4d997af2cd
Under Debian, /var/cache/swift is set with unix rights 0755. This is a problem when using it as signing dir. Instead, it's much better to use /var/lib/swift, which is using 0750. This patch changes the default value to be stored in params.pp, and which now depends on the OS package type. It also fixes the matching tests. Change-Id: I4a73f8fc10a2bb9f62c9597b50d0ea3abe69f36e
166 lines
5.1 KiB
Puppet
166 lines
5.1 KiB
Puppet
#
|
|
# This class can be used to manage keystone's authtoken middleware
|
|
# for swift proxy
|
|
#
|
|
# == Parameters
|
|
#
|
|
# [*delay_auth_decision*]
|
|
# (Optional) Do not handle authorization requests within the middleware, but
|
|
# delegate the authorization decision to downstream WSGI components. Boolean value
|
|
# Defaults to 1
|
|
#
|
|
# [*signing_dir*]
|
|
# The cache directory for signing certificates.
|
|
# Defaults to $::swift::params::signing_dir
|
|
#
|
|
# [*cache*]
|
|
# The cache backend to use
|
|
# Optional. Defaults to 'swift.cache'
|
|
#
|
|
# [*auth_uri*]
|
|
# (Optional) Complete public Identity API endpoint.
|
|
# Defaults to 'http://127.0.0.1:5000'
|
|
#
|
|
# [*auth_url*]
|
|
# (Optional) The URL to use for authentication.
|
|
# Defaults to 'http://127.0.0.1:5000'
|
|
#
|
|
# [*auth_plugin*]
|
|
# (Optional) The plugin for authentication
|
|
# Defaults to 'password'
|
|
#
|
|
# [*username*]
|
|
# (Optional) The name of the service user
|
|
# Defaults to 'swift'
|
|
#
|
|
# [*password*]
|
|
# (Optional) The password for the user
|
|
# Defaults to 'password'
|
|
#
|
|
# [*project_name*]
|
|
# (Optional) Service project name
|
|
# Defaults to 'services'
|
|
#
|
|
# [*project_domain_id*]
|
|
# (Optional) id of domain for $project_name
|
|
# Defaults to 'default'
|
|
#
|
|
# [*user_domain_id*]
|
|
# (Optional) id of domain for $username
|
|
# Defaults to 'default'
|
|
#
|
|
# [*include_service_catalog*]
|
|
# (Optional) Indicate whether to set the X-Service-Catalog header. If False,
|
|
# middleware will not ask for service catalog on token validation and will
|
|
# not set the X-Service-Catalog header. Boolean value.
|
|
# Defaults to false
|
|
#
|
|
# == DEPRECATED
|
|
#
|
|
# [*admin_token*]
|
|
# (optional) Deprecated.
|
|
# Defaults to undef
|
|
#
|
|
# [*identity_uri*]
|
|
# (optional) Deprecated. Use auth_url instead.
|
|
# Defaults to undef
|
|
#
|
|
# [*admin_user*]
|
|
# (optional) Deprecated. Use username instead.
|
|
# Defaults to undef
|
|
#
|
|
# [*admin_tenant_name*]
|
|
# (optional) Deprecated. Use project_name instead.
|
|
# Defaults to undef
|
|
#
|
|
# [*admin_password*]
|
|
# (optional) Deprecated. Use password instead.
|
|
# Defaults to undef
|
|
#
|
|
# == Authors
|
|
#
|
|
# Dan Bode dan@puppetlabs.com
|
|
#
|
|
# == Copyright
|
|
#
|
|
# Copyright 2012 Puppetlabs Inc, unless otherwise noted.
|
|
#
|
|
class swift::proxy::authtoken(
|
|
$delay_auth_decision = 1,
|
|
$signing_dir = $::swift::params::signing_dir,
|
|
$cache = 'swift.cache',
|
|
$auth_uri = 'http://127.0.0.1:5000',
|
|
$auth_url = 'http://127.0.0.1:5000',
|
|
$auth_plugin = 'password',
|
|
$project_domain_id = 'default',
|
|
$user_domain_id = 'default',
|
|
$project_name = 'services',
|
|
$username = 'swift',
|
|
$password = 'password',
|
|
$include_service_catalog = false,
|
|
# DEPRECATED PARAMETERS
|
|
$admin_user = undef,
|
|
$admin_tenant_name = undef,
|
|
$admin_password = undef,
|
|
$identity_uri = undef,
|
|
$admin_token = undef,
|
|
) inherits swift::params {
|
|
|
|
include ::swift::deps
|
|
|
|
if $admin_token {
|
|
warning('admin_token is deprecated, has no usage and will be removed in the O release')
|
|
}
|
|
|
|
if $identity_uri {
|
|
warning('identity_uri is deprecated and will be removed, please use auth_url instead')
|
|
}
|
|
|
|
if $admin_user {
|
|
warning('admin_user is deprecated and will be removed, please use username instead')
|
|
}
|
|
|
|
if $admin_tenant_name {
|
|
warning('admin_tenant_name is deprecated and will be removed, please use project_name instead')
|
|
}
|
|
|
|
if $admin_password {
|
|
warning('admin_password is deprecated and will be removed, please use password instead')
|
|
}
|
|
|
|
$auth_url_real = pick($identity_uri, $auth_url)
|
|
$username_real = pick($admin_user, $username)
|
|
$project_name_real = pick($admin_tenant_name, $project_name)
|
|
$password_real = pick($admin_password, $password)
|
|
|
|
if ($::os_package_type != 'debian') {
|
|
file { $signing_dir:
|
|
ensure => directory,
|
|
mode => '0700',
|
|
owner => 'swift',
|
|
group => 'swift',
|
|
selinux_ignore_defaults => true,
|
|
require => Anchor['swift::config::begin'],
|
|
before => Anchor['swift::config::end'],
|
|
}
|
|
}
|
|
|
|
|
|
swift_proxy_config {
|
|
'filter:authtoken/log_name': value => 'swift';
|
|
'filter:authtoken/signing_dir': value => $signing_dir;
|
|
'filter:authtoken/paste.filter_factory': value => 'keystonemiddleware.auth_token:filter_factory';
|
|
'filter:authtoken/www_authenticate_uri': value => $auth_uri;
|
|
'filter:authtoken/auth_url': value => $auth_url_real;
|
|
'filter:authtoken/auth_plugin': value => $auth_plugin;
|
|
'filter:authtoken/project_domain_id': value => $project_domain_id;
|
|
'filter:authtoken/user_domain_id': value => $user_domain_id;
|
|
'filter:authtoken/project_name': value => $project_name_real;
|
|
'filter:authtoken/username': value => $username_real;
|
|
'filter:authtoken/password': value => $password_real;
|
|
'filter:authtoken/delay_auth_decision': value => $delay_auth_decision;
|
|
'filter:authtoken/cache': value => $cache;
|
|
'filter:authtoken/include_service_catalog': value => $include_service_catalog;
|
|
}
|
|
}
|