Use system scope credentials to request keystone

When SRBAC is enforced, Keystone allows only system admin to create resources like user, role, role assignment and etc. With this change now each provider uses system scope credential to create resources like user, endpoint and etc. This change also replaces /etc/keystone/puppet.conf by the yaml file for openstackclient(/etc/openstack/puppet/admin-clouds.yaml) This allows us to switch a system scope credential and a project scope credential, and helps us implement a new provider which requires project scope, in the future. Depends-on: https://review.opendev.org/828025 Change-Id: I27eb6b11df593581c94ef0affaf5abb8e333833b
2 years ago · c140a44aeb
parent 845eb1c9a1
commit c140a44aeb
23 changed files with 178 additions and 201 deletions
--- a/lib/puppet/provider/keystone.rb
+++ b/lib/puppet/provider/keystone.rb
@ -8,68 +8,15 @@ class Puppet::Provider::Keystone < Puppet::Provider::Openstack

  extend Puppet::Provider::Openstack::Auth

-  INI_FILENAME = '/etc/keystone/keystone.conf'
  DEFAULT_DOMAIN = 'Default'

  @@default_domain_id = nil

-  def self.conf_filename
-    '/etc/keystone/puppet.conf'
-  end
-
-  def self.keystone_puppet_conf
-    return @keystone_puppet_conf if @keystone_puppet_conf
-    @keystone_puppet_conf = Puppet::Util::IniConfig::File.new
-    @keystone_puppet_conf.read(conf_filename)
-    @keystone_puppet_conf
-  end
-
-  def self.get_keystone_puppet_credentials
-    auth_keys = ['auth_url', 'project_name', 'username', 'password']
-
-    conf = keystone_puppet_conf ? keystone_puppet_conf['keystone_authtoken'] : {}
-
-    if conf and auth_keys.all?{|k| !conf[k].nil?}
-      creds = Hash[ auth_keys.map { |k| [k, conf[k].strip] } ]
-
-      if conf['project_domain_name']
-        creds['project_domain_name'] = conf['project_domain_name']
-      else
-        creds['project_domain_name'] = 'Default'
-      end
-
-      if conf['user_domain_name']
-        creds['user_domain_name'] = conf['user_domain_name']
-      else
-        creds['user_domain_name'] = 'Default'
-      end
-
-      if conf['region_name']
-        creds['region_name'] = conf['region_name']
-      end
-
-      if conf['interface']
-        creds['interface'] = conf['interface']
-      end
-
-      return creds
-    else
-      raise(Puppet::Error, "File: #{conf_filename} does not contain all " +
-            "required configuration keys. Cannot authenticate to Keystone.")
-    end
-  end
-
-  def self.keystone_puppet_credentials
-    @keystone_puppet_credentials ||= get_keystone_puppet_credentials
-  end
-
-  def keystone_puppet_credentials
-    self.class.keystone_puppet_credentials
-  end
-
  def self.get_auth_endpoint
-    q = keystone_puppet_credentials
-    "#{q['auth_url']}"
+    configs = self.request('configuration', 'show')
+    "#{configs['auth.auth_url']}"
+  rescue Puppet::Error::OpenstackAuthInputError
+    nil
  end

  def self.auth_endpoint
@ -171,7 +118,7 @@ class Puppet::Provider::Keystone < Puppet::Provider::Openstack

  def self.domain_name_from_id(id)
    unless @domain_hash
-      list = request('domain', 'list')
+      list = system_request('domain', 'list')
      if list.nil?
        err("Could not list domains")
      else
@ -179,7 +126,7 @@ class Puppet::Provider::Keystone < Puppet::Provider::Openstack
      end
    end
    unless @domain_hash.include?(id)
-      domain = request('domain', 'show', id)
+      domain = system_request('domain', 'show', id)
      if domain && domain.key?(:name)
        @domain_hash[id] = domain[:name]
      else
@ -191,11 +138,11 @@ class Puppet::Provider::Keystone < Puppet::Provider::Openstack

  def self.domain_id_from_name(name)
    unless @domain_hash_name
-      list = request('domain', 'list')
+      list = system_request('domain', 'list')
      @domain_hash_name = Hash[list.collect{|domain| [domain[:name], domain[:id]]}]
    end
    unless @domain_hash_name.include?(name)
-      domain = request('domain', 'show', name)
+      domain = system_request('domain', 'show', name)
      if domain && domain.key?(:id)
        @domain_hash_name[name] = domain[:id]
      else
@ -207,18 +154,18 @@ class Puppet::Provider::Keystone < Puppet::Provider::Openstack

  def self.fetch_project(name, domain)
    domain ||= default_domain
-    request('project', 'show',
-            [name, '--domain', domain],
-            {:no_retry_exception_msgs => /No project with a name or ID/})
+    system_request('project', 'show',
+                   [name, '--domain', domain],
+                   {:no_retry_exception_msgs => /No project with a name or ID/})
  rescue Puppet::ExecutionFailure => e
    raise e unless e.message =~ /No project with a name or ID/
  end

  def self.fetch_user(name, domain)
    domain ||= default_domain
-    request('user', 'show',
-            [name, '--domain', domain],
-            {:no_retry_exception_msgs => /No user with a name or ID/})
+    system_request('user', 'show',
+                   [name, '--domain', domain],
+                   {:no_retry_exception_msgs => /No user with a name or ID/})
  rescue Puppet::ExecutionFailure => e
    raise e unless e.message =~ /No user with a name or ID/
  end
@ -234,40 +181,12 @@ class Puppet::Provider::Keystone < Puppet::Provider::Openstack
    return auth_url
  end

-  def self.ini_filename
-    INI_FILENAME
-  end
-
-  def self.keystone_file
-    return @keystone_file if @keystone_file
-    if File.exists?(ini_filename)
-      @keystone_file = Puppet::Util::IniConfig::File.new
-      @keystone_file.read(ini_filename)
-      @keystone_file
-    end
-  end
-
-  def self.request(service, action, properties=nil, options={})
-    super
-  rescue Puppet::Error::OpenstackAuthInputError, Puppet::Error::OpenstackUnauthorizedError => error
-    keystone_request(service, action, error, properties)
+  def self.project_request(service, action, properties=nil, options={})
+    self.request(service, action, properties, options, 'project')
  end

-  def self.keystone_request(service, action, error, properties=nil)
-    properties ||= []
-    @credentials.username = keystone_puppet_credentials['username']
-    @credentials.password = keystone_puppet_credentials['password']
-    @credentials.project_name = keystone_puppet_credentials['project_name']
-    @credentials.auth_url = auth_endpoint
-    if keystone_puppet_credentials['region_name']
-      @credentials.region_name = keystone_puppet_credentials['region_name']
-    end
-    if @credentials.version == '3'
-      @credentials.user_domain_name = keystone_puppet_credentials['user_domain_name']
-      @credentials.project_domain_name = keystone_puppet_credentials['project_domain_name']
-    end
-    raise error unless @credentials.set?
-    Puppet::Provider::Openstack.request(service, action, properties, @credentials)
+  def self.system_request(service, action, properties=nil, options={})
+    self.request(service, action, properties, options, 'system')
  end

  def self.set_domain_for_name(name, domain_name)
--- a/lib/puppet/provider/keystone_domain/openstack.rb
+++ b/lib/puppet/provider/keystone_domain/openstack.rb
@ -37,7 +37,7 @@ Puppet::Type.type(:keystone_domain).provide(
      properties << '--description'
      properties << resource[:description]
    end
-    @property_hash = self.class.request('domain', 'create', properties)
+    @property_hash = self.class.system_request('domain', 'create', properties)
    @property_hash[:is_default] = sym_to_bool(resource[:is_default])
    @property_hash[:ensure] = :present
    ensure_default_domain(true)
@ -53,8 +53,8 @@ Puppet::Type.type(:keystone_domain).provide(
    end
    # have to disable first - Keystone does not allow you to delete an
    # enabled domain
-    self.class.request('domain', 'set', [resource[:name], '--disable'])
-    self.class.request('domain', 'delete', resource[:name])
+    self.class.system_request('domain', 'set', [resource[:name], '--disable'])
+    self.class.system_request('domain', 'delete', resource[:name])
    @property_hash[:ensure] = :absent
    ensure_default_domain(false, true)
    @property_hash.clear
@ -111,7 +111,7 @@ Puppet::Type.type(:keystone_domain).provide(

  def self.instances
    self.do_not_manage = true
-    list = request('domain', 'list').collect do |domain|
+    list = system_request('domain', 'list').collect do |domain|
      new(
        :name        => domain[:name],
        :ensure      => :present,
@ -142,7 +142,7 @@ Puppet::Type.type(:keystone_domain).provide(
      if @property_flush[:description]
        options << '--description' << resource[:description]
      end
-      self.class.request('domain', 'set', [resource[:name]] + options) unless options.empty?
+      self.class.system_request('domain', 'set', [resource[:name]] + options) unless options.empty?
      if @property_flush[:is_default]
        ensure_default_domain(false, false, @property_flush[:is_default])
      end
--- a/lib/puppet/provider/keystone_endpoint/openstack.rb
+++ b/lib/puppet/provider/keystone_endpoint/openstack.rb
@ -65,7 +65,7 @@ Puppet::Type.type(:keystone_endpoint).provide(
    end
    ids = @property_hash[:id].split(',')
    ids.each do |id|
-      self.class.request('endpoint', 'delete', id)
+      self.class.system_request('endpoint', 'delete', id)
    end
    @property_hash.clear
  end
@ -153,10 +153,9 @@ Puppet::Type.type(:keystone_endpoint).provide(
                                         scope.to_s.sub(/_url$/, ''),
                                         property_flush[scope])[:id]
          else
-            self.class.request('endpoint',
-                               'set',
-                               [ids[scope],
-                                "--url=#{resource[scope]}"])
+            self.class.system_request('endpoint',
+                                      'set',
+                                      [ids[scope], "--url=#{resource[scope]}"])
          end
        end
      end
@ -170,7 +169,7 @@ Puppet::Type.type(:keystone_endpoint).provide(

  def endpoint_create(name, region, interface, url)
    properties = [name, interface, url, '--region', region]
-    self.class.request('endpoint', 'create', properties)
+    self.class.system_request('endpoint', 'create', properties)
  end

  private
@ -179,7 +178,7 @@ Puppet::Type.type(:keystone_endpoint).provide(
    return @endpoints unless @endpoints.nil?
    prev_do_not_manage = self.do_not_manage
    self.do_not_manage = true
-    @endpoints = request('endpoint', 'list')
+    @endpoints = system_request('endpoint', 'list')
    self.do_not_manage = prev_do_not_manage
    @endpoints
  end
@ -192,7 +191,7 @@ Puppet::Type.type(:keystone_endpoint).provide(
    return @services unless @services.nil?
    prev_do_not_manage = self.do_not_manage
    self.do_not_manage = true
-    @services = request('service', 'list')
+    @services = system_request('service', 'list')
    self.do_not_manage = prev_do_not_manage
    @services
  end
--- a/lib/puppet/provider/keystone_identity_provider/openstack.rb
+++ b/lib/puppet/provider/keystone_identity_provider/openstack.rb
@ -35,9 +35,9 @@ Puppet::Type.type(:keystone_identity_provider).provide(
      resource[:description]
    properties << resource[:name]

-    @property_hash = self.class.request('identity provider',
-                                        'create',
-                                        properties)
+    @property_hash = self.class.system_request('identity provider',
+                                               'create',
+                                               properties)

  rescue Puppet::ExecutionFailure => e
    if e.message =~
@ -54,7 +54,7 @@ Puppet::Type.type(:keystone_identity_provider).provide(
  end

  def destroy
-    self.class.request('identity provider', 'delete', id)
+    self.class.system_request('identity provider', 'delete', id)
    @property_hash.clear
  end

@ -63,11 +63,11 @@ Puppet::Type.type(:keystone_identity_provider).provide(
  end

  def self.instances
-    list = request('identity provider', 'list')
+    list = system_request('identity provider', 'list')
    list.collect do |identity_provider|

      current_resource =
-        request('identity provider', 'show', identity_provider[:id])
+        system_request('identity provider', 'show', identity_provider[:id])
      new(
        :name        => identity_provider[:id],
        :id          => identity_provider[:id],
@ -100,19 +100,19 @@ Puppet::Type.type(:keystone_identity_provider).provide(
  def enabled=(value)
    options = value == :false ? ['--disable'] : ['--enable']
    options << id
-    self.class.request('identity provider', 'set', options)
+    self.class.system_request('identity provider', 'set', options)
  end

  def remote_ids=(value)
    options = []
    options += self.class.remote_ids_cli(value)
-    self.class.request('identity provider', 'set', options + [id]) unless
+    self.class.system_request('identity provider', 'set', options + [id]) unless
      options.empty?
  end

  def remote_id_file=(value)
    options = ['--remote-id-file', value]
-    self.class.request('identity provider', 'set', options + [id])
+    self.class.system_request('identity provider', 'set', options + [id])
  end

  def remote_id_file
@ -121,7 +121,7 @@ Puppet::Type.type(:keystone_identity_provider).provide(

  # bug/python-openstackclient/1478995: when fixed, parsing will be done by OSC.
  def self.clean_remote_ids(remote_ids)
-    version = request('--version', '').sub(/openstack\s+/i, '').strip
+    version = system_request('--version', '').sub(/openstack\s+/i, '').strip
    if Gem::Version.new(version) < Gem::Version.new('1.9.0')
      clean_remote_ids_old(remote_ids)
    else
--- a/lib/puppet/provider/keystone_role/openstack.rb
+++ b/lib/puppet/provider/keystone_role/openstack.rb
@ -26,7 +26,7 @@ Puppet::Type.type(:keystone_role).provide(
    if self.class.do_not_manage
      fail("Not managing Keystone_role[#{@resource[:name]}] due to earlier Keystone API failures.")
    end
-    self.class.request('role', 'create', name)
+    self.class.system_request('role', 'create', name)
    @property_hash[:ensure] = :present
  end

@ -34,7 +34,7 @@ Puppet::Type.type(:keystone_role).provide(
    if self.class.do_not_manage
      fail("Not managing Keystone_role[#{@resource[:name]}] due to earlier Keystone API failures.")
    end
-    self.class.request('role', 'delete', @property_hash[:id])
+    self.class.system_request('role', 'delete', @property_hash[:id])
    @property_hash.clear
  end

@ -48,7 +48,7 @@ Puppet::Type.type(:keystone_role).provide(

  def self.instances
    self.do_not_manage = true
-    list = request('role', 'list')
+    list = system_request('role', 'list')
    reallist = list.collect do |role|
      new(
        :name        => role[:name].downcase,
--- a/lib/puppet/provider/keystone_service/openstack.rb
+++ b/lib/puppet/provider/keystone_service/openstack.rb
@ -33,7 +33,7 @@ Puppet::Type.type(:keystone_service).provide(
    if resource[:description]
      properties << '--description' << resource[:description]
    end
-    created = self.class.request('service', 'create', properties)
+    created = self.class.system_request('service', 'create', properties)
    @property_hash[:ensure] = :present
    @property_hash[:type] = resource[:type]
    @property_hash[:id] = created[:id]
@ -44,7 +44,7 @@ Puppet::Type.type(:keystone_service).provide(
    if self.class.do_not_manage
      fail("Not managing Keystone_service[#{@resource[:name]}] due to earlier Keystone API failures.")
    end
-    self.class.request('service', 'delete', @property_hash[:id])
+    self.class.system_request('service', 'delete', @property_hash[:id])
    @property_hash.clear
  end

@ -70,7 +70,7 @@ Puppet::Type.type(:keystone_service).provide(

  def self.instances
    self.do_not_manage = true
-    list = request('service', 'list', '--long')
+    list = system_request('service', 'list', '--long')
    reallist = list.collect do |service|
      new(
        :name        => resource_to_name(service[:type], service[:name], false),
@ -100,7 +100,7 @@ Puppet::Type.type(:keystone_service).provide(
      options << "--name=#{resource[:name]}"
      options << "--description=#{resource[:description]}" if @property_flush[:description]
      options << "--type=#{resource[:type]}" if @property_flush[:type]
-      self.class.request('service', 'set', [@property_hash[:id]] + options) unless options.empty?
+      self.class.system_request('service', 'set', [@property_hash[:id]] + options) unless options.empty?
      @property_flush.clear
    end
  end
--- a/lib/puppet/provider/keystone_tenant/openstack.rb
+++ b/lib/puppet/provider/keystone_tenant/openstack.rb
@ -41,7 +41,7 @@ Puppet::Type.type(:keystone_tenant).provide(
    properties << '--domain'
    properties << resource[:domain]

-    @property_hash = self.class.request('project', 'create', properties)
+    @property_hash = self.class.system_request('project', 'create', properties)
    @property_hash[:name]   = resource[:name]
    @property_hash[:domain] = resource[:domain]
    @property_hash[:ensure] = :present
@ -63,7 +63,7 @@ Puppet::Type.type(:keystone_tenant).provide(
    if self.class.do_not_manage
      fail("Not managing Keystone_tenant[#{@resource[:name]}] due to earlier Keystone API failures.")
    end
-    self.class.request('project', 'delete', id)
+    self.class.system_request('project', 'delete', id)
    @property_hash.clear
  end

@ -90,7 +90,7 @@ Puppet::Type.type(:keystone_tenant).provide(
      warning(default_domain_deprecation_message)
    end
    self.do_not_manage = true
-    projects = request('project', 'list', '--long')
+    projects = system_request('project', 'list', '--long')
    list = projects.collect do |project|
      domain_name = domain_name_from_id(project[:domain_id])
      new(
@ -125,7 +125,7 @@ Puppet::Type.type(:keystone_tenant).provide(
        options << '--disable'
      end
      (options << "--description=#{resource[:description]}") if @property_flush[:description]
-      self.class.request('project', 'set', [id] + options) unless options.empty?
+      self.class.system_request('project', 'set', [id] + options) unless options.empty?
      @property_flush.clear
    end
  end
--- a/lib/puppet/provider/keystone_user/openstack.rb
+++ b/lib/puppet/provider/keystone_user/openstack.rb
@ -45,14 +45,14 @@ Puppet::Type.type(:keystone_user).provide(
      properties << '--domain'
      properties << user_domain
    end
-    @property_hash = self.class.request('user', 'create', properties)
+    @property_hash = self.class.system_request('user', 'create', properties)
    @property_hash[:name] = resource[:name]
    @property_hash[:domain] = user_domain
    @property_hash[:ensure] = :present
  end

  def destroy
-    self.class.request('user', 'delete', id)
+    self.class.system_request('user', 'delete', id)
    @property_hash.clear
  end

@ -67,7 +67,7 @@ Puppet::Type.type(:keystone_user).provide(
      # project handled in tenant= separately
      unless options.empty?
        options << id
-        self.class.request('user', 'set', options)
+        self.class.system_request('user', 'set', options)
      end
      @property_flush.clear
    end
@ -125,7 +125,7 @@ Puppet::Type.type(:keystone_user).provide(
      # Need to specify a project id to get a project scoped token.  List
      # all of the projects for the user, and use the id for the first one
      # that is enabled then fallback to domain id only.
-      projects = self.class.request('project', 'list', ['--user', id, '--long'])
+      projects = self.class.system_request('project', 'list', ['--user', id, '--long'])
      first_project = nil
      if projects && projects.respond_to?(:each)
        first_project = projects.detect { |p| p && p[:id] && p[:enabled] == 'True' }
--- a/lib/puppet/provider/keystone_user_role/openstack.rb
+++ b/lib/puppet/provider/keystone_user_role/openstack.rb
@ -29,7 +29,7 @@ Puppet::Type.type(:keystone_user_role).provide(
    if resource[:roles]
      options = properties
      resource[:roles].each do |role|
-        self.class.request('role', 'add', [role] + options)
+        self.class.system_request('role', 'add', [role] + options)
      end
    end
  end
@ -38,14 +38,14 @@ Puppet::Type.type(:keystone_user_role).provide(
    if @property_hash[:roles]
      options = properties
      @property_hash[:roles].each do |role|
-        self.class.request('role', 'remove', [role] + options)
+        self.class.system_request('role', 'remove', [role] + options)
      end
    end
    @property_hash[:ensure] = :absent
  end

  def exists?
-    roles_db = self.class.request('role assignment', 'list', ['--names'] + properties)
+    roles_db = self.class.system_request('role assignment', 'list', ['--names'] + properties)
    @property_hash[:name] = resource[:name]
    if roles_db.empty?
      @property_hash[:ensure] = :absent
@ -73,10 +73,10 @@ Puppet::Type.type(:keystone_user_role).provide(
    remove = current_roles - Array(value)
    add    = Array(value) - current_roles
    add.each do |role_name|
-      self.class.request('role', 'add', [role_name] + properties)
+      self.class.system_request('role', 'add', [role_name] + properties)
    end
    remove.each do |role_name|
-      self.class.request('role', 'remove', [role_name] + properties)
+      self.class.system_request('role', 'remove', [role_name] + properties)
    end
  end

--- a/lib/puppet/type/keystone_puppet_config.rb
+++ b/lib/puppet/type/keystone_puppet_config.rb
@ -4,6 +4,8 @@ Puppet::Type.newtype(:keystone_puppet_config) do
                    'puppet_x', 'keystone_config', 'ini_setting'))
  extend PuppetX::KeystoneConfig::IniSetting

+  desc 'Type for /etc/keystone/puppet.conf (DEPRECATED!!)'
+
  create_parameters

  autorequire(:file) do
--- a/manifests/bootstrap.pp
+++ b/manifests/bootstrap.pp
@ -159,33 +159,45 @@ class keystone::bootstrap (
    })
  }

-  # The below creates and populates the /etc/keystone/puppet.conf file that contains
-  # the credentials that can be loaded by providers. Ensure it has the proper owner,
-  # group and mode so that it cannot be read by anything other than root.
+  # NOTE(tkajinam): puppet.conf is no longer required and now clouds.yaml
+  #                 is used instead.
+  # TODO(tkajinam): Remove this after Y release.
  file { '/etc/keystone/puppet.conf':
-    ensure  => 'present',
-    replace => false,
-    content => '',
-    owner   => 'root',
-    group   => 'root',
-    mode    => '0600',
-    require => Anchor['keystone::install::end'],
+    ensure  => 'absent',
+    require => Anchor['keystone::config::begin'],
+    before  => Anchor['keystone::config::end'],
  }

-  if $interface == 'admin' {
-    $auth_url_real = $admin_url
-  } elsif $interface == 'internal' {
-    $auth_url_real = $internal_url_real
-  } else {
-    $auth_url_real = $public_url
+  $auth_url_real = $interface ? {
+    'admin'    => $admin_url,
+    'internal' => $internal_url_real,
+    default    => $public_url
  }

-  keystone::resource::authtoken { 'keystone_puppet_config':
+  ensure_resource('file', '/etc/openstack', {
+    'ensure' => 'directory',
+    'mode'   => '0755',
+    'owner'  => 'root',
+    'group'  => 'root',
+  })
+
+  ensure_resource('file', '/etc/openstack/puppet', {
+    'ensure' => 'directory',
+    'mode'   => '0755',
+    'owner'  => 'root',
+    'group'  => 'root',
+  })
+
+  openstacklib::clouds { '/etc/openstack/puppet/admin-clouds.yaml':
    username     => $username,
    password     => $password,
    auth_url     => $auth_url_real,
    project_name => $project_name,
+    system_scope => 'all',
    region_name  => $region,
    interface    => $interface,
  }
+  Anchor['keystone::config::begin']
+    -> Openstacklib::Clouds['/etc/openstack/puppet/admin-clouds.yaml']
+    -> Anchor['keystone::config::end']
 }
--- a/releasenotes/notes/provider-system-scope-15d21fb50a8432f8.yaml
+++ b/releasenotes/notes/provider-system-scope-15d21fb50a8432f8.yaml
@ -0,0 +1,23 @@
+---
+upgrades:
+  - |
+    Now the following resource types require system scope credential instead
+    of project scope credential when sending requests to Keystone API.
+
+    - ``keystone_domain``
+    - ``keystone_endpoint``
+    - ``keystone_identity_provider``
+    - ``keystone_role``
+    - ``keystone_service``
+    - ``keystone_tenant``
+    - ``keystone_user_role``
+    - ``keystone_user``
+
+  - |
+    The ``/etc/keystone/puppet.conf`` file has been replaced by
+    the ``/etc/openstack/puppet/admin-clouds.yaml`` file.
+
+deprecations:
+  - |
+    The ``keystone_puppet_config`` resource type has been deprecated and will
+    be removed in a future release.
--- a/spec/classes/keystone_bootstrap_spec.rb
+++ b/spec/classes/keystone_bootstrap_spec.rb
@ -71,20 +71,31 @@ describe 'keystone::bootstrap' do
      )}

      it { is_expected.to contain_file('/etc/keystone/puppet.conf').with(
-        :ensure => 'present',
-        :replace => false,
-        :content => '',
+        :ensure  => 'absent',
+        :require => 'Anchor[keystone::config::begin]',
+        :before  => 'Anchor[keystone::config::end]',
+      )}
+
+      it { is_expected.to contain_file('/etc/openstack').with(
+        :ensure  => 'directory',
+        :mode    => '0755',
        :owner   => 'root',
        :group   => 'root',
-        :mode    => '0600',
-        :require => 'Anchor[keystone::install::end]',
      )}

-      it { is_expected.to contain_keystone__resource__authtoken('keystone_puppet_config').with(
+      it { is_expected.to contain_file('/etc/openstack/puppet').with(
+        :ensure  => 'directory',
+        :mode    => '0755',
+        :owner   => 'root',
+        :group   => 'root',
+      )}
+
+      it { is_expected.to contain_openstacklib__clouds('/etc/openstack/puppet/admin-clouds.yaml').with(
        :username     => 'admin',
        :password     => 'secret',
        :auth_url     => 'http://127.0.0.1:5000',
        :project_name => 'admin',
+        :system_scope => 'all',
        :region_name  => 'RegionOne',
        :interface    => 'public',
      )}
@ -170,21 +181,32 @@ describe 'keystone::bootstrap' do
      )}

      it { is_expected.to contain_file('/etc/keystone/puppet.conf').with(
-        :ensure => 'present',
-        :replace => false,
-        :content => '',
+        :ensure  => 'absent',
+        :require => 'Anchor[keystone::config::begin]',
+        :before  => 'Anchor[keystone::config::end]',
+      )}
+
+      it { is_expected.to contain_file('/etc/openstack').with(
+        :ensure  => 'directory',
+        :mode    => '0755',
        :owner   => 'root',
        :group   => 'root',
-        :mode    => '0600',
-        :require => 'Anchor[keystone::install::end]',
      )}

-      it { is_expected.to contain_keystone__resource__authtoken('keystone_puppet_config').with(
+      it { is_expected.to contain_file('/etc/openstack/puppet').with(
+        :ensure  => 'directory',
+        :mode    => '0755',
+        :owner   => 'root',
+        :group   => 'root',
+      )}
+
+      it { is_expected.to contain_openstacklib__clouds('/etc/openstack/puppet/admin-clouds.yaml').with(
        :username     => 'user',
        :password     => 'secret',
        :auth_url     => 'http://admin:1234',
        :project_name => 'adminproj',
        :region_name  => 'RegionTwo',
+        :system_scope => 'all',
        :interface    => 'admin',
      )}
    end
@ -210,20 +232,31 @@ describe 'keystone::bootstrap' do
      it { is_expected.to_not contain_keystone_endpoint('RegionOne/keystone::identity') }

      it { is_expected.to contain_file('/etc/keystone/puppet.conf').with(
-        :ensure => 'present',
-        :replace => false,
-        :content => '',
+        :ensure  => 'absent',
+        :require => 'Anchor[keystone::config::begin]',
+        :before  => 'Anchor[keystone::config::end]',
+      )}
+
+      it { is_expected.to contain_file('/etc/openstack').with(
+        :ensure  => 'directory',
+        :mode    => '0755',
+        :owner   => 'root',
+        :group   => 'root',
+      )}
+
+      it { is_expected.to contain_file('/etc/openstack/puppet').with(
+        :ensure  => 'directory',
+        :mode    => '0755',
        :owner   => 'root',
        :group   => 'root',
-        :mode    => '0600',
-        :require => 'Anchor[keystone::install::end]',
      )}

-      it { is_expected.to contain_keystone__resource__authtoken('keystone_puppet_config').with(
+      it { is_expected.to contain_openstacklib__clouds('/etc/openstack/puppet/admin-clouds.yaml').with(
        :username     => 'admin',
        :password     => 'secret',
        :auth_url     => 'http://127.0.0.1:5000',
        :project_name => 'admin',
+        :system_scope => 'all',
        :region_name  => 'RegionOne',
        :interface    => 'public',
      )}
@ -254,7 +287,7 @@ describe 'keystone::bootstrap' do
        }
      end

-      it { is_expected.to contain_keystone__resource__authtoken('keystone_puppet_config').with(
+      it { is_expected.to contain_openstacklib__clouds('/etc/openstack/puppet/admin-clouds.yaml').with(
        :auth_url  => 'http://internal:1234',
        :interface => 'internal',
      )}
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@ -30,9 +30,6 @@ at_exit { RSpec::Puppet::Coverage.report! }
 def setup_provider_tests
  Puppet::Provider::Keystone.class_exec do
    def self.reset
-      @public_endpoint = nil
-      @tenant_hash    = nil
-      @keystone_file  = nil
      Puppet::Provider::Keystone.class_variable_set('@@default_domain_id', nil)
      @domain_hash = nil
      @users_name  = nil
--- a/spec/unit/provider/keystone_domain/openstack_spec.rb
+++ b/spec/unit/provider/keystone_domain/openstack_spec.rb
@ -9,8 +9,8 @@ describe Puppet::Type.type(:keystone_domain).provider(:openstack) do
  let(:set_env) do
    ENV['OS_USERNAME']     = 'test'
    ENV['OS_PASSWORD']     = 'abc123'
-    ENV['OS_PROJECT_NAME'] = 'test'
-    ENV['OS_AUTH_URL']     = 'http://127.0.0.1:5000/v2.0'
+    ENV['OS_SYSTEM_SCOPE'] = 'all'
+    ENV['OS_AUTH_URL']     = 'http://127.0.0.1:5000'
  end

  describe 'when managing a domain' do
--- a/spec/unit/provider/keystone_endpoint/openstack_spec.rb
+++ b/spec/unit/provider/keystone_endpoint/openstack_spec.rb
@ -7,7 +7,7 @@ describe Puppet::Type.type(:keystone_endpoint).provider(:openstack) do
  let(:set_env) do
    ENV['OS_USERNAME']     = 'test'
    ENV['OS_PASSWORD']     = 'abc123'
-    ENV['OS_PROJECT_NAME'] = 'test'
+    ENV['OS_SYSTEM_SCOPE'] = 'all'
    ENV['OS_AUTH_URL']     = 'http://127.0.0.1:5000'
  end

--- a/spec/unit/provider/keystone_identity_provider/openstack_spec.rb
+++ b/spec/unit/provider/keystone_identity_provider/openstack_spec.rb
@ -6,7 +6,7 @@ describe Puppet::Type.type(:keystone_identity_provider).provider(:openstack) do
  let(:set_env) do
    ENV['OS_USERNAME']     = 'test'
    ENV['OS_PASSWORD']     = 'abc123'
-    ENV['OS_PROJECT_NAME'] = 'test'
+    ENV['OS_SYSTEM_SCOPE'] = 'all'
    ENV['OS_AUTH_URL']     = 'http://127.0.0.1:5000/v3'
  end

--- a/spec/unit/provider/keystone_role/openstack_spec.rb
+++ b/spec/unit/provider/keystone_role/openstack_spec.rb
@ -9,7 +9,7 @@ describe provider_class do
  let(:set_env) do
    ENV['OS_USERNAME']     = 'test'
    ENV['OS_PASSWORD']     = 'abc123'
-    ENV['OS_PROJECT_NAME'] = 'test'
+    ENV['OS_SYSTEM_SCOPE'] = 'all'
    ENV['OS_AUTH_URL']     = 'http://127.0.0.1:5000'
  end

--- a/spec/unit/provider/keystone_service/openstack_spec.rb
+++ b/spec/unit/provider/keystone_service/openstack_spec.rb
@ -9,7 +9,7 @@ describe provider_class do
  let(:set_env) do
    ENV['OS_USERNAME']     = 'test'
    ENV['OS_PASSWORD']     = 'abc123'
-    ENV['OS_PROJECT_NAME'] = 'test'
+    ENV['OS_SYSTEM_SCOPE'] = 'all'
    ENV['OS_AUTH_URL']     = 'http://127.0.0.1:5000/v3'
  end

--- a/spec/unit/provider/keystone_spec.rb
+++ b/spec/unit/provider/keystone_spec.rb
@ -15,7 +15,7 @@ describe Puppet::Provider::Keystone do
  let(:set_env) do
    ENV['OS_USERNAME']     = 'test'
    ENV['OS_PASSWORD']     = 'abc123'
-    ENV['OS_PROJECT_NAME'] = 'test'
+    ENV['OS_SYSTEM_SCOPE'] = 'all'
    ENV['OS_AUTH_URL']     = 'http://127.0.0.1:5000/v3'
  end

@ -66,7 +66,7 @@ id="newid"
    let(:set_env) do
      ENV['OS_USERNAME']     = 'test'
      ENV['OS_PASSWORD']     = 'abc123'
-      ENV['OS_PROJECT_NAME'] = 'test'
+      ENV['OS_SYSTEM_SCOPE'] = 'all'
      ENV['OS_AUTH_URL']     = 'http://127.0.0.1:5000/v3'
    end

@ -98,7 +98,7 @@ id="the_project_id"
    let(:set_env) do
      ENV['OS_USERNAME']     = 'test'
      ENV['OS_PASSWORD']     = 'abc123'
-      ENV['OS_PROJECT_NAME'] = 'test'
+      ENV['OS_SYSTEM_SCOPE'] = 'all'
      ENV['OS_AUTH_URL']     = 'http://127.0.0.1:5000/v3'
    end

@ -127,14 +127,6 @@ id="the_user_id"
  end

  describe '#get_auth_url' do
-    it 'should raise when OS_AUTH_URL is no defined in either the environment or the openrc file and there is no keystone puppet config file' do
-      home = ENV['HOME']
-      ENV.clear
-      File.expects(:exists?).with("#{home}/openrc").returns(false)
-      File.expects(:exists?).with('/root/openrc').returns(false)
-      expect { klass.get_auth_url }.to raise_error(Puppet::Error, "File: /etc/keystone/puppet.conf does not contain all required configuration keys. Cannot authenticate to Keystone.")
-    end
-
    it 'should return the OS_AUTH_URL from the environment' do
      ENV.clear
      ENV['OS_AUTH_URL'] = 'http://127.0.0.1:5001'
--- a/spec/unit/provider/keystone_tenant/openstack_spec.rb
+++ b/spec/unit/provider/keystone_tenant/openstack_spec.rb
@ -54,7 +54,7 @@ describe provider_class do
  let(:set_env) do
    ENV['OS_USERNAME']     = 'test'
    ENV['OS_PASSWORD']     = 'abc123'
-    ENV['OS_PROJECT_NAME'] = 'test'
+    ENV['OS_SYSTEM_SCOPE'] = 'all'
    ENV['OS_AUTH_URL']     = 'http://127.0.0.1:5000/v3'
  end

--- a/spec/unit/provider/keystone_user/openstack_spec.rb
+++ b/spec/unit/provider/keystone_user/openstack_spec.rb
@ -10,7 +10,7 @@ describe Puppet::Type.type(:keystone_user).provider(:openstack) do
  let(:set_env) do
    ENV['OS_USERNAME']     = 'test'
    ENV['OS_PASSWORD']     = 'abc123'
-    ENV['OS_PROJECT_NAME'] = 'test'
+    ENV['OS_SYSTEM_SCOPE'] = 'all'
    ENV['OS_AUTH_URL']     = 'http://127.0.0.1:5000'
  end

--- a/spec/unit/provider/keystone_user_role/openstack_spec.rb
+++ b/spec/unit/provider/keystone_user_role/openstack_spec.rb
@ -9,7 +9,7 @@ describe Puppet::Type.type(:keystone_user_role).provider(:openstack) do
  let(:set_env) do
    ENV['OS_USERNAME']     = 'test'
    ENV['OS_PASSWORD']     = 'abc123'
-    ENV['OS_PROJECT_NAME'] = 'test'
+    ENV['OS_SYSTEM_SCOPE'] = 'all'
    ENV['OS_AUTH_URL']     = 'http://127.0.0.1:5000'
  end