Merge "Remove PKI signing related parameters"

This commit is contained in:
Jenkins 2017-01-04 05:19:14 +00:00 committed by Gerrit Code Review
commit 42e4d02c8b
3 changed files with 16 additions and 289 deletions


@ -87,11 +87,6 @@
# other than KVS, which stores events in memory.
# Defaults to true.
#
# [*cache_dir*]
# (optional) Directory created when token_provider is pki. This folder is not
# created unless enable_pki_setup is set to True.
# Defaults to /var/cache/keystone.
#
# [*memcache_servers*]
# (optional) List of memcache servers as a comma separated string of
# 'server:port,server:port' or an array of servers ['server:port',
@ -557,43 +552,6 @@
# [*service_provider*]
# (optional) Deprecated. Provider, that can be used for keystone service.
#
# [*enable_pki_setup*]
# (optional) Deprecated. Enable call to pki_setup to generate the cert for signing pki tokens and
# revocation lists if it doesn't already exist. This generates a cert and key stored in file
# locations based on the signing_certfile and signing_keyfile paramters below. If you are
# providing your own signing cert, make this false.
# Default to undef.
#
# [*signing_certfile*]
# (optional) Deprecated. Location of the cert file for signing pki tokens and revocation lists.
# Note that if this file already exists (i.e. you are providing your own signing cert),
# the file will not be overwritten, even if enable_pki_setup is set to true.
# Defaults to $::os_service_default
#
# [*signing_keyfile*]
# (optional) Deprecated. Location of the key file for signing pki tokens and revocation lists.
# Note that if this file already exists (i.e. you are providing your own signing cert), the file
# will not be overwritten, even if enable_pki_setup is set to true.
# Defaults to $::os_service_default
#
# [*signing_ca_certs*]
# (optional) Deprecated. Use this CA certs file along with signing_certfile/signing_keyfile for
# signing pki tokens and revocation lists.
# Defaults to $::os_service_default
#
# [*signing_ca_key*]
# (optional) Deprecated. Use this CA key file along with signing_certfile/signing_keyfile for signing
# pki tokens and revocation lists.
# Defaults to $::os_service_default
#
# [*signing_cert_subject*]
# (optional) Deprecated. Certificate subject (auto generated certificate) for token signing.
# Defaults to $::os_service_default
#
# [*signing_key_size*]
# (optional) Deprecated. Key size (in bits) for token signing cert (auto generated certificate)
# Defaults to $::os_service_default
#
# [*rabbit_host*]
# (optional) Location of rabbitmq installation.
# Defaults to $::os_service_default
@ -618,6 +576,11 @@
# (optional) The RabbitMQ virtual host.
# Defaults to $::os_service_default
#
# [*cache_dir*]
# (optional) Directory created when token_provider is pki. This folder is not
# created unless enable_pki_setup is set to True.
# Defaults to undef
#
# == Dependencies
# None
#
@ -677,7 +640,6 @@ class keystone(
$ssl_ca_certs = '/etc/keystone/ssl/certs/ca.pem',
$ssl_ca_key = '/etc/keystone/ssl/private/cakey.pem',
$ssl_cert_subject = '/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost',
$cache_dir = '/var/cache/keystone',
$memcache_servers = $::os_service_default,
$manage_service = true,
$cache_backend = $::os_service_default,
@ -749,19 +711,13 @@ class keystone(
$admin_workers = $::os_workers,
$public_workers = $::os_workers,
$service_provider = undef,
$enable_pki_setup = undef,
$signing_certfile = $::os_service_default,
$signing_keyfile = $::os_service_default,
$signing_ca_certs = $::os_service_default,
$signing_ca_key = $::os_service_default,
$signing_cert_subject = $::os_service_default,
$signing_key_size = $::os_service_default,
$rabbit_host = $::os_service_default,
$rabbit_hosts = $::os_service_default,
$rabbit_password = $::os_service_default,
$rabbit_port = $::os_service_default,
$rabbit_userid = $::os_service_default,
$rabbit_virtual_host = $::os_service_default,
$cache_dir = undef,
) inherits keystone::params {
include ::keystone::deps
@ -795,6 +751,10 @@ deprecated. Please use keystone::default_transport_url instead.")
warning('Version string /v2.0/ should not be included in keystone::public_endpoint')
}
if $cache_dir {
warning('cache_dir parameter is deprecated, has no effect and will be removed in the future release.')
}
if $admin_password == undef {
warning("admin_password is required, please set admin_password to a value != admin_token. \
admin_token will be removed in a later release")
@ -966,72 +926,6 @@ We have enabled caching as a backwards compatibility that will be removed in the
'catalog/template_file': value => $catalog_template_file;
}
# Set the signing key/cert configuration values.
if (!is_service_default($signing_certfile)) {
warning("PKI token support has been deprecated in the M release and will be removed in the O release. \
Fernet or UUID tokens are recommended.")
}
if (!is_service_default($signing_keyfile)) {
warning("PKI token support has been deprecated in the M release and will be removed in the O release. \
Fernet or UUID tokens are recommended.")
}
if (!is_service_default($signing_ca_certs)) {
warning("PKI token support has been deprecated in the M release and will be removed in the O release. \
Fernet or UUID tokens are recommended.")
}
if (!is_service_default($signing_ca_key)) {
warning("PKI token support has been deprecated in the M release and will be removed in the O release. \
Fernet or UUID tokens are recommended.")
}
if (!is_service_default($signing_cert_subject)) {
warning("PKI token support has been deprecated in the M release and will be removed in the O release. \
Fernet or UUID tokens are recommended.")
}
if (!is_service_default($signing_key_size)) {
warning("PKI token support has been deprecated in the M release and will be removed in the O release. \
Fernet or UUID tokens are recommended.")
}
keystone_config {
'signing/certfile': value => $signing_certfile;
'signing/keyfile': value => $signing_keyfile;
'signing/ca_certs': value => $signing_ca_certs;
'signing/ca_key': value => $signing_ca_key;
'signing/cert_subject': value => $signing_cert_subject;
'signing/key_size': value => $signing_key_size;
}
# Only do pki_setup if we were asked to do so. This is needed
# regardless of the token provider since token revocation lists
# are always signed.
if $enable_pki_setup == true {
if is_service_default($signing_keyfile) {
fail('Please specify path to key file')
} else {
# Create cache directory used for signing.
file { $cache_dir:
ensure => directory,
}
exec { 'keystone-manage pki_setup':
command => "keystone-manage pki_setup --keystone-user ${keystone_user} --keystone-group ${keystone_group}",
path => '/usr/bin',
user => $keystone_user,
refreshonly => true,
creates => $signing_keyfile,
notify => Anchor['keystone::service::begin'],
subscribe => [Anchor['keystone::install::end'], Anchor['keystone::config::end']],
tag => 'keystone-exec',
}
}
}
keystone_config {
'token/provider': value => $token_provider;
'DEFAULT/max_token_size': value => $max_token_size;
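Review bot: The retained `[*cache_dir*]` docblock (the new entry placed just before `== Dependencies`) still tells operators the directory is "created when token_provider is pki", while on the new side the parameter only feeds the deprecation warning added near the `admin_password` check; replace its two description lines with `# (optional) Deprecated. Has no effect and will be removed in a future release.` so the documentation matches the warning. Separately, dropping the `keystone_config { 'signing/...' }` block stops managing those keys without clearing them, so any `[signing]` values this module previously wrote to keystone.conf, plus the key material `pki_setup` generated at the old `signing_keyfile`/`signing_ca_key` paths, remain on upgraded nodes; I would add `ensure => absent` entries for the six settings (assuming the `keystone_config` ini provider honours `absent` like the other OpenStack config types) and a release note asking operators to delete the stale signing key and CA key. Whether the target Keystone release still reads `[signing]` is not visible here, so this is hygiene rather than an exploitable gap, but a private key left behind with no consumer deserves a mention. The `class keystone(` body continues outside this section.
```puppet
# … unchanged: catalog/template_file config …
# Clear any [signing] values written by earlier releases of this module;
# PKI token signing is gone, so nothing should read them any more.
keystone_config {
  'signing/certfile':     ensure => absent;
  'signing/keyfile':      ensure => absent;
  'signing/ca_certs':     ensure => absent;
  'signing/ca_key':       ensure => absent;
  'signing/cert_subject': ensure => absent;
  'signing/key_size':     ensure => absent;
}
# … unchanged: token/provider and max_token_size config …
```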


@ -0,0 +1,6 @@
---
deprecations:
- cache_dir parameter is deprecated, has no effect and will be
removed in the future release.
other:
- Remove PKI signing related parameters.


@ -34,7 +34,6 @@ describe 'keystone' do
'token_driver' => 'sql',
'revoke_driver' => 'sql',
'revoke_by_id' => true,
'cache_dir' => '/var/cache/keystone',
'memcache_servers' => '<SERVICE DEFAULT>',
'cache_backend' => '<SERVICE DEFAULT>',
'cache_backend_argument' => '<SERVICE DEFAULT>',
@ -50,12 +49,6 @@ describe 'keystone' do
'manage_service' => true,
'database_connection' => 'sqlite:////var/lib/keystone/keystone.db',
'database_idle_timeout' => '200',
'signing_certfile' => '<SERVICE DEFAULT>',
'signing_keyfile' => '<SERVICE DEFAULT>',
'signing_ca_certs' => '<SERVICE DEFAULT>',
'signing_ca_key' => '<SERVICE DEFAULT>',
'signing_cert_subject' => '<SERVICE DEFAULT>',
'signing_key_size' => '<SERVICE DEFAULT>',
'default_transport_url' => '<SERVICE DEFAULT>',
'rabbit_host' => '<SERVICE DEFAULT>',
'rabbit_password' => '<SERVICE DEFAULT>',
@ -101,13 +94,6 @@ describe 'keystone' do
'manage_service' => true,
'database_connection' => 'mysql://a:b@c/d',
'database_idle_timeout' => '300',
'enable_pki_setup' => true,
'signing_certfile' => '/etc/keystone/ssl/certs/signing_cert.pem',
'signing_keyfile' => '/etc/keystone/ssl/private/signing_key.pem',
'signing_ca_certs' => '/etc/keystone/ssl/certs/ca.pem',
'signing_ca_key' => '/etc/keystone/ssl/private/cakey.pem',
'signing_cert_subject' => '/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com',
'signing_key_size' => 2048,
'default_transport_url' => 'rabbit://user:pass@host:1234/virt',
'rabbit_host' => '127.0.0.1',
'rabbit_password' => 'openstack',
@ -360,165 +346,6 @@ describe 'keystone' do
it { is_expected.to contain_anchor('keystone::service::end') }
end
describe 'when configuring signing token provider' do
describe 'when configuring as UUID' do
let :params do
{
'admin_token' => 'service_token',
'token_provider' => 'keystone.token.providers.uuid.Provider'
}
end
describe 'pki_setup is disabled by default' do
it { is_expected.to_not contain_exec('keystone-manage pki_setup') }
it { is_expected.to_not contain_file('/var/cache/keystone').with_ensure('directory') }
end
end
describe 'when configuring as PKI' do
let :params do
{
'enable_pki_setup' => true,
'admin_token' => 'service_token',
'token_provider' => 'pki',
'signing_certfile' => '/etc/keystone/ssl/certs/signing_cert.pem',
'signing_keyfile' => '/etc/keystone/ssl/private/signing_key.pem',
'signing_ca_certs' => '/etc/keystone/ssl/certs/ca.pem',
'signing_ca_key' => '/etc/keystone/ssl/private/cakey.pem',
'signing_cert_subject' => '/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com',
'signing_key_size' => 2048,
'keystone_user' => 'keystone',
'keystone_group' => 'keystone',
}
end
it { is_expected.to contain_file('/var/cache/keystone').with_ensure('directory') }
describe 'when overriding the cache dir' do
before do
params.merge!(:cache_dir => '/var/lib/cache/keystone')
end
it { is_expected.to contain_file('/var/lib/cache/keystone') }
end
it { is_expected.to contain_exec('keystone-manage pki_setup').with(
:command => "keystone-manage pki_setup --keystone-user #{params['keystone_user']} --keystone-group #{params['keystone_group']}",
:creates => '/etc/keystone/ssl/private/signing_key.pem'
) }
it { is_expected.to contain_file('/var/cache/keystone').with_ensure('directory') }
describe 'when overriding the cache dir' do
before do
params.merge!(:cache_dir => '/var/lib/cache/keystone')
end
it { is_expected.to contain_file('/var/lib/cache/keystone') }
end
end
describe 'when configuring PKI signing cert paths with UUID and with pki_setup disabled' do
let :params do
{
'admin_token' => 'service_token',
'token_provider' => 'uuid',
'enable_pki_setup' => false,
'signing_certfile' => 'signing_certfile',
'signing_keyfile' => 'signing_keyfile',
'signing_ca_certs' => 'signing_ca_certs',
'signing_ca_key' => 'signing_ca_key',
'signing_cert_subject' => 'signing_cert_subject',
'signing_key_size' => 2048
}
end
it { is_expected.to_not contain_exec('keystone-manage pki_setup') }
it 'should contain correct PKI certfile config' do
is_expected.to contain_keystone_config('signing/certfile').with_value('signing_certfile')
end
it 'should contain correct PKI keyfile config' do
is_expected.to contain_keystone_config('signing/keyfile').with_value('signing_keyfile')
end
it 'should contain correct PKI ca_certs config' do
is_expected.to contain_keystone_config('signing/ca_certs').with_value('signing_ca_certs')
end
it 'should contain correct PKI ca_key config' do
is_expected.to contain_keystone_config('signing/ca_key').with_value('signing_ca_key')
end
it 'should contain correct PKI cert_subject config' do
is_expected.to contain_keystone_config('signing/cert_subject').with_value('signing_cert_subject')
end
it 'should contain correct PKI key_size config' do
is_expected.to contain_keystone_config('signing/key_size').with_value('2048')
end
end
describe 'when configuring PKI signing cert paths with pki_setup disabled' do
let :params do
{
'admin_token' => 'service_token',
'token_provider' => 'pki',
'enable_pki_setup' => false,
'signing_certfile' => 'signing_certfile',
'signing_keyfile' => 'signing_keyfile',
'signing_ca_certs' => 'signing_ca_certs',
'signing_ca_key' => 'signing_ca_key',
'signing_cert_subject' => 'signing_cert_subject',
'signing_key_size' => 2048
}
end
it { is_expected.to_not contain_exec('keystone-manage pki_setup') }
it 'should contain correct PKI certfile config' do
is_expected.to contain_keystone_config('signing/certfile').with_value('signing_certfile')
end
it 'should contain correct PKI keyfile config' do
is_expected.to contain_keystone_config('signing/keyfile').with_value('signing_keyfile')
end
it 'should contain correct PKI ca_certs config' do
is_expected.to contain_keystone_config('signing/ca_certs').with_value('signing_ca_certs')
end
it 'should contain correct PKI ca_key config' do
is_expected.to contain_keystone_config('signing/ca_key').with_value('signing_ca_key')
end
it 'should contain correct PKI cert_subject config' do
is_expected.to contain_keystone_config('signing/cert_subject').with_value('signing_cert_subject')
end
it 'should contain correct PKI key_size config' do
is_expected.to contain_keystone_config('signing/key_size').with_value('2048')
end
end
describe 'with invalid catalog_type' do
let :params do
{ :admin_token => 'service_token',
:catalog_type => 'invalid' }
end
it_raises "a Puppet::Error", /validate_re\(\): "invalid" does not match "template|sql"/
end
describe 'when configuring catalog driver' do
let :params do
{ :admin_token => 'service_token',
:catalog_driver => 'alien' }
end
it { is_expected.to contain_keystone_config('catalog/driver').with_value(params[:catalog_driver]) }
end
end
describe 'when configuring token expiration' do
let :params do
{