

  1. #
  2. # Module for managing keystone config.
  3. #
  4. # == Parameters
  5. #
  6. # [*package_ensure*]
  7. # (Optional) Desired ensure state of packages.
  8. # accepts latest or specific versions.
  9. # Defaults to present.
  10. #
  11. # [*client_package_ensure*]
  12. # (Optional) Desired ensure state of the client package.
  13. # accepts latest or specific versions.
  14. # Defaults to present.
  15. #
  16. # [*public_port*]
  17. # (Optional) Port that keystone binds to.
  18. # Defaults to '5000'
  19. #
  20. # [*admin_port*]
  21. # (Optional) Port that can be used for admin tasks.
  22. # Defaults to '35357'
  23. #
  24. # [*admin_token*]
  25. # Admin token that can be used to authenticate as a keystone
  26. # admin. This is not the password for the admin user
  27. # in the Keystone database. This is a token that bypasses authentication.
  28. # The admin_token has been deprecated by the Keystone service and this
  29. # parameter will be deprecated in a future changeset. Required.
  30. #
  31. # [*admin_password*]
  32. # Keystone password for the admin user. This is not the admin_token.
  33. # This is the password that the admin user signs into keystone with.
  34. # Required.
  35. #
  36. # [*catalog_type*]
  37. # (Optional) Type of catalog that keystone uses to store endpoints and services.
  38. # Defaults to sql. (Also accepts template)
  39. #
  40. # [*catalog_driver*]
  41. # (Optional) Catalog driver used by Keystone to store endpoints and services.
  42. # Setting this value will override and ignore catalog_type.
  43. # Defaults to false.
  44. #
  45. # [*catalog_template_file*]
  46. # (Optional) Path to the catalog used if catalog_type equals 'template'.
  47. # Defaults to '/etc/keystone/default_catalog.templates'
  48. #
  49. # [*token_provider*]
  50. # (Optional) Format keystone uses for tokens.
  51. # Defaults to 'fernet'
  52. # Supports fernet or uuid.
  53. #
  54. # [*token_expiration*]
  55. # (Optional) Amount of time a token should remain valid (seconds).
  56. # Defaults to 3600 (1 hour).
  57. #
  58. # [*password_hash_algorithm*]
  59. # (Optional) The password hash algorithm to use.
  60. # Defaults to $::os_service_default
  61. #
  62. # [*password_hash_rounds*]
  63. # (Optional) The amount of rounds to do on the hash.
  64. # Defaults to $::os_service_default
  65. #
  66. # [*revoke_driver*]
  67. # (Optional) Driver for token revocation.
  68. # Defaults to $::os_service_default
  69. #
  70. # [*revoke_by_id*]
  71. # (Optional) Revoke token by token identifier.
  72. # Setting revoke_by_id to true enables various forms of enumerating tokens.
  73. # These enumerations are processed to determine the list of tokens to revoke.
  74. # Only disable if you are switching to using the Revoke extension with a backend
  75. # other than KVS, which stores events in memory.
  76. # Defaults to true.
  77. #
  78. # [*cache_backend*]
  79. # (Optional) Dogpile.cache backend module. It is recommended that Memcache with pooling
  80. # (keystone.cache.memcache_pool) or Redis (dogpile.cache.redis) be used in production.
  81. # This has no effect unless cache_enabled is true and cache_memcache_servers is set.
  82. # Defaults to $::os_service_default
  83. #
  84. # [*cache_backend_argument*]
  85. # (Optional) List of arguments in format of argname:value supplied to the backend module.
  86. # Specify this option once per argument to be passed to the dogpile.cache backend.
  87. # This has no effect unless cache_backend and cache_enabled are set.
  88. # Default to $::os_service_default
  89. #
  90. # [*cache_enabled*]
  91. # (Optional) Setting this boolean will enable the caching backend for Keystone.
  92. # Defaults to $::os_service_default
  93. #
  94. # [*cache_memcache_servers*]
  95. # (Optional) List of memcache servers to be used with the caching backend to
  96. # configure cache/memcache_servers. This has no effect unless cache_backend
  97. # is set and cache_enabled is true.
  98. # Specified as a comma separated string of 'server:port,server:port' or an
  99. # array of servers ['server:port', 'server:port'].
  100. # Default to $::os_service_default
  101. #
  102. # [*debug_cache_backend*]
  103. # (Optional) Extra debugging from the cache backend (cache keys, get/set/delete calls).
  104. # Default to $::os_service_default
  105. #
  106. # [*cache_config_prefix*]
  107. # (Optional) Prefix for building the configuration dictionary for
  108. # the cache region. This should not need to be changed unless there
  109. # is another dogpile.cache region with the same configuration name.
  110. # (string value)
  111. # Defaults to $::os_service_default
  112. #
  113. # [*cache_expiration_time*]
  114. # (Optional) Default TTL, in seconds, for any cached item in the
  115. # dogpile.cache region. This applies to any cached method that
  116. # doesn't have an explicit cache expiration time defined for it.
  117. # (integer value)
  118. # Defaults to $::os_service_default
  119. #
  120. # [*cache_proxies*]
  121. # (Optional) Proxy classes to import that will affect the way the
  122. # dogpile.cache backend functions. See the dogpile.cache documentation on
  123. # changing-backend-behavior. (list value)
  124. # Defaults to $::os_service_default
  125. #
  126. # [*token_caching*]
  127. # (Optional) Toggle for token system caching. This has no effect unless
  128. # cache_backend, cache_enabled and cache_memcache_servers are set.
  129. # Default to $::os_service_default
  130. #
  131. # [*manage_service*]
  132. # (Optional) If Puppet should manage service startup / shutdown.
  133. # Defaults to true.
  134. #
  135. # [*enabled*]
  136. # (Optional) If the keystone services should be enabled.
  137. # Default to true.
  138. #
  139. # [*database_connection*]
  140. # (Optional) URL used to connect to the database.
  141. # Defaults to undef.
  142. #
  143. # [*database_idle_timeout*]
  144. # (Optional) Timeout when db connections should be reaped.
  145. # Defaults to undef.
  146. #
  147. # [*database_max_retries*]
  148. # (Optional) Maximum number of database connection retries during startup.
  149. # Setting -1 implies an infinite retry count.
  150. # (Defaults to undef)
  151. #
  152. # [*database_retry_interval*]
  153. # (Optional) Interval between retries of opening a database connection.
  154. # (Defaults to undef)
  155. #
  156. # [*database_min_pool_size*]
  157. # (Optional) Minimum number of SQL connections to keep open in a pool.
  158. # Defaults to: undef
  159. #
  160. # [*database_max_pool_size*]
  161. # (Optional) Maximum number of SQL connections to keep open in a pool.
  162. # Defaults to: undef
  163. #
  164. # [*database_max_overflow*]
  165. # (Optional) If set, use this value for max_overflow with sqlalchemy.
  166. # Defaults to: undef
  167. #
  168. # [*default_transport_url*]
  169. # (Optional) A URL representing the messaging driver to use and its full
  170. # configuration. Transport URLs take the form:
  171. # transport://user:pass@host1:port[,hostN:portN]/virtual_host
  172. # Defaults to $::os_service_default
  173. #
  174. # [*rabbit_ha_queues*]
  175. # (Optional) Use HA queues in RabbitMQ.
  176. # Defaults to $::os_service_default
  177. #
  178. # [*rabbit_heartbeat_timeout_threshold*]
  179. # (Optional) Number of seconds after which the RabbitMQ broker is considered
  180. # down if the heartbeat keepalive fails. Any value >0 enables heartbeats.
  181. # Heartbeating helps to ensure the TCP connection to RabbitMQ isn't silently
  182. # closed, resulting in missed or lost messages from the queue.
  183. # (Requires kombu >= 3.0.7 and amqp >= 1.4.0)
  184. # Defaults to $::os_service_default
  185. #
  186. # [*rabbit_heartbeat_rate*]
  187. # (Optional) How often during the rabbit_heartbeat_timeout_threshold period to
  188. # check the heartbeat on the RabbitMQ connection (e.g. rabbit_heartbeat_rate=2
  189. # with rabbit_heartbeat_timeout_threshold=60 means the heartbeat will be checked
  190. # every 30 seconds).
  191. # Defaults to $::os_service_default
  192. #
  193. # [*rabbit_use_ssl*]
  194. # (Optional) Connect over SSL for RabbitMQ
  195. # Defaults to $::os_service_default
  196. #
  197. # [*kombu_ssl_ca_certs*]
  198. # (Optional) SSL certification authority file (valid only if SSL enabled).
  199. # Defaults to $::os_service_default
  200. #
  201. # [*kombu_ssl_certfile*]
  202. # (Optional) SSL cert file (valid only if SSL enabled).
  203. # Defaults to $::os_service_default
  204. #
  205. # [*kombu_ssl_keyfile*]
  206. # (Optional) SSL key file (valid only if SSL enabled).
  207. # Defaults to $::os_service_default
  208. #
  209. # [*kombu_ssl_version*]
  210. # (Optional) SSL version to use (valid only if SSL enabled).
  211. # Valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may be
  212. # available on some distributions.
  213. # Defaults to $::os_service_default
  214. #
  215. # [*kombu_reconnect_delay*]
  216. # (Optional) How long to wait before reconnecting in response
  217. # to an AMQP consumer cancel notification. (floating point value)
  218. # Defaults to $::os_service_default
  219. #
  220. # [*kombu_failover_strategy*]
  221. # (Optional) Determines how the next RabbitMQ node is chosen in case the one
  222. # we are currently connected to becomes unavailable. Takes effect only if
  223. # more than one RabbitMQ node is provided in config. (string value)
  224. # Defaults to $::os_service_default
  225. #
  226. # [*kombu_compression*]
  227. # (Optional) Possible values are: gzip, bz2. If not set, compression will not
  228. # be used. This option may not be available in future versions. EXPERIMENTAL.
  229. # (string value)
  230. # Defaults to $::os_service_default
  231. #
  232. # [*notification_transport_url*]
  233. # (Optional) A URL representing the messaging driver to use for notifications
  234. # and its full configuration. Transport URLs take the form:
  235. # transport://user:pass@host1:port[,hostN:portN]/virtual_host
  236. # Defaults to $::os_service_default
  237. #
  238. # [*notification_driver*]
  239. # RPC driver. Not enabled by default (list value)
  240. # Defaults to $::os_service_default
  241. #
  242. # [*notification_topics*]
  243. # (Optional) AMQP topics to publish to when using the RPC notification driver.
  244. # (list value)
  245. # Default to $::os_service_default
  246. #
  247. # [*notification_format*]
  248. # Format for the notifications. Valid values are 'basic' and 'cadf'.
  249. # Default to undef
  250. #
  251. # [*control_exchange*]
  252. # (Optional) AMQP exchange to connect to if using RabbitMQ
  253. # (string value)
  254. # Default to $::os_service_default
  255. #
  256. # [*rpc_response_timeout*]
  257. # (Optional) Seconds to wait for a response from a call.
  258. # Defaults to $::os_service_default
  259. #
  260. # [*public_bind_host*]
  261. # (Optional) The IP address of the public network interface to listen on
  262. # Default to '0.0.0.0'.
  263. #
  264. # [*admin_bind_host*]
  265. # (Optional) The IP address of the public network interface to listen on
  266. # Default to '0.0.0.0'.
  267. #
  268. # [*log_dir*]
  269. # (Optional) Directory where logs should be stored
  270. # If set to $::os_service_default, it will not log to any directory
  271. # Defaults to undef.
  272. #
  273. # [*log_file*]
  274. # (Optional) Where to log
  275. # Defaults to undef.
  276. #
  277. # [*public_endpoint*]
  278. # (Optional) The base public endpoint URL for keystone that is
  279. # advertised to clients (NOTE: this does NOT affect how
  280. # keystone listens for connections) (string value)
  281. # If set to false, no public_endpoint will be defined in keystone.conf.
  282. # Sample value: 'http://localhost:5000/'
  283. # Defaults to $::os_service_default
  284. #
  285. # [*admin_endpoint*]
  286. # (Optional) The base admin endpoint URL for keystone that is
  287. # advertised to clients (NOTE: this does NOT affect how keystone listens
  288. # for connections) (string value)
  289. # If set to false, no admin_endpoint will be defined in keystone.conf.
  290. # Sample value: 'http://localhost:5000/'
  291. # Defaults to $::os_service_default
  292. #
  293. # [*enable_ssl*]
  294. # (Optional) Toggle for SSL support on the keystone eventlet servers.
  295. # (boolean value)
  296. # Defaults to false
  297. #
  298. # [*ssl_certfile*]
  299. # (Optional) Path of the certfile for SSL. (string value)
  300. # Defaults to '/etc/keystone/ssl/certs/keystone.pem'
  301. #
  302. # [*ssl_keyfile*]
  303. # (Optional) Path of the keyfile for SSL. (string value)
  304. # Defaults to '/etc/keystone/ssl/private/keystonekey.pem'
  305. #
  306. # [*ssl_ca_certs*]
  307. # (Optional) Path of the ca cert file for SSL. (string value)
  308. # Defaults to '/etc/keystone/ssl/certs/ca.pem'
  309. #
  310. # [*ssl_ca_key*]
  311. # (Optional) Path of the CA key file for SSL (string value)
  312. # Defaults to '/etc/keystone/ssl/private/cakey.pem'
  313. #
  314. # [*ssl_cert_subject*]
  315. # (Optional) SSL Certificate Subject (auto generated certificate)
  316. # (string value)
  317. # Defaults to '/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost'
  318. #
  319. # [*validate_service*]
  320. # (Optional) Whether to validate keystone connections after
  321. # the service is started.
  322. # Defaults to false
  323. #
  324. # [*validate_insecure*]
  325. # (Optional) Whether to validate keystone connections
  326. # using the --insecure option with the keystone client (this skips
  327. # TLS server certificate verification during the validation step).
  328. #
  329. # [*validate_cacert*]
  330. # (Optional) Whether to validate keystone connections
  331. # using the specified argument with the --os-cacert option
  332. # with keystone client.
  333. # Defaults to undef
  334. #
  335. # [*validate_auth_url*]
  336. # (Optional) The url to validate keystone against
  337. # Defaults to undef
  338. #
  339. # [*service_name*]
  340. # (Optional) Name of the service that will be providing the
  341. # server functionality of keystone. For example, the default
  342. # is just 'keystone', which means keystone will be run as a
  343. # standalone eventlet service, and will be able to be managed
  344. # separately by the operating system's service manager. For
  345. # example, you will be able to use
  346. # service openstack-keystone restart
  347. # to restart the service.
  348. # If the value is 'httpd', this means keystone will be a web
  349. # service, and you must use another class to configure that
  350. # web service. For example, after calling class {'keystone'...}
  351. # use class { 'keystone::wsgi::apache'...} to make keystone be
  352. # a web app using apache mod_wsgi.
  353. # If the value is 'keystone-public-keystone-admin', then the
  354. # module will use 2 services, one called keystone-public, and
  355. # one called keystone-admin (as per the new Debian package
  356. # which uses UWSGI instead of Apache).
  357. # Defaults to '$::keystone::params::service_name'
  358. # NOTE: validate_service only applies if the default value is used.
  359. #
  360. # [*max_token_size*]
  361. # (Optional) maximum allowable Keystone token size
  362. # Defaults to $::os_service_default
  363. #
  364. # [*admin_workers*]
  365. # (Optional) The number of worker processes to serve the admin eventlet application.
  366. # This option is deprecated along with eventlet and will be removed in M.
  367. # This setting has no effect when using WSGI.
  368. # Defaults to $::os_workers
  369. #
  370. # [*public_workers*]
  371. # (Optional) The number of worker processes to serve the public eventlet application.
  372. # This option is deprecated along with eventlet and will be removed in M.
  373. # This setting has no effect when using WSGI.
  374. # Defaults to $::os_workers
  375. #
  376. # [*sync_db*]
  377. # (Optional) Run db sync on the node.
  378. # Defaults to true
  379. #
  380. # [*enable_fernet_setup*]
  381. # (Optional) Setup keystone for fernet tokens. This is typically only
  382. # run on a single node, then the keys are replicated to the other nodes
  383. # in a cluster. You would typically also pair this with a fernet token
  384. # provider setting.
  385. # Defaults to true
  386. #
  387. # [*fernet_key_repository*]
  388. # (Optional) Location for the fernet key repository. This value must
  389. # be set if enable_fernet_setup is set to true.
  390. # Defaults to '/etc/keystone/fernet-keys'
  391. #
  392. # [*fernet_max_active_keys*]
  393. # (Optional) Number of maximum active Fernet keys. Integer > 0.
  394. # Defaults to $::os_service_default
  395. #
  396. # [*fernet_keys*]
  397. # (Optional) Hash of Keystone fernet keys
  398. # If you enable this parameter, make sure enable_fernet_setup is set to True.
  399. # Example of valid value:
  400. # fernet_keys:
  401. # /etc/keystone/fernet-keys/0:
  402. # content: c_aJfy6At9y-toNS9SF1NQMTSkSzQ-OBYeYulTqKsWU=
  403. # /etc/keystone/fernet-keys/1:
  404. # content: zx0hNG7CStxFz5KXZRsf7sE4lju0dLYvXdGDIKGcd7k=
  405. # Puppet will create a file per key in $fernet_key_repository.
  406. # Note: defaults to false so keystone-manage fernet_setup will be executed.
  407. # Otherwise Puppet will manage keys with File resource.
  408. # Defaults to false
  409. #
  410. # [*fernet_replace_keys*]
  411. # (Optional) Whether or not to replace the fernet keys if they are already in
  412. # the filesystem
  413. # Defaults to true
  414. #
  415. # [*enable_credential_setup*]
  416. # (Optional) Setup keystone for credentials.
  417. # In a cluster environment where multiple Keystone nodes are running, you might
  418. # need the same keys everywhere; in that case set the credential_keys parameter
  419. # so that Puppet manages the Keystone keys in a consistent way. Otherwise
  420. # keystone-manage will generate a different set of keys on each keystone node
  421. # and the service won't work.
  422. # This feature was added at the end of Newton. The default value is currently
  423. # False but will switch to True once UCA has the latest Keystone version.
  424. # Defaults to False
  425. #
  426. # [*credential_key_repository*]
  427. # (Optional) Location for the Credential key repository. This value must
  428. # be set if enable_credential_setup is set to true.
  429. # Defaults to '/etc/keystone/credential-keys'
  430. #
  431. # [*credential_keys*]
  432. # (Optional) Hash of Keystone credential keys
  433. # If you enable this parameter, make sure enable_credential_setup is set to True.
  434. # Example of valid value:
  435. # credential_keys:
  436. # /etc/keystone/credential-keys/0:
  437. # content: t-WdduhORSqoyAykuqWAQSYjg2rSRuJYySgI2xh48CI=
  438. # /etc/keystone/credential-keys/1:
  439. # content: GLlnyygEVJP4-H2OMwClXn3sdSQUZsM5F194139Unv8=
  440. # Puppet will create a file per key in $credential_key_repository.
  441. # Note: defaults to false so keystone-manage credential_setup will be executed.
  442. # Otherwise Puppet will manage keys with File resource.
  443. # Defaults to false
  444. #
  445. # [*enable_bootstrap*]
  446. # (Optional) Enable keystone bootstrapping.
  447. # Setting this option to true will automatically bootstrap the default domain
  448. # user by running 'keystone-manage bootstrap'.
  449. # Defaults to true
  450. #
  451. # [*default_domain*]
  452. # (Optional) When Keystone v3 support is enabled, v2 clients will need
  453. # to have a domain assigned for certain operations. For example,
  454. # doing a user create operation must have a domain associated with it.
  455. # This is the domain which will be used if a domain is needed and not
  456. # explicitly set in the request. Using this means that you will have
  457. # to add it to every user/tenant/user_role you create, as without a domain
  458. # qualification those resources go into the "Default" domain. See README.
  459. # Defaults to undef (will use built-in Keystone default)
  460. #
  461. # [*member_role_id*]
  462. # (Optional) Similar to the member_role_name option, this represents the
  463. # default role ID used to associate users with their default projects in the
  464. # v2 API. This will be used as the explicit role where one is not specified
  465. # by the v2 API.
  466. # Defaults to $::os_service_default
  467. #
  468. # [*member_role_name*]
  469. # (Optional) This is the role name used in combination with the
  470. # member_role_id option; see that option for more detail.
  471. # Defaults to $::os_service_default
  472. #
  473. # [*memcache_dead_retry*]
  474. # (Optional) Number of seconds memcached server is considered dead before it
  475. # is tried again. This is used for the cache memcache_dead_retry and the
  476. # memcache dead_retry values.
  477. # Defaults to $::os_service_default
  478. #
  479. # [*memcache_socket_timeout*]
  480. # (Optional) Timeout in seconds for every call to a server.
  481. # (floating point value)
  482. # Defaults to $::os_service_default
  483. #
  484. # [*memcache_pool_maxsize*]
  485. # (Optional) Max total number of open connections to every memcached server.
  486. # Defaults to $::os_service_default
  487. #
  488. # [*memcache_pool_unused_timeout*]
  489. # (Optional) Number of seconds a connection to memcached is held unused in
  490. # the pool before it is closed.
  491. # Defaults to $::os_service_default
  492. #
  493. # [*memcache_pool_connection_get_timeout*]
  494. # (Optional) Number of seconds that an operation will wait to get a memcache
  495. # client connection. (integer value)
  496. # Defaults to $::os_service_default
  497. #
  498. # [*manage_backend_package*]
  499. # (Optional) Whether to install the backend package for the cache.
  500. # Defaults to true
  501. #
  502. # [*policy_driver*]
  503. # Policy backend driver. (string value)
  504. # Defaults to $::os_service_default.
  505. #
  506. # [*using_domain_config*]
  507. # (Optional) Eases the use of the keystone_domain_config resource type.
  508. # It ensures that a directory for holding the domain configuration is present
  509. # and the associated configuration in keystone.conf is set up right.
  510. # Defaults to false
  511. #
  512. # [*domain_config_directory*]
  513. # (Optional) Specify a domain configuration directory.
  514. # For this to work, using_domain_config must be set to true; an error is
  515. # raised if it is not.
  516. # Defaults to '/etc/keystone/domains'
  517. #
  518. # [*keystone_user*]
  519. # (Optional) Specify the keystone system user to be used with keystone-manage.
  520. # Defaults to $::keystone::params::keystone_user
  521. #
  522. # [*keystone_group*]
  523. # (Optional) Specify the keystone system group to be used with keystone-manage.
  524. # Defaults to $::keystone::params::keystone_group
  525. #
  526. # [*manage_policyrcd*]
  527. # (Optional) Whether to manage the policy-rc.d on debian based systems to
  528. # prevent keystone eventlet and apache from auto-starting on package install.
  529. # Defaults to false
  530. #
  531. # [*enable_proxy_headers_parsing*]
  532. # (Optional) Enable oslo middleware to parse proxy headers.
  533. # Defaults to $::os_service_default.
  534. #
  535. # [*max_request_body_size*]
  536. # (Optional) Maximum request body size.
  537. # Defaults to $::os_service_default.
  538. #
  539. # [*purge_config*]
  540. # (Optional) Whether to set only the specified config options
  541. # in the keystone config.
  542. # Defaults to false.
  543. #
  544. # [*amqp_durable_queues*]
  545. # (Optional) Whether to use durable queues in AMQP.
  546. # Defaults to $::os_service_default.
  547. #
  548. # === DEPRECATED PARAMETERS
  549. #
  550. # [*cache_dir*]
  551. # (Optional) Directory created when token_provider is pki. This folder is not
  552. # created unless enable_pki_setup is set to True.
  553. # Defaults to undef
  554. #
  555. # [*token_driver*]
  556. # (Optional) Driver to use for managing tokens.
  557. # Defaults to undef
  558. #
  559. # == Dependencies
  560. # None
  561. #
  562. # == Examples
  563. #
  564. # class { 'keystone':
  565. # admin_token => 'my_special_token',
  566. # }
  567. #
  568. # OR
  569. #
  570. # class { 'keystone':
  571. # ...
  572. # service_name => 'httpd',
  573. # ...
  574. # }
  575. # class { 'keystone::wsgi::apache':
  576. # ...
  577. # }
  578. #
  579. # == Authors
  580. #
  581. # Dan Bode dan@puppetlabs.com
  582. #
  583. # == Copyright
  584. #
  585. # Copyright 2012 Puppetlabs Inc, unless otherwise noted.
  586. #
  587. class keystone(
  588. $admin_token,
  589. $admin_password = undef,
  590. $package_ensure = 'present',
  591. $client_package_ensure = 'present',
  592. $public_bind_host = '0.0.0.0',
  593. $admin_bind_host = '0.0.0.0',
  594. $public_port = '5000',
  595. $admin_port = '35357',
  596. $log_dir = undef,
  597. $log_file = undef,
  598. $catalog_type = 'sql',
  599. $catalog_driver = false,
  600. $catalog_template_file = '/etc/keystone/default_catalog.templates',
  601. $token_provider = 'fernet',
  602. $token_expiration = 3600,
  603. $password_hash_algorithm = $::os_service_default,
  604. $password_hash_rounds = $::os_service_default,
  605. $revoke_driver = $::os_service_default,
  606. $revoke_by_id = true,
  607. $public_endpoint = $::os_service_default,
  608. $admin_endpoint = $::os_service_default,
  609. $enable_ssl = false,
  610. $ssl_certfile = '/etc/keystone/ssl/certs/keystone.pem',
  611. $ssl_keyfile = '/etc/keystone/ssl/private/keystonekey.pem',
  612. $ssl_ca_certs = '/etc/keystone/ssl/certs/ca.pem',
  613. $ssl_ca_key = '/etc/keystone/ssl/private/cakey.pem',
  614. $ssl_cert_subject = '/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost',
  615. $manage_service = true,
  616. $cache_backend = $::os_service_default,
  617. $cache_backend_argument = $::os_service_default,
  618. $cache_enabled = $::os_service_default,
  619. $cache_memcache_servers = $::os_service_default,
  620. $debug_cache_backend = $::os_service_default,
  621. $cache_config_prefix = $::os_service_default,
  622. $cache_expiration_time = $::os_service_default,
  623. $cache_proxies = $::os_service_default,
  624. $token_caching = $::os_service_default,
  625. $enabled = true,
  626. $database_connection = undef,
  627. $database_idle_timeout = undef,
  628. $database_max_retries = undef,
  629. $database_retry_interval = undef,
  630. $database_min_pool_size = undef,
  631. $database_max_pool_size = undef,
  632. $database_max_overflow = undef,
  633. $rabbit_heartbeat_timeout_threshold = $::os_service_default,
  634. $rabbit_heartbeat_rate = $::os_service_default,
  635. $rabbit_use_ssl = $::os_service_default,
  636. $default_transport_url = $::os_service_default,
  637. $rabbit_ha_queues = $::os_service_default,
  638. $kombu_ssl_ca_certs = $::os_service_default,
  639. $kombu_ssl_certfile = $::os_service_default,
  640. $kombu_ssl_keyfile = $::os_service_default,
  641. $kombu_ssl_version = $::os_service_default,
  642. $kombu_reconnect_delay = $::os_service_default,
  643. $kombu_failover_strategy = $::os_service_default,
  644. $kombu_compression = $::os_service_default,
  645. $notification_transport_url = $::os_service_default,
  646. $notification_driver = $::os_service_default,
  647. $notification_topics = $::os_service_default,
  648. $notification_format = $::os_service_default,
  649. $control_exchange = $::os_service_default,
  650. $rpc_response_timeout = $::os_service_default,
  651. $validate_service = false,
  652. $validate_insecure = false,
  653. $validate_auth_url = false,
  654. $validate_cacert = undef,
  655. $service_name = $::keystone::params::service_name,
  656. $max_token_size = $::os_service_default,
  657. $sync_db = true,
  658. $enable_fernet_setup = true,
  659. $fernet_key_repository = '/etc/keystone/fernet-keys',
  660. $fernet_max_active_keys = $::os_service_default,
  661. $fernet_keys = false,
  662. $fernet_replace_keys = true,
  663. $enable_credential_setup = false,
  664. $credential_key_repository = '/etc/keystone/credential-keys',
  665. $credential_keys = false,
  666. $default_domain = undef,
  667. $member_role_id = $::os_service_default,
  668. $member_role_name = $::os_service_default,
  669. $enable_bootstrap = true,
  670. $memcache_dead_retry = $::os_service_default,
  671. $memcache_socket_timeout = $::os_service_default,
  672. $memcache_pool_maxsize = $::os_service_default,
  673. $memcache_pool_unused_timeout = $::os_service_default,
  674. $memcache_pool_connection_get_timeout = $::os_service_default,
  675. $manage_backend_package = true,
  676. $policy_driver = $::os_service_default,
  677. $using_domain_config = false,
  678. $domain_config_directory = '/etc/keystone/domains',
  679. $keystone_user = $::keystone::params::keystone_user,
  680. $keystone_group = $::keystone::params::keystone_group,
  681. $manage_policyrcd = false,
  682. $enable_proxy_headers_parsing = $::os_service_default,
  683. $max_request_body_size = $::os_service_default,
  684. $purge_config = false,
  685. $amqp_durable_queues = $::os_service_default,
  686. # DEPRECATED PARAMETERS
  687. $admin_workers = $::os_workers,
  688. $public_workers = $::os_workers,
  689. $cache_dir = undef,
  690. $token_driver = undef,
  691. ) inherits keystone::params {
  692. include ::keystone::deps
  693. include ::keystone::logging
  694. include ::keystone::policy
  # Deprecated parameters: still accepted for compatibility, otherwise ignored.
  if $cache_dir {
    warning('keystone::cache_dir is deprecated, has no effect and will be removed in a later release')
  }
  if $token_driver {
    warning('keystone::token_driver is deprecated, has no effect and will be removed in a later release')
  }
  # Without an explicit catalog_driver, catalog_type must be one of the two
  # shorthands mapped onto a driver name further down ('template' or 'sql').
  if ! $catalog_driver {
    validate_legacy(Enum['template', 'sql'], 'validate_re', $catalog_type)
  }
  # Endpoint URLs are expected unversioned. A trailing /v2.0/ is only warned
  # about, never rewritten, so the value is written out as given.
  if ($admin_endpoint and 'v2.0' in $admin_endpoint) {
    warning('Version string /v2.0/ should not be included in keystone::admin_endpoint')
  }
  if ($public_endpoint and 'v2.0' in $public_endpoint) {
    warning('Version string /v2.0/ should not be included in keystone::public_endpoint')
  }
  # Bootstrap password selection. Falling back to admin_token means the shared
  # secret written into keystone.conf doubles as the admin user's password, so
  # a leaked config file also yields a working login; hence the warning.
  # NOTE(review): only an undef admin_password takes the fallback. An empty
  # string would presumably be passed straight through as the bootstrap
  # password - confirm the caller cannot supply one.
  if $admin_password == undef {
    warning("admin_password is required, please set admin_password to a value != admin_token. \
admin_token will be removed in a later release")
    $admin_password_real = $admin_token
  } else {
    $admin_password_real = $admin_password
  }
  if $manage_policyrcd {
    # openstacklib's policy_rcd type only does anything on Debian-family
    # systems; elsewhere these declarations are effectively no-ops.
    # Exit code 101 is policy-rc.d's "action forbidden by policy", which
    # presumably keeps dpkg from auto-starting the daemons at install time,
    # before Puppet has written keystone.conf.
    # Ubuntu >= 16 (Newton onwards) ships no standalone keystone service any
    # more, so only apache2 needs the policy there.
    $policy_services = ($::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemmajrelease, '16') >= 0) ? {
      true    => 'apache2',
      default => ['keystone', 'apache2'],
    }
    ensure_resource('policy_rcd', $policy_services, { ensure => present, 'set_code' => '101' })
    # The policy file has to exist before the packages are installed for it to
    # influence their maintainer scripts at all.
    Policy_rcd <| title == 'keystone' |> -> Package['keystone']
    Policy_rcd['apache2'] -> Package['httpd']
  }
  include ::keystone::db
  include ::keystone::params
  # The server package; tagged so other classes can order against it.
  package { 'keystone':
    ensure => $package_ensure,
    name   => $::keystone::params::package_name,
    tag    => ['openstack', 'keystone-package'],
  }
  # 'present' uses a plain include so another declaration of keystone::client
  # elsewhere does not conflict; any other ensure value needs the explicit
  # class declaration to carry it.
  if $client_package_ensure == 'present' {
    include '::keystone::client'
  } else {
    class { '::keystone::client':
      ensure => $client_package_ensure,
    }
  }
  # When purge_config is true, every keystone_config entry not declared in the
  # catalog is removed from keystone.conf. That is a useful guard against
  # stray hand-edits (e.g. a leftover debug or insecure setting) but it also
  # wipes any deliberate local change that Puppet does not know about.
  resources { 'keystone_config':
    purge => $purge_config,
  }
  # Core [DEFAULT], [token], [identity], [revoke] and [policy] options,
  # declared as a single keystone_config run (one resource per option).
  keystone_config {
    # admin_token is a shared secret handed to Keystone in keystone.conf (and
    # reused below for service validation); secret => true keeps its value out
    # of Puppet logs and reports.
    'DEFAULT/admin_token':              value => $admin_token, secret => true;
    'DEFAULT/public_bind_host':         value => $public_bind_host;
    'DEFAULT/admin_bind_host':          value => $admin_bind_host;
    'DEFAULT/public_port':              value => $public_port;
    'DEFAULT/admin_port':               value => $admin_port;
    'DEFAULT/member_role_id':           value => $member_role_id;
    'DEFAULT/member_role_name':         value => $member_role_name;
    # Endpoint configuration: the URLs advertised to clients, written as given
    # (a /v2.0/ suffix is only warned about earlier in this class).
    'DEFAULT/public_endpoint':          value => $public_endpoint;
    'DEFAULT/admin_endpoint':           value => $admin_endpoint;
    # Lifetime of issued tokens; bounds how long a leaked token stays usable.
    'token/expiration':                 value => $token_expiration;
    # Hashing parameters applied to stored user passwords.
    'identity/password_hash_algorithm': value => $password_hash_algorithm;
    'identity/password_hash_rounds':    value => $password_hash_rounds;
    'revoke/driver':                    value => $revoke_driver;
    'policy/driver':                    value => $policy_driver;
  }
  # ssl config
  # Native TLS of the standalone keystone server. When disabled, only
  # ssl/enable is forced to false; previously written certfile/keyfile/ca
  # paths are left in keystone.conf rather than removed.
  # NOTE(review): this is the built-in (eventlet) server's SSL, which the
  # deprecation warning below says is on its way out; under service_name
  # 'httpd' TLS would presumably be terminated by apache instead - confirm.
  if ($enable_ssl) {
    keystone_config {
      'ssl/enable':       value => true;
      'ssl/certfile':     value => $ssl_certfile;
      'ssl/keyfile':      value => $ssl_keyfile;
      'ssl/ca_certs':     value => $ssl_ca_certs;
      'ssl/ca_key':       value => $ssl_ca_key;
      'ssl/cert_subject': value => $ssl_cert_subject;
    }
  } else {
    keystone_config {
      'ssl/enable': value => false;
    }
  }
  # When memcache servers are configured, make sure a locally managed
  # memcached (if any is in the catalog) is up before keystone starts.
  if !is_service_default($cache_memcache_servers) {
    Service<| title == 'memcached' |> -> Anchor['keystone::service::begin']
  }
  # [memcache] pool/timeout tuning; the same values are also handed to
  # oslo::cache below.
  # NOTE(review): memcached carries no authentication of its own, so whatever
  # keystone caches there (token caching is toggled here) is readable by any
  # host that can reach those servers - keep them on a trusted network.
  keystone_config {
    'memcache/dead_retry':          value => $memcache_dead_retry;
    'memcache/pool_maxsize':        value => $memcache_pool_maxsize;
    'memcache/pool_unused_timeout': value => $memcache_pool_unused_timeout;
    'memcache/socket_timeout':      value => $memcache_socket_timeout;
    'token/caching':                value => $token_caching;
  }
  # Accept either a comma-separated string or a list of servers.
  if is_string($cache_memcache_servers) {
    $cache_memcache_servers_real = split($cache_memcache_servers, ',')
  } else {
    $cache_memcache_servers_real = $cache_memcache_servers
  }
  oslo::cache { 'keystone_config':
    config_prefix                        => $cache_config_prefix,
    expiration_time                      => $cache_expiration_time,
    backend                              => $cache_backend,
    backend_argument                     => $cache_backend_argument,
    proxies                              => $cache_proxies,
    enabled                              => $cache_enabled,
    debug_cache_backend                  => $debug_cache_backend,
    memcache_servers                     => $cache_memcache_servers_real,
    memcache_dead_retry                  => $memcache_dead_retry,
    memcache_socket_timeout              => $memcache_socket_timeout,
    memcache_pool_maxsize                => $memcache_pool_maxsize,
    memcache_pool_unused_timeout         => $memcache_pool_unused_timeout,
    memcache_pool_connection_get_timeout => $memcache_pool_connection_get_timeout,
    manage_backend_package               => $manage_backend_package,
  }
  # NOTE(review): enable_proxy_headers_parsing presumably makes keystone trust
  # X-Forwarded-* headers; only enable it behind a proxy that overwrites any
  # client-supplied copies. max_request_body_size caps request bodies, which
  # limits what an unauthenticated client can make the server buffer - confirm
  # both against the oslo.middleware documentation.
  oslo::middleware { 'keystone_config':
    enable_proxy_headers_parsing => $enable_proxy_headers_parsing,
    max_request_body_size        => $max_request_body_size,
  }
  # configure based on the catalog backend
  # An explicit catalog_driver wins. Otherwise catalog_type - validated
  # earlier to be 'template' or 'sql' when catalog_driver is unset - is mapped
  # onto the driver name, so every reachable path assigns $catalog_driver_real.
  if $catalog_driver {
    $catalog_driver_real = $catalog_driver
  }
  elsif ($catalog_type == 'template') {
    $catalog_driver_real = 'templated'
  }
  elsif ($catalog_type == 'sql') {
    $catalog_driver_real = 'sql'
  }
  keystone_config {
    'catalog/driver':        value => $catalog_driver_real;
    'catalog/template_file': value => $catalog_template_file;
  }
  # token/provider picks the token format; the Fernet key handling further
  # down is presumably only relevant when it selects the fernet provider.
  keystone_config {
    'token/provider':              value => $token_provider;
    'DEFAULT/max_token_size':      value => $max_token_size;
    'DEFAULT/notification_format': value => $notification_format;
  }
  # Messaging (oslo.messaging) wiring. Transport URLs typically embed broker
  # credentials; they are passed through to the oslo helpers unchanged.
  oslo::messaging::default { 'keystone_config':
    transport_url        => $default_transport_url,
    control_exchange     => $control_exchange,
    rpc_response_timeout => $rpc_response_timeout,
  }
  oslo::messaging::notifications { 'keystone_config':
    transport_url => $notification_transport_url,
    driver        => $notification_driver,
    topics        => $notification_topics,
  }
  # rabbit_use_ssl and the kombu_ssl_* parameters govern TLS (and the client
  # certificate) on the broker connection. Their defaults are
  # $::os_service_default, which presumably leaves Keystone's own defaults in
  # place rather than writing a value.
  oslo::messaging::rabbit { 'keystone_config':
    kombu_ssl_version           => $kombu_ssl_version,
    kombu_ssl_keyfile           => $kombu_ssl_keyfile,
    kombu_ssl_certfile          => $kombu_ssl_certfile,
    kombu_ssl_ca_certs          => $kombu_ssl_ca_certs,
    kombu_reconnect_delay       => $kombu_reconnect_delay,
    kombu_failover_strategy     => $kombu_failover_strategy,
    kombu_compression           => $kombu_compression,
    rabbit_use_ssl              => $rabbit_use_ssl,
    rabbit_ha_queues            => $rabbit_ha_queues,
    heartbeat_timeout_threshold => $rabbit_heartbeat_timeout_threshold,
    heartbeat_rate              => $rabbit_heartbeat_rate,
    amqp_durable_queues         => $amqp_durable_queues,
  }
  # admin_workers / public_workers are listed under the deprecated parameters
  # above; they only matter for the standalone (eventlet) server.
  keystone_config {
    'eventlet_server/admin_workers':  value => $admin_workers;
    'eventlet_server/public_workers': value => $public_workers;
  }
  # Derive the service state from $enabled, but only when this class manages
  # the service at all. When manage_service is false, $service_ensure is never
  # assigned and the keystone::service declaration below receives it unset.
  if $manage_service {
    if $enabled {
      $service_ensure = 'running'
    } else {
      $service_ensure = 'stopped'
    }
  } else {
    warning('Execution of db_sync does not depend on $enabled anymore. Please use sync_db instead.')
  }
  # Resolve how keystone is run. The default branch fails hard, so
  # $service_name_real can only ever be the packaged service name or apache's;
  # that matters because it is interpolated into a shell-style restart command
  # further down.
  case $service_name {
    $::keystone::params::service_name, 'keystone-public-keystone-admin' : {
      $service_name_real = $::keystone::params::service_name
      if $validate_service {
        # Validation authenticates against validate_auth_url, defaulting to the
        # admin endpoint, using the admin token.
        if $validate_auth_url {
          $v_auth_url = $validate_auth_url
        } else {
          $v_auth_url = $admin_endpoint
        }
        # NOTE(review): insecure => $validate_insecure presumably skips TLS
        # certificate verification for that check, which would let the admin
        # token be sent to an impersonated endpoint; prefer validate_cacert
        # over validate_insecure on HTTPS endpoints.
        class { '::keystone::service':
          ensure         => $service_ensure,
          service_name   => $service_name,
          enable         => $enabled,
          hasstatus      => true,
          hasrestart     => true,
          validate       => true,
          admin_endpoint => $v_auth_url,
          admin_token    => $admin_token,
          insecure       => $validate_insecure,
          cacert         => $validate_cacert,
        }
      } else {
        class { '::keystone::service':
          ensure       => $service_ensure,
          service_name => $service_name,
          enable       => $enabled,
          hasstatus    => true,
          hasrestart   => true,
          validate     => false,
        }
      }
      if $service_name == $::keystone::params::service_name {
        warning("Keystone under Eventlet has been deprecated during the Kilo cycle. \
Support for deploying under eventlet will be dropped as of the M-release of OpenStack.")
      }
    }
    'httpd': {
      # No keystone::service declaration on this path; the httpd service is
      # presumably managed by the apache/wsgi classes - confirm.
      include ::apache::params
      $service_name_real = $::apache::params::service_name
    }
    default: {
      fail("Invalid service_name. Either keystone/openstack-keystone for \
running as a standalone service, or httpd for being run by a httpd server")
    }
  }
  # Schema sync is gated on sync_db only (see the warning above).
  if $sync_db {
    include ::keystone::db::sync
  }
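  # Fernet tokens support
  #
  # The key repository is what fernet_tokens/key_repository (set below) points
  # at. Whoever can read those files can produce tokens Keystone will accept,
  # so the directory and every key file are owned by the keystone user and
  # kept unreadable to everyone else.
  if $enable_fernet_setup {
    validate_legacy(String, 'validate_string', $fernet_key_repository)
    # Per the file type docs Puppet sets the search bit on directories wherever
    # the read bit is set, so '0600' yields an owner-only, traversable 0700.
    ensure_resource('file', $fernet_key_repository, {
      ensure    => 'directory',
      owner     => $keystone_user,
      group     => $keystone_group,
      mode      => '0600',
      subscribe => Anchor['keystone::install::end'],
    })
    if $fernet_keys {
      # Operator-supplied key files (hash of file title => attributes).
      # 'show_diff' => false keeps the key material out of Puppet reports and
      # agent logs when a managed key changes (replace => fernet_replace_keys);
      # an entry in the hash can still override any of these defaults.
      validate_legacy(Hash, 'validate_hash', $fernet_keys)
      create_resources('file', $fernet_keys, {
        'owner'     => $keystone_user,
        'group'     => $keystone_group,
        'mode'      => '0600',
        'replace'   => $fernet_replace_keys,
        'show_diff' => false,
        'subscribe' => 'Anchor[keystone::install::end]',
      }
      )
    } else {
      # Generate an initial key set on the node. refreshonly + creates mean it
      # only fires on a refresh from install/config and never while key 0
      # already exists, so an existing repository is not overwritten.
      # keystone_user/keystone_group are class parameters set by the operator,
      # not runtime input.
      exec { 'keystone-manage fernet_setup':
        command     => "keystone-manage fernet_setup --keystone-user ${keystone_user} --keystone-group ${keystone_group}",
        path        => '/usr/bin',
        user        => $keystone_user,
        refreshonly => true,
        creates     => "${fernet_key_repository}/0",
        notify      => Anchor['keystone::service::begin'],
        subscribe   => [Anchor['keystone::install::end'], Anchor['keystone::config::end']],
        require     => File[$fernet_key_repository],
        tag         => 'keystone-exec',
      }
    }
  }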
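  # Credential support
  #
  # Key repository consumed through credential/key_repository (set below).
  # These keys presumably protect credentials Keystone stores, so they get
  # the same owner-only handling as the Fernet token keys.
  if $enable_credential_setup {
    validate_legacy(String, 'validate_string', $credential_key_repository)
    # Per the file type docs Puppet sets the search bit on directories wherever
    # the read bit is set, so '0600' yields an owner-only, traversable 0700.
    ensure_resource('file', $credential_key_repository, {
      ensure    => 'directory',
      owner     => $keystone_user,
      group     => $keystone_group,
      mode      => '0600',
      subscribe => Anchor['keystone::install::end'],
    })
    if $credential_keys {
      # Operator-supplied key files (hash of file title => attributes).
      # 'show_diff' => false keeps the key material out of Puppet reports and
      # agent logs when a managed key file changes; an entry in the hash can
      # still override any of these defaults.
      validate_legacy(Hash, 'validate_hash', $credential_keys)
      create_resources('file', $credential_keys, {
        'owner'     => $keystone_user,
        'group'     => $keystone_group,
        'mode'      => '0600',
        'show_diff' => false,
        'subscribe' => 'Anchor[keystone::install::end]',
      }
      )
    } else {
      # Generate an initial key set on the node. refreshonly + creates mean it
      # only fires on a refresh from install/config and never while key 0
      # already exists, so an existing repository is not overwritten.
      exec { 'keystone-manage credential_setup':
        command     => "keystone-manage credential_setup --keystone-user ${keystone_user} --keystone-group ${keystone_group}",
        path        => '/usr/bin',
        user        => $keystone_user,
        refreshonly => true,
        creates     => "${credential_key_repository}/0",
        notify      => Anchor['keystone::service::begin'],
        subscribe   => [Anchor['keystone::install::end'], Anchor['keystone::config::end']],
        require     => File[$credential_key_repository],
        tag         => 'keystone-exec',
      }
    }
  }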
  # Point Keystone at the Fernet key repository. An unset repository removes
  # the option instead of writing an empty value.
  if $fernet_key_repository {
    keystone_config {
      'fernet_tokens/key_repository': value => $fernet_key_repository;
    }
  } else {
    keystone_config {
      'fernet_tokens/key_repository': ensure => absent;
    }
  }
  # credential/key_repository is written regardless of enable_credential_setup.
  # max_active_keys presumably bounds how many Fernet keys are kept across
  # rotations; key rotation itself is not performed by this class.
  keystone_config {
    'token/revoke_by_id':            value => $revoke_by_id;
    'fernet_tokens/max_active_keys': value => $fernet_max_active_keys;
    'credential/key_repository':     value => $credential_key_repository;
  }
  # Update this code when https://bugs.launchpad.net/keystone/+bug/1472285 is addressed.
  # 1/ Keystone needs to be started before creating the default domain
  # 2/ Once the default domain is created, we can query Keystone to get the default domain ID
  # 3/ The Keystone_domain provider has in charge of doing the query and configure keystone.conf
  # 4/ After such a change, we need to restart Keystone service.
  # restart_keystone exec is doing 4/, it restart Keystone if we have a new default domain setted
  # and if we manage the service to be enabled.
  # $service_name_real is restricted by the case statement above to the packaged
  # keystone service name or apache's, so no free-form string reaches this
  # command line.
  if $manage_service and $enabled {
    exec { 'restart_keystone':
      path        => ['/usr/sbin', '/usr/bin', '/sbin', '/bin/'],
      command     => "service ${service_name_real} restart",
      refreshonly => true,
    }
  }
  # The collector on the right only matches when restart_keystone exists
  # (manage_service and enabled); otherwise the domain is created without a
  # restart being triggered.
  if $default_domain {
    keystone_domain { $default_domain:
      ensure     => present,
      enabled    => true,
      is_default => true,
      require    => Service[$service_name],
    } ~> Exec<| title == 'restart_keystone' |>
    anchor { 'default_domain_created':
      require => Keystone_domain[$default_domain],
    }
  }
  # A non-default domain config directory is only honoured when domain
  # configuration is switched on; fail early rather than silently ignore it.
  if $domain_config_directory != '/etc/keystone/domains' and !$using_domain_config {
    fail('You must activate domain configuration using "using_domain_config" parameter to keystone class.')
  }
  if $enable_bootstrap {
    # this requires the database to be up and running and configured
    # and is only run once, so we don't need to notify the service
    #
    # The password is handed over through the environment rather than on the
    # command line, so it does not show up in process listings; it remains
    # readable to anything that can inspect this process's environment (the
    # same user or root).
    # NOTE(review): exec's environment is not marked secret the way
    # keystone_config's admin_token is - check that verbose/debug agent
    # logging does not echo it.
    # refreshonly: fires only when Anchor['keystone::dbsync::end'] refreshes
    # (after a db sync), not on every agent run.
    exec { 'keystone-manage bootstrap':
      command     => 'keystone-manage bootstrap',
      environment => "OS_BOOTSTRAP_PASSWORD=${admin_password_real}",
      user        => $keystone_user,
      path        => '/usr/bin',
      refreshonly => true,
      notify      => Anchor['keystone::service::begin'],
      subscribe   => Anchor['keystone::dbsync::end'],
      tag         => 'keystone-exec',
    }
  }
  if $using_domain_config {
    validate_legacy(Stdlib::Absolutepath, 'validate_absolute_path', $domain_config_directory)
    # Better than ensure resource. We don't want to conflict with any
    # user definition even if they don't match exactly our parameters.
    # The error catching mechanism in the provider will remind them if
    # they did something silly, like defining a file rather than a
    # directory. For the permission it's their choice.
    #
    # NOTE: defined() is parse-order dependent - it only sees File resources
    # declared before this point in compilation.
    # Domain-specific backend configs may carry credentials (e.g. an LDAP bind
    # password), which is why the default is owner/group only (0750) - confirm
    # for the backends in use.
    if (!defined(File[$domain_config_directory])) {
      file { $domain_config_directory:
        ensure  => directory,
        owner   => $keystone_user,
        group   => $keystone_group,
        mode    => '0750',
        notify  => Service[$service_name],
        require => Anchor['keystone::install::end'],
      }
    }
    # Here we want the creation to fail if the user has created those
    # resources with different values. That means that the user
    # wrongly uses using_domain_config parameter.
    ensure_resource(
      'keystone_config',
      'identity/domain_specific_drivers_enabled',
      {'value' => true}
    )
    ensure_resource(
      'keystone_config',
      'identity/domain_config_dir',
      {'value' => $domain_config_directory}
    )
  }
  1081. }