puppet-swift/manifests/proxy/authtoken.pp
Emilien Macchi c0a1195f53 Improve File resources idempotency
* use selinux_ignore_defaults parameter for directory to avoid this kind
  of issue:
(...) seltype: seltype changed 'swift_var_run_t' to 'var_run_t'

* Do not manage ownership for /etc/swift/*-server to avoid this kind of
  issue:
(...) owner changed 'root' to 'swift'

* Do not manage /etc/init.d/swift-container-sync file, already managed
  by packaging:
~ dpkg -S /etc/init.d/swift-container-sync
swift-container: /etc/init.d/swift-container-sync

Change-Id: I1d742d118943fb0b11c47fd322052f50156e2994
2015-09-29 18:40:49 +00:00


#
# This class can be used to manage keystone's authtoken middleware
# for swift proxy. It creates the signing directory and contributes the
# authtoken section to /etc/swift/proxy-server.conf as a concat fragment.
#
# == Parameters
#
# [*admin_token*]
# Keystone admin token that can serve as a shared secret
# for authenticating. If this is chosen, it is used instead of a user, tenant, password.
# Optional. Defaults to false.
#
# [*admin_user*]
# User used to authenticate service.
# Optional. Defaults to 'swift'.
#
# [*admin_tenant_name*]
# Tenant used to authenticate service.
# Optional. Defaults to 'services'.
#
# [*admin_password*]
# Password used with user to authenticate service.
# Optional. Defaults to 'password'.
# NOTE(review): the default is a guessable placeholder; set a unique value
# per deployment rather than relying on it.
#
# [*delay_auth_decision*]
# Set to 1 to support token-less access (anonymous access, tempurl, ...)
# Optional. Defaults to 1.
# NOTE(review): with 1, requests without a valid token are presumably passed
# on to later middleware instead of being rejected here - confirm the proxy
# pipeline has an authorization filter after authtoken.
#
# [*auth_host*]
# Host providing the keystone service API endpoint. Optional.
# Deprecated: use auth_uri and identity_uri instead.
# Defaults to '127.0.0.1'.
#
# [*auth_port*]
# Port where keystone service is listening. Optional.
# Deprecated: use auth_uri and identity_uri instead.
# Defaults to '35357'.
#
# [*auth_protocol*]
# Protocol to use to communicate with keystone. Optional.
# Deprecated: use auth_uri and identity_uri instead.
# Defaults to 'http'.
# The fallback auth_uri is built from this value, so with the default the
# generated URL is plain HTTP; set auth_uri (and identity_uri) to https
# URLs when Keystone is not on the local host.
#
# [*auth_admin_prefix*]
# Path part of the auth url. Optional.
# Deprecated: use auth_uri and identity_uri instead.
# This allows admin auth URIs like http://host/keystone/admin/v2.0.
# Defaults to false for empty. If defined, should be a string with a leading '/' and no trailing '/'.
#
# [*auth_uri*]
# The public auth url to redirect unauthenticated requests.
# Defaults to false to be expanded to '${auth_protocol}://${auth_host}:5000'.
# Should be set to your public keystone endpoint (without version).
#
# [*identity_uri*]
# identity_uri points to the Keystone Admin service. This information is
# used by the middleware to actually query Keystone about the validity of the
# authentication tokens. It is not necessary to append any Keystone API version
# number to this URI.
# Defaults to false.
#
# [*signing_dir*]
# The cache directory for signing certificates.
# Managed here as a directory with mode 0700, owner and group 'swift'.
# Defaults to '/var/cache/swift'
#
# [*cache*]
# The cache backend to use
# Optional. Defaults to 'swift.cache'
#
# == Authors
#
# Dan Bode dan@puppetlabs.com
#
# == Copyright
#
# Copyright 2012 Puppetlabs Inc, unless otherwise noted.
#
class swift::proxy::authtoken(
$admin_user = 'swift',
# NOTE(review): placeholder credential; override it in every deployment.
$admin_tenant_name = 'services',
$admin_password = 'password',
$auth_uri = false,
$identity_uri = false,
$delay_auth_decision = 1,
$admin_token = false,
$signing_dir = '/var/cache/swift',
$cache = 'swift.cache',
# DEPRECATED PARAMETERS
$auth_host = '127.0.0.1',
$auth_port = '35357',
$auth_protocol = 'http',
$auth_admin_prefix = false,
) {
# Use the explicit auth_uri when given; otherwise build the public endpoint
# from the deprecated protocol/host parameters on port 5000.
if $auth_uri {
$auth_uri_real = $auth_uri
} else {
$auth_uri_real = "${auth_protocol}://${auth_host}:5000"
}
# if both auth_uri and identity_uri are set we skip these deprecated warnings
# auth_host, auth_port and auth_protocol have non-false defaults, so their
# warnings are emitted whenever either URI is left unset.
if !$auth_uri or !$identity_uri {
if $auth_host {
warning('The auth_host parameter is deprecated. Please use auth_uri and identity_uri instead.')
}
if $auth_port {
warning('The auth_port parameter is deprecated. Please use auth_uri and identity_uri instead.')
}
if $auth_protocol {
warning('The auth_protocol parameter is deprecated. Please use auth_uri and identity_uri instead.')
}
if $auth_admin_prefix {
warning('The auth_admin_prefix parameter is deprecated. Please use auth_uri and identity_uri instead.')
# Enforce a leading '/' and no trailing '/'. This check is only reached in
# this branch, so the prefix is not validated when both URIs are set.
validate_re($auth_admin_prefix, '^(/.+[^/])?$')
}
}
# Signing-certificate cache: readable and writable by the swift user only.
# selinux_ignore_defaults stops Puppet from applying the default SELinux
# context, which otherwise reports a seltype change on every run.
file { $signing_dir:
ensure => directory,
mode => '0700',
owner => 'swift',
group => 'swift',
selinux_ignore_defaults => true,
}
# Adds the authtoken section to the proxy configuration at position 22.
# NOTE(review): the template is not shown here; it presumably writes
# admin_password / admin_token into /etc/swift/proxy-server.conf. The target
# file's owner and mode are not set in this class - confirm they are
# restricted where the concat target is declared.
concat::fragment { 'swift_authtoken':
target => '/etc/swift/proxy-server.conf',
content => template('swift/proxy/authtoken.conf.erb'),
order => '22',
}
}