Move magnum to authtoken

Allow magnum to configure the keystone_authtoken section in magnum.conf with all new parameters from Keystone Middleware using the keystone::resource::authtoken from puppet-keystone This will also add support to authentication using Keystone v3. Change-Id: I4a69bd72e6114e287520548587a14ac0e44b1e84 Closes-Bug: #1604463
2016-08-06 11:59:03 +08:00 · 2016-08-06 11:59:03 +08:00 · 987e53f94d
commit 987e53f94d
parent c151016278
6 changed files with 446 additions and 85 deletions
--- a/examples/magnum.pp
+++ b/examples/magnum.pp
@ -27,11 +27,12 @@
    domain_password => 'oh_my_no_secret',
  }

+  class { '::magnum::keystone::authtoken':
+    password => 'a_big_secret',
+  }
+
  class { '::magnum::api':
-    admin_password => 'a_big_secret',
-    auth_uri       => 'http://127.0.0.1:5000/',
-    identity_uri   => 'http://127.0.0.1:35357/',
-    host           => '127.0.0.1',
+    host => '127.0.0.1',
  }

  class { '::magnum::keystone::auth':
--- a/manifests/api.pp
+++ b/manifests/api.pp
@ -4,69 +4,43 @@
 #
 # === Parameters
 #
-# [*admin_password*]
-#  (Required) The password to set for the magnum user in keystone.
-#
 # [*package_ensure*]
-#  (Optional) Sets the ensure parameter for the package resource.
-#  Defaults to 'present'
+#   (Optional) Sets the ensure parameter for the package resource.
+#   Defaults to 'present'
 #
 # [*enabled*]
-#  (Optional) Define if the service should be enabled or not.
-#  Defaults to true
+#   (Optional) Define if the service should be enabled or not.
+#   Defaults to true
 #
 # [*port*]
-#  (Optional) The port for the Magnum API server.
-#  Defaults to '9511'
+#   (Optional) The port for the Magnum API server.
+#   Defaults to '9511'
 #
 # [*host*]
-#  (Optional) The listen IP for the Magnum API server.
-#  Defaults to '127.0.0.1'
+#   (Optional) The listen IP for the Magnum API server.
+#   Defaults to '127.0.0.1'
 #
 # [*max_limit*]
-#  (Optional) The maximum number of items returned in a single response
-#  from a collection resource.
-#  Defaults to '1000'
-#
-# [*auth_uri*]
-#  (Optional) Complete public identity API endpoint.
-#  Defaults to 'http://127.0.0.1:5000/'
-#
-# [*identity_uri*]
-#  (Optional) Complete admin identity API endpoint.
-#  Defaults to 'http://127.0.0.1:35357/'
-#
-# [*auth_version*]
-#  (Optional) API version of the admin identity API endpoint. For example,
-#  use 'v3' for the keystone version 3 API.
-#  Defaults to false
+#   (Optional) The maximum number of items returned in a single response
+#   from a collection resource.
+#   Defaults to '1000'
 #
 # [*sync_db*]
-#  (Optional) Enable DB sync
-#  Defaults to true
+#   (Optional) Enable DB sync
+#   Defaults to true
 #
-# [*admin_tenant_name*]
-#  (Optional) The name of the tenant to create in keystone for use by Magnum services.
-#  Defaults to 'services'
+# [*auth_strategy*]
+#   (optional) Type of authentication to be used.
+#   Defaults to 'keystone'
 #
-# [*admin_user*]
-#  (Optional) The name of the user to create in keystone for use by Magnum services.
-#  Defaults to 'magnum'
-#
-
 class magnum::api(
-  $admin_password,
-  $package_ensure    = 'present',
-  $enabled           = true,
-  $port              = '9511',
-  $host              = '127.0.0.1',
-  $max_limit         = '1000',
-  $auth_uri          = 'http://127.0.0.1:5000/',
-  $identity_uri      = 'http://127.0.0.1:35357/',
-  $auth_version      = false,
-  $sync_db           = true,
-  $admin_tenant_name = 'services',
-  $admin_user        = 'magnum',
+  $package_ensure = 'present',
+  $enabled        = true,
+  $port           = '9511',
+  $host           = '127.0.0.1',
+  $max_limit      = '1000',
+  $sync_db        = true,
+  $auth_strategy  = 'keystone',
 ) {

  include ::magnum::params
@ -112,18 +86,8 @@ class magnum::api(
    tag       => ['magnum-service', 'magnum-db-sync-service'],
  }

-  if $auth_version {
-    magnum_config { 'keystone_authtoken/auth_version' : value => $auth_version; }
-  } else {
-    magnum_config { 'keystone_authtoken/auth_version' : ensure => absent; }
-  }
-
-  magnum_config {
-    'keystone_authtoken/auth_uri' :          value => $auth_uri;
-    'keystone_authtoken/identity_uri' :      value => $identity_uri;
-    'keystone_authtoken/admin_tenant_name' : value => $admin_tenant_name;
-    'keystone_authtoken/admin_user' :        value => $admin_user;
-    'keystone_authtoken/admin_password' :    value => $admin_password, secret => true;
+  if $auth_strategy == 'keystone' {
+    include ::magnum::keystone::authtoken
  }

 }
--- a/manifests/keystone/authtoken.pp
+++ b/manifests/keystone/authtoken.pp
@ -0,0 +1,259 @@
+# class: magnum::keystone::authtoken
+#
+# Configure the keystone_authtoken section in the configuration file
+#
+# === Parameters
+#
+# [*password*]
+#   (Required) Password to create for the service user
+#
+# [*username*]
+#   (Optional) The name of the service user
+#   Defaults to 'magnum'
+#
+# [*auth_url*]
+#   (Optional) The URL to use for authentication.
+#   Defaults to 'http://localhost:35357'
+#
+# [*project_name*]
+#   (Optional) Service project name
+#   Defaults to 'services'
+#
+# [*user_domain_name*]
+#   (Optional) Name of domain for $username
+#   Defaults to $::os_service_default
+#
+# [*project_domain_name*]
+#   (Optional) Name of domain for $project_name
+#   Defaults to $::os_service_default
+#
+# [*insecure*]
+#   (Optional) If true, explicitly allow TLS without checking server cert
+#   against any certificate authorities.  WARNING: not recommended.  Use with caution.
+#   Defaults to $:os_service_default
+#
+# [*auth_section*]
+#   (Optional) Config Section from which to load plugin specific options
+#   Defaults to $::os_service_default.
+#
+# [*auth_type*]
+#   (Optional) Authentication type to load
+#   Defaults to 'password'
+#
+# [*auth_uri*]
+#   (Optional) Complete public Identity API endpoint.
+#   Defaults to 'http://localhost:5000'
+#
+# [*auth_version*]
+#   (Optional) API version of the admin Identity API endpoint.
+#   Defaults to $::os_service_default.
+#
+# [*cache*]
+#   (Optional) Env key for the swift cache.
+#   Defaults to $::os_service_default.
+#
+# [*cafile*]
+#   (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs connections.
+#   Defaults to $::os_service_default.
+#
+# [*certfile*]
+#   (Optional) Required if identity server requires client certificate
+#   Defaults to $::os_service_default.
+#
+# [*check_revocations_for_cached*]
+#   (Optional) If true, the revocation list will be checked for cached tokens.
+#   This requires that PKI tokens are configured on the identity server.
+#   boolean value.
+#   Defaults to $::os_service_default.
+#
+# [*delay_auth_decision*]
+#   (Optional) Do not handle authorization requests within the middleware, but
+#   delegate the authorization decision to downstream WSGI components.
+#   Boolean value
+#   Defaults to $::os_service_default.
+#
+# [*enforce_token_bind*]
+#   (Optional) Used to control the use and type of token binding. Can be set
+#   to: "disabled" to not check token binding. "permissive" (default) to
+#   validate binding information if the bind type is of a form known to the
+#   server and ignore it if not. "strict" like "permissive" but if the bind
+#   type is unknown the token will be rejected. "required" any form of token
+#   binding is needed to be allowed. Finally the name of a binding method that
+#   must be present in tokens. String value.
+#   Defaults to $::os_service_default.
+#
+# [*hash_algorithms*]
+#   (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
+#   single algorithm or multiple. The algorithms are those supported by Python
+#   standard hashlib.new(). The hashes will be tried in the order given, so put
+#   the preferred one first for performance. The result of the first hash will
+#   be stored in the cache. This will typically be set to multiple values only
+#   while migrating from a less secure algorithm to a more secure one. Once all
+#   the old tokens are expired this option should be set to a single value for
+#   better performance. List value.
+#   Defaults to $::os_service_default.
+#
+# [*http_connect_timeout*]
+#   (Optional) Request timeout value for communicating with Identity API server.
+#   Defaults to $::os_service_default.
+#
+# [*http_request_max_retries*]
+#   (Optional) How many times are we trying to reconnect when communicating
+#   with Identity API Server. Integer value
+#   Defaults to $::os_service_default.
+#
+# [*include_service_catalog*]
+#   (Optional) Indicate whether to set the X-Service-Catalog header. If False,
+#   middleware will not ask for service catalog on token validation and will not
+#   set the X-Service-Catalog header. Boolean value.
+#   Defaults to $::os_service_default.
+#
+# [*keyfile*]
+#   (Optional) Required if identity server requires client certificate
+#   Defaults to $::os_service_default.
+#
+# [*memcache_pool_conn_get_timeout*]
+#   (Optional) Number of seconds that an operation will wait to get a memcached
+#   client connection from the pool. Integer value
+#   Defaults to $::os_service_default.
+#
+# [*memcache_pool_dead_retry*]
+#   (Optional) Number of seconds memcached server is considered dead before it
+#   is tried again. Integer value
+#   Defaults to $::os_service_default.
+#
+# [*memcache_pool_maxsize*]
+#   (Optional) Maximum total number of open connections to every memcached
+#   server. Integer value
+#   Defaults to $::os_service_default.
+#
+# [*memcache_pool_socket_timeout*]
+#   (Optional) Number of seconds a connection to memcached is held unused in
+#   the pool before it is closed. Integer value
+#   Defaults to $::os_service_default.
+#
+# [*memcache_pool_unused_timeout*]
+#   (Optional) Number of seconds a connection to memcached is held unused in
+#   the pool before it is closed. Integer value
+#   Defaults to $::os_service_default.
+#
+# [*memcache_secret_key*]
+#   (Optional, mandatory if memcache_security_strategy is defined) This string
+#   is used for key derivation.
+#   Defaults to $::os_service_default.
+#
+# [*memcache_security_strategy*]
+#   (Optional) If defined, indicate whether token data should be authenticated
+#   or authenticated and encrypted. If MAC, token data is authenticated (with HMAC)
+#   in the cache. If ENCRYPT, token data is encrypted and authenticated in the
+#   cache. If the value is not one of these options or empty, auth_token will
+#   raise an exception on initialization.
+#   Defaults to $::os_service_default.
+#
+# [*memcache_use_advanced_pool*]
+#   (Optional)  Use the advanced (eventlet safe) memcached client pool. The
+#   advanced pool will only work under python 2.x Boolean value
+#   Defaults to $::os_service_default.
+#
+# [*memcached_servers*]
+#   (Optional) Optionally specify a list of memcached server(s) to use for
+#   caching. If left undefined, tokens will instead be cached in-process.
+#   Defaults to $::os_service_default.
+#
+# [*region_name*]
+#   (Optional) The region in which the identity server can be found.
+#   Defaults to $::os_service_default.
+#
+# [*revocation_cache_time*]
+#   (Optional) Determines the frequency at which the list of revoked tokens is
+#   retrieved from the Identity service (in seconds). A high number of
+#   revocation events combined with a low cache duration may significantly
+#   reduce performance. Only valid for PKI tokens. Integer value
+#   Defaults to $::os_service_default.
+#
+# [*signing_dir*]
+#   (Optional) Directory used to cache files related to PKI tokens.
+#   Defaults to $::os_service_default.
+#
+# [*token_cache_time*]
+#   (Optional) In order to prevent excessive effort spent validating tokens,
+#   the middleware caches previously-seen tokens for a configurable duration
+#   (in seconds). Set to -1 to disable caching completely. Integer value
+#   Defaults to $::os_service_default.
+#
+class magnum::keystone::authtoken(
+  $password,
+  $username                       = 'magnum',
+  $auth_url                       = 'http://localhost:35357',
+  $project_name                   = 'services',
+  $user_domain_name               = $::os_service_default,
+  $project_domain_name            = $::os_service_default,
+  $insecure                       = $::os_service_default,
+  $auth_section                   = $::os_service_default,
+  $auth_type                      = 'password',
+  $auth_uri                       = 'http://localhost:5000',
+  $auth_version                   = $::os_service_default,
+  $cache                          = $::os_service_default,
+  $cafile                         = $::os_service_default,
+  $certfile                       = $::os_service_default,
+  $check_revocations_for_cached   = $::os_service_default,
+  $delay_auth_decision            = $::os_service_default,
+  $enforce_token_bind             = $::os_service_default,
+  $hash_algorithms                = $::os_service_default,
+  $http_connect_timeout           = $::os_service_default,
+  $http_request_max_retries       = $::os_service_default,
+  $include_service_catalog        = $::os_service_default,
+  $keyfile                        = $::os_service_default,
+  $memcache_pool_conn_get_timeout = $::os_service_default,
+  $memcache_pool_dead_retry       = $::os_service_default,
+  $memcache_pool_maxsize          = $::os_service_default,
+  $memcache_pool_socket_timeout   = $::os_service_default,
+  $memcache_pool_unused_timeout   = $::os_service_default,
+  $memcache_secret_key            = $::os_service_default,
+  $memcache_security_strategy     = $::os_service_default,
+  $memcache_use_advanced_pool     = $::os_service_default,
+  $memcached_servers              = $::os_service_default,
+  $region_name                    = $::os_service_default,
+  $revocation_cache_time          = $::os_service_default,
+  $signing_dir                    = $::os_service_default,
+  $token_cache_time               = $::os_service_default,
+) {
+
+  keystone::resource::authtoken { 'magnum_config':
+    username                       => $username,
+    password                       => $password,
+    project_name                   => $project_name,
+    auth_url                       => $auth_url,
+    auth_uri                       => $auth_uri,
+    auth_version                   => $auth_version,
+    auth_type                      => $auth_type,
+    auth_section                   => $auth_section,
+    user_domain_name               => $user_domain_name,
+    project_domain_name            => $project_domain_name,
+    insecure                       => $insecure,
+    cache                          => $cache,
+    cafile                         => $cafile,
+    certfile                       => $certfile,
+    check_revocations_for_cached   => $check_revocations_for_cached,
+    delay_auth_decision            => $delay_auth_decision,
+    enforce_token_bind             => $enforce_token_bind,
+    hash_algorithms                => $hash_algorithms,
+    http_connect_timeout           => $http_connect_timeout,
+    http_request_max_retries       => $http_request_max_retries,
+    include_service_catalog        => $include_service_catalog,
+    keyfile                        => $keyfile,
+    memcache_pool_conn_get_timeout => $memcache_pool_conn_get_timeout,
+    memcache_pool_dead_retry       => $memcache_pool_dead_retry,
+    memcache_pool_maxsize          => $memcache_pool_maxsize,
+    memcache_pool_socket_timeout   => $memcache_pool_socket_timeout,
+    memcache_secret_key            => $memcache_secret_key,
+    memcache_security_strategy     => $memcache_security_strategy,
+    memcache_use_advanced_pool     => $memcache_use_advanced_pool,
+    memcache_pool_unused_timeout   => $memcache_pool_unused_timeout,
+    memcached_servers              => $memcached_servers,
+    region_name                    => $region_name,
+    revocation_cache_time          => $revocation_cache_time,
+    signing_dir                    => $signing_dir,
+    token_cache_time               => $token_cache_time,
+  }
+}
--- a/spec/acceptance/basic_magnum_spec.rb
+++ b/spec/acceptance/basic_magnum_spec.rb
@ -38,6 +38,10 @@ describe 'basic magnum' do
        admin_url    => 'http://127.0.0.1:9511/v1',
      }

+      class { '::magnum::keystone::authtoken':
+        password => 'a_big_secret',
+      }
+
      class { '::magnum::db::mysql':
        password => 'magnum',
      }
@ -60,9 +64,6 @@ describe 'basic magnum' do
       }

       class { '::magnum::api':
-        admin_password => 'a_big_secret',
-        auth_uri       => 'http://127.0.0.1:5000/',
-        identity_uri   => 'http://127.0.0.1:35357/',
        host           => '127.0.0.1',
      }

--- a/spec/classes/magnum_api_spec.rb
+++ b/spec/classes/magnum_api_spec.rb
@ -5,22 +5,22 @@ require 'spec_helper'

 describe 'magnum::api' do

+  let :pre_condition do
+    'class { "magnum::keystone::authtoken": password => "secret", }'
+  end
+
  let :default_params do
    { :package_ensure    => 'present',
      :enabled           => true,
      :port              => '9511',
      :host              => '127.0.0.1',
      :max_limit         => '1000',
-      :auth_uri          => 'http://127.0.0.1:5000/',
-      :identity_uri      => 'http://127.0.0.1:35357/',
      :sync_db           => 'true',
-      :admin_tenant_name => 'services',
-      :admin_user        => 'magnum',
    }
  end

  let :params do
-    { :admin_password => 'secrete' }
+    {}
  end

  shared_examples_for 'magnum-api' do
@ -53,11 +53,6 @@ describe 'magnum::api' do
      is_expected.to contain_magnum_config('api/port').with_value(p[:port])
      is_expected.to contain_magnum_config('api/host').with_value(p[:host])
      is_expected.to contain_magnum_config('api/max_limit').with_value(p[:max_limit])
-      is_expected.to contain_magnum_config('keystone_authtoken/admin_password').with_value(p[:admin_password]).with_secret(true)
-      is_expected.to contain_magnum_config('keystone_authtoken/admin_user').with_value(p[:admin_user])
-      is_expected.to contain_magnum_config('keystone_authtoken/admin_tenant_name').with_value(p[:admin_tenant_name])
-      is_expected.to contain_magnum_config('keystone_authtoken/auth_uri').with_value(p[:auth_uri])
-      is_expected.to contain_magnum_config('keystone_authtoken/identity_uri').with_value(p[:identity_uri])
    end

    context 'when overriding parameters' do
@ -66,8 +61,6 @@ describe 'magnum::api' do
          :port         => '1234',
          :host         => '0.0.0.0',
          :max_limit    => '10',
-          :auth_uri     => 'http://127.0.0.1:5000/',
-          :identity_uri => 'http://127.0.0.1:35357/',
        )
      end

@ -75,11 +68,6 @@ describe 'magnum::api' do
        is_expected.to contain_magnum_config('api/port').with_value(p[:port])
        is_expected.to contain_magnum_config('api/host').with_value(p[:host])
        is_expected.to contain_magnum_config('api/max_limit').with_value(p[:max_limit])
-        is_expected.to contain_magnum_config('keystone_authtoken/admin_password').with_value(p[:admin_password]).with_secret(true)
-        is_expected.to contain_magnum_config('keystone_authtoken/admin_user').with_value(p[:admin_user])
-        is_expected.to contain_magnum_config('keystone_authtoken/admin_tenant_name').with_value(p[:admin_tenant_name])
-        is_expected.to contain_magnum_config('keystone_authtoken/auth_uri').with_value(p[:auth_uri])
-        is_expected.to contain_magnum_config('keystone_authtoken/identity_uri').with_value(p[:identity_uri])
      end
    end

--- a/spec/classes/magnum_keystone_authtoken_spec.rb
+++ b/spec/classes/magnum_keystone_authtoken_spec.rb
@ -0,0 +1,148 @@
+require 'spec_helper'
+
+describe 'magnum::keystone::authtoken' do
+
+  let :params do
+    { :password => 'magnum_password', }
+  end
+
+  shared_examples_for 'magnum authtoken' do
+
+    context 'without required password parameter' do
+      before { params.delete(:password) }
+      it { expect { is_expected.to raise_error(Puppet::Error) } }
+    end
+
+    context 'with default parameters' do
+      it 'configure keystone_authtoken' do
+        is_expected.to contain_magnum_config('keystone_authtoken/username').with_value('magnum')
+        is_expected.to contain_magnum_config('keystone_authtoken/password').with_value('magnum_password')
+        is_expected.to contain_magnum_config('keystone_authtoken/auth_url').with_value('http://localhost:35357')
+        is_expected.to contain_magnum_config('keystone_authtoken/project_name').with_value('services')
+        is_expected.to contain_magnum_config('keystone_authtoken/user_domain_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_magnum_config('keystone_authtoken/project_domain_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_magnum_config('keystone_authtoken/insecure').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_magnum_config('keystone_authtoken/auth_section').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_magnum_config('keystone_authtoken/auth_type').with_value('password')
+        is_expected.to contain_magnum_config('keystone_authtoken/auth_uri').with_value('http://localhost:5000')
+        is_expected.to contain_magnum_config('keystone_authtoken/auth_version').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_magnum_config('keystone_authtoken/cache').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_magnum_config('keystone_authtoken/cafile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_magnum_config('keystone_authtoken/certfile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_magnum_config('keystone_authtoken/check_revocations_for_cached').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_magnum_config('keystone_authtoken/delay_auth_decision').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_magnum_config('keystone_authtoken/enforce_token_bind').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_magnum_config('keystone_authtoken/hash_algorithms').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_magnum_config('keystone_authtoken/http_connect_timeout').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_magnum_config('keystone_authtoken/http_request_max_retries').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_magnum_config('keystone_authtoken/include_service_catalog').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_magnum_config('keystone_authtoken/keyfile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_magnum_config('keystone_authtoken/memcache_pool_conn_get_timeout').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_magnum_config('keystone_authtoken/memcache_pool_dead_retry').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_magnum_config('keystone_authtoken/memcache_pool_maxsize').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_magnum_config('keystone_authtoken/memcache_pool_socket_timeout').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_magnum_config('keystone_authtoken/memcache_pool_unused_timeout').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_magnum_config('keystone_authtoken/memcache_secret_key').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_magnum_config('keystone_authtoken/memcache_security_strategy').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_magnum_config('keystone_authtoken/memcache_use_advanced_pool').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_magnum_config('keystone_authtoken/memcached_servers').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_magnum_config('keystone_authtoken/region_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_magnum_config('keystone_authtoken/revocation_cache_time').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_magnum_config('keystone_authtoken/signing_dir').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_magnum_config('keystone_authtoken/token_cache_time').with_value('<SERVICE DEFAULT>')
+      end
+    end
+
+    context 'when overriding parameters' do
+      before do
+        params.merge!({
+          :auth_uri                             => 'https://10.0.0.1:9999/',
+          :username                             => 'myuser',
+          :password                             => 'mypasswd',
+          :auth_url                             => 'http://:127.0.0.1:35357',
+          :project_name                         => 'service_project',
+          :user_domain_name                     => 'domainX',
+          :project_domain_name                  => 'domainX',
+          :insecure                             => false,
+          :auth_section                         => 'new_section',
+          :auth_type                            => 'password',
+          :auth_version                         => 'v3',
+          :cache                                => 'somevalue',
+          :cafile                               => '/opt/stack/data/cafile.pem',
+          :certfile                             => 'certfile.crt',
+          :check_revocations_for_cached         => false,
+          :delay_auth_decision                  => false,
+          :enforce_token_bind                   => 'permissive',
+          :hash_algorithms                      => 'md5',
+          :http_connect_timeout                 => '300',
+          :http_request_max_retries             => '3',
+          :include_service_catalog              => true,
+          :keyfile                              => 'keyfile',
+          :memcache_pool_conn_get_timeout       => '9',
+          :memcache_pool_dead_retry             => '302',
+          :memcache_pool_maxsize                => '11',
+          :memcache_pool_socket_timeout         => '2',
+          :memcache_pool_unused_timeout         => '61',
+          :memcache_secret_key                  => 'secret_key',
+          :memcache_security_strategy           => 'ENCRYPT',
+          :memcache_use_advanced_pool           => true,
+          :memcached_servers                    => ['memcached01:11211','memcached02:11211'],
+          :region_name                          => 'region2',
+          :revocation_cache_time                => '11',
+          :signing_dir                          => '/var/cache',
+          :token_cache_time                     => '301',
+        })
+      end
+
+      it 'configure keystone_authtoken' do
+        is_expected.to contain_magnum_config('keystone_authtoken/auth_uri').with_value('https://10.0.0.1:9999/')
+        is_expected.to contain_magnum_config('keystone_authtoken/username').with_value(params[:username])
+        is_expected.to contain_magnum_config('keystone_authtoken/password').with_value(params[:password]).with_secret(true)
+        is_expected.to contain_magnum_config('keystone_authtoken/auth_url').with_value(params[:auth_url])
+        is_expected.to contain_magnum_config('keystone_authtoken/project_name').with_value(params[:project_name])
+        is_expected.to contain_magnum_config('keystone_authtoken/user_domain_name').with_value(params[:user_domain_name])
+        is_expected.to contain_magnum_config('keystone_authtoken/project_domain_name').with_value(params[:project_domain_name])
+        is_expected.to contain_magnum_config('keystone_authtoken/insecure').with_value(params[:insecure])
+        is_expected.to contain_magnum_config('keystone_authtoken/auth_section').with_value(params[:auth_section])
+        is_expected.to contain_magnum_config('keystone_authtoken/auth_type').with_value(params[:auth_type])
+        is_expected.to contain_magnum_config('keystone_authtoken/auth_version').with_value(params[:auth_version])
+        is_expected.to contain_magnum_config('keystone_authtoken/cache').with_value(params[:cache])
+        is_expected.to contain_magnum_config('keystone_authtoken/cafile').with_value(params[:cafile])
+        is_expected.to contain_magnum_config('keystone_authtoken/certfile').with_value(params[:certfile])
+        is_expected.to contain_magnum_config('keystone_authtoken/check_revocations_for_cached').with_value(params[:check_revocations_for_cached])
+        is_expected.to contain_magnum_config('keystone_authtoken/delay_auth_decision').with_value(params[:delay_auth_decision])
+        is_expected.to contain_magnum_config('keystone_authtoken/enforce_token_bind').with_value(params[:enforce_token_bind])
+        is_expected.to contain_magnum_config('keystone_authtoken/hash_algorithms').with_value(params[:hash_algorithms])
+        is_expected.to contain_magnum_config('keystone_authtoken/http_connect_timeout').with_value(params[:http_connect_timeout])
+        is_expected.to contain_magnum_config('keystone_authtoken/http_request_max_retries').with_value(params[:http_request_max_retries])
+        is_expected.to contain_magnum_config('keystone_authtoken/include_service_catalog').with_value(params[:include_service_catalog])
+        is_expected.to contain_magnum_config('keystone_authtoken/keyfile').with_value(params[:keyfile])
+        is_expected.to contain_magnum_config('keystone_authtoken/memcache_pool_conn_get_timeout').with_value(params[:memcache_pool_conn_get_timeout])
+        is_expected.to contain_magnum_config('keystone_authtoken/memcache_pool_dead_retry').with_value(params[:memcache_pool_dead_retry])
+        is_expected.to contain_magnum_config('keystone_authtoken/memcache_pool_maxsize').with_value(params[:memcache_pool_maxsize])
+        is_expected.to contain_magnum_config('keystone_authtoken/memcache_pool_socket_timeout').with_value(params[:memcache_pool_socket_timeout])
+        is_expected.to contain_magnum_config('keystone_authtoken/memcache_pool_unused_timeout').with_value(params[:memcache_pool_unused_timeout])
+        is_expected.to contain_magnum_config('keystone_authtoken/memcache_secret_key').with_value(params[:memcache_secret_key])
+        is_expected.to contain_magnum_config('keystone_authtoken/memcache_security_strategy').with_value(params[:memcache_security_strategy])
+        is_expected.to contain_magnum_config('keystone_authtoken/memcache_use_advanced_pool').with_value(params[:memcache_use_advanced_pool])
+        is_expected.to contain_magnum_config('keystone_authtoken/memcached_servers').with_value('memcached01:11211,memcached02:11211')
+        is_expected.to contain_magnum_config('keystone_authtoken/region_name').with_value(params[:region_name])
+        is_expected.to contain_magnum_config('keystone_authtoken/revocation_cache_time').with_value(params[:revocation_cache_time])
+        is_expected.to contain_magnum_config('keystone_authtoken/signing_dir').with_value(params[:signing_dir])
+        is_expected.to contain_magnum_config('keystone_authtoken/token_cache_time').with_value(params[:token_cache_time])
+      end
+    end
+  end
+
+  on_supported_os({
+    :supported_os => OSDefaults.get_supported_os
+  }).each do |os,facts|
+    context "on #{os}" do
+      let (:facts) do
+        facts.merge!(OSDefaults.get_facts())
+      end
+      it_configures 'magnum authtoken'
+    end
+  end
+
+end