openstack/puppet-keystone
Code Issues Proposed changes

Replace legacy facts and use fact hash

Browse Source 
... because the latest lint no longer allows usage of legacy facts and
top scope fact.

Change-Id: Ie757167eedce6fa1c99d08f96be1173871f21817
This commit is contained in:
Takashi Kajinami 2023-03-02 11:10:02 +09:00
parent 43331eadcd
commit 486d7f1435
31 changed files with 574 additions and 583 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
examples/apache_dropin.pp
View File

@ -34,8 +34,8 @@ class { 'keystone':
}
class { 'keystone::bootstrap':
password => 'ChangeMe',
public_url => "https://${::fqdn}:5000",
admin_url => "https://${::fqdn}:5000",
public_url => "https://${facts['networking']['fqdn']}:5000",
admin_url => "https://${facts['networking']['fqdn']}:5000",
}
keystone_config { 'ssl/enable': value => true }

4
examples/apache_with_paths.pp
View File

@ -35,8 +35,8 @@ class { 'keystone':
}
class { 'keystone::bootstrap':
password => 'ChangeMe',
public_url => "https://${::fqdn}:443/v3",
admin_url => "https://${::fqdn}:443/v3",
public_url => "https://${facts['networking']['fqdn']}:443/v3",
admin_url => "https://${facts['networking']['fqdn']}:443/v3",
}
keystone_config { 'ssl/enable': ensure => absent }

4
examples/k2k_sp_shib.pp
View File

@ -53,8 +53,8 @@ class { 'keystone':
class { 'keystone::bootstrap':
password => 'ChangeMe',
public_url => "https://${::fqdn}:5000",
admin_url => "https://${::fqdn}:5000",
public_url => "https://${facts['networking']['fqdn']}:5000",
admin_url => "https://${facts['networking']['fqdn']}:5000",
}
keystone_config { 'ssl/enable': value => true }

116
manifests/cache.pp
View File

@ -8,99 +8,99 @@
# the cache region. This should not need to be changed unless there
# is another dogpile.cache region with the same configuration name.
# (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*expiration_time*]
# (Optional) Default TTL, in seconds, for any cached item in the
# dogpile.cache region. This applies to any cached method that
# doesn't have an explicit cache expiration time defined for it.
# (integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*backend*]
# (Optional) Dogpile.cache backend module. It is recommended that
# Memcache with pooling (oslo_cache.memcache_pool) or Redis
# (dogpile.cache.redis) be used in production deployments. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*backend_argument*]
# (Optional) Arguments supplied to the backend module. Specify this option
# once per argument to be passed to the dogpile.cache backend.
# Example format: "<argname>:<value>". (list value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*proxies*]
# (Optional) Proxy classes to import that will affect the way the
# dogpile.cache backend functions. See the dogpile.cache documentation on
# changing-backend-behavior. (list value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*enabled*]
# (Optional) Global toggle for caching. (boolean value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*debug_cache_backend*]
# (Optional) Extra debugging from the cache backend (cache keys,
# get/set/delete/etc calls). This is only really useful if you need
# to see the specific cache-backend get/set/delete calls with the keys/values.
# Typically this should be left set to false. (boolean value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*memcache_servers*]
# (Optional) Memcache servers in the format of "host:port".
# (dogpile.cache.memcache and oslo_cache.memcache_pool backends only).
# (list value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*memcache_dead_retry*]
# (Optional) Number of seconds memcached server is considered dead before
# it is tried again. (dogpile.cache.memcache and oslo_cache.memcache_pool
# backends only). (integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*memcache_socket_timeout*]
# (Optional) Timeout in seconds for every call to a server.
# (dogpile.cache.memcache and oslo_cache.memcache_pool backends only).
# (floating point value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*enable_socket_keepalive*]
# (Optional) Global toggle for the socket keepalive of dogpile's
# pymemcache backend
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*socket_keepalive_idle*]
# (Optional) The time (in seconds) the connection needs to remain idle
# before TCP starts sending keepalive probes. Should be a positive integer
# most greater than zero.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*socket_keepalive_interval*]
# (Optional) The time (in seconds) between individual keepalive probes.
# Should be a positive integer most greater than zero.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*socket_keepalive_count*]
# (Optional) The maximum number of keepalive probes TCP should send before
# dropping the connection. Should be a positive integer most greater than
# zero.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*memcache_pool_maxsize*]
# (Optional) Max total number of open connections to every memcached server.
# (oslo_cache.memcache_pool backend only). (integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*memcache_pool_unused_timeout*]
# (Optional) Number of seconds a connection to memcached is held unused
# in the pool before it is closed. (oslo_cache.memcache_pool backend only)
# (integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*memcache_pool_connection_get_timeout*]
# (Optional) Number of seconds that an operation will wait to get a memcache
# client connection. (integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*manage_backend_package*]
# (Optional) Whether to install the backend package for the cache.
@ -109,18 +109,18 @@
# [*token_caching*]
# (Optional) Toggle for token system caching. This has no effect unless
# cache_backend, cache_enabled and cache_memcache_servers is set.
# Default to $::os_service_default
# Default to $facts['os_service_default']
#
# [*tls_enabled*]
# (Optional) Global toggle for TLS usage when communicating with
# the caching servers.
# Default to $::os_service_default
# Default to $facts['os_service_default']
#
# [*tls_cafile*]
# (Optional) Path to a file of concatenated CA certificates in PEM
# format necessary to establish the caching server's authenticity.
# If tls_enabled is False, this option is ignored.
# Default to $::os_service_default
# Default to $facts['os_service_default']
#
# [*tls_certfile*]
# (Optional) Path to a single file in PEM format containing the
@ -128,84 +128,84 @@
# needed to establish the certificate's authenticity. This file
# is only required when client side authentication is necessary.
# If tls_enabled is False, this option is ignored.
# Default to $::os_service_default
# Default to $facts['os_service_default']
#
# [*tls_keyfile*]
# (Optional) Path to a single file containing the client's private
# key in. Otherwise the private key will be taken from the file
# specified in tls_certfile. If tls_enabled is False, this option
# is ignored.
# Default to $::os_service_default
# Default to $facts['os_service_default']
#
# [*tls_allowed_ciphers*]
# (Optional) Set the available ciphers for sockets created with
# the TLS context. It should be a string in the OpenSSL cipher
# list format. If not specified, all OpenSSL enabled ciphers will
# be available.
# Default to $::os_service_default
# Default to $facts['os_service_default']
#
# [*enable_retry_client*]
# (Optional) Enable retry client mechanisms to handle failure.
# Those mechanisms can be used to wrap all kind of pymemcache
# clients. The wrapper allows you to define how many attempts
# to make and how long to wait between attempts.
# Default to $::os_service_default
# Default to $facts['os_service_default']
#
# [*retry_attempts*]
# (Optional) Number of times to attempt an action before failing.
# Default to $::os_service_default
# Default to $facts['os_service_default']
#
# [*retry_delay*]
# (Optional) Number of seconds to sleep between each attempt.
# Default to $::os_service_default
# Default to $facts['os_service_default']
#
# [*hashclient_retry_attempts*]
# (Optional) Amount of times a client should be tried
# before it is marked dead and removed from the pool in
# the HashClient's internal mechanisms.
# Default to $::os_service_default
# Default to $facts['os_service_default']
#
# [*hashclient_retry_delay*]
# (Optional) Time in seconds that should pass between
# retry attempts in the HashClient's internal mechanisms.
# Default to $::os_service_default
# Default to $facts['os_service_default']
#
# [*dead_timeout*]
# (Optional) Time in seconds before attempting to add a node
# back in the pool in the HashClient's internal mechanisms.
# Default to $::os_service_default
# Default to $facts['os_service_default']
#
class keystone::cache(
$config_prefix = $::os_service_default,
$expiration_time = $::os_service_default,
$backend = $::os_service_default,
$backend_argument = $::os_service_default,
$proxies = $::os_service_default,
$enabled = $::os_service_default,
$debug_cache_backend = $::os_service_default,
$memcache_servers = $::os_service_default,
$memcache_dead_retry = $::os_service_default,
$memcache_socket_timeout = $::os_service_default,
$enable_socket_keepalive = $::os_service_default,
$socket_keepalive_idle = $::os_service_default,
$socket_keepalive_interval = $::os_service_default,
$socket_keepalive_count = $::os_service_default,
$memcache_pool_maxsize = $::os_service_default,
$memcache_pool_unused_timeout = $::os_service_default,
$memcache_pool_connection_get_timeout = $::os_service_default,
$config_prefix = $facts['os_service_default'],
$expiration_time = $facts['os_service_default'],
$backend = $facts['os_service_default'],
$backend_argument = $facts['os_service_default'],
$proxies = $facts['os_service_default'],
$enabled = $facts['os_service_default'],
$debug_cache_backend = $facts['os_service_default'],
$memcache_servers = $facts['os_service_default'],
$memcache_dead_retry = $facts['os_service_default'],
$memcache_socket_timeout = $facts['os_service_default'],
$enable_socket_keepalive = $facts['os_service_default'],
$socket_keepalive_idle = $facts['os_service_default'],
$socket_keepalive_interval = $facts['os_service_default'],
$socket_keepalive_count = $facts['os_service_default'],
$memcache_pool_maxsize = $facts['os_service_default'],
$memcache_pool_unused_timeout = $facts['os_service_default'],
$memcache_pool_connection_get_timeout = $facts['os_service_default'],
$manage_backend_package = true,
$token_caching = $::os_service_default,
$tls_enabled = $::os_service_default,
$tls_cafile = $::os_service_default,
$tls_certfile = $::os_service_default,
$tls_keyfile = $::os_service_default,
$tls_allowed_ciphers = $::os_service_default,
$enable_retry_client = $::os_service_default,
$retry_attempts = $::os_service_default,
$retry_delay = $::os_service_default,
$hashclient_retry_attempts = $::os_service_default,
$hashclient_retry_delay = $::os_service_default,
$dead_timeout = $::os_service_default,
$token_caching = $facts['os_service_default'],
$tls_enabled = $facts['os_service_default'],
$tls_cafile = $facts['os_service_default'],
$tls_certfile = $facts['os_service_default'],
$tls_keyfile = $facts['os_service_default'],
$tls_allowed_ciphers = $facts['os_service_default'],
$enable_retry_client = $facts['os_service_default'],
$retry_attempts = $facts['os_service_default'],
$retry_delay = $facts['os_service_default'],
$hashclient_retry_attempts = $facts['os_service_default'],
$hashclient_retry_delay = $facts['os_service_default'],
$dead_timeout = $facts['os_service_default'],
){
include keystone::deps

24
manifests/cors.pp
View File

@ -8,41 +8,41 @@
# (Optional) Indicate whether this resource may be shared with the domain
# received in the requests "origin" header.
# (string value)
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*allow_credentials*]
# (Optional) Indicate that the actual request can include user credentials.
# (boolean value)
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*expose_headers*]
# (Optional) Indicate which headers are safe to expose to the API.
# (list value)
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*max_age*]
# (Optional) Maximum cache age of CORS preflight requests.
# (integer value)
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*allow_methods*]
# (Optional) Indicate which methods can be used during the actual request.
# (list value)
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*allow_headers*]
# (Optional) Indicate which header field names may be used during the actual
# request.
# (list value)
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
class keystone::cors (
$allowed_origin = $::os_service_default,
$allow_credentials = $::os_service_default,
$expose_headers = $::os_service_default,
$max_age = $::os_service_default,
$allow_methods = $::os_service_default,
$allow_headers = $::os_service_default,
$allowed_origin = $facts['os_service_default'],
$allow_credentials = $facts['os_service_default'],
$expose_headers = $facts['os_service_default'],
$max_age = $facts['os_service_default'],
$allow_methods = $facts['os_service_default'],
$allow_headers = $facts['os_service_default'],
) {
include keystone::deps

32
manifests/db.pp
View File

@ -7,7 +7,7 @@
# [*database_db_max_retries*]
# Maximum retries in case of connection error or deadlock error before
# error is raised. Set to -1 to specify an infinite retry count.
# (Optional) Defaults to $::os_service_default
# (Optional) Defaults to $facts['os_service_default']
#
# [*database_connection*]
# Url used to connect to database.
@ -15,44 +15,44 @@
#
# [*database_connection_recycle_time*]
# Timeout when db connections should be reaped.
# (Optional) Defaults to $::os_service_default
# (Optional) Defaults to $facts['os_service_default']
#
# [*database_max_retries*]
# Maximum number of database connection retries during startup.
# Setting -1 implies an infinite retry count.
# (Optional) Defaults to $::os_service_default
# (Optional) Defaults to $facts['os_service_default']
#
# [*database_retry_interval*]
# Interval between retries of opening a database connection.
# (Optional) Defaults to $::os_service_default
# (Optional) Defaults to $facts['os_service_default']
#
# [*database_max_pool_size*]
# Maximum number of SQL connections to keep open in a pool.
# (Optional) Defaults to $::os_service_default
# (Optional) Defaults to $facts['os_service_default']
#
# [*database_max_overflow*]
# If set, use this value for max_overflow with sqlalchemy.
# (Optional) Defaults to $::os_service_default
# (Optional) Defaults to $facts['os_service_default']
#
# [*database_pool_timeout*]
# (Optional) If set, use this value for pool_timeout with SQLAlchemy.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*mysql_enable_ndb*]
# (Optional) If True, transparently enables support for handling MySQL
# Cluster (NDB).
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
class keystone::db (
$database_db_max_retries = $::os_service_default,
$database_db_max_retries = $facts['os_service_default'],
$database_connection = 'sqlite:////var/lib/keystone/keystone.sqlite',
$database_connection_recycle_time = $::os_service_default,
$database_max_pool_size = $::os_service_default,
$database_max_retries = $::os_service_default,
$database_retry_interval = $::os_service_default,
$database_max_overflow = $::os_service_default,
$database_pool_timeout = $::os_service_default,
$mysql_enable_ndb = $::os_service_default,
$database_connection_recycle_time = $facts['os_service_default'],
$database_max_pool_size = $facts['os_service_default'],
$database_max_retries = $facts['os_service_default'],
$database_retry_interval = $facts['os_service_default'],
$database_max_overflow = $facts['os_service_default'],
$database_pool_timeout = $facts['os_service_default'],
$mysql_enable_ndb = $facts['os_service_default'],
) {
include keystone::deps

8
manifests/federation.pp
View File

@ -7,16 +7,16 @@
# This setting ensures that keystone only sends token data back to trusted
# servers. This is performed as a precaution, specifically to prevent man-in-
# the-middle (MITM) attacks.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*remote_id_attribute*]
# (Optional) Value to be used to obtain the entity ID of the Identity
# Provider from the environment.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
class keystone::federation (
$trusted_dashboards = $::os_service_default,
$remote_id_attribute = $::os_service_default,
$trusted_dashboards = $facts['os_service_default'],
$remote_id_attribute = $facts['os_service_default'],
) {
include keystone::deps

18
manifests/federation/identity_provider.pp
View File

@ -85,15 +85,15 @@ class keystone::federation::identity_provider(
$certfile = $::keystone::ssl_ca_certs,
$keyfile = $::keystone::ssl_ca_key,
$user = $::keystone::params::user,
$idp_organization_name = $::os_service_default,
$idp_organization_display_name = $::os_service_default,
$idp_organization_url = $::os_service_default,
$idp_contact_company = $::os_service_default,
$idp_contact_name = $::os_service_default,
$idp_contact_surname = $::os_service_default,
$idp_contact_email = $::os_service_default,
$idp_contact_telephone = $::os_service_default,
$idp_contact_type = $::os_service_default,
$idp_organization_name = $facts['os_service_default'],
$idp_organization_display_name = $facts['os_service_default'],
$idp_organization_url = $facts['os_service_default'],
$idp_contact_company = $facts['os_service_default'],
$idp_contact_name = $facts['os_service_default'],
$idp_contact_surname = $facts['os_service_default'],
$idp_contact_email = $facts['os_service_default'],
$idp_contact_telephone = $facts['os_service_default'],
$idp_contact_type = $facts['os_service_default'],
$package_ensure = present,
) inherits keystone::params {

6
manifests/federation/shibboleth.pp
View File

@ -74,8 +74,8 @@ Apache + Shibboleth SP setups, where a REMOTE_USER env variable is always set, e
'auth/saml2': ensure => absent;
}
if $::osfamily == 'Debian' or ($::osfamily == 'RedHat' and (defined(Yumrepo[$yum_repo_name])) or defined(Package['shibboleth'])) {
if $::osfamily == 'RedHat' {
if $facts['os']['family'] == 'Debian' or ($facts['os']['family'] == 'RedHat' and (defined(Yumrepo[$yum_repo_name])) or defined(Package['shibboleth'])) {
if $facts['os']['family'] == 'RedHat' {
warning('The platform is not officially supported, use at your own risk. Check manifest documentation for more.')
apache::mod { 'shib2':
id => 'mod_shib',
@ -90,7 +90,7 @@ Apache + Shibboleth SP setups, where a REMOTE_USER env variable is always set, e
content => template('keystone/shibboleth.conf.erb'),
order => $template_order,
}
} elsif $::osfamily == 'Redhat' {
} elsif $facts['os']['family'] == 'Redhat' {
if !$suppress_warning {
warning( 'Can not configure Shibboleth in Apache on RedHat OS.Read the Note on this federation/shibboleth.pp' )
}

16
manifests/healthcheck.pp
View File

@ -6,28 +6,28 @@
#
# [*detailed*]
# (Optional) Show more detailed information as part of the response.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*backends*]
# (Optional) Additional backends that can perform health checks and report
# that information back as part of a request.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*disable_by_file_path*]
# (Optional) Check the presence of a file to determine if an application
# is running on a port.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*disable_by_file_paths*]
# (Optional) Check the presence of a file to determine if an application
# is running on a port. Expects a "port:path" list of strings.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
class keystone::healthcheck (
$detailed = $::os_service_default,
$backends = $::os_service_default,
$disable_by_file_path = $::os_service_default,
$disable_by_file_paths = $::os_service_default,
$detailed = $facts['os_service_default'],
$backends = $facts['os_service_default'],
$disable_by_file_path = $facts['os_service_default'],
$disable_by_file_paths = $facts['os_service_default'],
) {
include keystone::deps

126
manifests/init.pp
View File

@ -32,15 +32,15 @@
#
# [*password_hash_algorithm*]
# (Optional) The password hash algorithm to use.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*password_hash_rounds*]
# (Optional) The amount of rounds to do on the hash.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*revoke_driver*]
# (Optional) Driver for token revocation.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*revoke_by_id*]
# (Optional) Revoke token by token identifier.
@ -62,11 +62,11 @@
# (Optional) A URL representing the messaging driver to use and its full
# configuration. Transport URLs take the form:
# transport://user:pass@host1:port[,hostN:portN]/virtual_host
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*rabbit_ha_queues*]
# (Optional) Use HA queues in RabbitMQ.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*rabbit_heartbeat_timeout_threshold*]
# (Optional) Number of seconds after which the RabbitMQ broker is considered
@ -74,14 +74,14 @@
# Heartbeating helps to ensure the TCP connection to RabbitMQ isn't silently
# closed, resulting in missed or lost messages from the queue.
# (Requires kombu >= 3.0.7 and amqp >= 1.4.0)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*rabbit_heartbeat_rate*]
# (Optional) How often during the rabbit_heartbeat_timeout_threshold period to
# check the heartbeat on RabbitMQ connection. (i.e. rabbit_heartbeat_rate=2
# when rabbit_heartbeat_timeout_threshold=60, the heartbeat will be checked
# every 30 seconds.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*rabbit_heartbeat_in_pthread*]
# (Optional) EXPERIMENTAL: Run the health check heartbeat thread
@ -91,86 +91,86 @@
# example if the parent process have monkey patched the
# stdlib by using eventlet/greenlet then the heartbeat
# will be run through a green thread.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*rabbit_use_ssl*]
# (Optional) Connect over SSL for RabbitMQ
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*kombu_ssl_ca_certs*]
# (Optional) SSL certification authority file (valid only if SSL enabled).
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*kombu_ssl_certfile*]
# (Optional) SSL cert file (valid only if SSL enabled).
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*kombu_ssl_keyfile*]
# (Optional) SSL key file (valid only if SSL enabled).
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*kombu_ssl_version*]
# (Optional) SSL version to use (valid only if SSL enabled).
# Valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may be
# available on some distributions.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*kombu_reconnect_delay*]
# (Optional) How long to wait before reconnecting in response
# to an AMQP consumer cancel notification. (floating point value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*kombu_failover_strategy*]
# (Optional) Determines how the next RabbitMQ node is chosen in case the one
# we are currently connected to becomes unavailable. Takes effect only if
# more than one RabbitMQ node is provided in config. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*kombu_compression*]
# (Optional) Possible values are: gzip, bz2. If not set compression will not
# be used. This option may notbe available in future versions. EXPERIMENTAL.
# (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*notification_transport_url*]
# (Optional) A URL representing the messaging driver to use for notifications
# and its full configuration. Transport URLs take the form:
# transport://user:pass@host1:port[,hostN:portN]/virtual_host
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*notification_driver*]
# RPC driver. Not enabled by default (list value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*notification_topics*]
# (Optional) AMQP topics to publish to when using the RPC notification driver.
# (list value)
# Default to $::os_service_default
# Default to $facts['os_service_default']
#
# [*notification_format*]
# (Optional) Define the notification format for identity service events.
# Valid values are 'basic' and 'cadf'.
# Default to $::os_service_default
# Default to $facts['os_service_default']
#
# [*notification_opt_out*]
# (Optional) Opt out notifications that match the patterns expressed in this
# list.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*control_exchange*]
# (Optional) AMQP exchange to connect to if using RabbitMQ
# (string value)
# Default to $::os_service_default
# Default to $facts['os_service_default']
#
# [*rpc_response_timeout*]
# (Optional) Seconds to wait for a response from a call.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*public_endpoint*]
# (Optional) The base public endpoint URL for keystone that are
# advertised to clients (NOTE: this does NOT affect how
# keystone listens for connections) (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*service_name*]
# (Optional) Name of the service that will be providing the
@ -193,7 +193,7 @@
#
# [*max_token_size*]
# (Optional) maximum allowable Keystone token size
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*sync_db*]
# (Optional) Run db sync on the node.
@ -213,7 +213,7 @@
#
# [*fernet_max_active_keys*]
# (Optional) Number of maximum active Fernet keys. Integer > 0.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*fernet_keys*]
# (Optional) Hash of Keystone fernet keys
@ -274,7 +274,7 @@
#
# [*policy_driver*]
# Policy backend driver. (string value)
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*using_domain_config*]
# (Optional) Eases the use of the keystone_domain_config resource type.
@ -303,11 +303,11 @@
#
# [*enable_proxy_headers_parsing*]
# (Optional) Enable oslo middleware to parse proxy headers.
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*max_request_body_size*]
# (Optional) Set max request body size
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*purge_config*]
# (Optional) Whether to set only the specified config options
@ -316,7 +316,7 @@
#
# [*amqp_durable_queues*]
# (Optional) Whether to use durable queues in AMQP.
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# DEPRECATED PARAMETERS
#
@ -340,55 +340,55 @@ class keystone(
$catalog_template_file = '/etc/keystone/default_catalog.templates',
$token_provider = 'fernet',
$token_expiration = 3600,
$password_hash_algorithm = $::os_service_default,
$password_hash_rounds = $::os_service_default,
$revoke_driver = $::os_service_default,
$password_hash_algorithm = $facts['os_service_default'],
$password_hash_rounds = $facts['os_service_default'],
$revoke_driver = $facts['os_service_default'],
$revoke_by_id = true,
$public_endpoint = $::os_service_default,
$public_endpoint = $facts['os_service_default'],
$manage_service = true,
$enabled = true,
$rabbit_heartbeat_timeout_threshold = $::os_service_default,
$rabbit_heartbeat_rate = $::os_service_default,
$rabbit_heartbeat_in_pthread = $::os_service_default,
$rabbit_use_ssl = $::os_service_default,
$default_transport_url = $::os_service_default,
$rabbit_ha_queues = $::os_service_default,
$kombu_ssl_ca_certs = $::os_service_default,
$kombu_ssl_certfile = $::os_service_default,
$kombu_ssl_keyfile = $::os_service_default,
$kombu_ssl_version = $::os_service_default,
$kombu_reconnect_delay = $::os_service_default,
$kombu_failover_strategy = $::os_service_default,
$kombu_compression = $::os_service_default,
$notification_transport_url = $::os_service_default,
$notification_driver = $::os_service_default,
$notification_topics = $::os_service_default,
$notification_format = $::os_service_default,
$notification_opt_out = $::os_service_default,
$control_exchange = $::os_service_default,
$rpc_response_timeout = $::os_service_default,
$rabbit_heartbeat_timeout_threshold = $facts['os_service_default'],
$rabbit_heartbeat_rate = $facts['os_service_default'],
$rabbit_heartbeat_in_pthread = $facts['os_service_default'],
$rabbit_use_ssl = $facts['os_service_default'],
$default_transport_url = $facts['os_service_default'],
$rabbit_ha_queues = $facts['os_service_default'],
$kombu_ssl_ca_certs = $facts['os_service_default'],
$kombu_ssl_certfile = $facts['os_service_default'],
$kombu_ssl_keyfile = $facts['os_service_default'],
$kombu_ssl_version = $facts['os_service_default'],
$kombu_reconnect_delay = $facts['os_service_default'],
$kombu_failover_strategy = $facts['os_service_default'],
$kombu_compression = $facts['os_service_default'],
$notification_transport_url = $facts['os_service_default'],
$notification_driver = $facts['os_service_default'],
$notification_topics = $facts['os_service_default'],
$notification_format = $facts['os_service_default'],
$notification_opt_out = $facts['os_service_default'],
$control_exchange = $facts['os_service_default'],
$rpc_response_timeout = $facts['os_service_default'],
$service_name = $::keystone::params::service_name,
$max_token_size = $::os_service_default,
$max_token_size = $facts['os_service_default'],
$sync_db = true,
$enable_fernet_setup = true,
$fernet_key_repository = '/etc/keystone/fernet-keys',
$fernet_max_active_keys = $::os_service_default,
$fernet_max_active_keys = $facts['os_service_default'],
$fernet_keys = false,
$fernet_replace_keys = true,
$enable_credential_setup = true,
$credential_key_repository = '/etc/keystone/credential-keys',
$credential_keys = false,
$default_domain = undef,
$policy_driver = $::os_service_default,
$policy_driver = $facts['os_service_default'],
$using_domain_config = false,
$domain_config_directory = '/etc/keystone/domains',
$keystone_user = $::keystone::params::user,
$keystone_group = $::keystone::params::group,
$manage_policyrcd = false,
$enable_proxy_headers_parsing = $::os_service_default,
$max_request_body_size = $::os_service_default,
$enable_proxy_headers_parsing = $facts['os_service_default'],
$max_request_body_size = $facts['os_service_default'],
$purge_config = false,
$amqp_durable_queues = $::os_service_default,
$amqp_durable_queues = $facts['os_service_default'],
# DEPRECATED PARAMETERS
$catalog_type = undef,
) inherits keystone::params {
@ -408,7 +408,7 @@ class keystone(
# openstacklib policy_rcd only affects debian based systems.
Policy_rcd <| title == 'keystone' |> -> Package['keystone']
Policy_rcd['apache2'] -> Package['httpd']
if ($::operatingsystem == 'Ubuntu') {
if ($facts['os']['name'] == 'Ubuntu') {
$policy_services = 'apache2'
} else {
$policy_services = ['keystone', 'apache2']
@ -526,7 +526,7 @@ class keystone(
case $service_name {
$::keystone::params::service_name: {
if $::operatingsystem != 'Debian' {
if $facts['os']['name'] != 'Debian' {
# TODO(tkajinam): Make this hard-fail
warning('Keystone under Eventlet is no longer supported by this operating system')
}
@ -547,7 +547,7 @@ class keystone(
$service_name_real = $::apache::params::service_name
Service <| title == 'httpd' |> { tag +> 'keystone-service' }
if $::operatingsystem == 'Debian' {
if $facts['os']['name'] == 'Debian' {
service { 'keystone':
ensure => 'stopped',
name => $::keystone::params::service_name,

200
manifests/ldap.pp
View File

@ -6,60 +6,60 @@
#
# [*url*]
# URL for connecting to the LDAP server. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user*]
# User BindDN to query the LDAP server. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*password*]
# Password for the BindDN to query the LDAP server. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*suffix*]
# LDAP server suffix (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*query_scope*]
# The LDAP scope for queries, this can be either "one"
# (onelevel/singleLevel) or "sub" (subtree/wholeSubtree). (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*page_size*]
# Maximum results per page; a value of zero ("0") disables paging. (integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_tree_dn*]
# Search base for users. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_filter*]
# LDAP search filter for users. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_objectclass*]
# LDAP objectclass for users. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_id_attribute*]
# LDAP attribute mapped to user id. WARNING: must not be a multivalued attribute. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_name_attribute*]
# LDAP attribute mapped to user name. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_description_attribute*]
# LDAP attribute mapped to user description. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_mail_attribute*]
# LDAP attribute mapped to user email. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_enabled_attribute*]
# LDAP attribute mapped to user enabled flag. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_enabled_mask*]
# Bitmask integer to indicate the bit that the enabled value is stored in if
@ -67,7 +67,7 @@
# boolean. A value of "0" indicates the mask is not used. If this is not set
# to "0" the typical value is "2". This is typically used when
# "user_enabled_attribute = userAccountControl". (integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_enabled_default*]
# Default value to enable users. This should match an appropriate int value
@ -75,7 +75,7 @@
# is enabled or disabled. If this is not set to "True" the typical value is
# "512". This is typically used when "user_enabled_attribute =
# userAccountControl". (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_enabled_invert*]
# Invert the meaning of the boolean enabled values. Some LDAP servers use a
@ -83,30 +83,30 @@
# "user_enabled_invert = true" will allow these lock attributes to be used.
# This setting will have no effect if "user_enabled_mask" or
# "user_enabled_emulation" settings are in use. (boolean value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_attribute_ignore*]
# List of attributes stripped off the user on update. (list value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_default_project_id_attribute*]
# LDAP attribute mapped to default_project_id for users. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_pass_attribute*]
# LDAP attribute mapped to password. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_enabled_emulation*]
# If true, Keystone uses an alternative method to determine if
# a user is enabled or not by checking if they are a member of
# the "user_enabled_emulation_dn" group. (boolean value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_enabled_emulation_dn*]
# DN of the group entry to hold enabled users when using enabled emulation.
# (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_additional_attribute_mapping*]
# List of additional LDAP attributes used for mapping
@ -114,119 +114,119 @@
# format is <ldap_attr>:<user_attr>, where ldap_attr is the
# attribute in the LDAP entry and user_attr is the Identity
# API attribute. (list value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_tree_dn*]
# Search base for groups. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_filter*]
# LDAP search filter for groups. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_objectclass*]
# LDAP objectclass for groups. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_id_attribute*]
# LDAP attribute mapped to group id. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_name_attribute*]
# LDAP attribute mapped to group name. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_member_attribute*]
# LDAP attribute mapped to show group membership. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_members_are_ids*]
# LDAP attribute when members of the group object class are keystone user IDs. (boolean value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_desc_attribute*]
# LDAP attribute mapped to group description. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_attribute_ignore*]
# List of attributes stripped off the group on update. (list value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_additional_attribute_mapping*]
# Additional attribute mappings for groups. Attribute mapping
# format is <ldap_attr>:<user_attr>, where ldap_attr is the
# attribute in the LDAP entry and user_attr is the Identity
# API attribute. (list value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*chase_referrals*]
# Whether or not to chase returned referrals. (boolean value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*use_tls*]
# Enable TLS for communicating with LDAP servers. (boolean value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*tls_cacertfile*]
# CA certificate file path for communicating with LDAP servers. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*tls_cacertdir*]
# CA certificate directory path for communicating with LDAP servers. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*tls_req_cert*]
# Valid options for tls_req_cert are demand, never, and allow. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*identity_driver*]
# Identity backend driver. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*use_pool*]
# Enable LDAP connection pooling. (boolean value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*pool_size*]
# Connection pool size. (integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*pool_retry_max*]
# Maximum count of reconnect trials. (integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*pool_retry_delay*]
# Time span in seconds to wait between two reconnect trials. (floating point value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*pool_connection_timeout*]
# Connector timeout in seconds. Value -1 indicates indefinite wait for response. (integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*pool_connection_lifetime*]
# Connection lifetime in seconds. (integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*use_auth_pool*]
# Enable LDAP connection pooling for end user authentication.
# If use_pool is disabled, then this setting is meaningless and is not used at all. (boolean value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*auth_pool_size*]
# End user auth connection pool size. (integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*auth_pool_connection_lifetime*]
# End user auth connection lifetime in seconds. (integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*credential_driver*]
# Credential backend driver. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*assignment_driver*]
# Assignment backend driver. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*package_ensure*]
# (optional) Desired ensure state of packages.
@ -248,56 +248,56 @@
# Copyright 2012 Puppetlabs Inc, unless otherwise noted.
#
class keystone::ldap(
$url = $::os_service_default,
$user = $::os_service_default,
$password = $::os_service_default,
$suffix = $::os_service_default,
$query_scope = $::os_service_default,
$page_size = $::os_service_default,
$user_tree_dn = $::os_service_default,
$user_filter = $::os_service_default,
$user_objectclass = $::os_service_default,
$user_id_attribute = $::os_service_default,
$user_name_attribute = $::os_service_default,
$user_description_attribute = $::os_service_default,
$user_mail_attribute = $::os_service_default,
$user_enabled_attribute = $::os_service_default,
$user_enabled_mask = $::os_service_default,
$user_enabled_default = $::os_service_default,
$user_enabled_invert = $::os_service_default,
$user_attribute_ignore = $::os_service_default,
$user_default_project_id_attribute = $::os_service_default,
$user_pass_attribute = $::os_service_default,
$user_enabled_emulation = $::os_service_default,
$user_enabled_emulation_dn = $::os_service_default,
$user_additional_attribute_mapping = $::os_service_default,
$group_tree_dn = $::os_service_default,
$group_filter = $::os_service_default,
$group_objectclass = $::os_service_default,
$group_id_attribute = $::os_service_default,
$group_name_attribute = $::os_service_default,
$group_member_attribute = $::os_service_default,
$group_members_are_ids = $::os_service_default,
$group_desc_attribute = $::os_service_default,
$group_attribute_ignore = $::os_service_default,
$group_additional_attribute_mapping = $::os_service_default,
$chase_referrals = $::os_service_default,
$use_tls = $::os_service_default,
$tls_cacertdir = $::os_service_default,
$tls_cacertfile = $::os_service_default,
$tls_req_cert = $::os_service_default,
$identity_driver = $::os_service_default,
$assignment_driver = $::os_service_default,
$credential_driver = $::os_service_default,
$use_pool = $::os_service_default,
$pool_size = $::os_service_default,
$pool_retry_max = $::os_service_default,
$pool_retry_delay = $::os_service_default,
$pool_connection_timeout = $::os_service_default,
$pool_connection_lifetime = $::os_service_default,
$use_auth_pool = $::os_service_default,
$auth_pool_size = $::os_service_default,
$auth_pool_connection_lifetime = $::os_service_default,
$url = $facts['os_service_default'],
$user = $facts['os_service_default'],
$password = $facts['os_service_default'],
$suffix = $facts['os_service_default'],
$query_scope = $facts['os_service_default'],
$page_size = $facts['os_service_default'],
$user_tree_dn = $facts['os_service_default'],
$user_filter = $facts['os_service_default'],
$user_objectclass = $facts['os_service_default'],
$user_id_attribute = $facts['os_service_default'],
$user_name_attribute = $facts['os_service_default'],
$user_description_attribute = $facts['os_service_default'],
$user_mail_attribute = $facts['os_service_default'],
$user_enabled_attribute = $facts['os_service_default'],
$user_enabled_mask = $facts['os_service_default'],
$user_enabled_default = $facts['os_service_default'],
$user_enabled_invert = $facts['os_service_default'],
$user_attribute_ignore = $facts['os_service_default'],
$user_default_project_id_attribute = $facts['os_service_default'],
$user_pass_attribute = $facts['os_service_default'],
$user_enabled_emulation = $facts['os_service_default'],
$user_enabled_emulation_dn = $facts['os_service_default'],
$user_additional_attribute_mapping = $facts['os_service_default'],
$group_tree_dn = $facts['os_service_default'],
$group_filter = $facts['os_service_default'],
$group_objectclass = $facts['os_service_default'],
$group_id_attribute = $facts['os_service_default'],
$group_name_attribute = $facts['os_service_default'],
$group_member_attribute = $facts['os_service_default'],
$group_members_are_ids = $facts['os_service_default'],
$group_desc_attribute = $facts['os_service_default'],
$group_attribute_ignore = $facts['os_service_default'],
$group_additional_attribute_mapping = $facts['os_service_default'],
$chase_referrals = $facts['os_service_default'],
$use_tls = $facts['os_service_default'],
$tls_cacertdir = $facts['os_service_default'],
$tls_cacertfile = $facts['os_service_default'],
$tls_req_cert = $facts['os_service_default'],
$identity_driver = $facts['os_service_default'],
$assignment_driver = $facts['os_service_default'],
$credential_driver = $facts['os_service_default'],
$use_pool = $facts['os_service_default'],
$pool_size = $facts['os_service_default'],
$pool_retry_max = $facts['os_service_default'],
$pool_retry_delay = $facts['os_service_default'],
$pool_connection_timeout = $facts['os_service_default'],
$pool_connection_lifetime = $facts['os_service_default'],
$use_auth_pool = $facts['os_service_default'],
$auth_pool_size = $facts['os_service_default'],
$auth_pool_connection_lifetime = $facts['os_service_default'],
$package_ensure = present,
$manage_packages = true,
) inherits keystone::params {

190
manifests/ldap_backend.pp
View File

@ -9,59 +9,59 @@
#
# [*url*]
# URL for connecting to the LDAP server. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user*]
# User BindDN to query the LDAP server. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*password*]
# Password for the BindDN to query the LDAP server. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*suffix*]
# LDAP server suffix (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*query_scope*]
# The LDAP scope for queries, this can be either "one"
# (onelevel/singleLevel) or "sub" (subtree/wholeSubtree). (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*page_size*]
# Maximum results per page; a value of zero ("0") disables paging. (integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_tree_dn*]
# Search base for users. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_filter*]
# LDAP search filter for users. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_objectclass*]
# LDAP objectclass for users. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_id_attribute*]
# LDAP attribute mapped to user id. WARNING: must not be a multivalued attribute. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_name_attribute*]
# LDAP attribute mapped to user name. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_description_attribute*]
# LDAP attribute mapped to user description. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_mail_attribute*]
# LDAP attribute mapped to user email. (string value)
#
# [*user_enabled_attribute*]
# LDAP attribute mapped to user enabled flag. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_enabled_mask*]
# Bitmask integer to indicate the bit that the enabled value is stored in if
@ -69,7 +69,7 @@
# boolean. A value of "0" indicates the mask is not used. If this is not set
# to "0" the typical value is "2". This is typically used when
# "user_enabled_attribute = userAccountControl". (integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_enabled_default*]
# Default value to enable users. This should match an appropriate int value
@ -77,7 +77,7 @@
# is enabled or disabled. If this is not set to "True" the typical value is
# "512". This is typically used when "user_enabled_attribute =
# userAccountControl". (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_enabled_invert*]
# Invert the meaning of the boolean enabled values. Some LDAP servers use a
@ -85,30 +85,30 @@
# "user_enabled_invert = true" will allow these lock attributes to be used.
# This setting will have no effect if "user_enabled_mask" or
# "user_enabled_emulation" settings are in use. (boolean value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_attribute_ignore*]
# List of attributes stripped off the user on update. (list value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_default_project_id_attribute*]
# LDAP attribute mapped to default_project_id for users. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_pass_attribute*]
# LDAP attribute mapped to password. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_enabled_emulation*]
# If true, Keystone uses an alternative method to determine if
# a user is enabled or not by checking if they are a member of
# the "user_enabled_emulation_dn" group. (boolean value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_enabled_emulation_dn*]
# DN of the group entry to hold enabled users when using enabled emulation.
# (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_additional_attribute_mapping*]
# List of additional LDAP attributes used for mapping
@ -116,75 +116,75 @@
# format is <ldap_attr>:<user_attr>, where ldap_attr is the
# attribute in the LDAP entry and user_attr is the Identity
# API attribute. (list value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_tree_dn*]
# Search base for groups. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_filter*]
# LDAP search filter for groups. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_objectclass*]
# LDAP objectclass for groups. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_id_attribute*]
# LDAP attribute mapped to group id. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_name_attribute*]
# LDAP attribute mapped to group name. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_member_attribute*]
# LDAP attribute mapped to show group membership. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_members_are_ids*]
# LDAP attribute when members of the group object class are keystone user IDs. (boolean value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_desc_attribute*]
# LDAP attribute mapped to group description. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_attribute_ignore*]
# List of attributes stripped off the group on update. (list value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_additional_attribute_mapping*]
# Additional attribute mappings for groups. Attribute mapping
# format is <ldap_attr>:<user_attr>, where ldap_attr is the
# attribute in the LDAP entry and user_attr is the Identity
# API attribute. (list value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_ad_nesting*]
# If enabled, group queries will use Active Directory specific
# filters for nested groups. (boolean value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*chase_referrals*]
# Whether or not to chase returned referrals. (boolean value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*use_tls*]
# Enable TLS for communicating with LDAP servers. (boolean value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*tls_cacertfile*]
# CA certificate file path for communicating with LDAP servers. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*tls_cacertdir*]
# CA certificate directory path for communicating with LDAP servers. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*tls_req_cert*]
# Valid options for tls_req_cert are demand, never, and allow. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*identity_driver*]
# Identity backend driver. (string value)
@ -192,40 +192,40 @@
#
# [*use_pool*]
# Enable LDAP connection pooling. (boolean value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*pool_size*]
# Connection pool size. (integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*pool_retry_max*]
# Maximum count of reconnect trials. (integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*pool_retry_delay*]
# Time span in seconds to wait between two reconnect trials. (floating point value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*pool_connection_timeout*]
# Connector timeout in seconds. Value -1 indicates indefinite wait for response. (integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*pool_connection_lifetime*]
# Connection lifetime in seconds. (integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*use_auth_pool*]
# Enable LDAP connection pooling for end user authentication.
# If use_pool is disabled, then this setting is meaningless and is not used at all. (boolean value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*auth_pool_size*]
# End user auth connection pool size. (integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*auth_pool_connection_lifetime*]
# End user auth connection lifetime in seconds. (integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*package_ensure*]
# (optional) Desired ensure state of packages.
@ -245,55 +245,55 @@
# == Dependencies
# == Examples
define keystone::ldap_backend(
$url = $::os_service_default,
$user = $::os_service_default,
$password = $::os_service_default,
$suffix = $::os_service_default,
$query_scope = $::os_service_default,
$page_size = $::os_service_default,
$user_tree_dn = $::os_service_default,
$user_filter = $::os_service_default,
$user_objectclass = $::os_service_default,
$user_id_attribute = $::os_service_default,
$user_name_attribute = $::os_service_default,
$user_description_attribute = $::os_service_default,
$user_mail_attribute = $::os_service_default,
$user_enabled_attribute = $::os_service_default,
$user_enabled_mask = $::os_service_default,
$user_enabled_default = $::os_service_default,
$user_enabled_invert = $::os_service_default,
$user_attribute_ignore = $::os_service_default,
$user_default_project_id_attribute = $::os_service_default,
$user_pass_attribute = $::os_service_default,
$user_enabled_emulation = $::os_service_default,
$user_enabled_emulation_dn = $::os_service_default,
$user_additional_attribute_mapping = $::os_service_default,
$group_tree_dn = $::os_service_default,
$group_filter = $::os_service_default,
$group_objectclass = $::os_service_default,
$group_id_attribute = $::os_service_default,
$group_name_attribute = $::os_service_default,
$group_member_attribute = $::os_service_default,
$group_members_are_ids = $::os_service_default,
$group_desc_attribute = $::os_service_default,
$group_attribute_ignore = $::os_service_default,
$group_additional_attribute_mapping = $::os_service_default,
$group_ad_nesting = $::os_service_default,
$chase_referrals = $::os_service_default,
$use_tls = $::os_service_default,
$tls_cacertdir = $::os_service_default,
$tls_cacertfile = $::os_service_default,
$tls_req_cert = $::os_service_default,
$url = $facts['os_service_default'],
$user = $facts['os_service_default'],
$password = $facts['os_service_default'],
$suffix = $facts['os_service_default'],
$query_scope = $facts['os_service_default'],
$page_size = $facts['os_service_default'],
$user_tree_dn = $facts['os_service_default'],
$user_filter = $facts['os_service_default'],
$user_objectclass = $facts['os_service_default'],
$user_id_attribute = $facts['os_service_default'],
$user_name_attribute = $facts['os_service_default'],
$user_description_attribute = $facts['os_service_default'],
$user_mail_attribute = $facts['os_service_default'],
$user_enabled_attribute = $facts['os_service_default'],
$user_enabled_mask = $facts['os_service_default'],
$user_enabled_default = $facts['os_service_default'],
$user_enabled_invert = $facts['os_service_default'],
$user_attribute_ignore = $facts['os_service_default'],
$user_default_project_id_attribute = $facts['os_service_default'],
$user_pass_attribute = $facts['os_service_default'],
$user_enabled_emulation = $facts['os_service_default'],
$user_enabled_emulation_dn = $facts['os_service_default'],
$user_additional_attribute_mapping = $facts['os_service_default'],
$group_tree_dn = $facts['os_service_default'],
$group_filter = $facts['os_service_default'],
$group_objectclass = $facts['os_service_default'],
$group_id_attribute = $facts['os_service_default'],
$group_name_attribute = $facts['os_service_default'],
$group_member_attribute = $facts['os_service_default'],
$group_members_are_ids = $facts['os_service_default'],
$group_desc_attribute = $facts['os_service_default'],
$group_attribute_ignore = $facts['os_service_default'],
$group_additional_attribute_mapping = $facts['os_service_default'],
$group_ad_nesting = $facts['os_service_default'],
$chase_referrals = $facts['os_service_default'],
$use_tls = $facts['os_service_default'],
$tls_cacertdir = $facts['os_service_default'],
$tls_cacertfile = $facts['os_service_default'],
$tls_req_cert = $facts['os_service_default'],
$identity_driver = 'ldap',
$use_pool = $::os_service_default,
$pool_size = $::os_service_default,
$pool_retry_max = $::os_service_default,
$pool_retry_delay = $::os_service_default,
$pool_connection_timeout = $::os_service_default,
$pool_connection_lifetime = $::os_service_default,
$use_auth_pool = $::os_service_default,
$auth_pool_size = $::os_service_default,
$auth_pool_connection_lifetime = $::os_service_default,
$use_pool = $facts['os_service_default'],
$pool_size = $facts['os_service_default'],
$pool_retry_max = $facts['os_service_default'],
$pool_retry_delay = $facts['os_service_default'],
$pool_connection_timeout = $facts['os_service_default'],
$pool_connection_lifetime = $facts['os_service_default'],
$use_auth_pool = $facts['os_service_default'],
$auth_pool_size = $facts['os_service_default'],
$auth_pool_connection_lifetime = $facts['os_service_default'],
$package_ensure = present,
$manage_packages = true,
$create_domain_entry = false,

82
manifests/logging.pp
View File

@ -6,72 +6,72 @@
#
# [*debug*]
# (Optional) Should the daemons log debug messages
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*use_syslog*]
# (Optional) Use syslog for logging.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*use_journal*]
# (Optional) Use journal for logging.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*use_json*]
# (Optional) Use JSON format for logging.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*use_stderr*]
# (Optional) Use stderr for logging
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*log_facility*]
# (Optional) Syslog facility to receive log lines.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*log_dir*]
# (Optional) Directory where logs should be stored.
# If set to $::os_service_default, it will not log to any directory.
# If set to $facts['os_service_default'], it will not log to any directory.
# Defaults to '/var/log/keystone'
#
# [*log_file*]
# (Optional) File where logs should be stored.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*logging_context_format_string*]
# (Optional) Format string to use for log messages with context.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
# Example: '%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s\
# [%(request_id)s %(user_identity)s] %(instance)s%(message)s'
#
# [*logging_default_format_string*]
# (Optional) Format string to use for log messages without context.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
# Example: '%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s\
# [-] %(instance)s%(message)s'
#
# [*logging_debug_format_suffix*]
# (Optional) Formatted data to append to log format when level is DEBUG.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
# Example: '%(funcName)s %(pathname)s:%(lineno)d'
#
# [*logging_exception_prefix*]
# (Optional) Prefix each line of exception output with this format.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
# Example: '%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s'
#
# [*logging_user_identity_format*]
# (Optional) Defines the format string for %(user_identity)s that is used in logging_context_format_string.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
# Example: '%(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s'
#
# [*log_config_append*]
# (Optional) The name of an additional logging configuration file.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
# See https://docs.python.org/2/howto/logging.html
#
# [*default_log_levels*]
# (Optional) Hash of logger (keys) and level (values) pairs.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
# Example:
# { 'amqp' => 'WARN', 'amqplib' => 'WARN', 'boto' => 'WARN',
# 'sqlalchemy' => 'WARN', 'suds' => 'INFO',
@ -83,55 +83,55 @@
#
# [*publish_errors*]
# (Optional) Publish error events (boolean value).
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*fatal_deprecations*]
# (Optional) Make deprecations fatal (boolean value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*instance_format*]
# (Optional) If an instance is passed with the log message, format it
# like this (string value).
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
# Example: '[instance: %(uuid)s] '
#
# [*instance_uuid_format*]
# (Optional) If an instance UUID is passed with the log message, format
# it like this (string value).
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
# Example: instance_uuid_format='[instance: %(uuid)s] '
#
# [*log_date_format*]
# (Optional) Format string for %%(asctime)s in log records.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
# Example: 'Y-%m-%d %H:%M:%S'
#
# [*watch_log_file*]
# (Optional) Uses logging handler designed to watch file system (boolean value).
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
class keystone::logging(
$use_syslog = $::os_service_default,
$use_journal = $::os_service_default,
$use_json = $::os_service_default,
$use_stderr = $::os_service_default,
$log_facility = $::os_service_default,
$use_syslog = $facts['os_service_default'],
$use_journal = $facts['os_service_default'],
$use_json = $facts['os_service_default'],
$use_stderr = $facts['os_service_default'],
$log_facility = $facts['os_service_default'],
$log_dir = '/var/log/keystone',
$log_file = $::os_service_default,
$debug = $::os_service_default,
$logging_context_format_string = $::os_service_default,
$logging_default_format_string = $::os_service_default,
$logging_debug_format_suffix = $::os_service_default,
$logging_exception_prefix = $::os_service_default,
$logging_user_identity_format = $::os_service_default,
$log_config_append = $::os_service_default,
$default_log_levels = $::os_service_default,
$publish_errors = $::os_service_default,
$fatal_deprecations = $::os_service_default,
$instance_format = $::os_service_default,
$instance_uuid_format = $::os_service_default,
$log_date_format = $::os_service_default,
$watch_log_file = $::os_service_default,
$log_file = $facts['os_service_default'],
$debug = $facts['os_service_default'],
$logging_context_format_string = $facts['os_service_default'],
$logging_default_format_string = $facts['os_service_default'],
$logging_debug_format_suffix = $facts['os_service_default'],
$logging_exception_prefix = $facts['os_service_default'],
$logging_user_identity_format = $facts['os_service_default'],
$log_config_append = $facts['os_service_default'],
$default_log_levels = $facts['os_service_default'],
$publish_errors = $facts['os_service_default'],
$fatal_deprecations = $facts['os_service_default'],
$instance_format = $facts['os_service_default'],
$instance_uuid_format = $facts['os_service_default'],
$log_date_format = $facts['os_service_default'],
$watch_log_file = $facts['os_service_default'],
) {
include keystone::deps

28
manifests/messaging/amqp.pp
View File

@ -6,40 +6,40 @@
#
# [*amqp_pre_settled*]
# (Optional) Send messages of this type pre-settled
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*amqp_idle_timeout*]
# (Optional) Timeout for inactive connections
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*amqp_ssl_ca_file*]
# (Optional) CA certificate PEM file to verify server certificate
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*amqp_ssl_cert_file*]
# (Optional) Identifying certificate PEM file to present to clients
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*amqp_ssl_key_file*]
# (Optional) Private key PEM file used to sign cert_file certificate
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*amqp_ssl_key_password*]
# (Optional) Password for decrypting ssl_key_file (if encrypted)
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*amqp_sasl_mechanisms*]
# (Optional) Space separated list of acceptable SASL mechanisms
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
class keystone::messaging::amqp(
$amqp_pre_settled = $::os_service_default,
$amqp_idle_timeout = $::os_service_default,
$amqp_ssl_ca_file = $::os_service_default,
$amqp_ssl_cert_file = $::os_service_default,
$amqp_ssl_key_file = $::os_service_default,
$amqp_ssl_key_password = $::os_service_default,
$amqp_sasl_mechanisms = $::os_service_default,
$amqp_pre_settled = $facts['os_service_default'],
$amqp_idle_timeout = $facts['os_service_default'],
$amqp_ssl_ca_file = $facts['os_service_default'],
$amqp_ssl_cert_file = $facts['os_service_default'],
$amqp_ssl_key_file = $facts['os_service_default'],
$amqp_ssl_key_password = $facts['os_service_default'],
$amqp_sasl_mechanisms = $facts['os_service_default'],
) {
include keystone::deps

4
manifests/params.pp
View File

@ -12,7 +12,7 @@ class keystone::params {
$keystone_user = $user
$keystone_group = $group
case $::osfamily {
case $facts['os']['family'] {
'Debian': {
$package_name = 'keystone'
$service_name = 'keystone'
@ -30,7 +30,7 @@ class keystone::params {
$python_pysaml2_package_name = 'python3-pysaml2'
}
default: {
fail("Unsupported osfamily ${::osfamily}")
fail("Unsupported osfamily: ${facts['os']['family']}")
}
}
}

16
manifests/policy.pp
View File

@ -6,12 +6,12 @@
#
# [*enforce_scope*]
# (Optional) Whether or not to enforce scope when evaluating policies.
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*enforce_new_defaults*]
# (Optional) Whether or not to use old deprecated defaults when evaluating
# policies.
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*policies*]
# (Optional) Set of policies to configure for keystone
@ -34,11 +34,11 @@
#
# [*policy_default_rule*]
# (Optional) Default rule. Enforced when a requested rule is not found.
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*policy_dirs*]
# (Optional) Path to the keystone policy folder
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*purge_config*]
# (optional) Whether to set only the specified policy rules in the policy
@ -46,12 +46,12 @@
# Defaults to false.
#
class keystone::policy (
$enforce_scope = $::os_service_default,
$enforce_new_defaults = $::os_service_default,
$enforce_scope = $facts['os_service_default'],
$enforce_new_defaults = $facts['os_service_default'],
$policies = {},
$policy_path = '/etc/keystone/policy.yaml',
$policy_default_rule = $::os_service_default,
$policy_dirs = $::os_service_default,
$policy_default_rule = $facts['os_service_default'],
$policy_dirs = $facts['os_service_default'],
$purge_config = false,
) {

142
manifests/resource/authtoken.pp
View File

@ -52,63 +52,63 @@
#
# [*project_name*]
# (Optional) Service project name
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_domain_name*]
# (Optional) Name of domain for $username
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*project_domain_name*]
# (Optional) Name of domain for $project_name
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*system_scope*]
# (Optional) Scope for system operations
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*insecure*]
# (Optional) If true, explicitly allow TLS without checking server cert
# against any certificate authorities. WARNING: not recommended. Use with
# caution.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*auth_section*]
# (Optional) Config Section from which to load plugin specific options
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*auth_type*]
# (Optional) Authentication type to load
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*www_authenticate_uri*]
# (Optional) Complete public Identity API endpoint.
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*auth_version*]
# (Optional) API version of the admin Identity API endpoint.
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*cache*]
# (Optional) Env key for the swift cache.
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*cafile*]
# (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs
# connections.
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*certfile*]
# (Optional) Required if identity server requires client certificate
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*collect_timing*]
# (Optional) If true, collect per-method timing information for each API call.
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*delay_auth_decision*]
# (Optional) Do not handle authorization requests within the middleware, but
# delegate the authorization decision to downstream WSGI components. Boolean value
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*enforce_token_bind*]
# (Optional) Used to control the use and type of token binding. Can be set
@ -118,56 +118,56 @@
# type is unknown the token will be rejected. "required" any form of token
# binding is needed to be allowed. Finally the name of a binding method that
# must be present in tokens. String value.
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*http_connect_timeout*]
# (Optional) Request timeout value for communicating with Identity API server.
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*http_request_max_retries*]
# (Optional) How many times are we trying to reconnect when communicating
# with Identity API Server. Integer value
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*include_service_catalog*]
# (Optional) Indicate whether to set the X-Service-Catalog header. If False,
# middleware will not ask for service catalog on token validation and will not
# set the X-Service-Catalog header. Boolean value.
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*keyfile*]
# (Optional) Required if identity server requires client certificate
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*memcache_pool_conn_get_timeout*]
# (Optional) Number of seconds that an operation will wait to get a memcached
# client connection from the pool. Integer value
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*memcache_pool_dead_retry*]
# (Optional) Number of seconds memcached server is considered dead before it
# is tried again. Integer value
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*memcache_pool_maxsize*]
# (Optional) Maximum total number of open connections to every memcached
# server. Integer value
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*memcache_pool_socket_timeout*]
# (Optional) Number of seconds a connection to memcached is held unused in the
# pool before it is closed. Integer value
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*memcache_pool_unused_timeout*]
# (Optional) Number of seconds a connection to memcached is held unused in the
# pool before it is closed. Integer value
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*memcache_secret_key*]
# (Optional, mandatory if memcache_security_strategy is defined) This string
# is used for key derivation.
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*memcache_security_strategy*]
# (Optional) If defined, indicate whether token data should be authenticated or
@ -175,27 +175,27 @@
# in the cache. If ENCRYPT, token data is encrypted and authenticated in the
# cache. If the value is not one of these options or empty, auth_token will
# raise an exception on initialization.
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*memcache_use_advanced_pool*]
# (Optional) Use the advanced (eventlet safe) memcached client pool. The
# advanced pool will only work under python 2.x Boolean value
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*memcached_servers*]
# (Optional) Optionally specify a list of memcached server(s) to use for
# caching. If left undefined, tokens will instead be cached in-process.
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*region_name*]
# (Optional) The region in which the identity server can be found.
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*token_cache_time*]
# (Optional) In order to prevent excessive effort spent validating tokens,
# the middleware caches previously-seen tokens for a configurable duration
# (in seconds). Set to -1 to disable caching completely. Integer value
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*manage_memcache_package*]
# (Optional) Whether to install the python-memcache package.
@ -209,63 +209,63 @@
# here are applied as an ANY check so any role in this list
# must be present. For backwards compatibility reasons this
# currently only affects the allow_expired check. (list value)
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*service_token_roles_required*]
# (optional) backwards compatibility to ensure that the service tokens are
# compared against a list of possible roles for validity
# true/false
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*service_type*]
# (Optional) The name or type of the service as it appears in the service
# catalog. This is used to validate tokens that have restricted access rules.
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*interface*]
# (Optional) Interface to use for the Identity API endpoint. Valid values are
# "public", "internal" or "admin".
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
define keystone::resource::authtoken(
$username,
$password,
$auth_url,
$project_name = $::os_service_default,
$user_domain_name = $::os_service_default,
$project_domain_name = $::os_service_default,
$system_scope = $::os_service_default,
$insecure = $::os_service_default,
$auth_section = $::os_service_default,
$auth_type = $::os_service_default,
$www_authenticate_uri = $::os_service_default,
$auth_version = $::os_service_default,
$cache = $::os_service_default,
$cafile = $::os_service_default,
$certfile = $::os_service_default,
$collect_timing = $::os_service_default,
$delay_auth_decision = $::os_service_default,
$enforce_token_bind = $::os_service_default,
$http_connect_timeout = $::os_service_default,
$http_request_max_retries = $::os_service_default,
$include_service_catalog = $::os_service_default,
$keyfile = $::os_service_default,
$memcache_pool_conn_get_timeout = $::os_service_default,
$memcache_pool_dead_retry = $::os_service_default,
$memcache_pool_maxsize = $::os_service_default,
$memcache_pool_socket_timeout = $::os_service_default,
$memcache_pool_unused_timeout = $::os_service_default,
$memcache_secret_key = $::os_service_default,
$memcache_security_strategy = $::os_service_default,
$memcache_use_advanced_pool = $::os_service_default,
$memcached_servers = $::os_service_default,
$region_name = $::os_service_default,
$token_cache_time = $::os_service_default,
$project_name = $facts['os_service_default'],
$user_domain_name = $facts['os_service_default'],
$project_domain_name = $facts['os_service_default'],
$system_scope = $facts['os_service_default'],
$insecure = $facts['os_service_default'],
$auth_section = $facts['os_service_default'],
$auth_type = $facts['os_service_default'],
$www_authenticate_uri = $facts['os_service_default'],
$auth_version = $facts['os_service_default'],
$cache = $facts['os_service_default'],
$cafile = $facts['os_service_default'],
$certfile = $facts['os_service_default'],
$collect_timing = $facts['os_service_default'],
$delay_auth_decision = $facts['os_service_default'],
$enforce_token_bind = $facts['os_service_default'],
$http_connect_timeout = $facts['os_service_default'],
$http_request_max_retries = $facts['os_service_default'],
$include_service_catalog = $facts['os_service_default'],
$keyfile = $facts['os_service_default'],
$memcache_pool_conn_get_timeout = $facts['os_service_default'],
$memcache_pool_dead_retry = $facts['os_service_default'],
$memcache_pool_maxsize = $facts['os_service_default'],
$memcache_pool_socket_timeout = $facts['os_service_default'],
$memcache_pool_unused_timeout = $facts['os_service_default'],
$memcache_secret_key = $facts['os_service_default'],
$memcache_security_strategy = $facts['os_service_default'],
$memcache_use_advanced_pool = $facts['os_service_default'],
$memcached_servers = $facts['os_service_default'],
$region_name = $facts['os_service_default'],
$token_cache_time = $facts['os_service_default'],
$manage_memcache_package = false,
$service_token_roles = $::os_service_default,
$service_token_roles_required = $::os_service_default,
$service_type = $::os_service_default,
$interface = $::os_service_default,
$service_token_roles = $facts['os_service_default'],
$service_token_roles_required = $facts['os_service_default'],
$service_type = $facts['os_service_default'],
$interface = $facts['os_service_default'],
) {
include keystone::params
@ -308,7 +308,7 @@ define keystone::resource::authtoken(
})
}
} else {
$memcached_servers_real = $::os_service_default
$memcached_servers_real = $facts['os_service_default']
}
if is_service_default($system_scope) {
@ -317,8 +317,8 @@ define keystone::resource::authtoken(
} else {
# When system scope is used, project parameters should be removed otherwise
# project scope is used.
$project_name_real = $::os_service_default
$project_domain_name_real = $::os_service_default
$project_name_real = $facts['os_service_default']
$project_domain_name_real = $facts['os_service_default']
}
$keystonemiddleware_options = {

48
manifests/resource/service_user.pp
View File

@ -23,15 +23,15 @@
#
# [*project_name*]
# (Optional) Service project name
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_domain_name*]
# (Optional) Name of domain for $username
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*project_domain_name*]
# (Optional) Name of domain for $project_name
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*send_service_user_token*]
# (Optional) The service uses service token feature when this is set as true
@ -39,55 +39,55 @@
#
# [*system_scope*]
# (Optional) Scope for system operations
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*insecure*]
# (Optional) If true, explicitly allow TLS without checking server cert
# against any certificate authorities. WARNING: not recommended. Use with
# caution.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*auth_type*]
# (Optional) Authentication type to load
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*auth_version*]
# (Optional) API version of the admin Identity API endpoint.
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*cafile*]
# (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs
# connections.
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*certfile*]
# (Optional) Required if identity server requires client certificate
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*keyfile*]
# (Optional) Required if identity server requires client certificate
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*region_name*]
# (Optional) The region in which the identity server can be found.
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
define keystone::resource::service_user(
$username,
$password,
$auth_url,
$project_name = $::os_service_default,
$user_domain_name = $::os_service_default,
$project_domain_name = $::os_service_default,
$system_scope = $::os_service_default,
$project_name = $facts['os_service_default'],
$user_domain_name = $facts['os_service_default'],
$project_domain_name = $facts['os_service_default'],
$system_scope = $facts['os_service_default'],
$send_service_user_token = false,
$insecure = $::os_service_default,
$auth_type = $::os_service_default,
$auth_version = $::os_service_default,
$cafile = $::os_service_default,
$certfile = $::os_service_default,
$keyfile = $::os_service_default,
$region_name = $::os_service_default,
$insecure = $facts['os_service_default'],
$auth_type = $facts['os_service_default'],
$auth_version = $facts['os_service_default'],
$cafile = $facts['os_service_default'],
$certfile = $facts['os_service_default'],
$keyfile = $facts['os_service_default'],
$region_name = $facts['os_service_default'],
) {
include keystone::params
@ -99,8 +99,8 @@ define keystone::resource::service_user(
} else {
# When system scope is used, project parameters should be removed otherwise
# project scope is used.
$project_name_real = $::os_service_default
$project_domain_name_real = $::os_service_default
$project_name_real = $facts['os_service_default']
$project_domain_name_real = $facts['os_service_default']
}
$service_user_options = {

36
manifests/security_compliance.pp
View File

@ -8,65 +8,65 @@
# [*change_password_upon_first_use*]
# (Optional) Enabling this option requires users to change their password
# when the user is created, or upon administrative reset. (Boolean value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*disable_user_account_days_inactive*]
# (Optional) The maximum number of days a user can go without authenticating
# before being considered "inactive" and automatically disabled (locked).
# (Integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*lockout_duration*]
# (Optional) The number of seconds a user account will be locked when the
# maximum number of failed authentication attempts (as specified by
# `[security_compliance] lockout_failure_attempts`) is exceeded.
# (Integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*lockout_failure_attempts*]
# (Optional) The maximum number of times that a user can fail to authenticate
# before the user account is locked for the number of seconds specified by
# `[security_compliance] lockout_duration`. (Integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*minimum_password_age*]
# (Optional) The number of days that a password must be used before the user
# can change it. This prevents users from changing their passwords immediately
# in order to wipe out their password history and reuse an old password.
# (Integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*password_expires_days*]
# (Optional) The number of days for which a password will be considered valid
# before requiring it to be changed. (Integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*password_regex*]
# (Optional) The regular expression used to validate password strength requirements.
# By default, the regular expression will match any password. (String value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*password_regex_description*]
# (Optional) Describe your password regular expression here in language for humans.
# (String value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*unique_last_password_count*]
# (Optional) This controls the number of previous user password iterations to keep
# in history, in order to enforce that newly created passwords are unique.
# (Integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
class keystone::security_compliance(
$change_password_upon_first_use = $::os_service_default,
$disable_user_account_days_inactive = $::os_service_default,
$lockout_duration = $::os_service_default,
$lockout_failure_attempts = $::os_service_default,
$minimum_password_age = $::os_service_default,
$password_expires_days = $::os_service_default,
$password_regex = $::os_service_default,
$password_regex_description = $::os_service_default,
$unique_last_password_count = $::os_service_default,
$change_password_upon_first_use = $facts['os_service_default'],
$disable_user_account_days_inactive = $facts['os_service_default'],
$lockout_duration = $facts['os_service_default'],
$lockout_failure_attempts = $facts['os_service_default'],
$minimum_password_age = $facts['os_service_default'],
$password_expires_days = $facts['os_service_default'],
$password_regex = $facts['os_service_default'],
$password_regex_description = $facts['os_service_default'],
$unique_last_password_count = $facts['os_service_default'],
) {
include keystone::deps

10
manifests/wsgi/apache.pp
View File

@ -12,7 +12,7 @@
#
# [*servername*]
# (Optional) The servername for the virtualhost.
# Defaults to $::fqdn
# Defaults to $facts['networking']['fqdn']
#
# [*bind_host*]
# (Optional) The host/ip address Apache will listen on.
@ -32,7 +32,7 @@
#
# [*workers*]
# (Optional) Number of WSGI workers to spawn.
# Defaults to $::os_workers_keystone
# Defaults to $facts['os_workers_keystone']
#
# [*ssl_cert*]
# (Optional) Path to SSL certificate
@ -142,12 +142,12 @@
# Defaults to undef
#
class keystone::wsgi::apache (
$servername = $::fqdn,
$servername = $facts['networking']['fqdn'],
$bind_host = undef,
$port = 5000,
$path = '/',
$ssl = false,
$workers = $::os_workers_keystone,
$workers = $facts['os_workers_keystone'],
$ssl_cert = undef,
$ssl_key = undef,
$ssl_chain = undef,
@ -227,7 +227,7 @@ class keystone::wsgi::apache (
# The file should be created after the apache class is invoked, otherwise
# the file is deleted because of its default behavior which removes all files
# in sites-available/sites-enabled.
if ($::operatingsystem == 'Ubuntu') {
if ($facts['os']['name'] == 'Ubuntu') {
ensure_resource('file', '/etc/apache2/sites-available/keystone.conf', {
'ensure' => 'file',
'content' => '',

6
manifests/wsgi/uwsgi.pp
View File

@ -11,7 +11,7 @@
#
# [*processes*]
# (Optional) Number of processes.
# Defaults to $::os_workers.
# Defaults to $facts['os_workers'].
#
# [*threads*]
# (Optional) Number of threads.
@ -22,14 +22,14 @@
# Defaults to 100
#
class keystone::wsgi::uwsgi (
$processes = $::os_workers,
$processes = $facts['os_workers'],
$threads = 32,
$listen_queue_size = 100,
){
include keystone::deps
if $::operatingsystem != 'Debian'{
if $facts['os']['name'] != 'Debian'{
warning('This class is only valid for Debian, as other operating systems are not using uwsgi by default.')
}

2
spec/classes/keystone_client_spec.rb
View File

@ -42,7 +42,7 @@ describe 'keystone::client' do
end
let (:platform_params) do
case facts[:osfamily]
case facts[:os]['family']
when 'Debian'
{ :client_package_name => 'python3-keystoneclient' }
when 'RedHat'

2
spec/classes/keystone_federation_identity_provider_spec.rb
View File

@ -119,7 +119,7 @@ describe 'keystone::federation::identity_provider' do
end
let (:platform_params) do
if facts[:osfamily] == 'RedHat'
if facts[:os]['family'] == 'RedHat'
keystone_service = 'openstack-keystone'
python_pysaml2_package_name = 'python3-pysaml2'
else

4
spec/classes/keystone_federation_mellon_spec.rb
View File

@ -86,9 +86,7 @@ describe 'keystone::federation::mellon' do
}).each do |os,facts|
context "on #{os}" do
let (:facts) do
facts.merge(OSDefaults.get_facts({
:concat_basedir => '/var/lib/puppet/concat'
}))
facts.merge(OSDefaults.get_facts())
end
it_behaves_like 'Federation Mellon'

6
spec/classes/keystone_federation_shibboleth_spec.rb
View File

@ -143,14 +143,12 @@ describe 'keystone::federation::shibboleth' do
}).each do |os,facts|
context "on #{os}" do
let (:facts) do
facts.merge(OSDefaults.get_facts({
:concat_basedir => '/var/lib/puppet/concat'
}))
facts.merge(OSDefaults.get_facts())
end
it_behaves_like 'keystone::federation::shibboleth'
it_behaves_like 'keystone::federation::shibboleth with invalid parameters'
it_behaves_like "keystone::federation::shibboleth on #{facts[:osfamily]}"
it_behaves_like "keystone::federation::shibboleth on #{facts[:os]['family']}"
end
end
end

9
spec/classes/keystone_init_spec.rb
View File

@ -177,7 +177,7 @@ describe 'keystone' do
end
it do
if facts[:operatingsystem] == 'Debian'
if facts[:os]['name'] == 'Debian'
is_expected.to contain_service('keystone').with(
:ensure => 'stopped',
:name => platform_params[:service_name],
@ -620,14 +620,11 @@ describe 'keystone' do
}).each do |os,facts|
context "on #{os}" do
let (:facts) do
facts.merge!(OSDefaults.get_facts({
:concat_basedir => '/var/lib/puppet/concat',
:fqdn => 'some.host.tld',
}))
facts.merge!(OSDefaults.get_facts())
end
let(:platform_params) do
case facts[:osfamily]
case facts[:os]['family']
when 'Debian'
{ :package_name => 'keystone',
:service_name => 'keystone',

2
spec/classes/keystone_ldap_spec.rb
View File

@ -236,7 +236,7 @@ describe 'keystone::ldap' do
end
let (:platform_params) do
case facts[:osfamily]
case facts[:os]['family']
when 'Debian'
{ :python_ldappool_package_name => 'python3-ldappool' }
when 'RedHat'

8
spec/classes/keystone_wsgi_apache_spec.rb
View File

@ -16,7 +16,7 @@ describe 'keystone::wsgi::apache' do
}
it { should contain_openstacklib__wsgi__apache('keystone_wsgi').with(
:servername => 'some.host.tld',
:servername => 'foo.example.com',
:bind_host => nil,
:bind_port => 5000,
:group => 'keystone',
@ -195,13 +195,11 @@ describe 'keystone::wsgi::apache' do
let (:facts) do
facts.merge!(OSDefaults.get_facts({
:os_workers_keystone => 8,
:concat_basedir => '/var/lib/puppet/concat',
:fqdn => 'some.host.tld',
}))
end
let(:platform_params) do
case facts[:osfamily]
case facts[:os]['family']
when 'Debian'
{
:wsgi_script_path => '/usr/lib/cgi-bin/keystone',
@ -214,7 +212,7 @@ describe 'keystone::wsgi::apache' do
end
it_behaves_like 'keystone::wsgi::apache'
if facts[:operatingsystem] == 'Ubuntu'
if facts[:os]['name'] == 'Ubuntu'
it_behaves_like 'keystone::wsgi::apache on Ubuntu'
end
end

2
spec/defines/keystone_ldap_backend_spec.rb
View File

@ -216,7 +216,7 @@ describe 'keystone::ldap_backend' do
end
let (:platform_params) do
case facts[:osfamily]
case facts[:os]['family']
when 'Debian'
{ :python_ldappool_package_name => 'python3-ldappool' }
when 'RedHat'

2
spec/defines/keystone_resource_authtoken_spec.rb
View File

@ -273,7 +273,7 @@ describe 'keystone::resource::authtoken' do
end
let(:platform_params) do
case facts[:osfamily]
case facts[:os]['family']
when 'Debian'
memcache_package_name = 'python3-memcache'
when 'RedHat'