

  1. # == Definition: keystone::resource::authtoken
  2. #
  3. # This resource configures Keystone authentication resources for an OpenStack
  4. # service. It will manage the [keystone_authtoken] section in the given
  5. # config resource. It supports all of the authentication parameters specified
  6. # at http://www.jamielennox.net/blog/2015/02/17/loading-authentication-plugins/
  7. # with the addition of the default domain for user and project.
  8. #
  9. # For example, instead of doing this::
  10. #
  11. # glance_api_config {
  12. # 'keystone_authtoken/admin_tenant_name': value => $keystone_tenant;
  13. # 'keystone_authtoken/admin_user' : value => $keystone_user;
  14. # 'keystone_authtoken/admin_password' : value => $keystone_password;
  15. # secret => true;
  16. # ...
  17. # }
  18. #
  19. # manifests should do this instead::
  20. #
  21. # keystone::resource::authtoken { 'glance_api_config':
  22. # username => $keystone_user,
  23. # password => $keystone_password,
  24. # auth_url => $real_identity_uri,
  25. # project_name => $keystone_tenant,
  26. # user_domain_name => $keystone_user_domain,
  27. # project_domain_name => $keystone_project_domain,
  28. # cacert => $ca_file,
  29. # ...
  30. # }
  31. #
  32. # The use of `keystone::resource::authtoken` makes it easy to avoid mistakes,
  33. # and makes it easier to support some of the newer authentication types coming
  34. # with Keystone Kilo and later, such as Kerberos, Federation, etc.
  35. #
  36. # == Parameters:
  37. #
  38. # [*name*]
  39. # (Required) The name of the resource corresponding to the config file.
  40. # For example, keystone::resource::authtoken { 'glance_api_config': ... }
  41. # Where 'glance_api_config' is the name of the resource used to manage
  42. # the glance api configuration.
  43. #
  44. # [*username*]
  45. # (Required) The name of the service user
  46. #
  47. # [*password*]
  48. # (Required) Password to create for the service user
  49. #
  50. # [*auth_url*]
  51. # (Required) The URL to use for authentication.
  52. #
  53. # [*project_name*]
  54. # (Required) Service project name
  55. #
  56. # [*user_domain_name*]
  57. # (Optional) Name of domain for $username
  58. # Defaults to $::os_service_default
  59. #
  60. # [*project_domain_name*]
  61. # (Optional) Name of domain for $project_name
  62. # Defaults to $::os_service_default
  63. #
  64. # [*insecure*]
  65. # (Optional) If true, explicitly allow TLS without checking server cert
  66. # against any certificate authorities. WARNING: not recommended. Use with
  67. # caution.
  68. # Defaults to $::os_service_default
  69. #
  70. # [*auth_section*]
  71. # (Optional) Config Section from which to load plugin specific options
  72. # Defaults to $::os_service_default.
  73. #
  74. # [*auth_type*]
  75. # (Optional) Authentication type to load
  76. # Defaults to $::os_service_default
  77. #
  78. # [*www_authenticate_uri*]
  79. # (Optional) Complete public Identity API endpoint.
  80. # Defaults to $::os_service_default.
  81. #
  82. # [*auth_version*]
  83. # (Optional) API version of the admin Identity API endpoint.
  84. # Defaults to $::os_service_default.
  85. #
  86. # [*cache*]
  87. # (Optional) Env key for the swift cache.
  88. # Defaults to $::os_service_default.
  89. #
  90. # [*cafile*]
  91. # (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs
  92. # connections.
  93. # Defaults to $::os_service_default.
  94. #
  95. # [*certfile*]
  96. # (Optional) Client certificate file. Required if the identity server
  97. # requires a client certificate. Defaults to $::os_service_default.
  98. #
  99. # [*collect_timing*]
  100. # (Optional) If true, collect per-method timing information for each API call.
  101. # Defaults to $::os_service_default.
  102. #
  103. # [*delay_auth_decision*]
  104. # (Optional) Do not handle authorization requests within the middleware, but
  105. # delegate the authorization decision to downstream WSGI components. Boolean value
  106. # Defaults to $::os_service_default.
  107. #
  108. # [*enforce_token_bind*]
  109. # (Optional) Controls the use and type of token binding. Can be set to:
  110. # "disabled" to not check token binding; "permissive" (default) to
  111. # validate binding information if the bind type is of a form known to the
  112. # server and ignore it if not; "strict", like "permissive" but the token is
  113. # rejected if the bind type is unknown; "required", some form of token
  114. # binding must be present for the token to be allowed; or the name of a
  115. # binding method that must be present in tokens. String value.
  116. # Defaults to $::os_service_default.
  117. #
  118. # [*http_connect_timeout*]
  119. # (Optional) Request timeout value for communicating with Identity API server.
  120. # Defaults to $::os_service_default.
  121. #
  122. # [*http_request_max_retries*]
  123. # (Optional) How many times to retry the connection when communicating
  124. # with the Identity API server. Integer value.
  125. # Defaults to $::os_service_default.
  126. #
  127. # [*include_service_catalog*]
  128. # (Optional) Indicate whether to set the X-Service-Catalog header. If False,
  129. # middleware will not ask for service catalog on token validation and will not
  130. # set the X-Service-Catalog header. Boolean value.
  131. # Defaults to $::os_service_default.
  132. #
  133. # [*keyfile*]
  134. # (Optional) Client certificate key file. Required if the identity server
  135. # requires a client certificate. Defaults to $::os_service_default.
  136. #
  137. # [*memcache_pool_conn_get_timeout*]
  138. # (Optional) Number of seconds that an operation will wait to get a memcached
  139. # client connection from the pool. Integer value
  140. # Defaults to $::os_service_default.
  141. #
  142. # [*memcache_pool_dead_retry*]
  143. # (Optional) Number of seconds memcached server is considered dead before it
  144. # is tried again. Integer value
  145. # Defaults to $::os_service_default.
  146. #
  147. # [*memcache_pool_maxsize*]
  148. # (Optional) Maximum total number of open connections to every memcached
  149. # server. Integer value
  150. # Defaults to $::os_service_default.
  151. #
  152. # [*memcache_pool_socket_timeout*]
  153. # (Optional) Number of seconds a connection to memcached is held unused in the
  154. # pool before it is closed. Integer value
  155. # Defaults to $::os_service_default.
  156. #
  157. # [*memcache_pool_unused_timeout*]
  158. # (Optional) Number of seconds a connection to memcached is held unused in the
  159. # pool before it is closed. Integer value
  160. # Defaults to $::os_service_default.
  161. #
  162. # [*memcache_secret_key*]
  163. # (Optional, mandatory if memcache_security_strategy is defined) This string
  164. # is used for key derivation.
  165. # Defaults to $::os_service_default.
  166. #
  167. # [*memcache_security_strategy*]
  168. # (Optional) If defined, indicate whether token data should be authenticated or
  169. # authenticated and encrypted. If MAC, token data is authenticated (with HMAC)
  170. # in the cache. If ENCRYPT, token data is encrypted and authenticated in the
  171. # cache. If the value is not one of these options or empty, auth_token will
  172. # raise an exception on initialization.
  173. # Defaults to $::os_service_default.
  174. #
  175. # [*memcache_use_advanced_pool*]
  176. # (Optional) Use the advanced (eventlet safe) memcached client pool. The
  177. # advanced pool only works under Python 2.x. Boolean value.
  178. # Defaults to $::os_service_default.
  179. #
  180. # [*memcached_servers*]
  181. # (Optional) Optionally specify a list of memcached server(s) to use for
  182. # caching. If left undefined, tokens will instead be cached in-process.
  183. # Defaults to $::os_service_default.
  184. #
  185. # [*region_name*]
  186. # (Optional) The region in which the identity server can be found.
  187. # Defaults to $::os_service_default.
  188. #
  189. # [*token_cache_time*]
  190. # (Optional) In order to prevent excessive effort spent validating tokens,
  191. # the middleware caches previously-seen tokens for a configurable duration
  192. # (in seconds). Set to -1 to disable caching completely. Integer value
  193. # Defaults to $::os_service_default.
  194. #
  195. # [*manage_memcache_package*]
  196. # (Optional) Whether to install the python-memcache package.
  197. # Defaults to false.
  198. #
  199. # [*service_token_roles*]
  200. # (Optional) The roles that must be present in a service token.
  201. # Service tokens are allowed to request that an expired token
  202. # can be used, so this check should tightly control that
  203. # only actual services can send such a token. Roles
  204. # here are applied as an ANY check, so at least one role in this
  205. # list must be present. For backwards compatibility reasons this
  206. # currently only affects the allow_expired check. (list value)
  207. # Defaults to $::os_service_default.
  208. #
  209. # [*service_token_roles_required*]
  210. # (Optional) Backwards-compatibility switch to ensure that service tokens
  211. # are compared against the list of allowed roles for validity.
  212. # Boolean value.
  213. # Defaults to $::os_service_default.
  214. #
  215. # DEPRECATED PARAMETERS
  216. #
  217. # [*auth_uri*]
  218. # (Optional) Complete public Identity API endpoint.
  219. # Defaults to undef
  220. #
  221. # [*check_revocations_for_cached*]
  222. # (Optional) If true, the revocation list will be checked for cached tokens.
  223. # This requires that PKI tokens are configured on the identity server.
  224. # boolean value.
  225. # Defaults to undef
  226. #
  227. # [*hash_algorithms*]
  228. # (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
  229. # single algorithm or multiple. The algorithms are those supported by Python
  230. # standard hashlib.new(). The hashes will be tried in the order given, so put
  231. # the preferred one first for performance. The result of the first hash will
  232. # be stored in the cache. This will typically be set to multiple values only
  233. # while migrating from a less secure algorithm to a more secure one. Once all
  234. # the old tokens are expired this option should be set to a single value for
  235. # better performance. List value.
  236. # Defaults to undef
  237. #
  238. define keystone::resource::authtoken(
  239. $username,
  240. $password,
  241. $auth_url,
  242. $project_name,
  243. $user_domain_name = $::os_service_default,
  244. $project_domain_name = $::os_service_default,
  245. $insecure = $::os_service_default,
  246. $auth_section = $::os_service_default,
  247. $auth_type = $::os_service_default,
  248. $www_authenticate_uri = $::os_service_default,
  249. $auth_version = $::os_service_default,
  250. $cache = $::os_service_default,
  251. $cafile = $::os_service_default,
  252. $certfile = $::os_service_default,
  253. $collect_timing = $::os_service_default,
  254. $delay_auth_decision = $::os_service_default,
  255. $enforce_token_bind = $::os_service_default,
  256. $http_connect_timeout = $::os_service_default,
  257. $http_request_max_retries = $::os_service_default,
  258. $include_service_catalog = $::os_service_default,
  259. $keyfile = $::os_service_default,
  260. $memcache_pool_conn_get_timeout = $::os_service_default,
  261. $memcache_pool_dead_retry = $::os_service_default,
  262. $memcache_pool_maxsize = $::os_service_default,
  263. $memcache_pool_socket_timeout = $::os_service_default,
  264. $memcache_pool_unused_timeout = $::os_service_default,
  265. $memcache_secret_key = $::os_service_default,
  266. $memcache_security_strategy = $::os_service_default,
  267. $memcache_use_advanced_pool = $::os_service_default,
  268. $memcached_servers = $::os_service_default,
  269. $region_name = $::os_service_default,
  270. $token_cache_time = $::os_service_default,
  271. $manage_memcache_package = false,
  272. $service_token_roles = $::os_service_default,
  273. $service_token_roles_required = $::os_service_default,
  274. # DEPRECATED PARAMETERS
  275. $auth_uri = undef,
  276. $check_revocations_for_cached = undef,
  277. $hash_algorithms = undef,
  278. ) {
  279. include ::keystone::params
  280. include ::keystone::deps
  281. if $auth_uri {
  282. warning('The auth_uri parameter is deprecated. Please use www_authenticate_uri instead.')
  283. }
  284. $www_authenticate_uri_real = pick($auth_uri, $www_authenticate_uri)
  285. if $check_revocations_for_cached {
  286. warning('keystone::resource::authtoken::check_revocations_for_cached is deprecated and will be removed')
  287. }
  288. if $hash_algorithms {
  289. warning('keystone::resource::authtoken::hash_algorithms is deprecated and will be removed')
  290. }
  291. if !is_service_default($include_service_catalog) {
  292. validate_legacy(Boolean, 'validate_bool', $include_service_catalog)
  293. }
  294. if !is_service_default($memcache_use_advanced_pool) {
  295. validate_legacy(Boolean, 'validate_bool', $memcache_use_advanced_pool)
  296. }
  297. if! ($memcache_security_strategy in [$::os_service_default,'MAC','ENCRYPT']) {
  298. fail('memcache_security_strategy can be set only to MAC or ENCRYPT')
  299. }
  300. if !is_service_default($memcache_security_strategy) and is_service_default($memcache_secret_key) {
  301. fail('memcache_secret_key is required when memcache_security_strategy is defined')
  302. }
  303. if !is_service_default($delay_auth_decision) {
  304. validate_legacy(Boolean, 'validate_bool', $delay_auth_decision)
  305. }
  306. if !is_service_default($memcached_servers) and !empty($memcached_servers){
  307. $memcached_servers_real = join(any2array($memcached_servers), ',')
  308. if $manage_memcache_package {
  309. ensure_packages('python-memcache', {
  310. ensure => present,
  311. name => $::keystone::params::python_memcache_package_name,
  312. tag => ['openstack'],
  313. })
  314. }
  315. } else {
  316. $memcached_servers_real = $::os_service_default
  317. }
  318. $keystonemiddleware_options = {
  319. 'keystone_authtoken/auth_section' => {'value' => $auth_section},
  320. 'keystone_authtoken/www_authenticate_uri' => {'value' => $www_authenticate_uri_real},
  321. #TODO(aschultz): needs to be defined until all providers have been cut over
  322. 'keystone_authtoken/auth_uri' => {'value' => $www_authenticate_uri_real},
  323. 'keystone_authtoken/auth_type' => {'value' => $auth_type},
  324. 'keystone_authtoken/auth_version' => {'value' => $auth_version},
  325. 'keystone_authtoken/cache' => {'value' => $cache},
  326. 'keystone_authtoken/cafile' => {'value' => $cafile},
  327. 'keystone_authtoken/certfile' => {'value' => $certfile},
  328. 'keystone_authtoken/collect_timing' => {'value' => $collect_timing},
  329. 'keystone_authtoken/delay_auth_decision' => {'value' => $delay_auth_decision},
  330. 'keystone_authtoken/enforce_token_bind' => {'value' => $enforce_token_bind},
  331. 'keystone_authtoken/http_connect_timeout' => {'value' => $http_connect_timeout},
  332. 'keystone_authtoken/http_request_max_retries' => {'value' => $http_request_max_retries},
  333. 'keystone_authtoken/include_service_catalog' => {'value' => $include_service_catalog},
  334. 'keystone_authtoken/keyfile' => {'value' => $keyfile},
  335. 'keystone_authtoken/memcache_pool_conn_get_timeout' => {'value' => $memcache_pool_conn_get_timeout},
  336. 'keystone_authtoken/memcache_pool_dead_retry' => {'value' => $memcache_pool_dead_retry},
  337. 'keystone_authtoken/memcache_pool_maxsize' => {'value' => $memcache_pool_maxsize},
  338. 'keystone_authtoken/memcache_pool_socket_timeout' => {'value' => $memcache_pool_socket_timeout},
  339. 'keystone_authtoken/memcache_pool_unused_timeout' => {'value' => $memcache_pool_unused_timeout},
  340. 'keystone_authtoken/memcache_secret_key' => {'value' => $memcache_secret_key, 'secret' => true},
  341. 'keystone_authtoken/memcache_security_strategy' => {'value' => $memcache_security_strategy},
  342. 'keystone_authtoken/memcache_use_advanced_pool' => {'value' => $memcache_use_advanced_pool},
  343. 'keystone_authtoken/memcached_servers' => {'value' => $memcached_servers_real},
  344. 'keystone_authtoken/region_name' => {'value' => $region_name},
  345. 'keystone_authtoken/token_cache_time' => {'value' => $token_cache_time},
  346. 'keystone_authtoken/auth_url' => {'value' => $auth_url},
  347. 'keystone_authtoken/username' => {'value' => $username},
  348. 'keystone_authtoken/password' => {'value' => $password, 'secret' => true},
  349. 'keystone_authtoken/user_domain_name' => {'value' => $user_domain_name},
  350. 'keystone_authtoken/project_name' => {'value' => $project_name},
  351. 'keystone_authtoken/project_domain_name' => {'value' => $project_domain_name},
  352. 'keystone_authtoken/insecure' => {'value' => $insecure},
  353. 'keystone_authtoken/service_token_roles' => {'value' => $service_token_roles},
  354. 'keystone_authtoken/service_token_roles_required' => {'value' => $service_token_roles_required},
  355. }
  356. create_resources($name, $keystonemiddleware_options)
  357. }