Add misssing parameters to keystone_authtoken

Added keystonemiddleware parameters according to [1]
Remove deprecated parameters instead of deprecate them,
since this define is not used yet.

Keystonemiddleware documentation:
http://docs.openstack.org/developer/keystonemiddleware/middlewarearchitecture.html#configuration

add release note

Co-Authored-By: Iury Gregory <iurygregory@gmail.com>

Closes-Bug: #1590748
Closes-Bug: #1533476

Change-Id: Iaac179f2aa32d484dab9296dcb939580aba07c73
This commit is contained in:
Daniel Pawlik 2016-06-11 12:41:30 +00:00 committed by Iury Gregory Melo Ferreira
parent 5d542d6ac7
commit 4bab7ac675
3 changed files with 392 additions and 287 deletions

View File

@ -6,13 +6,6 @@
# at http://www.jamielennox.net/blog/2015/02/17/loading-authentication-plugins/ # at http://www.jamielennox.net/blog/2015/02/17/loading-authentication-plugins/
# with the addition of the default domain for user and project. # with the addition of the default domain for user and project.
# #
# The username and project_name parameters may be given in the form
# "name::domainname". The authtoken resource will use the domains in
# the following order:
# 1) The given domain parameter (user_domain_name or project_domain_name)
# 2) The domain given as the "::domainname" part of username or project_name
# 3) The default_domain_name
#
# For example, instead of doing this:: # For example, instead of doing this::
# #
# glance_api_config { # glance_api_config {
@ -32,7 +25,6 @@
# project_name => $keystone_tenant, # project_name => $keystone_tenant,
# user_domain_name => $keystone_user_domain, # user_domain_name => $keystone_user_domain,
# project_domain_name => $keystone_project_domain, # project_domain_name => $keystone_project_domain,
# default_domain_name => $keystone_default_domain,
# cacert => $ca_file, # cacert => $ca_file,
# ... # ...
# } # }
@ -44,176 +36,286 @@
# == Parameters: # == Parameters:
# #
# [*name*] # [*name*]
# (Required) The name of the resource corresponding to the config file. For example, # (Required) The name of the resource corresponding to the config file.
# keystone::resource::authtoken { 'glance_api_config': ... } # For example, keystone::resource::authtoken { 'glance_api_config': ... }
# Where 'glance_api_config' is the name of the resource used to manage # Where 'glance_api_config' is the name of the resource used to manage
# the glance api configuration. string; # the glance api configuration.
# #
# [*username*] # [*username*]
# (Required) The name of the service user; string; # (Required) The name of the service user
# #
# [*password*] # [*password*]
# (Required) Password to create for the service user; string; # (Required) Password to create for the service user
# #
# [*auth_url*] # [*auth_url*]
# (Required) The URL to use for authentication. string; # (Required) The URL to use for authentication.
# #
# [*auth_plugin*] # [*project_name*]
# (Optional) The plugin to use for authentication. string; # (Required) Service project name
# Defaults to 'password'
#
# [*user_id*]
# (Optional) The ID of the service user;
# string; Defaults to $::os_service_default
# #
# [*user_domain_name*] # [*user_domain_name*]
# (Optional) Name of domain for $username # (Optional) Name of domain for $username
# Defaults to $::os_service_default # Defaults to $::os_service_default
# #
# [*user_domain_id*]
# (Optional) ID of domain for $username
# Defaults to $::os_service_default
#
# [*project_name*]
# (Optional) Service project name; string;
# Defaults to $::os_service_default
#
# [*project_id*]
# (Optional) Service project ID;
# string; Defaults to $::os_service_default
#
# [*project_domain_name*] # [*project_domain_name*]
# (Optional) Name of domain for $project_name # (Optional) Name of domain for $project_name
# Defaults to $::os_service_default # Defaults to $::os_service_default
# #
# [*project_domain_id*]
# (Optional) ID of domain for $project_name
# Defaults to $::os_service_default
#
# [*domain_name*]
# (Optional) Use this for auth to obtain a domain-scoped token.
# If using this option, do not specify $project_name or $project_id.
# Defaults to $::os_service_default
#
# [*domain_id*]
# (Optional) Use this for auth to obtain a domain-scoped token.
# If using this option, do not specify $project_name or $project_id.
# Defaults to $::os_service_default
#
# [*default_domain_name*]
# (Optional) Name of domain for $username and $project_name
# If user_domain_name is not specified, use $default_domain_name
# If project_domain_name is not specified, use $default_domain_name
# Defaults to $::os_service_default
#
# [*default_domain_id*]
# (Optional) ID of domain for $user_id and $project_id
# If user_domain_id is not specified, use $default_domain_id
# If project_domain_id is not specified, use $default_domain_id
# Defaults to $::os_service_default
#
# [*trust_id*]
# (Optional) Trust ID
# Defaults to $::os_service_default
#
# [*cacert*]
# (Optional) CA certificate file for TLS (https)
# Defaults to $::os_service_default
#
# [*cert*]
# (Optional) Certificate file for TLS (https)
# Defaults to $::os_service_default
#
# [*key*]
# (Optional) Key file for TLS (https)
# Defaults to $::os_service_default
#
# [*insecure*] # [*insecure*]
# If true, explicitly allow TLS without checking server cert against any # (Optional) If true, explicitly allow TLS without checking server cert
# certificate authorities. WARNING: not recommended. Use with caution. # against any certificate authorities. WARNING: not recommended. Use with
# boolean; Defaults to false (which means be secure) # caution.
# Defaults to $:os_service_default
#
# [*auth_section*]
# (Optional) Config Section from which to load plugin specific options
# Defaults to $::os_service_default.
#
# [*auth_type*]
# (Optional) Authentication type to load
# Defaults to $::os_service_default
#
# [*auth_uri*]
# (Optional) Complete public Identity API endpoint.
# Defaults to $::os_service_default.
#
# [*auth_version*]
# (Optional) API version of the admin Identity API endpoint.
# Defaults to $::os_service_default.
#
# [*cache*]
# (Optional) Env key for the swift cache.
# Defaults to $::os_service_default.
#
# [*cafile*]
# (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs
# connections.
# Defaults to $::os_service_default.
#
# [*certfile*]
# (Optional) Required if identity server requires client certificate
# Defaults to $::os_service_default.
#
# [*check_revocations_for_cached*]
# (Optional) If true, the revocation list will be checked for cached tokens.
# This requires that PKI tokens are configured on the identity server.
# boolean value.
# Defaults to $::os_service_default.
#
# [*delay_auth_decision*]
# (Optional) Do not handle authorization requests within the middleware, but
# delegate the authorization decision to downstream WSGI components. Boolean value
# Defaults to $::os_service_default.
#
# [*enforce_token_bind*]
# (Optional) Used to control the use and type of token binding. Can be set
# to: "disabled" to not check token binding. "permissive" (default) to
# validate binding information if the bind type is of a form known to the
# server and ignore it if not. "strict" like "permissive" but if the bind
# type is unknown the token will be rejected. "required" any form of token
# binding is needed to be allowed. Finally the name of a binding method that
# must be present in tokens. String value.
# Defaults to $::os_service_default.
#
# [*hash_algorithms*]
# (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
# single algorithm or multiple. The algorithms are those supported by Python
# standard hashlib.new(). The hashes will be tried in the order given, so put
# the preferred one first for performance. The result of the first hash will
# be stored in the cache. This will typically be set to multiple values only
# while migrating from a less secure algorithm to a more secure one. Once all
# the old tokens are expired this option should be set to a single value for
# better performance. List value.
# Defaults to $::os_service_default.
#
# [*http_connect_timeout*]
# (Optional) Request timeout value for communicating with Identity API server.
# Defaults to $::os_service_default.
#
# [*http_request_max_retries*]
# (Optional) How many times are we trying to reconnect when communicating
# with Identity API Server. Integer value
# Defaults to $::os_service_default.
#
# [*include_service_catalog*]
# (Optional) Indicate whether to set the X-Service-Catalog header. If False,
# middleware will not ask for service catalog on token validation and will not
# set the X-Service-Catalog header. Boolean value.
# Defaults to $::os_service_default.
#
# [*keyfile*]
# (Optional) Required if identity server requires client certificate
# Defaults to $::os_service_default.
#
# [*memcache_pool_conn_get_timeout*]
# (Optional) Number of seconds that an operation will wait to get a memcached
# client connection from the pool. Integer value
# Defaults to $::os_service_default.
#
# [*memcache_pool_dead_retry*]
# (Optional) Number of seconds memcached server is considered dead before it
# is tried again. Integer value
# Defaults to $::os_service_default.
#
# [*memcache_pool_maxsize*]
# (Optional) Maximum total number of open connections to every memcached
# server. Integer value
# Defaults to $::os_service_default.
#
# [*memcache_pool_socket_timeout*]
# (Optional) Number of seconds a connection to memcached is held unused in the
# pool before it is closed. Integer value
# Defaults to $::os_service_default.
#
# [*memcache_pool_unused_timeout*]
# (Optional) Number of seconds a connection to memcached is held unused in the
# pool before it is closed. Integer value
# Defaults to $::os_service_default.
#
# [*memcache_secret_key*]
# (Optional, mandatory if memcache_security_strategy is defined) This string
# is used for key derivation.
# Defaults to $::os_service_default.
#
# [*memcache_security_strategy*]
# (Optional) If defined, indicate whether token data should be authenticated or
# authenticated and encrypted. If MAC, token data is authenticated (with HMAC)
# in the cache. If ENCRYPT, token data is encrypted and authenticated in the
# cache. If the value is not one of these options or empty, auth_token will
# raise an exception on initialization.
# Defaults to $::os_service_default.
#
# [*memcache_use_advanced_pool*]
# (Optional) Use the advanced (eventlet safe) memcached client pool. The
# advanced pool will only work under python 2.x Boolean value
# Defaults to $::os_service_default.
#
# [*memcached_servers*]
# (Optional) Optionally specify a list of memcached server(s) to use for
# caching. If left undefined, tokens will instead be cached in-process.
# Defaults to $::os_service_default.
#
# [*region_name*]
# (Optional) The region in which the identity server can be found.
# Defaults to $::os_service_default.
#
# [*revocation_cache_time*]
# (Optional) Determines the frequency at which the list of revoked tokens is
# retrieved from the Identity service (in seconds). A high number of
# revocation events combined with a low cache duration may significantly
# reduce performance. Only valid for PKI tokens. Integer value
# Defaults to $::os_service_default.
#
# [*signing_dir*]
# (Optional) Directory used to cache files related to PKI tokens.
# Defaults to $::os_service_default.
#
# [*token_cache_time*]
# (Optional) In order to prevent excessive effort spent validating tokens,
# the middleware caches previously-seen tokens for a configurable duration
# (in seconds). Set to -1 to disable caching completely. Integer value
# Defaults to $::os_service_default.
# #
define keystone::resource::authtoken( define keystone::resource::authtoken(
$username, $username,
$password, $password,
$auth_url, $auth_url,
$auth_plugin = 'password', $project_name,
$user_id = $::os_service_default, $user_domain_name = $::os_service_default,
$user_domain_name = $::os_service_default, $project_domain_name = $::os_service_default,
$user_domain_id = $::os_service_default, $insecure = $::os_service_default,
$project_name = $::os_service_default, $auth_section = $::os_service_default,
$project_id = $::os_service_default, $auth_type = $::os_service_default,
$project_domain_name = $::os_service_default, $auth_uri = $::os_service_default,
$project_domain_id = $::os_service_default, $auth_version = $::os_service_default,
$domain_name = $::os_service_default, $cache = $::os_service_default,
$domain_id = $::os_service_default, $cafile = $::os_service_default,
$default_domain_name = $::os_service_default, $certfile = $::os_service_default,
$default_domain_id = $::os_service_default, $check_revocations_for_cached = $::os_service_default,
$trust_id = $::os_service_default, $delay_auth_decision = $::os_service_default,
$cacert = $::os_service_default, $enforce_token_bind = $::os_service_default,
$cert = $::os_service_default, $hash_algorithms = $::os_service_default,
$key = $::os_service_default, $http_connect_timeout = $::os_service_default,
$insecure = false, $http_request_max_retries = $::os_service_default,
$include_service_catalog = $::os_service_default,
$keyfile = $::os_service_default,
$memcache_pool_conn_get_timeout = $::os_service_default,
$memcache_pool_dead_retry = $::os_service_default,
$memcache_pool_maxsize = $::os_service_default,
$memcache_pool_socket_timeout = $::os_service_default,
$memcache_pool_unused_timeout = $::os_service_default,
$memcache_secret_key = $::os_service_default,
$memcache_security_strategy = $::os_service_default,
$memcache_use_advanced_pool = $::os_service_default,
$memcached_servers = $::os_service_default,
$region_name = $::os_service_default,
$revocation_cache_time = $::os_service_default,
$signing_dir = $::os_service_default,
$token_cache_time = $::os_service_default,
) { ) {
include ::keystone::deps include ::keystone::deps
if is_service_default($project_name) and is_service_default($project_id) and if !is_service_default($check_revocations_for_cached) {
is_service_default($domain_name) and is_service_default($domain_id) { validate_bool($check_revocations_for_cached)
fail('Must specify either a project (project_name or project_id, for a project scoped token) or a domain (domain_name or domain_id, for a domain scoped token)')
} }
if ( !is_service_default($project_name) or !is_service_default($project_id) ) and if !is_service_default($include_service_catalog) {
( !is_service_default($domain_name) or !is_service_default($domain_id) ) { validate_bool($include_service_catalog)
fail('Cannot specify both a project (project_name or project_id) and a domain (domain_name or domain_id)')
} }
$user_and_domain_array = split($username, '::') if !is_service_default($memcache_use_advanced_pool) {
$real_username = $user_and_domain_array[0] validate_bool($memcache_use_advanced_pool)
if !is_service_default($user_domain_name) {
$real_user_domain_name = pick($user_domain_name,$user_and_domain_array[1])
} elsif !is_service_default($default_domain_name) {
$real_user_domain_name = pick($user_and_domain_array[1], $default_domain_name)
} else {
$real_user_domain_name = pick($user_domain_name, $user_and_domain_array[1], $default_domain_name)
} }
$project_and_domain_array = split($project_name, '::') if! ($memcache_security_strategy in [$::os_service_default,'MAC','ENCRYPT']) {
$real_project_name = $project_and_domain_array[0] fail('memcache_security_strategy can be set only to MAC or ENCRYPT')
if !is_service_default($project_domain_name) {
$real_project_domain_name = pick($project_domain_name, $project_and_domain_array[1])
} elsif !is_service_default($default_domain_name) {
$real_project_domain_name = pick($project_and_domain_array[1], $default_domain_name)
} else {
$real_project_domain_name = pick($project_domain_name, $project_and_domain_array[1], $default_domain_name)
} }
$real_user_domain_id = pick($user_domain_id,$default_domain_id) if !is_service_default($memcache_security_strategy) and is_service_default($memcache_secret_key) {
$real_project_domain_id = pick($project_domain_id, $default_domain_id) fail('memcache_secret_key is required when memcache_security_strategy is defined')
$authtoken_options = {
'keystone_authtoken/auth_plugin' => {'value' => $auth_plugin },
'keystone_authtoken/auth_url' => {'value' => $auth_url },
'keystone_authtoken/username' => {'value' => $real_username },
'keystone_authtoken/password' => {'value' => $password, 'secret' => true },
'keystone_authtoken/user_id' => {'value' => $user_id },
'keystone_authtoken/user_domain_name' => {'value' => $real_user_domain_name },
'keystone_authtoken/project_name' => {'value' => $real_project_name },
'keystone_authtoken/project_id' => {'value' => $project_id },
'keystone_authtoken/domain_name' => {'value' => $domain_name },
'keystone_authtoken/project_domain_name' => {'value' => $real_project_domain_name },
'keystone_authtoken/domain_id' => {'value' => $domain_id },
'keystone_authtoken/trust_id' => {'value' => $trust_id },
'keystone_authtoken/cacert' => {'value' => $cacert },
'keystone_authtoken/cert' => {'value' => $cert },
'keystone_authtoken/key' => {'value' => $key },
'keystone_authtoken/insecure' => {'value' => $insecure },
'keystone_authtoken/user_domain_id' => {'value' => $real_user_domain_id },
'keystone_authtoken/project_domain_id' => {'value' => $real_project_domain_id },
} }
create_resources($name, $authtoken_options) if !is_service_default($delay_auth_decision) {
validate_bool($delay_auth_decision)
}
$keystonemiddleware_options = {
'keystone_authtoken/auth_section' => {'value' => $auth_section},
'keystone_authtoken/auth_uri' => {'value' => $auth_uri},
'keystone_authtoken/auth_type' => {'value' => $auth_type},
'keystone_authtoken/auth_version' => {'value' => $auth_version},
'keystone_authtoken/cache' => {'value' => $cache},
'keystone_authtoken/cafile' => {'value' => $cafile},
'keystone_authtoken/certfile' => {'value' => $certfile},
'keystone_authtoken/check_revocations_for_cached' => {'value' => $check_revocations_for_cached},
'keystone_authtoken/delay_auth_decision' => {'value' => $delay_auth_decision},
'keystone_authtoken/enforce_token_bind' => {'value' => $enforce_token_bind},
'keystone_authtoken/hash_algorithms' => {'value' => $hash_algorithms},
'keystone_authtoken/http_connect_timeout' => {'value' => $http_connect_timeout},
'keystone_authtoken/http_request_max_retries' => {'value' => $http_request_max_retries},
'keystone_authtoken/include_service_catalog' => {'value' => $include_service_catalog},
'keystone_authtoken/keyfile' => {'value' => $keyfile},
'keystone_authtoken/memcache_pool_conn_get_timeout' => {'value' => $memcache_pool_conn_get_timeout},
'keystone_authtoken/memcache_pool_dead_retry' => {'value' => $memcache_pool_dead_retry},
'keystone_authtoken/memcache_pool_maxsize' => {'value' => $memcache_pool_maxsize},
'keystone_authtoken/memcache_pool_socket_timeout' => {'value' => $memcache_pool_socket_timeout},
'keystone_authtoken/memcache_pool_unused_timeout' => {'value' => $memcache_pool_unused_timeout},
'keystone_authtoken/memcache_secret_key' => {'value' => $memcache_secret_key},
'keystone_authtoken/memcache_security_strategy' => {'value' => $memcache_security_strategy},
'keystone_authtoken/memcache_use_advanced_pool' => {'value' => $memcache_use_advanced_pool},
'keystone_authtoken/memcached_servers' => {'value' => $memcached_servers},
'keystone_authtoken/region_name' => {'value' => $region_name},
'keystone_authtoken/revocation_cache_time' => {'value' => $revocation_cache_time},
'keystone_authtoken/signing_dir' => {'value' => $signing_dir},
'keystone_authtoken/token_cache_time' => {'value' => $token_cache_time},
'keystone_authtoken/auth_url' => {'value' => $auth_url},
'keystone_authtoken/username' => {'value' => $username},
'keystone_authtoken/password' => {'value' => $password, 'secret' => true},
'keystone_authtoken/user_domain_name' => {'value' => $user_domain_name},
'keystone_authtoken/project_name' => {'value' => $project_name},
'keystone_authtoken/project_domain_name' => {'value' => $project_domain_name},
'keystone_authtoken/insecure' => {'value' => $insecure},
}
create_resources($name, $keystonemiddleware_options)
} }

View File

@ -0,0 +1,4 @@
---
upgrade:
- Add all missing parameters and remove deprecated ones
to configure keystone_authtoken section.

View File

@ -4,178 +4,176 @@ describe 'keystone::resource::authtoken' do
let (:title) { 'keystone_config' } let (:title) { 'keystone_config' }
let :required_params do let :params do
{ :username => 'keystone', { :username => 'keystone',
:password => 'secret', :password => 'secret',
:auth_url => 'http://127.0.0.1:35357/', :auth_url => 'http://127.0.0.1:35357',
:project_name => 'services' } :project_name => 'services' }
end end
shared_examples 'shared examples' do shared_examples 'shared examples' do
context 'with only required parameters' do context 'with only required parameters' do
let :params do it 'configures keystone authtoken' do
required_params is_expected.to contain_keystone_config('keystone_authtoken/username').with_value('keystone')
is_expected.to contain_keystone_config('keystone_authtoken/password').with_value('secret').with_secret(true)
is_expected.to contain_keystone_config('keystone_authtoken/auth_url').with_value( params[:auth_url] )
is_expected.to contain_keystone_config('keystone_authtoken/project_name').with_value( params[:project_name] )
is_expected.to contain_keystone_config('keystone_authtoken/project_domain_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/user_domain_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/insecure').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/auth_section').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/auth_type').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/auth_uri').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/auth_version').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/cache').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/cafile').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/certfile').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/check_revocations_for_cached').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/delay_auth_decision').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/enforce_token_bind').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/hash_algorithms').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/http_connect_timeout').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/http_request_max_retries').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/include_service_catalog').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/keyfile').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/memcache_pool_conn_get_timeout').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/memcache_pool_dead_retry').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/memcache_pool_maxsize').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/memcache_pool_socket_timeout').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/memcache_pool_unused_timeout').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/memcache_secret_key').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/memcache_security_strategy').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/memcache_use_advanced_pool').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/memcached_servers').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/region_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/revocation_cache_time').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/signing_dir').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/token_cache_time').with_value('<SERVICE DEFAULT>')
end end
it { is_expected.to contain_keystone_config('keystone_authtoken/username').with(
:value => 'keystone',
)}
it { is_expected.to contain_keystone_config('keystone_authtoken/user_id').with(
:value => '<SERVICE DEFAULT>',
)}
it { is_expected.to contain_keystone_config('keystone_authtoken/password').with(
:value => 'secret',
:secret => true,
)}
it { is_expected.to contain_keystone_config('keystone_authtoken/auth_plugin').with(
:value => 'password',
)}
it { is_expected.to contain_keystone_config('keystone_authtoken/auth_url').with(
:value => 'http://127.0.0.1:35357/',
)}
it { is_expected.to contain_keystone_config('keystone_authtoken/project_name').with(
:value => 'services',
)}
it { is_expected.to contain_keystone_config('keystone_authtoken/project_id').with(
:value => '<SERVICE DEFAULT>',
)}
it { is_expected.to contain_keystone_config('keystone_authtoken/user_domain_name').with(
:value => '<SERVICE DEFAULT>',
)}
it { is_expected.to contain_keystone_config('keystone_authtoken/project_domain_name').with(
:value => '<SERVICE DEFAULT>',
)}
it { is_expected.to contain_keystone_config('keystone_authtoken/user_domain_id').with(
:value => '<SERVICE DEFAULT>',
)}
it { is_expected.to contain_keystone_config('keystone_authtoken/project_domain_id').with(
:value => '<SERVICE DEFAULT>',
)}
it { is_expected.to contain_keystone_config('keystone_authtoken/domain_name').with(
:value => '<SERVICE DEFAULT>',
)}
it { is_expected.to contain_keystone_config('keystone_authtoken/domain_id').with(
:value => '<SERVICE DEFAULT>',
)}
it { is_expected.to contain_keystone_config('keystone_authtoken/trust_id').with(
:value => '<SERVICE DEFAULT>',
)}
it { is_expected.to contain_keystone_config('keystone_authtoken/cacert').with(
:value => '<SERVICE DEFAULT>',
)}
it { is_expected.to contain_keystone_config('keystone_authtoken/cert').with(
:value => '<SERVICE DEFAULT>',
)}
it { is_expected.to contain_keystone_config('keystone_authtoken/key').with(
:value => '<SERVICE DEFAULT>',
)}
it { is_expected.to contain_keystone_config('keystone_authtoken/insecure').with(
:value => 'false',
)}
end end
context 'when omitting a required parameter password' do context 'set all keystone authoken parameters' do
before do
params.merge! ({
:username => 'username',
:password => 'hardpassword',
:auth_url => 'http://127.1.1.127:35357/',
:project_name => 'NoProject',
:user_domain_name => 'MyDomain',
:project_domain_name => 'OurDomain',
:insecure => true,
:auth_section => 'some_section',
:auth_type => 'password',
:auth_uri => 'http://127.1.1.127:5000/',
:auth_version => '3',
:cache => 'somevalue',
:cafile => 'cafile.pem',
:certfile => 'certfile.crt',
:check_revocations_for_cached => true,
:delay_auth_decision => true,
:enforce_token_bind => 'strict',
:hash_algorithms => 'sha1',
:http_connect_timeout => '120',
:http_request_max_retries => '5',
:include_service_catalog => false,
:keyfile => 'somekey.key',
:region_name => 'MyRegion',
:revocation_cache_time => '50',
:signing_dir => '/tmp/',
:token_cache_time => '20',
})
end
it 'override keystone authtoken parameters' do
is_expected.to contain_keystone_config('keystone_authtoken/username').with_value(params[:username])
is_expected.to contain_keystone_config('keystone_authtoken/password').with_value(params[:password]).with_secret(true)
is_expected.to contain_keystone_config('keystone_authtoken/auth_url').with_value( params[:auth_url] )
is_expected.to contain_keystone_config('keystone_authtoken/project_name').with_value( params[:project_name] )
is_expected.to contain_keystone_config('keystone_authtoken/user_domain_name').with_value(params[:user_domain_name])
is_expected.to contain_keystone_config('keystone_authtoken/project_domain_name').with_value(params[:project_domain_name])
is_expected.to contain_keystone_config('keystone_authtoken/insecure').with_value(params[:insecure])
is_expected.to contain_keystone_config('keystone_authtoken/auth_section').with_value(params[:auth_section])
is_expected.to contain_keystone_config('keystone_authtoken/auth_uri').with_value(params[:auth_uri])
is_expected.to contain_keystone_config('keystone_authtoken/auth_version').with_value(params[:auth_version])
is_expected.to contain_keystone_config('keystone_authtoken/cache').with_value(params[:cache])
is_expected.to contain_keystone_config('keystone_authtoken/check_revocations_for_cached').with_value(params[:check_revocations_for_cached])
is_expected.to contain_keystone_config('keystone_authtoken/delay_auth_decision').with_value(params[:delay_auth_decision])
is_expected.to contain_keystone_config('keystone_authtoken/enforce_token_bind').with_value(params[:enforce_token_bind])
is_expected.to contain_keystone_config('keystone_authtoken/hash_algorithms').with_value(params[:hash_algorithms])
is_expected.to contain_keystone_config('keystone_authtoken/http_connect_timeout').with_value(params[:http_connect_timeout])
is_expected.to contain_keystone_config('keystone_authtoken/http_request_max_retries').with_value(params[:http_request_max_retries])
is_expected.to contain_keystone_config('keystone_authtoken/include_service_catalog').with_value(params[:include_service_catalog])
is_expected.to contain_keystone_config('keystone_authtoken/memcache_pool_conn_get_timeout').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/memcache_pool_dead_retry').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/memcache_pool_maxsize').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/memcache_pool_socket_timeout').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/memcache_pool_unused_timeout').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/memcache_secret_key').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/memcache_security_strategy').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/memcache_use_advanced_pool').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/memcached_servers').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('keystone_authtoken/region_name').with_value(params[:region_name])
is_expected.to contain_keystone_config('keystone_authtoken/revocation_cache_time').with_value(params[:revocation_cache_time])
is_expected.to contain_keystone_config('keystone_authtoken/signing_dir').with_value(params[:signing_dir])
is_expected.to contain_keystone_config('keystone_authtoken/token_cache_time').with_value(params[:token_cache_time])
end
end
context 'without password required parameter' do
let :params do let :params do
required_params.delete(:password) params.delete(:password)
end end
it { expect { is_expected.to raise_error(Puppet::Error) } } it { expect { is_expected.to raise_error(Puppet::Error) } }
end end
context 'when specifying auth_url' do context 'without specify project' do
let :params do let :params do
required_params.merge({:auth_url => 'https://host:11111/v3/'}) params.delete(:project_name)
end end
it { is_expected.to contain_keystone_config('keystone_authtoken/auth_url').with( it { expect { is_expected.to raise_error(Puppet::Error) } }
:value => 'https://host:11111/v3/',
)}
end end
context 'when specifying project and scope_domain' do context 'when specifying all memcache params' do
let :params do before do
required_params.merge({:domain_name => 'domain'}) params.merge! ({
:memcached_servers => 'localhost',
:memcache_use_advanced_pool => true,
:memcache_security_strategy => 'ENCRYPT',
:memcache_secret_key => 'secret_key',
:memcache_pool_unused_timeout => '60',
:memcache_pool_socket_timeout => '3',
:memcache_pool_maxsize => '10',
:memcache_pool_dead_retry => '300',
:memcache_pool_conn_get_timeout => '10',
})
end
it 'configures memcahce severs in keystone authtoken' do
is_expected.to contain_keystone_config('keystone_authtoken/memcached_servers').with_value( params[:memcached_servers] )
is_expected.to contain_keystone_config('keystone_authtoken/memcache_use_advanced_pool').with_value( params[:memcache_use_advanced_pool] )
is_expected.to contain_keystone_config('keystone_authtoken/memcache_security_strategy').with_value( params[:memcache_security_strategy] )
is_expected.to contain_keystone_config('keystone_authtoken/memcache_secret_key').with_value( params[:memcache_secret_key] )
is_expected.to contain_keystone_config('keystone_authtoken/memcache_pool_unused_timeout').with_value( params[:memcache_pool_unused_timeout] )
is_expected.to contain_keystone_config('keystone_authtoken/memcache_pool_socket_timeout').with_value( params[:memcache_pool_socket_timeout] )
is_expected.to contain_keystone_config('keystone_authtoken/memcache_pool_maxsize').with_value( params[:memcache_pool_maxsize] )
is_expected.to contain_keystone_config('keystone_authtoken/memcache_pool_dead_retry').with_value( params[:memcache_pool_dead_retry] )
is_expected.to contain_keystone_config('keystone_authtoken/memcache_pool_conn_get_timeout').with_value( params[:memcache_pool_conn_get_timeout] )
end end
it { expect { is_expected.to raise_error(Puppet::Error, 'Cannot specify both a project (project_name or project_id) and a domain (domain_name or domain_id)') } }
end end
context 'when specifying neither project nor domain' do context 'memcache_security_strategy with invalid value' do
let :params do before do
required_params.delete(:project_name) params.merge!({ :memcache_security_strategy => 'mystrategy', })
end end
it { expect { is_expected.to raise_error(Puppet::Error, 'Must specify either a project (project_name or project_id, for a project scoped token) or a domain (domain_name or domain_id, for a domain scoped token)') } } it { expect { is_expected.to raise_error(Puppet::Error, 'memcache_security_strategy can be set only to MAC or ENCRYPT') } }
end end
context 'when specifying domain in name' do context 'require memcache_secret_key when memcache_security_strategy is defined' do
let :params do before do
required_params.merge({ params.merge!({
:username => 'keystone::userdomain', :memcache_security_strategy => 'MAC',
:project_name => 'services::projdomain', :memcache_secret_key => '<SERVICE DEFAULT>',
:default_domain_name => 'shouldnotuse'
}) })
end end
it { is_expected.to contain_keystone_config('keystone_authtoken/user_domain_name').with( it { expect { is_expected.to raise_error(Puppet::Error, 'memcache_secret_key is required when memcache_security_strategy is defined') } }
:value => 'userdomain',
)}
it { is_expected.to contain_keystone_config('keystone_authtoken/project_domain_name').with(
:value => 'projdomain',
)}
end
context 'when specifying domain in parameters' do
let :params do
required_params.merge({
:username => 'keystone::userdomain',
:user_domain_name => 'realuserdomain',
:project_name => 'services::projdomain',
:project_domain_name => 'realprojectdomain',
:default_domain_name => 'shouldnotuse'
})
end
it { is_expected.to contain_keystone_config('keystone_authtoken/user_domain_name').with(
:value => 'realuserdomain',
)}
it { is_expected.to contain_keystone_config('keystone_authtoken/project_domain_name').with(
:value => 'realprojectdomain',
)}
end
context 'when specifying only default domain' do
let :params do
required_params.merge({
:default_domain_name => 'defaultdomain'
})
end
it { is_expected.to contain_keystone_config('keystone_authtoken/user_domain_name').with(
:value => 'defaultdomain',
)}
it { is_expected.to contain_keystone_config('keystone_authtoken/project_domain_name').with(
:value => 'defaultdomain',
)}
end end
end end
@ -191,4 +189,5 @@ describe 'keystone::resource::authtoken' do
include_examples 'shared examples' include_examples 'shared examples'
end end
end end
end end