X-Git-Url: https://git.donarmstrong.com/?a=blobdiff_plain;ds=sidebyside;f=3rdparty%2Fmodules%2Fkeystone%2Fmanifests%2Fresource%2Fauthtoken.pp;fp=3rdparty%2Fmodules%2Fkeystone%2Fmanifests%2Fresource%2Fauthtoken.pp;h=5165abb3a1bd5df7b4c6cc3d526e65829ffc8a19;hb=2dc39f2a756f82040d82cba324b21f44fad8ef3f;hp=0000000000000000000000000000000000000000;hpb=d4b6110c989169c702f039a4c7dc1b309685bba3;p=dsa-puppet.git
diff --git a/3rdparty/modules/keystone/manifests/resource/authtoken.pp b/3rdparty/modules/keystone/manifests/resource/authtoken.pp
new file mode 100644
index 00000000..5165abb3
--- /dev/null
+++ b/3rdparty/modules/keystone/manifests/resource/authtoken.pp
@@ -0,0 +1,253 @@
+# == Definition: keystone::resource::authtoken
+#
+# This resource configures Keystone authentication resources for an OpenStack
+# service. It will manage the [keystone_authtoken] section in the given
+# config resource. It supports all of the authentication parameters specified
+# at http://www.jamielennox.net/blog/2015/02/17/loading-authentication-plugins/
+# with the addition of the default domain for user and project.
+#
+# The username and project_name parameters may be given in the form
+# "name::domainname". The authtoken resource will use the domains in
+# the following order:
+# 1) The given domain parameter (user_domain_name or project_domain_name)
+# 2) The domain given as the "::domainname" part of username or project_name
+# 3) The default_domain_name
+#
+# For example, instead of doing this::
+#
+# glance_api_config {
+# 'keystone_authtoken/admin_tenant_name': value => $keystone_tenant;
+# 'keystone_authtoken/admin_user' : value => $keystone_user;
+# 'keystone_authtoken/admin_password' : value => $keystone_password;
+# secret => true;
+# ...
+# }
+#
+# manifests should do this instead::
+#
+# keystone::resource::authtoken { 'glance_api_config':
+# username => $keystone_user,
+# password => $keystone_password,
+# auth_url => $real_identity_uri,
+# project_name => $keystone_tenant,
+# user_domain_name => $keystone_user_domain,
+# project_domain_name => $keystone_project_domain,
+# default_domain_name => $keystone_default_domain,
+# cacert => $ca_file,
+# ...
+# }
+#
+# The use of `keystone::resource::authtoken` makes it easy to avoid mistakes,
+# and makes it easier to support some of the newer authentication types coming
+# with Keystone Kilo and later, such as Kerberos, Federation, etc.
+#
+# == Parameters:
+#
+# [*name*]
+# The name of the resource corresponding to the config file. For example,
+# keystone::resource::authtoken { 'glance_api_config': ... }
+# Where 'glance_api_config' is the name of the resource used to manage
+# the glance api configuration.
+# string; required
+#
+# [*username*]
+# The name of the service user;
+# string; required
+#
+# [*password*]
+# Password to create for the service user;
+# string; required
+#
+# [*auth_url*]
+# The URL to use for authentication.
+# string; required
+#
+# [*auth_plugin*]
+# The plugin to use for authentication.
+# string; optional: default to 'password'
+#
+# [*user_id*]
+# The ID of the service user;
+# string; optional: default to undef
+#
+# [*user_domain_name*]
+# (Optional) Name of domain for $username
+# Defaults to undef
+#
+# [*user_domain_id*]
+# (Optional) ID of domain for $username
+# Defaults to undef
+#
+# [*project_name*]
+# Service project name;
+# string; optional: default to undef
+#
+# [*project_id*]
+# Service project ID;
+# string; optional: default to undef
+#
+# [*project_domain_name*]
+# (Optional) Name of domain for $project_name
+# Defaults to undef
+#
+# [*project_domain_id*]
+# (Optional) ID of domain for $project_name
+# Defaults to undef
+#
+# [*domain_name*]
+# (Optional) Use this for auth to obtain a domain-scoped token.
+# If using this option, do not specify $project_name or $project_id.
+# Defaults to undef
+#
+# [*domain_id*]
+# (Optional) Use this for auth to obtain a domain-scoped token.
+# If using this option, do not specify $project_name or $project_id.
+# Defaults to undef
+#
+# [*default_domain_name*]
+# (Optional) Name of domain for $username and $project_name
+# If user_domain_name is not specified, use $default_domain_name
+# If project_domain_name is not specified, use $default_domain_name
+# Defaults to undef
+#
+# [*default_domain_id*]
+# (Optional) ID of domain for $user_id and $project_id
+# If user_domain_id is not specified, use $default_domain_id
+# If project_domain_id is not specified, use $default_domain_id
+# Defaults to undef
+#
+# [*trust_id*]
+# (Optional) Trust ID
+# Defaults to undef
+#
+# [*cacert*]
+# (Optional) CA certificate file for TLS (https)
+# Defaults to undef
+#
+# [*cert*]
+# (Optional) Certificate file for TLS (https)
+# Defaults to undef
+#
+# [*key*]
+# (Optional) Key file for TLS (https)
+# Defaults to undef
+#
+# [*insecure*]
+# If true, explicitly allow TLS without checking server cert against any
+# certificate authorities. WARNING: not recommended. Use with caution.
+# boolean; Defaults to false (which means be secure)
+#
+define keystone::resource::authtoken(
+ $username,
+ $password,
+ $auth_url,
+ $auth_plugin = 'password',
+ $user_id = undef,
+ $user_domain_name = undef,
+ $user_domain_id = undef,
+ $project_name = undef,
+ $project_id = undef,
+ $project_domain_name = undef,
+ $project_domain_id = undef,
+ $domain_name = undef,
+ $domain_id = undef,
+ $default_domain_name = undef,
+ $default_domain_id = undef,
+ $trust_id = undef,
+ $cacert = undef,
+ $cert = undef,
+ $key = undef,
+ $insecure = false,
+) {
+
+ if !$project_name and !$project_id and !$domain_name and !$domain_id {
+ fail('Must specify either a project (project_name or project_id, for a project scoped token) or a domain (domain_name or domain_id, for a domain scoped token)')
+ }
+
+ if ($project_name or $project_id) and ($domain_name or $domain_id) {
+ fail('Cannot specify both a project (project_name or project_id) and a domain (domain_name or domain_id)')
+ }
+
+ $user_and_domain_array = split($username, '::')
+ $real_username = $user_and_domain_array[0]
+ $real_user_domain_name = pick($user_domain_name, $user_and_domain_array[1], $default_domain_name, '__nodomain__')
+
+ $project_and_domain_array = split($project_name, '::')
+ $real_project_name = $project_and_domain_array[0]
+ $real_project_domain_name = pick($project_domain_name, $project_and_domain_array[1], $default_domain_name, '__nodomain__')
+
+ create_resources($name, {'keystone_authtoken/auth_plugin' => {'value' => $auth_plugin}})
+ create_resources($name, {'keystone_authtoken/auth_url' => {'value' => $auth_url}})
+ create_resources($name, {'keystone_authtoken/username' => {'value' => $real_username}})
+ create_resources($name, {'keystone_authtoken/password' => {'value' => $password, 'secret' => true}})
+ if $user_id {
+ create_resources($name, {'keystone_authtoken/user_id' => {'value' => $user_id}})
+ } else {
+ create_resources($name, {'keystone_authtoken/user_id' => {'ensure' => 'absent'}})
+ }
+ if $real_user_domain_name == '__nodomain__' {
+ create_resources($name, {'keystone_authtoken/user_domain_name' => {'ensure' => 'absent'}})
+ } else {
+ create_resources($name, {'keystone_authtoken/user_domain_name' => {'value' => $real_user_domain_name}})
+ }
+ if $user_domain_id {
+ create_resources($name, {'keystone_authtoken/user_domain_id' => {'value' => $user_domain_id}})
+ } elsif $default_domain_id {
+ create_resources($name, {'keystone_authtoken/user_domain_id' => {'value' => $default_domain_id}})
+ } else {
+ create_resources($name, {'keystone_authtoken/user_domain_id' => {'ensure' => 'absent'}})
+ }
+ if $project_name {
+ create_resources($name, {'keystone_authtoken/project_name' => {'value' => $real_project_name}})
+ } else {
+ create_resources($name, {'keystone_authtoken/project_name' => {'ensure' => 'absent'}})
+ }
+ if $project_id {
+ create_resources($name, {'keystone_authtoken/project_id' => {'value' => $project_id}})
+ } else {
+ create_resources($name, {'keystone_authtoken/project_id' => {'ensure' => 'absent'}})
+ }
+ if $real_project_domain_name == '__nodomain__' {
+ create_resources($name, {'keystone_authtoken/project_domain_name' => {'ensure' => 'absent'}})
+ } else {
+ create_resources($name, {'keystone_authtoken/project_domain_name' => {'value' => $real_project_domain_name}})
+ }
+ if $project_domain_id {
+ create_resources($name, {'keystone_authtoken/project_domain_id' => {'value' => $project_domain_id}})
+ } elsif $default_domain_id {
+ create_resources($name, {'keystone_authtoken/project_domain_id' => {'value' => $default_domain_id}})
+ } else {
+ create_resources($name, {'keystone_authtoken/project_domain_id' => {'ensure' => 'absent'}})
+ }
+ if $domain_name {
+ create_resources($name, {'keystone_authtoken/domain_name' => {'value' => $domain_name}})
+ } else {
+ create_resources($name, {'keystone_authtoken/domain_name' => {'ensure' => 'absent'}})
+ }
+ if $domain_id {
+ create_resources($name, {'keystone_authtoken/domain_id' => {'value' => $domain_id}})
+ } else {
+ create_resources($name, {'keystone_authtoken/domain_id' => {'ensure' => 'absent'}})
+ }
+ if $trust_id {
+ create_resources($name, {'keystone_authtoken/trust_id' => {'value' => $trust_id}})
+ } else {
+ create_resources($name, {'keystone_authtoken/trust_id' => {'ensure' => 'absent'}})
+ }
+ if $cacert {
+ create_resources($name, {'keystone_authtoken/cacert' => {'value' => $cacert}})
+ } else {
+ create_resources($name, {'keystone_authtoken/cacert' => {'ensure' => 'absent'}})
+ }
+ if $cert {
+ create_resources($name, {'keystone_authtoken/cert' => {'value' => $cert}})
+ } else {
+ create_resources($name, {'keystone_authtoken/cert' => {'ensure' => 'absent'}})
+ }
+ if $key {
+ create_resources($name, {'keystone_authtoken/key' => {'value' => $key}})
+ } else {
+ create_resources($name, {'keystone_authtoken/key' => {'ensure' => 'absent'}})
+ }
+ create_resources($name, {'keystone_authtoken/insecure' => {'value' => $insecure}})
+}