From db49f73ef956946a59b060d6ca41e44a9de63e1b Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles
Date: Tue, 23 May 2017 14:35:03 +0300
Subject: [PATCH] Use novajoin-specific user and directory

This uses novajoin's user and directory for the novajoin service instead of relying on the nova service user and /etc/nova. It also removes some nova-specific parameters related to auth, to replace them with more generic names.

Change-Id: I5e02164854542ad08b1b517f52334187913ee4e8
---
 manifests/metadata/novajoin/api.pp | 78 +++++++++++++------
 ...c-user-and-directory-2141e8c0bfc68c24.yaml | 5 ++
 .../nova_metadata_novajoin_api_spec.rb | 30 +++----
 .../nova_metadata_novajoin_auth_spec.rb | 2 +-
 4 files changed, 77 insertions(+), 38 deletions(-)
 create mode 100644 releasenotes/notes/Use-novajoin-specific-user-and-directory-2141e8c0bfc68c24.yaml

diff --git a/manifests/metadata/novajoin/api.pp b/manifests/metadata/novajoin/api.pp
index d2aa443ad..1d9d7d0ae 100644
--- a/manifests/metadata/novajoin/api.pp
+++ b/manifests/metadata/novajoin/api.pp
@@ -5,8 +5,8 @@
 #
 # === Parameters
 #
-# [*nova_password*]
-# (required) Password for the nova service user.
+# [*service_password*]
+# (required) Password for the novajoin service user.
 #
 # [*transport_url*]
 # (required) Transport URL for notifier service to talk to
@@ -18,7 +18,7 @@
 #
 # [*api_paste_config*]
 # (optional) Filename for the paste deploy file.
-# Defaults to '/etc/nova/join-api-paste.ini'.
+# Defaults to '/etc/novajoin/join-api-paste.ini'.
 #
 # [*auth_strategy*]
 # (optional) Strategy to use for authentication.
@@ -66,7 +66,7 @@
 #
 # [*keytab*]
 # (optional) Kerberos client keytab file.
-# Defaults to '/etc/nova/krb5.keytab'
+# Defaults to '/etc/novajoin/krb5.keytab'
 #
 # [*log_dir*]
 # (optional) log directory.
@@ -76,27 +76,35 @@
 # (optional) If Puppet should manage service startup / shutdown.
 # Defaults to true.
 #
+# [*service_user*]
+# (optional) User that the novajoin services run as.
+# Defaults to 'novajoin'
+#
+# [*project_domain_name*]
+# (optional) Domain name containing project (for novajoin auth).
+# Defaults to 'default'
+#
+# [*project_name*]
+# (optional) Project name (for novajoin auth).
+# Defaults to 'service'
+#
+# [*user_domain_id*]
+# (optional) Domain for novajoin user.
+# Defaults to 'default'
+#
+# DEPRECATED PARAMETERS
+#
 # [*nova_user*]
 # (optional) User that nova services run as.
 # Defaults to 'nova'
 #
-# [*project_domain_name*]
-# (optional) Domain name containing project (for nova auth).
-# Defaults to 'default'
-#
-# [*project_name*]
-# (optional) Project name (for nova auth).
-# Defaults to 'service'
-#
-# [*user_domain_id*]
-# (optional) Domain for nova user.
-# Defaults to 'default'
+# [*nova_password*]
+# (required) Password for the nova service user.
 #
 class nova::metadata::novajoin::api (
- $nova_password,
 $transport_url,
 $bind_address = '127.0.0.1',
- $api_paste_config = '/etc/nova/join-api-paste.ini',
+ $api_paste_config = '/etc/novajoin/join-api-paste.ini',
 $auth_strategy = $::os_service_default,
 $auth_type = 'password',
 $cacert = '/etc/ipa/ca.crt',
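Review bot: The `[*nova_password*]` entry moved under DEPRECATED PARAMETERS still reads "(required)", although the parameter is now only a fallback for `service_password` and the signature gives it `undef`; a reader of the header would conclude both passwords must be supplied. Suggest `# (optional) DEPRECATED. Password for the nova service user; use service_password instead.` and the matching `# (optional) DEPRECATED. Use service_user instead.` wording for `[*nova_user*]`. The `[*service_password*]` entry says "(required)" while its signature default is `undef`, which is only true because the class fails when neither password is given, so a sentence noting that fallback would help. The class parameter list continues past the end of this hunk.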
@@ -108,16 +116,42 @@ class nova::metadata::novajoin::api (
 $ipa_domain = undef,
 $join_listen_port = $::os_service_default,
 $keystone_auth_url = 'http://127.0.0.1:35357/',
- $keytab = '/etc/nova/krb5.keytab',
+ $keytab = '/etc/novajoin/krb5.keytab',
 $log_dir = '/var/log/novajoin',
 $manage_service = true,
- $nova_user = 'nova',
+ $service_password = undef,
+ $service_user = 'novajoin',
 $project_domain_name = 'default',
 $project_name = 'service',
 $user_domain_id = 'default',
+ # DEPRECATED PARAMETERS
+ $nova_user = 'nova',
+ $nova_password = undef,
 ) {
 
 include ::nova::metadata::novajoin::authtoken
+ if $service_user {
+ $service_user_real = $service_user
+ } else {
+ warning('The nova_user parameter is deprecated. use service_user instead')
+ $service_user_real = $nova_user
+ }
+
+ if ! $service_user_real {
+ fail('service_user is missing')
+ }
+
+ if $service_password {
+ $service_password_real = $service_password
+ } else {
+ warning('The nova_password parameter is deprecated. use service_password instead')
+ $service_password_real = $nova_password
+ }
+
+ if ! $service_password_real {
+ fail('service_password is missing')
+ }
+
 case $::osfamily {
 'RedHat': {
 $package_name = 'python-novajoin'
@@ -158,8 +192,8 @@ class nova::metadata::novajoin::api (
 'DEFAULT/transport_url': value => $transport_url;
 'service_credentials/auth_type': value => $auth_type;
 'service_credentials/auth_url': value => $keystone_auth_url;
- 'service_credentials/password': value => $nova_password;
- 'service_credentials/username': value => $nova_user;
+ 'service_credentials/password': value => $service_password_real;
+ 'service_credentials/username': value => $service_user_real;
 'service_credentials/project_name': value => $project_name;
 'service_credentials/user_domain_id': value => $user_domain_id;
 'service_credentials/project_domain_name':
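Review bot: The `nova_user` fallback added after `include ::nova::metadata::novajoin::authtoken` is effectively dead code: `$service_user` defaults to `'novajoin'`, so the `else` branch and its deprecation warning run only if a caller explicitly passes an empty or undef `service_user`, and an operator who still sets `nova_user => 'foo'` silently gets `'novajoin'` written to `service_credentials/username`. The password branch does not have this problem because both `$service_password` and `$nova_password` default to `undef`. Keying the fallback on the deprecated parameter (default `$nova_user = undef`, test `$nova_user` first) keeps the documented `'novajoin'` default while honouring an explicit `nova_user`; the `fail('service_user is missing')` check stays valid. The new `/etc/novajoin` default directory for `keytab` and `api_paste_config` is not created in this hunk, so whether the `python-novajoin` package provides it is not visible here. The class body continues past the end of the hunk.
```puppet
  # DEPRECATED PARAMETERS
  $nova_user                   = undef,
  # … unchanged: $nova_password, end of parameter list, include …
  if $nova_user {
    warning('The nova_user parameter is deprecated. use service_user instead')
    $service_user_real = $nova_user
  } else {
    $service_user_real = $service_user
  }
  # … unchanged: service_user_real check, service_password fallback and check …
```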
@@ -199,7 +233,7 @@ class nova::metadata::novajoin::api (
 require => Package['python-novajoin']
 }
 
- ensure_resource('file', $keytab, { owner => $nova_user, require => Exec['get-service-user-keytab'] })
+ ensure_resource('file', $keytab, { owner => $service_user, require => Exec['get-service-user-keytab'] })
 
 Novajoin_config<||> ~> Service<| title == 'novajoin-server'|>
 Novajoin_config<||> ~> Service<| title == 'novajoin-notify'|>
diff --git a/releasenotes/notes/Use-novajoin-specific-user-and-directory-2141e8c0bfc68c24.yaml b/releasenotes/notes/Use-novajoin-specific-user-and-directory-2141e8c0bfc68c24.yaml
new file mode 100644
index 000000000..f31a9ed25
--- /dev/null
+++ b/releasenotes/notes/Use-novajoin-specific-user-and-directory-2141e8c0bfc68c24.yaml
@@ -0,0 +1,5 @@
+---
+other:
+ - Novajoin now uses it's own user and configuration directory by default. As
+ to separate from the nova user and have it easier to use in containerized
+ environments.
diff --git a/spec/classes/nova_metadata_novajoin_api_spec.rb b/spec/classes/nova_metadata_novajoin_api_spec.rb
index a413d257a..42f6af132 100644
--- a/spec/classes/nova_metadata_novajoin_api_spec.rb
+++ b/spec/classes/nova_metadata_novajoin_api_spec.rb
@@ -16,7 +16,7 @@ describe 'nova::metadata::novajoin::api' do
 let :default_params do
 {
 :bind_address => '127.0.0.1',
- :api_paste_config => '/etc/nova/join-api-paste.ini',
+ :api_paste_config => '/etc/novajoin/join-api-paste.ini',
 :auth_strategy => '',
 :auth_type => 'password',
 :cacert => '/etc/ipa/ca.crt',
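Review bot: The keytab `file` resource takes `owner => $service_user` while `service_credentials/username` a few lines earlier is written from `$service_user_real`, so whenever the deprecated `nova_user` fallback is taken the keytab is owned by a different account than the one the service authenticates as, and the Kerberos client would be unable to read it. Change the line to `ensure_resource('file', $keytab, { owner => $service_user_real, require => Exec['get-service-user-keytab'] })` so both derive from the same resolved value. The resource still sets no `mode` or `group`, so the keytab's permissions are whatever `get-service-user-keytab` leaves behind (not visible here); since the file is a credential, an explicit `mode => '0600'` alongside the owner would be a cheap hardening. The enclosing class continues outside the hunk.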
@@ -26,16 +26,16 @@ describe 'nova::metadata::novajoin::api' do
 :enable_ipa_client_install => true,
 :ensure_package => 'present',
 :join_listen_port => '',
- :keytab => '/etc/nova/krb5.keytab',
+ :keytab => '/etc/novajoin/krb5.keytab',
 :log_dir => '/var/log/novajoin',
 :manage_service => true,
- :nova_user => 'nova',
+ :service_user => 'novajoin',
 :project_domain_name => 'default',
 :project_name => 'service',
 :user_domain_id => 'default',
 :ipa_domain => 'EXAMPLE.COM',
 :keystone_auth_url => 'https://keystone.example.com:35357',
- :nova_password => 'my_secret_password',
+ :service_password => 'my_secret_password',
 :transport_url => 'rabbit:rabbit_pass@rabbit_host',
 }
 end
@@ -43,7 +43,7 @@ describe 'nova::metadata::novajoin::api' do
 [{},
 {
 :bind_address => '0.0.0.0',
- :api_paste_config => '/etc/nova/join-api-paste.ini',
+ :api_paste_config => '/etc/novajoin/join-api-paste.ini',
 :auth_strategy => 'noauth2',
 :auth_type => 'password',
 :cacert => '/etc/ipa/ca.crt',
@@ -56,13 +56,13 @@ describe 'nova::metadata::novajoin::api' do
 :keytab => '/etc/krb5.conf',
 :log_dir => '/var/log/novajoin',
 :manage_service => true,
- :nova_user => 'nova1',
+ :service_user => 'novajoin1',
 :project_domain_name => 'default',
 :project_name => 'service',
 :user_domain_id => 'default',
 :ipa_domain => 'EXAMPLE2.COM',
 :keystone_auth_url => 'https://keystone2.example.com:35357',
- :nova_password => 'my_secret_password2',
+ :service_password => 'my_secret_password2',
 :transport_url => 'rabbit:rabbit_pass2@rabbit_host',
 }
 ].each do |param_set|
@@ -122,11 +122,11 @@ describe 'nova::metadata::novajoin::api' do
 it 'is_expected.to configure service credentials' do
 is_expected.to contain_novajoin_config('service_credentials/auth_type').with_value(param_hash[:auth_type])
 is_expected.to contain_novajoin_config('service_credentials/auth_url').with_value(param_hash[:keystone_auth_url])
- is_expected.to contain_novajoin_config('service_credentials/password').with_value(param_hash[:nova_password])
+ is_expected.to contain_novajoin_config('service_credentials/password').with_value(param_hash[:service_password])
 is_expected.to contain_novajoin_config('service_credentials/project_name').with_value(param_hash[:project_name])
 is_expected.to contain_novajoin_config('service_credentials/user_domain_id').with_value(param_hash[:user_domain_id])
 is_expected.to contain_novajoin_config('service_credentials/project_domain_name').with_value(param_hash[:project_domain_name])
- is_expected.to contain_novajoin_config('service_credentials/username').with_value(param_hash[:nova_user])
+ is_expected.to contain_novajoin_config('service_credentials/username').with_value(param_hash[:service_user])
 end
 
 it 'is_expected.to get service user keytab' do
@@ -137,7 +137,7 @@ describe 'nova::metadata::novajoin::api' do
 end
 
 it { is_expected.to contain_file("#{param_hash[:keytab]}").with(
- 'owner' => "#{param_hash[:nova_user]}",
+ 'owner' => "#{param_hash[:service_user]}",
 'require' => 'Exec[get-service-user-keytab]',
 )}
 
@@ -155,11 +155,11 @@ describe 'nova::metadata::novajoin::api' do
 
 let :params do
 {
- :manage_service => false,
- :enabled => false,
- :ipa_domain => 'EXAMPLE.COM',
- :nova_password => 'my_secret_password',
- :transport_url => 'rabbit:rabbit_pass@rabbit_host',
+ :manage_service => false,
+ :enabled => false,
+ :ipa_domain => 'EXAMPLE.COM',
+ :service_password => 'my_secret_password',
+ :transport_url => 'rabbit:rabbit_pass@rabbit_host',
 }
 end
 
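Review bot: After this rename no example passes `nova_user` or `nova_password` any more, so the deprecation fallback the manifest introduces for them, its warning, and the `fail('service_password is missing')` path when neither password is given, all go untested; the minimal-params `let :params` in the last hunk is the natural place to add such examples. One context passing only `:nova_password` should still compile and write that value to `service_credentials/password`, and one passing neither password should fail catalog compilation with that message. The contexts below mirror the minimal parameter set already used here; whatever facts the surrounding `describe` block sets up are assumed to be inherited. The enclosing `describe` block continues outside the hunk.
```ruby
    context 'with deprecated nova_password' do
      let :params do
        {
          :ipa_domain    => 'EXAMPLE.COM',
          :nova_password => 'my_secret_password',
          :transport_url => 'rabbit:rabbit_pass@rabbit_host',
        }
      end

      it { is_expected.to contain_novajoin_config('service_credentials/password').with_value('my_secret_password') }
    end

    context 'with neither service_password nor nova_password' do
      let :params do
        {
          :ipa_domain    => 'EXAMPLE.COM',
          :transport_url => 'rabbit:rabbit_pass@rabbit_host',
        }
      end

      it 'fails catalog compilation' do
        expect { is_expected.to contain_class('nova::metadata::novajoin::api') }.to raise_error(Puppet::Error, /service_password is missing/)
      end
    end
```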
diff --git a/spec/classes/nova_metadata_novajoin_auth_spec.rb b/spec/classes/nova_metadata_novajoin_auth_spec.rb
index aba96f41b..a8bf11f45 100644
--- a/spec/classes/nova_metadata_novajoin_auth_spec.rb
+++ b/spec/classes/nova_metadata_novajoin_auth_spec.rb
@@ -128,7 +128,7 @@ describe 'nova::metadata::novajoin::auth' do
 }
 class { '::ipaclient': password => 'join_otp', }
 class { '::nova::metadata::novajoin::api':
- nova_password => 'secrete',
+ service_password => 'secrete',
 transport_url => 'rabbit://127.0.0.1//',
 }"
 end