From f71d159c4d423ff6bb4c5562bec370cab8ab9f9f Mon Sep 17 00:00:00 2001
From: Daneyon Hansen
Date: Tue, 6 Aug 2013 06:12:43 +0000
Subject: [PATCH] Improve Proxy Signing Directory Support

1. The signing_dir was being created on every swift node when it's only needed on proxies: http://docs.openstack.org/grizzly/openstack-compute/install/apt/content/installing-and-configuring-the-proxy-node.html
2. The signing_dir was not configurable, even though the OpenStack doc's show multiple references (/var/cache/swift and /home/swift/keystone-signing).

Change-Id: I3eb00046fc535a32d7a1800d15489e9fe071373b
---
 manifests/init.pp | 4 ----
 manifests/proxy/authtoken.pp | 12 +++++++++++-
 spec/classes/swift_proxy_authtoken_spec.rb | 20 ++++++++++++++++++--
 spec/classes/swift_spec.rb | 3 ---
 templates/proxy/authtoken.conf.erb | 2 +-
 5 files changed, 30 insertions(+), 11 deletions(-)

diff --git a/manifests/init.pp b/manifests/init.pp
index 8548e695..cd905673 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -69,8 +69,4 @@ class swift(
 content => template('swift/swift.conf.erb'),
 }
 
- file { '/var/cache/swift':
- ensure => directory,
- }
-
 }
diff --git a/manifests/proxy/authtoken.pp b/manifests/proxy/authtoken.pp
index 1b77ad49..7d681dda 100644
--- a/manifests/proxy/authtoken.pp
+++ b/manifests/proxy/authtoken.pp
@@ -27,6 +27,8 @@
 # [auth_uri] The public auth url to redirect unauthenticated requests.
 # Defaults to false to be expanded to '${auth_protocol}://${auth_host}:5000'.
 # Should be set to your public keystone endpoint (without version).
+# [signing_dir] The cache directory for signing certificates.
+# Defaults to '/var/cache/swift'
 #
 # == Authors
 #
@@ -47,7 +49,8 @@ class swift::proxy::authtoken(
 $auth_admin_prefix = false,
 $auth_uri = false,
 $delay_auth_decision = 1,
- $admin_token = false
+ $admin_token = false,
+ $signing_dir = '/var/cache/swift'
 ) {
 
 if $auth_uri {
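Review bot: The `[signing_dir]` entry added to the header comment of `manifests/proxy/authtoken.pp` (hunk `@@ -27,6 +27,8 @@`) gives only the default and does not say that the class itself manages the directory, which the `file { $signing_dir: ... }` resource later in the same file does. The auth_token middleware is pointed at this directory for its signing certificates, so ownership and mode are what an operator overriding the path most needs to know. I would extend the comment to `# [signing_dir] The cache directory for signing certificates; must be an absolute path.` followed by `# Created by this class as a directory owned by swift:swift with mode 0700. Defaults to '/var/cache/swift'`.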
@@ -61,6 +64,13 @@ class swift::proxy::authtoken(
 validate_re($auth_admin_prefix, '^(/.+[^/])?$')
 }
 
+ file { $signing_dir:
+ ensure => directory,
+ mode => '0700',
+ owner => 'swift',
+ group => 'swift',
+ }
+
 concat::fragment { 'swift_authtoken':
 target => '/etc/swift/proxy-server.conf',
 content => template('swift/proxy/authtoken.conf.erb'),
diff --git a/spec/classes/swift_proxy_authtoken_spec.rb b/spec/classes/swift_proxy_authtoken_spec.rb
index d3aab9e2..893ea553 100644
--- a/spec/classes/swift_proxy_authtoken_spec.rb
+++ b/spec/classes/swift_proxy_authtoken_spec.rb
@@ -15,6 +15,19 @@ describe 'swift::proxy::authtoken' do
 '
 end
 
+ describe 'when using the default signing directory' do
+ let :file_defaults do
+ {
+ :mode => '0700',
+ :owner => 'swift',
+ :group => 'swift',
+ }
+ end
+ it {should contain_file('/var/cache/swift').with(
+ {:ensure => 'directory'}.merge(file_defaults)
+ )}
+ end
+
 let :fragment_file do
 "/var/lib/puppet/concat/_etc_swift_proxy-server.conf/fragments/22_swift_authtoken"
 end
@@ -24,7 +37,7 @@ describe 'swift::proxy::authtoken' do
 verify_contents(subject, fragment_file,
 [
 '[filter:authtoken]',
- 'signing_dir=/var/cache/swift',
+ 'signing_dir = /var/cache/swift',
 'paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory',
 'auth_host = 127.0.0.1',
 'auth_port = 35357',
@@ -50,6 +63,7 @@ describe 'swift::proxy::authtoken' do
 verify_contents(subject, fragment_file,
 [
 '[filter:authtoken]',
+ 'signing_dir = /var/cache/swift',
 'paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory',
 'auth_host = 127.0.0.1',
 'auth_port = 35357',
@@ -72,7 +86,8 @@ describe 'swift::proxy::authtoken' do
 :admin_tenant_name => 'admin',
 :admin_user => 'swiftuser',
 :admin_password => 'swiftpassword',
- :delay_auth_decision => '0'
+ :delay_auth_decision => '0',
+ :signing_dir => '/home/swift/keystone-signing'
 }
 end
 
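Review bot: `$signing_dir` becomes the `file` resource title in this hunk and is written verbatim into proxy-server.conf by `signing_dir = <%= @signing_dir %>` in the `templates/proxy/authtoken.conf.erb` hunk, yet nothing checks its value, while `$auth_admin_prefix` gets a `validate_re` just above. A value carrying a line break would add extra lines to the `[filter:authtoken]` section, and a relative path would only fail late at the file resource. I would restrict it to a single-line absolute path before the resource, for example `validate_re($signing_dir, '\A/[^\r\n]+\z')`. Only the leaf directory is managed with `0700` and `swift:swift`, so for an override such as `/home/swift/keystone-signing` the parent directories and the `swift` user are assumed to exist. The class body continues outside the hunk, so I cannot tell whether a `require` on the package already covers that.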
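Review bot: The override case in hunk `@@ -72,7 +86,8 @@` sets `:signing_dir => '/home/swift/keystone-signing'`, but the directory resource is asserted only for the default path in the `when using the default signing directory` block; for the override, only the rendered config line is checked. Mode and ownership are what protect the cached signing certificates, so the override context should pin them as well, for example `it { should contain_file('/home/swift/keystone-signing').with(:ensure => 'directory', :mode => '0700', :owner => 'swift', :group => 'swift') }`. The enclosing `describe` block starts and ends outside the hunk, so the exact placement needs checking against the full spec file.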
@@ -80,6 +95,7 @@ describe 'swift::proxy::authtoken' do
 verify_contents(subject, fragment_file,
 [
 '[filter:authtoken]',
+ 'signing_dir = /home/swift/keystone-signing',
 'paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory',
 'auth_host = some.host',
 'auth_port = 443',
diff --git a/spec/classes/swift_spec.rb b/spec/classes/swift_spec.rb
index a6c3abf0..8736c0db 100644
--- a/spec/classes/swift_spec.rb
+++ b/spec/classes/swift_spec.rb
@@ -42,9 +42,6 @@ describe 'swift' do
 it {should contain_file('/var/run/swift').with(
 {:ensure => 'directory'}.merge(file_defaults)
 )}
- it {should contain_file('/var/cache/swift').with(
- {:ensure => 'directory'}.merge(file_defaults)
- )}
 it {should contain_file('/etc/swift/swift.conf').with(
 {:ensure => 'present',
 :mode => '0660',
diff --git a/templates/proxy/authtoken.conf.erb b/templates/proxy/authtoken.conf.erb
index a18c35ca..c3eca2f8 100644
--- a/templates/proxy/authtoken.conf.erb
+++ b/templates/proxy/authtoken.conf.erb
@@ -1,5 +1,5 @@
 [filter:authtoken]
-signing_dir=/var/cache/swift
+signing_dir = <%= @signing_dir %>
 paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
 auth_host = <%= @auth_host %>
 auth_port = <%= @auth_port %>