Deprecate module_plugins

An upstream change in keystone has removed the requirement to define the
module_plugins for the Mellon, Openidc and Shibboleth federation
configs.

Change-Id: I9ef488df3564f5b01ba7cf8e6a7957565858e27e
(cherry picked from commit 73f863e21c)
Alex Schultz 2018-04-25 15:52:09 -06:00 committed by Tobias Urdin
parent b6d21977ab
commit 2c1e7fdbb9
7 changed files with 49 additions and 64 deletions


@ -26,11 +26,6 @@
# using Keystone VirtualHost on port 5000. # using Keystone VirtualHost on port 5000.
# (Optional) Defaults to true. # (Optional) Defaults to true.
# #
# [*module_plugin*]
# The plugin for authentication acording to the choice made with protocol and
# module.
# (Optional) Defaults to 'keystone.auth.plugins.mapped.Mapped' (string value)
#
# [*template_order*] # [*template_order*]
# This number indicates the order for the concat::fragment that will apply # This number indicates the order for the concat::fragment that will apply
# the shibboleth configuration to Keystone VirtualHost. The value should # the shibboleth configuration to Keystone VirtualHost. The value should
@ -57,17 +52,25 @@
# the-middle (MITM) attacks. # the-middle (MITM) attacks.
# Defaults to undef # Defaults to undef
# #
# === DEPRECATED
#
# [*module_plugin*]
# The plugin for authentication acording to the choice made with protocol and
# module.
# (Optional) Defaults to 'keystone.auth.plugins.mapped.Mapped' (string value)
#
class keystone::federation::mellon ( class keystone::federation::mellon (
$methods, $methods,
$idp_name, $idp_name,
$protocol_name, $protocol_name,
$admin_port = false, $admin_port = false,
$main_port = true, $main_port = true,
$module_plugin = 'keystone.auth.plugins.mapped.Mapped',
$template_order = 331, $template_order = 331,
$package_ensure = present, $package_ensure = present,
$enable_websso = false, $enable_websso = false,
$trusted_dashboards = undef, $trusted_dashboards = undef,
# DEPRECATED
$module_plugin = undef,
) { ) {
include ::apache include ::apache
@ -86,10 +89,6 @@ Apache + Mellon SP setups, where a REMOTE_USER env variable is always set, even
if !('saml2' in $methods ) { if !('saml2' in $methods ) {
fail('Methods should contain saml2 as one of the auth methods.') fail('Methods should contain saml2 as one of the auth methods.')
}else{
if ($module_plugin != 'keystone.auth.plugins.mapped.Mapped') {
fail('The plugin for saml and mellon should be keystone.auth.plugins.mapped.Mapped')
}
} }
validate_bool($admin_port) validate_bool($admin_port)
@ -102,7 +101,7 @@ Apache + Mellon SP setups, where a REMOTE_USER env variable is always set, even
keystone_config { keystone_config {
'auth/methods': value => join(any2array($methods),','); 'auth/methods': value => join(any2array($methods),',');
'auth/saml2': value => $module_plugin; 'auth/saml2': ensure => absent;
} }
if($enable_websso){ if($enable_websso){
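Review bot: `$module_plugin` is kept in the parameter list with `undef` as its default, but nothing in these hunks tells an operator who still passes it that the value is ignored; the removed `fail()` was the only place that looked at it. Since the key it used to feed selects the authentication plugin for the federation method, the deprecation should be visible at compile time, for example `if $module_plugin { warning('keystone::federation::mellon::module_plugin is deprecated, has no effect and will be removed in a future release.') }` after the `$methods` check. The re-added parameter doc under `=== DEPRECATED` still reads `Defaults to 'keystone.auth.plugins.mapped.Mapped'` although the default is now `undef`, and it should say the value is no longer used. The openidc and shibboleth manifests below have the same two gaps. The class body continues outside these hunks, so a warning may already exist in a part that is not shown.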


@ -44,11 +44,6 @@
# using Keystone VirtualHost on port 5000. # using Keystone VirtualHost on port 5000.
# (Optional) Defaults to true. # (Optional) Defaults to true.
# #
# [*module_plugin*]
# The plugin for authentication acording to the choice made with protocol and
# module.
# (Optional) Defaults to 'keystone.auth.plugins.mapped.Mapped' (string value)
#
# [*template_order*] # [*template_order*]
# This number indicates the order for the concat::fragment that will apply # This number indicates the order for the concat::fragment that will apply
# the shibboleth configuration to Keystone VirtualHost. The value should # the shibboleth configuration to Keystone VirtualHost. The value should
@ -64,6 +59,13 @@
# accepts latest or specific versions. # accepts latest or specific versions.
# Defaults to present. # Defaults to present.
# #
# === DEPRECATED
#
# [*module_plugin*]
# The plugin for authentication acording to the choice made with protocol and
# module.
# (Optional) Defaults to 'keystone.auth.plugins.mapped.Mapped' (string value)
#
class keystone::federation::openidc ( class keystone::federation::openidc (
$methods, $methods,
$idp_name, $idp_name,
@ -74,9 +76,10 @@ class keystone::federation::openidc (
$openidc_response_type = 'id_token', $openidc_response_type = 'id_token',
$admin_port = false, $admin_port = false,
$main_port = true, $main_port = true,
$module_plugin = 'keystone.auth.plugins.mapped.Mapped',
$template_order = 331, $template_order = 331,
$package_ensure = present, $package_ensure = present,
# DEPRECATED
$module_plugin = undef,
) { ) {
include ::apache include ::apache
@ -94,10 +97,6 @@ class keystone::federation::openidc (
if !('openidc' in $methods ) { if !('openidc' in $methods ) {
fail('Methods should contain openidc as one of the auth methods.') fail('Methods should contain openidc as one of the auth methods.')
} else {
if ($module_plugin != 'keystone.auth.plugins.mapped.Mapped') {
fail('Other plugins are not currently supported for openidc')
}
} }
validate_bool($admin_port) validate_bool($admin_port)
@ -109,7 +108,7 @@ class keystone::federation::openidc (
keystone_config { keystone_config {
'auth/methods': value => join(any2array($methods),','); 'auth/methods': value => join(any2array($methods),',');
'auth/openidc': value => $module_plugin; 'auth/openidc': ensure => absent;
} }
ensure_packages([$::keystone::params::openidc_package_name], { ensure_packages([$::keystone::params::openidc_package_name], {
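Review bot: `'auth/openidc': ensure => absent;` deletes the key on every run rather than leaving it unmanaged, so authentication for the `openidc` method then depends on keystone resolving the plugin by itself. The commit message attributes that to an upstream keystone change and this is a cherry-pick, so it is worth confirming that the keystone release paired with this branch contains that change. On a release that does not, federated logins would presumably fail after the next Puppet run. The same pattern is used for `auth/saml2` in the mellon and shibboleth manifests.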


@ -18,11 +18,6 @@
# (Required) (string or array value). # (Required) (string or array value).
# Note: The external value should be dropped to avoid problems. # Note: The external value should be dropped to avoid problems.
# #
# [*module_plugin*]
# The plugin for authentication according to the choice made with protocol and
# module.
# (Optional) Defaults to 'keystone.auth.plugins.mapped.Mapped' (string value)
#
# [*suppress_warning*] # [*suppress_warning*]
# A boolean value to disable the warning about not installing shibboleth on RedHat. # A boolean value to disable the warning about not installing shibboleth on RedHat.
# (Optional) Defaults to false. # (Optional) Defaults to false.
@ -52,6 +47,12 @@
# require => Anchor['openstack_extras_redhat'] # require => Anchor['openstack_extras_redhat']
# } # }
# #
# === DEPRECATED
# [*module_plugin*]
# The plugin for authentication according to the choice made with protocol and
# module.
# (Optional) Defaults to 'keystone.auth.plugins.mapped.Mapped' (string value)
#
# == Note about Redhat osfamily # == Note about Redhat osfamily
# According to puppet-apache we need to enable a new repo, but in puppet-openstack # According to puppet-apache we need to enable a new repo, but in puppet-openstack
# we won't enable any external third party repo. # we won't enable any external third party repo.
@ -62,10 +63,11 @@ class keystone::federation::shibboleth(
$methods, $methods,
$admin_port = false, $admin_port = false,
$main_port = true, $main_port = true,
$module_plugin = 'keystone.auth.plugins.mapped.Mapped',
$suppress_warning = false, $suppress_warning = false,
$template_order = 331, $template_order = 331,
$yum_repo_name = 'shibboleth' $yum_repo_name = 'shibboleth',
# DEPRECATED
$module_plugin = undef,
) { ) {
include ::apache include ::apache
@ -83,10 +85,6 @@ Apache + Shibboleth SP setups, where a REMOTE_USER env variable is always set, e
if !('saml2' in $methods ) { if !('saml2' in $methods ) {
fail('Methods should contain saml2 as one of the auth methods.') fail('Methods should contain saml2 as one of the auth methods.')
}else{
if ($module_plugin != 'keystone.auth.plugins.mapped.Mapped') {
fail('The plugin for saml and shibboleth should be keystone.auth.plugins.mapped.Mapped')
}
} }
validate_bool($admin_port) validate_bool($admin_port)
@ -99,7 +97,7 @@ Apache + Shibboleth SP setups, where a REMOTE_USER env variable is always set, e
keystone_config { keystone_config {
'auth/methods': value => join(any2array($methods),','); 'auth/methods': value => join(any2array($methods),',');
'auth/saml2': value => $module_plugin; 'auth/saml2': ensure => absent;
} }
if $::osfamily == 'Debian' or ($::osfamily == 'RedHat' and (defined(Yumrepo[$yum_repo_name])) or defined(Package['shibboleth'])) { if $::osfamily == 'Debian' or ($::osfamily == 'RedHat' and (defined(Yumrepo[$yum_repo_name])) or defined(Package['shibboleth'])) {


@ -0,0 +1,7 @@
---
deprecations:
- |
keystone::federation::mellon::module_plugin,
keystone::federation::shibboleth::module_plugin,
keystone::federation::openidc::module_plugin have been deprecated and
are no longer used.


@ -29,12 +29,6 @@ describe 'keystone::federation::mellon' do
it_raises 'a Puppet::Error', /Methods should contain saml2 as one of the auth methods./ it_raises 'a Puppet::Error', /Methods should contain saml2 as one of the auth methods./
end end
before do
params.merge!({:methods => 'password, token, oauth1, saml2',
:module_plugin => 'keystone.auth.plugins'})
it_raises 'a Puppet::Error', /The plugin for saml and mellon should be keystone.auth.plugins.mapped.Mapped/
end
before do before do
params.merge!({:admin_port => false, params.merge!({:admin_port => false,
:main_port => false}) :main_port => false})
@ -56,7 +50,7 @@ describe 'keystone::federation::mellon' do
context 'with only required parameters' do context 'with only required parameters' do
it 'should have basic params for mellon in Keystone configuration' do it 'should have basic params for mellon in Keystone configuration' do
is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2') is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2')
is_expected.to contain_keystone_config('auth/saml2').with_value('keystone.auth.plugins.mapped.Mapped') is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent')
end end
it { is_expected.to contain_concat__fragment('configure_mellon_on_port_5000').with({ it { is_expected.to contain_concat__fragment('configure_mellon_on_port_5000').with({
@ -74,7 +68,7 @@ describe 'keystone::federation::mellon' do
it 'should have basic params for mellon in Keystone configuration' do it 'should have basic params for mellon in Keystone configuration' do
is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2') is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2')
is_expected.to contain_keystone_config('auth/saml2').with_value('keystone.auth.plugins.mapped.Mapped') is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent')
end end
it { is_expected.to contain_concat__fragment('configure_mellon_on_port_5000').with({ it { is_expected.to contain_concat__fragment('configure_mellon_on_port_5000').with({
@ -103,7 +97,7 @@ describe 'keystone::federation::mellon' do
it 'should have basic params for mellon in Keystone configuration' do it 'should have basic params for mellon in Keystone configuration' do
is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2') is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2')
is_expected.to contain_keystone_config('auth/saml2').with_value('keystone.auth.plugins.mapped.Mapped') is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent')
end end
it 'should have parameters for websso in Keystone configuration' do it 'should have parameters for websso in Keystone configuration' do
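Review bot: No example passes `module_plugin` any more, so nothing pins that the deprecated parameter is still accepted and has no effect on the catalog. The removed plugin-validation case could be replaced by one that merges `:module_plugin => 'keystone.auth.plugins'` into the params and expects `contain_keystone_config('auth/saml2').with_ensure('absent')`. That would catch a later change that drops the parameter early or writes the value back into keystone.conf. The openidc and shibboleth specs below have the same gap.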


@ -36,12 +36,6 @@ describe 'keystone::federation::openidc' do
it_raises 'a Puppet::Error', /Methods should contain openidc as one of the auth methods./ it_raises 'a Puppet::Error', /Methods should contain openidc as one of the auth methods./
end end
before do
params.merge!(:methods => 'password, token, oauth1, openidc',
:module_plugin => 'keystone.auth.plugins')
it_raises 'a Puppet:Error', /The plugin for openidc should be keystone.auth.plugins.mapped.Mapped/
end
before do before do
params.merge!(:admin_port => false, params.merge!(:admin_port => false,
:main_port => false) :main_port => false)
@ -81,7 +75,7 @@ describe 'keystone::federation::openidc' do
context 'with only required parameters' do context 'with only required parameters' do
it 'should have basic params for mellon in Keystone configuration' do it 'should have basic params for mellon in Keystone configuration' do
is_expected.to contain_keystone_config('auth/methods').with_value('password, token, openidc') is_expected.to contain_keystone_config('auth/methods').with_value('password, token, openidc')
is_expected.to contain_keystone_config('auth/openidc').with_value('keystone.auth.plugins.mapped.Mapped') is_expected.to contain_keystone_config('auth/openidc').with_ensure('absent')
end end
it { is_expected.to contain_concat__fragment('configure_openidc_on_port_5000').with({ it { is_expected.to contain_concat__fragment('configure_openidc_on_port_5000').with({
@ -99,7 +93,7 @@ describe 'keystone::federation::openidc' do
it 'should have basic params for mellon in Keystone configuration' do it 'should have basic params for mellon in Keystone configuration' do
is_expected.to contain_keystone_config('auth/methods').with_value('password, token, openidc') is_expected.to contain_keystone_config('auth/methods').with_value('password, token, openidc')
is_expected.to contain_keystone_config('auth/openidc').with_value('keystone.auth.plugins.mapped.Mapped') is_expected.to contain_keystone_config('auth/openidc').with_ensure('absent')
end end
it { is_expected.to contain_concat__fragment('configure_openidc_on_port_5000').with({ it { is_expected.to contain_concat__fragment('configure_openidc_on_port_5000').with({
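Review bot: The two examples whose expectation changes here are still described as `'should have basic params for mellon in Keystone configuration'` although they assert on `auth/openidc`. Since these examples are being edited anyway, renaming them to `'should have basic params for openidc in Keystone configuration'` would make a failure report point at the right federation module.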


@ -27,12 +27,6 @@ describe 'keystone::federation::shibboleth' do
it_raises 'a Puppet::Error', /Methods should contain saml2 as one of the auth methods./ it_raises 'a Puppet::Error', /Methods should contain saml2 as one of the auth methods./
end end
context 'wrong plugin' do
let (:params) { default_params.merge(:methods => ['password', 'token', 'oauth1', 'saml2'],
:module_plugin => 'keystone.auth.plugins') }
it_raises 'a Puppet::Error', /The plugin for saml and shibboleth should be keystone.auth.plugins.mapped.Mapped/
end
context 'no ports' do context 'no ports' do
let (:params) { default_params.merge(:admin_port => false, let (:params) { default_params.merge(:admin_port => false,
:main_port => false) } :main_port => false) }
@ -64,7 +58,7 @@ describe 'keystone::federation::shibboleth' do
let (:params) { default_params } let (:params) { default_params }
it 'should have basic params for shibboleth in Keystone configuration' do it 'should have basic params for shibboleth in Keystone configuration' do
is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2') is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2')
is_expected.to contain_keystone_config('auth/saml2').with_value('keystone.auth.plugins.mapped.Mapped') is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent')
end end
end end
@ -107,7 +101,7 @@ describe 'keystone::federation::shibboleth' do
}) } }) }
it { is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2') } it { is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2') }
it {is_expected.to contain_keystone_config('auth/saml2').with_value('keystone.auth.plugins.mapped.Mapped') } it {is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent') }
it { it {
is_expected.to contain_concat__fragment('configure_shibboleth_on_port_35357').with({ is_expected.to contain_concat__fragment('configure_shibboleth_on_port_35357').with({
:target => "10-keystone_wsgi_admin.conf", :target => "10-keystone_wsgi_admin.conf",
@ -144,7 +138,7 @@ describe 'keystone::federation::shibboleth' do
}) } }) }
it { is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2') } it { is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2') }
it { is_expected.to contain_keystone_config('auth/saml2').with_value('keystone.auth.plugins.mapped.Mapped') } it { is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent') }
it { it {
is_expected.to contain_concat__fragment('configure_shibboleth_on_port_35357').with({ is_expected.to contain_concat__fragment('configure_shibboleth_on_port_35357').with({
:target => "10-keystone_wsgi_admin.conf", :target => "10-keystone_wsgi_admin.conf",
@ -169,7 +163,7 @@ describe 'keystone::federation::shibboleth' do
}) } }) }
it { is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2') } it { is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2') }
it { is_expected.to contain_keystone_config('auth/saml2').with_value('keystone.auth.plugins.mapped.Mapped') } it { is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent') }
it { is_expected.to_not contain_concat__fragment('configure_shibboleth_on_port_35357') } it { is_expected.to_not contain_concat__fragment('configure_shibboleth_on_port_35357') }
end end
end end