required if identity server requires client certificate -# Defaults to $::os_service_default. +# (Optional) Required if identity server requires client certificate +# Defaults to $::os_service_default. # # [*memcache_pool_conn_get_timeout*] -# (Optional) Number of seconds that an operation will wait to get a memcached -# client connection from the pool. Integer value -# Defaults to $::os_service_default. +# (Optional) Number of seconds that an operation will wait to get a memcached +# client connection from the pool. Integer value +# Defaults to $::os_service_default. # # [*memcache_pool_dead_retry*] -# (Optional) Number of seconds memcached server is considered dead before it -# is tried again. Integer value -# Defaults to $::os_service_default. +# (Optional) Number of seconds memcached server is considered dead before it +# is tried again. Integer value +# Defaults to $::os_service_default. # # [*memcache_pool_maxsize*] -# (Optional) Maximum total number of open connections to every memcached -# server. Integer value -# Defaults to $::os_service_default. +# (Optional) Maximum total number of open connections to every memcached +# server. Integer value +# Defaults to $::os_service_default. # # [*memcache_pool_socket_timeout*] -# (Optional) Number of seconds a connection to memcached is held unused in -# the -# pool before it is closed. Integer value -# Defaults to $::os_service_default. +# (Optional) Number of seconds a connection to memcached is held unused in +# the pool before it is closed. 
Integer value +# Defaults to $::os_service_default. # # [*memcache_pool_unused_timeout*] -# (Optional) Number of seconds a connection to memcached is held unused in -# the -# pool before it is closed. Integer value -# Defaults to $::os_service_default. +# (Optional) Number of seconds a connection to memcached is held unused in +# the pool before it is closed. Integer value +# Defaults to $::os_service_default. # # [*memcache_secret_key*] -# (Optional, mandatory if memcache_security_strategy is defined) This string -# is used for key derivation. -# Defaults to $::os_service_default. +# (Optional, mandatory if memcache_security_strategy is defined) This string +# is used for key derivation. +# Defaults to $::os_service_default. # # [*memcache_security_strategy*] -# (Optional) If defined, indicate whether token data should be authenticated -# or -# authenticated and encrypted. If MAC, token data is authenticated (with -# HMAC) -# in the cache. If ENCRYPT, token data is encrypted and authenticated in the -# cache. If the value is not one of these options or empty, auth_token will -# raise an exception on initialization. -# Defaults to $::os_service_default. +# (Optional) If defined, indicate whether token data should be authenticated +# or authenticated and encrypted. If MAC, token data is authenticated (with +# HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated +# in the cache. If the value is not one of these options or empty, +# auth_token will raise an exception on initialization. +# Defaults to $::os_service_default. # # [*memcache_use_advanced_pool*] -# (Optional) Use the advanced (eventlet safe) memcached client pool. The -# advanced pool will only work under python 2.x Boolean value -# Defaults to $::os_service_default. +# (Optional) Use the advanced (eventlet safe) memcached client pool. The +# advanced pool will only work under python 2.x Boolean value +# Defaults to $::os_service_default. 
# # [*memcached_servers*] -# (Optional) Optionally specify a list of memcached server(s) to use for -# caching. If left undefined, tokens will instead be cached in-process. -# Defaults to $::os_service_default. +# (Optional) Optionally specify a list of memcached server(s) to use for +# caching. If left undefined, tokens will instead be cached in-process. +# Defaults to $::os_service_default. # # [*region_name*] -# (Optional) The region in which the identity server can be found. -# Defaults to $::os_service_default. +# (Optional) The region in which the identity server can be found. +# Defaults to $::os_service_default. # # [*revocation_cache_time*] -# (Optional) Determines the frequency at which the list of revoked tokens is -# retrieved from the Identity service (in seconds). A high number of -# revocation events combined with a low cache duration may significantly -# reduce performance. Only valid for PKI tokens. Integer value -# Defaults to $::os_service_default. +# (Optional) Determines the frequency at which the list of revoked tokens is +# retrieved from the Identity service (in seconds). A high number of +# revocation events combined with a low cache duration may significantly +# reduce performance. Only valid for PKI tokens. Integer value +# Defaults to $::os_service_default. # # [*signing_dir*] -# (Optional) Directory used to cache files related to PKI tokens. -# Defaults to $::os_service_default. +# (Optional) Directory used to cache files related to PKI tokens. +# Defaults to $::os_service_default. # # [*token_cache_time*] -# (Optional) In order to prevent excessive effort spent validating tokens, -# the middleware caches previously-seen tokens for a configurable duration -# (in seconds). Set to -1 to disable caching completely. Integer value -# Defaults to $::os_service_default. +# (Optional) In order to prevent excessive effort spent validating tokens, +# the middleware caches previously-seen tokens for a configurable duration +# (in seconds). 
Set to -1 to disable caching completely. Integer value
+# Defaults to $::os_service_default.
 #
 class glance::api::authtoken(
 $username = 'glance',
@@ -228,26 +223,16 @@ class glance::api::authtoken(
 $token_cache_time = $::os_service_default,
 ) {
- if is_service_default($password) and $::glance::api::keystone_password == undef {
+ if is_service_default($password) {
 fail('Please set password for Glance service user')
 }
- #NOTE(degorenko): Use pick to keep backward compatibility
- $username_real = pick($::glance::api::keystone_user, $username)
- $password_real = pick($::glance::api::keystone_password, $password)
- $project_name_real = pick($::glance::api::keystone_tenant, $project_name)
- $auth_url_real = pick($::glance::api::identity_uri, $auth_url)
- $auth_uri_real = pick($::glance::api::auth_uri, $auth_uri)
- $memcached_servers_real = pick($::glance::api::memcached_servers, $memcached_servers)
- $token_cache_time_real = pick($::glance::api::token_cache_time, $token_cache_time)
- $signing_dir_real = pick($::glance::api::signing_dir, $signing_dir)
-
 keystone::resource::authtoken { 'glance_api_config':
- username => $username_real,
- password => $password_real,
- project_name => $project_name_real,
- auth_url => $auth_url_real,
- auth_uri => $auth_uri_real,
+ username => $username,
+ password => $password,
+ project_name => $project_name,
+ auth_url => $auth_url,
+ auth_uri => $auth_uri,
 auth_version => $auth_version,
 auth_type => $auth_type,
 auth_section => $auth_section,
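Review bot: The simplified guard `if is_service_default($password)` only rejects the `$::os_service_default` sentinel, so `password => ''` passes the check and is handed unchanged to `keystone::resource::authtoken`, where the misconfiguration surfaces only when the middleware later fails to authenticate against Keystone. With `empty()` already in use in this module (api.pp), `if is_service_default($password) or empty($password) {` would reject that at catalog compile time with the same `fail()` message. The diffstat suggests the same guard exists in glare/authtoken.pp and registry/authtoken.pp; those hunks are outside this view.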
@@ -273,10 +258,10 @@ class glance::api::authtoken(
 memcache_security_strategy => $memcache_security_strategy,
 memcache_use_advanced_pool => $memcache_use_advanced_pool,
 memcache_pool_unused_timeout => $memcache_pool_unused_timeout,
- memcached_servers => $memcached_servers_real,
+ memcached_servers => $memcached_servers,
 region_name => $region_name,
 revocation_cache_time => $revocation_cache_time,
- signing_dir => $signing_dir_real,
- token_cache_time => $token_cache_time_real,
+ signing_dir => $signing_dir,
+ token_cache_time => $token_cache_time,
 }
 }
diff --git a/manifests/glare.pp b/manifests/glare.pp
index ab35db6c..be3849f7 100644
--- a/manifests/glare.pp
+++ b/manifests/glare.pp
@@ -73,62 +73,6 @@ # (optional) Sets the keystone region to use. # Defaults to 'RegionOne'. # -# == DEPRECATED PARAMETERS -# -# [*auth_region*] -# (optional) The region for the authentication service. -# If "use_user_token" is not in effect and using keystone auth, -# then region name can be specified. -# Defaults to $::os_service_default. -# -# [*auth_type*] -# (optional) Type is authorization being used. -# Deprecated and replaced by ::glance::glare::auth_strategy -# Defaults to undef. -# -# [*auth_uri*] -# (optional) Complete public Identity API endpoint. -# Deprecated and will be replaced by ::glance::glare::authtoken::auth_uri -# Defaults to undef. -# -# [*identity_uri*] -# (optional) Complete admin Identity API endpoint. -# Deprecated and will be replaced by ::glance::glare::authtoken::auth_url -# Defaults to undef. -# -# [*keystone_tenant*] -# (optional) Tenant to authenticate to. -# Deprecated and will be replaced by ::glance::glare::authtoken::project_name -# Defaults to undef. -# -# [*keystone_user*] -# (optional) User to authenticate as with keystone. -# Deprecated and will be replaced by ::glance::glare::authtoken::username -# Defaults to undef. -# -# [*keystone_password*] -# (optional) Password used to authentication. -# Deprecated and will be replaced by ::glance::glare::authtoken::password -# Defaults to undef. -# -# [*signing_dir*] -# (optional) Directory used to cache files related to PKI tokens. -# Deprecated and will be replaced by ::glance::glare::authtoken::signing_dir -# Defaults to undef. -# -# [*memcached_servers*] -# (optinal) a list of memcached server(s) to use for caching. If left undefined, -# tokens will instead be cached in-process. -# Deprecated and will be replaced by ::glance::glare::authtoken::memcached_servers -# Defaults to undef. -# -# [*token_cache_time*] -# (optional) In order to prevent excessive effort spent validating tokens, -# the middleware caches previously-seen tokens for a configurable duration (in seconds). 
-# Set to -1 to disable caching completely.
-# Deprecated and will be replaced by ::glance::glare::authtoken::token_cache_time
-# Defaults to undef.
-#
 class glance::glare(
 $package_ensure = 'present',
 $bind_host = '0.0.0.0',
@@ -146,17 +90,6 @@ class glance::glare(
 $default_store = undef,
 $multi_store = false,
 $os_region_name = 'RegionOne',
- # DEPRECATED PARAMETERS
- $auth_region = undef,
- $auth_type = undef,
- $auth_uri = undef,
- $identity_uri = undef,
- $memcached_servers = undef,
- $keystone_tenant = undef,
- $keystone_user = undef,
- $keystone_password = undef,
- $signing_dir = undef,
- $token_cache_time = undef,
 ) inherits glance {
 include ::glance::deps
@@ -164,49 +97,6 @@ class glance::glare(
 include ::glance::glare::db
 include ::glance::glare::logging
- if $auth_region {
- warning('auth_region is deprecated, has no effect and and will be removed in the O release.')
- }
-
- if $keystone_password {
- warning('glance::glare::keystone_password is deprecated, please use glance::glare::authtoken::password')
- }
-
- if $auth_type {
- warning('glance::glare::auth_type is deprecated, please use glance::glare::auth_strategy')
- $auth_strategy_real = $auth_type
- } else {
- $auth_strategy_real = $auth_strategy
- }
-
- if $auth_uri {
- warning('glance::glare::auth_uri is deprecated, please use glance::glare::authtoken::auth_uri')
- }
-
- if $identity_uri {
- warning('glance::glare::identity_uri is deprecated, please use glance::glare::authtoken::auth_url')
- }
-
- if $keystone_tenant {
- warning('glance::glare::keystone_tenant is deprecated, please use glance::glare::authtoken::project_name')
- }
-
- if $keystone_user {
- warning('glance::glare::keystone_user is deprecated, please use glance::glare::authtoken::username')
- }
-
- if $memcached_servers {
- warning('glance::glare::memcached_servers is deprecated, please use glance::glare::authtoken::memcached_servers')
- }
-
- if $signing_dir {
- warning('glance::glare::signing_dir is deprecated, please use glance::glare::authtoken::signing_dir')
- }
-
- if $token_cache_time {
- warning('glance::glare::token_cache_time is deprecated, please use glance::glare::authtoken::token_cache_time')
- }
-
 if ( $glance::params::glare_package_name != $glance::params::registry_package_name ) {
 ensure_packages('glance-glare', {
 ensure => $package_ensure,
diff --git a/manifests/glare/authtoken.pp b/manifests/glare/authtoken.pp
index 351b3166..9ca09b1f 100644
--- a/manifests/glare/authtoken.pp
+++ b/manifests/glare/authtoken.pp
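Review bot: The removed `$auth_strategy_real` assignment in glance::glare has no replacement on the new side, and the diffstat lists manifests/glare.pp as deletions only (110), whereas api.pp gets the matching `+ if $auth_strategy == 'keystone' {` rewrite in its `@@ -548,7 +441,7 @@` hunk. If the rest of glance::glare (outside this hunk) still compares `$auth_strategy_real == 'keystone'` before including `::glance::glare::authtoken`, that comparison now reads an unassigned variable, is always false, and the keystone_authtoken section is silently never configured for Glare; please confirm the remaining body uses `$auth_strategy`, or apply the same one-line rename here. The class body continues outside the hunk.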
@@ -29,166 +29,161 @@ # Defaults to $::os_service_default # # [*insecure*] -# (Optional) If true, explicitly allow TLS without checking server cert -# against any certificate authorities. WARNING: not recommended. Use with -# caution. -# Defaults to $:os_service_default +# (Optional) If true, explicitly allow TLS without checking server cert +# against any certificate authorities. WARNING: not recommended. Use with +# caution. +# Defaults to $:os_service_default # # [*auth_section*] -# (Optional) Config Section from which to load plugin specific options -# Defaults to $::os_service_default. +# (Optional) Config Section from which to load plugin specific options +# Defaults to $::os_service_default. # # [*auth_type*] -# (Optional) Authentication type to load -# Defaults to 'password' +# (Optional) Authentication type to load +# Defaults to 'password' # # [*auth_uri*] -# (Optional) Complete public Identity API endpoint. -# Defaults to 'http://127.0.0.1:5000'. +# (Optional) Complete public Identity API endpoint. +# Defaults to 'http://127.0.0.1:5000'. # # [*auth_version*] -# (Optional) API version of the admin Identity API endpoint. -# Defaults to $::os_service_default. +# (Optional) API version of the admin Identity API endpoint. +# Defaults to $::os_service_default. # # [*cache*] -# (Optional) Env key for the swift cache. -# Defaults to $::os_service_default. +# (Optional) Env key for the swift cache. +# Defaults to $::os_service_default. # # [*cafile*] -# (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs -# connections. -# Defaults to $::os_service_default. +# (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs +# connections. +# Defaults to $::os_service_default. # # [*certfile*] -# (Optional) Required if identity server requires client certificate -# Defaults to $::os_service_default. +# (Optional) Required if identity server requires client certificate +# Defaults to $::os_service_default. 
# # [*check_revocations_for_cached*] -# (Optional) If true, the revocation list will be checked for cached tokens. -# This requires that PKI tokens are configured on the identity server. -# boolean value. -# Defaults to $::os_service_default. +# (Optional) If true, the revocation list will be checked for cached tokens. +# This requires that PKI tokens are configured on the identity server. +# boolean value. +# Defaults to $::os_service_default. # # [*delay_auth_decision*] -# (Optional) Do not handle authorization requests within the middleware, but -# delegate the authorization decision to downstream WSGI components. Boolean -# value -# Defaults to $::os_service_default. +# (Optional) Do not handle authorization requests within the middleware, but +# delegate the authorization decision to downstream WSGI components. Boolean +# value +# Defaults to $::os_service_default. # # [*enforce_token_bind*] -# (Optional) Used to control the use and type of token binding. Can be set -# to: "disabled" to not check token binding. "permissive" (default) to -# validate binding information if the bind type is of a form known to the -# server and ignore it if not. "strict" like "permissive" but if the bind -# type is unknown the token will be rejected. "required" any form of token -# binding is needed to be allowed. Finally the name of a binding method that -# must be present in tokens. String value. -# Defaults to $::os_service_default. +# (Optional) Used to control the use and type of token binding. Can be set +# to: "disabled" to not check token binding. "permissive" (default) to +# validate binding information if the bind type is of a form known to the +# server and ignore it if not. "strict" like "permissive" but if the bind +# type is unknown the token will be rejected. "required" any form of token +# binding is needed to be allowed. Finally the name of a binding method that +# must be present in tokens. String value. +# Defaults to $::os_service_default. 
# # [*hash_algorithms*] -# (Optional) Hash algorithms to use for hashing PKI tokens. This may be a -# single algorithm or multiple. The algorithms are those supported by Python -# standard hashlib.new(). The hashes will be tried in the order given, so put -# the preferred one first for performance. The result of the first hash will -# be stored in the cache. This will typically be set to multiple values only -# while migrating from a less secure algorithm to a more secure one. Once all -# the old tokens are expired this option should be set to a single value for -# better performance. List value. -# Defaults to $::os_service_default. +# (Optional) Hash algorithms to use for hashing PKI tokens. This may be a +# single algorithm or multiple. The algorithms are those supported by Python +# standard hashlib.new(). The hashes will be tried in the order given, so put +# the preferred one first for performance. The result of the first hash will +# be stored in the cache. This will typically be set to multiple values only +# while migrating from a less secure algorithm to a more secure one. Once all +# the old tokens are expired this option should be set to a single value for +# better performance. List value. +# Defaults to $::os_service_default. # # [*http_connect_timeout*] -# (Optional) Request timeout value for communicating with Identity API -# server. -# Defaults to $::os_service_default. +# (Optional) Request timeout value for communicating with Identity API +# server. +# Defaults to $::os_service_default. # # [*http_request_max_retries*] -# (Optional) How many times are we trying to reconnect when communicating -# with Identity API Server. Integer value -# Defaults to $::os_service_default. +# (Optional) How many times are we trying to reconnect when communicating +# with Identity API Server. Integer value +# Defaults to $::os_service_default. # # [*include_service_catalog*] -# (Optional) Indicate whether to set the X-Service-Catalog header. 
If False, -# middleware will not ask for service catalog on token validation and will -# not -# set the X-Service-Catalog header. Boolean value. -# Defaults to $::os_service_default. +# (Optional) Indicate whether to set the X-Service-Catalog header. If False, +# middleware will not ask for service catalog on token validation and will +# not set the X-Service-Catalog header. Boolean value. +# Defaults to $::os_service_default. # # [*keyfile*] -# (Optional) Required if identity server requires client certificate -# Defaults to $::os_service_default. +# (Optional) Required if identity server requires client certificate +# Defaults to $::os_service_default. # # [*memcache_pool_conn_get_timeout*] -# (Optional) Number of seconds that an operation will wait to get a memcached -# client connection from the pool. Integer value -# Defaults to $::os_service_default. +# (Optional) Number of seconds that an operation will wait to get a memcached +# client connection from the pool. Integer value +# Defaults to $::os_service_default. # # [*memcache_pool_dead_retry*] -# (Optional) Number of seconds memcached server is considered dead before it -# is tried again. Integer value -# Defaults to $::os_service_default. +# (Optional) Number of seconds memcached server is considered dead before it +# is tried again. Integer value +# Defaults to $::os_service_default. # # [*memcache_pool_maxsize*] -# (Optional) Maximum total number of open connections to every memcached -# server. Integer value -# Defaults to $::os_service_default. +# (Optional) Maximum total number of open connections to every memcached +# server. Integer value +# Defaults to $::os_service_default. # # [*memcache_pool_socket_timeout*] -# (Optional) Number of seconds a connection to memcached is held unused in -# the -# pool before it is closed. Integer value -# Defaults to $::os_service_default. +# (Optional) Number of seconds a connection to memcached is held unused in +# the pool before it is closed. 
Integer value +# Defaults to $::os_service_default. # # [*memcache_pool_unused_timeout*] -# (Optional) Number of seconds a connection to memcached is held unused in -# the -# pool before it is closed. Integer value -# Defaults to $::os_service_default. +# (Optional) Number of seconds a connection to memcached is held unused in +# the pool before it is closed. Integer value +# Defaults to $::os_service_default. # # [*memcache_secret_key*] -# (Optional, mandatory if memcache_security_strategy is defined) This string -# is used for key derivation. -# Defaults to $::os_service_default. +# (Optional, mandatory if memcache_security_strategy is defined) This string +# is used for key derivation. +# Defaults to $::os_service_default. # # [*memcache_security_strategy*] -# (Optional) If defined, indicate whether token data should be authenticated -# or -# authenticated and encrypted. If MAC, token data is authenticated (with -# HMAC) -# in the cache. If ENCRYPT, token data is encrypted and authenticated in the -# cache. If the value is not one of these options or empty, auth_token will -# raise an exception on initialization. -# Defaults to $::os_service_default. +# (Optional) If defined, indicate whether token data should be authenticated or +# authenticated and encrypted. If MAC, token data is authenticated (with HMAC) +# in the cache. If ENCRYPT, token data is encrypted and authenticated in the +# cache. If the value is not one of these options or empty, auth_token will +# raise an exception on initialization. +# Defaults to $::os_service_default. # # [*memcache_use_advanced_pool*] -# (Optional) Use the advanced (eventlet safe) memcached client pool. The -# advanced pool will only work under python 2.x Boolean value -# Defaults to $::os_service_default. +# (Optional) Use the advanced (eventlet safe) memcached client pool. The +# advanced pool will only work under python 2.x Boolean value +# Defaults to $::os_service_default. 
# # [*memcached_servers*] -# (Optional) Optionally specify a list of memcached server(s) to use for -# caching. If left undefined, tokens will instead be cached in-process. -# Defaults to $::os_service_default. +# (Optional) Optionally specify a list of memcached server(s) to use for +# caching. If left undefined, tokens will instead be cached in-process. +# Defaults to $::os_service_default. # # [*region_name*] -# (Optional) The region in which the identity server can be found. -# Defaults to $::os_service_default. +# (Optional) The region in which the identity server can be found. +# Defaults to $::os_service_default. # # [*revocation_cache_time*] -# (Optional) Determines the frequency at which the list of revoked tokens is -# retrieved from the Identity service (in seconds). A high number of -# revocation events combined with a low cache duration may significantly -# reduce performance. Only valid for PKI tokens. Integer value -# Defaults to $::os_service_default. +# (Optional) Determines the frequency at which the list of revoked tokens is +# retrieved from the Identity service (in seconds). A high number of +# revocation events combined with a low cache duration may significantly +# reduce performance. Only valid for PKI tokens. Integer value +# Defaults to $::os_service_default. # # [*signing_dir*] -# (Optional) Directory used to cache files related to PKI tokens. -# Defaults to $::os_service_default. +# (Optional) Directory used to cache files related to PKI tokens. +# Defaults to $::os_service_default. # # [*token_cache_time*] -# (Optional) In order to prevent excessive effort spent validating tokens, -# the middleware caches previously-seen tokens for a configurable duration -# (in seconds). Set to -1 to disable caching completely. Integer value -# Defaults to $::os_service_default. +# (Optional) In order to prevent excessive effort spent validating tokens, +# the middleware caches previously-seen tokens for a configurable duration +# (in seconds). 
Set to -1 to disable caching completely. Integer value +# Defaults to $::os_service_default. # class glance::glare::authtoken( $username = 'glance', @@ -232,22 +227,12 @@ class glance::glare::authtoken( fail('Please set password for Glance service user') } - #NOTE(degorenko): Use pick to keep backward compatibility - $username_real = pick($::glance::glare::keystone_user, $username) - $password_real = pick($::glance::glare::keystone_password, $password) - $project_name_real = pick($::glance::glare::keystone_tenant, $project_name) - $auth_url_real = pick($::glance::glare::identity_uri, $auth_url) - $auth_uri_real = pick($::glance::glare::auth_uri, $auth_uri) - $memcached_servers_real = pick($::glance::glare::memcached_servers, $memcached_servers) - $token_cache_time_real = pick($::glance::glare::token_cache_time, $token_cache_time) - $signing_dir_real = pick($::glance::glare::signing_dir, $signing_dir) - keystone::resource::authtoken { 'glance_glare_config': - username => $username_real, - password => $password_real, - project_name => $project_name_real, - auth_url => $auth_url_real, - auth_uri => $auth_uri_real, + username => $username, + password => $password, + project_name => $project_name, + auth_url => $auth_url, + auth_uri => $auth_uri, auth_version => $auth_version, auth_type => $auth_type, auth_section => $auth_section, @@ -273,10 +258,10 @@ class glance::glare::authtoken( memcache_security_strategy => $memcache_security_strategy, memcache_use_advanced_pool => $memcache_use_advanced_pool, memcache_pool_unused_timeout => $memcache_pool_unused_timeout, - memcached_servers => $memcached_servers_real, + memcached_servers => $memcached_servers, region_name => $region_name, revocation_cache_time => $revocation_cache_time, - signing_dir => $signing_dir_real, - token_cache_time => $token_cache_time_real, + signing_dir => $signing_dir, + token_cache_time => $token_cache_time, } } 
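Review bot: The `if` that guards `fail('Please set password for Glance service user')` sits just above this hunk and is not touched, while the registry counterpart later in this same patch rewrites its guard to drop `$::glance::registry::keystone_password == undef`; confirm the glare guard does not still read `$::glance::glare::keystone_password`, since that class parameter is removed from `glance::glare` by this commit and a stale reference is an error under `strict_variables`. With the `pick()` fallbacks gone, `$password` reaches `keystone_authtoken/password` exactly as given, so that guard is the only thing preventing a catalog that deploys the service with no credential. The `keystone::resource::authtoken` declaration continues past the end of the hunk.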
diff --git a/manifests/registry.pp b/manifests/registry.pp
index 3ddf9ca5..667fab53 100644
--- a/manifests/registry.pp
+++ b/manifests/registry.pp
@@ -117,55 +117,6 @@ # (optional) Sets the keystone region to use. # Defaults to $::os_service_default. # -# DEPRECATED PARAMETERS -# -# [*keystone_password*] -# (optional) The keystone password for administrative user. -# Deprecated and will be replaced by ::glance::registry::authtoken::password -# Default to undef. -# -# [*auth_type*] -# (optional) Authentication type. Defaults to undef. -# Deprecated and will be replaced by ::glance::registry::auth_strategy -# -# [*auth_uri*] -# (optional) Complete public Identity API endpoint. -# Deprecated and will be replaced by ::glance::registry::authtoken::auth_uri -# Defaults to undef. -# -# [*identity_uri*] -# (optional) Complete admin Identity API endpoint. -# Deprecated and will be replaced by ::glance::registry::authtoken::auth_url -# Defaults to undef. -# -# [*keystone_tenant*] -# (optional) administrative tenant name to connect to keystone. -# Deprecated and will be replaced by ::glance::registry::authtoken::project_name -# Defaults to undef. -# -# [*keystone_user*] -# (optional) administrative user name to connect to keystone. -# Deprecated and will be replaced by ::glance::registry::authtoken::username -# Defaults to undef. -# -# [*signing_dir*] -# Directory used to cache files related to PKI tokens. -# Deprecated and will be replaced by ::glance::registry::authtoken::signing_dir -# Defaults to undef. -# -# [*memcached_servers*] -# (optinal) a list of memcached server(s) to use for caching. If left undefined, -# tokens will instead be cached in-process. -# Deprecated and will be replaced by ::glance::registry::authtoken::memcached_servers -# Defaults to undef. -# -# [*token_cache_time*] -# In order to prevent excessive effort spent validating tokens, -# the middleware caches previously-seen tokens for a configurable duration (in seconds). -# Set to -1 to disable caching completely. -# Deprecated and will be replaced by ::glance::registry::authtoken::token_cache_time -# Defaults to undef. 
-#
 class glance::registry(
 $package_ensure = 'present',
 $debug = undef,
@@ -194,61 +145,12 @@ class glance::registry(
 $ca_file = $::os_service_default,
 $sync_db = true,
 $os_region_name = $::os_service_default,
- # Deprecated
- $keystone_password = undef,
- $auth_type = undef,
- $auth_uri = undef,
- $identity_uri = undef,
- $keystone_tenant = undef,
- $keystone_user = undef,
- $signing_dir = undef,
- $memcached_servers = undef,
- $token_cache_time = undef,
 ) inherits glance {
 include ::glance::deps
 include ::glance::registry::logging
 include ::glance::registry::db
- if $keystone_password {
- warning('glance::registry::keystone_password is deprecated, please use glance::registry::authtoken::password')
- }
-
- if $auth_type {
- warning('glance::registry::auth_type is deprecated, please use glance::registry::auth_strategy')
- $auth_strategy_real = $auth_type
- } else {
- $auth_strategy_real = $auth_strategy
- }
-
- if $auth_uri {
- warning('glance::registry::auth_uri is deprecated, please use glance::registry::authtoken::auth_uri')
- }
-
- if $identity_uri {
- warning('glance::registry::identity_uri is deprecated, please use glance::registry::authtoken::auth_url')
- }
-
- if $keystone_tenant {
- warning('glance::registry::keystone_tenant is deprecated, please use glance::registry::authtoken::project_name')
- }
-
- if $keystone_user {
- warning('glance::registry::keystone_user is deprecated, please use glance::registry::authtoken::username')
- }
-
- if $memcached_servers {
- warning('glance::registry::memcached_servers is deprecated, please use glance::registry::authtoken::memcached_servers')
- }
-
- if $signing_dir {
- warning('glance::registry::signing_dir is deprecated, please use glance::registry::authtoken::signing_dir')
- }
-
- if $token_cache_time {
- warning('glance::registry::token_cache_time is deprecated, please use glance::registry::authtoken::token_cache_time')
- }
-
 if ( $glance::params::api_package_name != $glance::params::registry_package_name ) {
 ensure_packages( 'glance-registry', {
@@ -282,7 +184,7 @@ class glance::registry(
 }
 # keystone config
- if $auth_strategy_real == 'keystone' {
+ if $auth_strategy == 'keystone' {
 include ::glance::registry::authtoken
 }
diff --git a/manifests/registry/authtoken.pp b/manifests/registry/authtoken.pp
index 1587cf4b..9fe3ea91 100644
--- a/manifests/registry/authtoken.pp
+++ b/manifests/registry/authtoken.pp
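Review bot: With the `auth_type` shim removed, `$auth_strategy` is now the sole switch deciding whether `::glance::registry::authtoken` is included, and the rewritten `if` has no else branch, so any value other than the exact string `'keystone'` (a capitalisation typo, or a value carried over from an older manifest) silently leaves the registry without token validation configured. Unless the value is validated elsewhere in the class (outside this hunk), consider failing closed on unexpected input, e.g. `} elsif !is_service_default($auth_strategy) and $auth_strategy != 'noauth' { fail("Unsupported auth_strategy ${auth_strategy}") }`, adjusting the accepted set to what this class actually supports. The enclosing class body starts and ends outside the hunk.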
@@ -29,166 +29,161 @@ # Defaults to $::os_service_default # # [*insecure*] -# (Optional) If true, explicitly allow TLS without checking server cert -# against any certificate authorities. WARNING: not recommended. Use with -# caution. -# Defaults to $:os_service_default +# (Optional) If true, explicitly allow TLS without checking server cert +# against any certificate authorities. WARNING: not recommended. Use with +# caution. +# Defaults to $:os_service_default # # [*auth_section*] -# (Optional) Config Section from which to load plugin specific options -# Defaults to $::os_service_default. +# (Optional) Config Section from which to load plugin specific options +# Defaults to $::os_service_default. # # [*auth_type*] -# (Optional) Authentication type to load -# Defaults to 'password'. +# (Optional) Authentication type to load +# Defaults to 'password'. # # [*auth_uri*] -# (Optional) Complete public Identity API endpoint. -# Defaults to 'http://127.0.0.1:5000'. +# (Optional) Complete public Identity API endpoint. +# Defaults to 'http://127.0.0.1:5000'. # # [*auth_version*] -# (Optional) API version of the admin Identity API endpoint. -# Defaults to $::os_service_default. +# (Optional) API version of the admin Identity API endpoint. +# Defaults to $::os_service_default. # # [*cache*] -# (Optional) Env key for the swift cache. -# Defaults to $::os_service_default. +# (Optional) Env key for the swift cache. +# Defaults to $::os_service_default. # # [*cafile*] -# (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs -# connections. -# Defaults to $::os_service_default. +# (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs +# connections. +# Defaults to $::os_service_default. # # [*certfile*] -# (Optional) Required if identity server requires client certificate -# Defaults to $::os_service_default. +# (Optional) Required if identity server requires client certificate +# Defaults to $::os_service_default. 
# # [*check_revocations_for_cached*] -# (Optional) If true, the revocation list will be checked for cached tokens. -# This requires that PKI tokens are configured on the identity server. -# boolean value. -# Defaults to $::os_service_default. +# (Optional) If true, the revocation list will be checked for cached tokens. +# This requires that PKI tokens are configured on the identity server. +# boolean value. +# Defaults to $::os_service_default. # # [*delay_auth_decision*] -# (Optional) Do not handle authorization requests within the middleware, but -# delegate the authorization decision to downstream WSGI components. Boolean -# value -# Defaults to $::os_service_default. +# (Optional) Do not handle authorization requests within the middleware, but +# delegate the authorization decision to downstream WSGI components. Boolean +# value +# Defaults to $::os_service_default. # # [*enforce_token_bind*] -# (Optional) Used to control the use and type of token binding. Can be set -# to: "disabled" to not check token binding. "permissive" (default) to -# validate binding information if the bind type is of a form known to the -# server and ignore it if not. "strict" like "permissive" but if the bind -# type is unknown the token will be rejected. "required" any form of token -# binding is needed to be allowed. Finally the name of a binding method that -# must be present in tokens. String value. -# Defaults to $::os_service_default. +# (Optional) Used to control the use and type of token binding. Can be set +# to: "disabled" to not check token binding. "permissive" (default) to +# validate binding information if the bind type is of a form known to the +# server and ignore it if not. "strict" like "permissive" but if the bind +# type is unknown the token will be rejected. "required" any form of token +# binding is needed to be allowed. Finally the name of a binding method that +# must be present in tokens. String value. +# Defaults to $::os_service_default. 
# # [*hash_algorithms*] -# (Optional) Hash algorithms to use for hashing PKI tokens. This may be a -# single algorithm or multiple. The algorithms are those supported by Python -# standard hashlib.new(). The hashes will be tried in the order given, so put -# the preferred one first for performance. The result of the first hash will -# be stored in the cache. This will typically be set to multiple values only -# while migrating from a less secure algorithm to a more secure one. Once all -# the old tokens are expired this option should be set to a single value for -# better performance. List value. -# Defaults to $::os_service_default. +# (Optional) Hash algorithms to use for hashing PKI tokens. This may be a +# single algorithm or multiple. The algorithms are those supported by Python +# standard hashlib.new(). The hashes will be tried in the order given, so put +# the preferred one first for performance. The result of the first hash will +# be stored in the cache. This will typically be set to multiple values only +# while migrating from a less secure algorithm to a more secure one. Once all +# the old tokens are expired this option should be set to a single value for +# better performance. List value. +# Defaults to $::os_service_default. # # [*http_connect_timeout*] -# (Optional) Request timeout value for communicating with Identity API -# server. -# Defaults to $::os_service_default. +# (Optional) Request timeout value for communicating with Identity API +# server. +# Defaults to $::os_service_default. # # [*http_request_max_retries*] -# (Optional) How many times are we trying to reconnect when communicating -# with Identity API Server. Integer value -# Defaults to $::os_service_default. +# (Optional) How many times are we trying to reconnect when communicating +# with Identity API Server. Integer value +# Defaults to $::os_service_default. # # [*include_service_catalog*] -# (Optional) Indicate whether to set the X-Service-Catalog header. 
If False, -# middleware will not ask for service catalog on token validation and will -# not -# set the X-Service-Catalog header. Boolean value. -# Defaults to $::os_service_default. +# (Optional) Indicate whether to set the X-Service-Catalog header. If False, +# middleware will not ask for service catalog on token validation and will +# not set the X-Service-Catalog header. Boolean value. +# Defaults to $::os_service_default. # # [*keyfile*] -# (Optional) Required if identity server requires client certificate -# Defaults to $::os_service_default. +# (Optional) Required if identity server requires client certificate +# Defaults to $::os_service_default. # # [*memcache_pool_conn_get_timeout*] -# (Optional) Number of seconds that an operation will wait to get a memcached -# client connection from the pool. Integer value -# Defaults to $::os_service_default. +# (Optional) Number of seconds that an operation will wait to get a memcached +# client connection from the pool. Integer value +# Defaults to $::os_service_default. # # [*memcache_pool_dead_retry*] -# (Optional) Number of seconds memcached server is considered dead before it -# is tried again. Integer value -# Defaults to $::os_service_default. +# (Optional) Number of seconds memcached server is considered dead before it +# is tried again. Integer value +# Defaults to $::os_service_default. # # [*memcache_pool_maxsize*] -# (Optional) Maximum total number of open connections to every memcached -# server. Integer value -# Defaults to $::os_service_default. +# (Optional) Maximum total number of open connections to every memcached +# server. Integer value +# Defaults to $::os_service_default. # # [*memcache_pool_socket_timeout*] -# (Optional) Number of seconds a connection to memcached is held unused in -# the -# pool before it is closed. Integer value -# Defaults to $::os_service_default. +# (Optional) Number of seconds a connection to memcached is held unused in +# the pool before it is closed. 
Integer value +# Defaults to $::os_service_default. # # [*memcache_pool_unused_timeout*] -# (Optional) Number of seconds a connection to memcached is held unused in -# the -# pool before it is closed. Integer value -# Defaults to $::os_service_default. +# (Optional) Number of seconds a connection to memcached is held unused in +# the pool before it is closed. Integer value +# Defaults to $::os_service_default. # # [*memcache_secret_key*] -# (Optional, mandatory if memcache_security_strategy is defined) This string -# is used for key derivation. -# Defaults to $::os_service_default. +# (Optional, mandatory if memcache_security_strategy is defined) This string +# is used for key derivation. +# Defaults to $::os_service_default. # # [*memcache_security_strategy*] -# (Optional) If defined, indicate whether token data should be authenticated -# or -# authenticated and encrypted. If MAC, token data is authenticated (with -# HMAC) -# in the cache. If ENCRYPT, token data is encrypted and authenticated in the -# cache. If the value is not one of these options or empty, auth_token will -# raise an exception on initialization. -# Defaults to $::os_service_default. +# (Optional) If defined, indicate whether token data should be authenticated +# or authenticated and encrypted. If MAC, token data is authenticated (with +# HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the +# cache. If the value is not one of these options or empty, auth_token will +# raise an exception on initialization. +# Defaults to $::os_service_default. # # [*memcache_use_advanced_pool*] -# (Optional) Use the advanced (eventlet safe) memcached client pool. The -# advanced pool will only work under python 2.x Boolean value -# Defaults to $::os_service_default. +# (Optional) Use the advanced (eventlet safe) memcached client pool. The +# advanced pool will only work under python 2.x Boolean value +# Defaults to $::os_service_default. 
# # [*memcached_servers*] -# (Optional) Optionally specify a list of memcached server(s) to use for -# caching. If left undefined, tokens will instead be cached in-process. -# Defaults to $::os_service_default. +# (Optional) Optionally specify a list of memcached server(s) to use for +# caching. If left undefined, tokens will instead be cached in-process. +# Defaults to $::os_service_default. # # [*region_name*] -# (Optional) The region in which the identity server can be found. -# Defaults to $::os_service_default. +# (Optional) The region in which the identity server can be found. +# Defaults to $::os_service_default. # # [*revocation_cache_time*] -# (Optional) Determines the frequency at which the list of revoked tokens is -# retrieved from the Identity service (in seconds). A high number of -# revocation events combined with a low cache duration may significantly -# reduce performance. Only valid for PKI tokens. Integer value -# Defaults to $::os_service_default. +# (Optional) Determines the frequency at which the list of revoked tokens is +# retrieved from the Identity service (in seconds). A high number of +# revocation events combined with a low cache duration may significantly +# reduce performance. Only valid for PKI tokens. Integer value +# Defaults to $::os_service_default. # # [*signing_dir*] -# (Optional) Directory used to cache files related to PKI tokens. -# Defaults to $::os_service_default. +# (Optional) Directory used to cache files related to PKI tokens. +# Defaults to $::os_service_default. # # [*token_cache_time*] -# (Optional) In order to prevent excessive effort spent validating tokens, -# the middleware caches previously-seen tokens for a configurable duration -# (in seconds). Set to -1 to disable caching completely. Integer value -# Defaults to $::os_service_default. +# (Optional) In order to prevent excessive effort spent validating tokens, +# the middleware caches previously-seen tokens for a configurable duration +# (in seconds). 
Set to -1 to disable caching completely. Integer value +# Defaults to $::os_service_default. # class glance::registry::authtoken( $username = 'glance', @@ -228,26 +223,16 @@ class glance::registry::authtoken( $token_cache_time = $::os_service_default, ) { - if is_service_default($password) and $::glance::registry::keystone_password == undef { + if is_service_default($password) { fail('Please set password for Glance service user') } - #NOTE(degorenko): Use pick to keep backward compatibility - $username_real = pick($::glance::registry::keystone_user, $username) - $password_real = pick($::glance::registry::keystone_password, $password) - $project_name_real = pick($::glance::registry::keystone_tenant, $project_name) - $auth_url_real = pick($::glance::registry::identity_uri, $auth_url) - $auth_uri_real = pick($::glance::registry::auth_uri, $auth_uri) - $memcached_servers_real = pick($::glance::registry::memcached_servers, $memcached_servers) - $token_cache_time_real = pick($::glance::registry::token_cache_time, $token_cache_time) - $signing_dir_real = pick($::glance::registry::signing_dir, $signing_dir) - keystone::resource::authtoken { 'glance_registry_config': - username => $username_real, - password => $password_real, - project_name => $project_name_real, - auth_url => $auth_url_real, - auth_uri => $auth_uri_real, + username => $username, + password => $password, + project_name => $project_name, + auth_url => $auth_url, + auth_uri => $auth_uri, auth_version => $auth_version, auth_type => $auth_type, auth_section => $auth_section, 
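Review bot: The `insecure` entry still documents `Defaults to $:os_service_default` with a single colon on both the removed and re-indented lines; as this is the one knob that disables TLS certificate verification toward Keystone, its doc line should at least be correct: `#   Defaults to $::os_service_default.`. Separately, `memcache_pool_socket_timeout` and `memcache_pool_unused_timeout` now carry identical descriptions ("Number of seconds a connection to memcached is held unused in the pool before it is closed"); the former is presumably the per-operation socket timeout rather than the idle-connection timeout, so verify against keystonemiddleware's option help and reword it. The same duplicated text is present in the glare authtoken hunk earlier in this patch.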
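Review bot: The rewritten guard `if is_service_default($password) {` only rejects the unset case; an explicit empty string passes and is written to `keystone_authtoken/password`, so the service is deployed with a blank credential instead of the catalog failing to compile. Since this line is being changed anyway, consider `if is_service_default($password) or $password == '' {`. The `keystone::resource::authtoken` declaration continues past the end of the hunk.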
@@ -273,10 +258,10 @@ class glance::registry::authtoken(
 memcache_security_strategy => $memcache_security_strategy,
 memcache_use_advanced_pool => $memcache_use_advanced_pool,
 memcache_pool_unused_timeout => $memcache_pool_unused_timeout,
- memcached_servers => $memcached_servers_real,
+ memcached_servers => $memcached_servers,
 region_name => $region_name,
 revocation_cache_time => $revocation_cache_time,
- signing_dir => $signing_dir_real,
- token_cache_time => $token_cache_time_real,
+ signing_dir => $signing_dir,
+ token_cache_time => $token_cache_time,
 }
 }
diff --git a/releasenotes/notes/remove_old_authtoken_options-954b592223d48e6e.yaml b/releasenotes/notes/remove_old_authtoken_options-954b592223d48e6e.yaml
new file mode 100644
index 00000000..2932c334
--- /dev/null
+++ b/releasenotes/notes/remove_old_authtoken_options-954b592223d48e6e.yaml
@@ -0,0 +1,29 @@ +--- +other: + - removed deprecated glance::api::keystone_user + - removed deprecated glance::api::keystone_password + - removed deprecated glance::api::keystone_tenant + - removed deprecatedglance::api::identity_uri + - removed deprecated glance::api::auth_uri + - removed deprecated glance::api::memcached_servers + - removed deprecated glance::api::token_cache_time + - removed deprecated glance::api::signing_dir + - removed deprecated glance::api::auth_type + - removed deprecated glance::glare::keystone_user + - removed deprecated glance::glare::keystone_password + - removed deprecated glance::glare::keystone_tenant + - removed deprecated glance::glare::identity_uri + - removed deprecated glance::glare::auth_uri + - removed deprecated glance::glare::memcached_servers + - removed deprecated glance::glare::token_cache_time + - removed deprecated glance::glare::signing_dir + - removed deprecated glance::glare::auth_type + - removed deprecated glance::registry::keystone_user + - removed deprecated glance::registry::keystone_password + - removed deprecated glance::registry::keystone_tenant + - removed deprecated glance::registry::identity_uri + - removed deprecated glance::registry::auth_uri + - removed deprecated glance::registry::memcached_servers + - removed deprecated glance::registry::token_cache_time + - removed deprecated glance::registry::signing_dir + - removed deprecated glance::registry::auth_type diff --git a/spec/classes/glance_api_spec.rb b/spec/classes/glance_api_spec.rb index 22577dc2..05b36b08 100644 --- a/spec/classes/glance_api_spec.rb +++ b/spec/classes/glance_api_spec.rb @@ -1,6 +1,11 @@ require 'spec_helper' describe 'glance::api' do + let :pre_condition do + "class { '::glance::api::authtoken': + password => 'ChangeMe', + }" + end let :default_params do { 
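Review bot: Declaring `class { '::glance::api::authtoken': password => 'ChangeMe' }` in `pre_condition` places the authtoken class in every catalog independently of what `glance::api` does, so a regression in which `glance::api` stops including `::glance::api::authtoken` for `auth_strategy => 'keystone'` would no longer be caught by this spec, whereas the removed `:keystone_password` parameter previously exercised that include path. If the suite has a hiera fixture, supplying `glance::api::authtoken::password: ChangeMe` there instead would keep the include under test; failing that, add one example without the pre_condition that asserts `is_expected.to contain_class('glance::api::authtoken')`. The same fixture shape is used for the glare and registry specs later in this patch.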
@@ -18,7 +23,6 @@ describe 'glance::api' do :manage_service => true, :backlog => '', :workers => '7', - :keystone_password => 'ChangeMe', :show_image_direct_url => '', :show_multiple_locations => '', :location_strategy => '', @@ -43,8 +47,7 @@ describe 'glance::api' do shared_examples_for 'glance::api' do - [{:keystone_password => 'ChangeMe'}, - { + [{ :debug => true, :bind_host => '127.0.0.1', :bind_port => '9222', @@ -55,7 +58,6 @@ describe 'glance::api' do :enabled => false, :backlog => '4095', :workers => '5', - :keystone_password => 'ChangeMe', :show_image_direct_url => true, :show_multiple_locations => true, :location_strategy => 'store_type', @@ -164,9 +166,8 @@ describe 'glance::api' do describe 'with disabled service managing' do let :params do { - :keystone_password => 'ChangeMe', - :manage_service => false, - :enabled => false, + :manage_service => false, + :enabled => false, } end @@ -182,8 +183,7 @@ describe 'glance::api' do describe 'with overridden pipeline' do let :params do { - :keystone_password => 'ChangeMe', - :pipeline => 'something', + :pipeline => 'something', } end @@ -193,8 +193,7 @@ describe 'glance::api' do describe 'with blank pipeline' do let :params do { - :keystone_password => 'ChangeMe', - :pipeline => '', + :pipeline => '', } end 
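Review bot: Removing `{:keystone_password => 'ChangeMe'}` from the param-set array in the `@@ -43,8 +47,7 @@` hunk leaves a single element, so the shared examples now run only with the overriding values (`:debug => true`, `:bind_host => '127.0.0.1'`, …) and the class defaults are never asserted against; the glare spec in this patch even renames its example to "when not using default class parameters". Keep an empty set as the first element so both passes still run: `[{}, {` in place of `[{`. The array literal continues past the hunk.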
@@ -389,32 +388,6 @@ describe 'glance::api' do :require => 'Exec[execute glance-api validation]', )} end - - describe 'with deprecated auth parameters' do - let :params do - default_params.merge({ - :auth_type => 'keystone', - :keystone_tenant => 'services', - :keystone_user => 'glance', - :keystone_password => 'password', - :token_cache_time => '1000', - :memcached_servers => 'localhost:11211', - :signing_dir => '/tmp/keystone', - :auth_uri => 'http://127.0.0.1:5000', - :identity_uri => 'http://127.0.0.1:35357', - }) - end - it 'deprecated auth parameters' do - is_expected.to contain_glance_api_config('keystone_authtoken/memcached_servers').with_value(params[:memcached_servers]) - is_expected.to contain_glance_api_config('keystone_authtoken/username').with_value(params[:keystone_user]) - is_expected.to contain_glance_api_config('keystone_authtoken/project_name').with_value(params[:keystone_tenant]) - is_expected.to contain_glance_api_config('keystone_authtoken/password').with_value(params[:keystone_password]) - is_expected.to contain_glance_api_config('keystone_authtoken/token_cache_time').with_value(params[:token_cache_time]) - is_expected.to contain_glance_api_config('keystone_authtoken/signing_dir').with_value(params[:signing_dir]) - is_expected.to contain_glance_api_config('keystone_authtoken/auth_uri').with_value(params[:auth_uri]) - is_expected.to contain_glance_api_config('keystone_authtoken/auth_url').with_value(params[:identity_uri]) - end - end end shared_examples_for 'glance::api Debian' do diff --git a/spec/classes/glance_backend_cinder_spec.rb b/spec/classes/glance_backend_cinder_spec.rb index 7876a916..256d0359 100644 --- a/spec/classes/glance_backend_cinder_spec.rb +++ b/spec/classes/glance_backend_cinder_spec.rb 
@@ -23,7 +23,7 @@ require 'spec_helper' describe 'glance::backend::cinder' do let :pre_condition do - 'class { "glance::api": keystone_password => "pass" }' + 'class { "glance::api::authtoken": password => "pass" }' end shared_examples_for 'glance with cinder backend' do diff --git a/spec/classes/glance_backend_swift_spec.rb b/spec/classes/glance_backend_swift_spec.rb index 970f396b..83f44ce3 100644 --- a/spec/classes/glance_backend_swift_spec.rb +++ b/spec/classes/glance_backend_swift_spec.rb @@ -10,7 +10,8 @@ describe 'glance::backend::swift' do end let :pre_condition do - 'class { "glance::api": keystone_password => "pass" }' + 'class { "glance::api::authtoken": password => "pass" } + include ::glance::api' end describe 'when default parameters' do diff --git a/spec/classes/glance_backend_vsphere_spec.rb b/spec/classes/glance_backend_vsphere_spec.rb index 665742cb..5966c57e 100644 --- a/spec/classes/glance_backend_vsphere_spec.rb +++ b/spec/classes/glance_backend_vsphere_spec.rb @@ -23,7 +23,7 @@ require 'spec_helper' describe 'glance::backend::vsphere' do let :pre_condition do - 'class { "glance::api": keystone_password => "pass" }' + 'class { "glance::api::authtoken": password => "pass" }' end shared_examples_for 'glance with vsphere backend' do diff --git a/spec/classes/glance_glare_spec.rb b/spec/classes/glance_glare_spec.rb index c36c99c6..6c105c7d 100644 --- a/spec/classes/glance_glare_spec.rb +++ b/spec/classes/glance_glare_spec.rb @@ -1,17 +1,20 @@ require 'spec_helper' describe 'glance::glare' do - + let :pre_condition do + "class {'::glance::glare::authtoken': + password => 'ChangeMe', + }" + end let :default_params do { :bind_host => '0.0.0.0', :bind_port => '9494', - :auth_type => 'keystone', + :auth_strategy => 'keystone', :enabled => true, :manage_service => true, :backlog => '4096', :workers => '7', - :keystone_password => 'ChangeMe', :stores => false, :default_store => false, :os_region_name => 'RegionOne', 
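Review bot: The cinder and vsphere fixtures now declare only `glance::api::authtoken` and drop `glance::api` from `pre_condition`, while the swift fixture in the same run of hunks keeps `include ::glance::api`; the three backend specs should build the same kind of catalog. Either the authtoken declaration is unnecessary for cinder and vsphere, in which case the pre_condition can go entirely, or `glance::api` is still needed (for `glance::deps` anchors or `glance_api_config` ordering) and should be included as in the swift spec: `'class { "glance::api::authtoken": password => "pass" }` followed by `include ::glance::api'`. Which of the two holds is not visible from these hunks.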
@@ -24,17 +27,16 @@ describe 'glance::glare' do { :bind_host => '127.0.0.1', :bind_port => '9222', - :auth_type => 'not_keystone', + :auth_strategy => 'not_keystone', :enabled => false, :backlog => '4095', :workers => '5', - :keystone_password => 'ChangeMe2', :os_region_name => 'RegionOne2', :pipeline => 'keystone2', } ].each do |param_set| - describe "when #{param_set == {:keystone_password => 'ChangeMe'} ? "using default" : "specifying"} class parameters" do + describe "when not using default class parameters" do let :param_hash do default_params.merge(param_set) @@ -82,8 +84,8 @@ describe 'glance::glare' do is_expected.to contain_glance_glare_config('DEFAULT/key_file').with_value('') end - it 'is_expected.to configure itself for keystone if that is the auth_type' do - if params[:auth_type] == 'keystone' + it 'is_expected.to configure itself for keystone if that is the auth_strategy' do + if params[:auth_strategy] == 'keystone' is_expected.to contain('paste_deploy/flavor').with_value('keystone+cachemanagement') end end @@ -94,7 +96,6 @@ describe 'glance::glare' do describe 'with disabled service managing' do let :params do { - :keystone_password => 'ChangeMe', :manage_service => false, :enabled => false, } @@ -112,8 +113,7 @@ describe 'glance::glare' do describe 'with overridden pipeline' do let :params do { - :keystone_password => 'ChangeMe', - :pipeline => 'something', + :pipeline => 'something', } end @@ -123,8 +123,7 @@ describe 'glance::glare' do describe 'with blank pipeline' do let :params do { - :keystone_password => 'ChangeMe', - :pipeline => '', + :pipeline => '', } end @@ -141,8 +140,7 @@ describe 'glance::glare' do describe "with pipeline incorrect value #{pipeline}" do let :params do { - :keystone_password => 'ChangeMe', - :pipeline => pipeline + :pipeline => pipeline } end 
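Review bot: In the `@@ -82,8 +84,8 @@` hunk, `if params[:auth_strategy] == 'keystone'` can never be true any more: the preceding hunk removed the default param set, and the only remaining element of the loop sets `:auth_strategy => 'not_keystone'`, so the renamed example asserts nothing and passes vacuously. Restore a `{}` (defaults) param set so the keystone branch runs, or give the conditional an `else` that asserts the non-keystone flavor. Note also that the branch's matcher `contain('paste_deploy/flavor')` looks like it should be `contain_glance_glare_config('paste_deploy/flavor')`, although that line is unchanged context here.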
@@ -232,33 +230,7 @@ describe 'glance::glare' do
 it { is_expected.to contain_glance_glare_config('glance_store/default_store').with_value('glance.store.filesystem.Store') }
 it { is_expected.to contain_glance_glare_config('glance_store/stores').with_value('glance.store.filesystem.Store') }
 end
-
- describe 'with deprecated auth parameters' do
- let :params do
- default_params.merge({
- :auth_type => 'keystone',
- :keystone_tenant => 'services',
- :keystone_user => 'glance',
- :keystone_password => 'password',
- :token_cache_time => '1000',
- :memcached_servers => 'localhost:11211',
- :signing_dir => '/tmp/keystone',
- :auth_uri => 'http://127.0.0.1:5000',
- :identity_uri => 'http://127.0.0.1:35357',
- })
- end
- it 'deprecated auth parameters' do
- is_expected.to contain_glance_glare_config('keystone_authtoken/memcached_servers').with_value(params[:memcached_servers])
- is_expected.to contain_glance_glare_config('keystone_authtoken/username').with_value(params[:keystone_user])
- is_expected.to contain_glance_glare_config('keystone_authtoken/project_name').with_value(params[:keystone_tenant])
- is_expected.to contain_glance_glare_config('keystone_authtoken/password').with_value(params[:keystone_password])
- is_expected.to contain_glance_glare_config('keystone_authtoken/token_cache_time').with_value(params[:token_cache_time])
- is_expected.to contain_glance_glare_config('keystone_authtoken/signing_dir').with_value(params[:signing_dir])
- is_expected.to contain_glance_glare_config('keystone_authtoken/auth_uri').with_value(params[:auth_uri])
- is_expected.to contain_glance_glare_config('keystone_authtoken/auth_url').with_value(params[:identity_uri])
- end
- end
- end
+end
 shared_examples_for 'glance::glare Debian' do
 let(:params) { default_params }
diff --git a/spec/classes/glance_keystone_auth_spec.rb b/spec/classes/glance_keystone_auth_spec.rb
index 3039d236..0cd5ec5a 100644
--- a/spec/classes/glance_keystone_auth_spec.rb
+++ b/spec/classes/glance_keystone_auth_spec.rb
@@ -128,7 +128,8 @@ describe 'glance::keystone::auth' do
 describe 'when configuring glance-api and the keystone endpoint' do
 let :pre_condition do
- "class { 'glance::api': keystone_password => 'test' }"
+ "class { 'glance::api::authtoken': password => 'test' }
+ include ::glance::api"
 end
 let :params do
diff --git a/spec/classes/glance_keystone_glare_auth_spec.rb b/spec/classes/glance_keystone_glare_auth_spec.rb
index 0130186a..9a835519 100644
--- a/spec/classes/glance_keystone_glare_auth_spec.rb
+++ b/spec/classes/glance_keystone_glare_auth_spec.rb
@@ -128,7 +128,7 @@ describe 'glance::keystone::glare_auth' do
 describe 'when configuring glance-glare and the keystone endpoint' do
 let :pre_condition do
- "class { 'glance::glare': keystone_password => 'test' }"
+ "class { 'glance::glare::authtoken': password => 'test' }"
 end
 let :params do
diff --git a/spec/classes/glance_registry_spec.rb b/spec/classes/glance_registry_spec.rb
index 220d1877..5df02fef 100644
--- a/spec/classes/glance_registry_spec.rb
+++ b/spec/classes/glance_registry_spec.rb
@@ -1,6 +1,12 @@
 require 'spec_helper'
 describe 'glance::registry' do
+ let :pre_condition do
+ "class { 'glance::registry::authtoken':
+ password => 'ChangeMe',
+ }"
+ end
+
 let :default_params do
 {
 :debug => false,
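Review bot: In the registry `default_params` hunk, `:auth_type => 'keystone'` is removed without a replacement, whereas the glare spec swaps it for `:auth_strategy => 'keystone'`; the shared examples' flavor check, rewritten in the `@@ -80,7 +81,7 @@` hunk to `if param_hash[:auth_strategy] == 'keystone'`, therefore reads `nil` and the `paste_deploy/flavor` assertion never runs for the default parameter set. The pipeline hunk later setting `:auth_strategy => 'keystone'` explicitly suggests nothing else in `default_params` provides it, though the unchanged entries above this hunk are not visible. Adding `:auth_strategy => 'keystone',` where the two lines were removed would keep the check live, as it is in the glare spec.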
@@ -25,20 +29,17 @@ describe 'glance::registry' do
 shared_examples_for 'glance::registry' do
 [
- {:keystone_password => 'ChangeMe'},
 {
 :bind_host => '127.0.0.1',
 :bind_port => '9111',
 :workers => '5',
 :enabled => false,
- :auth_type => 'keystone',
- :keystone_password => 'ChangeMe',
 :sync_db => false,
 :os_region_name => 'RegionOne2',
 }
 ].each do |param_set|
- describe "when #{param_set == {:keystone_password => 'ChangeMe'} ? "using default" : "specifying"} class parameters" do
+ describe "when using default class parameters" do
 let :param_hash do
 default_params.merge(param_set)
 end
@@ -80,7 +81,7 @@ describe 'glance::registry' do
 ].each do |config|
 is_expected.to contain_glance_registry_config("DEFAULT/#{config}").with_value(param_hash[config.intern])
 end
- if param_hash[:auth_type] == 'keystone'
+ if param_hash[:auth_strategy] == 'keystone'
 is_expected.to contain_glance_registry_config("paste_deploy/flavor").with_value('keystone')
 end
 end
@@ -106,7 +107,6 @@ describe 'glance::registry' do
 describe 'with disabled service managing' do
 let :params do
 {
- :keystone_password => 'ChangeMe',
 :manage_service => false,
 :enabled => false,
 }
@@ -128,7 +128,6 @@ describe 'glance::registry' do
 # but there is no reason that there can't be more options in the future.
 let :params do
 {
- :keystone_password => 'ChangeMe',
 :pipeline => 'validoptionstring',
 }
 end
@@ -139,7 +138,6 @@ describe 'glance::registry' do
 describe 'with blank pipeline' do
 let :params do
 {
- :keystone_password => 'ChangeMe',
 :pipeline => '',
 }
 end
@@ -157,8 +155,7 @@ describe 'glance::registry' do
 describe "with pipeline incorrect value #{pipeline}" do
 let :params do
 {
- :keystone_password => 'ChangeMe',
- :auth_type => 'keystone',
+ :auth_strategy => 'keystone',
 :pipeline => pipeline
 }
 end
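Review bot: With the `{:keystone_password => 'ChangeMe'}` element removed, the only `param_set` left in this loop is the override hash (`bind_host`, `bind_port`, `workers`, `enabled`, `sync_db`, `os_region_name` all non-default), so the new label `"when using default class parameters"` states the opposite of what the example does; the glare spec's counterpart was relabelled "when not using default" for the same situation. `describe "when specifying class parameters" do` would match the values actually merged into `default_params`. The loop body continues past the end of this hunk.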
@@ -184,31 +181,6 @@ describe 'glance::registry' do
 end
 end
- describe 'with deprecated auth parameters' do
- let :params do
- default_params.merge({
- :auth_type => 'keystone',
- :keystone_tenant => 'services',
- :keystone_user => 'glance',
- :keystone_password => 'password',
- :token_cache_time => '1000',
- :memcached_servers => 'localhost:11211',
- :signing_dir => '/tmp/keystone',
- :auth_uri => 'http://127.0.0.1:5000',
- :identity_uri => 'http://127.0.0.1:35357',
- })
- end
- it 'deprecated auth parameters' do
- is_expected.to contain_glance_registry_config('keystone_authtoken/memcached_servers').with_value(params[:memcached_servers])
- is_expected.to contain_glance_registry_config('keystone_authtoken/username').with_value(params[:keystone_user])
- is_expected.to contain_glance_registry_config('keystone_authtoken/project_name').with_value(params[:keystone_tenant])
- is_expected.to contain_glance_registry_config('keystone_authtoken/password').with_value(params[:keystone_password])
- is_expected.to contain_glance_registry_config('keystone_authtoken/token_cache_time').with_value(params[:token_cache_time])
- is_expected.to contain_glance_registry_config('keystone_authtoken/signing_dir').with_value(params[:signing_dir])
- is_expected.to contain_glance_registry_config('keystone_authtoken/auth_uri').with_value(params[:auth_uri])
- is_expected.to contain_glance_registry_config('keystone_authtoken/auth_url').with_value(params[:identity_uri])
- end
- end
 end
 shared_examples_for 'glance::registry Debian' do