Use puppetlabs-apache to load auth modules.
... so that we don't have to maintain the required logics to enable the module in our modules. Related-Bug: #2006924 Change-Id: Ia46deea226a58638e74eee0c0172f0c3c5fa62e7
This commit is contained in:
parent
6c52159c7b
commit
fe95db4cb0
|
@ -27,28 +27,36 @@
|
||||||
# The value 999 corresponds to the order for concat::fragment "${name}-file_footer".
|
# The value 999 corresponds to the order for concat::fragment "${name}-file_footer".
|
||||||
# (Optional) Defaults to 331.
|
# (Optional) Defaults to 331.
|
||||||
#
|
#
|
||||||
|
# [*enable_websso*]
|
||||||
|
# (optional) Whether or not to enable Web Single Sign-On (SSO)
|
||||||
|
# Defaults to false
|
||||||
|
#
|
||||||
|
# DEPRECATED PARAMETERS
|
||||||
|
#
|
||||||
# [*package_ensure*]
|
# [*package_ensure*]
|
||||||
# (optional) Desired ensure state of packages.
|
# (optional) Desired ensure state of packages.
|
||||||
# accepts latest or specific versions.
|
# accepts latest or specific versions.
|
||||||
# Defaults to present.
|
# Defaults to present.
|
||||||
#
|
#
|
||||||
# [*enable_websso*]
|
|
||||||
# (optional) Whether or not to enable Web Single Sign-On (SSO)
|
|
||||||
# Defaults to false
|
|
||||||
#
|
|
||||||
class keystone::federation::mellon (
|
class keystone::federation::mellon (
|
||||||
$methods,
|
$methods,
|
||||||
$idp_name,
|
$idp_name,
|
||||||
$protocol_name,
|
$protocol_name,
|
||||||
$template_order = 331,
|
$template_order = 331,
|
||||||
$package_ensure = present,
|
|
||||||
$enable_websso = false,
|
$enable_websso = false,
|
||||||
|
# DEPRECATED PARAMETERS
|
||||||
|
$package_ensure = undef,
|
||||||
) {
|
) {
|
||||||
|
|
||||||
include apache
|
include apache
|
||||||
|
include apache::mod::auth_mellon
|
||||||
include keystone::deps
|
include keystone::deps
|
||||||
include keystone::params
|
include keystone::params
|
||||||
|
|
||||||
|
if $package_ensure != undef {
|
||||||
|
warning('The package_ensure parameter is deprecated and has no effect.')
|
||||||
|
}
|
||||||
|
|
||||||
# Note: if puppet-apache modify these values, this needs to be updated
|
# Note: if puppet-apache modify these values, this needs to be updated
|
||||||
if $template_order <= 330 or $template_order >= 999 {
|
if $template_order <= 330 or $template_order >= 999 {
|
||||||
fail('The template order should be greater than 330 and less than 999.')
|
fail('The template order should be greater than 330 and less than 999.')
|
||||||
|
@ -76,11 +84,6 @@ Apache + Mellon SP setups, where a REMOTE_USER env variable is always set, even
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
ensure_packages([$::keystone::params::mellon_package_name], {
|
|
||||||
ensure => $package_ensure,
|
|
||||||
tag => 'keystone-support-package',
|
|
||||||
})
|
|
||||||
|
|
||||||
concat::fragment { 'configure_mellon_keystone':
|
concat::fragment { 'configure_mellon_keystone':
|
||||||
target => "${keystone::wsgi::apache::priority}-keystone_wsgi.conf",
|
target => "${keystone::wsgi::apache::priority}-keystone_wsgi.conf",
|
||||||
content => template('keystone/mellon.conf.erb'),
|
content => template('keystone/mellon.conf.erb'),
|
||||||
|
|
|
@ -128,10 +128,12 @@
|
||||||
# The value 999 corresponds to the order for concat::fragment "${name}-file_footer".
|
# The value 999 corresponds to the order for concat::fragment "${name}-file_footer".
|
||||||
# (Optional) Defaults to 331.
|
# (Optional) Defaults to 331.
|
||||||
#
|
#
|
||||||
|
# DEPRECATED PARAMETERS
|
||||||
|
#
|
||||||
# [*package_ensure*]
|
# [*package_ensure*]
|
||||||
# (Optional) Desired ensure state of packages.
|
# (Optional) Desired ensure state of packages.
|
||||||
# accepts latest or specific versions.
|
# accepts latest or specific versions.
|
||||||
# Defaults to present.
|
# Defaults to undef,
|
||||||
#
|
#
|
||||||
class keystone::federation::openidc (
|
class keystone::federation::openidc (
|
||||||
$keystone_url,
|
$keystone_url,
|
||||||
|
@ -160,16 +162,20 @@ class keystone::federation::openidc (
|
||||||
$redis_password = undef,
|
$redis_password = undef,
|
||||||
$remote_id_attribute = undef,
|
$remote_id_attribute = undef,
|
||||||
$template_order = 331,
|
$template_order = 331,
|
||||||
$package_ensure = present,
|
# DEPRECATED PARAMETERS
|
||||||
|
$package_ensure = undef,
|
||||||
) {
|
) {
|
||||||
|
|
||||||
include apache
|
include apache
|
||||||
include apache::mod::authn_core
|
include apache::mod::auth_openidc
|
||||||
include apache::mod::authz_user
|
|
||||||
|
|
||||||
include keystone::deps
|
include keystone::deps
|
||||||
include keystone::params
|
include keystone::params
|
||||||
|
|
||||||
|
if $package_ensure != undef {
|
||||||
|
warning('The package_ensure parameter is deprecated and has no effect.')
|
||||||
|
}
|
||||||
|
|
||||||
if !($openidc_verify_method in ['introspection', 'jwks']) {
|
if !($openidc_verify_method in ['introspection', 'jwks']) {
|
||||||
fail('Unsupported token verification method.' +
|
fail('Unsupported token verification method.' +
|
||||||
' Must be one of "introspection" or "jwks"')
|
' Must be one of "introspection" or "jwks"')
|
||||||
|
@ -229,11 +235,6 @@ class keystone::federation::openidc (
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
ensure_packages([$::keystone::params::openidc_package_name], {
|
|
||||||
ensure => $package_ensure,
|
|
||||||
tag => 'keystone-support-package',
|
|
||||||
})
|
|
||||||
|
|
||||||
concat::fragment { 'configure_openidc_keystone':
|
concat::fragment { 'configure_openidc_keystone':
|
||||||
target => "${keystone::wsgi::apache::priority}-keystone_wsgi.conf",
|
target => "${keystone::wsgi::apache::priority}-keystone_wsgi.conf",
|
||||||
content => template('keystone/openidc.conf.erb'),
|
content => template('keystone/openidc.conf.erb'),
|
||||||
|
|
|
@ -20,8 +20,6 @@ class keystone::params {
|
||||||
$python_memcache_package_name = 'python3-memcache'
|
$python_memcache_package_name = 'python3-memcache'
|
||||||
$python_ldappool_package_name = 'python3-ldappool'
|
$python_ldappool_package_name = 'python3-ldappool'
|
||||||
$python_pysaml2_package_name = 'python3-pysaml2'
|
$python_pysaml2_package_name = 'python3-pysaml2'
|
||||||
$mellon_package_name = 'libapache2-mod-auth-mellon'
|
|
||||||
$openidc_package_name = 'libapache2-mod-auth-openidc'
|
|
||||||
}
|
}
|
||||||
'RedHat': {
|
'RedHat': {
|
||||||
$package_name = 'openstack-keystone'
|
$package_name = 'openstack-keystone'
|
||||||
|
@ -30,8 +28,6 @@ class keystone::params {
|
||||||
$python_memcache_package_name = 'python3-memcached'
|
$python_memcache_package_name = 'python3-memcached'
|
||||||
$python_ldappool_package_name = 'python3-ldappool'
|
$python_ldappool_package_name = 'python3-ldappool'
|
||||||
$python_pysaml2_package_name = 'python3-pysaml2'
|
$python_pysaml2_package_name = 'python3-pysaml2'
|
||||||
$mellon_package_name = 'mod_auth_mellon'
|
|
||||||
$openidc_package_name = 'mod_auth_openidc'
|
|
||||||
}
|
}
|
||||||
default: {
|
default: {
|
||||||
fail("Unsupported osfamily ${::osfamily}")
|
fail("Unsupported osfamily ${::osfamily}")
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
"dependencies": [
|
"dependencies": [
|
||||||
{
|
{
|
||||||
"name": "puppetlabs/apache",
|
"name": "puppetlabs/apache",
|
||||||
"version_requirement": ">=5.0.0 <9.0.0"
|
"version_requirement": ">=5.5.0 <9.0.0"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"name": "puppetlabs/concat",
|
"name": "puppetlabs/concat",
|
||||||
|
|
|
@ -0,0 +1,8 @@
|
||||||
|
---
|
||||||
|
deprecations:
|
||||||
|
- |
|
||||||
|
The following parameters have been deprecated and have no effect. Now
|
||||||
|
the module packages are managed using puppetlabs-apache module.
|
||||||
|
|
||||||
|
- ``keystone::federation::openidc::package_ensure``
|
||||||
|
- ``keystone::federation::mellon::package_ensure``
|
|
@ -42,6 +42,10 @@ describe 'keystone::federation::mellon' do
|
||||||
|
|
||||||
shared_examples 'Federation Mellon' do
|
shared_examples 'Federation Mellon' do
|
||||||
context 'with only required parameters' do
|
context 'with only required parameters' do
|
||||||
|
it 'should enable auth_mellon module' do
|
||||||
|
is_expected.to contain_class('apache::mod::auth_mellon')
|
||||||
|
end
|
||||||
|
|
||||||
it 'should have basic params for mellon in Keystone configuration' do
|
it 'should have basic params for mellon in Keystone configuration' do
|
||||||
is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2')
|
is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2')
|
||||||
is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent')
|
is_expected.to contain_keystone_config('auth/saml2').with_ensure('absent')
|
||||||
|
@ -88,13 +92,6 @@ describe 'keystone::federation::mellon' do
|
||||||
end
|
end
|
||||||
|
|
||||||
it_behaves_like 'Federation Mellon'
|
it_behaves_like 'Federation Mellon'
|
||||||
|
|
||||||
case [:osfamily]
|
|
||||||
when 'Debian'
|
|
||||||
it { is_expected.to contain_package('libapache2-mod-auth-mellon') }
|
|
||||||
when 'RedHat'
|
|
||||||
it { is_expected.to contain_package('mod_auth_mellon') }
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -58,22 +58,7 @@ describe 'keystone::federation::openidc' do
|
||||||
facts.merge!(OSDefaults.get_facts({}))
|
facts.merge!(OSDefaults.get_facts({}))
|
||||||
end
|
end
|
||||||
|
|
||||||
let(:platform_parameters) do
|
it { is_expected.to contain_class('apache::mod::auth_openidc') }
|
||||||
case facts[:osfamily]
|
|
||||||
when 'Debian'
|
|
||||||
{
|
|
||||||
:openidc_package_name => 'libapache2-mod-auth-openidc',
|
|
||||||
}
|
|
||||||
when 'RedHat'
|
|
||||||
{
|
|
||||||
:openidc_package_name => 'mod_auth_openidc',
|
|
||||||
}
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
it { is_expected.to contain_package(platform_parameters[:openidc_package_name]) }
|
|
||||||
it { is_expected.to contain_class('apache::mod::authn_core') }
|
|
||||||
it { is_expected.to contain_class('apache::mod::authz_user') }
|
|
||||||
|
|
||||||
context 'with only required parameters' do
|
context 'with only required parameters' do
|
||||||
it 'should have basic params for openidc in Keystone configuration' do
|
it 'should have basic params for openidc in Keystone configuration' do
|
||||||
|
|
|
@ -1,4 +1,3 @@
|
||||||
LoadModule auth_openidc_module modules/mod_auth_openidc.so
|
|
||||||
OIDCClaimPrefix "OIDC-"
|
OIDCClaimPrefix "OIDC-"
|
||||||
OIDCResponseType "<%= scope['keystone::federation::openidc::openidc_response_type']-%>"
|
OIDCResponseType "<%= scope['keystone::federation::openidc::openidc_response_type']-%>"
|
||||||
OIDCScope "openid email profile"
|
OIDCScope "openid email profile"
|
||||||
|
|
Loading…
Reference in New Issue