Keystoneification

manifests/api.pp

@@ -17,5 +17,11 @@ class nova::api(
     enabled      => $enabled,
     package_name => $::nova::params::api_package_name,
     service_name => $::nova::params::api_service_name,
+    require      => File["/etc/nova/api-paste.ini"],
+  }
+
+  file { "/etc/nova/api-paste.ini":
+    content => template("nova/api-paste.ini.erb"),
+    require => Class[nova]
   }
 }

manifests/init.pp

@@ -25,7 +25,15 @@ class nova(
   $nodaemon = false,
   $periodic_interval = '60',
   $report_interval = '10',
-  $root_helper = $::nova::params::root_helper
+  $root_helper = $::nova::params::root_helper,
+  $auth_strategy = "keystone",
+  $auth_host = '127.0.0.1',
+  $auth_port = 35357,
+  $auth_protocol = 'http',
+  $auth_uri = 'http://127.0.0.1:5000/v2.0',
+  $admin_tenant_name = 'services',
+  $admin_user = 'nova',
+  $admin_password = 'passw0rd',
 ) inherits nova::params {
 
   # all nova_config resources should be applied
@@ -135,6 +143,7 @@ class nova(
     'network_manager': value => $network_manager;
     'use_deprecated_auth': value => true;
     'root_helper': value => $root_helper;
+    'auth_strategy': value => $auth_strategy;
   }
 
   exec { 'post-nova_config':

templates/api-paste.ini.erb

@@ -0,0 +1,155 @@
+############
+# Metadata #
+############
+[composite:metadata]
+use = egg:Paste#urlmap
+/: metaversions
+/latest: meta
+/1.0: meta
+/2007-01-19: meta
+/2007-03-01: meta
+/2007-08-29: meta
+/2007-10-10: meta
+/2007-12-15: meta
+/2008-02-01: meta
+/2008-09-01: meta
+/2009-04-04: meta
+
+[pipeline:metaversions]
+pipeline = ec2faultwrap logrequest metaverapp
+
+[pipeline:meta]
+pipeline = ec2faultwrap logrequest metaapp
+
+[app:metaverapp]
+paste.app_factory = nova.api.metadata.handler:Versions.factory
+
+[app:metaapp]
+paste.app_factory = nova.api.metadata.handler:MetadataRequestHandler.factory
+
+#######
+# EC2 #
+#######
+
+[composite:ec2]
+use = egg:Paste#urlmap
+/services/Cloud: ec2cloud
+
+[composite:ec2cloud]
+use = call:nova.api.auth:pipeline_factory
+noauth = ec2faultwrap logrequest ec2noauth cloudrequest validator ec2executor
+deprecated = ec2faultwrap logrequest authenticate cloudrequest validator ec2executor
+keystone = ec2faultwrap logrequest ec2keystoneauth cloudrequest validator ec2executor
+
+[filter:ec2faultwrap]
+paste.filter_factory = nova.api.ec2:FaultWrapper.factory
+
+[filter:logrequest]
+paste.filter_factory = nova.api.ec2:RequestLogging.factory
+
+[filter:ec2lockout]
+paste.filter_factory = nova.api.ec2:Lockout.factory
+
+[filter:totoken]
+paste.filter_factory = nova.api.ec2:EC2Token.factory
+
+[filter:ec2keystoneauth]
+paste.filter_factory = nova.api.ec2:EC2KeystoneAuth.factory
+
+[filter:ec2noauth]
+paste.filter_factory = nova.api.ec2:NoAuth.factory
+
+[filter:authenticate]
+paste.filter_factory = nova.api.ec2:Authenticate.factory
+
+[filter:cloudrequest]
+controller = nova.api.ec2.cloud.CloudController
+paste.filter_factory = nova.api.ec2:Requestify.factory
+
+[filter:authorizer]
+paste.filter_factory = nova.api.ec2:Authorizer.factory
+
+[filter:validator]
+paste.filter_factory = nova.api.ec2:Validator.factory
+
+[app:ec2executor]
+paste.app_factory = nova.api.ec2:Executor.factory
+
+#############
+# Openstack #
+#############
+
+[composite:osapi_compute]
+use = call:nova.api.openstack.urlmap:urlmap_factory
+/: oscomputeversions
+/v1.1: openstack_compute_api_v2
+/v2: openstack_compute_api_v2
+
+[composite:osapi_volume]
+use = call:nova.api.openstack.urlmap:urlmap_factory
+/: osvolumeversions
+/v1: openstack_volume_api_v1
+
+[composite:openstack_compute_api_v2]
+use = call:nova.api.auth:pipeline_factory
+noauth = faultwrap noauth ratelimit osapi_compute_app_v2
+deprecated = faultwrap auth ratelimit osapi_compute_app_v2
+keystone = faultwrap authtoken keystonecontext ratelimit osapi_compute_app_v2
+keystone_nolimit = faultwrap authtoken keystonecontext osapi_compute_app_v2
+
+[composite:openstack_volume_api_v1]
+use = call:nova.api.auth:pipeline_factory
+noauth = faultwrap noauth ratelimit osapi_volume_app_v1
+deprecated = faultwrap auth ratelimit osapi_volume_app_v1
+keystone = faultwrap authtoken keystonecontext ratelimit osapi_volume_app_v1
+keystone_nolimit = faultwrap authtoken keystonecontext osapi_volume_app_v1
+
+[filter:faultwrap]
+paste.filter_factory = nova.api.openstack:FaultWrapper.factory
+
+[filter:auth]
+paste.filter_factory = nova.api.openstack.auth:AuthMiddleware.factory
+
+[filter:noauth]
+paste.filter_factory = nova.api.openstack.auth:NoAuthMiddleware.factory
+
+[filter:ratelimit]
+paste.filter_factory = nova.api.openstack.compute.limits:RateLimitingMiddleware.factory
+
+[app:osapi_compute_app_v2]
+paste.app_factory = nova.api.openstack.compute:APIRouter.factory
+
+[pipeline:oscomputeversions]
+pipeline = faultwrap oscomputeversionapp
+
+[app:osapi_volume_app_v1]
+paste.app_factory = nova.api.openstack.volume:APIRouter.factory
+
+[app:oscomputeversionapp]
+paste.app_factory = nova.api.openstack.compute.versions:Versions.factory
+
+[pipeline:osvolumeversions]
+pipeline = faultwrap osvolumeversionapp
+
+[app:osvolumeversionapp]
+paste.app_factory = nova.api.openstack.volume.versions:Versions.factory
+
+##########
+# Shared #
+##########
+
+[filter:keystonecontext]
+paste.filter_factory = nova.api.auth:NovaKeystoneContext.factory
+
+[filter:authtoken]
+paste.filter_factory = keystone.middleware.auth_token:filter_factory
+service_protocol = http
+service_host = 127.0.0.1
+service_port = 5000
+auth_host = <%= scope.lookupvar('nova::auth_host') %>
+auth_port = <%= scope.lookupvar('nova::auth_port') %>
+auth_protocol = <%= scope.lookupvar('nova::auth_protocol') %>
+auth_uri = <%= scope.lookupvar('nova::auth_uri') %>
+admin_tenant_name = <%= scope.lookupvar('nova::admin_tenant_name') %>
+admin_user = <%= scope.lookupvar('nova::admin_user') %>
+admin_password = <%= scope.lookupvar('nova::admin_password') %>