openstack/puppet-swift
Code Issues Proposed changes
Files
d443048fae953e03e4a9db53d5b5f518e6a17d2f
puppet-swift/manifests/proxy/s3token.pp
Takashi Kajinami 2f2183e9d6 Accept system scope credentials for Keystone API request 
This change is the first step to support secure RBAC and allows usage
of system scope credentials for Keystone API request.

This change covers the following three items.
 - assignment of system scope roles to system user
 - credential parameters for authtoken middleware
 - credential parameters for s3token middleware
 - credential parameters for ceilometer middleware

Depends-on: https://review.opendev.org/804325
Change-Id: I1923a5aed12a503f450c7d2e4a7784e4746fb46c
2022-01-25 15:20:39 +09:00

135 lines
4.0 KiB
Puppet
Raw Blame History

# == Class: swift::proxy::s3token
#
# Configure swift s3token.
#
# === Parameters
#
# [*auth_uri*]
# (optional) The Keystone server uri
# Defaults to http://127.0.0.1:5000
#
# [*reseller_prefix*]
# Prefix that will be prepended to the project to
# form the account
# Default to 'AUTH_'
#
# [*delay_auth_decision*]
# Enable downstream WSGI components to decide the
# validation of s3-style requests.
# Default to False
#
# [*http_timeout*]
# Connection timeout to be used during communicating
# with Keystone
# Default to $::os_service_default
#
# [*secret_cache_duration*]
# The number of seconds that secrets can be cached.
# Set this to some number greater than zero to enable
# caching, which will help to reduce latency for the
# client and load on Keystone.
# Default to 0
#
# [*auth_url*]
# (Optional) Keystone credentials used for secret caching
# The URL to use for authentication.
# Defaults to 'http://127.0.0.1:5000'
#
# [*auth_type*]
# (Optional) Keystone credentials used for secret caching
# The plugin for authentication
# Defaults to password
#
# [*username*]
# (Optional) Keystone credentials used for secret caching
# The name of the service user
# Defaults to swift
#
# [*user_domain_id*]
# (Optional) Keystone credentials used for secret caching
# id of domain for $username
# Defaults to default
#
# [*password*]
# (Optional) Keystone credentials used for secret caching
# The password for the user
# Defaults to password
#
# [*project_name*]
# (Optional) Keystone credentials used for secret caching
# Service project name
# Defaults to services
#
# [*project_domain_id*]
# (Optional) Keystone credentials used for secret caching
# id of domain for $project_name
# Defaults to default
#
# [*system_scope*]
# (Optional) Scope for system operations
# Defaults to $::os_service_default
#
# == Dependencies
#
# == Examples
#
# == Authors
#
# Francois Charlier fcharlier@ploup.net
#
# == Copyright
#
# Copyright 2012 eNovance licensing@enovance.com
#
class swift::proxy::s3token(
$auth_uri = 'http://127.0.0.1:5000',
$reseller_prefix = 'AUTH_',
$delay_auth_decision = false,
$http_timeout = $::os_service_default,
$secret_cache_duration = 0,
$auth_url = 'http://127.0.0.1:5000',
$auth_type = 'password',
$username = 'swift',
$user_domain_id = 'default',
$password = undef,
$project_name = 'services',
$project_domain_id = 'default',
$system_scope = $::os_service_default,
) {
include swift::deps
if $password == undef {
warning('Usage of the default password is deprecated and will be removed in a future release. \
Please set password parameter')
$password_real = 'password'
} else {
$password_real = $password
}
if is_service_default($system_scope) {
$project_name_real = $project_name
$project_domain_id_real = $project_domain_id
} else {
$project_name_real = $::os_service_default
$project_domain_id_real = $::os_service_default
}
swift_proxy_config {
'filter:s3token/use': value => 'egg:swift#s3token';
'filter:s3token/auth_uri': value => $auth_uri;
'filter:s3token/reseller_prefix': value => $reseller_prefix;
'filter:s3token/delay_auth_decision': value => $delay_auth_decision;
'filter:s3token/http_timeout': value => $http_timeout;
'filter:s3token/secret_cache_duration': value => $secret_cache_duration;
'filter:s3token/auth_url': value => $auth_url;
'filter:s3token/auth_type': value => $auth_type;
'filter:s3token/username': value => $username;
'filter:s3token/user_domain_id': value => $user_domain_id;
'filter:s3token/password': value => $password_real, secret => true;
'filter:s3token/project_name': value => $project_name_real;
'filter:s3token/project_domain_id': value => $project_domain_id_real;
'filter:s3token/system_scope': value => $system_scope;
}
}
View Git Blame Copy Permalink