Deprecate module_plugins

An upstream change in keystone has removed the requirement to define the
module_plugins for the Mellon, Openidc and Shibboleth federation
configs.

Change-Id: I9ef488df3564f5b01ba7cf8e6a7957565858e27e
(cherry picked from commit 73f863e21c)

manifests/federation/mellon.pp

@@ -26,11 +26,6 @@
 #  using Keystone VirtualHost on port 5000.
 #  (Optional) Defaults to true.
 #
-# [*module_plugin*]
-#  The plugin for authentication acording to the choice made with protocol and
-#  module.
-#  (Optional) Defaults to 'keystone.auth.plugins.mapped.Mapped' (string value)
-#
 # [*template_order*]
 #  This number indicates the order for the concat::fragment that will apply
 #  the shibboleth configuration to Keystone VirtualHost. The value should
@@ -57,17 +52,25 @@
 #   the-middle (MITM) attacks.
 #   Defaults to undef
 #
+# === DEPRECATED
+#
+# [*module_plugin*]
+#  The plugin for authentication acording to the choice made with protocol and
+#  module.
+#  (Optional) Defaults to 'keystone.auth.plugins.mapped.Mapped' (string value)
+#
 class keystone::federation::mellon (
   $methods,
   $idp_name,
   $protocol_name,
   $admin_port         = false,
   $main_port          = true,
-  $module_plugin      = 'keystone.auth.plugins.mapped.Mapped',
   $template_order     = 331,
   $package_ensure     = present,
   $enable_websso      = false,
   $trusted_dashboards = undef,
+  # DEPRECATED
+  $module_plugin      = undef,
 ) {
 
   include ::apache
@@ -86,10 +89,6 @@ Apache + Mellon SP setups, where a REMOTE_USER env variable is always set, even
 
   if !('saml2' in $methods ) {
     fail('Methods should contain saml2 as one of the auth methods.')
-  }else{
-    if ($module_plugin != 'keystone.auth.plugins.mapped.Mapped') {
-      fail('The plugin for saml and mellon should be keystone.auth.plugins.mapped.Mapped')
-    }
   }
 
   validate_bool($admin_port)
@@ -101,8 +100,8 @@ Apache + Mellon SP setups, where a REMOTE_USER env variable is always set, even
   }
 
   keystone_config {
-    'auth/methods': value => join(any2array($methods),',');
-    'auth/saml2':   value => $module_plugin;
+    'auth/methods': value  => join(any2array($methods),',');
+    'auth/saml2':   ensure => absent;
   }
 
   if($enable_websso){

manifests/federation/openidc.pp

@@ -44,11 +44,6 @@
 #  using Keystone VirtualHost on port 5000.
 #  (Optional) Defaults to true.
 #
-# [*module_plugin*]
-#  The plugin for authentication acording to the choice made with protocol and
-#  module.
-#  (Optional) Defaults to 'keystone.auth.plugins.mapped.Mapped' (string value)
-#
 # [*template_order*]
 #  This number indicates the order for the concat::fragment that will apply
 #  the shibboleth configuration to Keystone VirtualHost. The value should
@@ -64,6 +59,13 @@
 #   accepts latest or specific versions.
 #   Defaults to present.
 #
+# === DEPRECATED
+#
+# [*module_plugin*]
+#  The plugin for authentication acording to the choice made with protocol and
+#  module.
+#  (Optional) Defaults to 'keystone.auth.plugins.mapped.Mapped' (string value)
+#
 class keystone::federation::openidc (
   $methods,
   $idp_name,
@@ -74,9 +76,10 @@ class keystone::federation::openidc (
   $openidc_response_type       = 'id_token',
   $admin_port                  = false,
   $main_port                   = true,
-  $module_plugin               = 'keystone.auth.plugins.mapped.Mapped',
   $template_order              = 331,
   $package_ensure              = present,
+  # DEPRECATED
+  $module_plugin               = undef,
 ) {
 
   include ::apache
@@ -94,10 +97,6 @@ class keystone::federation::openidc (
 
   if !('openidc' in $methods ) {
     fail('Methods should contain openidc as one of the auth methods.')
-  } else {
-    if ($module_plugin != 'keystone.auth.plugins.mapped.Mapped') {
-      fail('Other plugins are not currently supported for openidc')
-    }
   }
 
   validate_bool($admin_port)
@@ -108,8 +107,8 @@ class keystone::federation::openidc (
   }
 
   keystone_config {
-    'auth/methods': value => join(any2array($methods),',');
-    'auth/openidc': value => $module_plugin;
+    'auth/methods': value  => join(any2array($methods),',');
+    'auth/openidc': ensure => absent;
   }
 
   ensure_packages([$::keystone::params::openidc_package_name], {

manifests/federation/shibboleth.pp

@@ -18,11 +18,6 @@
 #  (Required) (string or array value).
 #  Note: The external value should be dropped to avoid problems.
 #
-# [*module_plugin*]
-#  The plugin for authentication according to the choice made with protocol and
-#  module.
-#  (Optional) Defaults to 'keystone.auth.plugins.mapped.Mapped' (string value)
-#
 # [*suppress_warning*]
 #  A boolean value to disable the warning about not installing shibboleth on RedHat.
 #  (Optional) Defaults to false.
@@ -52,6 +47,12 @@
 #      require  => Anchor['openstack_extras_redhat']
 #    }
 #
+# === DEPRECATED
+# [*module_plugin*]
+#  The plugin for authentication according to the choice made with protocol and
+#  module.
+#  (Optional) Defaults to 'keystone.auth.plugins.mapped.Mapped' (string value)
+#
 # == Note about Redhat osfamily
 #    According to puppet-apache we need to enable a new repo, but in puppet-openstack
 #    we won't enable any external third party repo.
@@ -62,10 +63,11 @@ class keystone::federation::shibboleth(
   $methods,
   $admin_port       = false,
   $main_port        = true,
-  $module_plugin    = 'keystone.auth.plugins.mapped.Mapped',
   $suppress_warning = false,
   $template_order   = 331,
-  $yum_repo_name    = 'shibboleth'
+  $yum_repo_name    = 'shibboleth',
+  # DEPRECATED
+  $module_plugin    = undef,
 ) {
 
   include ::apache
@@ -83,10 +85,6 @@ Apache + Shibboleth SP setups, where a REMOTE_USER env variable is always set, e
 
   if !('saml2' in $methods ) {
     fail('Methods should contain saml2 as one of the auth methods.')
-  }else{
-    if ($module_plugin != 'keystone.auth.plugins.mapped.Mapped') {
-      fail('The plugin for saml and shibboleth should be keystone.auth.plugins.mapped.Mapped')
-    }
   }
 
   validate_bool($admin_port)
@@ -98,8 +96,8 @@ Apache + Shibboleth SP setups, where a REMOTE_USER env variable is always set, e
   }
 
   keystone_config {
-    'auth/methods': value => join(any2array($methods),',');
-    'auth/saml2':   value => $module_plugin;
+    'auth/methods': value  => join(any2array($methods),',');
+    'auth/saml2':   ensure => absent;
   }
 
   if $::osfamily == 'Debian' or ($::osfamily == 'RedHat' and (defined(Yumrepo[$yum_repo_name])) or defined(Package['shibboleth'])) {

releasenotes/notes/deprecate-module_plugin-ef8159de8e019dda.yaml

@@ -0,0 +1,7 @@
+---
+deprecations:
+  - |
+    keystone::federation::mellon::module_plugin,
+    keystone::federation::shibboleth::module_plugin,
+    keystone::federation::openidc::module_plugin have been deprecated and
+    are no longer used.

spec/classes/keystone_federation_mellon_spec.rb

@@ -29,12 +29,6 @@ describe 'keystone::federation::mellon' do
       it_raises 'a Puppet::Error', /Methods should contain saml2 as one of the auth methods./
     end
 
-    before do
-      params.merge!({:methods       => 'password, token, oauth1, saml2',
-                     :module_plugin => 'keystone.auth.plugins'})
-      it_raises 'a Puppet::Error', /The plugin for saml and mellon should be keystone.auth.plugins.mapped.Mapped/
-    end
-
     before do
       params.merge!({:admin_port => false,
                      :main_port  => false})
@@ -56,7 +50,7 @@ describe 'keystone::federation::mellon' do
     context 'with only required parameters' do
       it 'should have basic params for mellon in Keystone configuration' do
         is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2')
-        is_expected.to contain_keystone_config('auth/saml2').with_value('keystone.auth.plugins.mapped.Mapped')
+        is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent')
       end
 
       it { is_expected.to contain_concat__fragment('configure_mellon_on_port_5000').with({
@@ -74,7 +68,7 @@ describe 'keystone::federation::mellon' do
 
       it 'should have basic params for mellon in Keystone configuration' do
         is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2')
-        is_expected.to contain_keystone_config('auth/saml2').with_value('keystone.auth.plugins.mapped.Mapped')
+        is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent')
       end
 
       it { is_expected.to contain_concat__fragment('configure_mellon_on_port_5000').with({
@@ -103,7 +97,7 @@ describe 'keystone::federation::mellon' do
 
       it 'should have basic params for mellon in Keystone configuration' do
         is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2')
-        is_expected.to contain_keystone_config('auth/saml2').with_value('keystone.auth.plugins.mapped.Mapped')
+        is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent')
       end
 
       it 'should have parameters for websso in Keystone configuration' do

spec/classes/keystone_federation_openidc_spec.rb

@@ -36,12 +36,6 @@ describe 'keystone::federation::openidc' do
       it_raises 'a Puppet::Error', /Methods should contain openidc as one of the auth methods./
     end
 
-    before do
-      params.merge!(:methods       => 'password, token, oauth1, openidc',
-                    :module_plugin => 'keystone.auth.plugins')
-      it_raises 'a Puppet:Error', /The plugin for openidc should be keystone.auth.plugins.mapped.Mapped/
-    end
-
     before do
       params.merge!(:admin_port => false,
                     :main_port  => false)
@@ -81,7 +75,7 @@ describe 'keystone::federation::openidc' do
     context 'with only required parameters' do
       it 'should have basic params for mellon in Keystone configuration' do
         is_expected.to contain_keystone_config('auth/methods').with_value('password, token, openidc')
-        is_expected.to contain_keystone_config('auth/openidc').with_value('keystone.auth.plugins.mapped.Mapped')
+        is_expected.to contain_keystone_config('auth/openidc').with_ensure('absent')
       end
 
       it { is_expected.to contain_concat__fragment('configure_openidc_on_port_5000').with({
@@ -99,7 +93,7 @@ describe 'keystone::federation::openidc' do
 
       it 'should have basic params for mellon in Keystone configuration' do
         is_expected.to contain_keystone_config('auth/methods').with_value('password, token, openidc')
-        is_expected.to contain_keystone_config('auth/openidc').with_value('keystone.auth.plugins.mapped.Mapped')
+        is_expected.to contain_keystone_config('auth/openidc').with_ensure('absent')
       end
 
       it { is_expected.to contain_concat__fragment('configure_openidc_on_port_5000').with({

spec/classes/keystone_federation_shibboleth_spec.rb

@@ -27,12 +27,6 @@ describe 'keystone::federation::shibboleth' do
       it_raises 'a Puppet::Error', /Methods should contain saml2 as one of the auth methods./
     end
 
-    context 'wrong plugin' do
-      let (:params) { default_params.merge(:methods => ['password', 'token', 'oauth1', 'saml2'],
-                    :module_plugin => 'keystone.auth.plugins') }
-      it_raises 'a Puppet::Error', /The plugin for saml and shibboleth should be keystone.auth.plugins.mapped.Mapped/
-    end
-
     context 'no ports' do
       let (:params) { default_params.merge(:admin_port => false,
                     :main_port  => false) }
@@ -64,7 +58,7 @@ describe 'keystone::federation::shibboleth' do
       let (:params) { default_params }
       it 'should have basic params for shibboleth in Keystone configuration' do
         is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2')
-        is_expected.to contain_keystone_config('auth/saml2').with_value('keystone.auth.plugins.mapped.Mapped')
+        is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent')
       end
     end
 
@@ -107,7 +101,7 @@ describe 'keystone::federation::shibboleth' do
         }) }
 
         it { is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2') }
-        it {is_expected.to contain_keystone_config('auth/saml2').with_value('keystone.auth.plugins.mapped.Mapped') }
+        it {is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent') }
         it {
           is_expected.to contain_concat__fragment('configure_shibboleth_on_port_35357').with({
             :target => "10-keystone_wsgi_admin.conf",
@@ -144,7 +138,7 @@ describe 'keystone::federation::shibboleth' do
         }) }
 
         it { is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2') }
-        it { is_expected.to contain_keystone_config('auth/saml2').with_value('keystone.auth.plugins.mapped.Mapped') }
+        it { is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent') }
         it {
           is_expected.to contain_concat__fragment('configure_shibboleth_on_port_35357').with({
             :target => "10-keystone_wsgi_admin.conf",
@@ -169,7 +163,7 @@ describe 'keystone::federation::shibboleth' do
         }) }
 
         it { is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2') }
-        it { is_expected.to contain_keystone_config('auth/saml2').with_value('keystone.auth.plugins.mapped.Mapped') }
+        it { is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent') }
         it { is_expected.to_not contain_concat__fragment('configure_shibboleth_on_port_35357') }
       end
     end