Merge "Add missing puppetdoc and lint all parameter documentation"

Jenkins 2015-03-15 20:41:39 +00:00 committed by Gerrit Code Review
commit a687f5d0e0
13 changed files with 836 additions and 297 deletions


@ -2,7 +2,7 @@ source ''
group :development, :test do
gem 'puppetlabs_spec_helper', :require => false
gem 'puppet-lint', '~> 0.3.2'
gem 'puppet-lint-param-docs'
gem 'rspec-puppet', '~> 1.0.1'
gem 'rake', '10.1.1'
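Review bot: The new `gem 'puppet-lint-param-docs'` line is the only entry in this group with no version constraint, while its neighbours are pinned (`'~> 0.3.2'`, `'~> 1.0.1'`, `'10.1.1'`). An unpinned lint plugin resolves to whatever is newest at bundle time, so a later plugin release that targets a different puppet-lint can break the test run or pull unreviewed code into CI without any change to this repository. Pin it to the release that was validated against puppet-lint 0.3.x, e.g. `gem 'puppet-lint-param-docs', '~> X.Y'`, with X.Y filled in from the version used when this commit was tested. The removed line of this 7/7 hunk is not visible on the rendered page, so I cannot tell whether another pin was dropped at the same time.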


@ -16,57 +16,57 @@ class { 'keystone::roles::admin':
# "uid=bind,cn=users,cn=accounts,dc=example,dc=com" -w SecretPass \
# -b cn=users,cn=accounts,dc=example,dc=com
class { 'keystone:ldap':
url => 'ldap://',
user => 'uid=bind,cn=users,cn=accounts,dc=example,dc=com',
password => 'SecretPass',
suffix => 'dc=example,dc=com',
query_scope => 'sub',
user_tree_dn => 'cn=users,cn=accounts,dc=example,dc=com',
user_id_attribute => 'uid',
user_name_attribute => 'uid',
user_mail_attribute => 'mail',
user_allow_create => 'False',
user_allow_update => 'False',
user_allow_delete => 'False',
user_enabled_emulation => 'True',
user_enabled_emulation_dn => 'cn=openstack-enabled,cn=groups,cn=accounts,dc=example,dc=com',
group_tree_dn => 'ou=groups,ou=openstack,dc=example,dc=com',
group_objectclass => 'organizationalRole',
group_id_attribute => 'cn',
group_name_attribute => 'cn',
group_member_attribute => 'RoleOccupant',
group_desc_attribute => 'description',
group_allow_create => 'True',
group_allow_update => 'True',
group_allow_delete => 'True',
project_tree_dn => 'ou=projects,ou=openstack,dc=example,dc=com',
project_objectclass => 'organizationalUnit',
project_id_attribute => 'ou',
project_member_attribute => 'member',
project_name_attribute => 'ou',
project_desc_attribute => 'description',
project_allow_create => 'True',
project_allow_update => 'True',
project_allow_delete => 'True',
project_enabled_emulation => 'True',
project_enabled_emulation_dn=> 'cn=enabled,ou=openstack,dc=example,dc=com',
role_tree_dn => 'ou=roles,ou=openstack,dc=example,dc=com',
role_objectclass => 'organizationalRole',
role_id_attribute => 'cn',
role_name_attribute => 'cn',
role_member_attribute => 'roleOccupant',
role_allow_create => 'True',
role_allow_update => 'True',
role_allow_delete => 'True',
identity_driver => 'keystone.identity.backends.ldap.Identity',
assignment_driver => 'keystone.assignment.backends.ldap.Assignment',
use_tls => 'True',
tls_cacertfile => '/etc/ssl/certs/ca-certificates.crt',
tls_req_cert => 'demand',
use_pool => 'True',
use_auth_pool => 'True',
pool_size => 5,
auth_pool_size => 5,
pool_retry_max => 3,
pool_connection_timeout => 120,
url => 'ldap://',
user => 'uid=bind,cn=users,cn=accounts,dc=example,dc=com',
password => 'SecretPass',
suffix => 'dc=example,dc=com',
query_scope => 'sub',
user_tree_dn => 'cn=users,cn=accounts,dc=example,dc=com',
user_id_attribute => 'uid',
user_name_attribute => 'uid',
user_mail_attribute => 'mail',
user_allow_create => 'False',
user_allow_update => 'False',
user_allow_delete => 'False',
user_enabled_emulation => 'True',
user_enabled_emulation_dn => 'cn=openstack-enabled,cn=groups,cn=accounts,dc=example,dc=com',
group_tree_dn => 'ou=groups,ou=openstack,dc=example,dc=com',
group_objectclass => 'organizationalRole',
group_id_attribute => 'cn',
group_name_attribute => 'cn',
group_member_attribute => 'RoleOccupant',
group_desc_attribute => 'description',
group_allow_create => 'True',
group_allow_update => 'True',
group_allow_delete => 'True',
project_tree_dn => 'ou=projects,ou=openstack,dc=example,dc=com',
project_objectclass => 'organizationalUnit',
project_id_attribute => 'ou',
project_member_attribute => 'member',
project_name_attribute => 'ou',
project_desc_attribute => 'description',
project_allow_create => 'True',
project_allow_update => 'True',
project_allow_delete => 'True',
project_enabled_emulation => 'True',
project_enabled_emulation_dn => 'cn=enabled,ou=openstack,dc=example,dc=com',
role_tree_dn => 'ou=roles,ou=openstack,dc=example,dc=com',
role_objectclass => 'organizationalRole',
role_id_attribute => 'cn',
role_name_attribute => 'cn',
role_member_attribute => 'roleOccupant',
role_allow_create => 'True',
role_allow_update => 'True',
role_allow_delete => 'True',
identity_driver => 'keystone.identity.backends.ldap.Identity',
assignment_driver => 'keystone.assignment.backends.ldap.Assignment',
use_tls => 'True',
tls_cacertfile => '/etc/ssl/certs/ca-certificates.crt',
tls_req_cert => 'demand',
use_pool => 'True',
use_auth_pool => 'True',
pool_size => 5,
auth_pool_size => 5,
pool_retry_max => 3,
pool_connection_timeout => 120,
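Review bot: The example declares `class { 'keystone:ldap':` (single colon) on the context line above the realigned parameters, which is not the `keystone::ldap` class this commit documents; compiling the example as written fails to find the class. The commit only realigns the `=>` columns in this block and leaves the name untouched, so the one-character fix is `class { 'keystone::ldap':`. The example also carries a literal bind credential, `password => 'SecretPass'`; a short comment telling readers to supply it from Hiera/eyaml rather than copy the literal would match the spirit of the `ldapsearch` header. The class body continues past the last line of this hunk.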


@ -12,17 +12,17 @@ class { 'keystone::roles::admin':
# This was tested against a FreeIPA box, you will likely need to change the
# attributes to match your configuration.
class { 'keystone:ldap':
identity_driver => 'keystone.identity.backends.ldap.Identity',
url => 'ldap://',
user => 'uid=bind,cn=users,cn=accounts,dc=example,dc=com',
password => 'SecretPass',
suffix => 'dc=example,dc=com',
query_scope => 'sub',
user_tree_dn => 'cn=users,cn=accounts,dc=example,dc=com',
user_id_attribute => 'uid',
user_name_attribute => 'uid',
user_mail_attribute => 'mail',
user_allow_create => 'False',
user_allow_update => 'False',
user_allow_delete => 'False'
identity_driver => 'keystone.identity.backends.ldap.Identity',
url => 'ldap://',
user => 'uid=bind,cn=users,cn=accounts,dc=example,dc=com',
password => 'SecretPass',
suffix => 'dc=example,dc=com',
query_scope => 'sub',
user_tree_dn => 'cn=users,cn=accounts,dc=example,dc=com',
user_id_attribute => 'uid',
user_name_attribute => 'uid',
user_mail_attribute => 'mail',
user_allow_create => 'False',
user_allow_update => 'False',
user_allow_delete => 'False'
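Review bot: Same defect as in ldap_full.pp: the context line `class { 'keystone:ldap':` uses a single colon and will not resolve to `keystone::ldap`; change it to `class { 'keystone::ldap':`. Unlike the full example, this one sets neither `use_tls` nor `tls_req_cert`, so with a plain `ldap://` URL the bind `password` travels in cleartext; a one-line comment pointing readers to ldap_full.pp for the TLS settings would be a cheap safeguard. The class body continues past the last line of this hunk.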


@ -5,7 +5,8 @@
# === Parameters
# [*ensure*]
# (optional) Ensure state of the package. Defaults to 'present'.
# (optional) Ensure state of the package.
# Defaults to 'present'.
class keystone::client (
$ensure = 'present'


@ -5,19 +5,39 @@
# == parameters
# [password] Password that will be used for the keystone db user.
# Optional. Defaults to: 'keystone_default_password'
# [*password*]
# (Mandatory) Password to connect to the database.
# Defaults to 'false'.
# [dbname] Name of keystone database. Optional. Defaults to keystone.
# [*dbname*]
# (Optional) Name of the database.
# Defaults to 'keystone'.
# [user] Name of keystone user. Optional. Defaults to keystone.
# [*user*]
# (Optional) User to connect to the database.
# Defaults to 'keystone'.
# [host] Host where user should be allowed all priveleges for database.
# Optional. Defaults to
# [*host*]
# (Optional) The default source host user is allowed to connect from.
# Defaults to ''
# [allowed_hosts] Hosts allowed to use the database
# [*allowed_hosts*]
# (Optional) Other hosts the user is allowed to connect from.
# Defaults to 'undef'.
# [*mysql_module*] Deprecated. Does nothing.
# [*charset*]
# (Optional) The database charset.
# Defaults to 'utf8'
# [*collate*]
# (Optional) The database collate.
# Only used with mysql modules >= 2.2.
# Defaults to 'utf8_unicode_ci'
# === Deprecated Parameters
# [*mysql_module*]
# (Optional) Does nothing.
# == Dependencies
# Class['mysql::server']
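Review bot: The new `[*password*]` entry contradicts itself: it is tagged `(Mandatory)` yet ends with `Defaults to 'false'`, and the text it replaces advertised a real default of 'keystone_default_password'. If the class signature is `$password = false` the value is presumably a sentinel that must be overridden; document it that way, e.g. `(Required) Password for the database user. No usable default; the class fails if left unset.`, and confirm the class really does fail rather than creating the user with the literal string 'false' (the class body is outside this hunk, so I cannot check). `[*allowed_hosts*]` quotes `'undef'` as if it were a string default; write `Defaults to undef` for consistency with the other files in this commit. `[*host*]` says `Defaults to ''`; if that empty value is a rendering artifact, make sure the real default survives in the source.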


@ -1,6 +1,12 @@
# Installs keystone from source. This is not yet fully implemented
# == Parameters
# [*source_dir*]
# (optional) The source dire for dev installation
# Defaults to '/usr/local/keystone'
# == Dependencies
# == Examples
# == Authors
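Review bot: Typo in the new `[*source_dir*]` doc: `(optional) The source dire for dev installation` should read `(optional) The source directory for the dev installation`. The `== Dependencies`, `== Examples` and `== Authors` headings are added empty; either fill them or drop them so the lint pass does not pass vacuously.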


@ -3,157 +3,232 @@
# == Parameters
# [package_ensure] Desired ensure state of packages. Optional. Defaults to present.
# accepts latest or specific versions.
# [client_package_ensure] Desired ensure state of the client package. Optional. Defaults to present.
# accepts latest or specific versions.
# [public_port]
# [*package_ensure*]
# (optional) Desired ensure state of packages.
# accepts latest or specific versions.
# Defaults to present.
# [compute_port]
# (optional) DEPRECATED. The port for the compute service.
# Defaults to 8774.
# [*client_package_ensure*]
# (optional) Desired ensure state of the client package.
# accepts latest or specific versions.
# Defaults to present.
# [admin_port]
# [admin_port] Port that can be used for admin tasks.
# [admin_token] Admin token that can be used to authenticate as a keystone
# admin. Required.
# [verbose] Rather keystone should log at verbose level. Optional.
# Defaults to False.
# [debug] Rather keystone should log at debug level. Optional.
# Defaults to False.
# [use_syslog] Use syslog for logging. Optional.
# Defaults to False.
# [log_facility] Syslog facility to receive log lines. Optional.
# [catalog_type] Type of catalog that keystone uses to store endpoints,services. Optional.
# Defaults to sql. (Also accepts template)
# [catalog_driver] Catalog driver used by Keystone to store endpoints and services. Optional.
# Setting this value will override and ignore catalog_type.
# [catalog_template_file] Path to the catalog used if catalog_type equals 'template'.
# Defaults to '/etc/keystone/default_catalog.templates'
# [token_provider] Format keystone uses for tokens. Optional.
# Defaults to 'keystone.token.providers.uuid.Provider'
# Supports PKI and UUID.
# [token_driver] Driver to use for managing tokens.
# Optional. Defaults to 'keystone.token.persistence.backends.sql.Token'
# [token_expiration] Amount of time a token should remain valid (seconds).
# Optional. Defaults to 3600 (1 hour).
# [revoke_driver] Driver for token revocation.
# Optional. Defaults to 'keystone.contrib.revoke.backends.sql.Revoke'
# [cache_dir] Directory created when token_provider is pki. Optional.
# Defaults to /var/cache/keystone.
# [*public_port*]
# (optional) Port that keystone binds to.
# Defaults to '5000'
# [memcache_servers]
# List of memcache servers in format of server:port.
# Used with token_driver 'keystone.token.backends.memcache.Token'.
# Optional. Defaults to false. Example: ['localhost:11211']
# [*compute_port*]
# (optional) DEPRECATED The port for compute servie.
# Defaults to '8774'
# [cache_backend]
# Dogpile.cache backend module. It is recommended that Memcache with pooling
# (keystone.cache.memcache_pool) or Redis (dogpile.cache.redis) be used in production.
# This has no effects unless 'memcache_servers' is set.
# Optional. Defaults to 'keystone.common.cache.noop'
# [*admin_port*]
# (optional) Port that can be used for admin tasks.
# Defaults to '35357'
# [cache_backend_argument]
# List of arguments in format of argname:value supplied to the backend module.
# Specify this option once per argument to be passed to the dogpile.cache backend.
# This has no effects unless 'memcache_servers' is set.
# Optional. Default to undef.
# [*admin_token*]
# Admin token that can be used to authenticate as a keystone
# admin. Required.
# [debug_cache_backend]
# Extra debugging from the cache backend (cache keys, get/set/delete calls).
# This has no effects unless 'memcache_servers' is set.
# Optional. Default to false.
# [*verbose*]
# (optional) Rather keystone should log at verbose level.
# Defaults to false.
# [token_caching]
# Toggle for token system caching. This has no effects unless 'memcache_servers' is set.
# Optional. Default to true.
# [*debug*]
# (optional) Rather keystone should log at debug level.
# Defaults to False.
# [enabled] If the keystone services should be enabled. Optional. Default to true.
# [*use_syslog*]
# (optional) Use syslog for logging.
# Defaults to false.
# [*database_connection*]
# (optional) Url used to connect to database.
# Defaults to sqlite:////var/lib/keystone/keystone.db
# [*log_facility*]
# (optional) Syslog facility to receive log lines.
# Defaults to 'LOG_USER'.
# [*database_idle_timeout*]
# (optional) Timeout when db connections should be reaped.
# Defaults to 200.
# [*catalog_type*]
# (optional) Type of catalog that keystone uses to store endpoints,services.
# Defaults to sql. (Also accepts template)
# [enable_pki_setup] Enable call to pki_setup to generate the cert for signing pki tokens and
# revocation lists if it doesn't already exist. This generates a cert and key stored in file
# locations based on the signing_certfile and signing_keyfile paramters below. If you are
# providing your own signing cert, make this false.
# [signing_certfile] Location of the cert file for signing pki tokens and revocation lists.
# Optional. Note that if this file already exists (i.e. you are providing your own signing cert),
# the file will not be overwritten, even if enable_pki_setup is set to true.
# Default: /etc/keystone/ssl/certs/signing_cert.pem
# [signing_keyfile] Location of the key file for signing pki tokens and revocation lists. Optional.
# Note that if this file already exists (i.e. you are providing your own signing cert), the file
# will not be overwritten, even if enable_pki_setup is set to true.
# Default: /etc/keystone/ssl/private/signing_key.pem
# [signing_ca_certs] Use this CA certs file along with signing_certfile/signing_keyfile for
# signing pki tokens and revocation lists. Optional. Default: /etc/keystone/ssl/certs/ca.pem
# [signing_ca_key] Use this CA key file along with signing_certfile/signing_keyfile for signing
# pki tokens and revocation lists. Optional. Default: /etc/keystone/ssl/private/cakey.pem
# [*catalog_driver*]
# (optional) Catalog driver used by Keystone to store endpoints and services.
# Setting this value will override and ignore catalog_type.
# Defaults to false.
# [*signing_cert_subject*]
# [*catalog_template_file*]
# (optional) Path to the catalog used if catalog_type equals 'template'.
# Defaults to '/etc/keystone/default_catalog.templates'
# [*token_provider*]
# (optional) Format keystone uses for tokens.
# Defaults to 'keystone.token.providers.uuid.Provider'
# Supports PKI and UUID.
# [*token_driver*]
# (optional) Driver to use for managing tokens.
# Defaults to 'keystone.token.persistence.backends.sql.Token'
# [*token_expiration*]
# (optional) Amount of time a token should remain valid (seconds).
# Defaults to 3600 (1 hour).
# [*revoke_driver*]
# (optional) Driver for token revocation.
# Defaults to 'keystone.contrib.revoke.backends.sql.Revoke'
# [*cache_dir*]
# (optional) Directory created when token_provider is pki.
# Defaults to /var/cache/keystone.
# [*memcache_servers*]
# (optional) List of memcache servers in format of server:port.
# Used with token_driver 'keystone.token.backends.memcache.Token'.
# Defaults to false. Example: ['localhost:11211']
# [*cache_backend*]
# (optional) Dogpile.cache backend module. It is recommended that Memcache with pooling
# (keystone.cache.memcache_pool) or Redis (dogpile.cache.redis) be used in production.
# This has no effects unless 'memcache_servers' is set.
# Defaults to 'keystone.common.cache.noop'
# [*cache_backend_argument*]
# (optional) List of arguments in format of argname:value supplied to the backend module.
# Specify this option once per argument to be passed to the dogpile.cache backend.
# This has no effects unless 'memcache_servers' is set.
# Default to undef.
# [*debug_cache_backend*]
# (optional) Extra debugging from the cache backend (cache keys, get/set/delete calls).
# This has no effects unless 'memcache_servers' is set.
# Default to false.
# [*token_caching*]
# (optional) Toggle for token system caching. This has no effects unless 'memcache_servers' is set.
# Default to true.
# [*enabled*]
# (optional) If the keystone services should be enabled.
# Default to true.
# [*database_connection*]
# (optional) Url used to connect to database.
# Defaults to sqlite:////var/lib/keystone/keystone.db
# [*database_idle_timeout*]
# (optional) Timeout when db connections should be reaped.
# Defaults to 200.
# [*enable_pki_setup*]
# (optional) Enable call to pki_setup to generate the cert for signing pki tokens and
# revocation lists if it doesn't already exist. This generates a cert and key stored in file
# locations based on the signing_certfile and signing_keyfile paramters below. If you are
# providing your own signing cert, make this false.
# Default to true.
# [*signing_certfile*]
# (optional) Location of the cert file for signing pki tokens and revocation lists.
# Note that if this file already exists (i.e. you are providing your own signing cert),
# the file will not be overwritten, even if enable_pki_setup is set to true.
# Default: /etc/keystone/ssl/certs/signing_cert.pem
# [*signing_keyfile*]
# (optional) Location of the key file for signing pki tokens and revocation lists.
# Note that if this file already exists (i.e. you are providing your own signing cert), the file
# will not be overwritten, even if enable_pki_setup is set to true.
# Default: /etc/keystone/ssl/private/signing_key.pem
# [*signing_ca_certs*]
# (optional) Use this CA certs file along with signing_certfile/signing_keyfile for
# signing pki tokens and revocation lists.
# Default: /etc/keystone/ssl/certs/ca.pem
# [*signing_ca_key*]
# (optional) Use this CA key file along with signing_certfile/signing_keyfile for signing
# pki tokens and revocation lists.
# Default: /etc/keystone/ssl/private/cakey.pem
# [*signing_cert_subject*]
# (optional) Certificate subject (auto generated certificate) for token signing.
# Defaults to '/C=US/ST=Unset/L=Unset/O=Unset/'
# [*signing_key_size*]
# [*signing_key_size*]
# (optional) Key size (in bits) for token signing cert (auto generated certificate)
# Defaults to 2048
# [rabbit_host] Location of rabbitmq installation. Optional. Defaults to localhost.
# [rabbit_port] Port for rabbitmq instance. Optional. Defaults to 5672.
# [rabbit_hosts] Location of rabbitmq installation. Optional. Defaults to undef.
# [rabbit_password] Password used to connect to rabbitmq. Optional. Defaults to guest.
# [rabbit_userid] User used to connect to rabbitmq. Optional. Defaults to guest.
# [rabbit_virtual_host] The RabbitMQ virtual host. Optional. Defaults to /.
# [*rabbit_host*]
# (optional) Location of rabbitmq installation.
# Defaults to localhost.
# [*rabbit_use_ssl*]
# (optional) Connect over SSL for RabbitMQ
# Defaults to false
# [*rabbit_port*]
# (optional) Port for rabbitmq instance.
# Defaults to 5672.
# [*kombu_ssl_ca_certs*]
# (optional) SSL certification authority file (valid only if SSL enabled).
# Defaults to undef
# [*rabbit_hosts*]
# (optional) Location of rabbitmq installation.
# Defaults to undef.
# [*kombu_ssl_certfile*]
# (optional) SSL cert file (valid only if SSL enabled).
# Defaults to undef
# [*rabbit_password*]
# (optional) Password used to connect to rabbitmq.
# Defaults to guest.
# [*kombu_ssl_keyfile*]
# (optional) SSL key file (valid only if SSL enabled).
# Defaults to undef
# [*rabbit_userid*]
# (optional) User used to connect to rabbitmq.
# Defaults to guest.
# [*kombu_ssl_version*]
# (optional) SSL version to use (valid only if SSL enabled).
# Valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may be
# available on some distributions.
# Defaults to 'TLSv1'
# [*rabbit_virtual_host*]
# (optional) The RabbitMQ virtual host.
# Defaults to /.
# [notification_driver] RPC driver. Not enabled by default
# [notification_topics] AMQP topics to publish to when using the RPC notification driver.
# [control_exchange] AMQP exchange to connect to if using RabbitMQ or Qpid
# [*rabbit_use_ssl*]
# (optional) Connect over SSL for RabbitMQ
# Defaults to false
# [*public_bind_host*]
# [*kombu_ssl_ca_certs*]
# (optional) SSL certification authority file (valid only if SSL enabled).
# Defaults to undef
# [*kombu_ssl_certfile*]
# (optional) SSL cert file (valid only if SSL enabled).
# Defaults to undef
# [*kombu_ssl_keyfile*]
# (optional) SSL key file (valid only if SSL enabled).
# Defaults to undef
# [*kombu_ssl_version*]
# (optional) SSL version to use (valid only if SSL enabled).
# Valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may be
# available on some distributions.
# Defaults to 'TLSv1'
# [*notification_driver*]
# RPC driver. Not enabled by default
# [*notification_topics*]
# (optional) AMQP topics to publish to when using the RPC notification driver.
# Default to false.
# [*control_exchange*]
# (optional) AMQP exchange to connect to if using RabbitMQ or Qpid
# Default to false.
# [*public_bind_host*]
# (optional) The IP address of the public network interface to listen on
# Default to ''.
# [*admin_bind_host*]
# [*admin_bind_host*]
# (optional) The IP address of the public network interface to listen on
# Default to ''.
# [*log_dir*]
# [*log_dir*]
# (optional) Directory where logs should be stored
# If set to boolean false, it will not log to any directory
# Defaults to '/var/log/keystone'
# [*log_file*]
# [*log_file*]
# (optional) Where to log
# Defaults to false
# [*public_endpoint*]
# [*public_endpoint*]
# (optional) The base public endpoint URL for keystone that are
# advertised to clients (NOTE: this does NOT affect how
# keystone listens for connections) (string value)
@ -161,7 +236,7 @@
# Sample value: 'http://localhost:5000/'
# Defaults to false
# [*admin_endpoint*]
# [*admin_endpoint*]
# (optional) The base admin endpoint URL for keystone that are
# advertised to clients (NOTE: this does NOT affect how keystone listens
# for connections) (string value)
@ -169,63 +244,63 @@
# Sample value: 'http://localhost:35357/'
# Defaults to false
# [*enable_ssl*]
# [*enable_ssl*]
# (optional) Toggle for SSL support on the keystone eventlet servers.
# (boolean value)
# Defaults to false
# [*ssl_certfile*]
# [*ssl_certfile*]
# (optional) Path of the certfile for SSL. (string value)
# Defaults to '/etc/keystone/ssl/certs/keystone.pem'
# [*ssl_keyfile*]
# [*ssl_keyfile*]
# (optional) Path of the keyfile for SSL. (string value)
# Defaults to '/etc/keystone/ssl/private/keystonekey.pem'
# [*ssl_ca_certs*]
# [*ssl_ca_certs*]
# (optional) Path of the ca cert file for SSL. (string value)
# Defaults to '/etc/keystone/ssl/certs/ca.pem'
# [*ssl_ca_key*]
# [*ssl_ca_key*]
# (optional) Path of the CA key file for SSL (string value)
# Defaults to '/etc/keystone/ssl/private/cakey.pem'
# [*ssl_cert_subject*]
# [*ssl_cert_subject*]
# (optional) SSL Certificate Subject (auto generated certificate)
# (string value)
# Defaults to '/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost'
# [*mysql_module*]
# [*mysql_module*]
# (optional) Deprecated. Does nothing.
# [*validate_service*]
# [*validate_service*]
# (optional) Whether to validate keystone connections after
# the service is started.
# Defaults to false
# [*validate_insecure*]
# [*validate_insecure*]
# (optional) Whether to validate keystone connections
# using the --insecure option with keystone client.
# Defaults to false
# [*validate_cacert*]
# [*validate_cacert*]
# (optional) Whether to validate keystone connections
# using the specified argument with the --os-cacert option
# with keystone client.
# Defaults to undef
# [*validate_auth_url*]
# [*validate_auth_url*]
# (optional) The url to validate keystone against
# Defaults to undef
# [*service_provider*]
# [*service_provider*]
# (optional) Provider, that can be used for keystone service.
# Default value defined in keystone::params for given operation system.
# If you use Pacemaker or another Cluster Resource Manager, you can make
# custom service provider for changing start/stop/status behavior of service,
# and set it here.
# [*service_name*]
# [*service_name*]
# (optional) Name of the service that will be providing the
# server functionality of keystone. For example, the default
# is just 'keystone', which means keystone will be run as a
@ -242,23 +317,23 @@
# Defaults to 'keystone'
# NOTE: validate_service only applies if the value is 'keystone'
# [*paste_config*]
# [*paste_config*]
# (optional) Name of the paste configuration file that defines the
# available pipelines. (string value)
# Defaults to '/usr/share/keystone/keystone-dist-paste.ini' on RedHat and
# undef on other platforms.
# [*max_token_size*]
# (optional) maximum allowable Keystone token size
# Defaults to undef
# [*max_token_size*]
# (optional) maximum allowable Keystone token size
# Defaults to undef
# [*admin_workers*]
# (optional) The number of worker processes to serve the admin WSGI application.
# Defaults to max($::processorcount, 2)
# [*admin_workers*]
# (optional) The number of worker processes to serve the admin WSGI application.
# Defaults to max($::processorcount, 2)
# [*public_workers*]
# (optional) The number of worker processes to serve the public WSGI application.
# Defaults to max($::processorcount, 2)
# [*public_workers*]
# (optional) The number of worker processes to serve the public WSGI application.
# Defaults to max($::processorcount, 2)
# == Dependencies
# None
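Review bot: The new `[*admin_bind_host*]` description is a copy of `[*public_bind_host*]` (`The IP address of the public network interface to listen on`); it should read `The IP address of the admin network interface to listen on`, since binding the admin API to the wrong interface is exactly the mistake this text exists to prevent. `[*kombu_ssl_version*]` lists `SSLv23 and SSLv3` (and notes SSLv2) as valid values with no caveat; add a line such as `SSLv2 and SSLv3 are insecure; use TLSv1 or newer`, with the note that which values the installed oslo.messaging still accepts is not visible from this page. Two entries still miss the format this commit sets out to lint: `[*admin_token*]` has no `(required)` tag and `[*notification_driver*]` has no `(optional)`/`Defaults to` line. Smaller typos on the new side: `compute servie`, `Rather keystone should log` (should be `Whether`), and `paramters` under `[*enable_pki_setup*]`.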


@ -1,6 +1,376 @@
# == class: keystone::ldap
# Implements ldap configuration for keystone.
# === parameters:
# [*url*]
# URL for connecting to the LDAP server. (string value)
# Defaults to 'undef'
# [*user*]
# User BindDN to query the LDAP server. (string value)
# Defaults to 'undef'
# [*password*]
# Password for the BindDN to query the LDAP server. (string value)
# Defaults to 'undef'
# [*suffix*]
# LDAP server suffix (string value)
# Defaults to 'undef'
# [*query_scope*]
# The LDAP scope for queries, this can be either "one"
# (onelevel/singleLevel) or "sub" (subtree/wholeSubtree). (string value)
# Defaults to 'undef'
# [*page_size*]
# Maximum results per page; a value of zero ("0") disables paging. (integer value)
# Defaults to 'undef'
# [*user_tree_dn*]
# Search base for users. (string value)
# Defaults to 'undef'
# [*user_filter*]
# LDAP search filter for users. (string value)
# Defaults to 'undef'
# [*user_objectclass*]
# LDAP objectclass for users. (string value)
# Defaults to 'undef'
# [*user_id_attribute*]
# LDAP attribute mapped to user id. WARNING: must not be a multivalued attribute. (string value)
# Defaults to 'undef'
# [*user_name_attribute*]
# LDAP attribute mapped to user name. (string value)
# Defaults to 'undef'
# [*user_mail_attribute*]
# LDAP attribute mapped to user email. (string value)
# [*user_enabled_attribute*]
# LDAP attribute mapped to user enabled flag. (string value)
# Defaults to 'undef'
# [*user_enabled_mask*]
# Bitmask integer to indicate the bit that the enabled value is stored in if
# the LDAP server represents "enabled" as a bit on an integer rather than a
# boolean. A value of "0" indicates the mask is not used. If this is not set
# to "0" the typical value is "2". This is typically used when
# "user_enabled_attribute = userAccountControl". (integer value)
# Defaults to 'undef'
# [*user_enabled_default*]
# Default value to enable users. This should match an appropriate int value
# if the LDAP server uses non-boolean (bitmask) values to indicate if a user
# is enabled or disabled. If this is not set to "True" the typical value is
# "512". This is typically used when "user_enabled_attribute =
# userAccountControl". (string value)
# Defaults to 'undef'
# [*user_enabled_invert*]
# Invert the meaning of the boolean enabled values. Some LDAP servers use a
# boolean lock attribute where "true" means an account is disabled. Setting
# "user_enabled_invert = true" will allow these lock attributes to be used.
# This setting will have no effect if "user_enabled_mask" or
# "user_enabled_emulation" settings are in use. (boolean value)
# Defaults to 'undef'
# [*user_attribute_ignore*]
# List of attributes stripped off the user on update. (list value)
# Defaults to 'undef'
# [*user_default_project_id_attribute*]
# LDAP attribute mapped to default_project_id for users. (string value)
# Defaults to 'undef'
# [*user_allow_create*]
# Allow user creation in LDAP backend. (boolean value)
# Defaults to 'undef'
# [*user_allow_update*]
# Allow user updates in LDAP backend. (boolean value)
# Defaults to 'undef'
# [*user_allow_delete*]
# Allow user deletion in LDAP backend. (boolean value)
# Defaults to 'undef'
# [*user_pass_attribute*]
# LDAP attribute mapped to password. (string value)
# Defaults to 'undef'
# [*user_enabled_emulation*]
# If true, Keystone uses an alternative method to determine if
# a user is enabled or not by checking if they are a member of
# the "user_enabled_emulation_dn" group. (boolean value)
# Defaults to 'undef'
# [*user_enabled_emulation_dn*]
# DN of the group entry to hold enabled users when using enabled emulation.
# (string value)
# Defaults to 'undef'
# [*user_additional_attribute_mapping*]
# List of additional LDAP attributes used for mapping
# additional attribute mappings for users. Attribute mapping
# format is <ldap_attr>:<user_attr>, where ldap_attr is the
# attribute in the LDAP entry and user_attr is the Identity
# API attribute. (list value)
# Defaults to 'undef'
# [*project_tree_dn*]
# Search base for projects (string value)
# Defaults to 'undef'
# [*project_filter*]
# LDAP search filter for projects. (string value)
# Defaults to 'undef'
# [*project_objectclass*]
# LDAP objectclass for projects. (string value)
# Defaults to 'undef'
# [*project_id_attribute*]
# LDAP attribute mapped to project id. (string value)
# Defaults to 'undef'
# [*project_member_attribute*]
# LDAP attribute mapped to project membership for user. (string value)
# Defaults to 'undef'
# [*project_name_attribute*]
# LDAP attribute mapped to project name. (string value)
# Defaults to 'undef'
# [*project_desc_attribute*]
# LDAP attribute mapped to project description. (string value)
# Defaults to 'undef'
# [*project_enabled_attribute*]
# LDAP attribute mapped to project enabled. (string value)
# Defaults to 'undef'
# [*project_domain_id_attribute*]
# LDAP attribute mapped to project domain_id. (string value)
# Defaults to 'undef'
# [*project_attribute_ignore*]
# List of attributes stripped off the project on update. (list value)
# Defaults to 'undef'
# [*project_allow_create*]
# Allow project creation in LDAP backend. (boolean value)
# Defaults to 'undef'
# [*project_allow_update*]
# Allow project update in LDAP backend. (boolean value)
# Defaults to 'undef'
# [*project_allow_delete*]
# Allow project deletion in LDAP backend. (boolean value)
# Defaults to 'undef'
# [*project_enabled_emulation*]
# If true, Keystone uses an alternative method to determine if
# a project is enabled or not by checking if they are a member
# of the "project_enabled_emulation_dn" group. (boolean value)
# Defaults to 'undef'
# [*project_enabled_emulation_dn*]
# DN of the group entry to hold enabled projects when using
# enabled emulation. (string value)
# Defaults to 'undef'
# [*project_additional_attribute_mapping*]
# Additional attribute mappings for projects. Attribute
# mapping format is <ldap_attr>:<user_attr>, where ldap_attr
# is the attribute in the LDAP entry and user_attr is the
# Identity API attribute. (list value)
# Defaults to 'undef'
# [*role_tree_dn*]
# Search base for roles. (string value)
# Defaults to 'undef'
# [*role_filter*]
# LDAP search filter for roles. (string value)
# Defaults to 'undef'
# [*role_objectclass*]
# LDAP objectclass for roles. (string value)
# Defaults to 'undef'
# [*role_id_attribute*]
# LDAP attribute mapped to role id. (string value)
# Defaults to 'undef'
# [*role_name_attribute*]
# LDAP attribute mapped to role name. (string value)
# Defaults to 'undef'
# [*role_member_attribute*]
# LDAP attribute mapped to role membership. (string value)
# Defaults to 'undef'
# [*role_attribute_ignore*]
# List of attributes stripped off the role on update. (list value)
# Defaults to 'undef'
# [*role_allow_create*]
# Allow role creation in LDAP backend. (boolean value)
# Defaults to 'undef'
# [*role_allow_update*]
# Allow role update in LDAP backend. (boolean value)
# Defaults to 'undef'
# [*role_allow_delete*]
# Allow role deletion in LDAP backend. (boolean value)
# Defaults to 'undef'
# [*role_additional_attribute_mapping*]
# Additional attribute mappings for roles. Attribute mapping
# format is <ldap_attr>:<user_attr>, where ldap_attr is the
# attribute in the LDAP entry and user_attr is the Identity
# API attribute. (list value)
# Defaults to 'undef'
# [*group_tree_dn*]
# Search base for groups. (string value)
# Defaults to 'undef'
# [*group_filter*]
# LDAP search filter for groups. (string value)
# Defaults to 'undef'
# [*group_objectclass*]
# LDAP objectclass for groups. (string value)
# Defaults to 'undef'
# [*group_id_attribute*]
# LDAP attribute mapped to group id. (string value)
# Defaults to 'undef'
# [*group_name_attribute*]
# LDAP attribute mapped to group name. (string value)
# Defaults to 'undef'
# [*group_member_attribute*]
# LDAP attribute mapped to show group membership. (string value)
# Defaults to 'undef'
# [*group_desc_attribute*]
# LDAP attribute mapped to group description. (string value)
# Defaults to 'undef'
# [*group_attribute_ignore*]
# List of attributes stripped off the group on update. (list value)
# Defaults to 'undef'
# [*group_allow_create*]
# Allow group creation in LDAP backend. (boolean value)
# Defaults to 'undef'
# [*group_allow_update*]
# Allow group update in LDAP backend. (boolean value)
# Defaults to 'undef'
# [*group_allow_delete*]
# Allow group deletion in LDAP backend. (boolean value)
# Defaults to 'undef'
# [*group_additional_attribute_mapping*]
# Additional attribute mappings for groups. Attribute mapping
# format is <ldap_attr>:<user_attr>, where ldap_attr is the
# attribute in the LDAP entry and user_attr is the Identity
# API attribute. (list value)
# Defaults to 'undef'
# [*use_tls*]
# Enable TLS for communicating with LDAP servers. (boolean value)
# Defaults to 'undef'
# [*tls_cacertfile*]
# CA certificate file path for communicating with LDAP servers. (string value)
# Defaults to 'undef'
# [*tls_cacertdir*]
# CA certificate directory path for communicating with LDAP servers. (string value)
# Defaults to 'undef'
# [*tls_req_cert*]
# Valid options for tls_req_cert are demand, never, and allow. (string value)
# Defaults to 'undef'
# [*identity_driver*]
# Identity backend driver. (string value)
# Defaults to 'undef'
# [*assignment_driver*]
# Assignment backend driver. (string value)
# Defaults to 'undef'
# [*use_pool*]
# Enable LDAP connection pooling. (boolean value)
# Defaults to false
# [*pool_size*]
# Connection pool size. (integer value)
# Defaults to '10'
# [*pool_retry_max*]
# Maximum count of reconnect trials. (integer value)
# Defaults to '3'
# [*pool_retry_delay*]
# Time span in seconds to wait between two reconnect trials. (floating point value)
# Defaults to '0.1'
# [*pool_connection_timeout*]
# Connector timeout in seconds. Value -1 indicates indefinite wait for response. (integer value)
# Defaults to '-1'
# [*pool_connection_lifetime*]
# Connection lifetime in seconds. (integer value)
# Defaults to '600'
# [*use_auth_pool*]
# Enable LDAP connection pooling for end user authentication.
# If use_pool is disabled, then this setting is meaningless and is not used at all. (boolean value)
# Defaults to false
# [*auth_pool_size*]
# End user auth connection pool size. (integer value)
# Defaults to '100'
# [*auth_pool_connection_lifetime*]
# End user auth connection lifetime in seconds. (integer value)
# Defaults to '60'
# === DEPRECATED group/name
# [*tenant_tree_dn*]
# [*tenant_filter*]
# [*tenant_objectclass*]
# [*tenant_id_attribute*]
# [*tenant_member_attribute*]
# [*tenant_name_attribute*]
# [*tenant_desc_attribute*]
# [*tenant_enabled_attribute*]
# [*tenant_domain_id_attribute*]
# [*tenant_attribute_ignore*]
# [*tenant_allow_create*]
# [*tenant_allow_update*]
# [*tenant_enabled_emulation*]
# [*tenant_enabled_emulation_dn*]
# [*tenant_additional_attribute_mapping*]
# [*tenant_allow_delete*]
# == Dependencies
# == Examples
# == Authors
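Review bot: `[*tls_req_cert*]` only enumerates `demand, never, and allow` without saying what they do; since `never` and `allow` make Keystone accept an LDAP server certificate that fails validation, the doc should say so, e.g. `Only 'demand' verifies the server certificate; 'never' and 'allow' disable verification and should not be used in production.` Likewise `[*use_tls*]` defaults to undef, so a plain `ldap://` URL sends the `[*password*]` bind credential in cleartext unless the caller enables TLS or uses an ldaps URL; one sentence to that effect next to `use_tls` or `url` would help. The deprecated `tenant_*` list at the end carries no replacement names; a single line `Deprecated: use the project_* parameters instead` would complete the lint intent. The empty `== Dependencies`, `== Examples` and `== Authors` headings should be filled or dropped.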


@ -1,6 +1,16 @@
# == Class keystone::python
# installs client python libraries for keystone
# === Parameters:
# [*client_package_name*]
# (optional) The name of python keystone client package
# Defaults to $keystone::params::client_package_name
# [*ensure*]
# (optional) The state for the keystone client package
# Defaults to 'present'
class keystone::python (
$client_package_name = $keystone::params::client_package_name,


@ -22,76 +22,76 @@
# == Parameters:
# [*password*]
# Password to create for the service user;
# string; required
# Password to create for the service user;
# string; required
# [*auth_name*]
# The name of the service user;
# string; optional; default to the $title of the resource, i.e. 'nova'
# The name of the service user;
# string; optional; default to the $title of the resource, i.e. 'nova'
# [*service_name*]
# Name of the service;
# string; required
# Name of the service;
# string; required
# [*service_type*]
# Type of the service;
# string; required
# Type of the service;
# string; required
# [*service_description*]
# Description of the service;
# string; optional: default to '$name service'
# Description of the service;
# string; optional: default to '$name service'
# [*public_url*]
# Public endpoint URL;
# string; required
# Public endpoint URL;
# string; required
# [*internal_url*]
# Internal endpoint URL;
# string; required
# Internal endpoint URL;
# string; required
# [*admin_url*]
# Admin endpoint URL;
# string; required
# Admin endpoint URL;
# string; required
# [*region*]
# Endpoint region;
# string; optional: default to 'RegionOne'
# Endpoint region;
# string; optional: default to 'RegionOne'
# [*tenant*]
# Service tenant;
# string; optional: default to 'services'
# Service tenant;
# string; optional: default to 'services'
# [*ignore_default_tenant*]
# Ignore setting the default tenant value when the user is created.
# string; optional: default to false
# Ignore setting the default tenant value when the user is created.
# string; optional: default to false
# [*roles*]
# List of roles;
# string; optional: default to ['admin']
# List of roles;
# string; optional: default to ['admin']
# [*domain*]
# User domain (keystone v3), not implemented yet.
# string; optional: default to undef
# User domain (keystone v3), not implemented yet.
# string; optional: default to undef
# [*email*]
# Service email;
# string; optional: default to '$auth_name@localhost'
# Service email;
# string; optional: default to '$auth_name@localhost'
# [*configure_endpoint*]
# Whether to create the endpoint.
# string; optional: default to True
# Whether to create the endpoint.
# string; optional: default to True
# [*configure_user*]
# Whether to create the user.
# string; optional: default to True
# Whether to create the user.
# string; optional: default to True
# [*configure_user_role*]
# Whether to create the user role.
# string; optional: default to True
# Whether to create the user role.
# string; optional: default to True
# [*configure_service*]
# Whether to create the service.
# string; optional: default to True
# Whether to create the service.
# string; optional: default to True
define keystone::resource::service_identity(
$admin_url = false,
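Review bot: The re-linted parameter docs still give the wrong type for several parameters: `ignore_default_tenant`, `configure_endpoint`, `configure_user`, `configure_user_role` and `configure_service` are described as `string; optional: default to True`/`false`, and `roles` as `string; optional: default to ['admin']`, although their defaults show a boolean and an array. I would rewrite those lines as `#   boolean; optional: default to true` and `#   array of strings; optional: default to ['admin']` so a caller does not pass the string `'false'` and get a truthy value. In the same vein `admin_url` is documented `string; required` while the signature immediately below gives it a default of `false`; either the doc should say optional or state that `false` is rejected — I cannot tell which from the hunk, since the body of `keystone::resource::service_identity` continues outside it.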


@ -1,3 +1,4 @@
# == Class: keystone::roles::admin
# This class implements some reasonable admin defaults for keystone.
@ -8,18 +9,49 @@
# * admin role
# * adds admin role to admin user on the "admin" tenant
# [*Parameters*]
# === Parameters:
# [email] The email address for the admin. Required.
# [password] The admin password. Required.
# [admin_roles] The list of the roles with admin privileges. Optional. Defaults to ['admin'].
# [admin_tenant] The name of the tenant to be used for admin privileges. Optional. Defaults to openstack.
# [admin] Admin user. Optional. Defaults to admin.
# [ignore_default_tenant] Ignore setting the default tenant value when the user is created. Optional. Defaults to false.
# [admin_tenant_desc] Optional. Description for admin tenant, defaults to 'admin tenant'
# [service_tenant_desc] Optional. Description for admin tenant, defaults to 'Tenant for the openstack services'
# [configure_user] Optional. Should the admin user be created? Defaults to 'true'.
# [configure_user_role] Optional. Should the admin role be configured for the admin user? Defaulst to 'true'.
# [*email*]
# The email address for the admin. Required.
# [*password*]
# The admin password. Required.
# [*admin_roles*]
# The list of the roles with admin privileges. Optional.
# Defaults to ['admin'].
# [*admin_tenant*]
# The name of the tenant to be used for admin privileges. Optional.
# Defaults to openstack.
# [*service_tenant*]
# The name of service keystone tenant. Optional.
# Defaults to 'services'.
# [*admin*]
# Admin user. Optional.
# Defaults to admin.
# [*ignore_default_tenant*]
# Ignore setting the default tenant value when the user is created. Optional.
# Defaults to false.
# [*admin_tenant_desc*]
# Optional. Description for admin tenant,
# Defaults to 'admin tenant'
# [*service_tenant_desc*]
# Optional. Description for admin tenant,
# Defaults to 'Tenant for the openstack services'
# [*configure_user*]
# Optional. Should the admin user be created?
# Defaults to 'true'.
# [*configure_user_role*]
# Optional. Should the admin role be configured for the admin user?
# Defaulst to 'true'.
# == Dependencies
# == Examples
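Review bot: The new `[*service_tenant_desc*]` entry reads `Optional. Description for admin tenant,`, a copy of the `[*admin_tenant_desc*]` text, so the doc describes the wrong tenant; its default `'Tenant for the openstack services'` makes the intent clear, so the line should be `#   Optional. Description for the service tenant.`. The `[*admin_tenant_desc*]` line also ends in a stray comma, and `[*configure_user_role*]` still says `Defaulst to 'true'.`, which a doc-lint commit should fix: `#   Defaults to 'true'.`. `Defaults to openstack.` under `[*admin_tenant*]` would be clearer quoted like the other defaults (`Defaults to 'openstack'.`), assuming the literal default is the string `openstack`, which the hunk does not show.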


@ -9,60 +9,59 @@
# === Parameters
# [*ensure*]
# (optional) The desired state of the keystone service
# Defaults to 'running'
# (optional) The desired state of the keystone service
# Defaults to 'running'
# [*service_name*]
# (optional) The name of the keystone service
# Defaults to $::keystone::params::service_name
# (optional) The name of the keystone service
# Defaults to $::keystone::params::service_name
# [*enable*]
# (optional) Whether to enable the keystone service
# Defaults to true
# (optional) Whether to enable the keystone service
# Defaults to true
# [*hasstatus*]
# (optional) Whether the keystone service has status
# Defaults to true
# (optional) Whether the keystone service has status
# Defaults to true
# [*hasrestart*]
# (optional) Whether the keystone service has restart
# Defaults to true
# (optional) Whether the keystone service has restart
# Defaults to true
# [*provider*]
# (optional) Provider for keystone service
# Defaults to $::keystone::params::service_provider
# (optional) Provider for keystone service
# Defaults to $::keystone::params::service_provider
# [*validate*]
# (optional) Whether to validate the service is working
# after any service refreshes
# Defaults to false
# (optional) Whether to validate the service is working after any service refreshes
# Defaults to false
# [*admin_token*]
# (optional) The admin token to use for validation
# Defaults to undef
# (optional) The admin token to use for validation
# Defaults to undef
# [*admin_endpoint*]
# (optional) The admin endpont to use for validation
# Defaults to 'http://localhost:35357/v2.0'
# (optional) The admin endpont to use for validation
# Defaults to 'http://localhost:35357/v2.0'
# [*retries*]
# (optional) Number of times to retry validation
# Defaults to 10
# (optional) Number of times to retry validation
# Defaults to 10
# [*delay*]
# (optional) Number of seconds between validation attempts
# Defaults to 2
# (optional) Number of seconds between validation attempts
# Defaults to 2
# [*insecure*]
# (optional) Whether to validate keystone connections
# using the --insecure option with keystone client.
# Defaults to false
# (optional) Whether to validate keystone connections
# using the --insecure option with keystone client.
# Defaults to false
# [*cacert*]
# (optional) Whether to validate keystone connections
# using the specified argument with the --os-cacert option
# with keystone client.
# Defaults to undef
# (optional) Whether to validate keystone connections
# using the specified argument with the --os-cacert option
# with keystone client.
# Defaults to undef
class keystone::service(
$ensure = 'running',
@ -106,13 +105,13 @@ class keystone::service(
$cmd = "openstack --os-auth-url ${admin_endpoint} --os-token ${admin_token} ${insecure_s} ${cacert_s} user list"
$catch = 'name'
exec { 'validate_keystone_connection':
path => '/usr/bin:/bin:/usr/sbin:/sbin',
provider => shell,
command => $cmd,
subscribe => Service['keystone'],
refreshonly => true,
tries => $retries,
try_sleep => $delay
path => '/usr/bin:/bin:/usr/sbin:/sbin',
provider => shell,
command => $cmd,
subscribe => Service['keystone'],
refreshonly => true,
tries => $retries,
try_sleep => $delay
Exec['validate_keystone_connection'] -> Keystone_user<||>
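Review bot: The reindented `exec { 'validate_keystone_connection': ... }` still runs `$cmd` with `--os-token ${admin_token}` embedded in the command string, so the admin token is visible in process listings for the duration of the check and is quoted back in Puppet's error message (and thus in reports) whenever the exec fails. Passing it through the resource's environment keeps it out of both: drop `--os-token ${admin_token}` from `$cmd` and add `environment => ["OS_TOKEN=${admin_token}"],` to the exec, since openstackclient reads `OS_TOKEN` as the equivalent of that flag. The exec's closing brace and the remainder of `keystone::service` lie outside the hunk. Separately, the first hunk's `[*admin_endpoint*]` description still spells `endpont`, which the lint pass did not catch.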


@ -46,15 +46,41 @@
# Optional. Defaults to 1
# [*ssl_cert*]
# (optional) Path to SSL certificate
# Default to apache::vhost 'ssl_*' defaults.
# [*ssl_key*]
# (optional) Path to SSL key
# Default to apache::vhost 'ssl_*' defaults.
# [*ssl_chain*]
# (optional) SSL chain
# Default to apache::vhost 'ssl_*' defaults.
# [*ssl_ca*]
# (optional) Path to SSL certificate authority
# Default to apache::vhost 'ssl_*' defaults.
# [*ssl_crl_path*]
# (optional) Path to SSL certificate revocation list
# Default to apache::vhost 'ssl_*' defaults.
# [*ssl_crl*]
# (optional) SSL certificate revocation list name
# Default to apache::vhost 'ssl_*' defaults.
# [*ssl_certs_dir*]
# apache::vhost ssl parameters.
# Optional. Default to apache::vhost 'ssl_*' defaults.
# [*priority*]
# (optional) The priority for the vhost.
# Defaults to '10'
# [*threads*]
# (optional) The number of threads for the vhost.
# Defaults to $::processorcount
# == Dependencies
# requires Class['apache'] & Class['keystone']