From 09a78bfd9d28d8b8f32c2a8ada3e7dc1f63f5b79 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Charlier?=
Date: Tue, 14 May 2013 17:18:00 +0200
Subject: [PATCH] Add auth_admin_prefix and custom auth_uri params
auth_admin_prefix allows the prepend of a prefix to the URL used for admin tasks. See: https://review.openstack.org/#/c/7156/ for implementation in Keystone. auth_uri allows to specify the public authentication url (Keystone's public endpoint) if it can't be guessed from $auth_host + $auth_protocol
Implements blueprint serve-keystone-from-wsgi
Change-Id: Ic66727f78406d70b5ab5bc07fcc074477df2303c
---
 manifests/proxy/authtoken.pp | 18 ++++-
 spec/classes/swift_proxy_authtoken_spec.rb | 79 +++++++++++++++++++++-
 templates/proxy/authtoken.conf.erb | 5 +-
 3 files changed, 98 insertions(+), 4 deletions(-)
diff --git a/manifests/proxy/authtoken.pp b/manifests/proxy/authtoken.pp
index aecf6a2a..f3a17341 100644
--- a/manifests/proxy/authtoken.pp
+++ b/manifests/proxy/authtoken.pp
@@ -21,6 +21,12 @@
 # Defaults to 3557.
 # [auth_protocol] Protocol to use to communicate with keystone. Optional.
 # Defaults to https.
+# [auth_admin_prefix] path part of the auth url. Optional.
+# This allows admin auth URIs like http://host/keystone/admin/v2.0.
+# Defaults to false for empty. It defined, should be a string with a leading '/' and no trailing '/'.
+# [auth_uri] The public auth url to redirect unauthenticated requests.
+# Defaults to false to be expanded to '${auth_protocol}://${auth_host}:5000'.
+# Should be set to your public keystone endpoint (without version).
 #
 # == Authors
 #
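Review bot: The added `[auth_uri]` entry says the default expands to `'${auth_protocol}://${auth_host}:5000'`, and the context line directly above documents `auth_protocol` as "Defaults to https", yet the class signature in the next hunk sets `$auth_protocol = 'http'`; anyone relying on this header would expect the public auth URI to default to HTTPS when it is plain HTTP. I would state the effective value in the new text, e.g. `# Defaults to false, which expands to 'http://127.0.0.1:5000' with the class defaults.`, and correct the protocol line with it. The `[auth_admin_prefix]` entry has a typo ("It defined" for "If defined") and could mention that the value is checked with `validate_re` and then written as-is into the authtoken fragment.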
@@ -38,13 +44,23 @@ class swift::proxy::authtoken(
 $auth_host = '127.0.0.1',
 $auth_port = '35357',
 $auth_protocol = 'http',
+ $auth_admin_prefix = false,
+ $auth_uri = false,
 $delay_auth_decision = 1,
 $admin_token = false
 ) {
- $auth_uri = "${auth_protocol}://${auth_host}:5000"
+ if $auth_uri {
+ $auth_uri_real = $auth_uri
+ } else {
+ $auth_uri_real = "${auth_protocol}://${auth_host}:5000"
+ }
 $fragment_title = regsubst($name, '/', '_', 'G')
+ if $auth_admin_prefix {
+ validate_re($auth_admin_prefix, '^(/.+[^/])?$')
+ }
+
 concat::fragment { "swift_authtoken":
 target => '/etc/swift/proxy-server.conf',
 content => template('swift/proxy/authtoken.conf.erb'),
diff --git a/spec/classes/swift_proxy_authtoken_spec.rb b/spec/classes/swift_proxy_authtoken_spec.rb
index f7647765..054db6f4 100644
--- a/spec/classes/swift_proxy_authtoken_spec.rb
+++ b/spec/classes/swift_proxy_authtoken_spec.rb
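Review bot: The pattern passed to `validate_re` for `$auth_admin_prefix` is anchored with `^` and `$`, which in Ruby regular expressions match at line boundaries rather than at the ends of the string, so a multi-line value is accepted as soon as one of its lines has the expected shape, and the template then writes the whole value into `/etc/swift/proxy-server.conf`. Anchoring on the string closes that gap: `validate_re($auth_admin_prefix, '\A(/.+[^/])?\z')`. The new `$auth_uri` is copied into `$auth_uri_real` with no validation at all, although it is the URL unauthenticated clients are redirected to; a check inside the existing `if $auth_uri {` branch, such as `validate_re($auth_uri, '\Ahttps?://\S+\z')`, would reject malformed or multi-line values. The class body continues past the end of this hunk.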
@@ -39,15 +39,90 @@ describe 'swift::proxy::authtoken' do end end - describe "when override parameters" do + describe "when overriding admin_token" do let :params do { :admin_token => 'ADMINTOKEN' } end - it { should contain_file(fragment_file).with_content(/admin_token = ADMINTOKEN/) } + it 'should build the fragment with correct parameters' do + verify_contents(subject, fragment_file, + [ + '[filter:authtoken]', + 'paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory', + 'signing_dir = /etc/swift', + 'auth_host = 127.0.0.1', + 'auth_port = 35357', + 'auth_protocol = http', + 'auth_uri = http://127.0.0.1:5000', + 'admin_token = ADMINTOKEN', + 'delay_auth_decision = 1', + ] + ) + end + end + + describe "when overriding parameters" do + let :params do + { + :auth_host => 'some.host', + :auth_port => '443', + :auth_protocol => 'https', + :auth_admin_prefix => '/keystone/admin', + :admin_tenant_name => 'admin', + :admin_user => 'swiftuser', + :admin_password => 'swiftpassword', + :delay_auth_decision => '0' + } + end + + it 'should build the fragment with correct parameters' do + verify_contents(subject, fragment_file, + [ + '[filter:authtoken]', + 'paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory', + 'signing_dir = /etc/swift', + 'auth_host = some.host', + 'auth_port = 443', + 'auth_protocol = https', + 'auth_admin_prefix = /keystone/admin', + 'auth_uri = https://some.host:5000', + 'admin_tenant_name = admin', + 'admin_user = swiftuser', + 'admin_password = swiftpassword', + 'delay_auth_decision = 0', + ] + ) + end + end + + describe 'when overriding auth_uri' do + let :params do + { :auth_uri => 'http://public.host/keystone/main' } + end + + it { should contain_file(fragment_file).with_content(/auth_uri = http:\/\/public.host\/keystone\/main/)} + end + + [ + 'keystone', + 'keystone/', + '/keystone/', + '/keystone/admin/', + 'keystone/admin/', + 'keystone/admin' + ].each do |auth_admin_prefix| + describe "when 
overriding auth_admin_prefix with incorrect value #{auth_admin_prefix}" do + let :params do + { :auth_admin_prefix => auth_admin_prefix } + end + + it { expect { should contain_file(fragment_file).with_content(/auth_admin_prefix = #{auth_admin_prefix}/) }.to \ + raise_error(Puppet::Error, /validate_re\(\): "#{auth_admin_prefix}" does not match/) } + end end + end diff --git a/templates/proxy/authtoken.conf.erb b/templates/proxy/authtoken.conf.erb index f380c105..4975218c 100644 --- a/templates/proxy/authtoken.conf.erb +++ b/templates/proxy/authtoken.conf.erb @@ -4,7 +4,10 @@ signing_dir = /etc/swift auth_host = <%= auth_host %> auth_port = <%= auth_port %> auth_protocol = <%= auth_protocol %> -auth_uri = <%= auth_uri %> +<% if auth_admin_prefix -%> +auth_admin_prefix = <%= auth_admin_prefix %> +<% end -%> +auth_uri = <%= auth_uri_real %> # if its defined <% if admin_token -%> admin_token = <%= admin_token %>
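Review bot: Every entry in the array of rejected `auth_admin_prefix` values fails only for a missing leading slash or a trailing slash; none contains a line break, which is the input the manifest's `validate_re` check most needs to refuse because the value is rendered into the proxy-server.conf fragment. Adding a constructed case such as `"/keystone\n/admin"` would cover it, and with the current `^(/.+[^/])?$` pattern that value is expected to pass validation, so the spec would expose the gap. The loop also interpolates the raw value into both expectation regexes; wrapping it as `Regexp.escape(auth_admin_prefix)` keeps the match literal once a test value contains regex metacharacters.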
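Review bot: The guard `<% if auth_admin_prefix -%>` is a Ruby truthiness test, so an empty string still renders the line as `auth_admin_prefix = ` with no value, and the manifest's pattern `^(/.+[^/])?$` makes its whole group optional and therefore accepts `''`. Testing for content as well avoids emitting an empty setting: `<% if auth_admin_prefix and auth_admin_prefix != '' -%>`. The spec in this commit has no case for an empty prefix, so this path is currently unexercised.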