From 183e14ab35c7cf379546b235ea98983c1c9d0259 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Mon, 24 Jan 2022 12:01:16 +0900
Subject: [PATCH] Create a separate class to manage authtoken parameters
Change-Id: Iab27f6be5d1356963a5eec95bfca25e10ebc3508
---
manifests/init.pp | 100 ++++---
manifests/keystone/authtoken.pp | 281 ++++++++++++++++++
.../authtoken-opts-62d2537d52e7c14a.yaml | 19 ++
spec/classes/murano_init_spec.rb | 26 --
.../classes/murano_keystone_authtoken_spec.rb | 152 ++++++++++
5 files changed, 504 insertions(+), 74 deletions(-)
create mode 100644 manifests/keystone/authtoken.pp
create mode 100644 releasenotes/notes/authtoken-opts-62d2537d52e7c14a.yaml
create mode 100644 spec/classes/murano_keystone_authtoken_spec.rb
diff --git a/manifests/init.pp b/manifests/init.pp
index fd0b8f4..0a4473b 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -202,36 +202,6 @@
 # (Optional) Enable dbsync
 # Defaults to true.
 #
-# == keystone authentication options
-#
-# [*admin_user*]
-# (Optional) Username for murano credentials
-# Defaults to 'murano'
-#
-# [*admin_password*]
-# (Required) Password for murano credentials
-#
-# [*admin_tenant_name*]
-# (Optional) Tenant for admin_username
-# Defaults to 'services'
-#
-# [*www_authenticate_uri*]
-# (Optional) Public identity endpoint
-# Defaults to 'http://127.0.0.1:5000/v3'
-#
-# [*user_domain_name*]
-# (Optional) Name of domain for $username
-# Defaults to 'Default'
-#
-# [*project_domain_name*]
-# (Optional) Name of domain for $project_name
-# Defaults to 'Default'
-#
-# [*memcached_servers*]
-# (optinal) a list of memcached server(s) to use for caching. If left
-# undefined, tokens will instead be cached in-process.
-# Defaults to $::os_service_default.
-#
 # [*purge_config*]
 # (optional) Whether to set only the specified config options
 # in the murano config.
@@ -241,14 +211,42 @@
 #
 # [*identity_uri*]
 # (Optional) Admin identity endpoint
-# Defaults to 'http://127.0.0.1:5000/'
+# Defaults to undef.
 #
 # [*database_min_pool_size*]
 # (optional) Minimum number of SQL connections to keep open in a pool.
 # Defaults to undef.
 #
+# [*admin_user*]
+# (Optional) Username for murano credentials
+# Defaults to undef.
+#
+# [*admin_password*]
+# (Optional) Password for murano credentials
+# Defaults to undef.
+#
+# [*admin_tenant_name*]
+# (Optional) Tenant for admin_username
+# Defaults to undef.
+#
+# [*www_authenticate_uri*]
+# (Optional) Public identity endpoint
+# Defaults to undef.
+#
+# [*user_domain_name*]
+# (Optional) Name of domain for $username
+# Defaults to undef.
+#
+# [*project_domain_name*]
+# (Optional) Name of domain for $project_name
+# Defaults to undef.
+#
+# [*memcached_servers*]
+# (optinal) a list of memcached server(s) to use for caching. If left
+# undefined, tokens will instead be cached in-process.
+# Defaults to undef.
+#
 class murano(
- $admin_password,
 $package_ensure = 'present',
 $data_dir = '/var/cache/murano',
 $notification_transport_url = $::os_service_default,
@@ -293,17 +291,18 @@ class murano(
 $database_retry_interval = undef,
 $database_max_overflow = undef,
 $sync_db = true,
- $admin_user = 'murano',
- $admin_tenant_name = 'services',
- $www_authenticate_uri = 'http://127.0.0.1:5000/v3',
- $user_domain_name = 'Default',
- $project_domain_name = 'Default',
- $memcached_servers = $::os_service_default,
 $purge_config = false,
 $amqp_durable_queues = $::os_service_default,
 # Deprecated
- $identity_uri = 'http://127.0.0.1:5000/',
+ $identity_uri = undef,
 $database_min_pool_size = undef,
+ $admin_user = undef,
+ $admin_password = undef,
+ $admin_tenant_name = undef,
+ $www_authenticate_uri = undef,
+ $user_domain_name = undef,
+ $project_domain_name = undef,
+ $memcached_servers = undef,
 ) inherits murano::params {
 include murano::deps
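Review bot: The doc entries added for `admin_user` through `memcached_servers` describe them as ordinary optional parameters and never say they are deprecated or which `murano::keystone::authtoken` parameter replaces them, although the parameter list in the next hunk files them under `# Deprecated` and the runtime warning points users at the new class. Unless a heading outside this hunk already marks the group, I would state it on each entry, e.g. for `admin_tenant_name`: `# (Optional) DEPRECATED. Use murano::keystone::authtoken::project_name instead.` — the mapping (`admin_user` → `username`, `identity_uri` → `auth_url`, `admin_tenant_name` → `project_name`, the rest keep their names) is the one the new class's `pick()` calls implement. The `(optinal)` typo in the `memcached_servers` entry is copied from the removed block and could be fixed while the text is being moved.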
@@ -386,15 +385,20 @@ class murano(
 'engine/packages_service': value => $packages_service,
 }
- keystone::resource::authtoken { 'murano_config':
- www_authenticate_uri => $www_authenticate_uri,
- auth_url => $identity_uri,
- username => $admin_user,
- password => $admin_password,
- project_name => $admin_tenant_name,
- user_domain_name => $user_domain_name,
- project_domain_name => $project_domain_name,
- memcached_servers => $memcached_servers,
+ [
+ 'www_authenticate_uri',
+ 'identity_uri',
+ 'admin_user',
+ 'admin_password',
+ 'admin_domain_name',
+ 'user_domain_name',
+ 'project_domain_name',
+ 'memcached_servers'
+ ].each |String $opt| {
+ if getvar($opt) != undef {
+ warning("The ${opt} parameter is deprecated. Use the murano::keystone::authtoken class instead")
+ include murano::keystone::authtoken
+ }
 }
 oslo::messaging::rabbit { 'murano_config':
diff --git a/manifests/keystone/authtoken.pp b/manifests/keystone/authtoken.pp
new file mode 100644
index 0000000..f07506c
--- /dev/null
+++ b/manifests/keystone/authtoken.pp
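Review bot: `'admin_domain_name'` in the list of deprecated options is not a parameter of this class — the parameter list declares `$admin_tenant_name` (the value the removed resource passed as `project_name`), so `getvar('admin_domain_name')` is always undef and a user who keeps setting only `admin_tenant_name` gets neither the deprecation warning nor the automatic `include murano::keystone::authtoken`, while the new class still reads `$::murano::admin_tenant_name`. The list entry should read `'admin_tenant_name'`. The warning interpolates only the option name, not its value, so `admin_password` is never written to the log, which is the right choice. The body of class murano continues past the end of this hunk.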
@@ -0,0 +1,281 @@
+# class: murano::keystone::authtoken
+#
+# Configure the keystone_authtoken section in the configuration file
+#
+# === Parameters
+#
+# [*password*]
+# (Required) Password to create for the service user
+#
+# [*username*]
+# (Optional) The name of the service user
+# Defaults to 'murano'
+#
+# [*auth_url*]
+# (Optional) The URL to use for authentication.
+# Defaults to 'http://localhost:5000'
+#
+# [*project_name*]
+# (Optional) Service project name
+# Defaults to 'services'
+#
+# [*user_domain_name*]
+# (Optional) Name of domain for $username
+# Defaults to 'Default'
+#
+# [*project_domain_name*]
+# (Optional) Name of domain for $project_name
+# Defaults to 'Default'
+#
+# [*insecure*]
+# (Optional) If true, explicitly allow TLS without checking server cert
+# against any certificate authorities. WARNING: not recommended. Use with
+# caution.
+# Defaults to $::os_service_default
+#
+# [*auth_section*]
+# (Optional) Config Section from which to load plugin specific options
+# Defaults to $::os_service_default.
+#
+# [*auth_type*]
+# (Optional) Authentication type to load
+# Defaults to 'password'
+#
+# [*www_authenticate_uri*]
+# (Optional) Complete public Identity API endpoint.
+# Defaults to 'http://localhost:5000'
+#
+# [*auth_version*]
+# (Optional) API version of the admin Identity API endpoint.
+# Defaults to $::os_service_default.
+#
+# [*cache*]
+# (Optional) Env key for the swift cache.
+# Defaults to $::os_service_default.
+#
+# [*cafile*]
+# (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs
+# connections.
+# Defaults to $::os_service_default.
+#
+# [*certfile*]
+# (Optional) Required if identity server requires client certificate
+# Defaults to $::os_service_default.
+#
+# [*delay_auth_decision*]
+# (Optional) Do not handle authorization requests within the middleware, but
+# delegate the authorization decision to downstream WSGI components. Boolean
+# value
+# Defaults to $::os_service_default.
+#
+# [*enforce_token_bind*]
+# (Optional) Used to control the use and type of token binding. Can be set
+# to: "disabled" to not check token binding. "permissive" (default) to
+# validate binding information if the bind type is of a form known to the
+# server and ignore it if not. "strict" like "permissive" but if the bind
+# type is unknown the token will be rejected. "required" any form of token
+# binding is needed to be allowed. Finally the name of a binding method that
+# must be present in tokens. String value.
+# Defaults to $::os_service_default.
+#
+# [*http_connect_timeout*]
+# (Optional) Request timeout value for communicating with Identity API
+# server.
+# Defaults to $::os_service_default.
+#
+# [*http_request_max_retries*]
+# (Optional) How many times are we trying to reconnect when communicating
+# with Identity API Server. Integer value
+# Defaults to $::os_service_default.
+#
+# [*include_service_catalog*]
+# (Optional) Indicate whether to set the X-Service-Catalog header. If False,
+# middleware will not ask for service catalog on token validation and will
+# not set the X-Service-Catalog header. Boolean value.
+# Defaults to $::os_service_default.
+#
+# [*keyfile*]
+# (Optional) Required if identity server requires client certificate
+# Defaults to $::os_service_default.
+#
+# [*memcache_pool_conn_get_timeout*]
+# (Optional) Number of seconds that an operation will wait to get a memcached
+# client connection from the pool. Integer value
+# Defaults to $::os_service_default.
+#
+# [*memcache_pool_dead_retry*]
+# (Optional) Number of seconds memcached server is considered dead before it
+# is tried again. Integer value
+# Defaults to $::os_service_default.
+#
+# [*memcache_pool_maxsize*]
+# (Optional) Maximum total number of open connections to every memcached
+# server. Integer value
+# Defaults to $::os_service_default.
+#
+# [*memcache_pool_socket_timeout*]
+# (Optional) Number of seconds a connection to memcached is held unused in
+# the pool before it is closed. Integer value
+# Defaults to $::os_service_default.
+#
+# [*memcache_pool_unused_timeout*]
+# (Optional) Number of seconds a connection to memcached is held unused in
+# the pool before it is closed. Integer value
+# Defaults to $::os_service_default.
+#
+# [*memcache_secret_key*]
+# (Optional, mandatory if memcache_security_strategy is defined) This string
+# is used for key derivation.
+# Defaults to $::os_service_default.
+#
+# [*memcache_security_strategy*]
+# (Optional) If defined, indicate whether token data should be authenticated
+# or authenticated and encrypted. If MAC, token data is authenticated (with
+# HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the
+# cache. If the value is not one of these options or empty, auth_token will
+# raise an exception on initialization.
+# Defaults to $::os_service_default.
+#
+# [*memcache_use_advanced_pool*]
+# (Optional) Use the advanced (eventlet safe) memcached client pool. The
+# advanced pool will only work under python 2.x Boolean value
+# Defaults to $::os_service_default.
+#
+# [*memcached_servers*]
+# (Optional) Optionally specify a list of memcached server(s) to use for
+# caching. If left undefined, tokens will instead be cached in-process.
+# Defaults to $::os_service_default.
+#
+# [*manage_memcache_package*]
+# (Optional) Whether to install the python-memcache package.
+# Defaults to false.
+#
+# [*region_name*]
+# (Optional) The region in which the identity server can be found.
+# Defaults to $::os_service_default.
+#
+# [*token_cache_time*]
+# (Optional) In order to prevent excessive effort spent validating tokens,
+# the middleware caches previously-seen tokens for a configurable duration
+# (in seconds). Set to -1 to disable caching completely. Integer value
+# Defaults to $::os_service_default.
+#
+# [*service_token_roles*]
+# (Optional) A choice of roles that must be present in a service token.
+# Service tokens are allowed to request that an expired token
+# can be used and so this check should tightly control that
+# only actual services should be sending this token. Roles
+# here are applied as an ANY check so any role in this list
+# must be present. For backwards compatibility reasons this
+# currently only affects the allow_expired check. (list value)
+# Defaults to $::os_service_default.
+#
+# [*service_token_roles_required*]
+# (optional) backwards compatibility to ensure that the service tokens are
+# compared against a list of possible roles for validity
+# true/false
+# Defaults to $::os_service_default.
+#
+# [*service_type*]
+# (Optional) The name or type of the service as it appears in the service
+# catalog. This is used to validate tokens that have restricted access rules.
+# Defaults to $::os_service_default.
+#
+# [*interface*]
+# (Optional) Interface to use for the Identity API endpoint. Valid values are
+# "public", "internal" or "admin".
+# Defaults to $::os_service_default.
+#
+class murano::keystone::authtoken(
+ $password = $::os_service_default,
+ $username = 'murano',
+ $auth_url = 'http://localhost:5000',
+ $project_name = 'services',
+ $user_domain_name = 'Default',
+ $project_domain_name = 'Default',
+ $insecure = $::os_service_default,
+ $auth_section = $::os_service_default,
+ $auth_type = 'password',
+ $www_authenticate_uri = 'http://localhost:5000',
+ $auth_version = $::os_service_default,
+ $cache = $::os_service_default,
+ $cafile = $::os_service_default,
+ $certfile = $::os_service_default,
+ $delay_auth_decision = $::os_service_default,
+ $enforce_token_bind = $::os_service_default,
+ $http_connect_timeout = $::os_service_default,
+ $http_request_max_retries = $::os_service_default,
+ $include_service_catalog = $::os_service_default,
+ $keyfile = $::os_service_default,
+ $memcache_pool_conn_get_timeout = $::os_service_default,
+ $memcache_pool_dead_retry = $::os_service_default,
+ $memcache_pool_maxsize = $::os_service_default,
+ $memcache_pool_socket_timeout = $::os_service_default,
+ $memcache_pool_unused_timeout = $::os_service_default,
+ $memcache_secret_key = $::os_service_default,
+ $memcache_security_strategy = $::os_service_default,
+ $memcache_use_advanced_pool = $::os_service_default,
+ $memcached_servers = $::os_service_default,
+ $manage_memcache_package = false,
+ $region_name = $::os_service_default,
+ $token_cache_time = $::os_service_default,
+ $service_token_roles = $::os_service_default,
+ $service_token_roles_required = $::os_service_default,
+ $service_type = $::os_service_default,
+ $interface = $::os_service_default,
+) {
+
+ include murano::deps
+
+ $www_authenticate_uri_real = pick($::murano::www_authenticate_uri, $www_authenticate_uri)
+ $auth_url_real = pick($::murano::identity_uri, $auth_url)
+ $username_real = pick($::murano::admin_user, $username)
+ $password_real = pick($::murano::admin_password, $password)
+ $project_name_real = pick($::murano::admin_tenant_name, $project_name)
+ $user_domain_name_real = pick($::murano::user_domain_name, $user_domain_name)
+ $project_domain_name_real = pick($::murano::project_domain_name, $project_domain_name)
+ $memcached_servers_real = pick($::murano::memcached_servers, $memcached_servers)
+
+ if is_service_default($password_real) {
+ fail('The password parameter should be set')
+ }
+
+ keystone::resource::authtoken { 'murano_config':
+ username => $username_real,
+ password => $password_real,
+ project_name => $project_name_real,
+ auth_url => $auth_url_real,
+ www_authenticate_uri => $www_authenticate_uri_real,
+ auth_version => $auth_version,
+ auth_type => $auth_type,
+ auth_section => $auth_section,
+ user_domain_name => $user_domain_name_real,
+ project_domain_name => $project_domain_name_real,
+ insecure => $insecure,
+ cache => $cache,
+ cafile => $cafile,
+ certfile => $certfile,
+ delay_auth_decision => $delay_auth_decision,
+ enforce_token_bind => $enforce_token_bind,
+ http_connect_timeout => $http_connect_timeout,
+ http_request_max_retries => $http_request_max_retries,
+ include_service_catalog => $include_service_catalog,
+ keyfile => $keyfile,
+ memcache_pool_conn_get_timeout => $memcache_pool_conn_get_timeout,
+ memcache_pool_dead_retry => $memcache_pool_dead_retry,
+ memcache_pool_maxsize => $memcache_pool_maxsize,
+ memcache_pool_socket_timeout => $memcache_pool_socket_timeout,
+ memcache_secret_key => $memcache_secret_key,
+ memcache_security_strategy => $memcache_security_strategy,
+ memcache_use_advanced_pool => $memcache_use_advanced_pool,
+ memcache_pool_unused_timeout => $memcache_pool_unused_timeout,
+ memcached_servers => $memcached_servers_real,
+ manage_memcache_package => $manage_memcache_package,
+ region_name => $region_name,
+ token_cache_time => $token_cache_time,
+ service_token_roles => $service_token_roles,
+ service_token_roles_required => $service_token_roles_required,
+ service_type => $service_type,
+ interface => $interface,
+ }
+}
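Review bot: The eight `pick($::murano::…, …)` fallbacks read parameters of class `murano` without anything in this class ordering it after `murano`; as far as I recall Puppet's semantics, when `murano::keystone::authtoken` is evaluated first (or `murano` is never declared) those lookups warn that the class has not been evaluated and yield undef, and with `strict_variables` enabled the compile fails outright. The only path that guarantees the order is the `include` that `murano` itself performs when a deprecated parameter is set, so a user who declares this class directly and `murano` afterwards silently gets the defaults instead of the legacy values. I would document that above the first `pick`, e.g. `# Legacy values from the deprecated murano::* parameters win, but are only visible when class murano has already been evaluated.`, and mention the ordering requirement in the `password` entry of the header. Note that only the password is validated with `is_service_default`; the other `_real` values are passed through unchecked, which matches the previous resource but is worth stating.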
diff --git a/releasenotes/notes/authtoken-opts-62d2537d52e7c14a.yaml b/releasenotes/notes/authtoken-opts-62d2537d52e7c14a.yaml
new file mode 100644
index 0000000..10ca1f6
--- /dev/null
+++ b/releasenotes/notes/authtoken-opts-62d2537d52e7c14a.yaml
@@ -0,0 +1,19 @@
+---
+features:
+ - |
+ The new ``murano::keystone::authtoken`` class has been added.
+
+deprecations:
+ - |
+ The following parameters of the ``murano`` class have been deprecated and
+ will be removed in a future release. The ``murano::keystone::authtoken``
+ should be used instead.
+
+ - ``www_authenticate_uri``
+ - ``identity_uri``
+ - ``admin_user``
+ - ``admin_password``
+ - ``admin_tenant_name``
+ - ``user_domain_name``
+ - ``project_domain_name``
+ - ``memcached_servers``
diff --git a/spec/classes/murano_init_spec.rb b/spec/classes/murano_init_spec.rb
index c129c78..1a1cb4f 100644
--- a/spec/classes/murano_init_spec.rb
+++ b/spec/classes/murano_init_spec.rb
@@ -8,7 +8,6 @@ describe 'murano' do
 shared_examples_for 'murano' do
 let :params do
 {
- :admin_password => 'secrete',
 :purge_config => false,
 }
 end
@@ -63,14 +62,6 @@ describe 'murano' do
 it { is_expected.to contain_murano_config('networking/create_router').with_value(true) }
 it { is_expected.to contain_murano_config('networking/external_network').with_value('public') }
- it { is_expected.to contain_murano_config('keystone_authtoken/www_authenticate_uri').with_value('http://127.0.0.1:5000/v3') }
- it { is_expected.to contain_murano_config('keystone_authtoken/username').with_value('murano') }
- it { is_expected.to contain_murano_config('keystone_authtoken/project_name').with_value('services') }
- it { is_expected.to contain_murano_config('keystone_authtoken/password').with_value('secrete') }
- it { is_expected.not_to contain_murano_config('keystone_authtoken/auth_url').with_value('http://10.255.0.1:5000/') }
- it { is_expected.to contain_murano_config('keystone_authtoken/user_domain_name').with_value('Default') }
- it { is_expected.to contain_murano_config('keystone_authtoken/project_domain_name').with_value('Default') }
- it { is_expected.to contain_murano_config('keystone_authtoken/memcached_servers').with_value('') }
 it { is_expected.to contain_murano_config('engine/packages_service').with_value('') }
 it { is_expected.to contain_exec('murano-dbmanage') }
@@ -79,7 +70,6 @@ describe 'murano' do
 context 'with parameters override' do
 let :params do
 {
- :admin_password => 'secrete',
 :package_ensure => 'latest',
 :notification_transport_url => 'rabbit://user:pass@host:1234/virt',
 :notification_topics => 'openstack',
@@ -110,16 +100,9 @@ describe 'murano' do
 :default_nameservers => '["8.8.8.8"]',
 :use_trusts => true,
 :sync_db => false,
- :admin_user => 'muranoy',
- :admin_tenant_name => 'secrete',
- :www_authenticate_uri => 'http://10.255.0.1:5000/v3/',
- :identity_uri => 'http://10.255.0.1:5000/',
- :user_domain_name => 'new_domain',
- :project_domain_name => 'new_domain',
 :kombu_reconnect_delay => '1.0',
 :kombu_failover_strategy => 'round-robin',
 :kombu_compression => 'gzip',
- :memcached_servers => '1.1.1.1:11211',
 }
 end
@@ -161,15 +144,6 @@ describe 'murano' do
 it { is_expected.to contain_murano_config('rabbitmq/virtual_host').with_value('murano_vhost') }
 it { is_expected.to contain_murano_config('rabbitmq/ssl').with_value(true) }
- it { is_expected.to contain_murano_config('keystone_authtoken/www_authenticate_uri').with_value('http://10.255.0.1:5000/v3/') }
- it { is_expected.to contain_murano_config('keystone_authtoken/username').with_value('muranoy') }
- it { is_expected.to contain_murano_config('keystone_authtoken/project_name').with_value('secrete') }
- it { is_expected.to contain_murano_config('keystone_authtoken/auth_url').with_value('http://10.255.0.1:5000/') }
- it { is_expected.to contain_murano_config('keystone_authtoken/password').with_value('secrete') }
- it { is_expected.to contain_murano_config('keystone_authtoken/memcached_servers').with_value('1.1.1.1:11211') }
- it { is_expected.to contain_murano_config('keystone_authtoken/user_domain_name').with_value('new_domain') }
- it { is_expected.to contain_murano_config('keystone_authtoken/project_domain_name').with_value('new_domain') }
-
 it { is_expected.to contain_murano_config('networking/external_network').with_value('murano-net') }
 it { is_expected.to contain_murano_config('networking/router_name').with_value('murano-router') }
 it { is_expected.to contain_murano_config('networking/create_router').with_value(true) }
diff --git a/spec/classes/murano_keystone_authtoken_spec.rb b/spec/classes/murano_keystone_authtoken_spec.rb
new file mode 100644
index 0000000..b4c8257
--- /dev/null
+++ b/spec/classes/murano_keystone_authtoken_spec.rb
@@ -0,0 +1,152 @@
+require 'spec_helper'
+
+describe 'murano::keystone::authtoken' do
+
+ let :params do
+ { :password => 'murano_password', }
+ end
+
+ shared_examples 'murano::keystone::authtoken' do
+
+ context 'with default parameters' do
+
+ it 'configure keystone_authtoken' do
+ is_expected.to contain_keystone__resource__authtoken('murano_config').with(
+ :username => 'murano',
+ :password => 'murano_password',
+ :auth_url => 'http://localhost:5000',
+ :project_name => 'services',
+ :user_domain_name => 'Default',
+ :project_domain_name => 'Default',
+ :insecure => '',
+ :auth_section => '',
+ :auth_type => 'password',
+ :www_authenticate_uri => 'http://localhost:5000',
+ :auth_version => '',
+ :cache => '',
+ :cafile => '',
+ :certfile => '',
+ :delay_auth_decision => '',
+ :enforce_token_bind => '',
+ :http_connect_timeout => '',
+ :http_request_max_retries => '',
+ :include_service_catalog => '',
+ :keyfile => '',
+ :memcache_pool_conn_get_timeout => '',
+ :memcache_pool_dead_retry => '',
+ :memcache_pool_maxsize => '',
+ :memcache_pool_socket_timeout => '',
+ :memcache_pool_unused_timeout => '',
+ :memcache_secret_key => '',
+ :memcache_security_strategy => '',
+ :memcache_use_advanced_pool => '',
+ :memcached_servers => '',
+ :manage_memcache_package => false,
+ :region_name => '',
+ :token_cache_time => '',
+ :service_token_roles => '',
+ :service_token_roles_required => '',
+ :service_type => '',
+ :interface => '',
+ )
+ end
+ end
+
+ context 'when overriding parameters' do
+ before do
+ params.merge!({
+ :www_authenticate_uri => 'https://10.0.0.1:9999/',
+ :username => 'myuser',
+ :password => 'mypasswd',
+ :auth_url => 'http://127.0.0.1:5000',
+ :project_name => 'service_project',
+ :user_domain_name => 'domainX',
+ :project_domain_name => 'domainX',
+ :insecure => false,
+ :auth_section => 'new_section',
+ :auth_type => 'password',
+ :auth_version => 'v3',
+ :cache => 'somevalue',
+ :cafile => '/opt/stack/data/cafile.pem',
+ :certfile => 'certfile.crt',
+ :delay_auth_decision => false,
+ :enforce_token_bind => 'permissive',
+ :http_connect_timeout => '300',
+ :http_request_max_retries => '3',
+ :include_service_catalog => true,
+ :keyfile => 'keyfile',
+ :memcache_pool_conn_get_timeout => '9',
+ :memcache_pool_dead_retry => '302',
+ :memcache_pool_maxsize => '11',
+ :memcache_pool_socket_timeout => '2',
+ :memcache_pool_unused_timeout => '61',
+ :memcache_secret_key => 'secret_key',
+ :memcache_security_strategy => 'ENCRYPT',
+ :memcache_use_advanced_pool => true,
+ :memcached_servers => ['memcached01:11211','memcached02:11211'],
+ :manage_memcache_package => true,
+ :region_name => 'region2',
+ :token_cache_time => '301',
+ :service_token_roles => ['service'],
+ :service_token_roles_required => false,
+ :service_type => 'identity',
+ :interface => 'internal',
+ })
+ end
+
+ it 'configure keystone_authtoken' do
+ is_expected.to contain_keystone__resource__authtoken('murano_config').with(
+ :www_authenticate_uri => 'https://10.0.0.1:9999/',
+ :username => 'myuser',
+ :password => 'mypasswd',
+ :auth_url => 'http://127.0.0.1:5000',
+ :project_name => 'service_project',
+ :user_domain_name => 'domainX',
+ :project_domain_name => 'domainX',
+ :insecure => false,
+ :auth_section => 'new_section',
+ :auth_type => 'password',
+ :auth_version => 'v3',
+ :cache => 'somevalue',
+ :cafile => '/opt/stack/data/cafile.pem',
+ :certfile => 'certfile.crt',
+ :delay_auth_decision => false,
+ :enforce_token_bind => 'permissive',
+ :http_connect_timeout => '300',
+ :http_request_max_retries => '3',
+ :include_service_catalog => true,
+ :keyfile => 'keyfile',
+ :memcache_pool_conn_get_timeout => '9',
+ :memcache_pool_dead_retry => '302',
+ :memcache_pool_maxsize => '11',
+ :memcache_pool_socket_timeout => '2',
+ :memcache_pool_unused_timeout => '61',
+ :memcache_secret_key => 'secret_key',
+ :memcache_security_strategy => 'ENCRYPT',
+ :memcache_use_advanced_pool => true,
+ :memcached_servers => ['memcached01:11211','memcached02:11211'],
+ :manage_memcache_package => true,
+ :region_name => 'region2',
+ :token_cache_time => '301',
+ :service_token_roles => ['service'],
+ :service_token_roles_required => false,
+ :service_type => 'identity',
+ :interface => 'internal',
+ )
+ end
+ end
+ end
+
+ on_supported_os({
+ :supported_os => OSDefaults.get_supported_os
+ }).each do |os,facts|
+ context "on #{os}" do
+ let (:facts) do
+ facts.merge!(OSDefaults.get_facts())
+ end
+
+ it_configures 'murano::keystone::authtoken'
+ end
+ end
+
+end
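Review bot: Neither context exercises the `fail('The password parameter should be set')` branch of the new class, nor the fallback to the deprecated `murano` parameters through `pick()`, so the class's only guard and its compatibility path both ship untested. Since the top-level `let :params` always supplies a password and the override context only merges into it, a context inside the shared example group needs its own `let :params` with an empty hash and an expectation that compilation fails on that message; a constructed version is below. A second context that pre-declares `class { 'murano': admin_user => 'legacy' }` and expects `:username => 'legacy'` in the `keystone__resource__authtoken` resource would cover the `pick()` path in the same way. I would also drop the duplicated `:auth_type => 'password'` from the override hash, as it repeats the default and so proves nothing.
```ruby
    context 'without a password' do
      let :params do
        {}
      end

      it { is_expected.to raise_error(Puppet::Error, /The password parameter should be set/) }
    end
```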