Add auth/authtoken manifests for novajoin

novajoin has usually just used the nova user for running and even file permissions; however, as nova now supports passing the keystone token for the vendordata plugin, and as novajoin should support being run in a node (or container) where nova is not available, it makes sense to start having an own user for this vendordata plugin service. Thus, this commit adds that. Change-Id: I190a84a5aaf1fcc301f0605931b24d5de6999a8b
2017-03-21 09:45:59 +02:00 · 2017-03-21 09:45:59 +02:00 · bb6c415893
parent c4470d686e
commit bb6c415893
7 changed files with 704 additions and 3 deletions
--- a/manifests/metadata/novajoin/api.pp
+++ b/manifests/metadata/novajoin/api.pp
@ -116,6 +116,7 @@ class nova::metadata::novajoin::api (
  $project_name              = 'service',
  $user_domain_id            = 'default',
 ) {
+  include ::nova::metadata::novajoin::authtoken

  case $::osfamily {
    'RedHat': {
--- a/manifests/metadata/novajoin/auth.pp
+++ b/manifests/metadata/novajoin/auth.pp
@ -0,0 +1,96 @@
+# == Class: nova::metadata::novajoin::auth
+#
+# Creates nova endpoints and service account in keystone
+#
+# === Parameters:
+#
+# [*password*]
+#   Password to create for the service user
+#
+# [*auth_name*]
+#   (optional) The name of the novajoin service user
+#   Defaults to 'novajoin'
+#
+# [*service_name*]
+#   (optional) Name of the service.
+#   Defaults to 'novajoin'.
+#
+# [*service_description*]
+#   (optional) Description for keystone service.
+#   Defaults to 'Openstack Compute Service'.
+#
+# [*public_url*]
+#   (optional) The endpoint's public url.
+#   Defaults to 'http://127.0.0.1:8774/v2.1'
+#
+# [*internal_url*]
+#   (optional) The endpoint's internal url.
+#   Defaults to 'http://127.0.0.1:8774/v2.1'
+#
+# [*admin_url*]
+#   (optional) The endpoint's admin url.
+#   Defaults to 'http://127.0.0.1:8774/v2.1'
+#
+# [*region*]
+#   (optional) The region in which to place the endpoints
+#   Defaults to 'RegionOne'
+#
+# [*tenant*]
+#   (optional) The tenant to use for the novajoin service user
+#   Defaults to 'services'
+#
+# [*email*]
+#   (optional) The email address for the novajoin service user
+#   Defaults to 'novajoin@localhost'
+#
+# [*configure_endpoint*]
+#   (optional) Whether to create the endpoint.
+#   Defaults to true
+#
+# [*configure_user*]
+#   (optional) Whether to create the service user.
+#   Defaults to true
+#
+# [*configure_user_role*]
+#   (optional) Whether to configure the admin role for the service user.
+#   Defaults to true
+#
+class nova::metadata::novajoin::auth(
+  $password,
+  $auth_name               = 'novajoin',
+  $service_name            = 'novajoin',
+  $service_description     = 'Novajoin vendordata plugin',
+  $region                  = 'RegionOne',
+  $tenant                  = 'services',
+  $email                   = 'novajoin@localhost',
+  $public_url              = 'http://127.0.0.1:9090',
+  $internal_url            = 'http://127.0.0.1:9090',
+  $admin_url               = 'http://127.0.0.1:9090',
+  $configure_endpoint      = false,
+  $configure_user          = true,
+  $configure_user_role     = true,
+) {
+
+  if $configure_endpoint {
+    Keystone_endpoint["${region}/${service_name}::compute-vendordata-plugin"] ~> Service <| name == 'novajoin-server' |>
+    Keystone_endpoint["${region}/${service_name}::compute-vendordata-plugin"] ~> Service <| name == 'novajoin-notify' |>
+  }
+
+  keystone::resource::service_identity { 'novajoin':
+    configure_user      => $configure_user,
+    configure_user_role => $configure_user_role,
+    configure_endpoint  => $configure_endpoint,
+    service_type        => 'compute-vendordata-plugin',
+    service_description => $service_description,
+    service_name        => $service_name,
+    region              => $region,
+    auth_name           => $auth_name,
+    password            => $password,
+    email               => $email,
+    tenant              => $tenant,
+    public_url          => $public_url,
+    admin_url           => $admin_url,
+    internal_url        => $internal_url,
+  }
+
+}
--- a/manifests/metadata/novajoin/authtoken.pp
+++ b/manifests/metadata/novajoin/authtoken.pp
@ -0,0 +1,267 @@
+# class: nova::metadata::novajoin::authtoken
+#
+# Configure the keystone_authtoken section in the configuration file
+#
+# === Parameters
+#
+# [*username*]
+#   (Optional) The name of the service user
+#   Defaults to 'novajoin'
+#
+# [*password*]
+#   (Optional) Password to create for the service user
+#   Defaults to $::os_service_default
+#
+# [*auth_url*]
+#   (Optional) The URL to use for authentication.
+#   Defaults to 'http:://127.0.0.1:35357'
+#
+# [*project_name*]
+#   (Optional) Service project name
+#   Defaults to 'services'
+#
+# [*user_domain_name*]
+#   (Optional) Name of domain for $username
+#   Defaults to $::os_service_default
+#
+# [*project_domain_name*]
+#   (Optional) Name of domain for $project_name
+#   Defaults to $::os_service_default
+#
+# [*insecure*]
+#   (Optional) If true, explicitly allow TLS without checking server cert
+#   against any certificate authorities.  WARNING: not recommended.  Use with
+#   caution.
+#   Defaults to $:os_service_default
+#
+# [*auth_section*]
+#   (Optional) Config Section from which to load plugin specific options
+#   Defaults to $::os_service_default.
+#
+# [*auth_type*]
+#   (Optional) Authentication type to load
+#   Defaults to $::os_service_default
+#
+# [*auth_uri*]
+#   (Optional) Complete public Identity API endpoint.
+#   Defaults to 'http://127.0.0.1:5000/'.
+#
+# [*auth_version*]
+#   (Optional) API version of the admin Identity API endpoint.
+#   Defaults to $::os_service_default.
+#
+# [*cache*]
+#   (Optional) Env key for the swift cache.
+#   Defaults to $::os_service_default.
+#
+# [*cafile*]
+#   (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs
+#   connections.
+#   Defaults to $::os_service_default.
+#
+# [*certfile*]
+#   (Optional) Required if identity server requires client certificate
+#   Defaults to $::os_service_default.
+#
+# [*check_revocations_for_cached*]
+#   (Optional) If true, the revocation list will be checked for cached tokens.
+#   This requires that PKI tokens are configured on the identity server.
+#   boolean value.
+#   Defaults to $::os_service_default.
+#
+# [*delay_auth_decision*]
+#   (Optional) Do not handle authorization requests within the middleware, but
+#   delegate the authorization decision to downstream WSGI components. Boolean
+#   value
+#   Defaults to $::os_service_default.
+#
+# [*enforce_token_bind*]
+#   (Optional) Used to control the use and type of token binding. Can be set
+#   to: "disabled" to not check token binding. "permissive" (default) to
+#   validate binding information if the bind type is of a form known to the
+#   server and ignore it if not. "strict" like "permissive" but if the bind
+#   type is unknown the token will be rejected. "required" any form of token
+#   binding is needed to be allowed. Finally the name of a binding method that
+#   must be present in tokens. String value.
+#   Defaults to $::os_service_default.
+#
+# [*hash_algorithms*]
+#   (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
+#   single algorithm or multiple. The algorithms are those supported by Python
+#   standard hashlib.new(). The hashes will be tried in the order given, so put
+#   the preferred one first for performance. The result of the first hash will
+#   be stored in the cache. This will typically be set to multiple values only
+#   while migrating from a less secure algorithm to a more secure one. Once all
+#   the old tokens are expired this option should be set to a single value for
+#   better performance. List value.
+#   Defaults to $::os_service_default.
+#
+# [*http_connect_timeout*]
+#   (Optional) Request timeout value for communicating with Identity API
+#   server.
+#   Defaults to $::os_service_default.
+#
+# [*http_request_max_retries*]
+#   (Optional) How many times are we trying to reconnect when communicating
+#   with Identity API Server. Integer value
+#   Defaults to $::os_service_default.
+#
+# [*include_service_catalog*]
+#   (Optional) Indicate whether to set the X-Service-Catalog header. If False,
+#   middleware will not ask for service catalog on token validation and will
+#   not set the X-Service-Catalog header. Boolean value.
+#   Defaults to $::os_service_default.
+#
+# [*keyfile*]
+#   (Optional) Required if identity server requires client certificate
+#   Defaults to $::os_service_default.
+#
+# [*memcache_pool_conn_get_timeout*]
+#   (Optional) Number of seconds that an operation will wait to get a memcached
+#   client connection from the pool. Integer value
+#   Defaults to $::os_service_default.
+#
+# [*memcache_pool_dead_retry*]
+#   (Optional) Number of seconds memcached server is considered dead before it
+#   is tried again. Integer value
+#   Defaults to $::os_service_default.
+#
+# [*memcache_pool_maxsize*]
+#   (Optional) Maximum total number of open connections to every memcached
+#    server. Integer value
+#  Defaults to $::os_service_default.
+#
+# [*memcache_pool_socket_timeout*]
+#   (Optional) Number of seconds a connection to memcached is held unused in
+#   the pool before it is closed. Integer value
+#   Defaults to $::os_service_default.
+#
+# [*memcache_pool_unused_timeout*]
+#   (Optional) Number of seconds a connection to memcached is held unused in
+#   the pool before it is closed. Integer value
+#   Defaults to $::os_service_default.
+#
+# [*memcache_secret_key*]
+#   (Optional, mandatory if memcache_security_strategy is defined) This string
+#   is used for key derivation.
+#   Defaults to $::os_service_default.
+#
+# [*memcache_security_strategy*]
+#   (Optional) If defined, indicate whether token data should be authenticated
+#   or authenticated and encrypted. If MAC, token data is authenticated (with
+#   HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the
+#   cache. If the value is not one of these options or empty, auth_token will
+#   raise an exception on initialization.
+#   Defaults to $::os_service_default.
+#
+# [*memcache_use_advanced_pool*]
+#   (Optional)  Use the advanced (eventlet safe) memcached client pool. The
+#   advanced pool will only work under python 2.x Boolean value
+#   Defaults to $::os_service_default.
+#
+# [*memcached_servers*]
+#   (Optional) Optionally specify a list of memcached server(s) to use for
+#   caching. If left undefined, tokens will instead be cached in-process.
+#   Defaults to $::os_service_default.
+#
+# [*manage_memcache_package*]
+#  (Optional) Whether to install the python-memcache package.
+#  Defaults to false.
+#
+# [*region_name*]
+#   (Optional) The region in which the identity server can be found.
+#   Defaults to $::os_service_default.
+#
+# [*revocation_cache_time*]
+#   (Optional) Determines the frequency at which the list of revoked tokens is
+#   retrieved from the Identity service (in seconds). A high number of
+#   revocation events combined with a low cache duration may significantly
+#   reduce performance. Only valid for PKI tokens. Integer value
+#   Defaults to $::os_service_default.
+#
+# [*token_cache_time*]
+#   (Optional) In order to prevent excessive effort spent validating tokens,
+#   the middleware caches previously-seen tokens for a configurable duration
+#   (in seconds). Set to -1 to disable caching completely. Integer value
+#   Defaults to $::os_service_default.
+#
+class nova::metadata::novajoin::authtoken(
+  $username                       = 'novajoin',
+  $password                       = $::os_service_default,
+  $auth_url                       = 'http://127.0.0.1:35357/',
+  $project_name                   = 'services',
+  $user_domain_name               = $::os_service_default,
+  $project_domain_name            = $::os_service_default,
+  $insecure                       = $::os_service_default,
+  $auth_section                   = $::os_service_default,
+  $auth_type                      = 'password',
+  $auth_uri                       = 'http://127.0.0.1:5000/',
+  $auth_version                   = $::os_service_default,
+  $cache                          = $::os_service_default,
+  $cafile                         = $::os_service_default,
+  $certfile                       = $::os_service_default,
+  $check_revocations_for_cached   = $::os_service_default,
+  $delay_auth_decision            = $::os_service_default,
+  $enforce_token_bind             = $::os_service_default,
+  $hash_algorithms                = $::os_service_default,
+  $http_connect_timeout           = $::os_service_default,
+  $http_request_max_retries       = $::os_service_default,
+  $include_service_catalog        = $::os_service_default,
+  $keyfile                        = $::os_service_default,
+  $memcache_pool_conn_get_timeout = $::os_service_default,
+  $memcache_pool_dead_retry       = $::os_service_default,
+  $memcache_pool_maxsize          = $::os_service_default,
+  $memcache_pool_socket_timeout   = $::os_service_default,
+  $memcache_pool_unused_timeout   = $::os_service_default,
+  $memcache_secret_key            = $::os_service_default,
+  $memcache_security_strategy     = $::os_service_default,
+  $memcache_use_advanced_pool     = $::os_service_default,
+  $memcached_servers              = $::os_service_default,
+  $manage_memcache_package        = false,
+  $region_name                    = $::os_service_default,
+  $revocation_cache_time          = $::os_service_default,
+  $token_cache_time               = $::os_service_default,
+) {
+
+  if is_service_default($password) {
+    fail('Please set password for novajoin service user')
+  }
+
+  keystone::resource::authtoken { 'novajoin_config':
+    username                       => $username,
+    password                       => $password,
+    project_name                   => $project_name,
+    auth_url                       => $auth_url,
+    auth_uri                       => $auth_uri,
+    auth_version                   => $auth_version,
+    auth_type                      => $auth_type,
+    auth_section                   => $auth_section,
+    user_domain_name               => $user_domain_name,
+    project_domain_name            => $project_domain_name,
+    insecure                       => $insecure,
+    cache                          => $cache,
+    cafile                         => $cafile,
+    certfile                       => $certfile,
+    check_revocations_for_cached   => $check_revocations_for_cached,
+    delay_auth_decision            => $delay_auth_decision,
+    enforce_token_bind             => $enforce_token_bind,
+    hash_algorithms                => $hash_algorithms,
+    http_connect_timeout           => $http_connect_timeout,
+    http_request_max_retries       => $http_request_max_retries,
+    include_service_catalog        => $include_service_catalog,
+    keyfile                        => $keyfile,
+    memcache_pool_conn_get_timeout => $memcache_pool_conn_get_timeout,
+    memcache_pool_dead_retry       => $memcache_pool_dead_retry,
+    memcache_pool_maxsize          => $memcache_pool_maxsize,
+    memcache_pool_socket_timeout   => $memcache_pool_socket_timeout,
+    memcache_secret_key            => $memcache_secret_key,
+    memcache_security_strategy     => $memcache_security_strategy,
+    memcache_use_advanced_pool     => $memcache_use_advanced_pool,
+    memcache_pool_unused_timeout   => $memcache_pool_unused_timeout,
+    memcached_servers              => $memcached_servers,
+    manage_memcache_package        => $manage_memcache_package,
+    region_name                    => $region_name,
+    revocation_cache_time          => $revocation_cache_time,
+    token_cache_time               => $token_cache_time,
+  }
+}
--- a/releasenotes/notes/Add-novajoin-auth-and-authtoken-settings-9cf98dc1a84bab26.yaml
+++ b/releasenotes/notes/Add-novajoin-auth-and-authtoken-settings-9cf98dc1a84bab26.yaml
@ -0,0 +1,5 @@
+---
+features:
+  - One can now create a keystone service user and configure the authtoken
+    settings for the novajoin vendordata plugin via its own auth and authtoken
+    manifests.
--- a/spec/classes/nova_metadata_novajoin_api_spec.rb
+++ b/spec/classes/nova_metadata_novajoin_api_spec.rb
@ -78,9 +78,17 @@ describe 'nova::metadata::novajoin::api' do
      end

      let :pre_condition do
-        'class { "::ipaclient": password => "join_otp", }'
+        "class { '::ipaclient':
+           password => 'join_otp'
+         }
+         class { '::nova::metadata::novajoin::authtoken':
+           password => 'passw0rd',
+         }
+        "
      end

+      it { is_expected.to contain_class('nova::metadata::novajoin::authtoken') }
+
      it { is_expected.to contain_service('novajoin-server').with(
        'ensure'     => (param_hash[:manage_service] && param_hash[:enabled]) ? 'running': 'stopped',
        'enable'     => param_hash[:enabled],
@ -156,7 +164,10 @@ describe 'nova::metadata::novajoin::api' do
    end

    let :pre_condition do
-      'class { "::ipaclient": password => "join_otp", }'
+      "class { '::ipaclient': password => 'join_otp', }
+       class { '::nova::metadata::novajoin::authtoken':
+         password => 'passw0rd',
+       }"
    end

    it { is_expected.to contain_service('novajoin-server').with(
@ -187,7 +198,10 @@ describe 'nova::metadata::novajoin::api' do
    let(:params) { default_params }

    let :pre_condition do
-      'class { "::ipaclient": password => "join_otp", }'
+      "class { '::ipaclient': password => 'join_otp', }
+       class { '::nova::metadata::novajoin::authtoken':
+         password => 'passw0rd',
+       }"
    end

    it { is_expected.to contain_package('python-novajoin').with(
--- a/spec/classes/nova_metadata_novajoin_auth_spec.rb
+++ b/spec/classes/nova_metadata_novajoin_auth_spec.rb
@ -0,0 +1,169 @@
+require 'spec_helper'
+
+describe 'nova::metadata::novajoin::auth' do
+
+  let :params do
+    {:password => 'novajoin_password'}
+  end
+
+  let :default_params do
+    { :auth_name              => 'novajoin',
+      :service_name           => 'novajoin',
+      :region                 => 'RegionOne',
+      :tenant                 => 'services',
+      :email                  => 'novajoin@localhost',
+      :public_url             => 'http://127.0.0.1:9090',
+      :internal_url           => 'http://127.0.0.1:9090',
+      :admin_url              => 'http://127.0.0.1:9090' }
+  end
+
+  context 'with default parameters' do
+
+    it { is_expected.to contain_keystone_user('novajoin').with(
+      :ensure   => 'present',
+      :password => 'novajoin_password'
+    ) }
+
+    it { is_expected.to contain_keystone_user_role('novajoin@services').with(
+      :ensure => 'present',
+      :roles  => ['admin']
+    )}
+
+    it { is_expected.to contain_keystone_service('novajoin::compute-vendordata-plugin').with(
+      :ensure      => 'present',
+      :description => 'Novajoin vendordata plugin'
+    )}
+
+    it { is_expected.to_not contain_keystone_endpoint('RegionOne/novajoin::compute-vendordata-plugin') }
+  end
+
+  context 'when setting auth name' do
+    before do
+      params.merge!( :auth_name => 'foo' )
+    end
+
+    it { is_expected.to contain_keystone_user('foo').with(
+      :ensure   => 'present',
+      :password => 'novajoin_password'
+    ) }
+
+    it { is_expected.to contain_keystone_user_role('foo@services').with(
+      :ensure => 'present',
+      :roles  => ['admin']
+    )}
+
+    it { is_expected.to contain_keystone_service('novajoin::compute-vendordata-plugin').with(
+      :ensure      => 'present',
+      :description => 'Novajoin vendordata plugin'
+    )}
+
+  end
+
+  context 'when creating endpoint with default parameters' do
+    before do
+      params.merge!( :configure_endpoint => true )
+    end
+    it { is_expected.to contain_keystone_endpoint('RegionOne/novajoin::compute-vendordata-plugin').with(
+      :ensure       => 'present',
+      :public_url   => 'http://127.0.0.1:9090',
+      :admin_url    => 'http://127.0.0.1:9090',
+      :internal_url => 'http://127.0.0.1:9090'
+    )}
+  end
+
+  context 'when overriding endpoint parameters' do
+    before do
+      params.merge!(
+        :configure_endpoint => true,
+        :region       => 'RegionTwo',
+        :public_url   => 'https://10.0.0.1:9090',
+        :internal_url => 'https://10.0.0.3:9090',
+        :admin_url    => 'https://10.0.0.2:9090',
+      )
+    end
+
+    it { is_expected.to contain_keystone_endpoint('RegionTwo/novajoin::compute-vendordata-plugin').with(
+      :ensure       => 'present',
+      :public_url   => params[:public_url],
+      :internal_url => params[:internal_url],
+      :admin_url    => params[:admin_url]
+    )}
+
+  end
+
+  describe 'when disabling user configuration' do
+    before do
+      params.merge!( :configure_user => false )
+    end
+
+    it { is_expected.to_not contain_keystone_user('novajoin') }
+    it { is_expected.to contain_keystone_user_role('novajoin@services') }
+    it { is_expected.to contain_keystone_service('novajoin::compute-vendordata-plugin').with(
+      :ensure      => 'present',
+      :description => 'Novajoin vendordata plugin'
+    )}
+  end
+
+  describe 'when disabling user and user role configuration' do
+    let :params do
+      {
+        :configure_user      => false,
+        :configure_user_role => false,
+        :password            => 'novajoin_password'
+      }
+    end
+
+    it { is_expected.to_not contain_keystone_user('novajoin') }
+    it { is_expected.to_not contain_keystone_user_role('novajoin@services') }
+    it { is_expected.to contain_keystone_service('novajoin::compute-vendordata-plugin').with(
+      :ensure      => 'present',
+      :description => 'Novajoin vendordata plugin'
+    )}
+  end
+
+  describe 'when configuring novajoin and the keystone endpoint' do
+    let :pre_condition do
+      "class { '::nova::metadata::novajoin::authtoken':
+         password => 'secrete',
+       }
+      class { '::ipaclient': password => 'join_otp', }
+       class { '::nova::metadata::novajoin::api':
+         nova_password => 'secrete',
+         transport_url => 'rabbit://127.0.0.1//',
+       }"
+    end
+
+    let :facts do
+      @default_facts.merge({
+        :osfamily               => 'RedHat',
+        :operatingsystem        => 'RedHat',
+        :operatingsystemrelease => '7.0',
+      })
+    end
+
+    let :params do
+      {
+        :password => 'test',
+        :configure_endpoint => true,
+      }
+    end
+
+    it { is_expected.to contain_keystone_endpoint('RegionOne/novajoin::compute-vendordata-plugin').with_notify(['Service[novajoin-server]', 'Service[novajoin-notify]']) }
+  end
+
+  describe 'when overriding service names' do
+
+    let :params do
+      {
+        :service_name => 'novajoin_service',
+        :password     => 'novajoin_password'
+      }
+    end
+
+    it { is_expected.to contain_keystone_user('novajoin') }
+    it { is_expected.to contain_keystone_user_role('novajoin@services') }
+    it { is_expected.to contain_keystone_service('novajoin_service::compute-vendordata-plugin') }
+
+  end
+
+end
--- a/spec/classes/nova_metadata_novajoin_authtoken_spec.rb
+++ b/spec/classes/nova_metadata_novajoin_authtoken_spec.rb
@ -0,0 +1,149 @@
+require 'spec_helper'
+
+describe 'nova::metadata::novajoin::authtoken' do
+
+  let :params do
+    { :password => 'novajoin_password', }
+  end
+
+  shared_examples 'novajoin authtoken' do
+
+    context 'with default parameters' do
+
+      it 'configure keystone_authtoken' do
+        is_expected.to contain_novajoin_config('keystone_authtoken/username').with_value('novajoin')
+        is_expected.to contain_novajoin_config('keystone_authtoken/password').with_value('novajoin_password')
+        is_expected.to contain_novajoin_config('keystone_authtoken/auth_url').with_value('http://127.0.0.1:35357/')
+        is_expected.to contain_novajoin_config('keystone_authtoken/project_name').with_value('services')
+        is_expected.to contain_novajoin_config('keystone_authtoken/user_domain_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_novajoin_config('keystone_authtoken/project_domain_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_novajoin_config('keystone_authtoken/insecure').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_novajoin_config('keystone_authtoken/auth_section').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_novajoin_config('keystone_authtoken/auth_type').with_value('password')
+        is_expected.to contain_novajoin_config('keystone_authtoken/auth_uri').with_value('http://127.0.0.1:5000/')
+        is_expected.to contain_novajoin_config('keystone_authtoken/auth_version').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_novajoin_config('keystone_authtoken/cache').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_novajoin_config('keystone_authtoken/cafile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_novajoin_config('keystone_authtoken/certfile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_novajoin_config('keystone_authtoken/check_revocations_for_cached').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_novajoin_config('keystone_authtoken/delay_auth_decision').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_novajoin_config('keystone_authtoken/enforce_token_bind').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_novajoin_config('keystone_authtoken/hash_algorithms').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_novajoin_config('keystone_authtoken/http_connect_timeout').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_novajoin_config('keystone_authtoken/http_request_max_retries').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_novajoin_config('keystone_authtoken/include_service_catalog').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_novajoin_config('keystone_authtoken/keyfile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_novajoin_config('keystone_authtoken/memcache_pool_conn_get_timeout').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_novajoin_config('keystone_authtoken/memcache_pool_dead_retry').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_novajoin_config('keystone_authtoken/memcache_pool_maxsize').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_novajoin_config('keystone_authtoken/memcache_pool_socket_timeout').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_novajoin_config('keystone_authtoken/memcache_pool_unused_timeout').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_novajoin_config('keystone_authtoken/memcache_secret_key').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_novajoin_config('keystone_authtoken/memcache_security_strategy').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_novajoin_config('keystone_authtoken/memcache_use_advanced_pool').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_novajoin_config('keystone_authtoken/memcached_servers').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_novajoin_config('keystone_authtoken/region_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_novajoin_config('keystone_authtoken/revocation_cache_time').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_novajoin_config('keystone_authtoken/token_cache_time').with_value('<SERVICE DEFAULT>')
+      end
+    end
+
+    context 'when overriding parameters' do
+      before do
+        params.merge!({
+          :auth_uri                             => 'https://10.0.0.1:9999/',
+          :username                             => 'myuser',
+          :password                             => 'mypasswd',
+          :auth_url                             => 'http://:127.0.0.1:35357',
+          :project_name                         => 'service_project',
+          :user_domain_name                     => 'domainX',
+          :project_domain_name                  => 'domainX',
+          :insecure                             => false,
+          :auth_section                         => 'new_section',
+          :auth_type                            => 'password',
+          :auth_version                         => 'v3',
+          :cache                                => 'somevalue',
+          :cafile                               =>
+'/opt/stack/data/cafile.pem',
+          :certfile                             => 'certfile.crt',
+          :check_revocations_for_cached         => false,
+          :delay_auth_decision                  => false,
+          :enforce_token_bind                   => 'permissive',
+          :hash_algorithms                      => 'md5',
+          :http_connect_timeout                 => '300',
+          :http_request_max_retries             => '3',
+          :include_service_catalog              => true,
+          :keyfile                              => 'keyfile',
+          :memcache_pool_conn_get_timeout       => '9',
+          :memcache_pool_dead_retry             => '302',
+          :memcache_pool_maxsize                => '11',
+          :memcache_pool_socket_timeout         => '2',
+          :memcache_pool_unused_timeout         => '61',
+          :memcache_secret_key                  => 'secret_key',
+          :memcache_security_strategy           => 'ENCRYPT',
+          :memcache_use_advanced_pool           => true,
+          :memcached_servers                    =>
+['memcached01:11211','memcached02:11211'],
+          :manage_memcache_package              => true,
+          :region_name                          => 'region2',
+          :revocation_cache_time                => '11',
+          :token_cache_time                     => '301',
+        })
+      end
+
+      it 'configure keystone_authtoken' do
+        is_expected.to contain_novajoin_config('keystone_authtoken/auth_uri').with_value('https://10.0.0.1:9999/')
+        is_expected.to contain_novajoin_config('keystone_authtoken/username').with_value(params[:username])
+        is_expected.to contain_novajoin_config('keystone_authtoken/password').with_value(params[:password]).with_secret(true)
+        is_expected.to contain_novajoin_config('keystone_authtoken/auth_url').with_value(params[:auth_url])
+        is_expected.to contain_novajoin_config('keystone_authtoken/project_name').with_value(params[:project_name])
+        is_expected.to contain_novajoin_config('keystone_authtoken/user_domain_name').with_value(params[:user_domain_name])
+        is_expected.to contain_novajoin_config('keystone_authtoken/project_domain_name').with_value(params[:project_domain_name])
+        is_expected.to contain_novajoin_config('keystone_authtoken/insecure').with_value(params[:insecure])
+        is_expected.to contain_novajoin_config('keystone_authtoken/auth_section').with_value(params[:auth_section])
+        is_expected.to contain_novajoin_config('keystone_authtoken/auth_type').with_value(params[:auth_type])
+        is_expected.to contain_novajoin_config('keystone_authtoken/auth_version').with_value(params[:auth_version])
+        is_expected.to contain_novajoin_config('keystone_authtoken/cache').with_value(params[:cache])
+        is_expected.to contain_novajoin_config('keystone_authtoken/cafile').with_value(params[:cafile])
+        is_expected.to contain_novajoin_config('keystone_authtoken/certfile').with_value(params[:certfile])
+        is_expected.to contain_novajoin_config('keystone_authtoken/check_revocations_for_cached').with_value(params[:check_revocations_for_cached])
+        is_expected.to contain_novajoin_config('keystone_authtoken/delay_auth_decision').with_value(params[:delay_auth_decision])
+        is_expected.to contain_novajoin_config('keystone_authtoken/enforce_token_bind').with_value(params[:enforce_token_bind])
+        is_expected.to contain_novajoin_config('keystone_authtoken/hash_algorithms').with_value(params[:hash_algorithms])
+        is_expected.to contain_novajoin_config('keystone_authtoken/http_connect_timeout').with_value(params[:http_connect_timeout])
+        is_expected.to contain_novajoin_config('keystone_authtoken/http_request_max_retries').with_value(params[:http_request_max_retries])
+        is_expected.to contain_novajoin_config('keystone_authtoken/include_service_catalog').with_value(params[:include_service_catalog])
+        is_expected.to contain_novajoin_config('keystone_authtoken/keyfile').with_value(params[:keyfile])
+        is_expected.to contain_novajoin_config('keystone_authtoken/memcache_pool_conn_get_timeout').with_value(params[:memcache_pool_conn_get_timeout])
+        is_expected.to contain_novajoin_config('keystone_authtoken/memcache_pool_dead_retry').with_value(params[:memcache_pool_dead_retry])
+        is_expected.to contain_novajoin_config('keystone_authtoken/memcache_pool_maxsize').with_value(params[:memcache_pool_maxsize])
+        is_expected.to contain_novajoin_config('keystone_authtoken/memcache_pool_socket_timeout').with_value(params[:memcache_pool_socket_timeout])
+        is_expected.to contain_novajoin_config('keystone_authtoken/memcache_pool_unused_timeout').with_value(params[:memcache_pool_unused_timeout])
+        is_expected.to contain_novajoin_config('keystone_authtoken/memcache_secret_key').with_value(params[:memcache_secret_key])
+        is_expected.to contain_novajoin_config('keystone_authtoken/memcache_security_strategy').with_value(params[:memcache_security_strategy])
+        is_expected.to contain_novajoin_config('keystone_authtoken/memcache_use_advanced_pool').with_value(params[:memcache_use_advanced_pool])
+        is_expected.to contain_novajoin_config('keystone_authtoken/memcached_servers').with_value('memcached01:11211,memcached02:11211')
+        is_expected.to contain_novajoin_config('keystone_authtoken/region_name').with_value(params[:region_name])
+        is_expected.to contain_novajoin_config('keystone_authtoken/revocation_cache_time').with_value(params[:revocation_cache_time])
+        is_expected.to contain_novajoin_config('keystone_authtoken/token_cache_time').with_value(params[:token_cache_time])
+      end
+
+      it 'installs python memcache package' do
+        is_expected.to contain_package('python-memcache')
+      end
+    end
+  end
+
+  on_supported_os({
+    :supported_os => OSDefaults.get_supported_os
+  }).each do |os,facts|
+    context "on #{os}" do
+      let (:facts) do
+        facts.merge!(OSDefaults.get_facts())
+      end
+
+      it_configures 'novajoin authtoken'
+    end
+  end
+
+end