Merge "Implement resource to configure parameters to use service token"
This commit is contained in:
commit
c20b5a026c
|
@ -352,5 +352,6 @@ define keystone::resource::authtoken(
|
|||
'keystone_authtoken/service_token_roles' => {'value' => $service_token_roles},
|
||||
'keystone_authtoken/service_token_roles_required' => {'value' => $service_token_roles_required},
|
||||
}
|
||||
|
||||
create_resources($name, $keystonemiddleware_options)
|
||||
}
|
||||
|
|
|
@ -0,0 +1,108 @@
|
|||
# == Definition: keystone::resource::service_user
|
||||
#
|
||||
# This resource configures Keystone authentication resources to make OpenStack
|
||||
# services like nova or cinder use service token feature. It will manage the
|
||||
# [service_user] section in the given config resource.
|
||||
#
|
||||
# == Parameters:
|
||||
#
|
||||
# [*name*]
|
||||
# (Required) The name of the resource corresponding to the config file.
|
||||
# For example, keystone::resource::service_user { 'nova_config': ... }
|
||||
# Where 'nova_config' is the name of the resource used to manage
|
||||
# the nova configuration.
|
||||
#
|
||||
# [*username*]
|
||||
# (Required) The name of the service user
|
||||
#
|
||||
# [*password*]
|
||||
# (Required) Password to create for the service user
|
||||
#
|
||||
# [*auth_url*]
|
||||
# (Required) The URL to use for authentication.
|
||||
#
|
||||
# [*project_name*]
|
||||
# (Required) Service project name
|
||||
#
|
||||
# [*user_domain_name*]
|
||||
# (Optional) Name of domain for $username
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*project_domain_name*]
|
||||
# (Optional) Name of domain for $project_name
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*send_service_user_token*]
|
||||
# (Optional) The service uses service token feature when this is set as true
|
||||
# Defaults to false
|
||||
#
|
||||
# [*insecure*]
|
||||
# (Optional) If true, explicitly allow TLS without checking server cert
|
||||
# against any certificate authorities. WARNING: not recommended. Use with
|
||||
# caution.
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*auth_type*]
|
||||
# (Optional) Authentication type to load
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*auth_version*]
|
||||
# (Optional) API version of the admin Identity API endpoint.
|
||||
# Defaults to $::os_service_default.
|
||||
#
|
||||
# [*cafile*]
|
||||
# (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs
|
||||
# connections.
|
||||
# Defaults to $::os_service_default.
|
||||
#
|
||||
# [*certfile*]
|
||||
# (Optional) Required if identity server requires client certificate
|
||||
# Defaults to $::os_service_default.
|
||||
#
|
||||
# [*keyfile*]
|
||||
# (Optional) Required if identity server requires client certificate
|
||||
# Defaults to $::os_service_default.
|
||||
#
|
||||
# [*region_name*]
|
||||
# (Optional) The region in which the identity server can be found.
|
||||
# Defaults to $::os_service_default.
|
||||
#
|
||||
define keystone::resource::service_user(
|
||||
$username,
|
||||
$password,
|
||||
$auth_url,
|
||||
$project_name,
|
||||
$user_domain_name = $::os_service_default,
|
||||
$project_domain_name = $::os_service_default,
|
||||
$send_service_user_token = false,
|
||||
$insecure = $::os_service_default,
|
||||
$auth_type = $::os_service_default,
|
||||
$auth_version = $::os_service_default,
|
||||
$cafile = $::os_service_default,
|
||||
$certfile = $::os_service_default,
|
||||
$keyfile = $::os_service_default,
|
||||
$region_name = $::os_service_default,
|
||||
) {
|
||||
|
||||
include ::keystone::params
|
||||
include ::keystone::deps
|
||||
|
||||
$service_user_options = {
|
||||
'service_user/auth_type' => {'value' => $auth_type},
|
||||
'service_user/auth_version' => {'value' => $auth_version},
|
||||
'service_user/cafile' => {'value' => $cafile},
|
||||
'service_user/certfile' => {'value' => $certfile},
|
||||
'service_user/keyfile' => {'value' => $keyfile},
|
||||
'service_user/region_name' => {'value' => $region_name},
|
||||
'service_user/auth_url' => {'value' => $auth_url},
|
||||
'service_user/username' => {'value' => $username},
|
||||
'service_user/password' => {'value' => $password, 'secret' => true},
|
||||
'service_user/user_domain_name' => {'value' => $user_domain_name},
|
||||
'service_user/project_name' => {'value' => $project_name},
|
||||
'service_user/project_domain_name' => {'value' => $project_domain_name},
|
||||
'service_user/send_service_user_token' => {'value' => $send_service_user_token},
|
||||
'service_user/insecure' => {'value' => $insecure},
|
||||
}
|
||||
|
||||
create_resources($name, $service_user_options)
|
||||
}
|
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
features:
|
||||
- |
|
||||
New resource, keystone::resource::service_user, is available to configure
|
||||
Keystone authentication parameters to use service token feature.
|
|
@ -93,12 +93,15 @@ describe 'keystone::resource::authtoken' do
|
|||
is_expected.to contain_keystone_config('keystone_authtoken/www_authenticate_uri').with_value(params[:www_authenticate_uri])
|
||||
is_expected.to contain_keystone_config('keystone_authtoken/auth_version').with_value(params[:auth_version])
|
||||
is_expected.to contain_keystone_config('keystone_authtoken/cache').with_value(params[:cache])
|
||||
is_expected.to contain_keystone_config('keystone_authtoken/cafile').with_value(params[:cafile])
|
||||
is_expected.to contain_keystone_config('keystone_authtoken/certfile').with_value(params[:certfile])
|
||||
is_expected.to contain_keystone_config('keystone_authtoken/collect_timing').with_value(params[:collect_timing])
|
||||
is_expected.to contain_keystone_config('keystone_authtoken/delay_auth_decision').with_value(params[:delay_auth_decision])
|
||||
is_expected.to contain_keystone_config('keystone_authtoken/enforce_token_bind').with_value(params[:enforce_token_bind])
|
||||
is_expected.to contain_keystone_config('keystone_authtoken/http_connect_timeout').with_value(params[:http_connect_timeout])
|
||||
is_expected.to contain_keystone_config('keystone_authtoken/http_request_max_retries').with_value(params[:http_request_max_retries])
|
||||
is_expected.to contain_keystone_config('keystone_authtoken/include_service_catalog').with_value(params[:include_service_catalog])
|
||||
is_expected.to contain_keystone_config('keystone_authtoken/keyfile').with_value(params[:keyfile])
|
||||
is_expected.to contain_keystone_config('keystone_authtoken/memcache_pool_conn_get_timeout').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_keystone_config('keystone_authtoken/memcache_pool_dead_retry').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_keystone_config('keystone_authtoken/memcache_pool_maxsize').with_value('<SERVICE DEFAULT>')
|
||||
|
|
|
@ -0,0 +1,97 @@
|
|||
require 'spec_helper'
|
||||
|
||||
describe 'keystone::resource::service_user' do
|
||||
|
||||
let (:title) { 'keystone_config' }
|
||||
|
||||
let :params do
|
||||
{ :username => 'keystone',
|
||||
:password => 'secret',
|
||||
:auth_url => 'http://127.0.0.1:5000',
|
||||
:project_name => 'services' }
|
||||
end
|
||||
|
||||
shared_examples 'shared examples' do
|
||||
context 'with only required parameters' do
|
||||
it 'configures keystone service_user' do
|
||||
is_expected.to contain_keystone_config('service_user/username').with_value('keystone')
|
||||
is_expected.to contain_keystone_config('service_user/password').with_value('secret').with_secret(true)
|
||||
is_expected.to contain_keystone_config('service_user/auth_url').with_value( params[:auth_url] )
|
||||
is_expected.to contain_keystone_config('service_user/project_name').with_value( params[:project_name] )
|
||||
is_expected.to contain_keystone_config('service_user/project_domain_name').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_keystone_config('service_user/user_domain_name').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_keystone_config('service_user/send_service_user_token').with_value(false)
|
||||
is_expected.to contain_keystone_config('service_user/insecure').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_keystone_config('service_user/auth_type').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_keystone_config('service_user/auth_version').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_keystone_config('service_user/cafile').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_keystone_config('service_user/certfile').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_keystone_config('service_user/keyfile').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_keystone_config('service_user/region_name').with_value('<SERVICE DEFAULT>')
|
||||
end
|
||||
end
|
||||
|
||||
context 'set all keystone service_user parameters' do
|
||||
before do
|
||||
params.merge! ({
|
||||
:username => 'username',
|
||||
:password => 'hardpassword',
|
||||
:auth_url => 'http://127.1.1.127:5000/',
|
||||
:project_name => 'NoProject',
|
||||
:user_domain_name => 'MyDomain',
|
||||
:project_domain_name => 'OurDomain',
|
||||
:send_service_user_token => true,
|
||||
:insecure => true,
|
||||
:auth_type => 'password',
|
||||
:auth_version => '3',
|
||||
:cafile => 'cafile.pem',
|
||||
:certfile => 'certfile.crt',
|
||||
:keyfile => 'somekey.key',
|
||||
:region_name => 'MyRegion',
|
||||
})
|
||||
end
|
||||
it 'override keystone service_user parameters' do
|
||||
is_expected.to contain_keystone_config('service_user/username').with_value(params[:username])
|
||||
is_expected.to contain_keystone_config('service_user/password').with_value(params[:password]).with_secret(true)
|
||||
is_expected.to contain_keystone_config('service_user/auth_url').with_value( params[:auth_url] )
|
||||
is_expected.to contain_keystone_config('service_user/project_name').with_value( params[:project_name] )
|
||||
is_expected.to contain_keystone_config('service_user/user_domain_name').with_value(params[:user_domain_name])
|
||||
is_expected.to contain_keystone_config('service_user/project_domain_name').with_value(params[:project_domain_name])
|
||||
is_expected.to contain_keystone_config('service_user/send_service_user_token').with_value(params[:send_service_user_token])
|
||||
is_expected.to contain_keystone_config('service_user/insecure').with_value(params[:insecure])
|
||||
is_expected.to contain_keystone_config('service_user/auth_version').with_value(params[:auth_version])
|
||||
is_expected.to contain_keystone_config('service_user/cafile').with_value(params[:cafile])
|
||||
is_expected.to contain_keystone_config('service_user/certfile').with_value(params[:certfile])
|
||||
is_expected.to contain_keystone_config('service_user/keyfile').with_value(params[:keyfile])
|
||||
is_expected.to contain_keystone_config('service_user/region_name').with_value(params[:region_name])
|
||||
end
|
||||
end
|
||||
|
||||
context 'without password required parameter' do
|
||||
let :params do
|
||||
params.delete(:password)
|
||||
end
|
||||
it { expect { is_expected.to raise_error(Puppet::Error) } }
|
||||
end
|
||||
|
||||
context 'without specify project' do
|
||||
let :params do
|
||||
params.delete(:project_name)
|
||||
end
|
||||
it { expect { is_expected.to raise_error(Puppet::Error) } }
|
||||
end
|
||||
end
|
||||
|
||||
on_supported_os({
|
||||
:supported_os => OSDefaults.get_supported_os
|
||||
}).each do |os,facts|
|
||||
context "on #{os}" do
|
||||
let (:facts) do
|
||||
facts.merge!(OSDefaults.get_facts())
|
||||
end
|
||||
|
||||
include_examples 'shared examples'
|
||||
end
|
||||
end
|
||||
|
||||
end
|
Loading…
Reference in New Issue