X-Git-Url: https://git.donarmstrong.com/?a=blobdiff_plain;f=3rdparty%2Fmodules%2Fkeystone%2Fmanifests%2Finit.pp;h=20c2011e318bcd25156700e38c4f17c33f94f73a;hb=71a236efd9f45828d875a0a5fd025108bb1dcada;hp=d43bcd2ee57f52d8db7857eb747a25e315873001;hpb=b8fa2c1a5ec9dbcd1d2f9e9b41afdde4c603aa35;p=dsa-puppet.git
diff --git a/3rdparty/modules/keystone/manifests/init.pp b/3rdparty/modules/keystone/manifests/init.pp
index d43bcd2e..20c2011e 100644
--- a/3rdparty/modules/keystone/manifests/init.pp
+++ b/3rdparty/modules/keystone/manifests/init.pp
@@ -3,160 +3,240 @@ # # == Parameters # -# [package_ensure] Desired ensure state of packages. Optional. Defaults to present. -# accepts latest or specific versions. -# [bind_host] Host that keystone binds to. -# [bind_port] Port that keystone binds to. -# [public_port] -# [compute_port] -# [admin_port] -# [admin_port] Port that can be used for admin tasks. -# [admin_token] Admin token that can be used to authenticate as a keystone -# admin. Required. -# [verbose] Rather keystone should log at verbose level. Optional. -# Defaults to False. -# [debug] Rather keystone should log at debug level. Optional. -# Defaults to False. -# [use_syslog] Use syslog for logging. Optional. -# Defaults to False. -# [log_facility] Syslog facility to receive log lines. Optional. -# [catalog_type] Type of catalog that keystone uses to store endpoints,services. Optional. -# Defaults to sql. (Also accepts template) -# [catalog_driver] Catalog driver used by Keystone to store endpoints and services. Optional. -# Setting this value will override and ignore catalog_type. -# [catalog_template_file] Path to the catalog used if catalog_type equals 'template'. -# Defaults to '/etc/keystone/default_catalog.templates' -# [token_provider] Format keystone uses for tokens. Optional. -# Defaults to 'keystone.token.providers.uuid.Provider' -# Supports PKI and UUID. -# [token_driver] Driver to use for managing tokens. -# Optional. Defaults to 'keystone.token.persistence.backends.sql.Token' -# [token_expiration] Amount of time a token should remain valid (seconds). -# Optional. Defaults to 3600 (1 hour). -# [token_format] Deprecated: Use token_provider instead. -# [cache_dir] Directory created when token_provider is pki. Optional. -# Defaults to /var/cache/keystone. -# -# [memcache_servers] -# List of memcache servers in format of server:port. -# Used with token_driver 'keystone.token.backends.memcache.Token'. -# Optional. Defaults to false. 
Example: ['localhost:11211'] -# -# [cache_backend] -# Dogpile.cache backend module. It is recommended that Memcache with pooling -# (keystone.cache.memcache_pool) or Redis (dogpile.cache.redis) be used in production. -# This has no effects unless 'memcache_servers' is set. -# Optional. Defaults to 'keystone.common.cache.noop' -# -# [cache_backend_argument] -# List of arguments in format of argname:value supplied to the backend module. -# Specify this option once per argument to be passed to the dogpile.cache backend. -# This has no effects unless 'memcache_servers' is set. -# Optional. Default to undef. -# -# [debug_cache_backend] -# Extra debugging from the cache backend (cache keys, get/set/delete calls). -# This has no effects unless 'memcache_servers' is set. -# Optional. Default to false. -# -# [token_caching] -# Toggle for token system caching. This has no effects unless 'memcache_servers' is set. -# Optional. Default to true. -# -# [enabled] If the keystone services should be enabled. Optional. Default to true. -# -# [*database_connection*] -# (optional) Url used to connect to database. -# Defaults to sqlite:////var/lib/keystone/keystone.db -# -# [*sql_connection*] -# (optional) Deprecated. Use database_connection instead. -# -# [*database_idle_timeout*] -# (optional) Timeout when db connections should be reaped. -# Defaults to 200. -# -# [*idle_timeout*] -# (optional) Deprecated. Use database_idle_timeout instead. -# -# [enable_pki_setup] Enable call to pki_setup to generate the cert for signing pki tokens and -# revocation lists if it doesn't already exist. This generates a cert and key stored in file -# locations based on the signing_certfile and signing_keyfile paramters below. If you are -# providing your own signing cert, make this false. -# [signing_certfile] Location of the cert file for signing pki tokens and revocation lists. -# Optional. Note that if this file already exists (i.e. 
you are providing your own signing cert), -# the file will not be overwritten, even if enable_pki_setup is set to true. -# Default: /etc/keystone/ssl/certs/signing_cert.pem -# [signing_keyfile] Location of the key file for signing pki tokens and revocation lists. Optional. -# Note that if this file already exists (i.e. you are providing your own signing cert), the file -# will not be overwritten, even if enable_pki_setup is set to true. -# Default: /etc/keystone/ssl/private/signing_key.pem -# [signing_ca_certs] Use this CA certs file along with signing_certfile/signing_keyfile for -# signing pki tokens and revocation lists. Optional. Default: /etc/keystone/ssl/certs/ca.pem -# [signing_ca_key] Use this CA key file along with signing_certfile/signing_keyfile for signing -# pki tokens and revocation lists. Optional. Default: /etc/keystone/ssl/private/cakey.pem -# -# [*signing_cert_subject*] +# [*package_ensure*] +# (optional) Desired ensure state of packages. +# accepts latest or specific versions. +# Defaults to present. +# +# [*client_package_ensure*] +# (optional) Desired ensure state of the client package. +# accepts latest or specific versions. +# Defaults to present. +# +# [*public_port*] +# (optional) Port that keystone binds to. +# Defaults to '5000' +# +# [*compute_port*] +# (optional) DEPRECATED The port for compute servie. +# Defaults to '8774' +# +# [*admin_port*] +# (optional) Port that can be used for admin tasks. +# Defaults to '35357' +# +# [*admin_token*] +# Admin token that can be used to authenticate as a keystone +# admin. Required. +# +# [*verbose*] +# (optional) Rather keystone should log at verbose level. +# Defaults to false. +# +# [*debug*] +# (optional) Rather keystone should log at debug level. +# Defaults to False. +# +# [*use_syslog*] +# (optional) Use syslog for logging. +# Defaults to false. +# +# [*log_facility*] +# (optional) Syslog facility to receive log lines. +# Defaults to 'LOG_USER'. 
+# +# [*catalog_type*] +# (optional) Type of catalog that keystone uses to store endpoints,services. +# Defaults to sql. (Also accepts template) +# +# [*catalog_driver*] +# (optional) Catalog driver used by Keystone to store endpoints and services. +# Setting this value will override and ignore catalog_type. +# Defaults to false. +# +# [*catalog_template_file*] +# (optional) Path to the catalog used if catalog_type equals 'template'. +# Defaults to '/etc/keystone/default_catalog.templates' +# +# [*token_provider*] +# (optional) Format keystone uses for tokens. +# Defaults to 'keystone.token.providers.uuid.Provider' +# Supports PKI, PKIZ, Fernet, and UUID. +# +# [*token_driver*] +# (optional) Driver to use for managing tokens. +# Defaults to 'keystone.token.persistence.backends.sql.Token' +# +# [*token_expiration*] +# (optional) Amount of time a token should remain valid (seconds). +# Defaults to 3600 (1 hour). +# +# [*revoke_driver*] +# (optional) Driver for token revocation. +# Defaults to 'keystone.contrib.revoke.backends.sql.Revoke' +# +# [*cache_dir*] +# (optional) Directory created when token_provider is pki. +# Defaults to /var/cache/keystone. +# +# [*memcache_servers*] +# (optional) List of memcache servers in format of server:port. +# Used with token_driver 'keystone.token.backends.memcache.Token'. +# Defaults to false. Example: ['localhost:11211'] +# +# [*cache_backend*] +# (optional) Dogpile.cache backend module. It is recommended that Memcache with pooling +# (keystone.cache.memcache_pool) or Redis (dogpile.cache.redis) be used in production. +# This has no effects unless 'memcache_servers' is set. +# Defaults to 'keystone.common.cache.noop' +# +# [*cache_backend_argument*] +# (optional) List of arguments in format of argname:value supplied to the backend module. +# Specify this option once per argument to be passed to the dogpile.cache backend. +# This has no effects unless 'memcache_servers' is set. +# Default to undef. 
+# +# [*debug_cache_backend*] +# (optional) Extra debugging from the cache backend (cache keys, get/set/delete calls). +# This has no effects unless 'memcache_servers' is set. +# Default to false. +# +# [*token_caching*] +# (optional) Toggle for token system caching. This has no effects unless 'memcache_servers' is set. +# Default to true. +# +# [*manage_service*] +# (Optional) If Puppet should manage service startup / shutdown. +# Defaults to true. +# +# [*enabled*] +# (optional) If the keystone services should be enabled. +# Default to true. +# +# [*database_connection*] +# (optional) Url used to connect to database. +# Defaults to sqlite:////var/lib/keystone/keystone.db +# +# [*database_idle_timeout*] +# (optional) Timeout when db connections should be reaped. +# Defaults to 200. +# +# [*enable_pki_setup*] +# (optional) Enable call to pki_setup to generate the cert for signing pki tokens and +# revocation lists if it doesn't already exist. This generates a cert and key stored in file +# locations based on the signing_certfile and signing_keyfile paramters below. If you are +# providing your own signing cert, make this false. +# Default to true. +# +# [*signing_certfile*] +# (optional) Location of the cert file for signing pki tokens and revocation lists. +# Note that if this file already exists (i.e. you are providing your own signing cert), +# the file will not be overwritten, even if enable_pki_setup is set to true. +# Default: /etc/keystone/ssl/certs/signing_cert.pem +# +# [*signing_keyfile*] +# (optional) Location of the key file for signing pki tokens and revocation lists. +# Note that if this file already exists (i.e. you are providing your own signing cert), the file +# will not be overwritten, even if enable_pki_setup is set to true. +# Default: /etc/keystone/ssl/private/signing_key.pem +# +# [*signing_ca_certs*] +# (optional) Use this CA certs file along with signing_certfile/signing_keyfile for +# signing pki tokens and revocation lists. 
+# Default: /etc/keystone/ssl/certs/ca.pem +# +# [*signing_ca_key*] +# (optional) Use this CA key file along with signing_certfile/signing_keyfile for signing +# pki tokens and revocation lists. +# Default: /etc/keystone/ssl/private/cakey.pem +# +# [*signing_cert_subject*] # (optional) Certificate subject (auto generated certificate) for token signing. # Defaults to '/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com' # -# [*signing_key_size*] +# [*signing_key_size*] # (optional) Key size (in bits) for token signing cert (auto generated certificate) # Defaults to 2048 # -# [rabbit_host] Location of rabbitmq installation. Optional. Defaults to localhost. -# [rabbit_port] Port for rabbitmq instance. Optional. Defaults to 5672. -# [rabbit_hosts] Location of rabbitmq installation. Optional. Defaults to undef. -# [rabbit_password] Password used to connect to rabbitmq. Optional. Defaults to guest. -# [rabbit_userid] User used to connect to rabbitmq. Optional. Defaults to guest. -# [rabbit_virtual_host] The RabbitMQ virtual host. Optional. Defaults to /. +# [*rabbit_host*] +# (optional) Location of rabbitmq installation. +# Defaults to localhost. # -# [*rabbit_use_ssl*] -# (optional) Connect over SSL for RabbitMQ -# Defaults to false +# [*rabbit_port*] +# (optional) Port for rabbitmq instance. +# Defaults to 5672. # -# [*kombu_ssl_ca_certs*] -# (optional) SSL certification authority file (valid only if SSL enabled). -# Defaults to undef +# [*rabbit_hosts*] +# (optional) Location of rabbitmq installation. +# Defaults to undef. # -# [*kombu_ssl_certfile*] -# (optional) SSL cert file (valid only if SSL enabled). -# Defaults to undef +# [*rabbit_password*] +# (optional) Password used to connect to rabbitmq. +# Defaults to guest. # -# [*kombu_ssl_keyfile*] -# (optional) SSL key file (valid only if SSL enabled). -# Defaults to undef +# [*rabbit_userid*] +# (optional) User used to connect to rabbitmq. +# Defaults to guest. 
# -# [*kombu_ssl_version*] -# (optional) SSL version to use (valid only if SSL enabled). -# Valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may be -# available on some distributions. -# Defaults to 'TLSv1' +# [*rabbit_virtual_host*] +# (optional) The RabbitMQ virtual host. +# Defaults to /. # -# [notification_driver] RPC driver. Not enabled by default -# [notification_topics] AMQP topics to publish to when using the RPC notification driver. -# [control_exchange] AMQP exchange to connect to if using RabbitMQ or Qpid +# [*rabbit_use_ssl*] +# (optional) Connect over SSL for RabbitMQ +# Defaults to false +# +# [*kombu_ssl_ca_certs*] +# (optional) SSL certification authority file (valid only if SSL enabled). +# Defaults to undef +# +# [*kombu_ssl_certfile*] +# (optional) SSL cert file (valid only if SSL enabled). +# Defaults to undef +# +# [*kombu_ssl_keyfile*] +# (optional) SSL key file (valid only if SSL enabled). +# Defaults to undef +# +# [*kombu_ssl_version*] +# (optional) SSL version to use (valid only if SSL enabled). +# Valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may be +# available on some distributions. +# Defaults to 'TLSv1' +# +# [*notification_driver*] +# RPC driver. Not enabled by default +# +# [*notification_topics*] +# (optional) AMQP topics to publish to when using the RPC notification driver. +# Default to false. +# +# [*notification_format*] +# Format for the notifications. Valid values are 'basic' and 'cadf'. +# Default to undef +# +# [*control_exchange*] +# (optional) AMQP exchange to connect to if using RabbitMQ or Qpid +# Default to false. # -# [*public_bind_host*] +# [*public_bind_host*] # (optional) The IP address of the public network interface to listen on -# Deprecates bind_host # Default to '0.0.0.0'. # -# [*admin_bind_host*] +# [*admin_bind_host*] # (optional) The IP address of the public network interface to listen on -# Deprecates bind_host # Default to '0.0.0.0'. 
# -# [*log_dir*] +# [*log_dir*] # (optional) Directory where logs should be stored # If set to boolean false, it will not log to any directory # Defaults to '/var/log/keystone' # -# [*log_file*] +# [*log_file*] # (optional) Where to log # Defaults to false # -# [*public_endpoint*] +# [*public_endpoint*] # (optional) The base public endpoint URL for keystone that are # advertised to clients (NOTE: this does NOT affect how # keystone listens for connections) (string value) @@ -164,7 +244,7 @@ # Sample value: 'http://localhost:5000/' # Defaults to false # -# [*admin_endpoint*] +# [*admin_endpoint*] # (optional) The base admin endpoint URL for keystone that are # advertised to clients (NOTE: this does NOT affect how keystone listens # for connections) (string value) 
@@ -172,63 +252,63 @@ # Sample value: 'http://localhost:35357/' # Defaults to false # -# [*enable_ssl*] +# [*enable_ssl*] # (optional) Toggle for SSL support on the keystone eventlet servers. # (boolean value) # Defaults to false # -# [*ssl_certfile*] +# [*ssl_certfile*] # (optional) Path of the certfile for SSL. (string value) # Defaults to '/etc/keystone/ssl/certs/keystone.pem' # -# [*ssl_keyfile*] +# [*ssl_keyfile*] # (optional) Path of the keyfile for SSL. (string value) # Defaults to '/etc/keystone/ssl/private/keystonekey.pem' # -# [*ssl_ca_certs*] +# [*ssl_ca_certs*] # (optional) Path of the ca cert file for SSL. (string value) # Defaults to '/etc/keystone/ssl/certs/ca.pem' # -# [*ssl_ca_key*] +# [*ssl_ca_key*] # (optional) Path of the CA key file for SSL (string value) # Defaults to '/etc/keystone/ssl/private/cakey.pem' # -# [*ssl_cert_subject*] +# [*ssl_cert_subject*] # (optional) SSL Certificate Subject (auto generated certificate) # (string value) # Defaults to '/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost' # -# [*mysql_module*] +# [*mysql_module*] # (optional) Deprecated. Does nothing. # -# [*validate_service*] +# [*validate_service*] # (optional) Whether to validate keystone connections after # the service is started. # Defaults to false # -# [*validate_insecure*] +# [*validate_insecure*] # (optional) Whether to validate keystone connections # using the --insecure option with keystone client. # Defaults to false # -# [*validate_cacert*] +# [*validate_cacert*] # (optional) Whether to validate keystone connections # using the specified argument with the --os-cacert option # with keystone client. # Defaults to undef # -# [*validate_auth_url*] +# [*validate_auth_url*] # (optional) The url to validate keystone against # Defaults to undef # -# [*service_provider*] +# [*service_provider*] # (optional) Provider, that can be used for keystone service. # Default value defined in keystone::params for given operation system. 
# If you use Pacemaker or another Cluster Resource Manager, you can make # custom service provider for changing start/stop/status behavior of service, # and set it here. # -# [*service_name*] +# [*service_name*] # (optional) Name of the service that will be providing the # server functionality of keystone. For example, the default # is just 'keystone', which means keystone will be run as a 
@@ -242,8 +322,46 @@ # web service. For example, after calling class {'keystone'...} # use class { 'keystone::wsgi::apache'...} to make keystone be # a web app using apache mod_wsgi. -# Defaults to 'keystone' -# NOTE: validate_service only applies if the value is 'keystone' +# Defaults to '$::keystone::params::service_name' +# NOTE: validate_service only applies if the default value is used. +# +# [*paste_config*] +# (optional) Name of the paste configuration file that defines the +# available pipelines. (string value) +# Defaults to '/usr/share/keystone/keystone-dist-paste.ini' on RedHat and +# undef on other platforms. +# +# [*max_token_size*] +# (optional) maximum allowable Keystone token size +# Defaults to undef +# +# [*admin_workers*] +# (optional) The number of worker processes to serve the admin WSGI application. +# Defaults to max($::processorcount, 2) +# +# [*public_workers*] +# (optional) The number of worker processes to serve the public WSGI application. +# Defaults to max($::processorcount, 2) +# +# [*sync_db*] +# (Optional) Run db sync on the node. +# Defaults to true +# +# [*enable_fernet_setup*] +# (Optional) Setup keystone for fernet tokens. This is typically only +# run on a single node, then the keys are replicated to the other nodes +# in a cluster. You would typically also pair this with a fernet token +# provider setting. +# Defaults to false +# +# [*fernet_key_repository*] +# (Optional) Location for the fernet key repository. This value must +# be set if enable_fernet_setup is set to true. +# Defaults to '/etc/keystone/fernet-keys' +# +# [*fernet_max_active_keys*] +# (Optional) Number of maximum active Fernet keys. Integer > 0. +# Defaults to undef # # == Dependencies # None 
@@ -277,12 +395,11 @@
 class keystone(
 $admin_token,
 $package_ensure = 'present',
- $bind_host = false,
+ $client_package_ensure = 'present',
 $public_bind_host = '0.0.0.0',
 $admin_bind_host = '0.0.0.0',
 $public_port = '5000',
 $admin_port = '35357',
- $compute_port = '8774',
 $verbose = false,
 $debug = false,
 $log_dir = '/var/log/keystone',
@@ -292,10 +409,10 @@ class keystone(
 $catalog_type = 'sql',
 $catalog_driver = false,
 $catalog_template_file = '/etc/keystone/default_catalog.templates',
- $token_format = false,
 $token_provider = 'keystone.token.providers.uuid.Provider',
 $token_driver = 'keystone.token.persistence.backends.sql.Token',
 $token_expiration = 3600,
+ $revoke_driver = 'keystone.contrib.revoke.backends.sql.Revoke',
 $public_endpoint = false,
 $admin_endpoint = false,
 $enable_ssl = false,
@@ -306,6 +423,7 @@ class keystone(
 $ssl_cert_subject = '/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost',
 $cache_dir = '/var/cache/keystone',
 $memcache_servers = false,
+ $manage_service = true,
 $cache_backend = 'keystone.common.cache.noop',
 $cache_backend_argument = undef,
 $debug_cache_backend = false,
@@ -333,17 +451,25 @@ class keystone(
 $kombu_ssl_version = 'TLSv1',
 $notification_driver = false,
 $notification_topics = false,
+ $notification_format = undef,
 $control_exchange = false,
 $validate_service = false,
 $validate_insecure = false,
 $validate_auth_url = false,
 $validate_cacert = undef,
+ $paste_config = $::keystone::params::paste_config,
 $service_provider = $::keystone::params::service_provider,
- $service_name = 'keystone',
+ $service_name = $::keystone::params::service_name,
+ $max_token_size = undef,
+ $admin_workers = max($::processorcount, 2),
+ $public_workers = max($::processorcount, 2),
+ $sync_db = true,
+ $enable_fernet_setup = false,
+ $fernet_key_repository = '/etc/keystone/fernet-keys',
+ $fernet_max_active_keys = undef,
 # DEPRECATED PARAMETERS
 $mysql_module = undef,
- $sql_connection = undef,
- $idle_timeout = undef,
+ $compute_port = undef,
 ) inherits keystone::params {
 if ! $catalog_driver {
@@ -354,20 +480,6 @@ class keystone(
 warning('The mysql_module parameter is deprecated. The latest 2.x mysql module will be used.')
 }
- if $sql_connection {
- warning('The sql_connection parameter is deprecated, use database_connection instead.')
- $database_connection_real = $sql_connection
- } else {
- $database_connection_real = $database_connection
- }
-
- if $idle_timeout {
- warning('The idle_timeout parameter is deprecated, use database_idle_timeout instead.')
- $database_idle_timeout_real = $idle_timeout
- } else {
- $database_idle_timeout_real = $database_idle_timeout
- }
-
 if ($admin_endpoint and 'v2.0' in $admin_endpoint) {
 warning('Version string /v2.0/ should not be included in keystone::admin_endpoint')
 }
@@ -391,6 +503,8 @@ class keystone(
 File['/etc/keystone/keystone.conf'] -> Keystone_config<||> ~> Service[$service_name]
 Keystone_config<||> ~> Exec<| title == 'keystone-manage db_sync'|>
 Keystone_config<||> ~> Exec<| title == 'keystone-manage pki_setup'|>
+ Keystone_config<||> ~> Exec<| title == 'keystone-manage fernet_setup'|>
+
 include ::keystone::params
 package { 'keystone':
@@ -398,10 +512,12 @@ class keystone(
 name => $::keystone::params::package_name,
 tag => 'openstack',
 }
- # TODO: Move this to openstacklib::openstackclient in Kilo
- package { 'python-openstackclient':
- ensure => present,
- tag => 'openstack',
+ if $client_package_ensure == 'present' {
+ include '::openstacklib::openstackclient'
+ } else {
+ class { '::openstacklib::openstackclient':
+ package_ensure => $client_package_ensure,
+ }
 }
 group { 'keystone':
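Review bot: In the second hunk the `else` branch declares `class { '::openstacklib::openstackclient': package_ensure => $client_package_ensure }` resource-style, which Puppet rejects with a duplicate-declaration error if any other class in the same catalog has already included `::openstacklib::openstackclient`, whereas the `include` taken for the default value composes freely; a non-default `client_package_ensure` therefore changes the module's composability in a way nothing here documents. This cannot be made order-independent locally without `ensure_resource`/`defined`, which have their own pitfalls, so at least record the contract next to the branch: `# resource-like declaration: must be the first declaration of openstacklib::openstackclient in the catalog`. The enclosing `class keystone` body continues outside this hunk.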
@@ -435,27 +551,27 @@ class keystone(
 notify => Service[$service_name],
 }
- if $bind_host {
- warning('The bind_host parameter is deprecated, use public_bind_host and admin_bind_host instead.')
- $public_bind_host_real = $bind_host
- $admin_bind_host_real = $bind_host
- } else {
- $public_bind_host_real = $public_bind_host
- $admin_bind_host_real = $admin_bind_host
- }
-
- # default config
 keystone_config {
 'DEFAULT/admin_token': value => $admin_token, secret => true;
- 'DEFAULT/public_bind_host': value => $public_bind_host_real;
- 'DEFAULT/admin_bind_host': value => $admin_bind_host_real;
+ 'DEFAULT/public_bind_host': value => $public_bind_host;
+ 'DEFAULT/admin_bind_host': value => $admin_bind_host;
 'DEFAULT/public_port': value => $public_port;
 'DEFAULT/admin_port': value => $admin_port;
- 'DEFAULT/compute_port': value => $compute_port;
 'DEFAULT/verbose': value => $verbose;
 'DEFAULT/debug': value => $debug;
 }
+ if $compute_port {
+ warning('The compute_port parameter is deprecated and will be removed in L')
+ keystone_config {
+ 'DEFAULT/compute_port': value => $compute_port;
+ }
+ } else {
+ keystone_config {
+ 'DEFAULT/compute_port': ensure => absent;
+ }
+ }
+
 # Endpoint configuration
 if $public_endpoint {
 keystone_config {
@@ -489,6 +605,16 @@ class keystone(
 'token/expiration': value => $token_expiration;
 }
+ if $revoke_driver {
+ keystone_config {
+ 'revoke/driver': value => $revoke_driver;
+ }
+ } else {
+ keystone_config {
+ 'revoke/driver': ensure => absent;
+ }
+ }
+
 # ssl config
 if ($enable_ssl) {
 keystone_config {
@@ -505,15 +631,15 @@ class keystone(
 }
 }
- if($database_connection_real =~ /mysql:\/\/\S+:\S+@\S+\/\S+/) {
+ if($database_connection =~ /mysql:\/\/\S+:\S+@\S+\/\S+/) {
 require 'mysql::bindings'
 require 'mysql::bindings::python'
- } elsif($database_connection_real =~ /postgresql:\/\/\S+:\S+@\S+\/\S+/) {
+ } elsif($database_connection =~ /postgresql:\/\/\S+:\S+@\S+\/\S+/) {
- } elsif($database_connection_real =~ /sqlite:\/\//) {
+ } elsif($database_connection =~ /sqlite:\/\//) {
 } else {
- fail("Invalid db connection ${database_connection_real}")
+ fail("Invalid db connection ${database_connection}")
 }
 # memcache connection config
@@ -550,8 +676,8 @@ class keystone(
 # db connection config
 keystone_config {
- 'database/connection': value => $database_connection_real, secret => true;
- 'database/idle_timeout': value => $database_idle_timeout_real;
+ 'database/connection': value => $database_connection, secret => true;
+ 'database/idle_timeout': value => $database_idle_timeout;
 }
 # configure based on the catalog backend
@@ -570,13 +696,6 @@ class keystone(
 'catalog/template_file': value => $catalog_template_file;
 }
- if $token_format {
- warning('token_format parameter is deprecated. Use token_provider instead.')
- }
-
- # remove the old format in case of an upgrade
- keystone_config { 'signing/token_format': ensure => absent }
-
 # Set the signing key/cert configuration values.
 keystone_config {
 'signing/certfile': value => $signing_certfile;
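Review bot: The rewritten `fail("Invalid db connection ${database_connection}")` in the first hunk interpolates the whole connection URL into the compile error, and a value that misses the `mysql://user:pass@host/db` or `postgresql://` pattern by a small margin still carries the `user:password@` part, so the database password ends up in agent logs and reports; the same value is written to keystone.conf with `secret => true` in the second hunk, which shows the author regards it as sensitive. Report a fixed message instead, e.g. `fail('Invalid database_connection: expected a mysql://, postgresql:// or sqlite:// URL')`. The empty postgresql and sqlite branches predate this commit, so only the renamed `fail` line is at issue.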
@@ -607,12 +726,12 @@ class keystone(
 }
 }
- if ($token_format == false and $token_provider == 'keystone.token.providers.pki.Provider') or $token_format == 'PKI' {
- keystone_config { 'token/provider': value => 'keystone.token.providers.pki.Provider' }
- } elsif $token_format == 'UUID' {
- keystone_config { 'token/provider': value => 'keystone.token.providers.uuid.Provider' }
+ keystone_config { 'token/provider': value => $token_provider }
+
+ if $max_token_size {
+ keystone_config { 'DEFAULT/max_token_size': value => $max_token_size }
 } else {
- keystone_config { 'token/provider': value => $token_provider }
+ keystone_config { 'DEFAULT/max_token_size': ensure => absent }
 }
 if $notification_driver {
@@ -625,6 +744,11 @@ class keystone(
 } else {
 keystone_config { 'DEFAULT/notification_topics': ensure => absent }
 }
+ if $notification_format {
+ keystone_config { 'DEFAULT/notification_format': value => $notification_format }
+ } else {
+ keystone_config { 'DEFAULT/notification_format': ensure => absent }
+ }
 if $control_exchange {
 keystone_config { 'DEFAULT/control_exchange': value => $control_exchange }
 } else {
@@ -664,13 +788,22 @@ class keystone(
 }
 }
- if $enabled {
- $service_ensure = 'running'
+ keystone_config {
+ 'DEFAULT/admin_workers': value => $admin_workers;
+ 'DEFAULT/public_workers': value => $public_workers;
+ }
+
+ if $manage_service {
+ if $enabled {
+ $service_ensure = 'running'
+ } else {
+ $service_ensure = 'stopped'
+ }
 } else {
- $service_ensure = 'stopped'
+ warning('Execution of db_sync does not depend on $enabled anymore. Please use sync_db instead.')
 }
- if $service_name == 'keystone' {
+ if $service_name == $::keystone::params::service_name {
 if $validate_service {
 if $validate_auth_url {
 $v_auth_url = $validate_auth_url
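Review bot: In the last hunk, the `else` branch of `if $manage_service` only emits `warning('Execution of db_sync does not depend on $enabled anymore. Please use sync_db instead.')`, which fires on every compile whenever `manage_service` is false and talks about db_sync rather than about what the flag does; `$service_ensure` is also left unassigned in that branch, so the `class { '::keystone::service': ensure => $service_ensure ... }` declarations later in the file (outside this hunk) receive undef. If leaving the service state unmanaged is the intent, say so where the variable is not set, `# manage_service => false: $service_ensure stays undef so the service's ensure is not managed`, and reword the warning to match, e.g. `warning('manage_service is false: keystone service state is left unmanaged; use sync_db to control db_sync.')`. The `if $service_name == ...` chain opened at the end of this hunk closes in a later hunk.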
@@ -678,9 +811,9 @@ class keystone(
 $v_auth_url = $admin_endpoint
 }
- class { 'keystone::service':
+ class { '::keystone::service':
 ensure => $service_ensure,
- service_name => $::keystone::params::service_name,
+ service_name => $service_name,
 enable => $enabled,
 hasstatus => true,
 hasrestart => true,
@@ -692,9 +825,9 @@ class keystone(
 cacert => $validate_cacert,
 }
 } else {
- class { 'keystone::service':
+ class { '::keystone::service':
 ensure => $service_ensure,
- service_name => $::keystone::params::service_name,
+ service_name => $service_name,
 enable => $enabled,
 hasstatus => true,
 hasrestart => true,
@@ -702,9 +835,19 @@ class keystone(
 validate => false,
 }
 }
+ } elsif $service_name == 'httpd' {
+ class { '::keystone::service':
+ ensure => 'stopped',
+ service_name => $::keystone::params::service_name,
+ enable => false,
+ provider => $service_provider,
+ validate => false,
+ }
+ } else {
+ fail('Invalid service_name. Either keystone/openstack-keystone for running as a standalone service, or httpd for being run by a httpd server')
 }
- if $enabled {
+ if $sync_db {
 include ::keystone::db::sync
 Class['::keystone::db::sync'] ~> Service[$service_name]
 }
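Review bot: The new `elsif $service_name == 'httpd'` branch in the last hunk stops the native keystone service but declares no resource named `Service['httpd']`, yet with that value every `Service[$service_name]` relationship in this class — `Keystone_config<||> ~> Service[$service_name]`, `Class['::keystone::db::sync'] ~> Service[$service_name]` two lines below, and the fernet exec's `notify` in the final hunk — resolves to exactly that resource, so the catalog presumably fails unless an apache/wsgi class declares it in the same run. The `fail(...)` message names the two accepted values but not this dependency; a comment in the branch would make the contract explicit, e.g. `# httpd mode: Service['httpd'] must be declared elsewhere (keystone::wsgi::apache); the native service is stopped and validate_service is skipped`. The `if $service_name == ...` chain this branch belongs to opens in an earlier hunk.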
@@ -740,4 +883,48 @@ class keystone(
 }
 }
+ if $paste_config {
+ keystone_config {
+ 'paste_deploy/config_file': value => $paste_config;
+ }
+ } else {
+ keystone_config {
+ 'paste_deploy/config_file': ensure => absent;
+ }
+ }
+
+ # Fernet tokens support
+ if $enable_fernet_setup {
+ validate_string($fernet_key_repository)
+
+ exec { 'keystone-manage fernet_setup':
+ path => '/usr/bin',
+ user => 'keystone',
+ refreshonly => true,
+ creates => "${fernet_key_repository}/0",
+ notify => Service[$service_name],
+ subscribe => [Package['keystone'], Keystone_config['fernet_tokens/key_repository']],
+ }
+ }
+
+ if $fernet_key_repository {
+ keystone_config {
+ 'fernet_tokens/key_repository': value => $fernet_key_repository;
+ }
+ } else {
+ keystone_config {
+ 'fernet_tokens/key_repository': ensure => absent;
+ }
+ }
+
+ if $fernet_max_active_keys {
+ keystone_config {
+ 'fernet_tokens/max_active_keys': value => $fernet_max_active_keys;
+ }
+ } else {
+ keystone_config {
+ 'fernet_tokens/max_active_keys': ensure => absent;
+ }
+ }
+
 }
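Review bot: The `exec { 'keystone-manage fernet_setup': ... }` creates the Fernet key repository, but nothing in this class manages `$fernet_key_repository` as a directory, so the owner and mode of the directory holding the token-signing keys are whatever keystone-manage and the `keystone` user's umask happen to produce; pinning it to `keystone:keystone` with mode `0700` before the exec makes the intended protection explicit and auditable (keystone-manage may well set this itself, but that is not visible here). `validate_string($fernet_key_repository)` also accepts an empty string, in which case `creates` becomes `/0` and the `fernet_tokens/key_repository` setting below is written `ensure => absent` while the exec still runs; `validate_absolute_path` from the same stdlib rejects that. Provided no other class already manages that path, the block would become:
```puppet
  # Fernet tokens support
  if $enable_fernet_setup {
    validate_absolute_path($fernet_key_repository)

    # The Fernet keys are the token-signing secret: pin ownership and mode
    # of the repository instead of relying on keystone-manage and the umask.
    file { $fernet_key_repository:
      ensure => directory,
      owner  => 'keystone',
      group  => 'keystone',
      mode   => '0700',
      before => Exec['keystone-manage fernet_setup'],
    }

    exec { 'keystone-manage fernet_setup':
      # … unchanged: path, user, refreshonly, creates, notify, subscribe …
    }
  }
```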