Changes around keystone-manage commands
* perform all keystone-manage commands only as the keystone user * as it is possible to override the keystone user in the init class, we should also be able to override it in the db::sync class * ensure that the fernet key directory is created before the fernet setup command runs and that it is owned by the keystone user Closes-bug: #1604884 Change-Id: Ib90d8e2259b9a650a2edb5f0baf0e68451b9abf6
		@@ -10,16 +10,21 @@
#   'db_sync' in the command line.
#   Defaults to ''
#
# [*keystone_user*]
#   (optional) Specify the keystone system user to be used with keystone-manage.
#   Defaults to $::keystone::params::keystone_user
#
class keystone::db::sync(
  $extra_params = undef,
) {
  $extra_params  = undef,
  $keystone_user = $::keystone::params::keystone_user,
) inherits keystone::params {
  include ::keystone::deps
  exec { 'keystone-manage db_sync':
    command     => "keystone-manage ${extra_params} db_sync",
    path        => '/usr/bin',
    user        => 'keystone',
    user        => $keystone_user,
    refreshonly => true,
    subscribe   => [
      Anchor['keystone::install::end'],
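Review bot: The new `keystone_user` parameter of `keystone::db::sync` defaults to `$::keystone::params::keystone_user` rather than to whatever the `keystone` class was given, so an operator who overrides `keystone_user` on `class { 'keystone': ... }` still gets db_sync executed as the params default unless the caller passes the value through explicitly; the place where `keystone` declares this class is not in this hunk, so it may already be handled there, but it is worth confirming because a mismatch here is exactly the bug this commit sets out to close. The `[*keystone_user*]` doc comment could say so: `#   Note: not taken from the keystone class; pass the same value when overriding it there.` The pre-existing `command => "keystone-manage ${extra_params} db_sync"` still splices `extra_params` into the command line unquoted, which this commit does not change but which is now the one operator-controlled string reaching a command run as `$keystone_user`. The `exec` resource body continues past the end of the hunk.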
@@ -497,11 +497,11 @@
#
# [*keystone_user*]
#   (optional) Specify the keystone system user to be used with keystone-manage.
#   Defaults to 'keystone'
#   Defaults to $::keystone::params::keystone_user
#
# [*keystone_group*]
#   (optional) Specify the keystone system group to be used with keystone-manage.
#   Defaults to 'keystone'
#   Defaults to $::keystone::params::keystone_group
#
# [*manage_policyrcd*]
#   (optional) Whether to manage the policy-rc.d on debian based systems to
@@ -935,6 +935,7 @@ class keystone(
      exec { 'keystone-manage pki_setup':
        command     => "keystone-manage pki_setup --keystone-user ${keystone_user} --keystone-group ${keystone_group}",
        path        => '/usr/bin',
        user        => $keystone_user,
        refreshonly => true,
        creates     => $signing_keyfile,
        notify      => Anchor['keystone::service::begin'],
@@ -1040,13 +1041,22 @@ class keystone(
  # Fernet tokens support
  if $enable_fernet_setup {
    validate_string($fernet_key_repository)
    ensure_resource('file', $fernet_key_repository, {
      ensure    => 'directory',
      owner     => $keystone_user,
      group     => $keystone_group,
      subscribe => Anchor['keystone::install::end'],
    })
    exec { 'keystone-manage fernet_setup':
      command     => "keystone-manage fernet_setup --keystone-user ${keystone_user} --keystone-group ${keystone_group}",
      path        => '/usr/bin',
      user        => $keystone_user,
      refreshonly => true,
      creates     => "${fernet_key_repository}/0",
      notify      => Anchor['keystone::service::begin'],
      subscribe   => [Anchor['keystone::install::end'], Anchor['keystone::config::end']],
      require     => File[$fernet_key_repository],
      tag         => 'keystone-exec',
    }
  }
@@ -1102,6 +1112,7 @@ class keystone(
    # and is only run once, so we don't need to notify the service
    exec { 'keystone-manage bootstrap':
      command     => "keystone-manage bootstrap --bootstrap-password ${admin_token}",
      user        => $keystone_user,
      path        => '/usr/bin',
      refreshonly => true,
      notify      => Anchor['keystone::service::begin'],
@@ -1120,8 +1131,8 @@ class keystone(
    if (!defined(File[$domain_config_directory])) {
      file { $domain_config_directory:
        ensure  => directory,
        owner   => 'keystone',
        group   => 'keystone',
        owner   => $keystone_user,
        group   => $keystone_group,
        mode    => '0750',
        notify  => Service[$service_name],
        require => Anchor['keystone::install::end'],
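Review bot: The `ensure_resource('file', $fernet_key_repository, { ... })` added in the fernet hunk (`@@ -1040,13 +1041,22 @@`) sets `owner` and `group` but no `mode`, so the directory that will hold the Fernet token keys is created with whatever the agent's umask yields (typically world-traversable) and its permissions are never managed afterwards; the `domain_config_directory` resource in the last hunk of this file sets `mode => '0750'`, and the key repository deserves at least that, preferably `mode => '0700',` since only keystone-manage and the keystone service need to read it. As far as I recall keystone-manage treats a world-readable key repository as a misconfiguration and warns about it, so managing the mode in Puppet also keeps the tool's output clean. Minor: `subscribe => Anchor['keystone::install::end']` on a `file` resource only orders it, because files have no refresh action, so `require => Anchor['keystone::install::end'],` states the intent and matches the `domain_config_directory` resource below.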
@@ -0,0 +1,3 @@
---
upgrade:
  - All keystone-manage execs are performed now only by keystone user.
@@ -2,36 +2,54 @@ require 'spec_helper'
describe 'keystone::db::sync' do
  describe 'with only required params' do
    it {
  shared_examples_for 'keystone-dbsync' do
    describe 'with only required params' do
      it {
        is_expected.to contain_exec('keystone-manage db_sync').with(
          :command     => 'keystone-manage  db_sync',
          :user        => 'keystone',
          :refreshonly => true,
          :subscribe   => ['Anchor[keystone::install::end]',
                          'Anchor[keystone::config::end]',
                          'Anchor[keystone::dbsync::begin]'],
          :notify      => 'Anchor[keystone::dbsync::end]',
        )
    }
  end
  describe "overriding extra_params" do
    let :params do
      {
        :extra_params => '--config-file /etc/keystone/keystone.conf',
      }
    end
    it {
    describe "overriding extra_params and keystone user" do
      let :params do
        {
          :extra_params  => '--config-file /etc/keystone/keystone.conf',
          :keystone_user => 'test_user',
        }
      end
      it {
        is_expected.to contain_exec('keystone-manage db_sync').with(
          :command     => 'keystone-manage --config-file /etc/keystone/keystone.conf db_sync',
          :user        => 'test_user',
          :refreshonly => true,
          :subscribe   => ['Anchor[keystone::install::end]',
                          'Anchor[keystone::config::end]',
                          'Anchor[keystone::dbsync::begin]'],
          :notify      => 'Anchor[keystone::dbsync::end]',
        )
    }
      }
    end
  end
  on_supported_os({
    :supported_os   => OSDefaults.get_supported_os
  }).each do |os,facts|
    context "on #{os}" do
      let (:facts) do
        facts.merge!(OSDefaults.get_facts())
      end
      it_configures 'keystone-dbsync'
    end
  end
end
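Review bot: The new `keystone-dbsync` shared example group is written in a style that differs from the describe above it: `describe "overriding extra_params and keystone user" do` uses double quotes with nothing to interpolate while `describe 'with only required params' do` uses single quotes, and `let (:facts) do` puts a space between the method name and its parenthesis; `describe 'overriding extra_params and keystone user' do` and `let(:facts) do` would read consistently. The override example also changes `extra_params` and `keystone_user` together, so a regression in either produces the same failing example; a separate example that overrides only `keystone_user` and expects `:user => 'test_user'` would pin the new parameter on its own. `facts.merge!(OSDefaults.get_facts())` mutates the hash yielded by `on_supported_os`, which is the common pattern in these modules, but `facts.merge(OSDefaults.get_facts)` avoids the side effect at no cost.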
@@ -69,6 +69,8 @@ describe 'keystone' do
      'paste_config'                        => '<SERVICE DEFAULT>',
      'sync_db'                             => true,
      'purge_config'                        => false,
      'keystone_user'                       => 'keystone',
      'keystone_group'                      => 'keystone',
  }
  override_params = {
@@ -115,7 +117,9 @@ describe 'keystone' do
      'member_role_id'                      => '123456789',
      'member_role_name'                    => 'othermember',
      'paste_config'                        => '/usr/share/keystone/keystone-paste.ini',
      'using_domain_config'                 => false
      'using_domain_config'                 => false,
      'keystone_user'                       => 'test_user',
      'keystone_group'                      => 'test_group',
    }
  httpd_params = {'service_name' => 'httpd'}.merge(default_params)
@@ -151,7 +155,7 @@ describe 'keystone' do
      if param_hash['enable_bootstrap']
        is_expected.to contain_exec('keystone-manage bootstrap').with(
          :command     => 'keystone-manage bootstrap --bootstrap-password service_token',
          :user        => 'keystone',
          :user        => param_hash['keystone_user'],
          :refreshonly => true
        )
      end
@@ -377,7 +381,9 @@ describe 'keystone' do
          'signing_ca_certs'                    => '/etc/keystone/ssl/certs/ca.pem',
          'signing_ca_key'                      => '/etc/keystone/ssl/private/cakey.pem',
          'signing_cert_subject'                => '/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com',
          'signing_key_size'                    => 2048
          'signing_key_size'                    => 2048,
          'keystone_user'                       => 'keystone',
          'keystone_group'                      => 'keystone',
        }
      end
@@ -391,7 +397,7 @@ describe 'keystone' do
      end
      it { is_expected.to contain_exec('keystone-manage pki_setup').with(
        :command => 'keystone-manage pki_setup --keystone-user keystone --keystone-group keystone',
        :command => "keystone-manage pki_setup --keystone-user #{params['keystone_user']} --keystone-group #{params['keystone_group']}",
        :creates => '/etc/keystone/ssl/private/signing_key.pem'
      ) }
      it { is_expected.to contain_file('/var/cache/keystone').with_ensure('directory') }
@@ -896,14 +902,21 @@ describe 'keystone' do
          'enable_fernet_setup'    => true,
          'fernet_max_active_keys' => 5,
          'revoke_by_id'           => false,
          'keystone_user'          => 'keystone',
          'keystone_group'         => 'keystone'
          'fernet_key_repository'  => '/etc/keystone/fernet-keys',
        })
      end
      it { is_expected.to contain_file(params['fernet_key_repository']).with(
        :ensure => 'directory',
        :owner  => params['keystone_user'],
        :group  => params['keystone_group'],
      ) }
      it { is_expected.to contain_exec('keystone-manage fernet_setup').with(
        :command => 'keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone',
        :creates => '/etc/keystone/fernet-keys/0'
        :command => "keystone-manage fernet_setup --keystone-user #{params['keystone_user']} --keystone-group #{params['keystone_group']}",
        :user    => params['keystone_user'],
        :creates => '/etc/keystone/fernet-keys/0',
        :require => 'File[/etc/keystone/fernet-keys]',
      ) }
      it { is_expected.to contain_keystone_config('fernet_tokens/max_active_keys').with_value(5)}
      it { is_expected.to contain_keystone_config('token/revoke_by_id').with_value(false)}
@@ -921,6 +934,25 @@ describe 'keystone' do
      ) }
    end
    describe 'when overriding the keystone group and user' do
      let :params do
        default_params.merge({
          'enable_fernet_setup'   => true,
          'fernet_key_repository' => '/etc/keystone/fernet-keys',
          'keystone_user'         => 'test_user',
          'keystone_group'        => 'test_group',
        })
      end
      it { is_expected.to contain_exec('keystone-manage fernet_setup').with(
        :command => "keystone-manage fernet_setup --keystone-user #{params['keystone_user']} --keystone-group #{params['keystone_group']}",
        :user    => params['keystone_user'],
        :creates => '/etc/keystone/fernet-keys/0',
        :require => 'File[/etc/keystone/fernet-keys]',
      ) }
    end
  end
  shared_examples_for "when configuring default domain" do
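Review bot: The new `'when overriding the keystone group and user'` context (hunk `@@ -921,6 +934,25 @@`) asserts only the `keystone-manage fernet_setup` exec, so ownership of the key repository for a non-default user, which is what the `ensure_resource` change in init.pp is for, is only checked in the default-user context above it. Add the matching file expectation to the override context: `it { is_expected.to contain_file(params['fernet_key_repository']).with(:ensure => 'directory', :owner => params['keystone_user'], :group => params['keystone_group']) }`. Neither file expectation asserts a `mode`, so a change that leaves the directory holding the Fernet keys world-readable would pass both; if the manifest ever manages the mode of that directory, both contexts should assert it.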