puppet-keystone/manifests/resource/authtoken.pp
Matt Fischer a5da52ec52 Keystone hooks support
This code moves all deps to an external class so that Keystone can be
installed with mechanisms besides packages (like venv or docker). This
also cleans-up the dependency tree by removing false or confusing
dependencies.

Change-Id: If69cd7cba267f75faad51fdbc80a58b24d2095d8
Co-Author: Clayton O'Neill <clayton.oneill@twcable.com>
2016-03-15 20:11:25 -06:00


# == Definition: keystone::resource::authtoken
#
# This resource configures Keystone authentication resources for an OpenStack
# service. It will manage the [keystone_authtoken] section in the given
# config resource. It supports all of the authentication parameters specified
# at http://www.jamielennox.net/blog/2015/02/17/loading-authentication-plugins/
# with the addition of the default domain for user and project.
#
# The username and project_name parameters may be given in the form
# "name::domainname". The authtoken resource will use the domains in
# the following order:
# 1) The given domain parameter (user_domain_name or project_domain_name)
# 2) The domain given as the "::domainname" part of username or project_name
# 3) The default_domain_name
#
# For example, instead of doing this::
#
# glance_api_config {
# 'keystone_authtoken/admin_tenant_name': value => $keystone_tenant;
# 'keystone_authtoken/admin_user' : value => $keystone_user;
# 'keystone_authtoken/admin_password' : value => $keystone_password;
# secret => true;
# ...
# }
#
# manifests should do this instead::
#
# keystone::resource::authtoken { 'glance_api_config':
# username => $keystone_user,
# password => $keystone_password,
# auth_url => $real_identity_uri,
# project_name => $keystone_tenant,
# user_domain_name => $keystone_user_domain,
# project_domain_name => $keystone_project_domain,
# default_domain_name => $keystone_default_domain,
# cacert => $ca_file,
# ...
# }
#
# The use of `keystone::resource::authtoken` makes it easy to avoid mistakes,
# and makes it easier to support some of the newer authentication types coming
# with Keystone Kilo and later, such as Kerberos, Federation, etc.
#
# == Parameters:
#
# [*name*]
# The name of the resource corresponding to the config file. For example,
# keystone::resource::authtoken { 'glance_api_config': ... }
# Where 'glance_api_config' is the name of the resource used to manage
# the glance api configuration.
# string; required
#
# [*username*]
# The name of the service user;
# string; required
#
# [*password*]
# Password of the service user;
# string; required
#
# [*auth_url*]
# The URL to use for authentication.
# string; required
#
# [*auth_plugin*]
# The plugin to use for authentication.
# string; optional: default to 'password'
#
# [*user_id*]
# The ID of the service user;
# string; optional: default to undef
#
# [*user_domain_name*]
# (Optional) Name of domain for $username
# Defaults to undef
#
# [*user_domain_id*]
# (Optional) ID of domain for $username
# Defaults to undef
#
# [*project_name*]
# Service project name;
# string; optional: default to undef
#
# [*project_id*]
# Service project ID;
# string; optional: default to undef
#
# [*project_domain_name*]
# (Optional) Name of domain for $project_name
# Defaults to undef
#
# [*project_domain_id*]
# (Optional) ID of domain for $project_name
# Defaults to undef
#
# [*domain_name*]
# (Optional) Use this for auth to obtain a domain-scoped token.
# If using this option, do not specify $project_name or $project_id.
# Defaults to undef
#
# [*domain_id*]
# (Optional) Use this for auth to obtain a domain-scoped token.
# If using this option, do not specify $project_name or $project_id.
# Defaults to undef
#
# [*default_domain_name*]
# (Optional) Name of domain for $username and $project_name
# If user_domain_name is not specified, use $default_domain_name
# If project_domain_name is not specified, use $default_domain_name
# Defaults to undef
#
# [*default_domain_id*]
# (Optional) ID of domain for $user_id and $project_id
# If user_domain_id is not specified, use $default_domain_id
# If project_domain_id is not specified, use $default_domain_id
# Defaults to undef
#
# [*trust_id*]
# (Optional) Trust ID
# Defaults to undef
#
# [*cacert*]
# (Optional) CA certificate file for TLS (https)
# Defaults to undef
#
# [*cert*]
# (Optional) Certificate file for TLS (https)
# Defaults to undef
#
# [*key*]
# (Optional) Key file for TLS (https)
# Defaults to undef
#
# [*insecure*]
# If true, explicitly allow TLS without checking server cert against any
# certificate authorities. WARNING: not recommended. Use with caution.
# boolean; Defaults to false (i.e. the server certificate is verified)
#
define keystone::resource::authtoken(
  $username,
  $password,
  $auth_url,
  $auth_plugin         = 'password',
  $user_id             = undef,
  $user_domain_name    = undef,
  $user_domain_id      = undef,
  $project_name        = undef,
  $project_id          = undef,
  $project_domain_name = undef,
  $project_domain_id   = undef,
  $domain_name         = undef,
  $domain_id           = undef,
  $default_domain_name = undef,
  $default_domain_id   = undef,
  $trust_id            = undef,
  $cacert              = undef,
  $cert                = undef,
  $key                 = undef,
  $insecure            = false,
) {

  # Dependency handling is delegated to keystone::deps so that this define
  # does not assume a package-based Keystone installation.
  include ::keystone::deps

  # A token is scoped to exactly one of a project or a domain. Reject both
  # "neither" and "both" up front instead of writing an ambiguous
  # [keystone_authtoken] section that the service would only reject at runtime.
  if !$project_name and !$project_id and !$domain_name and !$domain_id {
    fail('Must specify either a project (project_name or project_id, for a project scoped token) or a domain (domain_name or domain_id, for a domain scoped token)')
  }
  if ($project_name or $project_id) and ($domain_name or $domain_id) {
    fail('Cannot specify both a project (project_name or project_id) and a domain (domain_name or domain_id)')
  }

  # "name::domainname" support: the text after '::' is the domain. pick()
  # returns the first argument that is neither undef nor empty, so the
  # precedence is: explicit *_domain_name parameter, then the '::' suffix,
  # then default_domain_name. The '__nodomain__' sentinel guarantees pick()
  # always has a result; it is tested below and translated into
  # ensure => absent. As a consequence a domain literally named
  # '__nodomain__' cannot be configured through this define.
  $user_and_domain_array = split($username, '::')
  $real_username         = $user_and_domain_array[0]
  $real_user_domain_name = pick($user_domain_name, $user_and_domain_array[1], $default_domain_name, '__nodomain__')

  # NOTE(review): $project_name is undef for domain-scoped tokens; whether
  # split() tolerates undef depends on the Puppet/stdlib version in use —
  # confirm against the supported Puppet range.
  $project_and_domain_array = split($project_name, '::')
  $real_project_name        = $project_and_domain_array[0]
  $real_project_domain_name = pick($project_domain_name, $project_and_domain_array[1], $default_domain_name, '__nodomain__')

  # Every setting below is managed one way or the other: either a value is
  # written or the key is removed (ensure => absent). This keeps a stale value
  # from a previous catalog from surviving once its parameter is dropped.
  create_resources($name, {'keystone_authtoken/auth_plugin' => {'value' => $auth_plugin}})
  create_resources($name, {'keystone_authtoken/auth_url' => {'value' => $auth_url}})
  create_resources($name, {'keystone_authtoken/username' => {'value' => $real_username}})
  # 'secret' => true asks the config resource to keep the password out of
  # agent change logs and reports.
  create_resources($name, {'keystone_authtoken/password' => {'value' => $password, 'secret' => true}})

  if $user_id {
    create_resources($name, {'keystone_authtoken/user_id' => {'value' => $user_id}})
  } else {
    create_resources($name, {'keystone_authtoken/user_id' => {'ensure' => 'absent'}})
  }

  if $real_user_domain_name == '__nodomain__' {
    create_resources($name, {'keystone_authtoken/user_domain_name' => {'ensure' => 'absent'}})
  } else {
    create_resources($name, {'keystone_authtoken/user_domain_name' => {'value' => $real_user_domain_name}})
  }

  # The domain ID falls back to default_domain_id independently of the name
  # resolution above, so a domain name and a domain id can both be written
  # when both defaults are supplied.
  # NOTE(review): confirm the auth plugin accepts name and id together.
  if $user_domain_id {
    create_resources($name, {'keystone_authtoken/user_domain_id' => {'value' => $user_domain_id}})
  } elsif $default_domain_id {
    create_resources($name, {'keystone_authtoken/user_domain_id' => {'value' => $default_domain_id}})
  } else {
    create_resources($name, {'keystone_authtoken/user_domain_id' => {'ensure' => 'absent'}})
  }

  # The presence check uses the raw parameter, the written value the
  # '::'-stripped name.
  if $project_name {
    create_resources($name, {'keystone_authtoken/project_name' => {'value' => $real_project_name}})
  } else {
    create_resources($name, {'keystone_authtoken/project_name' => {'ensure' => 'absent'}})
  }

  if $project_id {
    create_resources($name, {'keystone_authtoken/project_id' => {'value' => $project_id}})
  } else {
    create_resources($name, {'keystone_authtoken/project_id' => {'ensure' => 'absent'}})
  }

  if $real_project_domain_name == '__nodomain__' {
    create_resources($name, {'keystone_authtoken/project_domain_name' => {'ensure' => 'absent'}})
  } else {
    create_resources($name, {'keystone_authtoken/project_domain_name' => {'value' => $real_project_domain_name}})
  }

  # Same name/id fallback split as for the user domain above.
  if $project_domain_id {
    create_resources($name, {'keystone_authtoken/project_domain_id' => {'value' => $project_domain_id}})
  } elsif $default_domain_id {
    create_resources($name, {'keystone_authtoken/project_domain_id' => {'value' => $default_domain_id}})
  } else {
    create_resources($name, {'keystone_authtoken/project_domain_id' => {'ensure' => 'absent'}})
  }

  # Domain-scoped token settings; mutually exclusive with the project ones
  # by the checks at the top.
  if $domain_name {
    create_resources($name, {'keystone_authtoken/domain_name' => {'value' => $domain_name}})
  } else {
    create_resources($name, {'keystone_authtoken/domain_name' => {'ensure' => 'absent'}})
  }

  if $domain_id {
    create_resources($name, {'keystone_authtoken/domain_id' => {'value' => $domain_id}})
  } else {
    create_resources($name, {'keystone_authtoken/domain_id' => {'ensure' => 'absent'}})
  }

  if $trust_id {
    create_resources($name, {'keystone_authtoken/trust_id' => {'value' => $trust_id}})
  } else {
    create_resources($name, {'keystone_authtoken/trust_id' => {'ensure' => 'absent'}})
  }

  # TLS material: CA bundle for verifying the identity service, and an
  # optional client certificate/key pair.
  if $cacert {
    create_resources($name, {'keystone_authtoken/cacert' => {'value' => $cacert}})
  } else {
    create_resources($name, {'keystone_authtoken/cacert' => {'ensure' => 'absent'}})
  }

  if $cert {
    create_resources($name, {'keystone_authtoken/cert' => {'value' => $cert}})
  } else {
    create_resources($name, {'keystone_authtoken/cert' => {'ensure' => 'absent'}})
  }

  if $key {
    create_resources($name, {'keystone_authtoken/key' => {'value' => $key}})
  } else {
    create_resources($name, {'keystone_authtoken/key' => {'ensure' => 'absent'}})
  }

  # Written unconditionally (default false): omitting the parameter turns
  # certificate verification back on instead of leaving an earlier 'true'
  # in the file.
  create_resources($name, {'keystone_authtoken/insecure' => {'value' => $insecure}})
}