diff --git a/Gemfile b/Gemfile
index 6ef55b6ed..07362aca9 100644
--- a/Gemfile
+++ b/Gemfile
@@ -2,7 +2,7 @@ source 'https://rubygems.org'
 group :development, :test do
 gem 'puppetlabs_spec_helper', :require => false
- gem 'puppet-lint', '~> 0.3.2'
+ gem 'puppet-lint-param-docs'
 gem 'rspec-puppet', '~> 1.0.1'
 gem 'rake', '10.1.1'
 end
diff --git a/examples/ldap_full.pp b/examples/ldap_full.pp
index bc455690f..9c5a43d92 100644
--- a/examples/ldap_full.pp
+++ b/examples/ldap_full.pp
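Review bot: The replacement gem `puppet-lint-param-docs` is added with no version constraint, whereas the line it replaces pinned `puppet-lint` to `~> 0.3.2`, so a future release of the plugin, or of the `puppet-lint` it pulls in, can change lint results or behaviour in CI without any change to this repository. `puppet-lint-param-docs` is a plugin for puppet-lint, so puppet-lint itself is presumably still resolved transitively, but now at whatever version the resolver picks. Keep the explicit, constrained puppet-lint line and constrain the plugin as well, e.g. `gem 'puppet-lint', '~> 0.3.2'` alongside `gem 'puppet-lint-param-docs', '~> <version>'` (version to be chosen), or commit a Gemfile.lock so every CI run resolves the same set.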
@@ -16,57 +16,57 @@ class { 'keystone::roles::admin':
 # "uid=bind,cn=users,cn=accounts,dc=example,dc=com" -w SecretPass \
 # -b cn=users,cn=accounts,dc=example,dc=com
 class { 'keystone:ldap':
- url => 'ldap://ldap.example.com:389',
- user => 'uid=bind,cn=users,cn=accounts,dc=example,dc=com',
- password => 'SecretPass',
- suffix => 'dc=example,dc=com',
- query_scope => 'sub',
- user_tree_dn => 'cn=users,cn=accounts,dc=example,dc=com',
- user_id_attribute => 'uid',
- user_name_attribute => 'uid',
- user_mail_attribute => 'mail',
- user_allow_create => 'False',
- user_allow_update => 'False',
- user_allow_delete => 'False',
- user_enabled_emulation => 'True',
- user_enabled_emulation_dn => 'cn=openstack-enabled,cn=groups,cn=accounts,dc=example,dc=com',
- group_tree_dn => 'ou=groups,ou=openstack,dc=example,dc=com',
- group_objectclass => 'organizationalRole',
- group_id_attribute => 'cn',
- group_name_attribute => 'cn',
- group_member_attribute => 'RoleOccupant',
- group_desc_attribute => 'description',
- group_allow_create => 'True',
- group_allow_update => 'True',
- group_allow_delete => 'True',
- project_tree_dn => 'ou=projects,ou=openstack,dc=example,dc=com',
- project_objectclass => 'organizationalUnit',
- project_id_attribute => 'ou',
- project_member_attribute => 'member',
- project_name_attribute => 'ou',
- project_desc_attribute => 'description',
- project_allow_create => 'True',
- project_allow_update => 'True',
- project_allow_delete => 'True',
- project_enabled_emulation => 'True',
- project_enabled_emulation_dn=> 'cn=enabled,ou=openstack,dc=example,dc=com',
- role_tree_dn => 'ou=roles,ou=openstack,dc=example,dc=com',
- role_objectclass => 'organizationalRole',
- role_id_attribute => 'cn',
- role_name_attribute => 'cn',
- role_member_attribute => 'roleOccupant',
- role_allow_create => 'True',
- role_allow_update => 'True',
- role_allow_delete => 'True',
- identity_driver => 'keystone.identity.backends.ldap.Identity',
- assignment_driver =>
'keystone.assignment.backends.ldap.Assignment',
- use_tls => 'True',
- tls_cacertfile => '/etc/ssl/certs/ca-certificates.crt',
- tls_req_cert => 'demand',
- use_pool => 'True',
- use_auth_pool => 'True',
- pool_size => 5,
- auth_pool_size => 5,
- pool_retry_max => 3,
- pool_connection_timeout => 120,
+ url => 'ldap://ldap.example.com:389',
+ user => 'uid=bind,cn=users,cn=accounts,dc=example,dc=com',
+ password => 'SecretPass',
+ suffix => 'dc=example,dc=com',
+ query_scope => 'sub',
+ user_tree_dn => 'cn=users,cn=accounts,dc=example,dc=com',
+ user_id_attribute => 'uid',
+ user_name_attribute => 'uid',
+ user_mail_attribute => 'mail',
+ user_allow_create => 'False',
+ user_allow_update => 'False',
+ user_allow_delete => 'False',
+ user_enabled_emulation => 'True',
+ user_enabled_emulation_dn => 'cn=openstack-enabled,cn=groups,cn=accounts,dc=example,dc=com',
+ group_tree_dn => 'ou=groups,ou=openstack,dc=example,dc=com',
+ group_objectclass => 'organizationalRole',
+ group_id_attribute => 'cn',
+ group_name_attribute => 'cn',
+ group_member_attribute => 'RoleOccupant',
+ group_desc_attribute => 'description',
+ group_allow_create => 'True',
+ group_allow_update => 'True',
+ group_allow_delete => 'True',
+ project_tree_dn => 'ou=projects,ou=openstack,dc=example,dc=com',
+ project_objectclass => 'organizationalUnit',
+ project_id_attribute => 'ou',
+ project_member_attribute => 'member',
+ project_name_attribute => 'ou',
+ project_desc_attribute => 'description',
+ project_allow_create => 'True',
+ project_allow_update => 'True',
+ project_allow_delete => 'True',
+ project_enabled_emulation => 'True',
+ project_enabled_emulation_dn => 'cn=enabled,ou=openstack,dc=example,dc=com',
+ role_tree_dn => 'ou=roles,ou=openstack,dc=example,dc=com',
+ role_objectclass => 'organizationalRole',
+ role_id_attribute => 'cn',
+ role_name_attribute => 'cn',
+ role_member_attribute => 'roleOccupant',
+ role_allow_create => 'True',
+ role_allow_update => 'True',
+ role_allow_delete =>
'True',
+ identity_driver => 'keystone.identity.backends.ldap.Identity',
+ assignment_driver => 'keystone.assignment.backends.ldap.Assignment',
+ use_tls => 'True',
+ tls_cacertfile => '/etc/ssl/certs/ca-certificates.crt',
+ tls_req_cert => 'demand',
+ use_pool => 'True',
+ use_auth_pool => 'True',
+ pool_size => 5,
+ auth_pool_size => 5,
+ pool_retry_max => 3,
+ pool_connection_timeout => 120,
 }
diff --git a/examples/ldap_identity.pp b/examples/ldap_identity.pp
index 41272c52f..b62804925 100644
--- a/examples/ldap_identity.pp
+++ b/examples/ldap_identity.pp
@@ -12,17 +12,17 @@ class { 'keystone::roles::admin':
 # This was tested against a FreeIPA box, you will likely need to change the
 # attributes to match your configuration.
 class { 'keystone:ldap':
- identity_driver => 'keystone.identity.backends.ldap.Identity',
- url => 'ldap://ldap.example.com:389',
- user => 'uid=bind,cn=users,cn=accounts,dc=example,dc=com',
- password => 'SecretPass',
- suffix => 'dc=example,dc=com',
- query_scope => 'sub',
- user_tree_dn => 'cn=users,cn=accounts,dc=example,dc=com',
- user_id_attribute => 'uid',
- user_name_attribute => 'uid',
- user_mail_attribute => 'mail',
- user_allow_create => 'False',
- user_allow_update => 'False',
- user_allow_delete => 'False'
+ identity_driver => 'keystone.identity.backends.ldap.Identity',
+ url => 'ldap://ldap.example.com:389',
+ user => 'uid=bind,cn=users,cn=accounts,dc=example,dc=com',
+ password => 'SecretPass',
+ suffix => 'dc=example,dc=com',
+ query_scope => 'sub',
+ user_tree_dn => 'cn=users,cn=accounts,dc=example,dc=com',
+ user_id_attribute => 'uid',
+ user_name_attribute => 'uid',
+ user_mail_attribute => 'mail',
+ user_allow_create => 'False',
+ user_allow_update => 'False',
+ user_allow_delete => 'False'
 }
diff --git a/manifests/client.pp b/manifests/client.pp
index d400f3970..84a6e08ce 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
@@ -5,7 +5,8 @@ # === Parameters # # [*ensure*] -# (optional) Ensure state of the package. Defaults to 'present'. +# (optional) Ensure state of the package. +# Defaults to 'present'. # class keystone::client ( $ensure = 'present' diff --git a/manifests/db/mysql.pp b/manifests/db/mysql.pp index 3e046f4a2..7baef9415 100644 --- a/manifests/db/mysql.pp +++ b/manifests/db/mysql.pp @@ -5,19 +5,39 @@ # # == parameters # -# [password] Password that will be used for the keystone db user. -# Optional. Defaults to: 'keystone_default_password' +# [*password*] +# (Mandatory) Password to connect to the database. +# Defaults to 'false'. # -# [dbname] Name of keystone database. Optional. Defaults to keystone. +# [*dbname*] +# (Optional) Name of the database. +# Defaults to 'keystone'. # -# [user] Name of keystone user. Optional. Defaults to keystone. +# [*user*] +# (Optional) User to connect to the database. +# Defaults to 'keystone'. # -# [host] Host where user should be allowed all priveleges for database. -# Optional. Defaults to 127.0.0.1. +# [*host*] +# (Optional) The default source host user is allowed to connect from. +# Defaults to '127.0.0.1' # -# [allowed_hosts] Hosts allowed to use the database +# [*allowed_hosts*] +# (Optional) Other hosts the user is allowed to connect from. +# Defaults to 'undef'. # -# [*mysql_module*] Deprecated. Does nothing. +# [*charset*] +# (Optional) The database charset. +# Defaults to 'utf8' +# +# [*collate*] +# (Optional) The database collate. +# Only used with mysql modules >= 2.2. +# Defaults to 'utf8_unicode_ci' +# +# === Deprecated Parameters +# +# [*mysql_module*] +# (Optional) Does nothing. # # == Dependencies # Class['mysql::server'] diff --git a/manifests/dev/install.pp b/manifests/dev/install.pp index 3e68113c2..f52800f23 100644 --- a/manifests/dev/install.pp +++ b/manifests/dev/install.pp 
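Review bot: In manifests/db/mysql.pp the new `password` entry says `(Mandatory)` and on the next line `Defaults to 'false'`, which contradict each other: a parameter that has a default is not mandatory in the Puppet sense, and a reader cannot tell whether omitting it fails the catalog or configures the database user with the literal string 'false'. The text it replaces documented a default of 'keystone_default_password'; the class body is outside this hunk, so whichever the code actually does should be the one thing stated here, e.g. `(Required) Password to connect to the database. No usable default is provided.` if that is what is enforced. `Defaults to 'undef'` under `allowed_hosts` quotes undef as if it were a four-character string; `Defaults to undef` avoids that reading, and the same quoted-undef wording recurs throughout the new manifests/ldap.pp header.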
@@ -1,6 +1,12 @@ # # Installs keystone from source. This is not yet fully implemented # +# == Parameters +# +# [*source_dir*] +# (optional) The source dire for dev installation +# Defaults to '/usr/local/keystone' +# # == Dependencies # == Examples # == Authors diff --git a/manifests/init.pp b/manifests/init.pp index 664d5e361..dfc7c57e5 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
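Review bot: The new `source_dir` entry in manifests/dev/install.pp reads `(optional) The source dire for dev installation`, which has a typo and no terminating punctuation; `(optional) The source directory for the dev installation.` keeps the meaning and matches the `(optional) ... Defaults to ...` layout used in the other manifests in this commit.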
@@ -3,157 +3,232 @@ # # == Parameters # -# [package_ensure] Desired ensure state of packages. Optional. Defaults to present. -# accepts latest or specific versions. -# [client_package_ensure] Desired ensure state of the client package. Optional. Defaults to present. -# accepts latest or specific versions. -# [public_port] +# [*package_ensure*] +# (optional) Desired ensure state of packages. +# accepts latest or specific versions. +# Defaults to present. # -# [compute_port] -# (optional) DEPRECATED. The port for the compute service. -# Defaults to 8774. +# [*client_package_ensure*] +# (optional) Desired ensure state of the client package. +# accepts latest or specific versions. +# Defaults to present. # -# [admin_port] -# [admin_port] Port that can be used for admin tasks. -# [admin_token] Admin token that can be used to authenticate as a keystone -# admin. Required. -# [verbose] Rather keystone should log at verbose level. Optional. -# Defaults to False. -# [debug] Rather keystone should log at debug level. Optional. -# Defaults to False. -# [use_syslog] Use syslog for logging. Optional. -# Defaults to False. -# [log_facility] Syslog facility to receive log lines. Optional. -# [catalog_type] Type of catalog that keystone uses to store endpoints,services. Optional. -# Defaults to sql. (Also accepts template) -# [catalog_driver] Catalog driver used by Keystone to store endpoints and services. Optional. -# Setting this value will override and ignore catalog_type. -# [catalog_template_file] Path to the catalog used if catalog_type equals 'template'. -# Defaults to '/etc/keystone/default_catalog.templates' -# [token_provider] Format keystone uses for tokens. Optional. -# Defaults to 'keystone.token.providers.uuid.Provider' -# Supports PKI and UUID. -# [token_driver] Driver to use for managing tokens. -# Optional. Defaults to 'keystone.token.persistence.backends.sql.Token' -# [token_expiration] Amount of time a token should remain valid (seconds). -# Optional. 
Defaults to 3600 (1 hour). -# [revoke_driver] Driver for token revocation. -# Optional. Defaults to 'keystone.contrib.revoke.backends.sql.Revoke' -# [cache_dir] Directory created when token_provider is pki. Optional. -# Defaults to /var/cache/keystone. +# [*public_port*] +# (optional) Port that keystone binds to. +# Defaults to '5000' # -# [memcache_servers] -# List of memcache servers in format of server:port. -# Used with token_driver 'keystone.token.backends.memcache.Token'. -# Optional. Defaults to false. Example: ['localhost:11211'] +# [*compute_port*] +# (optional) DEPRECATED The port for compute servie. +# Defaults to '8774' # -# [cache_backend] -# Dogpile.cache backend module. It is recommended that Memcache with pooling -# (keystone.cache.memcache_pool) or Redis (dogpile.cache.redis) be used in production. -# This has no effects unless 'memcache_servers' is set. -# Optional. Defaults to 'keystone.common.cache.noop' +# [*admin_port*] +# (optional) Port that can be used for admin tasks. +# Defaults to '35357' # -# [cache_backend_argument] -# List of arguments in format of argname:value supplied to the backend module. -# Specify this option once per argument to be passed to the dogpile.cache backend. -# This has no effects unless 'memcache_servers' is set. -# Optional. Default to undef. +# [*admin_token*] +# Admin token that can be used to authenticate as a keystone +# admin. Required. # -# [debug_cache_backend] -# Extra debugging from the cache backend (cache keys, get/set/delete calls). -# This has no effects unless 'memcache_servers' is set. -# Optional. Default to false. +# [*verbose*] +# (optional) Rather keystone should log at verbose level. +# Defaults to false. # -# [token_caching] -# Toggle for token system caching. This has no effects unless 'memcache_servers' is set. -# Optional. Default to true. +# [*debug*] +# (optional) Rather keystone should log at debug level. +# Defaults to False. # -# [enabled] If the keystone services should be enabled. 
Optional. Default to true. +# [*use_syslog*] +# (optional) Use syslog for logging. +# Defaults to false. # -# [*database_connection*] -# (optional) Url used to connect to database. -# Defaults to sqlite:////var/lib/keystone/keystone.db +# [*log_facility*] +# (optional) Syslog facility to receive log lines. +# Defaults to 'LOG_USER'. # -# [*database_idle_timeout*] -# (optional) Timeout when db connections should be reaped. -# Defaults to 200. +# [*catalog_type*] +# (optional) Type of catalog that keystone uses to store endpoints,services. +# Defaults to sql. (Also accepts template) # -# [enable_pki_setup] Enable call to pki_setup to generate the cert for signing pki tokens and -# revocation lists if it doesn't already exist. This generates a cert and key stored in file -# locations based on the signing_certfile and signing_keyfile paramters below. If you are -# providing your own signing cert, make this false. -# [signing_certfile] Location of the cert file for signing pki tokens and revocation lists. -# Optional. Note that if this file already exists (i.e. you are providing your own signing cert), -# the file will not be overwritten, even if enable_pki_setup is set to true. -# Default: /etc/keystone/ssl/certs/signing_cert.pem -# [signing_keyfile] Location of the key file for signing pki tokens and revocation lists. Optional. -# Note that if this file already exists (i.e. you are providing your own signing cert), the file -# will not be overwritten, even if enable_pki_setup is set to true. -# Default: /etc/keystone/ssl/private/signing_key.pem -# [signing_ca_certs] Use this CA certs file along with signing_certfile/signing_keyfile for -# signing pki tokens and revocation lists. Optional. Default: /etc/keystone/ssl/certs/ca.pem -# [signing_ca_key] Use this CA key file along with signing_certfile/signing_keyfile for signing -# pki tokens and revocation lists. Optional. 
Default: /etc/keystone/ssl/private/cakey.pem +# [*catalog_driver*] +# (optional) Catalog driver used by Keystone to store endpoints and services. +# Setting this value will override and ignore catalog_type. +# Defaults to false. # -# [*signing_cert_subject*] +# [*catalog_template_file*] +# (optional) Path to the catalog used if catalog_type equals 'template'. +# Defaults to '/etc/keystone/default_catalog.templates' +# +# [*token_provider*] +# (optional) Format keystone uses for tokens. +# Defaults to 'keystone.token.providers.uuid.Provider' +# Supports PKI and UUID. +# +# [*token_driver*] +# (optional) Driver to use for managing tokens. +# Defaults to 'keystone.token.persistence.backends.sql.Token' +# +# [*token_expiration*] +# (optional) Amount of time a token should remain valid (seconds). +# Defaults to 3600 (1 hour). +# +# [*revoke_driver*] +# (optional) Driver for token revocation. +# Defaults to 'keystone.contrib.revoke.backends.sql.Revoke' +# +# [*cache_dir*] +# (optional) Directory created when token_provider is pki. +# Defaults to /var/cache/keystone. +# +# [*memcache_servers*] +# (optional) List of memcache servers in format of server:port. +# Used with token_driver 'keystone.token.backends.memcache.Token'. +# Defaults to false. Example: ['localhost:11211'] +# +# [*cache_backend*] +# (optional) Dogpile.cache backend module. It is recommended that Memcache with pooling +# (keystone.cache.memcache_pool) or Redis (dogpile.cache.redis) be used in production. +# This has no effects unless 'memcache_servers' is set. +# Defaults to 'keystone.common.cache.noop' +# +# [*cache_backend_argument*] +# (optional) List of arguments in format of argname:value supplied to the backend module. +# Specify this option once per argument to be passed to the dogpile.cache backend. +# This has no effects unless 'memcache_servers' is set. +# Default to undef. +# +# [*debug_cache_backend*] +# (optional) Extra debugging from the cache backend (cache keys, get/set/delete calls). 
+# This has no effects unless 'memcache_servers' is set. +# Default to false. +# +# [*token_caching*] +# (optional) Toggle for token system caching. This has no effects unless 'memcache_servers' is set. +# Default to true. +# +# [*enabled*] +# (optional) If the keystone services should be enabled. +# Default to true. +# +# [*database_connection*] +# (optional) Url used to connect to database. +# Defaults to sqlite:////var/lib/keystone/keystone.db +# +# [*database_idle_timeout*] +# (optional) Timeout when db connections should be reaped. +# Defaults to 200. +# +# [*enable_pki_setup*] +# (optional) Enable call to pki_setup to generate the cert for signing pki tokens and +# revocation lists if it doesn't already exist. This generates a cert and key stored in file +# locations based on the signing_certfile and signing_keyfile paramters below. If you are +# providing your own signing cert, make this false. +# Default to true. +# +# [*signing_certfile*] +# (optional) Location of the cert file for signing pki tokens and revocation lists. +# Note that if this file already exists (i.e. you are providing your own signing cert), +# the file will not be overwritten, even if enable_pki_setup is set to true. +# Default: /etc/keystone/ssl/certs/signing_cert.pem +# +# [*signing_keyfile*] +# (optional) Location of the key file for signing pki tokens and revocation lists. +# Note that if this file already exists (i.e. you are providing your own signing cert), the file +# will not be overwritten, even if enable_pki_setup is set to true. +# Default: /etc/keystone/ssl/private/signing_key.pem +# +# [*signing_ca_certs*] +# (optional) Use this CA certs file along with signing_certfile/signing_keyfile for +# signing pki tokens and revocation lists. +# Default: /etc/keystone/ssl/certs/ca.pem +# +# [*signing_ca_key*] +# (optional) Use this CA key file along with signing_certfile/signing_keyfile for signing +# pki tokens and revocation lists. 
+# Default: /etc/keystone/ssl/private/cakey.pem +# +# [*signing_cert_subject*] # (optional) Certificate subject (auto generated certificate) for token signing. # Defaults to '/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com' # -# [*signing_key_size*] +# [*signing_key_size*] # (optional) Key size (in bits) for token signing cert (auto generated certificate) # Defaults to 2048 # -# [rabbit_host] Location of rabbitmq installation. Optional. Defaults to localhost. -# [rabbit_port] Port for rabbitmq instance. Optional. Defaults to 5672. -# [rabbit_hosts] Location of rabbitmq installation. Optional. Defaults to undef. -# [rabbit_password] Password used to connect to rabbitmq. Optional. Defaults to guest. -# [rabbit_userid] User used to connect to rabbitmq. Optional. Defaults to guest. -# [rabbit_virtual_host] The RabbitMQ virtual host. Optional. Defaults to /. +# [*rabbit_host*] +# (optional) Location of rabbitmq installation. +# Defaults to localhost. # -# [*rabbit_use_ssl*] -# (optional) Connect over SSL for RabbitMQ -# Defaults to false +# [*rabbit_port*] +# (optional) Port for rabbitmq instance. +# Defaults to 5672. # -# [*kombu_ssl_ca_certs*] -# (optional) SSL certification authority file (valid only if SSL enabled). -# Defaults to undef +# [*rabbit_hosts*] +# (optional) Location of rabbitmq installation. +# Defaults to undef. # -# [*kombu_ssl_certfile*] -# (optional) SSL cert file (valid only if SSL enabled). -# Defaults to undef +# [*rabbit_password*] +# (optional) Password used to connect to rabbitmq. +# Defaults to guest. # -# [*kombu_ssl_keyfile*] -# (optional) SSL key file (valid only if SSL enabled). -# Defaults to undef +# [*rabbit_userid*] +# (optional) User used to connect to rabbitmq. +# Defaults to guest. # -# [*kombu_ssl_version*] -# (optional) SSL version to use (valid only if SSL enabled). -# Valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may be -# available on some distributions. 
-# Defaults to 'TLSv1' +# [*rabbit_virtual_host*] +# (optional) The RabbitMQ virtual host. +# Defaults to /. # -# [notification_driver] RPC driver. Not enabled by default -# [notification_topics] AMQP topics to publish to when using the RPC notification driver. -# [control_exchange] AMQP exchange to connect to if using RabbitMQ or Qpid +# [*rabbit_use_ssl*] +# (optional) Connect over SSL for RabbitMQ +# Defaults to false # -# [*public_bind_host*] +# [*kombu_ssl_ca_certs*] +# (optional) SSL certification authority file (valid only if SSL enabled). +# Defaults to undef +# +# [*kombu_ssl_certfile*] +# (optional) SSL cert file (valid only if SSL enabled). +# Defaults to undef +# +# [*kombu_ssl_keyfile*] +# (optional) SSL key file (valid only if SSL enabled). +# Defaults to undef +# +# [*kombu_ssl_version*] +# (optional) SSL version to use (valid only if SSL enabled). +# Valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may be +# available on some distributions. +# Defaults to 'TLSv1' +# +# [*notification_driver*] +# RPC driver. Not enabled by default +# +# [*notification_topics*] +# (optional) AMQP topics to publish to when using the RPC notification driver. +# Default to false. +# +# [*control_exchange*] +# (optional) AMQP exchange to connect to if using RabbitMQ or Qpid +# Default to false. +# +# [*public_bind_host*] # (optional) The IP address of the public network interface to listen on # Default to '0.0.0.0'. # -# [*admin_bind_host*] +# [*admin_bind_host*] # (optional) The IP address of the public network interface to listen on # Default to '0.0.0.0'. 
# -# [*log_dir*] +# [*log_dir*] # (optional) Directory where logs should be stored # If set to boolean false, it will not log to any directory # Defaults to '/var/log/keystone' # -# [*log_file*] +# [*log_file*] # (optional) Where to log # Defaults to false # -# [*public_endpoint*] +# [*public_endpoint*] # (optional) The base public endpoint URL for keystone that are # advertised to clients (NOTE: this does NOT affect how # keystone listens for connections) (string value) @@ -161,7 +236,7 @@ # Sample value: 'http://localhost:5000/' # Defaults to false # -# [*admin_endpoint*] +# [*admin_endpoint*] # (optional) The base admin endpoint URL for keystone that are # advertised to clients (NOTE: this does NOT affect how keystone listens # for connections) (string value) 
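Review bot: Several entries rewritten on the new side of the first manifests/init.pp hunk carry typos this pass could have fixed: `Rather keystone should log` under `verbose` and `debug` should be `Whether keystone should log`, `compute servie` under `compute_port` should be `compute service`, and `paramters` under `enable_pki_setup` should be `parameters`. The `debug` entry says `Defaults to False` while `verbose` and `use_syslog` say `false`, and `notification_driver` is the only entry without an `(optional)` tag or a `Defaults to` line, so a reader cannot tell whether it is required. `admin_token` is the one value in this header that authenticates as a keystone admin; a one-line caveat under it such as `Treat this value as a secret: anyone holding it can act as keystone admin.` would be worth adding. The `kombu_ssl_version` entry lists SSLv3 and SSLv23 among the valid values without comment; a sentence saying the TLSv1 default should be kept and the SSLv* values avoided would steer readers away from obsolete protocols.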
@@ -169,63 +244,63 @@ # Sample value: 'http://localhost:35357/' # Defaults to false # -# [*enable_ssl*] +# [*enable_ssl*] # (optional) Toggle for SSL support on the keystone eventlet servers. # (boolean value) # Defaults to false # -# [*ssl_certfile*] +# [*ssl_certfile*] # (optional) Path of the certfile for SSL. (string value) # Defaults to '/etc/keystone/ssl/certs/keystone.pem' # -# [*ssl_keyfile*] +# [*ssl_keyfile*] # (optional) Path of the keyfile for SSL. (string value) # Defaults to '/etc/keystone/ssl/private/keystonekey.pem' # -# [*ssl_ca_certs*] +# [*ssl_ca_certs*] # (optional) Path of the ca cert file for SSL. (string value) # Defaults to '/etc/keystone/ssl/certs/ca.pem' # -# [*ssl_ca_key*] +# [*ssl_ca_key*] # (optional) Path of the CA key file for SSL (string value) # Defaults to '/etc/keystone/ssl/private/cakey.pem' # -# [*ssl_cert_subject*] +# [*ssl_cert_subject*] # (optional) SSL Certificate Subject (auto generated certificate) # (string value) # Defaults to '/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost' # -# [*mysql_module*] +# [*mysql_module*] # (optional) Deprecated. Does nothing. # -# [*validate_service*] +# [*validate_service*] # (optional) Whether to validate keystone connections after # the service is started. # Defaults to false # -# [*validate_insecure*] +# [*validate_insecure*] # (optional) Whether to validate keystone connections # using the --insecure option with keystone client. # Defaults to false # -# [*validate_cacert*] +# [*validate_cacert*] # (optional) Whether to validate keystone connections # using the specified argument with the --os-cacert option # with keystone client. # Defaults to undef # -# [*validate_auth_url*] +# [*validate_auth_url*] # (optional) The url to validate keystone against # Defaults to undef # -# [*service_provider*] +# [*service_provider*] # (optional) Provider, that can be used for keystone service. # Default value defined in keystone::params for given operation system. 
# If you use Pacemaker or another Cluster Resource Manager, you can make # custom service provider for changing start/stop/status behavior of service, # and set it here. # -# [*service_name*] +# [*service_name*] # (optional) Name of the service that will be providing the # server functionality of keystone. For example, the default # is just 'keystone', which means keystone will be run as a @@ -242,23 +317,23 @@ # Defaults to 'keystone' # NOTE: validate_service only applies if the value is 'keystone' # -# [*paste_config*] +# [*paste_config*] # (optional) Name of the paste configuration file that defines the # available pipelines. (string value) # Defaults to '/usr/share/keystone/keystone-dist-paste.ini' on RedHat and # undef on other platforms. # -# [*max_token_size*] -# (optional) maximum allowable Keystone token size -# Defaults to undef +# [*max_token_size*] +# (optional) maximum allowable Keystone token size +# Defaults to undef # -# [*admin_workers*] -# (optional) The number of worker processes to serve the admin WSGI application. -# Defaults to max($::processorcount, 2) +# [*admin_workers*] +# (optional) The number of worker processes to serve the admin WSGI application. +# Defaults to max($::processorcount, 2) # -# [*public_workers*] -# (optional) The number of worker processes to serve the public WSGI application. -# Defaults to max($::processorcount, 2) +# [*public_workers*] +# (optional) The number of worker processes to serve the public WSGI application. +# Defaults to max($::processorcount, 2) # # == Dependencies # None diff --git a/manifests/ldap.pp b/manifests/ldap.pp index 96ec8cd0a..33ff97785 100644 --- a/manifests/ldap.pp +++ b/manifests/ldap.pp 
@@ -1,6 +1,376 @@ +# == class: keystone::ldap # # Implements ldap configuration for keystone. # +# === parameters: +# +# [*url*] +# URL for connecting to the LDAP server. (string value) +# Defaults to 'undef' +# +# [*user*] +# User BindDN to query the LDAP server. (string value) +# Defaults to 'undef' +# +# [*password*] +# Password for the BindDN to query the LDAP server. (string value) +# Defaults to 'undef' +# +# [*suffix*] +# LDAP server suffix (string value) +# Defaults to 'undef' +# +# [*query_scope*] +# The LDAP scope for queries, this can be either "one" +# (onelevel/singleLevel) or "sub" (subtree/wholeSubtree). (string value) +# Defaults to 'undef' +# +# [*page_size*] +# Maximum results per page; a value of zero ("0") disables paging. (integer value) +# Defaults to 'undef' +# +# [*user_tree_dn*] +# Search base for users. (string value) +# Defaults to 'undef' +# +# [*user_filter*] +# LDAP search filter for users. (string value) +# Defaults to 'undef' +# +# [*user_objectclass*] +# LDAP objectclass for users. (string value) +# Defaults to 'undef' +# +# [*user_id_attribute*] +# LDAP attribute mapped to user id. WARNING: must not be a multivalued attribute. (string value) +# Defaults to 'undef' +# +# [*user_name_attribute*] +# LDAP attribute mapped to user name. (string value) +# Defaults to 'undef' +# +# [*user_mail_attribute*] +# LDAP attribute mapped to user email. (string value) +# +# [*user_enabled_attribute*] +# LDAP attribute mapped to user enabled flag. (string value) +# Defaults to 'undef' +# +# [*user_enabled_mask*] +# Bitmask integer to indicate the bit that the enabled value is stored in if +# the LDAP server represents "enabled" as a bit on an integer rather than a +# boolean. A value of "0" indicates the mask is not used. If this is not set +# to "0" the typical value is "2". This is typically used when +# "user_enabled_attribute = userAccountControl". 
(integer value) +# Defaults to 'undef' +# +# [*user_enabled_default*] +# Default value to enable users. This should match an appropriate int value +# if the LDAP server uses non-boolean (bitmask) values to indicate if a user +# is enabled or disabled. If this is not set to "True" the typical value is +# "512". This is typically used when "user_enabled_attribute = +# userAccountControl". (string value) +# Defaults to 'undef' +# +# [*user_enabled_invert*] +# Invert the meaning of the boolean enabled values. Some LDAP servers use a +# boolean lock attribute where "true" means an account is disabled. Setting +# "user_enabled_invert = true" will allow these lock attributes to be used. +# This setting will have no effect if "user_enabled_mask" or +# "user_enabled_emulation" settings are in use. (boolean value) +# Defaults to 'undef' +# +# [*user_attribute_ignore*] +# List of attributes stripped off the user on update. (list value) +# Defaults to 'undef' +# +# [*user_default_project_id_attribute*] +# LDAP attribute mapped to default_project_id for users. (string value) +# Defaults to 'undef' +# +# [*user_allow_create*] +# Allow user creation in LDAP backend. (boolean value) +# Defaults to 'undef' +# +# [*user_allow_update*] +# Allow user updates in LDAP backend. (boolean value) +# Defaults to 'undef' +# +# [*user_allow_delete*] +# Allow user deletion in LDAP backend. (boolean value) +# Defaults to 'undef' +# +# [*user_pass_attribute*] +# LDAP attribute mapped to password. (string value) +# Defaults to 'undef' +# +# [*user_enabled_emulation*] +# If true, Keystone uses an alternative method to determine if +# a user is enabled or not by checking if they are a member of +# the "user_enabled_emulation_dn" group. (boolean value) +# Defaults to 'undef' +# +# [*user_enabled_emulation_dn*] +# DN of the group entry to hold enabled users when using enabled emulation. 
+# (string value)
+# Defaults to 'undef'
+#
+# [*user_additional_attribute_mapping*]
+# List of additional LDAP attributes used for mapping
+# additional attribute mappings for users. Attribute mapping
+# format is :, where ldap_attr is the
+# attribute in the LDAP entry and user_attr is the Identity
+# API attribute. (list value)
+# Defaults to 'undef'
+#
+# [*project_tree_dn*]
+# Search base for projects (string value)
+# Defaults to 'undef'
+#
+# [*project_filter*]
+# LDAP search filter for projects. (string value)
+# Defaults to 'undef'
+#
+# [*project_objectclass*]
+# LDAP objectclass for projects. (string value)
+# Defaults to 'undef'
+#
+# [*project_id_attribute*]
+# LDAP attribute mapped to project id. (string value)
+# Defaults to 'undef'
+#
+# [*project_member_attribute*]
+# LDAP attribute mapped to project membership for user. (string value)
+# Defaults to 'undef'
+#
+# [*project_name_attribute*]
+# LDAP attribute mapped to project name. (string value)
+# Defaults to 'undef'
+#
+# [*project_desc_attribute*]
+# LDAP attribute mapped to project description. (string value)
+# Defaults to 'undef'
+#
+# [*project_enabled_attribute*]
+# LDAP attribute mapped to project enabled. (string value)
+# Defaults to 'undef'
+#
+# [*project_domain_id_attribute*]
+# LDAP attribute mapped to project domain_id. (string value)
+# Defaults to 'undef'
+#
+# [*project_attribute_ignore*]
+# List of attributes stripped off the project on update. (list value)
+# Defaults to 'undef'
+#
+# [*project_allow_create*]
+# Allow project creation in LDAP backend. (boolean value)
+# Defaults to 'undef'
+#
+# [*project_allow_update*]
+# Allow project update in LDAP backend. (boolean value)
+# Defaults to 'undef'
+#
+# [*project_allow_delete*]
+# Allow project deletion in LDAP backend. (boolean value)
+# Defaults to 'undef'
+#
+# [*project_enabled_emulation*]
+# If true, Keystone uses an alternative method to determine if
+# a project is enabled or not by checking if they are a member
+# of the "project_enabled_emulation_dn" group. (boolean value)
+# Defaults to 'undef'
+#
+# [*project_enabled_emulation_dn*]
+# DN of the group entry to hold enabled projects when using
+# enabled emulation. (string value)
+# Defaults to 'undef'
+#
+# [*project_additional_attribute_mapping*]
+# Additional attribute mappings for projects. Attribute
+# mapping format is :, where ldap_attr
+# is the attribute in the LDAP entry and user_attr is the
+# Identity API attribute. (list value)
+# Defaults to 'undef'
+#
+# [*role_tree_dn*]
+# Search base for roles. (string value)
+# Defaults to 'undef'
+#
+# [*role_filter*]
+# LDAP search filter for roles. (string value)
+# Defaults to 'undef'
+#
+# [*role_objectclass*]
+# LDAP objectclass for roles. (string value)
+# Defaults to 'undef'
+#
+# [*role_id_attribute*]
+# LDAP attribute mapped to role id. (string value)
+# Defaults to 'undef'
+#
+# [*role_name_attribute*]
+# LDAP attribute mapped to role name. (string value)
+# Defaults to 'undef'
+#
+# [*role_member_attribute*]
+# LDAP attribute mapped to role membership. (string value)
+# Defaults to 'undef'
+#
+# [*role_attribute_ignore*]
+# List of attributes stripped off the role on update. (list value)
+# Defaults to 'undef'
+#
+# [*role_allow_create*]
+# Allow role creation in LDAP backend. (boolean value)
+# Defaults to 'undef'
+#
+# [*role_allow_update*]
+# Allow role update in LDAP backend. (boolean value)
+# Defaults to 'undef'
+#
+# [*role_allow_delete*]
+# Allow role deletion in LDAP backend. (boolean value)
+# Defaults to 'undef'
+#
+# [*role_additional_attribute_mapping*]
+# Additional attribute mappings for roles. Attribute mapping
+# format is :, where ldap_attr is the
+# attribute in the LDAP entry and user_attr is the Identity
+# API attribute. (list value)
+# Defaults to 'undef'
+#
+# [*group_tree_dn*]
+# Search base for groups. (string value)
+# Defaults to 'undef'
+#
+# [*group_filter*]
+# LDAP search filter for groups. (string value)
+# Defaults to 'undef'
+#
+# [*group_objectclass*]
+# LDAP objectclass for groups. (string value)
+# Defaults to 'undef'
+#
+# [*group_id_attribute*]
+# LDAP attribute mapped to group id. (string value)
+# Defaults to 'undef'
+#
+# [*group_name_attribute*]
+# LDAP attribute mapped to group name. (string value)
+# Defaults to 'undef'
+#
+# [*group_member_attribute*]
+# LDAP attribute mapped to show group membership. (string value)
+# Defaults to 'undef'
+#
+# [*group_desc_attribute*]
+# LDAP attribute mapped to group description. (string value)
+# Defaults to 'undef'
+#
+# [*group_attribute_ignore*]
+# List of attributes stripped off the group on update. (list value)
+# Defaults to 'undef'
+#
+# [*group_allow_create*]
+# Allow group creation in LDAP backend. (boolean value)
+# Defaults to 'undef'
+#
+# [*group_allow_update*]
+# Allow group update in LDAP backend. (boolean value)
+# Defaults to 'undef'
+#
+# [*group_allow_delete*]
+# Allow group deletion in LDAP backend. (boolean value)
+# Defaults to 'undef'
+#
+# [*group_additional_attribute_mapping*]
+# Additional attribute mappings for groups. Attribute mapping
+# format is :, where ldap_attr is the
+# attribute in the LDAP entry and user_attr is the Identity
+# API attribute. (list value)
+# Defaults to 'undef'
+#
+# [*use_tls*]
+# Enable TLS for communicating with LDAP servers. (boolean value)
+# Defaults to 'undef'
+#
+# [*tls_cacertfile*]
+# CA certificate file path for communicating with LDAP servers. (string value)
+# Defaults to 'undef'
+#
+# [*tls_cacertdir*]
+# CA certificate directory path for communicating with LDAP servers. (string value)
+# Defaults to 'undef'
+#
+# [*tls_req_cert*]
+# Valid options for tls_req_cert are demand, never, and allow. (string value)
+# Defaults to 'undef'
+#
+# [*identity_driver*]
+# Identity backend driver. (string value)
+# Defaults to 'undef'
+#
+# [*assignment_driver*]
+# Assignment backend driver. (string value)
+# Defaults to 'undef'
+#
+# [*use_pool*]
+# Enable LDAP connection pooling. (boolean value)
+# Defaults to false
+#
+# [*pool_size*]
+# Connection pool size. (integer value)
+# Defaults to '10'
+#
+# [*pool_retry_max*]
+# Maximum count of reconnect trials. (integer value)
+# Defaults to '3'
+#
+# [*pool_retry_delay*]
+# Time span in seconds to wait between two reconnect trials. (floating point value)
+# Defaults to '0.1'
+#
+# [*pool_connection_timeout*]
+# Connector timeout in seconds. Value -1 indicates indefinite wait for response. (integer value)
+# Defaults to '-1'
+#
+# [*pool_connection_lifetime*]
+# Connection lifetime in seconds. (integer value)
+# Defaults to '600'
+#
+# [*use_auth_pool*]
+# Enable LDAP connection pooling for end user authentication.
+# If use_pool is disabled, then this setting is meaningless and is not used at all. (boolean value)
+# Defaults to false
+#
+# [*auth_pool_size*]
+# End user auth connection pool size. (integer value)
+# Defaults to '100'
+#
+# [*auth_pool_connection_lifetime*]
+# End user auth connection lifetime in seconds. (integer value)
+# Defaults to '60'
+#
+# === DEPRECATED group/name
+#
+# [*tenant_tree_dn*]
+# [*tenant_filter*]
+# [*tenant_objectclass*]
+# [*tenant_id_attribute*]
+# [*tenant_member_attribute*]
+# [*tenant_name_attribute*]
+# [*tenant_desc_attribute*]
+# [*tenant_enabled_attribute*]
+# [*tenant_domain_id_attribute*]
+# [*tenant_attribute_ignore*]
+# [*tenant_allow_create*]
+# [*tenant_allow_update*]
+# [*tenant_enabled_emulation*]
+# [*tenant_enabled_emulation_dn*]
+# [*tenant_additional_attribute_mapping*]
+# [*tenant_allow_delete*]
+#
 # == Dependencies
 # == Examples
 # == Authors
diff --git a/manifests/python.pp b/manifests/python.pp
index 858fd6504..32adc63f4 100644
--- a/manifests/python.pp
+++ b/manifests/python.pp
@@ -1,6 +1,16 @@
+# == Class keystone::python
 #
 # installs client python libraries for keystone
 #
+# === Parameters:
+#
+# [*client_package_name*]
+# (optional) The name of python keystone client package
+# Defaults to $keystone::params::client_package_name
+#
+# [*ensure*]
+# (optional) The state for the keystone client package
+# Defaults to 'present'
 #
 class keystone::python (
 $client_package_name = $keystone::params::client_package_name,
diff --git a/manifests/resource/service_identity.pp b/manifests/resource/service_identity.pp
index 08eaa7f5e..9bbd1b13a 100644
--- a/manifests/resource/service_identity.pp
+++ b/manifests/resource/service_identity.pp
@@ -22,76 +22,76 @@
 # == Parameters:
 #
 # [*password*]
-# Password to create for the service user;
-# string; required
+# Password to create for the service user;
+# string; required
 #
 # [*auth_name*]
-# The name of the service user;
-# string; optional; default to the $title of the resource, i.e. 'nova'
+# The name of the service user;
+# string; optional; default to the $title of the resource, i.e. 'nova'
 #
 # [*service_name*]
-# Name of the service;
-# string; required
+# Name of the service;
+# string; required
 #
 # [*service_type*]
-# Type of the service;
-# string; required
+# Type of the service;
+# string; required
 #
 # [*service_description*]
-# Description of the service;
-# string; optional: default to '$name service'
+# Description of the service;
+# string; optional: default to '$name service'
 #
 # [*public_url*]
-# Public endpoint URL;
-# string; required
+# Public endpoint URL;
+# string; required
 #
 # [*internal_url*]
-# Internal endpoint URL;
-# string; required
+# Internal endpoint URL;
+# string; required
 #
 # [*admin_url*]
-# Admin endpoint URL;
-# string; required
+# Admin endpoint URL;
+# string; required
 #
 # [*region*]
-# Endpoint region;
-# string; optional: default to 'RegionOne'
+# Endpoint region;
+# string; optional: default to 'RegionOne'
 #
 # [*tenant*]
-# Service tenant;
-# string; optional: default to 'services'
+# Service tenant;
+# string; optional: default to 'services'
 #
 # [*ignore_default_tenant*]
-# Ignore setting the default tenant value when the user is created.
-# string; optional: default to false
+# Ignore setting the default tenant value when the user is created.
+# string; optional: default to false
 #
 # [*roles*]
-# List of roles;
-# string; optional: default to ['admin']
+# List of roles;
+# string; optional: default to ['admin']
 #
 # [*domain*]
-# User domain (keystone v3), not implemented yet.
-# string; optional: default to undef
+# User domain (keystone v3), not implemented yet.
+# string; optional: default to undef
 #
 # [*email*]
-# Service email;
-# string; optional: default to '$auth_name@localhost'
+# Service email;
+# string; optional: default to '$auth_name@localhost'
 #
 # [*configure_endpoint*]
-# Whether to create the endpoint.
-# string; optional: default to True
+# Whether to create the endpoint.
+# string; optional: default to True
 #
 # [*configure_user*]
-# Whether to create the user.
-# string; optional: default to True
+# Whether to create the user.
+# string; optional: default to True
 #
 # [*configure_user_role*]
-# Whether to create the user role.
-# string; optional: default to True
+# Whether to create the user role.
+# string; optional: default to True
 #
 # [*configure_service*]
-# Whether to create the service.
-# string; optional: default to True
+# Whether to create the service.
+# string; optional: default to True
 #
 define keystone::resource::service_identity(
 $admin_url = false,
diff --git a/manifests/roles/admin.pp b/manifests/roles/admin.pp
index 4fd5e0970..aa5abd72f 100644
--- a/manifests/roles/admin.pp
+++ b/manifests/roles/admin.pp
@@ -1,3 +1,4 @@
+# == Class: keystone::roles::admin
 #
 # This class implements some reasonable admin defaults for keystone.
 #
@@ -8,18 +9,49 @@
 # * admin role
 # * adds admin role to admin user on the "admin" tenant
 #
-# [*Parameters*]
+# === Parameters:
 #
-# [email] The email address for the admin. Required.
-# [password] The admin password. Required.
-# [admin_roles] The list of the roles with admin privileges. Optional. Defaults to ['admin'].
-# [admin_tenant] The name of the tenant to be used for admin privileges. Optional. Defaults to openstack.
-# [admin] Admin user. Optional. Defaults to admin.
-# [ignore_default_tenant] Ignore setting the default tenant value when the user is created. Optional. Defaults to false.
-# [admin_tenant_desc] Optional. Description for admin tenant, defaults to 'admin tenant'
-# [service_tenant_desc] Optional. Description for admin tenant, defaults to 'Tenant for the openstack services'
-# [configure_user] Optional. Should the admin user be created? Defaults to 'true'.
-# [configure_user_role] Optional. Should the admin role be configured for the admin user? Defaulst to 'true'.
+# [*email*]
+# The email address for the admin. Required.
+#
+# [*password*]
+# The admin password. Required.
+#
+# [*admin_roles*]
+# The list of the roles with admin privileges. Optional.
+# Defaults to ['admin'].
+#
+# [*admin_tenant*]
+# The name of the tenant to be used for admin privileges. Optional.
+# Defaults to openstack.
+#
+# [*service_tenant*]
+# The name of service keystone tenant. Optional.
+# Defaults to 'services'.
+#
+# [*admin*]
+# Admin user. Optional.
+# Defaults to admin.
+#
+# [*ignore_default_tenant*]
+# Ignore setting the default tenant value when the user is created. Optional.
+# Defaults to false.
+#
+# [*admin_tenant_desc*]
+# Optional. Description for admin tenant,
+# Defaults to 'admin tenant'
+#
+# [*service_tenant_desc*]
+# Optional. Description for admin tenant,
+# Defaults to 'Tenant for the openstack services'
+#
+# [*configure_user*]
+# Optional. Should the admin user be created?
+# Defaults to 'true'.
+#
+# [*configure_user_role*]
+# Optional. Should the admin role be configured for the admin user?
+# Defaulst to 'true'.
 #
 # == Dependencies
 # == Examples
diff --git a/manifests/service.pp b/manifests/service.pp
index 25407ff7d..72f6f138a 100644
--- a/manifests/service.pp
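Review bot: The new `[*service_tenant_desc*]` entry still carries the copy-pasted text `Optional. Description for admin tenant,` although its default `'Tenant for the openstack services'` shows it describes the service tenant, and the `[*configure_user_role*]` entry keeps the old typo `Defaulst to 'true'.`. Suggest `# Optional. Description for the service tenant.` for the former and `# Defaults to 'true'.` for the latter, and dropping the dangling comma in `admin_tenant_desc` as well. Since `[*password*]` is documented only as `The admin password. Required.`, it would help operators to add one line saying this is the cloud-wide admin credential and should be supplied from a secret source rather than committed in a plain-text manifest. The class body is outside the hunk, so whether the value is logged or echoed anywhere cannot be checked here.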
@@ -9,60 +9,59 @@ # === Parameters # # [*ensure*] -# (optional) The desired state of the keystone service -# Defaults to 'running' +# (optional) The desired state of the keystone service +# Defaults to 'running' # # [*service_name*] -# (optional) The name of the keystone service -# Defaults to $::keystone::params::service_name +# (optional) The name of the keystone service +# Defaults to $::keystone::params::service_name # # [*enable*] -# (optional) Whether to enable the keystone service -# Defaults to true +# (optional) Whether to enable the keystone service +# Defaults to true # # [*hasstatus*] -# (optional) Whether the keystone service has status -# Defaults to true +# (optional) Whether the keystone service has status +# Defaults to true # # [*hasrestart*] -# (optional) Whether the keystone service has restart -# Defaults to true +# (optional) Whether the keystone service has restart +# Defaults to true # # [*provider*] -# (optional) Provider for keystone service -# Defaults to $::keystone::params::service_provider +# (optional) Provider for keystone service +# Defaults to $::keystone::params::service_provider # # [*validate*] -# (optional) Whether to validate the service is working -# after any service refreshes -# Defaults to false +# (optional) Whether to validate the service is working after any service refreshes +# Defaults to false # # [*admin_token*] -# (optional) The admin token to use for validation -# Defaults to undef +# (optional) The admin token to use for validation +# Defaults to undef # # [*admin_endpoint*] -# (optional) The admin endpont to use for validation -# Defaults to 'http://localhost:35357/v2.0' +# (optional) The admin endpont to use for validation +# Defaults to 'http://localhost:35357/v2.0' # # [*retries*] -# (optional) Number of times to retry validation -# Defaults to 10 +# (optional) Number of times to retry validation +# Defaults to 10 # # [*delay*] -# (optional) Number of seconds between validation attempts -# Defaults to 2 +# 
(optional) Number of seconds between validation attempts +# Defaults to 2 # # [*insecure*] -# (optional) Whether to validate keystone connections -# using the --insecure option with keystone client. -# Defaults to false +# (optional) Whether to validate keystone connections +# using the --insecure option with keystone client. +# Defaults to false # # [*cacert*] -# (optional) Whether to validate keystone connections -# using the specified argument with the --os-cacert option -# with keystone client. -# Defaults to undef +# (optional) Whether to validate keystone connections +# using the specified argument with the --os-cacert option +# with keystone client. +# Defaults to undef # class keystone::service( $ensure = 'running', @@ -106,13 +105,13 @@ class keystone::service( $cmd = "openstack --os-auth-url ${admin_endpoint} --os-token ${admin_token} ${insecure_s} ${cacert_s} user list" $catch = 'name' exec { 'validate_keystone_connection': - path => '/usr/bin:/bin:/usr/sbin:/sbin', - provider => shell, - command => $cmd, - subscribe => Service['keystone'], - refreshonly => true, - tries => $retries, - try_sleep => $delay + path => '/usr/bin:/bin:/usr/sbin:/sbin', + provider => shell, + command => $cmd, + subscribe => Service['keystone'], + refreshonly => true, + tries => $retries, + try_sleep => $delay } Exec['validate_keystone_connection'] -> Keystone_user<||> diff --git a/manifests/wsgi/apache.pp b/manifests/wsgi/apache.pp index b2a3b10c3..38a9f70cd 100644 --- a/manifests/wsgi/apache.pp +++ b/manifests/wsgi/apache.pp 
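Review bot: The re-indented `[*admin_token*]` entry still says only `(optional) The admin token to use for validation`, while the unchanged `$cmd` context line in the second hunk interpolates it directly into the shell command (`--os-token ${admin_token}`), so the token is readable by any local user in the process table for the duration of the validation `exec` and will typically be echoed in Puppet's failure report if the command returns non-zero. Suggest extending the entry: `# (optional) The admin token to use for validation. It is passed on the` / `# command line of the validation exec, so it is visible in the process list` / `# and in Puppet's exec failure messages; use a short-lived token where possible.` In the same spirit, `[*insecure*]` should state that `--insecure` disables TLS certificate verification of `admin_endpoint`, and `[*admin_endpoint*]` that the default is plain `http://`, so the token crosses the wire unencrypted unless the endpoint is overridden. The body of `keystone::service` that builds `$insecure_s`/`$cacert_s` lies outside these hunks.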
@@ -46,15 +46,41 @@ # Optional. Defaults to 1 # # [*ssl_cert*] +# (optional) Path to SSL certificate +# Default to apache::vhost 'ssl_*' defaults. +# # [*ssl_key*] +# (optional) Path to SSL key +# Default to apache::vhost 'ssl_*' defaults. +# # [*ssl_chain*] +# (optional) SSL chain +# Default to apache::vhost 'ssl_*' defaults. +# # [*ssl_ca*] +# (optional) Path to SSL certificate authority +# Default to apache::vhost 'ssl_*' defaults. +# # [*ssl_crl_path*] +# (optional) Path to SSL certificate revocation list +# Default to apache::vhost 'ssl_*' defaults. +# # [*ssl_crl*] +# (optional) SSL certificate revocation list name +# Default to apache::vhost 'ssl_*' defaults. +# # [*ssl_certs_dir*] # apache::vhost ssl parameters. # Optional. Default to apache::vhost 'ssl_*' defaults. # +# [*priority*] +# (optional) The priority for the vhost. +# Defaults to '10' +# +# [*threads*] +# (optional) The number of threads for the vhost. +# Defaults to $::processorcount +# # == Dependencies # # requires Class['apache'] & Class['keystone']