Use common auth parameters for novajoin auth

- Deprecate service_username and service_password so that we can use more simple parameter names like username. - Deprecate user_domain_id because we use user_domain_name generally. - Change the defaut value of project_domain_name because Default instead of default is now used generally for default domain name. Change-Id: I69565d6888d778a109b0e39108d660a871a8202d
2020-04-18 23:24:03 +09:00
parent ad25ec1ab9
commit 78fca7cade
3 changed files with 113 additions and 42 deletions
--- a/manifests/metadata/novajoin/api.pp
+++ b/manifests/metadata/novajoin/api.pp
@@ -5,7 +5,7 @@
 #
 # === Parameters
 #
-# [*service_password*]
+# [*password*]
 #   (required) Password for the novajoin service user.
 #
 # [*transport_url*]
@@ -76,22 +76,22 @@
 #   (optional) If Puppet should manage service startup / shutdown.
 #   Defaults to true.
 #
-# [*service_user*]
+# [*user_domain_name*]
 #   (optional) Domain name for novajoin user.
 #   Defaults to 'Default'
 #
 # [*username*]
 #   (optional) User that the novajoin services run as.
 #   Defaults to 'novajoin'
 #
 # [*project_domain_name*]
 #   (optional) Domain name containing project (for novajoin auth).
-#   Defaults to 'default'
+#   Defaults to 'Default'
 #
 # [*project_name*]
 #   (optional) Project name (for novajoin auth).
 #   Defaults to 'services'
 #
 # [*user_domain_id*]
 #   (optional) Domain for novajoin user.
 #   Defaults to 'default'
 #
 # [*configure_kerberos*]
 #   (optional) Whether or not to create a kerberos configuration file.
 #   Defaults to false
@@ -101,6 +101,20 @@
 #   take the domain and upcase it.
 #   Defaults to undef
 #
 # DEPRECATED PARAMETERS
 #
 # [*service_password*]
 #   (optional) Password for the novajoin service user.
 #   Defaults to undef
 #
 # [*service_user*]
 #   (optional) User that the novajoin services run as.
 #   Defaults to undef
 #
 # [*user_domain_id*]
 #   (optional) Domain for novajoin user.
 #   Defaults to undef
 #
 class nova::metadata::novajoin::api (
  $transport_url,
  $bind_address              = '127.0.0.1',
@@ -119,24 +133,44 @@ class nova::metadata::novajoin::api (
  $keytab                    = '/etc/novajoin/krb5.keytab',
  $log_dir                   = '/var/log/novajoin',
  $manage_service            = true,
-  $service_password          = undef,
+  $password                  = undef,
-  $service_user              = 'novajoin',
+  $user_domain_name          = 'Default',
-  $project_domain_name       = 'default',
+  $username                  = 'novajoin',
  $project_domain_name       = 'Default',
  $project_name              = 'services',
  $user_domain_id            = 'default',
  $configure_kerberos        = false,
  $ipa_realm                 = undef,
  # DEPRECATED PARAMETERS
  $service_password          = undef,
  $service_user              = undef,
  $user_domain_id            = undef,
 ) {
  include nova::params
  include nova::metadata::novajoin::authtoken
  include nova::metadata::novajoin::policy
-  if ! $service_user {
+  if $service_user != undef {
-    fail('service_user is missing')
+    warning('nova::metadata::novajoin::api::service_user is deprecated. \
 Use username parameter instead')
    $username_real = $service_user
  } else {
    $username_real = $username
  }
-  if ! $service_password {
+  if $service_password != undef {
-    fail('service_password is missing')
+    warning('nova::metadata::novajoin::api::service_password is deprecated. \
 Use password parameter instead')
    $password_real = $service_password
  } else {
    $password_real = $password
  }
  if ! $username_real {
    fail('username is missing')
  }
  if ! $password_real {
    fail('password is missing')
  }
  if $nova::params::novajoin_package_name == undef {
@@ -162,8 +196,8 @@ class nova::metadata::novajoin::api (
  file { '/var/log/novajoin':
    ensure  => directory,
-    owner   => $service_user,
+    owner   => $username_real,
-    group   => $service_user,
+    group   => $username_real,
    recurse => true,
  }
@@ -185,8 +219,8 @@ class nova::metadata::novajoin::api (
    file { '/etc/novajoin/krb5.conf':
      content => template('nova/krb5.conf.erb'),
-      owner   => $service_user,
+      owner   => $username_real,
-      group   => $service_user,
+      group   => $username_real,
    }
  }
@@ -203,14 +237,25 @@ class nova::metadata::novajoin::api (
    'DEFAULT/transport_url':                   value => $transport_url;
    'service_credentials/auth_type':           value => $auth_type;
    'service_credentials/auth_url':            value => $keystone_auth_url;
-    'service_credentials/password':            value => $service_password;
+    'service_credentials/password':            value => $password_real;
-    'service_credentials/username':            value => $service_user;
+    'service_credentials/username':            value => $username_real;
    'service_credentials/project_name':        value => $project_name;
    'service_credentials/user_domain_id':      value => $user_domain_id;
    'service_credentials/project_domain_name':
      value => $project_domain_name;
  }
  if $user_domain_id != undef {
    warning('nova::metadata::novajoin::api::user_domain_id is deprecated. \
 Use user_domain_name instead')
    novajoin_config {
      'service_credentials/user_domain_id': value => $user_domain_id;
    }
  } else {
    novajoin_config {
      'service_credentials/user_domain_name': value => $user_domain_name;
    }
  }
  if $manage_service {
    if $enabled {
      $service_ensure = 'running'
@@ -243,7 +288,7 @@ class nova::metadata::novajoin::api (
    creates => $keytab,
  }
-  ensure_resource('file', $keytab, { owner => $service_user, require => Exec['get-service-user-keytab'] })
+  ensure_resource('file', $keytab, { owner => $username_real, require => Exec['get-service-user-keytab'] })
  Package<| tag == 'novajoin-package' |> -> Exec['get-service-user-keytab']
  Novajoin_config<||> ~> Service<| title == 'novajoin-server'|>
--- a/releasenotes/notes/novajoin-common-auth-parameters-1d77e8a770041548.yaml
+++ b/releasenotes/notes/novajoin-common-auth-parameters-1d77e8a770041548.yaml
@@ -0,0 +1,14 @@
 ---
 features:
  - |
    service_username and service_password in nova::metadata::novajoin::api are
    now deprecated and will be removed in a future release. Use username and
    password instead.
  - |
    The nova::metadata::novajoin::user_domain_id parameter is deprecated now.
    Use user_domain_name instead.
 upgrade:
  - |
    The default value for nova::metadata::novajoin::project_domain_name is now
    ``Default`` instead of ``default`` to be consistent with general domain
    setup in OpenStack.
--- a/spec/classes/nova_metadata_novajoin_api_spec.rb
+++ b/spec/classes/nova_metadata_novajoin_api_spec.rb
@@ -17,13 +17,13 @@ describe 'nova::metadata::novajoin::api' do
      :keytab                    => '/etc/novajoin/krb5.keytab',
      :log_dir                   => '/var/log/novajoin',
      :manage_service            => true,
-      :service_user              => 'novajoin',
+      :username                  => 'novajoin',
-      :project_domain_name       => 'default',
+      :project_domain_name       => 'Default',
      :project_name              => 'services',
-      :user_domain_id            => 'default',
+      :user_domain_name          => 'Default',
      :ipa_domain                => 'EXAMPLE.COM',
      :keystone_auth_url         => 'https://keystone.example.com:5000',
-      :service_password          => 'my_secret_password',
+      :password                  => 'my_secret_password',
      :transport_url             => 'rabbit:rabbit_pass@rabbit_host',
    }
  end
@@ -52,13 +52,13 @@ describe 'nova::metadata::novajoin::api' do
       :keytab                    => '/etc/krb5.conf',
       :log_dir                   => '/var/log/novajoin',
       :manage_service            => true,
-       :service_user              => 'novajoin1',
+       :username                  => 'novajoin1',
-       :project_domain_name       => 'default',
+       :project_domain_name       => 'Default',
       :project_name              => 'services',
-       :user_domain_id            => 'default',
+       :user_domain_name          => 'Default',
       :ipa_domain                => 'EXAMPLE2.COM',
       :keystone_auth_url         => 'https://keystone2.example.com:5000',
-       :service_password          => 'my_secret_password2',
+       :password                  => 'my_secret_password2',
       :transport_url             => 'rabbit:rabbit_pass2@rabbit_host',
     }
    ].each do |param_set|
@@ -106,11 +106,12 @@ describe 'nova::metadata::novajoin::api' do
        it {
          should contain_novajoin_config('service_credentials/auth_type').with_value(param_hash[:auth_type])
          should contain_novajoin_config('service_credentials/auth_url').with_value(param_hash[:keystone_auth_url])
-          should contain_novajoin_config('service_credentials/password').with_value(param_hash[:service_password])
+          should contain_novajoin_config('service_credentials/password').with_value(param_hash[:password])
          should contain_novajoin_config('service_credentials/project_name').with_value(param_hash[:project_name])
-          should contain_novajoin_config('service_credentials/user_domain_id').with_value(param_hash[:user_domain_id])
+          should_not contain_novajoin_config('service_credentials/user_domain_id')
          should contain_novajoin_config('service_credentials/user_domain_name').with_value(param_hash[:user_domain_name])
          should contain_novajoin_config('service_credentials/project_domain_name').with_value(param_hash[:project_domain_name])
-          should contain_novajoin_config('service_credentials/username').with_value(param_hash[:service_user])
+          should contain_novajoin_config('service_credentials/username').with_value(param_hash[:username])
        }
        it {
@@ -129,26 +130,37 @@ describe 'nova::metadata::novajoin::api' do
        it { should contain_file("/var/log/novajoin").with(
          'ensure'  => 'directory',
-          'owner'   => "#{param_hash[:service_user]}",
+          'owner'   => "#{param_hash[:username]}",
-          'group'   => "#{param_hash[:service_user]}",
+          'group'   => "#{param_hash[:username]}",
          'recurse' => true
        )}
        it { should contain_file("#{param_hash[:keytab]}").with(
-          'owner'   => "#{param_hash[:service_user]}",
+          'owner'   => "#{param_hash[:username]}",
          'require' => 'Exec[get-service-user-keytab]',
        )}
      end
    end
    context 'with deprecated user_domain_id' do
      let :params do
        default_params.merge({ :user_domain_id => 'default' })
      end
      it {
          should contain_novajoin_config('service_credentials/user_domain_id').with_value('default')
          should_not contain_novajoin_config('service_credentials/user_domain_name')
      }
    end
    context 'with disabled service managing' do
      let :params do
        {
-          :manage_service    => false,
+          :manage_service => false,
-          :enabled           => false,
+          :enabled        => false,
-          :ipa_domain        => 'EXAMPLE.COM',
+          :ipa_domain     => 'EXAMPLE.COM',
-          :service_password  => 'my_secret_password',
+          :password       => 'my_secret_password',
-          :transport_url     => 'rabbit:rabbit_pass@rabbit_host',
+          :transport_url  => 'rabbit:rabbit_pass@rabbit_host',
        }
      end