Merge "Add missing puppetdoc and lint all parameter documentation"

2015-03-15 20:41:39 +00:00 · 2015-03-15 20:41:39 +00:00 · a687f5d0e0
parent 5b4bc4871b a3bdaad473
commit a687f5d0e0
13 changed files with 836 additions and 297 deletions
--- a/2
+++ b/2
@ -2,7 +2,7 @@ source 'https://rubygems.org'

 group :development, :test do
  gem 'puppetlabs_spec_helper', :require => false
-  gem 'puppet-lint', '~> 0.3.2'
+  gem 'puppet-lint-param-docs'
  gem 'rspec-puppet', '~> 1.0.1'
  gem 'rake', '10.1.1'
 end
--- a/manifests/client.pp
+++ b/manifests/client.pp
@ -5,7 +5,8 @@
 # === Parameters
 #
 # [*ensure*]
-#   (optional) Ensure state of the package. Defaults to 'present'.
+#   (optional) Ensure state of the package.
+#   Defaults to 'present'.
 #
 class keystone::client (
  $ensure = 'present'
--- a/manifests/db/mysql.pp
+++ b/manifests/db/mysql.pp
@ -5,19 +5,39 @@
 #
 # == parameters
 #
-# [password] Password that will be used for the keystone db user.
-#   Optional. Defaults to: 'keystone_default_password'
+# [*password*]
+#   (Mandatory) Password to connect to the database.
+#   Defaults to 'false'.
 #
-# [dbname] Name of keystone database. Optional. Defaults to keystone.
+# [*dbname*]
+#   (Optional) Name of the database.
+#   Defaults to 'keystone'.
 #
-# [user] Name of keystone user. Optional. Defaults to keystone.
+# [*user*]
+#   (Optional) User to connect to the database.
+#   Defaults to 'keystone'.
 #
-# [host] Host where user should be allowed all priveleges for database.
-# Optional. Defaults to 127.0.0.1.
+# [*host*]
+#   (Optional) The default source host user is allowed to connect from.
+#   Defaults to '127.0.0.1'
 #
-# [allowed_hosts] Hosts allowed to use the database
+# [*allowed_hosts*]
+#   (Optional) Other hosts the user is allowed to connect from.
+#   Defaults to 'undef'.
 #
-# [*mysql_module*] Deprecated. Does nothing.
+# [*charset*]
+#   (Optional) The database charset.
+#   Defaults to 'utf8'
+#
+# [*collate*]
+#   (Optional) The database collate.
+#   Only used with mysql modules >= 2.2.
+#   Defaults to 'utf8_unicode_ci'
+#
+# === Deprecated Parameters
+#
+# [*mysql_module*]
+#   (Optional) Does nothing.
 #
 # == Dependencies
 #   Class['mysql::server']
--- a/manifests/dev/install.pp
+++ b/manifests/dev/install.pp
@ -1,6 +1,12 @@
 #
 # Installs keystone from source. This is not yet fully implemented
 #
+# == Parameters
+#
+# [*source_dir*]
+#   (optional) The source dire for dev installation
+#   Defaults to '/usr/local/keystone'
+#
 # == Dependencies
 # == Examples
 # == Authors
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -3,72 +3,111 @@
 #
 # == Parameters
 #
-#   [package_ensure] Desired ensure state of packages. Optional. Defaults to present.
+# [*package_ensure*]
+#   (optional) Desired ensure state of packages.
 #   accepts latest or specific versions.
-#   [client_package_ensure] Desired ensure state of the client package. Optional. Defaults to present.
+#   Defaults to present.
+#
+# [*client_package_ensure*]
+#   (optional) Desired ensure state of the client package.
 #   accepts latest or specific versions.
-#   [public_port]
+#   Defaults to present.
 #
-#   [compute_port]
-#     (optional) DEPRECATED. The port for the compute service.
-#     Defaults to 8774.
+# [*public_port*]
+#   (optional) Port that keystone binds to.
+#   Defaults to '5000'
 #
-#   [admin_port]
-#   [admin_port] Port that can be used for admin tasks.
-#   [admin_token] Admin token that can be used to authenticate as a keystone
+# [*compute_port*]
+#   (optional) DEPRECATED The port for compute servie.
+#   Defaults to '8774'
+#
+# [*admin_port*]
+#   (optional) Port that can be used for admin tasks.
+#   Defaults to '35357'
+#
+# [*admin_token*]
+#   Admin token that can be used to authenticate as a keystone
 #   admin. Required.
-#   [verbose] Rather keystone should log at verbose level. Optional.
+#
+# [*verbose*]
+#   (optional) Rather keystone should log at verbose level.
+#   Defaults to false.
+#
+# [*debug*]
+#   (optional) Rather keystone should log at debug level.
 #   Defaults to False.
-#   [debug] Rather keystone should log at debug level. Optional.
-#     Defaults to False.
-#   [use_syslog] Use syslog for logging. Optional.
-#     Defaults to False.
-#   [log_facility] Syslog facility to receive log lines. Optional.
-#   [catalog_type] Type of catalog that keystone uses to store endpoints,services. Optional.
+#
+# [*use_syslog*]
+#   (optional) Use syslog for logging.
+#   Defaults to false.
+#
+# [*log_facility*]
+#   (optional) Syslog facility to receive log lines.
+#   Defaults to 'LOG_USER'.
+#
+# [*catalog_type*]
+#   (optional) Type of catalog that keystone uses to store endpoints,services.
 #   Defaults to sql. (Also accepts template)
-#   [catalog_driver] Catalog driver used by Keystone to store endpoints and services. Optional.
+#
+# [*catalog_driver*]
+#   (optional) Catalog driver used by Keystone to store endpoints and services.
 #   Setting this value will override and ignore catalog_type.
-#   [catalog_template_file] Path to the catalog used if catalog_type equals 'template'.
+#   Defaults to false.
+#
+# [*catalog_template_file*]
+#   (optional) Path to the catalog used if catalog_type equals 'template'.
 #   Defaults to '/etc/keystone/default_catalog.templates'
-#   [token_provider] Format keystone uses for tokens. Optional.
+#
+# [*token_provider*]
+#   (optional) Format keystone uses for tokens.
 #   Defaults to 'keystone.token.providers.uuid.Provider'
 #   Supports PKI and UUID.
-#   [token_driver] Driver to use for managing tokens.
-#     Optional.  Defaults to 'keystone.token.persistence.backends.sql.Token'
-#   [token_expiration] Amount of time a token should remain valid (seconds).
-#     Optional.  Defaults to 3600 (1 hour).
-#   [revoke_driver] Driver for token revocation.
-#     Optional.  Defaults to 'keystone.contrib.revoke.backends.sql.Revoke'
-#   [cache_dir] Directory created when token_provider is pki. Optional.
+#
+# [*token_driver*]
+#   (optional) Driver to use for managing tokens.
+#   Defaults to 'keystone.token.persistence.backends.sql.Token'
+#
+# [*token_expiration*]
+#   (optional) Amount of time a token should remain valid (seconds).
+#   Defaults to 3600 (1 hour).
+#
+# [*revoke_driver*]
+#   (optional) Driver for token revocation.
+#   Defaults to 'keystone.contrib.revoke.backends.sql.Revoke'
+#
+# [*cache_dir*]
+#   (optional) Directory created when token_provider is pki.
 #   Defaults to /var/cache/keystone.
 #
-#   [memcache_servers]
-#     List of memcache servers in format of server:port.
+# [*memcache_servers*]
+#   (optional) List of memcache servers in format of server:port.
 #   Used with token_driver 'keystone.token.backends.memcache.Token'.
-#     Optional. Defaults to false. Example: ['localhost:11211']
+#   Defaults to false. Example: ['localhost:11211']
 #
-#   [cache_backend]
-#     Dogpile.cache backend module. It is recommended that Memcache with pooling
+# [*cache_backend*]
+#   (optional) Dogpile.cache backend module. It is recommended that Memcache with pooling
 #   (keystone.cache.memcache_pool) or Redis (dogpile.cache.redis) be used in production.
 #   This has no effects unless 'memcache_servers' is set.
-#     Optional. Defaults to 'keystone.common.cache.noop'
+#   Defaults to 'keystone.common.cache.noop'
 #
-#   [cache_backend_argument]
-#     List of arguments in format of argname:value supplied to the backend module.
+# [*cache_backend_argument*]
+#   (optional) List of arguments in format of argname:value supplied to the backend module.
 #   Specify this option once per argument to be passed to the dogpile.cache backend.
 #   This has no effects unless 'memcache_servers' is set.
-#     Optional. Default to undef.
+#   Default to undef.
 #
-#   [debug_cache_backend]
-#     Extra debugging from the cache backend (cache keys, get/set/delete calls).
+# [*debug_cache_backend*]
+#   (optional) Extra debugging from the cache backend (cache keys, get/set/delete calls).
 #   This has no effects unless 'memcache_servers' is set.
-#     Optional. Default to false.
+#   Default to false.
 #
-#   [token_caching]
-#     Toggle for token system caching. This has no effects unless 'memcache_servers' is set.
-#     Optional. Default to true.
+# [*token_caching*]
+#   (optional) Toggle for token system caching. This has no effects unless 'memcache_servers' is set.
+#   Default to true.
 #
-#   [enabled] If the keystone services should be enabled. Optional. Default to true.
+# [*enabled*]
+#  (optional) If the keystone services should be enabled.
+#   Default to true.
 #
 # [*database_connection*]
 #   (optional) Url used to connect to database.
@ -78,22 +117,34 @@
 #   (optional) Timeout when db connections should be reaped.
 #   Defaults to 200.
 #
-#   [enable_pki_setup] Enable call to pki_setup to generate the cert for signing pki tokens and
+# [*enable_pki_setup*]
+#   (optional) Enable call to pki_setup to generate the cert for signing pki tokens and
 #   revocation lists if it doesn't already exist. This generates a cert and key stored in file
 #   locations based on the signing_certfile and signing_keyfile paramters below. If you are
 #   providing your own signing cert, make this false.
-#   [signing_certfile] Location of the cert file for signing pki tokens and revocation lists.
-#     Optional. Note that if this file already exists (i.e. you are providing your own signing cert),
+#   Default to true.
+#
+# [*signing_certfile*]
+#   (optional) Location of the cert file for signing pki tokens and revocation lists.
+#   Note that if this file already exists (i.e. you are providing your own signing cert),
 #   the file will not be overwritten, even if enable_pki_setup is set to true.
 #   Default: /etc/keystone/ssl/certs/signing_cert.pem
-#   [signing_keyfile] Location of the key file for signing pki tokens and revocation lists. Optional.
+#
+# [*signing_keyfile*]
+#   (optional) Location of the key file for signing pki tokens and revocation lists.
 #   Note that if this file already exists (i.e. you are providing your own signing cert), the file
 #   will not be overwritten, even if enable_pki_setup is set to true.
 #   Default: /etc/keystone/ssl/private/signing_key.pem
-#   [signing_ca_certs] Use this CA certs file along with signing_certfile/signing_keyfile for
-#     signing pki tokens and revocation lists. Optional. Default: /etc/keystone/ssl/certs/ca.pem
-#   [signing_ca_key] Use this CA key file along with signing_certfile/signing_keyfile for signing
-#     pki tokens and revocation lists. Optional. Default: /etc/keystone/ssl/private/cakey.pem
+#
+# [*signing_ca_certs*]
+#   (optional) Use this CA certs file along with signing_certfile/signing_keyfile for
+#   signing pki tokens and revocation lists.
+#   Default: /etc/keystone/ssl/certs/ca.pem
+#
+# [*signing_ca_key*]
+#   (optional) Use this CA key file along with signing_certfile/signing_keyfile for signing
+#   pki tokens and revocation lists.
+#   Default: /etc/keystone/ssl/private/cakey.pem
 #
 # [*signing_cert_subject*]
 #   (optional) Certificate subject (auto generated certificate) for token signing.
@ -103,12 +154,29 @@
 #   (optional) Key size (in bits) for token signing cert (auto generated certificate)
 #   Defaults to 2048
 #
-#   [rabbit_host] Location of rabbitmq installation. Optional. Defaults to localhost.
-#   [rabbit_port] Port for rabbitmq instance. Optional. Defaults to 5672.
-#   [rabbit_hosts] Location of rabbitmq installation. Optional. Defaults to undef.
-#   [rabbit_password] Password used to connect to rabbitmq. Optional. Defaults to guest.
-#   [rabbit_userid] User used to connect to rabbitmq. Optional. Defaults to guest.
-#   [rabbit_virtual_host] The RabbitMQ virtual host. Optional. Defaults to /.
+# [*rabbit_host*]
+#   (optional) Location of rabbitmq installation.
+#    Defaults to localhost.
+#
+# [*rabbit_port*]
+#   (optional) Port for rabbitmq instance.
+#   Defaults to 5672.
+#
+# [*rabbit_hosts*]
+#   (optional) Location of rabbitmq installation.
+#   Defaults to undef.
+#
+# [*rabbit_password*]
+#   (optional) Password used to connect to rabbitmq.
+#   Defaults to guest.
+#
+# [*rabbit_userid*]
+#   (optional) User used to connect to rabbitmq.
+#   Defaults to guest.
+#
+# [*rabbit_virtual_host*]
+#   (optional) The RabbitMQ virtual host.
+#   Defaults to /.
 #
 # [*rabbit_use_ssl*]
 #   (optional) Connect over SSL for RabbitMQ
@ -132,9 +200,16 @@
 #   available on some distributions.
 #   Defaults to 'TLSv1'
 #
-#   [notification_driver] RPC driver. Not enabled by default
-#   [notification_topics] AMQP topics to publish to when using the RPC notification driver.
-#   [control_exchange] AMQP exchange to connect to if using RabbitMQ or Qpid
+# [*notification_driver*]
+#   RPC driver. Not enabled by default
+#
+# [*notification_topics*]
+#   (optional) AMQP topics to publish to when using the RPC notification driver.
+#   Default to false.
+#
+# [*control_exchange*]
+#   (optional) AMQP exchange to connect to if using RabbitMQ or Qpid
+#   Default to false.
 #
 # [*public_bind_host*]
 #   (optional) The IP address of the public network interface to listen on
--- a/manifests/ldap.pp
+++ b/manifests/ldap.pp
@ -1,6 +1,376 @@
+# == class: keystone::ldap
 #
 # Implements ldap configuration for keystone.
 #
+# === parameters:
+#
+# [*url*]
+#   URL for connecting to the LDAP server. (string value)
+#   Defaults to 'undef'
+#
+# [*user*]
+#   User BindDN to query the LDAP server. (string value)
+#   Defaults to 'undef'
+#
+# [*password*]
+#   Password for the BindDN to query the LDAP server. (string value)
+#   Defaults to 'undef'
+#
+# [*suffix*]
+#   LDAP server suffix (string value)
+#   Defaults to 'undef'
+#
+# [*query_scope*]
+#   The LDAP scope for queries, this can be either "one"
+#   (onelevel/singleLevel) or "sub" (subtree/wholeSubtree). (string value)
+#   Defaults to 'undef'
+#
+# [*page_size*]
+#   Maximum results per page; a value of zero ("0") disables paging. (integer value)
+#   Defaults to 'undef'
+#
+# [*user_tree_dn*]
+#   Search base for users. (string value)
+#   Defaults to 'undef'
+#
+# [*user_filter*]
+#   LDAP search filter for users. (string value)
+#   Defaults to 'undef'
+#
+# [*user_objectclass*]
+#   LDAP objectclass for users. (string value)
+#   Defaults to 'undef'
+#
+# [*user_id_attribute*]
+#   LDAP attribute mapped to user id. WARNING: must not be a multivalued attribute. (string value)
+#   Defaults to 'undef'
+#
+# [*user_name_attribute*]
+#   LDAP attribute mapped to user name. (string value)
+#   Defaults to 'undef'
+#
+# [*user_mail_attribute*]
+#   LDAP attribute mapped to user email. (string value)
+#
+# [*user_enabled_attribute*]
+#   LDAP attribute mapped to user enabled flag. (string value)
+#   Defaults to 'undef'
+#
+# [*user_enabled_mask*]
+#   Bitmask integer to indicate the bit that the enabled value is stored in if
+#   the LDAP server represents "enabled" as a bit on an integer rather than a
+#   boolean. A value of "0" indicates the mask is not used. If this is not set
+#   to "0" the typical value is "2". This is typically used when
+#   "user_enabled_attribute = userAccountControl". (integer value)
+#   Defaults to 'undef'
+#
+# [*user_enabled_default*]
+#   Default value to enable users. This should match an appropriate int value
+#   if the LDAP server uses non-boolean (bitmask) values to indicate if a user
+#   is enabled or disabled. If this is not set to "True" the typical value is
+#   "512". This is typically used when "user_enabled_attribute =
+#   userAccountControl". (string value)
+#   Defaults to 'undef'
+#
+# [*user_enabled_invert*]
+#   Invert the meaning of the boolean enabled values. Some LDAP servers use a
+#   boolean lock attribute where "true" means an account is disabled. Setting
+#   "user_enabled_invert = true" will allow these lock attributes to be used.
+#   This setting will have no effect if "user_enabled_mask" or
+#   "user_enabled_emulation" settings are in use. (boolean value)
+#   Defaults to 'undef'
+#
+# [*user_attribute_ignore*]
+#   List of attributes stripped off the user on update. (list value)
+#   Defaults to 'undef'
+#
+# [*user_default_project_id_attribute*]
+#   LDAP attribute mapped to default_project_id for users. (string value)
+#   Defaults to 'undef'
+#
+# [*user_allow_create*]
+#   Allow user creation in LDAP backend. (boolean value)
+#   Defaults to 'undef'
+#
+# [*user_allow_update*]
+#   Allow user updates in LDAP backend. (boolean value)
+#   Defaults to 'undef'
+#
+# [*user_allow_delete*]
+#   Allow user deletion in LDAP backend. (boolean value)
+#   Defaults to 'undef'
+#
+# [*user_pass_attribute*]
+#   LDAP attribute mapped to password. (string value)
+#   Defaults to 'undef'
+#
+# [*user_enabled_emulation*]
+#   If true, Keystone uses an alternative method to determine if
+#   a user is enabled or not by checking if they are a member of
+#   the "user_enabled_emulation_dn" group. (boolean value)
+#   Defaults to 'undef'
+#
+# [*user_enabled_emulation_dn*]
+#   DN of the group entry to hold enabled users when using enabled emulation.
+#   (string value)
+#   Defaults to 'undef'
+#
+# [*user_additional_attribute_mapping*]
+#   List of additional LDAP attributes used for mapping
+#   additional attribute mappings for users. Attribute mapping
+#   format is <ldap_attr>:<user_attr>, where ldap_attr is the
+#   attribute in the LDAP entry and user_attr is the Identity
+#   API attribute. (list value)
+#   Defaults to 'undef'
+#
+# [*project_tree_dn*]
+#   Search base for projects (string value)
+#   Defaults to 'undef'
+#
+# [*project_filter*]
+#   LDAP search filter for projects. (string value)
+#   Defaults to 'undef'
+#
+# [*project_objectclass*]
+#   LDAP objectclass for projects. (string value)
+#   Defaults to 'undef'
+#
+# [*project_id_attribute*]
+#   LDAP attribute mapped to project id. (string value)
+#   Defaults to 'undef'
+#
+# [*project_member_attribute*]
+#   LDAP attribute mapped to project membership for user. (string value)
+#   Defaults to 'undef'
+#
+# [*project_name_attribute*]
+#   LDAP attribute mapped to project name. (string value)
+#   Defaults to 'undef'
+#
+# [*project_desc_attribute*]
+#   LDAP attribute mapped to project description. (string value)
+#   Defaults to 'undef'
+#
+# [*project_enabled_attribute*]
+#   LDAP attribute mapped to project enabled. (string value)
+#   Defaults to 'undef'
+#
+# [*project_domain_id_attribute*]
+#   LDAP attribute mapped to project domain_id. (string value)
+#   Defaults to 'undef'
+#
+# [*project_attribute_ignore*]
+#   List of attributes stripped off the project on update. (list value)
+#   Defaults to 'undef'
+#
+# [*project_allow_create*]
+#   Allow project creation in LDAP backend. (boolean value)
+#   Defaults to 'undef'
+#
+# [*project_allow_update*]
+#   Allow project update in LDAP backend. (boolean value)
+#   Defaults to 'undef'
+#
+# [*project_allow_delete*]
+#   Allow project deletion in LDAP backend. (boolean value)
+#   Defaults to 'undef'
+#
+# [*project_enabled_emulation*]
+#   If true, Keystone uses an alternative method to determine if
+#   a project is enabled or not by checking if they are a member
+#   of the "project_enabled_emulation_dn" group. (boolean value)
+#   Defaults to 'undef'
+#
+# [*project_enabled_emulation_dn*]
+#   DN of the group entry to hold enabled projects when using
+#   enabled emulation. (string value)
+#   Defaults to 'undef'
+#
+# [*project_additional_attribute_mapping*]
+#   Additional attribute mappings for projects. Attribute
+#   mapping format is <ldap_attr>:<user_attr>, where ldap_attr
+#   is the attribute in the LDAP entry and user_attr is the
+#   Identity API attribute. (list value)
+#   Defaults to 'undef'
+#
+# [*role_tree_dn*]
+#   Search base for roles. (string value)
+#   Defaults to 'undef'
+#
+# [*role_filter*]
+#   LDAP search filter for roles. (string value)
+#   Defaults to 'undef'
+#
+# [*role_objectclass*]
+#   LDAP objectclass for roles. (string value)
+#   Defaults to 'undef'
+#
+# [*role_id_attribute*]
+#   LDAP attribute mapped to role id. (string value)
+#   Defaults to 'undef'
+#
+# [*role_name_attribute*]
+#   LDAP attribute mapped to role name. (string value)
+#   Defaults to 'undef'
+#
+# [*role_member_attribute*]
+#   LDAP attribute mapped to role membership. (string value)
+#   Defaults to 'undef'
+#
+# [*role_attribute_ignore*]
+#   List of attributes stripped off the role on update. (list value)
+#   Defaults to 'undef'
+#
+# [*role_allow_create*]
+#   Allow role creation in LDAP backend. (boolean value)
+#   Defaults to 'undef'
+#
+# [*role_allow_update*]
+#   Allow role update in LDAP backend. (boolean value)
+#   Defaults to 'undef'
+#
+# [*role_allow_delete*]
+#   Allow role deletion in LDAP backend. (boolean value)
+#   Defaults to 'undef'
+#
+# [*role_additional_attribute_mapping*]
+#   Additional attribute mappings for roles. Attribute mapping
+#   format is <ldap_attr>:<user_attr>, where ldap_attr is the
+#   attribute in the LDAP entry and user_attr is the Identity
+#   API attribute. (list value)
+#   Defaults to 'undef'
+#
+# [*group_tree_dn*]
+#   Search base for groups. (string value)
+#   Defaults to 'undef'
+#
+# [*group_filter*]
+#   LDAP search filter for groups. (string value)
+#   Defaults to 'undef'
+#
+# [*group_objectclass*]
+#   LDAP objectclass for groups. (string value)
+#   Defaults to 'undef'
+#
+# [*group_id_attribute*]
+#   LDAP attribute mapped to group id. (string value)
+#   Defaults to 'undef'
+#
+# [*group_name_attribute*]
+#   LDAP attribute mapped to group name. (string value)
+#   Defaults to 'undef'
+#
+# [*group_member_attribute*]
+#   LDAP attribute mapped to show group membership. (string value)
+#   Defaults to 'undef'
+#
+# [*group_desc_attribute*]
+#   LDAP attribute mapped to group description. (string value)
+#   Defaults to 'undef'
+#
+# [*group_attribute_ignore*]
+#   List of attributes stripped off the group on update. (list value)
+#   Defaults to 'undef'
+#
+# [*group_allow_create*]
+#   Allow group creation in LDAP backend. (boolean value)
+#   Defaults to 'undef'
+#
+# [*group_allow_update*]
+#   Allow group update in LDAP backend. (boolean value)
+#   Defaults to 'undef'
+#
+# [*group_allow_delete*]
+#   Allow group deletion in LDAP backend. (boolean value)
+#   Defaults to 'undef'
+#
+# [*group_additional_attribute_mapping*]
+#   Additional attribute mappings for groups. Attribute mapping
+#   format is <ldap_attr>:<user_attr>, where ldap_attr is the
+#   attribute in the LDAP entry and user_attr is the Identity
+#   API attribute. (list value)
+#   Defaults to 'undef'
+#
+# [*use_tls*]
+#   Enable TLS for communicating with LDAP servers. (boolean value)
+#   Defaults to 'undef'
+#
+# [*tls_cacertfile*]
+#   CA certificate file path for communicating with LDAP servers. (string value)
+#   Defaults to 'undef'
+#
+# [*tls_cacertdir*]
+#   CA certificate directory path for communicating with LDAP servers. (string value)
+#   Defaults to 'undef'
+#
+# [*tls_req_cert*]
+#   Valid options for tls_req_cert are demand, never, and allow. (string value)
+#   Defaults to 'undef'
+#
+# [*identity_driver*]
+#   Identity backend driver. (string value)
+#   Defaults to 'undef'
+#
+# [*assignment_driver*]
+#   Assignment backend driver. (string value)
+#   Defaults to 'undef'
+#
+# [*use_pool*]
+#   Enable LDAP connection pooling. (boolean value)
+#   Defaults to false
+#
+# [*pool_size*]
+#   Connection pool size. (integer value)
+#   Defaults to '10'
+#
+# [*pool_retry_max*]
+#   Maximum count of reconnect trials. (integer value)
+#   Defaults to '3'
+#
+# [*pool_retry_delay*]
+#   Time span in seconds to wait between two reconnect trials. (floating point value)
+#   Defaults to '0.1'
+#
+# [*pool_connection_timeout*]
+#   Connector timeout in seconds. Value -1 indicates indefinite wait for response. (integer value)
+#   Defaults to '-1'
+#
+# [*pool_connection_lifetime*]
+#   Connection lifetime in seconds. (integer value)
+#   Defaults to '600'
+#
+# [*use_auth_pool*]
+#   Enable LDAP connection pooling for end user authentication.
+#   If use_pool is disabled, then this setting is meaningless and is not used at all. (boolean value)
+#   Defaults to false
+#
+# [*auth_pool_size*]
+#   End user auth connection pool size. (integer value)
+#   Defaults to '100'
+#
+# [*auth_pool_connection_lifetime*]
+#   End user auth connection lifetime in seconds. (integer value)
+#   Defaults to '60'
+#
+# === DEPRECATED group/name
+#
+# [*tenant_tree_dn*]
+# [*tenant_filter*]
+# [*tenant_objectclass*]
+# [*tenant_id_attribute*]
+# [*tenant_member_attribute*]
+# [*tenant_name_attribute*]
+# [*tenant_desc_attribute*]
+# [*tenant_enabled_attribute*]
+# [*tenant_domain_id_attribute*]
+# [*tenant_attribute_ignore*]
+# [*tenant_allow_create*]
+# [*tenant_allow_update*]
+# [*tenant_enabled_emulation*]
+# [*tenant_enabled_emulation_dn*]
+# [*tenant_additional_attribute_mapping*]
+# [*tenant_allow_delete*]
+#
 # == Dependencies
 # == Examples
 # == Authors
--- a/manifests/python.pp
+++ b/manifests/python.pp
@ -1,6 +1,16 @@
+# == Class keystone::python
 #
 # installs client python libraries for keystone
 #
+# === Parameters:
+#
+# [*client_package_name*]
+#   (optional) The name of python keystone client package
+#   Defaults to $keystone::params::client_package_name
+#
+# [*ensure*]
+#   (optional) The state for the keystone client package
+#   Defaults to 'present'
 #
 class keystone::python (
  $client_package_name = $keystone::params::client_package_name,
--- a/manifests/roles/admin.pp
+++ b/manifests/roles/admin.pp
@ -1,3 +1,4 @@
+# == Class: keystone::roles::admin
 #
 # This class implements some reasonable admin defaults for keystone.
 #
@ -8,18 +9,49 @@
 #   * admin role
 #   * adds admin role to admin user on the "admin" tenant
 #
-# [*Parameters*]
+# === Parameters:
 #
-# [email] The email address for the admin. Required.
-# [password] The admin password. Required.
-# [admin_roles] The list of the roles with admin privileges. Optional. Defaults to ['admin'].
-# [admin_tenant] The name of the tenant to be used for admin privileges. Optional. Defaults to openstack.
-# [admin] Admin user. Optional. Defaults to admin.
-# [ignore_default_tenant] Ignore setting the default tenant value when the user is created. Optional. Defaults to false.
-# [admin_tenant_desc] Optional. Description for admin tenant, defaults to 'admin tenant'
-# [service_tenant_desc] Optional. Description for admin tenant, defaults to 'Tenant for the openstack services'
-# [configure_user] Optional. Should the admin user be created? Defaults to 'true'.
-# [configure_user_role] Optional. Should the admin role be configured for the admin user? Defaulst to 'true'.
+# [*email*]
+#   The email address for the admin. Required.
+#
+# [*password*]
+#   The admin password. Required.
+#
+# [*admin_roles*]
+#   The list of the roles with admin privileges. Optional.
+#   Defaults to ['admin'].
+#
+# [*admin_tenant*]
+#   The name of the tenant to be used for admin privileges. Optional.
+#   Defaults to openstack.
+#
+# [*service_tenant*]
+#   The name of service keystone tenant. Optional.
+#   Defaults to 'services'.
+#
+# [*admin*]
+#   Admin user. Optional.
+#   Defaults to admin.
+#
+# [*ignore_default_tenant*]
+#   Ignore setting the default tenant value when the user is created. Optional.
+#   Defaults to false.
+#
+# [*admin_tenant_desc*]
+#   Optional. Description for admin tenant,
+#   Defaults to 'admin tenant'
+#
+# [*service_tenant_desc*]
+#   Optional. Description for admin tenant,
+#   Defaults to 'Tenant for the openstack services'
+#
+# [*configure_user*]
+#   Optional. Should the admin user be created?
+#   Defaults to 'true'.
+#
+# [*configure_user_role*]
+#   Optional. Should the admin role be configured for the admin user?
+#   Defaulst to 'true'.
 #
 # == Dependencies
 # == Examples
--- a/manifests/service.pp
+++ b/manifests/service.pp
@ -33,8 +33,7 @@
 #   Defaults to $::keystone::params::service_provider
 #
 # [*validate*]
-# (optional) Whether to validate the service is working
-# after any service refreshes
+#   (optional) Whether to validate the service is working after any service refreshes
 #   Defaults to false
 #
 # [*admin_token*]
--- a/manifests/wsgi/apache.pp
+++ b/manifests/wsgi/apache.pp
@ -46,15 +46,41 @@
 #     Optional. Defaults to 1
 #
 #   [*ssl_cert*]
+#     (optional) Path to SSL certificate
+#     Default to apache::vhost 'ssl_*' defaults.
+#
 #   [*ssl_key*]
+#     (optional) Path to SSL key
+#     Default to apache::vhost 'ssl_*' defaults.
+#
 #   [*ssl_chain*]
+#     (optional) SSL chain
+#     Default to apache::vhost 'ssl_*' defaults.
+#
 #   [*ssl_ca*]
+#     (optional) Path to SSL certificate authority
+#     Default to apache::vhost 'ssl_*' defaults.
+#
 #   [*ssl_crl_path*]
+#     (optional) Path to SSL certificate revocation list
+#     Default to apache::vhost 'ssl_*' defaults.
+#
 #   [*ssl_crl*]
+#     (optional) SSL certificate revocation list name
+#     Default to apache::vhost 'ssl_*' defaults.
+#
 #   [*ssl_certs_dir*]
 #     apache::vhost ssl parameters.
 #     Optional. Default to apache::vhost 'ssl_*' defaults.
 #
+# [*priority*]
+#   (optional) The priority for the vhost.
+#   Defaults to '10'
+#
+# [*threads*]
+#   (optional) The number of threads for the vhost.
+#   Defaults to $::processorcount
+#
 # == Dependencies
 #
 #   requires Class['apache'] & Class['keystone']