--- /dev/null
+# == Definition: keystone::resource::authtoken
+#
+# This resource configures Keystone authentication resources for an OpenStack
+# service. It will manage the [keystone_authtoken] section in the given
+# config resource. It supports all of the authentication parameters specified
+# at http://www.jamielennox.net/blog/2015/02/17/loading-authentication-plugins/
+# with the addition of the default domain for user and project.
+#
+# The username and project_name parameters may be given in the form
+# "name::domainname". The authtoken resource will use the domains in
+# the following order:
+# 1) The given domain parameter (user_domain_name or project_domain_name)
+# 2) The domain given as the "::domainname" part of username or project_name
+# 3) The default_domain_name
+#
+# For example, instead of doing this::
+#
+# glance_api_config {
+# 'keystone_authtoken/admin_tenant_name': value => $keystone_tenant;
+# 'keystone_authtoken/admin_user' : value => $keystone_user;
+# 'keystone_authtoken/admin_password' : value => $keystone_password;
+# secret => true;
+# ...
+# }
+#
+# manifests should do this instead::
+#
+# keystone::resource::authtoken { 'glance_api_config':
+# username => $keystone_user,
+# password => $keystone_password,
+# auth_url => $real_identity_uri,
+# project_name => $keystone_tenant,
+# user_domain_name => $keystone_user_domain,
+# project_domain_name => $keystone_project_domain,
+# default_domain_name => $keystone_default_domain,
+# cacert => $ca_file,
+# ...
+# }
+#
+# The use of `keystone::resource::authtoken` makes it easy to avoid mistakes,
+# and makes it easier to support some of the newer authentication types coming
+# with Keystone Kilo and later, such as Kerberos, Federation, etc.
+#
+# == Parameters:
+#
+# [*name*]
+# The name of the resource corresponding to the config file. For example,
+# keystone::resource::authtoken { 'glance_api_config': ... }
+# Where 'glance_api_config' is the name of the resource used to manage
+# the glance api configuration.
+# string; required
+#
+# [*username*]
+# The name of the service user;
+# string; required
+#
+# [*password*]
+# Password to create for the service user;
+# string; required
+#
+# [*auth_url*]
+# The URL to use for authentication.
+# string; required
+#
+# [*auth_plugin*]
+# The plugin to use for authentication.
+# string; optional: default to 'password'
+#
+# [*user_id*]
+# The ID of the service user;
+# string; optional: default to undef
+#
+# [*user_domain_name*]
+# (Optional) Name of domain for $username
+# Defaults to undef
+#
+# [*user_domain_id*]
+# (Optional) ID of domain for $username
+# Defaults to undef
+#
+# [*project_name*]
+# Service project name;
+# string; optional: default to undef
+#
+# [*project_id*]
+# Service project ID;
+# string; optional: default to undef
+#
+# [*project_domain_name*]
+# (Optional) Name of domain for $project_name
+# Defaults to undef
+#
+# [*project_domain_id*]
+# (Optional) ID of domain for $project_name
+# Defaults to undef
+#
+# [*domain_name*]
+# (Optional) Use this for auth to obtain a domain-scoped token.
+# If using this option, do not specify $project_name or $project_id.
+# Defaults to undef
+#
+# [*domain_id*]
+# (Optional) Use this for auth to obtain a domain-scoped token.
+# If using this option, do not specify $project_name or $project_id.
+# Defaults to undef
+#
+# [*default_domain_name*]
+# (Optional) Name of domain for $username and $project_name
+# If user_domain_name is not specified, use $default_domain_name
+# If project_domain_name is not specified, use $default_domain_name
+# Defaults to undef
+#
+# [*default_domain_id*]
+# (Optional) ID of domain for $user_id and $project_id
+# If user_domain_id is not specified, use $default_domain_id
+# If project_domain_id is not specified, use $default_domain_id
+# Defaults to undef
+#
+# [*trust_id*]
+# (Optional) Trust ID
+# Defaults to undef
+#
+# [*cacert*]
+# (Optional) CA certificate file for TLS (https)
+# Defaults to undef
+#
+# [*cert*]
+# (Optional) Certificate file for TLS (https)
+# Defaults to undef
+#
+# [*key*]
+# (Optional) Key file for TLS (https)
+# Defaults to undef
+#
+# [*insecure*]
+# If true, explicitly allow TLS without checking server cert against any
+# certificate authorities. WARNING: not recommended. Use with caution.
+# boolean; Defaults to false (which means be secure)
+#
+define keystone::resource::authtoken(
+ $username,
+ $password,
+ $auth_url,
+ $auth_plugin = 'password',
+ $user_id = undef,
+ $user_domain_name = undef,
+ $user_domain_id = undef,
+ $project_name = undef,
+ $project_id = undef,
+ $project_domain_name = undef,
+ $project_domain_id = undef,
+ $domain_name = undef,
+ $domain_id = undef,
+ $default_domain_name = undef,
+ $default_domain_id = undef,
+ $trust_id = undef,
+ $cacert = undef,
+ $cert = undef,
+ $key = undef,
+ $insecure = false,
+) {
+
+ if !$project_name and !$project_id and !$domain_name and !$domain_id {
+ fail('Must specify either a project (project_name or project_id, for a project scoped token) or a domain (domain_name or domain_id, for a domain scoped token)')
+ }
+
+ if ($project_name or $project_id) and ($domain_name or $domain_id) {
+ fail('Cannot specify both a project (project_name or project_id) and a domain (domain_name or domain_id)')
+ }
+
+ $user_and_domain_array = split($username, '::')
+ $real_username = $user_and_domain_array[0]
+ $real_user_domain_name = pick($user_domain_name, $user_and_domain_array[1], $default_domain_name, '__nodomain__')
+
+ $project_and_domain_array = split($project_name, '::')
+ $real_project_name = $project_and_domain_array[0]
+ $real_project_domain_name = pick($project_domain_name, $project_and_domain_array[1], $default_domain_name, '__nodomain__')
+
+ create_resources($name, {'keystone_authtoken/auth_plugin' => {'value' => $auth_plugin}})
+ create_resources($name, {'keystone_authtoken/auth_url' => {'value' => $auth_url}})
+ create_resources($name, {'keystone_authtoken/username' => {'value' => $real_username}})
+ create_resources($name, {'keystone_authtoken/password' => {'value' => $password, 'secret' => true}})
+ if $user_id {
+ create_resources($name, {'keystone_authtoken/user_id' => {'value' => $user_id}})
+ } else {
+ create_resources($name, {'keystone_authtoken/user_id' => {'ensure' => 'absent'}})
+ }
+ if $real_user_domain_name == '__nodomain__' {
+ create_resources($name, {'keystone_authtoken/user_domain_name' => {'ensure' => 'absent'}})
+ } else {
+ create_resources($name, {'keystone_authtoken/user_domain_name' => {'value' => $real_user_domain_name}})
+ }
+ if $user_domain_id {
+ create_resources($name, {'keystone_authtoken/user_domain_id' => {'value' => $user_domain_id}})
+ } elsif $default_domain_id {
+ create_resources($name, {'keystone_authtoken/user_domain_id' => {'value' => $default_domain_id}})
+ } else {
+ create_resources($name, {'keystone_authtoken/user_domain_id' => {'ensure' => 'absent'}})
+ }
+ if $project_name {
+ create_resources($name, {'keystone_authtoken/project_name' => {'value' => $real_project_name}})
+ } else {
+ create_resources($name, {'keystone_authtoken/project_name' => {'ensure' => 'absent'}})
+ }
+ if $project_id {
+ create_resources($name, {'keystone_authtoken/project_id' => {'value' => $project_id}})
+ } else {
+ create_resources($name, {'keystone_authtoken/project_id' => {'ensure' => 'absent'}})
+ }
+ if $real_project_domain_name == '__nodomain__' {
+ create_resources($name, {'keystone_authtoken/project_domain_name' => {'ensure' => 'absent'}})
+ } else {
+ create_resources($name, {'keystone_authtoken/project_domain_name' => {'value' => $real_project_domain_name}})
+ }
+ if $project_domain_id {
+ create_resources($name, {'keystone_authtoken/project_domain_id' => {'value' => $project_domain_id}})
+ } elsif $default_domain_id {
+ create_resources($name, {'keystone_authtoken/project_domain_id' => {'value' => $default_domain_id}})
+ } else {
+ create_resources($name, {'keystone_authtoken/project_domain_id' => {'ensure' => 'absent'}})
+ }
+ if $domain_name {
+ create_resources($name, {'keystone_authtoken/domain_name' => {'value' => $domain_name}})
+ } else {
+ create_resources($name, {'keystone_authtoken/domain_name' => {'ensure' => 'absent'}})
+ }
+ if $domain_id {
+ create_resources($name, {'keystone_authtoken/domain_id' => {'value' => $domain_id}})
+ } else {
+ create_resources($name, {'keystone_authtoken/domain_id' => {'ensure' => 'absent'}})
+ }
+ if $trust_id {
+ create_resources($name, {'keystone_authtoken/trust_id' => {'value' => $trust_id}})
+ } else {
+ create_resources($name, {'keystone_authtoken/trust_id' => {'ensure' => 'absent'}})
+ }
+ if $cacert {
+ create_resources($name, {'keystone_authtoken/cacert' => {'value' => $cacert}})
+ } else {
+ create_resources($name, {'keystone_authtoken/cacert' => {'ensure' => 'absent'}})
+ }
+ if $cert {
+ create_resources($name, {'keystone_authtoken/cert' => {'value' => $cert}})
+ } else {
+ create_resources($name, {'keystone_authtoken/cert' => {'ensure' => 'absent'}})
+ }
+ if $key {
+ create_resources($name, {'keystone_authtoken/key' => {'value' => $key}})
+ } else {
+ create_resources($name, {'keystone_authtoken/key' => {'ensure' => 'absent'}})
+ }
+ create_resources($name, {'keystone_authtoken/insecure' => {'value' => $insecure}})
+}