openstack/puppet-keystone
Code Issues Proposed changes

Merge "Keystone hooks support"

Browse Source
This commit is contained in:
Jenkins 2016-03-16 16:42:56 +00:00 committed by Gerrit Code Review
commit 5039a59e19
35 changed files with 255 additions and 84 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
lib/puppet/type/keystone_domain.rb
View File

@ -47,6 +47,6 @@ Puppet::Type.newtype(:keystone_domain) do
# we should not do anything until the keystone service is started # we should not do anything until the keystone service is started
autorequire(:anchor) do autorequire(:anchor) do
['keystone_started'] ['keystone::service::end']
end end
end end

2
lib/puppet/type/keystone_endpoint.rb
View File

@ -41,7 +41,7 @@ Puppet::Type.newtype(:keystone_endpoint) do
# we should not do anything until the keystone service is started # we should not do anything until the keystone service is started
autorequire(:anchor) do autorequire(:anchor) do
['keystone_started'] ['keystone::service::end']
end end
autorequire(:keystone_service) do autorequire(:keystone_service) do

2
lib/puppet/type/keystone_identity_provider.rb
View File

@ -93,6 +93,6 @@ Puppet::Type.newtype(:keystone_identity_provider) do
end end
autorequire(:anchor) do autorequire(:anchor) do
['keystone_started'] ['keystone::service::end']
end end
end end

2
lib/puppet/type/keystone_role.rb
View File

@ -23,6 +23,6 @@ Puppet::Type.newtype(:keystone_role) do
# we should not do anything until the keystone service is started # we should not do anything until the keystone service is started
autorequire(:anchor) do autorequire(:anchor) do
['keystone_started'] ['keystone::service::end']
end end
end end

2
lib/puppet/type/keystone_service.rb
View File

@ -35,7 +35,7 @@ Puppet::Type.newtype(:keystone_service) do
# If there is no keystone config, authentication credentials # If there is no keystone config, authentication credentials
# need to come from another source. # need to come from another source.
autorequire(:anchor) do autorequire(:anchor) do
['keystone_started'] ['keystone::service::end']
end end
def self.title_patterns def self.title_patterns

2
lib/puppet/type/keystone_tenant.rb
View File

@ -60,7 +60,7 @@ Puppet::Type.newtype(:keystone_tenant) do
# If there is no keystone config, authentication credentials # If there is no keystone config, authentication credentials
# need to come from another source. # need to come from another source.
autorequire(:anchor) do autorequire(:anchor) do
['keystone_started', 'default_domain_created'] ['keystone::service::end', 'default_domain_created']
end end
def self.title_patterns def self.title_patterns

2
lib/puppet/type/keystone_user.rb
View File

@ -80,7 +80,7 @@ Puppet::Type.newtype(:keystone_user) do
# we should not do anything until the keystone service is started # we should not do anything until the keystone service is started
autorequire(:anchor) do autorequire(:anchor) do
['keystone_started', 'default_domain_created'] ['keystone::service::end', 'default_domain_created']
end end
def self.title_patterns def self.title_patterns

2
lib/puppet/type/keystone_user_role.rb
View File

@ -104,7 +104,7 @@ Puppet::Type.newtype(:keystone_user_role) do
# we should not do anything until the keystone service is started # we should not do anything until the keystone service is started
autorequire(:anchor) do autorequire(:anchor) do
['keystone_started'] ['keystone::service::end']
end end
def self.title_patterns def self.title_patterns

2
manifests/client.pp
View File

@ -17,6 +17,8 @@ class keystone::client (
$ensure = 'present' $ensure = 'present'
) inherits keystone::params { ) inherits keystone::params {
include ::keystone::deps
package { 'python-keystoneclient': package { 'python-keystoneclient':
ensure => $ensure, ensure => $ensure,
name => $client_package_name, name => $client_package_name,

2
manifests/config.pp
View File

@ -28,6 +28,8 @@ class keystone::config (
$keystone_paste_ini = {}, $keystone_paste_ini = {},
) { ) {
include ::keystone::deps
validate_hash($keystone_config) validate_hash($keystone_config)
validate_hash($keystone_paste_ini) validate_hash($keystone_paste_ini)

2
manifests/cron/token_flush.pp
View File

@ -65,6 +65,8 @@ class keystone::cron::token_flush (
$user = 'keystone', $user = 'keystone',
) { ) {
include ::keystone::deps
if $maxdelay == 0 { if $maxdelay == 0 {
$sleep = '' $sleep = ''
} else { } else {

3
manifests/db.pp
View File

@ -43,6 +43,7 @@ class keystone::db (
$database_max_overflow = $::os_service_default, $database_max_overflow = $::os_service_default,
) { ) {
include ::keystone::deps
include ::keystone::params include ::keystone::params
# NOTE(spredzy): In order to keep backward compatibility we rely on the pick function # NOTE(spredzy): In order to keep backward compatibility we rely on the pick function
@ -84,7 +85,7 @@ class keystone::db (
package {'keystone-backend-package': package {'keystone-backend-package':
ensure => present, ensure => present,
name => $backend_package, name => $backend_package,
tag => 'openstack', tag => ['openstack', 'keystone-package'],
} }
} }

6
manifests/db/mysql.pp
View File

@ -58,6 +58,8 @@ class keystone::db::mysql(
$allowed_hosts = undef $allowed_hosts = undef
) { ) {
include ::keystone::deps
validate_string($password) validate_string($password)
::openstacklib::db::mysql { 'keystone': ::openstacklib::db::mysql { 'keystone':
@ -70,5 +72,7 @@ class keystone::db::mysql(
allowed_hosts => $allowed_hosts, allowed_hosts => $allowed_hosts,
} }
::Openstacklib::Db::Mysql['keystone'] ~> Exec<| title == 'keystone-manage db_sync' |> Anchor['keystone::db::begin']
~> Class['keystone::db::mysql']
~> Anchor['keystone::db::end']
} }

7
manifests/db/postgresql.pp
View File

@ -42,7 +42,7 @@ class keystone::db::postgresql(
$privileges = 'ALL', $privileges = 'ALL',
) { ) {
Class['keystone::db::postgresql'] -> Service<| title == 'keystone' |> include ::keystone::deps
::openstacklib::db::postgresql { 'keystone': ::openstacklib::db::postgresql { 'keystone':
password_hash => postgresql_password($user, $password), password_hash => postgresql_password($user, $password),
@ -52,6 +52,7 @@ class keystone::db::postgresql(
privileges => $privileges, privileges => $privileges,
} }
::Openstacklib::Db::Postgresql['keystone'] ~> Exec<| title == 'keystone-manage db_sync' |> Anchor['keystone::db::begin']
~> Class['keystone::db::postgresql']
~> Anchor['keystone::db::end']
} }

15
manifests/db/sync.pp
View File

@ -11,15 +11,22 @@
# Defaults to '' # Defaults to ''
# #
class keystone::db::sync( class keystone::db::sync(
$extra_params = undef, $extra_params = undef,
) { ) {
include ::keystone::deps
exec { 'keystone-manage db_sync': exec { 'keystone-manage db_sync':
command => "keystone-manage ${extra_params} db_sync", command => "keystone-manage ${extra_params} db_sync",
path => '/usr/bin', path => '/usr/bin',
user => 'keystone', user => 'keystone',
refreshonly => true, refreshonly => true,
subscribe => [Package['keystone'], Keystone_config['database/connection']], subscribe => [
Anchor['keystone::install::end'],
Anchor['keystone::config::end'],
Anchor['keystone::dbsync::begin']
],
notify => Anchor['keystone::dbsync::end'],
tag => 'keystone-exec',
} }
Exec['keystone-manage db_sync'] ~> Service<| title == 'keystone' |>
} }

74
manifests/deps.pp Normal file
View File

@ -0,0 +1,74 @@
# == Class: keystone::deps
#
# keystone anchors and dependency management
#
class keystone::deps {
# Setup anchors for install, config and service phases of the module. These
# anchors allow external modules to hook the begin and end of any of these
# phases. Package or service management can also be replaced by ensuring the
# package is absent or turning off service management and having the
# replacement depend on the appropriate anchors. When applicable, end tags
# should be notified so that subscribers can determine if installation,
# config or service state changed and act on that if needed.
anchor { 'keystone::install::begin': }
-> Package<| tag == 'keystone-package'|>
~> anchor { 'keystone::install::end': }
-> anchor { 'keystone::config::begin': }
-> Keystone_config<||>
~> anchor { 'keystone::config::end': }
-> anchor { 'keystone::db::begin': }
-> anchor { 'keystone::db::end': }
~> anchor { 'keystone::dbsync::begin': }
-> anchor { 'keystone::dbsync::end': }
~> anchor { 'keystone::service::begin': }
~> Service<| tag == 'keystone-service' |>
~> anchor { 'keystone::service::end': }
# paste-api.ini config should occur in the config block also.
Anchor['keystone::config::begin']
-> Keystone_paste_ini<||>
~> Anchor['keystone::config::end']
# policy config should occur in the config block also.
Anchor['keystone::config::begin']
-> Openstacklib::Policy::Base<||>
~> Anchor['keystone::config::end']
# Support packages need to be installed in the install phase, but we don't
# put them in the chain above because we don't want any false dependencies
# between packages with the keystone-package tag and the keystone-support-package
# tag. Note: the package resources here will have a 'before' relationshop on
# the keystone::install::end anchor. The line between keystone-support-package and
# keystone-package should be whether or not keystone services would need to be
# restarted if the package state was changed.
Anchor['keystone::install::begin']
-> Package<| tag == 'keystone-support-package'|>
-> Anchor['keystone::install::end']
# We need openstackclient before marking service end so that keystone
# will have clients available to create resources. This tag handles the
# openstackclient but indirectly since the client is not available in
# all catalogs that don't need the client class (like many spec tests)
Package<| tag == 'openstack'|>
~> Anchor['keystone::service::end']
# The following resources need to be provisioned after the service is up.
Anchor['keystone::service::end']
-> Keystone_domain<||>
Anchor['keystone::service::end']
-> Keystone_endpoint<||>
Anchor['keystone::service::end']
-> Keystone_role<||>
Anchor['keystone::service::end']
-> Keystone_service<||>
Anchor['keystone::service::end']
-> Keystone_tenant<||>
Anchor['keystone::service::end']
-> Keystone_user<||>
Anchor['keystone::service::end']
-> Keystone_user_role<||>
# Installation or config changes will always restart services.
Anchor['keystone::install::end'] ~> Anchor['keystone::service::begin']
Anchor['keystone::config::end'] ~> Anchor['keystone::service::begin']
}

2
manifests/endpoint.pp
View File

@ -62,6 +62,8 @@ class keystone::endpoint (
$version = 'unset', # defaults to 'v2.0' if unset by user $version = 'unset', # defaults to 'v2.0' if unset by user
) { ) {
include ::keystone::deps
if $version == 'unset' { if $version == 'unset' {
# $version will be set to empty '' once tempest & all openstack clients # $version will be set to empty '' once tempest & all openstack clients
# actually support versionless endpoints. # actually support versionless endpoints.

26
manifests/federation/identity_provider.pp
View File

@ -63,6 +63,11 @@
# (Optional) User with access to keystone files. (string value) # (Optional) User with access to keystone files. (string value)
# Defaults to 'keystone'. # Defaults to 'keystone'.
# #
# [*package_ensure*]
# (optional) Desired ensure state of packages.
# accepts latest or specific versions.
# Defaults to present.
#
# == Dependencies # == Dependencies
# == Examples # == Examples
# == Authors # == Authors
@ -89,7 +94,10 @@ class keystone::federation::identity_provider(
$idp_contact_email = undef, $idp_contact_email = undef,
$idp_contact_telephone = undef, $idp_contact_telephone = undef,
$idp_contact_type = undef, $idp_contact_type = undef,
$package_ensure = present,
) { ) {
include ::keystone::deps
include ::keystone::params include ::keystone::params
if $::keystone::service_name != 'httpd' { if $::keystone::service_name != 'httpd' {
@ -97,7 +105,8 @@ class keystone::federation::identity_provider(
} }
ensure_packages(['xmlsec1','python-pysaml2'], { ensure_packages(['xmlsec1','python-pysaml2'], {
ensure => present ensure => $package_ensure,
tag => 'keystone-support-package',
}) })
keystone_config { keystone_config {
@ -125,12 +134,13 @@ class keystone::federation::identity_provider(
} }
exec {'saml_idp_metadata': exec {'saml_idp_metadata':
path => '/usr/bin', path => '/usr/bin',
user => "${user}", user => "${user}",
command => "keystone-manage saml_idp_metadata > ${idp_metadata_path}", command => "keystone-manage saml_idp_metadata > ${idp_metadata_path}",
creates => $idp_metadata_path, creates => $idp_metadata_path,
notify => Service[$::keystone::params::service_name], subscribe => Anchor['keystone::config::end'],
subscribe => Package['keystone'], notify => Anchor['keystone::service::end'],
tag => 'keystone-exec',
} }
file { $idp_metadata_path: file { $idp_metadata_path:
@ -139,6 +149,4 @@ class keystone::federation::identity_provider(
owner => "${user}", owner => "${user}",
} }
Keystone_config<||> -> Exec<| title == 'saml_idp_metadata'|>
} }

10
manifests/federation/mellon.pp
View File

@ -41,6 +41,11 @@
# The value 999 corresponds to the order for concat::fragment "${name}-file_footer". # The value 999 corresponds to the order for concat::fragment "${name}-file_footer".
# (Optional) Defaults to 331. # (Optional) Defaults to 331.
# #
# [*package_ensure*]
# (optional) Desired ensure state of packages.
# accepts latest or specific versions.
# Defaults to present.
#
class keystone::federation::mellon ( class keystone::federation::mellon (
$methods, $methods,
$idp_name, $idp_name,
@ -49,9 +54,11 @@ class keystone::federation::mellon (
$main_port = true, $main_port = true,
$module_plugin = 'keystone.auth.plugins.mapped.Mapped', $module_plugin = 'keystone.auth.plugins.mapped.Mapped',
$template_order = 331, $template_order = 331,
$package_ensure = present,
) { ) {
include ::apache include ::apache
include ::keystone::deps
include ::keystone::params include ::keystone::params
# Note: if puppet-apache modify these values, this needs to be updated # Note: if puppet-apache modify these values, this needs to be updated
@ -84,7 +91,8 @@ class keystone::federation::mellon (
} }
ensure_packages([$::keystone::params::mellon_package_name], { ensure_packages([$::keystone::params::mellon_package_name], {
ensure => present ensure => $package_ensure,
tag => 'keystone-support-package',
}) })
if $admin_port { if $admin_port {

1
manifests/federation/shibboleth.pp
View File

@ -69,6 +69,7 @@ class keystone::federation::shibboleth(
) { ) {
include ::apache include ::apache
include ::keystone::deps
# Note: if puppet-apache modify these values, this needs to be updated # Note: if puppet-apache modify these values, this needs to be updated
if $template_order <= 330 or $template_order >= 999 { if $template_order <= 330 or $template_order >= 999 {

37
manifests/init.pp
View File

@ -625,6 +625,7 @@ class keystone(
$public_workers = max($::processorcount, 2), $public_workers = max($::processorcount, 2),
) inherits keystone::params { ) inherits keystone::params {
include ::keystone::deps
include ::keystone::logging include ::keystone::logging
if ! $catalog_driver { if ! $catalog_driver {
@ -651,12 +652,6 @@ class keystone(
} }
} }
Keystone_config<||> ~> Service[$service_name]
Keystone_config<||> ~> Exec<| title == 'keystone-manage bootstrap'|>
Keystone_config<||> ~> Exec<| title == 'keystone-manage db_sync'|>
Keystone_config<||> ~> Exec<| title == 'keystone-manage pki_setup'|>
Keystone_config<||> ~> Exec<| title == 'keystone-manage fernet_setup'|>
include ::keystone::db include ::keystone::db
include ::keystone::params include ::keystone::params
@ -692,6 +687,7 @@ class keystone(
package { 'python-memcache': package { 'python-memcache':
ensure => present, ensure => present,
name => $::keystone::params::python_memcache_package_name, name => $::keystone::params::python_memcache_package_name,
tag => ['openstack', 'keystone-package'],
} }
} }
@ -725,7 +721,7 @@ class keystone(
} }
if !is_service_default($memcache_servers) or !is_service_default($cache_memcache_servers) { if !is_service_default($memcache_servers) or !is_service_default($cache_memcache_servers) {
Service<| title == 'memcached' |> -> Service['keystone'] Service<| title == 'memcached' |> -> Anchor['keystone::service::begin']
} }
# TODO(aschultz): remove in N cycle # TODO(aschultz): remove in N cycle
@ -801,8 +797,9 @@ class keystone(
path => '/usr/bin', path => '/usr/bin',
refreshonly => true, refreshonly => true,
creates => $signing_keyfile, creates => $signing_keyfile,
notify => Service[$service_name], notify => Anchor['keystone::service::begin'],
subscribe => Package['keystone'], subscribe => [Anchor['keystone::install::end'], Anchor['keystone::config::end']],
tag => 'keystone-exec',
} }
} }
@ -909,14 +906,15 @@ class keystone(
validate => false, validate => false,
} }
$service_name_real = $::apache::params::service_name $service_name_real = $::apache::params::service_name
Service['keystone'] -> Service[$service_name_real] # leave this here because Ubuntu packages will start Keystone and we need it stopped
# before apache can run
Service['keystone'] -> Service[$service_name_real]
} else { } else {
fail('Invalid service_name. Either keystone/openstack-keystone for running as a standalone service, or httpd for being run by a httpd server') fail('Invalid service_name. Either keystone/openstack-keystone for running as a standalone service, or httpd for being run by a httpd server')
} }
if $sync_db { if $sync_db {
include ::keystone::db::sync include ::keystone::db::sync
Class['::keystone::db::sync'] ~> Service[$service_name]
} }
# Fernet tokens support # Fernet tokens support
@ -927,8 +925,9 @@ class keystone(
path => '/usr/bin', path => '/usr/bin',
refreshonly => true, refreshonly => true,
creates => "${fernet_key_repository}/0", creates => "${fernet_key_repository}/0",
notify => Service[$service_name], notify => Anchor['keystone::service::begin'],
subscribe => [Package['keystone'], Keystone_config['fernet_tokens/key_repository']], subscribe => [Anchor['keystone::install::end'], Anchor['keystone::config::end']],
tag => 'keystone-exec',
} }
} }
@ -979,13 +978,16 @@ class keystone(
} }
if $enable_bootstrap { if $enable_bootstrap {
# this requires the database to be up and running and configured
# and is only run once, so we don't need to notify the service
exec { 'keystone-manage bootstrap': exec { 'keystone-manage bootstrap':
command => "keystone-manage bootstrap --bootstrap-password ${admin_token}", command => "keystone-manage bootstrap --bootstrap-password ${admin_token}",
path => '/usr/bin', path => '/usr/bin',
refreshonly => true, refreshonly => true,
notify => Anchor['keystone::service::begin'],
subscribe => Anchor['keystone::dbsync::end'],
tag => 'keystone-exec',
} }
Exec<| title == 'keystone-manage db_sync'|> ~> Exec<| title == 'keystone-manage bootstrap'|>
Exec['keystone-manage bootstrap'] ~> Service<| title == 'keystone' |>
} }
if $using_domain_config { if $using_domain_config {
@ -1002,7 +1004,7 @@ class keystone(
group => 'keystone', group => 'keystone',
mode => '0750', mode => '0750',
notify => Service[$service_name], notify => Service[$service_name],
require => Package['keystone'], require => Anchor['keystone::install::end'],
} }
} }
# Here we want the creation to fail if the user has created those # Here we want the creation to fail if the user has created those
@ -1019,7 +1021,4 @@ class keystone(
{'value' => $domain_config_directory} {'value' => $domain_config_directory}
) )
} }
anchor { 'keystone_started':
require => Service[$service_name]
}
} }

13
manifests/ldap.pp
View File

@ -356,6 +356,11 @@
# End user auth connection lifetime in seconds. (integer value) # End user auth connection lifetime in seconds. (integer value)
# Defaults to '60' # Defaults to '60'
# #
# [*package_ensure*]
# (optional) Desired ensure state of packages.
# accepts latest or specific versions.
# Defaults to present.
#
# === DEPRECATED group/name # === DEPRECATED group/name
# #
# == Dependencies # == Dependencies
@ -450,12 +455,14 @@ class keystone::ldap(
$use_auth_pool = false, $use_auth_pool = false,
$auth_pool_size = 100, $auth_pool_size = 100,
$auth_pool_connection_lifetime = 60, $auth_pool_connection_lifetime = 60,
$package_ensure = present,
) { ) {
include ::keystone::deps
$ldap_packages = ['python-ldap', 'python-ldappool'] $ldap_packages = ['python-ldap', 'python-ldappool']
package { $ldap_packages: ensure_resource('package', $ldap_packages, { ensure => $package_ensure,
ensure => present, tag => 'keystone-package' })
}
if ($tls_cacertdir != undef) { if ($tls_cacertdir != undef) {
file { $tls_cacertdir: file { $tls_cacertdir:

12
manifests/ldap_backend.pp
View File

@ -359,6 +359,11 @@
# End user auth connection lifetime in seconds. (integer value) # End user auth connection lifetime in seconds. (integer value)
# Defaults to '60' # Defaults to '60'
# #
# [*package_ensure*]
# (optional) Desired ensure state of packages.
# accepts latest or specific versions.
# Defaults to present.
#
# === DEPRECATED group/name # === DEPRECATED group/name
# #
# == Dependencies # == Dependencies
@ -444,8 +449,11 @@ define keystone::ldap_backend(
$use_auth_pool = false, $use_auth_pool = false,
$auth_pool_size = 100, $auth_pool_size = 100,
$auth_pool_connection_lifetime = 60, $auth_pool_connection_lifetime = 60,
$package_ensure = present,
) { ) {
include ::keystone::deps
$domain_enabled = getparam(Keystone_config['identity/domain_specific_drivers_enabled'], 'value') $domain_enabled = getparam(Keystone_config['identity/domain_specific_drivers_enabled'], 'value')
$domain_dir_enabled = getparam(Keystone_config['identity/domain_config_dir'], 'value') $domain_dir_enabled = getparam(Keystone_config['identity/domain_config_dir'], 'value')
$err_msg = "You should add \"using_domain_config => true\" parameter to your Keystone class, got \"${domain_enabled}\" for identity/domain_specific_drivers_enabled and \"${domain_dir_enabled}\" for identity/domain_config_dir" $err_msg = "You should add \"using_domain_config => true\" parameter to your Keystone class, got \"${domain_enabled}\" for identity/domain_specific_drivers_enabled and \"${domain_dir_enabled}\" for identity/domain_config_dir"
@ -468,8 +476,8 @@ define keystone::ldap_backend(
$ldap_packages = ['python-ldap', 'python-ldappool'] $ldap_packages = ['python-ldap', 'python-ldappool']
ensure_resource('package', $ldap_packages, { ensure_resource('package', $ldap_packages, {
ensure => present, ensure => $package_ensure,
require => Package['keystone'], tag => ['openstack', 'keystone-package'],
}) })
if ($tls_cacertdir != undef) { if ($tls_cacertdir != undef) {

2
manifests/logging.pp
View File

@ -118,6 +118,8 @@ class keystone::logging(
$log_date_format = $::os_service_default, $log_date_format = $::os_service_default,
) { ) {
include ::keystone::deps
# NOTE(spredzy): In order to keep backward compatibility we rely on the pick function # NOTE(spredzy): In order to keep backward compatibility we rely on the pick function
# to use keystone::<myparam> first then keystone::logging::<myparam>. # to use keystone::<myparam> first then keystone::logging::<myparam>.
$use_syslog_real = pick($::keystone::use_syslog,$use_syslog) $use_syslog_real = pick($::keystone::use_syslog,$use_syslog)

2
manifests/policy.pp
View File

@ -28,6 +28,8 @@ class keystone::policy (
$policy_path = '/etc/keystone/policy.json', $policy_path = '/etc/keystone/policy.json',
) { ) {
include ::keystone::deps
validate_hash($policies) validate_hash($policies)
Openstacklib::Policy::Base { Openstacklib::Policy::Base {

2
manifests/resource/authtoken.pp
View File

@ -160,6 +160,8 @@ define keystone::resource::authtoken(
$insecure = false, $insecure = false,
) { ) {
include ::keystone::deps
if !$project_name and !$project_id and !$domain_name and !$domain_id { if !$project_name and !$project_id and !$domain_name and !$domain_id {
fail('Must specify either a project (project_name or project_id, for a project scoped token) or a domain (domain_name or domain_id, for a domain scoped token)') fail('Must specify either a project (project_name or project_id, for a project scoped token) or a domain (domain_name or domain_id, for a domain scoped token)')
} }

3
manifests/resource/service_identity.pp
View File

@ -125,6 +125,9 @@ define keystone::resource::service_identity(
$project_domain = undef, $project_domain = undef,
$default_domain = undef, $default_domain = undef,
) { ) {
include ::keystone::deps
if $service_name == undef { if $service_name == undef {
$service_name_real = $auth_name $service_name_real = $auth_name
} else { } else {

4
manifests/roles/admin.pp
View File

@ -87,6 +87,8 @@ class keystone::roles::admin(
$service_project_domain = undef, $service_project_domain = undef,
) { ) {
include ::keystone::deps
$domains = unique(delete_undef_values([ $admin_user_domain, $admin_project_domain, $service_project_domain])) $domains = unique(delete_undef_values([ $admin_user_domain, $admin_project_domain, $service_project_domain]))
keystone_domain { $domains: keystone_domain { $domains:
ensure => present, ensure => present,
@ -99,12 +101,14 @@ class keystone::roles::admin(
description => $service_tenant_desc, description => $service_tenant_desc,
domain => $service_project_domain, domain => $service_project_domain,
} }
keystone_tenant { $admin_tenant: keystone_tenant { $admin_tenant:
ensure => present, ensure => present,
enabled => true, enabled => true,
description => $admin_tenant_desc, description => $admin_tenant_desc,
domain => $admin_project_domain, domain => $admin_project_domain,
} }
keystone_role { 'admin': keystone_role { 'admin':
ensure => present, ensure => present,
} }

11
manifests/service.pp
View File

@ -78,6 +78,8 @@ class keystone::service(
$insecure = false, $insecure = false,
$cacert = undef, $cacert = undef,
) { ) {
include ::keystone::deps
include ::keystone::params include ::keystone::params
service { 'keystone': service { 'keystone':
@ -112,13 +114,8 @@ class keystone::service(
subscribe => Service['keystone'], subscribe => Service['keystone'],
refreshonly => true, refreshonly => true,
tries => $retries, tries => $retries,
try_sleep => $delay try_sleep => $delay,
notify => Anchor['keystone::service::end'],
} }
Exec['validate_keystone_connection'] -> Keystone_user<||>
Exec['validate_keystone_connection'] -> Keystone_role<||>
Exec['validate_keystone_connection'] -> Keystone_tenant<||>
Exec['validate_keystone_connection'] -> Keystone_service<||>
Exec['validate_keystone_connection'] -> Keystone_endpoint<||>
} }
} }

33
manifests/wsgi/apache.pp
View File

@ -172,6 +172,7 @@ class keystone::wsgi::apache (
$vhost_custom_fragment = undef, $vhost_custom_fragment = undef,
) { ) {
include ::keystone::deps
include ::keystone::params include ::keystone::params
include ::apache include ::apache
include ::apache::mod::wsgi include ::apache::mod::wsgi
@ -179,15 +180,25 @@ class keystone::wsgi::apache (
include ::apache::mod::ssl include ::apache::mod::ssl
} }
Package['keystone'] -> Package['httpd'] # The httpd package is untagged, but needs to have ordering enforced,
Package['keystone'] ~> Service['httpd'] # so handle it here rather than in the deps class.
Keystone_config <| |> ~> Service['httpd'] Anchor['keystone::install::begin']
Service['httpd'] -> Keystone_endpoint <| |> -> Package['httpd']
Service['httpd'] -> Keystone_role <| |> -> Anchor['keystone::install::end']
Service['httpd'] -> Keystone_service <| |>
Service['httpd'] -> Keystone_tenant <| |> # Configure apache during the config phase
Service['httpd'] -> Keystone_user <| |> Anchor['keystone::config::begin']
Service['httpd'] -> Keystone_user_role <| |> -> Apache::Vhost<||>
~> Anchor['keystone::config::end']
# Start the service during the service phase
Anchor['keystone::service::begin']
-> Service['httpd']
-> Anchor['keystone::service::end']
# Notify the service when config changes
Anchor['keystone::config::end']
~> Service['httpd']
## Sanitize parameters ## Sanitize parameters
@ -204,7 +215,7 @@ class keystone::wsgi::apache (
ensure => directory, ensure => directory,
owner => 'keystone', owner => 'keystone',
group => 'keystone', group => 'keystone',
require => Package['httpd'], require => Anchor['keystone::install::end'],
} }
$wsgi_files = { $wsgi_files = {
@ -221,7 +232,7 @@ class keystone::wsgi::apache (
'owner' => 'keystone', 'owner' => 'keystone',
'group' => 'keystone', 'group' => 'keystone',
'mode' => '0644', 'mode' => '0644',
'require' => [File[$::keystone::params::keystone_wsgi_script_path], Package['keystone']], 'require' => File[$::keystone::params::keystone_wsgi_script_path],
} }
$wsgi_script_source_real = $wsgi_script_source ? { $wsgi_script_source_real = $wsgi_script_source ? {

2
spec/classes/keystone_db_spec.rb
View File

@ -92,7 +92,7 @@ describe 'keystone::db' do
is_expected.to contain_package('keystone-backend-package').with( is_expected.to contain_package('keystone-backend-package').with(
:ensure => 'present', :ensure => 'present',
:name => 'python-pymysql', :name => 'python-pymysql',
:tag => 'openstack' :tag => ['openstack', 'keystone-package']
) )
end end
end end

12
spec/classes/keystone_db_sync_spec.rb
View File

@ -6,9 +6,11 @@ describe 'keystone::db::sync' do
it { it {
is_expected.to contain_exec('keystone-manage db_sync').with( is_expected.to contain_exec('keystone-manage db_sync').with(
:command => 'keystone-manage db_sync', :command => 'keystone-manage db_sync',
:user => 'keystone',
:refreshonly => true, :refreshonly => true,
:subscribe => ['Package[keystone]', 'Keystone_config[database/connection]'], :subscribe => ['Anchor[keystone::install::end]',
'Anchor[keystone::config::end]',
'Anchor[keystone::dbsync::begin]'],
:notify => 'Anchor[keystone::dbsync::end]',
) )
} }
end end
@ -23,9 +25,11 @@ describe 'keystone::db::sync' do
it { it {
is_expected.to contain_exec('keystone-manage db_sync').with( is_expected.to contain_exec('keystone-manage db_sync').with(
:command => 'keystone-manage --config-file /etc/keystone/keystone.conf db_sync', :command => 'keystone-manage --config-file /etc/keystone/keystone.conf db_sync',
:user => 'keystone',
:refreshonly => true, :refreshonly => true,
:subscribe => ['Package[keystone]', 'Keystone_config[database/connection]'], :subscribe => ['Anchor[keystone::install::end]',
'Anchor[keystone::config::end]',
'Anchor[keystone::dbsync::begin]'],
:notify => 'Anchor[keystone::dbsync::end]',
) )
} }
end end

17
spec/classes/keystone_deps_spec.rb Normal file
View File

@ -0,0 +1,17 @@
require 'spec_helper'
describe 'keystone::deps' do
it 'set up the anchors' do
is_expected.to contain_anchor('keystone::install::begin')
is_expected.to contain_anchor('keystone::install::end')
is_expected.to contain_anchor('keystone::config::begin')
is_expected.to contain_anchor('keystone::config::end')
is_expected.to contain_anchor('keystone::db::begin')
is_expected.to contain_anchor('keystone::db::end')
is_expected.to contain_anchor('keystone::dbsync::begin')
is_expected.to contain_anchor('keystone::dbsync::end')
is_expected.to contain_anchor('keystone::service::begin')
is_expected.to contain_anchor('keystone::service::end')
end
end

13
spec/classes/keystone_spec.rb
View File

@ -133,7 +133,10 @@ describe 'keystone' do
:command => 'keystone-manage db_sync', :command => 'keystone-manage db_sync',
:user => 'keystone', :user => 'keystone',
:refreshonly => true, :refreshonly => true,
:subscribe => ['Package[keystone]', 'Keystone_config[database/connection]'], :subscribe => ['Anchor[keystone::install::end]',
'Anchor[keystone::config::end]',
'Anchor[keystone::dbsync::begin]'],
:notify => 'Anchor[keystone::dbsync::end]',
) )
end end
end end
@ -262,7 +265,7 @@ describe 'keystone' do
'tag' => 'keystone-service', 'tag' => 'keystone-service',
) } ) }
it { is_expected.to contain_anchor('keystone_started') } it { is_expected.to contain_anchor('keystone::service::end') }
end end
end end
@ -273,7 +276,7 @@ describe 'keystone' do
end end
let :pre_condition do let :pre_condition do
'include ::apache' 'include ::keystone::wsgi::apache'
end end
it_configures 'core keystone examples', httpd_params it_configures 'core keystone examples', httpd_params
@ -290,7 +293,7 @@ describe 'keystone' do
'enable' => false, 'enable' => false,
'validate' => false 'validate' => false
)} )}
it { is_expected.to contain_service('keystone').with_before(/Service\[#{platform_parameters[:httpd_service_name]}\]/) } it { is_expected.to contain_service('httpd').with_before(/Anchor\[keystone::service::end\]/) }
it { is_expected.to contain_exec('restart_keystone').with( it { is_expected.to contain_exec('restart_keystone').with(
'command' => "service #{platform_parameters[:httpd_service_name]} restart", 'command' => "service #{platform_parameters[:httpd_service_name]} restart",
) } ) }
@ -315,7 +318,7 @@ describe 'keystone' do
'hasstatus' => true, 'hasstatus' => true,
'hasrestart' => true 'hasrestart' => true
) } ) }
it { is_expected.to contain_anchor('keystone_started') } it { is_expected.to contain_anchor('keystone::service::end') }
end end
describe 'when configuring signing token provider' do describe 'when configuring signing token provider' do

10
spec/classes/keystone_wsgi_apache_spec.rb
View File

@ -29,7 +29,7 @@ describe 'keystone::wsgi::apache' do
'ensure' => 'directory', 'ensure' => 'directory',
'owner' => 'keystone', 'owner' => 'keystone',
'group' => 'keystone', 'group' => 'keystone',
'require' => 'Package[httpd]' 'require' => 'Anchor[keystone::install::end]',
)} )}
it { is_expected.to contain_file('keystone_wsgi_admin').with( it { is_expected.to contain_file('keystone_wsgi_admin').with(
@ -39,7 +39,7 @@ describe 'keystone::wsgi::apache' do
'owner' => 'keystone', 'owner' => 'keystone',
'group' => 'keystone', 'group' => 'keystone',
'mode' => '0644', 'mode' => '0644',
'require' => ["File[#{platform_parameters[:wsgi_script_path]}]", "Package[keystone]"] 'require' => "File[#{platform_parameters[:wsgi_script_path]}]",
)} )}
it { is_expected.to contain_file('keystone_wsgi_main').with( it { is_expected.to contain_file('keystone_wsgi_main').with(
@ -49,7 +49,7 @@ describe 'keystone::wsgi::apache' do
'owner' => 'keystone', 'owner' => 'keystone',
'group' => 'keystone', 'group' => 'keystone',
'mode' => '0644', 'mode' => '0644',
'require' => ["File[#{platform_parameters[:wsgi_script_path]}]", "Package[keystone]"] 'require' => "File[#{platform_parameters[:wsgi_script_path]}]",
)} )}
it { is_expected.to contain_apache__vhost('keystone_wsgi_admin').with( it { is_expected.to contain_apache__vhost('keystone_wsgi_admin').with(
@ -282,7 +282,7 @@ describe 'keystone::wsgi::apache' do
'owner' => 'keystone', 'owner' => 'keystone',
'group' => 'keystone', 'group' => 'keystone',
'mode' => '0644', 'mode' => '0644',
'require' => ["File[#{platform_parameters[:wsgi_script_path]}]", "Package[keystone]"] 'require' => "File[#{platform_parameters[:wsgi_script_path]}]",
)} )}
it { is_expected.to contain_file('keystone_wsgi_main').with( it { is_expected.to contain_file('keystone_wsgi_main').with(
@ -292,7 +292,7 @@ describe 'keystone::wsgi::apache' do
'owner' => 'keystone', 'owner' => 'keystone',
'group' => 'keystone', 'group' => 'keystone',
'mode' => '0644', 'mode' => '0644',
'require' => ["File[#{platform_parameters[:wsgi_script_path]}]", "Package[keystone]"] 'require' => "File[#{platform_parameters[:wsgi_script_path]}]",
)} )}
end end