mod 'nanliu/staging', '1.0.3'
mod 'stackforge/openstacklib', '5.1.0'
-mod 'stackforge/keystone', '5.1.0'
mod 'aimonb/aviator', '0.5.1'
+++ /dev/null
-source 'https://rubygems.org'
-
-group :development, :test do
- gem 'puppetlabs_spec_helper', :require => false
- gem 'puppet-lint', '~> 0.3.2'
- gem 'metadata-json-lint'
- gem 'rspec-puppet', '~> 1.0.1'
- gem 'rake', '10.1.1'
-end
-
-if puppetversion = ENV['PUPPET_GEM_VERSION']
- gem 'puppet', puppetversion, :require => false
-else
- gem 'puppet', :require => false
-end
-
-# vim:ft=ruby
+++ /dev/null
-Puppet Labs Keystone Module - Puppet module for managing Keystone
-
-Copyright (C) 2012 Puppet Labs Inc
-
-Puppet Labs can be contacted at: info@puppetlabs.com
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
+++ /dev/null
-keystone
-=======
-
-5.1.0 - 2014.2 - Juno
-
-#### Table of Contents
-
-1. [Overview - What is the keystone module?](#overview)
-2. [Module Description - What does the module do?](#module-description)
-3. [Setup - The basics of getting started with keystone](#setup)
-4. [Implementation - An under-the-hood peek at what the module is doing](#implementation)
-5. [Limitations - OS compatibility, etc.](#limitations)
-6. [Development - Guide for contributing to the module](#development)
-7. [Contributors - Those with commits](#contributors)
-8. [Release Notes - Notes on the most recent updates to the module](#release-notes)
-
-Overview
---------
-
-The keystone module is a part of [Stackforge](https://github.com/stackfoge), an effort by the Openstack infrastructure team to provide continuous integration testing and code review for Openstack and Openstack community projects not part of the core software. The module its self is used to flexibly configure and manage the identify service for Openstack.
-
-Module Description
-------------------
-
-The keystone module is a thorough attempt to make Puppet capable of managing the entirety of keystone. This includes manifests to provision region specific endpoint and database connections. Types are shipped as part of the keystone module to assist in manipulation of configuration files.
-
-This module is tested in combination with other modules needed to build and leverage an entire Openstack software stack. These modules can be found, all pulled together in the [openstack module](https://github.com/stackfoge/puppet-openstack).
-
-Setup
------
-
-**What the keystone module affects**
-
-* keystone, the identify service for Openstack.
-
-### Installing keystone
-
- example% puppet module install puppetlabs/keystone
-
-### Beginning with keystone
-
-To utilize the keystone module's functionality you will need to declare multiple resources. The following is a modified excerpt from the [openstack module](https://github.com/stackfoge/puppet-openstack). This is not an exhaustive list of all the components needed, we recommend you consult and understand the [openstack module](https://github.com/stackforge/puppet-openstack) and the [core openstack](http://docs.openstack.org) documentation.
-
-**Define a keystone node**
-
-```puppet
-class { 'keystone':
- verbose => True,
- catalog_type => 'sql',
- admin_token => 'random_uuid',
- sql_connection => 'mysql://keystone_admin:super_secret_db_password@openstack-controller.example.com/keystone',
-}
-
-# Adds the admin credential to keystone.
-class { 'keystone::roles::admin':
- email => 'admin@example.com',
- password => 'super_secret',
-}
-
-# Installs the service user endpoint.
-class { 'keystone::endpoint':
- public_address => '10.16.0.101',
- admin_address => '10.16.1.101',
- internal_address => '10.16.2.101',
- region => 'example-1',
-}
-```
-
-**Leveraging the Native Types**
-
-Keystone ships with a collection of native types that can be used to interact with the data stored in keystone. The following, related to user management could live throughout your Puppet code base. They even support puppet's ability to introspect the current environment much the same as `puppet resource user`, `puppet resouce keystone_tenant` will print out all the currently stored tenants and their parameters.
-
-```puppet
-keystone_tenant { 'openstack':
- ensure => present,
- enabled => True,
-}
-keystone_user { 'openstack':
- ensure => present,
- enabled => True,
-}
-keystone_role { 'admin':
- ensure => present,
-}
-keystone_user_role { 'admin@openstack':
- roles => ['admin', 'superawesomedude'],
- ensure => present
-}
-```
-
-These two will seldom be used outside openstack related classes, like nova or cinder. These are modified examples form Class['nova::keystone::auth'].
-
-```puppet
-# Setup the nova keystone service
-keystone_service { 'nova':
- ensure => present,
- type => 'compute',
- description => 'Openstack Compute Service',
-}
-
-# Setup nova keystone endpoint
-keystone_endpoint { 'example-1-west/nova':
- ensure => present,
- public_url => "http://127.0.0.1:8774/v2/%(tenant_id)s",
- admin_url => "http://127.0.0.1:8774/v2/%(tenant_id)s",
- internal_url => "http://127.0.0.1:8774/v2/%(tenant_id)s",
-}
-```
-
-**Setting up a database for keystone**
-
-A keystone database can be configured separately from the keystone services.
-
-If one needs to actually install a fresh database they have the choice of mysql or postgres. Use the mysql::server or postgreql::server classes to do this setup then the Class['keystone::db::mysql'] or Class['keystone::db::postgresql'] for adding the needed databases and users that will be needed by keystone.
-
-* For mysql
-
-```puppet
-class { 'mysql::server': }
-
-class { 'keystone::db::mysql':
- password => 'super_secret_db_password',
- allowed_hosts => '%',
-}
-```
-
-* For postgresql
-
-```puppet
-class { 'postgresql::server': }
-
-class { 'keystone::db::postgresql': password => 'super_secret_db_password', }
-```
-
-Implementation
---------------
-
-### keystone
-
-keystone is a combination of Puppet manifest and ruby code to delivery configuration and extra functionality through types and providers.
-
-Limitations
-------------
-
-* All the keystone types use the CLI tools and so need to be ran on the keystone node.
-
-### Upgrade warning
-
-* If you've setup Openstack using previous versions of this module you need to be aware that it used UUID as the dedault to the token_format parameter but now defaults to PKI. If you're using this module to manage a Grizzly Openstack deployment that was set up using a development release of the modules or are attempting an upgrade from Folsom then you'll need to make sure you set the token_format to UUID at classification time.
-
-Development
------------
-
-Developer documentation for the entire puppet-openstack project.
-
-* https://wiki.openstack.org/wiki/Puppet-openstack#Developer_documentation
-
-Contributors
-------------
-
-* https://github.com/stackforge/puppet-keystone/graphs/contributors
-
-Release Notes
--------------
-
-**5.1.0**
-
-* Allow disabling or delaying the token_flush cron
-* crontab: ensure the script is run with shell
-* Use openstackclient for keystone_* providers
-* Add lib directories to $LOAD_PATH if not present
-* Remove keystone.rb provider for keystone_endpoint
-* Add timeout to API requests
-* Test keystone_user password with Net::HTTP
-* service_identity: add user/role ordering
-* Fix password check for SSL endpoints
-* add require json for to_json dependency
-* spec: pin rspec-puppet to 1.0.1
-* Switch to TLSv1
-* handle missing project/tenant when using ldap backend
-* Add support for LDAP connection pools
-* Sync keystone.py with upstream to function with Juno
-* Create resource cache upon creation
-* Implement caching lookup for keystone_user_role
-* Remove warnings from openstack responses
-* Properly handle embedded newlines in csv
-* support the ldap user_enabled_invert parameter
-* Shorten HTTP request timeout length
-* Tag packages with 'openstack'
-* Allow Keystone to be queried when using IPv6 ::0
-* Add ::keystone::policy class for policy management
-* New option replace_password for keystone_user
-* Pin puppetlabs-concat to 1.2.1 in fixtures
-* Set WSGI process display-name
-* Rename resource instance variable
-* Add native types for keystone paste configuration
-* Update .gitreview file for project rename
-
-**5.0.0**
-
-* Stable Juno release
-* Updated token driver, logging, and ldap config parameters for Juno
-* Changed admin_roles parameter to accept an array in order to configure multiple admin roles
-* Installs python-ldappool package for ldap
-* Added new parameters to keystone class to configure pki signing
-* Changed keystone class to inherit from keystone::params
-* Changed pki_setup to run regardless of token provider
-* Made UUID the default token provider
-* Made keystone_user_role idempotent
-* Added parameters to control whether to configure users
-* Stopped managing _member_ role since it is created automatically
-* Stopped overriding token_flush log file
-* Changed the usage of admin_endpoint to not include the API version
-* Allowed keystone_user_role to accept email as username
-* Added ability to set up keystone using Apache mod_wsgi
-* Migrated the keystone::db::mysql class to use openstacklib::db::mysql and deprecated the mysql_module parameter
-* Installs python-memcache when using token driver memcache
-* Enabled setting cert and key paths for PKI token signing
-* Added parameters for SSL communication between keystone and rabbitmq
-* Added parameter ignore_default_tenant to keystone::role::admin
-* Added parameter service_provider to keystone class
-* Added parameters for service validation to keystone class
-
-**4.2.0**
-
-* Added class for extended logging options
-* Fixed rabbit password leaking
-* Added parameters to set tenant descriptions
-* Fixed keystone user authorization error handling
-
-**4.1.0**
-
-* Added token flushing with cron.
-* Updated database api for consistency with other projects.
-* Fixed admin_token with secret parameter.
-* Fixed deprecated catalog driver.
-
-**4.0.0**
-
-* Stable Icehouse release.
-* Added template_file parameter to specify catalog.
-* Added keystone::config to handle additional custom options.
-* Added notification parameters.
-* Added support for puppetlabs-mysql 2.2 and greater.
-* Fixed deprecated sql section header in keystone.conf.
-* Fixed deprecated bind_host parameter.
-* Fixed example for native type keystone_service.
-* Fixed LDAP module bugs.
-* Fixed variable for host_access dependency.
-* Reduced default token duration to one hour.
-
-**3.2.0**
-
-* Added ability to configure any catalog driver.
-* Ensures log_file is absent when using syslog.
-
-**3.1.1**
-
-* Fixed inconsistent variable for mysql allowed hosts.
-
-**3.1.0**
-
-* Added ability to disable pki_setup.
-* Load tenant un-lazily if needed.
-* Add log_dir param, with option to disable.
-* Updated endpoint argument.
-* Added support to enable SSL.
-* Removes setting of Keystone endpoint by default.
-* Relaxed regex when keystone refuses connections.
-
-**3.0.0**
-
-* Major release for OpenStack Havana.
-* Fixed duplicated keystone endpoints.
-* Refactored keystone_endpoint to use prefetch and flush paradigm.
-* Switched from signing/format to token/provider.
-* Created memcache_servers option to allow for multiple cache servers.
-* Enabled serving Keystone from Apache mod_wsgi.
-* Moved db_sync to its own class.
-* Removed creation of Member role.
-* Improved performance of Keystone providers.
-* Updated endpoints to support paths and ssl.
-* Added support for token expiration parameter.
-
-**2.2.0**
-
-* Optimized tenant and user queries.
-* Added syslog support.
-* Added support for token driver backend.
-* Various bug and lint fixes.
-
-**2.1.0**
-
-* Tracks release of puppet-quantum
-* Fixed allowed_hosts contitional statement
-* Pinned depedencies
-* Select keystone endpoint based on SSL setting
-* Improved tenant_hash usage in keystone_tenant
-* Various cleanup and bug fixes.
-
-**2.0.0**
-
-* Upstream is now part of stackfoge.
-* keystone_user can be used to change passwords.
-* service tenant name now configurable.
-* keystone_user is now idempotent.
-* Various cleanups and bug fixes.
+++ /dev/null
-require 'puppetlabs_spec_helper/rake_tasks'
-require 'puppet-lint/tasks/puppet-lint'
-
-PuppetLint.configuration.fail_on_warnings = true
-PuppetLint.configuration.send('disable_80chars')
-PuppetLint.configuration.send('disable_class_inherits_from_params_class')
-PuppetLint.configuration.send('disable_class_parameter_defaults')
+++ /dev/null
-{
- "Gemfile": "bda594bd6e3cc9ee1db4c29e55220505",
- "LICENSE": "88c9def20bf88cdd1cf474cfb53f16ab",
- "README.md": "d150d6dc30f3dd54b319317b681e1e14",
- "Rakefile": "68e2a46cd546eeb34bab6dc1512b549d",
- "examples/apache_dropin.pp": "c40c6fe26b4211c85fe2c55926d10bb2",
- "examples/apache_with_paths.pp": "3113e40e01bb70b391b52b7e17509678",
- "examples/ldap_full.pp": "284fd9fd95fc7091b924177a4e3f5c76",
- "examples/ldap_identity.pp": "63f00b0a413163542e348d96a87c9f68",
- "ext/keystone_test.rb": "d403c8c80616f94d0cac9ff12c327b9a",
- "files/httpd/keystone.py": "a359685b85254d738c13b167c7e84e6b",
- "lib/puppet/provider/keystone.rb": "c754d86f1ef111030c17b3690c063a6c",
- "lib/puppet/provider/keystone_config/ini_setting.rb": "b3c3813be1c155f49fedf0a1178fe905",
- "lib/puppet/provider/keystone_endpoint/openstack.rb": "1864e99269b8f707cb16dbf501bc5587",
- "lib/puppet/provider/keystone_paste_ini/ini_setting.rb": "df7e671676104f090a07942f774844e3",
- "lib/puppet/provider/keystone_role/openstack.rb": "54d3dda0ac3427bd1180df9190a5166f",
- "lib/puppet/provider/keystone_service/openstack.rb": "279e16db49cf59734ef98ce6cbf581f8",
- "lib/puppet/provider/keystone_tenant/openstack.rb": "9f443449581c23e54cd5bf0b1d62172a",
- "lib/puppet/provider/keystone_user/openstack.rb": "032358692dae948d29d9464c97793f78",
- "lib/puppet/provider/keystone_user_role/openstack.rb": "a9a3ba9b455c7cb6d630d7b6235ebd14",
- "lib/puppet/provider/openstack.rb": "86e27a181394e3e8630c5a3934ba320b",
- "lib/puppet/type/keystone_config.rb": "01069a89da581af00fed130fc373c2c3",
- "lib/puppet/type/keystone_endpoint.rb": "78ee04053d0e8362b3d57eecd4dbb020",
- "lib/puppet/type/keystone_paste_ini.rb": "5429630bad1a33ab3f14b45f403ed2af",
- "lib/puppet/type/keystone_role.rb": "31a7dc4bdf4179b19f01021d03327e93",
- "lib/puppet/type/keystone_service.rb": "f1ceb0d168964a4211fed962cf0ff156",
- "lib/puppet/type/keystone_tenant.rb": "a7c8b678ceec538cdc22d6dfc9861e13",
- "lib/puppet/type/keystone_user.rb": "f0ba9956b6631a7ae07b763fa2c9479c",
- "lib/puppet/type/keystone_user_role.rb": "01e72389db896e4cf4a3ed8b15fb771c",
- "lib/puppet/util/openstack.rb": "34cea508fb3cbd0cf2ac426004842c21",
- "manifests/client.pp": "519836300977db1d5476112864d4782c",
- "manifests/config.pp": "5e27a3b503cd4931e410a2d41d89fda1",
- "manifests/cron/token_flush.pp": "4f2ce0209fbb9696eda2758ef84c18d2",
- "manifests/db/mysql.pp": "c3cb8dc2e1e61392f00f0dc54ee0bc1b",
- "manifests/db/postgresql.pp": "18cea325841979f63426633794157254",
- "manifests/db/sync.pp": "3caf7ccd37b6f62714bf3b77d0dbf0f9",
- "manifests/dev/install.pp": "49ce7909a859d2424cf1fbe5404eab0c",
- "manifests/endpoint.pp": "da60281981160a38c5e3ca8bc744dca7",
- "manifests/init.pp": "f9e76044c913474134eb7f58c60a7e7d",
- "manifests/ldap.pp": "c49c737867f03d49f3fdff6ac46e9c51",
- "manifests/logging.pp": "5774990dea77d17dfceaad4a8777824c",
- "manifests/params.pp": "b2cbc2011a21fa630022a36d2975f946",
- "manifests/policy.pp": "c8a8998316ea42f611a1c7ae6a563461",
- "manifests/python.pp": "036cd9a1f400a6a150a1967dcb6f1427",
- "manifests/resource/service_identity.pp": "cd6a8d9c451c6310c840149d50decf79",
- "manifests/roles/admin.pp": "45b2a2826ff205a28ba30f7c63b0cf45",
- "manifests/service.pp": "bae5e366e100ea38d9fd5c1885b0cf3b",
- "manifests/wsgi/apache.pp": "b4215a0b8a59d4c39919b6f893820c97",
- "metadata.json": "0995a4802848cf7cb6a90293f45aa3a5",
- "spec/classes/keystone_client_spec.rb": "85457ed6327e795237afca58be906da6",
- "spec/classes/keystone_cron_token_flush_spec.rb": "4648a3bba9210d5b7d51b9a6c8fff586",
- "spec/classes/keystone_db_mysql_spec.rb": "6cb71468e5610210be2955305938dcfe",
- "spec/classes/keystone_db_postgresql_spec.rb": "88f188cea91bd3bc7c46ecc7033e62df",
- "spec/classes/keystone_endpoint_spec.rb": "581f77946576aaebce9df3b4dad6800e",
- "spec/classes/keystone_ldap_spec.rb": "c25daffe970799d8619aa690c4c396bb",
- "spec/classes/keystone_logging_spec.rb": "fe193b49405672cbf75e41b140d3f9b9",
- "spec/classes/keystone_policy_spec.rb": "24dfcbd1e807015214c31d9e4a313619",
- "spec/classes/keystone_python_spec.rb": "84f15d4d969b2cb7ab2d770d7ab0278f",
- "spec/classes/keystone_roles_admin_spec.rb": "6b11c426e9dd91c7b766ef8c707ca129",
- "spec/classes/keystone_service_spec.rb": "688f35435c12152a021ae39020296186",
- "spec/classes/keystone_spec.rb": "14dfbd437ce31988a43332752b586c91",
- "spec/classes/keystone_wsgi_apache_spec.rb": "5af4f3b9ee305f99df34753db9aa8fe1",
- "spec/defines/keystone_resource_service_identity_spec.rb": "485bd7d1a7d189d88d4b86f5d50df8d0",
- "spec/shared_examples.rb": "172c63c57efca8c741f297494ed9ef0f",
- "spec/spec.opts": "a600ded995d948e393fbe2320ba8e51c",
- "spec/spec_helper.rb": "c6521798536b607695fa32a60c8466aa",
- "spec/unit/provider/keystone_endpoint/openstack_spec.rb": "8417a7da443c4cfe7c779536c07a2972",
- "spec/unit/provider/keystone_paste_ini/ini_setting_spec.rb": "8b583280cfc7c67d64a2dfd8caa7a130",
- "spec/unit/provider/keystone_role/openstack_spec.rb": "3dabd6528075e0f4496b10f4faf769b5",
- "spec/unit/provider/keystone_service/openstack_spec.rb": "1badc29e61628e320509ce86e076e641",
- "spec/unit/provider/keystone_spec.rb": "3eaa3720884b2c3096102b1cb37334cb",
- "spec/unit/provider/keystone_tenant/openstack_spec.rb": "63ac277a61271577ecbcd5c729868cf2",
- "spec/unit/provider/keystone_user/openstack_spec.rb": "0c68dda06669b26d9d1285196cfed0ec",
- "spec/unit/provider/keystone_user_role/openstack_spec.rb": "d78aab324756f7183997b2f8300e9309",
- "spec/unit/provider/openstack_spec.rb": "f06998179568513c4b83d19212d6427b",
- "spec/unit/type/keystone_endpoint_spec.rb": "5dbd0b540a452bae36218b2a8794a41e",
- "spec/unit/type/keystone_paste_ini_spec.rb": "9037113f96850d5567e9dc7c540915ae",
- "spec/unit/type/keystone_user_role_spec.rb": "a03cfa9f55028d6a7f2a351582c1a93d",
- "tests/site.pp": "0b2eb2ec36b10520aad1517b9a116e50"
-}
\ No newline at end of file
+++ /dev/null
-# Example using apache to serve keystone
-#
-# To be sure everything is working, run:
-# $ export OS_USERNAME=admin
-# $ export OS_PASSWORD=ChangeMe
-# $ export OS_TENANT_NAME=openstack
-# $ export OS_AUTH_URL=http://keystone.local/keystone/main/v2.0
-# $ keystone catalog
-# Service: identity
-# +-------------+----------------------------------------------+
-# | Property | Value |
-# +-------------+----------------------------------------------+
-# | adminURL | http://keystone.local:80/keystone/admin/v2.0 |
-# | id | 4f0f55f6789d4c73a53c51f991559b72 |
-# | internalURL | http://keystone.local:80/keystone/main/v2.0 |
-# | publicURL | http://keystone.local:80/keystone/main/v2.0 |
-# | region | RegionOne |
-# +-------------+----------------------------------------------+
-#
-
-Exec { logoutput => 'on_failure' }
-
-class { 'mysql::server': }
-class { 'keystone::db::mysql':
- password => 'keystone',
-}
-class { 'keystone':
- verbose => true,
- debug => true,
- sql_connection => 'mysql://keystone:keystone@127.0.0.1/keystone',
- catalog_type => 'sql',
- admin_token => 'admin_token',
- enabled => false,
-}
-class { 'keystone::roles::admin':
- email => 'test@puppetlabs.com',
- password => 'ChangeMe',
-}
-class { 'keystone::endpoint':
- public_url => "https://${::fqdn}:5000/",
- admin_url => "https://${::fqdn}:35357/",
-}
-
-keystone_config { 'ssl/enable': value => true }
-
-include apache
-class { 'keystone::wsgi::apache':
- ssl => true
-}
+++ /dev/null
-# Example using apache to serve keystone
-#
-# To be sure everything is working, run:
-# $ export OS_USERNAME=admin
-# $ export OS_PASSWORD=ChangeMe
-# $ export OS_TENANT_NAME=openstack
-# $ export OS_AUTH_URL=http://keystone.local/keystone/main/v2.0
-# $ keystone catalog
-# Service: identity
-# +-------------+----------------------------------------------+
-# | Property | Value |
-# +-------------+----------------------------------------------+
-# | adminURL | http://keystone.local:80/keystone/admin/v2.0 |
-# | id | 4f0f55f6789d4c73a53c51f991559b72 |
-# | internalURL | http://keystone.local:80/keystone/main/v2.0 |
-# | publicURL | http://keystone.local:80/keystone/main/v2.0 |
-# | region | RegionOne |
-# +-------------+----------------------------------------------+
-#
-
-Exec { logoutput => 'on_failure' }
-
-class { 'mysql::server': }
-class { 'keystone::db::mysql':
- password => 'keystone',
-}
-class { 'keystone':
- verbose => true,
- debug => true,
- sql_connection => 'mysql://keystone_admin:keystone@127.0.0.1/keystone',
- catalog_type => 'sql',
- admin_token => 'admin_token',
- enabled => true,
-}
-class { 'keystone::cron::token_flush': }
-class { 'keystone::roles::admin':
- email => 'test@puppetlabs.com',
- password => 'ChangeMe',
-}
-class { 'keystone::endpoint':
- public_url => "https://${::fqdn}:443/main/",
- admin_address => "https://${::fqdn}:443/admin/",
-}
-
-keystone_config { 'ssl/enable': ensure => absent }
-
-include apache
-class { 'keystone::wsgi::apache':
- ssl => true,
- public_port => 443,
- admin_port => 443,
- public_path => '/main/',
- admin_path => '/admin/'
-}
+++ /dev/null
-# A full example from a real deployment that allows Keystone to modify
-# everything except users, uses enabled_emulation, and ldaps
-
-# Ensure this matches what is in LDAP or keystone will try to recreate
-# the admin user
-class { 'keystone::roles::admin':
- email => 'test@example.com',
- password => 'ChangeMe',
-}
-
-# You can test this connection with ldapsearch first to ensure it works.
-# LDAP configurations are *highly* dependent on your setup and this file
-# will need to be tweaked. This sample talks to ldap.example.com, here is
-# an example of ldapsearch that will search users on this box:
-# ldapsearch -v -x -H 'ldap://example.com:389' -D \
-# "uid=bind,cn=users,cn=accounts,dc=example,dc=com" -w SecretPass \
-# -b cn=users,cn=accounts,dc=example,dc=com
-class { 'keystone:ldap':
- url => 'ldap://ldap.example.com:389',
- user => 'uid=bind,cn=users,cn=accounts,dc=example,dc=com',
- password => 'SecretPass',
- suffix => 'dc=example,dc=com',
- query_scope => 'sub',
- user_tree_dn => 'cn=users,cn=accounts,dc=example,dc=com',
- user_id_attribute => 'uid',
- user_name_attribute => 'uid',
- user_mail_attribute => 'mail',
- user_allow_create => 'False',
- user_allow_update => 'False',
- user_allow_delete => 'False',
- user_enabled_emulation => 'True',
- user_enabled_emulation_dn => 'cn=openstack-enabled,cn=groups,cn=accounts,dc=example,dc=com',
- group_tree_dn => 'ou=groups,ou=openstack,dc=example,dc=com',
- group_objectclass => 'organizationalRole',
- group_id_attribute => 'cn',
- group_name_attribute => 'cn',
- group_member_attribute => 'RoleOccupant',
- group_desc_attribute => 'description',
- group_allow_create => 'True',
- group_allow_update => 'True',
- group_allow_delete => 'True',
- project_tree_dn => 'ou=projects,ou=openstack,dc=example,dc=com',
- project_objectclass => 'organizationalUnit',
- project_id_attribute => 'ou',
- project_member_attribute => 'member',
- project_name_attribute => 'ou',
- project_desc_attribute => 'description',
- project_allow_create => 'True',
- project_allow_update => 'True',
- project_allow_delete => 'True',
- project_enabled_emulation => 'True',
- project_enabled_emulation_dn=> 'cn=enabled,ou=openstack,dc=example,dc=com',
- role_tree_dn => 'ou=roles,ou=openstack,dc=example,dc=com',
- role_objectclass => 'organizationalRole',
- role_id_attribute => 'cn',
- role_name_attribute => 'cn',
- role_member_attribute => 'roleOccupant',
- role_allow_create => 'True',
- role_allow_update => 'True',
- role_allow_delete => 'True',
- identity_driver => 'keystone.identity.backends.ldap.Identity',
- assignment_driver => 'keystone.assignment.backends.ldap.Assignment',
- use_tls => 'True',
- tls_cacertfile => '/etc/ssl/certs/ca-certificates.crt',
- tls_req_cert => 'demand',
- use_pool => 'True',
- use_auth_pool => 'True',
- pool_size => 5,
- auth_pool_size => 5,
- pool_retry_max => 3,
- pool_connection_timeout => 120,
-}
+++ /dev/null
-# Example using LDAP to manage user identity only.
-# This setup will not allow changes to users.
-
-# Ensure this matches what is in LDAP or keystone will try to recreate
-# the admin user
-class { 'keystone::roles::admin':
- email => 'test@example.com',
- password => 'ChangeMe',
-}
-
-# You can test this connection with ldapsearch first to ensure it works.
-# This was tested against a FreeIPA box, you will likely need to change the
-# attributes to match your configuration.
-class { 'keystone:ldap':
- identity_driver => 'keystone.identity.backends.ldap.Identity',
- url => 'ldap://ldap.example.com:389',
- user => 'uid=bind,cn=users,cn=accounts,dc=example,dc=com',
- password => 'SecretPass',
- suffix => 'dc=example,dc=com',
- query_scope => 'sub',
- user_tree_dn => 'cn=users,cn=accounts,dc=example,dc=com',
- user_id_attribute => 'uid',
- user_name_attribute => 'uid',
- user_mail_attribute => 'mail',
- user_allow_create => 'False',
- user_allow_update => 'False',
- user_allow_delete => 'False'
-}
+++ /dev/null
-#!/usr/bin/env ruby
-# this script verifies that keystone has
-# been successfully installed using the instructions
-# found here: http://keystone.openstack.org/configuration.html
-
-begin
- require 'rubygems'
-rescue
- puts 'Could not require rubygems. This assumes puppet is not installed as a gem'
-end
-require 'open3'
-require 'fileutils'
-require 'puppet'
-
-username='admin'
-password='admin_password'
-# required to get a real services catalog
-tenant='openstack'
-
-# shared secret
-service_token='service_token'
-
-def run_command(cmd)
- Open3.popen3(cmd) do |stdin, stdout, stderr|
- begin
- stdout = stdout.read
- puts "Response from token request:#{stdout}"
- return stdout
- rescue Exception => e
- puts "Request failed, this sh*t is borked :( : details: #{e}"
- exit 1
- end
- end
-end
-
-puts `puppet apply -e "package {curl: ensure => present }"`
-
-get_token = %(curl -d '{"auth":{"passwordCredentials":{"username": "#{username}", "password": "#{password}"}}}' -H "Content-type: application/json" http://localhost:35357/v2.0/tokens)
-token = nil
-
-puts "Running auth command: #{get_token}"
-token = PSON.load(run_command(get_token))["access"]["token"]["id"]
-
-if token
- puts "We were able to retrieve a token"
- puts token
- verify_token = "curl -H 'X-Auth-Token: #{service_token}' http://localhost:35357/v2.0/tokens/#{token}"
- puts 'verifying token'
- run_command(verify_token)
- ['endpoints', 'tenants', 'users'].each do |x|
- puts "getting #{x}"
- get_keystone_data = "curl -H 'X-Auth-Token: #{service_token}' http://localhost:35357/v2.0/#{x}"
- run_command(get_keystone_data)
- end
-end
+++ /dev/null
-# Copyright 2013 OpenStack Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import logging
-import os
-
-from oslo import i18n
-
-
-# NOTE(dstanek): i18n.enable_lazy() must be called before
-# keystone.i18n._() is called to ensure it has the desired lazy lookup
-# behavior. This includes cases, like keystone.exceptions, where
-# keystone.i18n._() is called at import time.
-i18n.enable_lazy()
-
-
-from keystone import backends
-from keystone.common import dependency
-from keystone.common import environment
-from keystone.common import sql
-from keystone import config
-from keystone.openstack.common import log
-from keystone import service
-
-
-CONF = config.CONF
-
-config.configure()
-sql.initialize()
-config.set_default_for_default_log_levels()
-
-CONF(project='keystone')
-config.setup_logging()
-
-environment.use_stdlib()
-name = os.path.basename(__file__)
-
-if CONF.debug:
- CONF.log_opt_values(log.getLogger(CONF.prog), logging.DEBUG)
-
-
-drivers = backends.load_backends()
-
-# NOTE(ldbragst): 'application' is required in this context by WSGI spec.
-# The following is a reference to Python Paste Deploy documentation
-# http://pythonpaste.org/deploy/
-application = service.loadapp('config:%s' % config.find_paste_config(), name)
-
-dependency.resolve_future_dependencies()
+++ /dev/null
-require 'puppet/util/inifile'
-require 'puppet/provider/openstack'
-class Puppet::Provider::Keystone < Puppet::Provider::Openstack
-
- def request(service, action, object, credentials, *properties)
- begin
- super
- rescue Puppet::Error::OpenstackAuthInputError => error
- keystone_request(service, action, object, credentials, error, *properties)
- end
- end
-
- def self.request(service, action, object, credentials, *properties)
- begin
- super
- rescue Puppet::Error::OpenstackAuthInputError => error
- keystone_request(service, action, object, credentials, error, *properties)
- end
- end
-
- def keystone_request(service, action, object, credentials, error, *properties)
- self.class.keystone_request(service, action, object, credentials, error, *properties)
- end
-
- def self.keystone_request(service, action, object, credentials, error, *properties)
- credentials = {
- 'token' => get_admin_token,
- 'auth_url' => get_admin_endpoint,
- }
- raise error unless (credentials['token'] && credentials['auth_url'])
- auth_args = token_auth_args(credentials)
- args = [object, properties, auth_args].flatten.compact
- authenticate_request(service, action, args)
- end
-
- def self.admin_token
- @admin_token ||= get_admin_token
- end
-
- def self.get_admin_token
- if keystone_file and keystone_file['DEFAULT'] and keystone_file['DEFAULT']['admin_token']
- return "#{keystone_file['DEFAULT']['admin_token'].strip}"
- else
- return nil
- end
- end
-
- def self.admin_endpoint
- @admin_endpoint ||= get_admin_endpoint
- end
-
- def get_admin_token
- self.class.get_admin_token
- end
-
-
- def self.get_admin_endpoint
- if keystone_file
- if keystone_file['DEFAULT']
- if keystone_file['DEFAULT']['admin_endpoint']
- auth_url = keystone_file['DEFAULT']['admin_endpoint'].strip.chomp('/')
- return "#{auth_url}/v2.0/"
- end
-
- if keystone_file['DEFAULT']['admin_port']
- admin_port = keystone_file['DEFAULT']['admin_port'].strip
- else
- admin_port = '35357'
- end
-
- if keystone_file['DEFAULT']['admin_bind_host']
- host = keystone_file['DEFAULT']['admin_bind_host'].strip
- if host == "0.0.0.0"
- host = "127.0.0.1"
- elsif host == '::0'
- host = '[::1]'
- end
- else
- host = "127.0.0.1"
- end
- end
-
- if keystone_file['ssl'] && keystone_file['ssl']['enable'] && keystone_file['ssl']['enable'].strip.downcase == 'true'
- protocol = 'https'
- else
- protocol = 'http'
- end
- end
-
- "#{protocol}://#{host}:#{admin_port}/v2.0/"
- end
-
- def get_admin_endpoint
- self.class.get_admin_endpoint
- end
-
- def self.keystone_file
- return @keystone_file if @keystone_file
- @keystone_file = Puppet::Util::IniConfig::File.new
- @keystone_file.read('/etc/keystone/keystone.conf')
- @keystone_file
- end
-
- def keystone_file
- self.class.keystone_file
- end
-
- # Helper functions to use on the pre-validated enabled field
- def bool_to_sym(bool)
- bool == true ? :true : :false
- end
-
- def sym_to_bool(sym)
- sym == :true ? true : false
- end
-
-end
+++ /dev/null
-Puppet::Type.type(:keystone_config).provide(
- :ini_setting,
- :parent => Puppet::Type.type(:ini_setting).provider(:ruby)
-) do
-
- def section
- resource[:name].split('/', 2).first
- end
-
- def setting
- resource[:name].split('/', 2).last
- end
-
- def separator
- '='
- end
-
- def self.file_path
- '/etc/keystone/keystone.conf'
- end
-
- # added for backwards compatibility with older versions of inifile
- def file_path
- self.class.file_path
- end
-
-end
+++ /dev/null
-require 'puppet/provider/keystone'
-
-Puppet::Type.type(:keystone_endpoint).provide(
- :openstack,
- :parent => Puppet::Provider::Keystone
-) do
-
- desc "Provider to manage keystone endpoints."
-
- def initialize(value={})
- super(value)
- @property_flush = {}
- end
-
- def create
- properties = []
- # The region property is just ignored. We should fix this in kilo.
- region, name = resource[:name].split('/')
- properties << '--region'
- properties << region
- if resource[:public_url]
- properties << '--publicurl'
- properties << resource[:public_url]
- end
- if resource[:internal_url]
- properties << '--internalurl'
- properties << resource[:internal_url]
- end
- if resource[:admin_url]
- properties << '--adminurl'
- properties << resource[:admin_url]
- end
- @instance = request('endpoint', 'create', name, resource[:auth], properties)
- end
-
- def exists?
- ! instance(resource[:name]).empty?
- end
-
- def destroy
- id = instance(resource[:name])[:id]
- request('endpoint', 'delete', id, resource[:auth])
- end
-
-
- def region
- instance(resource[:name])[:region]
- end
-
-
- def public_url=(value)
- @property_flush[:public_url] = value
- end
-
- def public_url
- instance(resource[:name])[:public_url]
- end
-
-
- def internal_url=(value)
- @property_flush[:internal_url] = value
- end
-
- def internal_url
- instance(resource[:name])[:internal_url]
- end
-
-
- def admin_url=(value)
- @property_flush[:admin_url] = value
- end
-
- def admin_url
- instance(resource[:name])[:admin_url]
- end
-
- def id
- instance(resource[:name])[:id]
- end
-
- def self.instances
- list = request('endpoint', 'list', nil, nil, '--long')
- list.collect do |endpoint|
- new(
- :name => "#{endpoint[:region]}/#{endpoint[:service_name]}",
- :ensure => :present,
- :id => endpoint[:id],
- :region => endpoint[:region],
- :public_url => endpoint[:publicurl],
- :internal_url => endpoint[:internalurl],
- :admin_url => endpoint[:adminurl]
- )
- end
- end
-
- def instances
- instances = request('endpoint', 'list', nil, resource[:auth], '--long')
- instances.collect do |endpoint|
- {
- :name => "#{endpoint[:region]}/#{endpoint[:service_name]}",
- :id => endpoint[:id],
- :region => endpoint[:region],
- :public_url => endpoint[:publicurl],
- :internal_url => endpoint[:internalurl],
- :admin_url => endpoint[:adminurl]
- }
- end
- end
-
- def instance(name)
- @instance ||= instances.select { |instance| instance[:name] == name }.first || {}
- end
-
- def flush
- if ! @property_flush.empty?
- destroy
- create
- @property_flush.clear
- end
- end
-
-end
+++ /dev/null
-Puppet::Type.type(:keystone_paste_ini).provide(
- :ini_setting,
- :parent => Puppet::Type.type(:ini_setting).provider(:ruby)
-) do
-
- def section
- resource[:name].split('/', 2).first
- end
-
- def setting
- resource[:name].split('/', 2).last
- end
-
- def separator
- '='
- end
-
- def self.file_path
- '/etc/keystone/keystone-paste.ini'
- end
-
- # this needs to be removed. This has been replaced with the class method
- def file_path
- self.class.file_path
- end
-
-end
+++ /dev/null
-require 'puppet/provider/keystone'
-
-Puppet::Type.type(:keystone_role).provide(
- :openstack,
- :parent => Puppet::Provider::Keystone
-) do
-
- desc 'Provider for keystone roles.'
-
- def create
- properties = []
- @instance = request('role', 'create', resource[:name], resource[:auth], properties)
- end
-
- def exists?
- ! instance(resource[:name]).empty?
- end
-
- def destroy
- request('role', 'delete', resource[:name], resource[:auth])
- end
-
- def id
- instance(resource[:name])[:id]
- end
-
- def self.instances
- list = request('role', 'list', nil, nil)
- list.collect do |role|
- new(
- :name => role[:name],
- :ensure => :present,
- :id => role[:id]
- )
- end
- end
-
- def instances
- instances = request('role', 'list', nil, resource[:auth])
- instances.collect do |role|
- {
- :name => role[:name],
- :id => role[:id]
- }
- end
- end
-
- def instance(name)
- @instance ||= instances.select { |instance| instance[:name] == name }.first || {}
- end
-
-end
+++ /dev/null
-require 'puppet/provider/keystone'
-
-Puppet::Type.type(:keystone_service).provide(
- :openstack,
- :parent => Puppet::Provider::Keystone
-) do
-
- desc "Provider to manage keystone services."
-
- def initialize(value={})
- super(value)
- @property_flush = {}
- end
-
- def create
- properties = []
- if resource[:description]
- properties << '--description'
- properties << resource[:description]
- end
- if resource[:type]
- properties << '--type'
- properties << resource[:type]
- end
- @instance = request('service', 'create', resource[:name], resource[:auth], properties)
- end
-
- def exists?
- ! instance(resource[:name]).empty?
- end
-
- def destroy
- request('service', 'delete', resource[:name], resource[:auth])
- end
-
-
- def description=(value)
- raise(Puppet::Error, "Updating the service is not currently supported.")
- end
-
- def description
- instance(resource[:name])[:description]
- end
-
-
- def type=(value)
- raise(Puppet::Error, "Updating the service is not currently supported.")
- end
-
- def type
- instance(resource[:name])[:type]
- end
-
-
- def id
- instance(resource[:name])[:id]
- end
-
- def self.instances
- list = request('service', 'list', nil, nil, '--long')
- list.collect do |service|
- new(
- :name => service[:name],
- :ensure => :present,
- :type => service[:type],
- :description => service[:description],
- :id => service[:id]
- )
- end
- end
-
- def instances
- instances = request('service', 'list', nil, resource[:auth], '--long')
- instances.collect do |service|
- {
- :name => service[:name],
- :type => service[:type],
- :description => service[:description],
- :id => service[:id]
- }
- end
- end
-
- def instance(name)
- @instance ||= instances.select { |instance| instance[:name] == name }.first || {}
- end
-
- def flush
- options = []
- if @property_flush
- # There is a --description flag for the set command, but it does not work if the value is empty
- (options << '--property' << "type=#{resource[:type]}") if @property_flush[:type]
- (options << '--property' << "description=#{resource[:description]}") if @property_flush[:description]
- request('project', 'set', resource[:name], resource[:auth], options) unless options.empty?
- end
- end
-
-end
+++ /dev/null
-require 'puppet/provider/keystone'
-
-Puppet::Type.type(:keystone_tenant).provide(
- :openstack,
- :parent => Puppet::Provider::Keystone
-) do
-
- desc "Provider to manage keystone tenants/projects."
-
- def initialize(value={})
- super(value)
- @property_flush = {}
- end
-
- def create
- properties = []
- if resource[:enabled] == :true
- properties << '--enable'
- elsif resource[:enabled] == :false
- properties << '--disable'
- end
- if resource[:description]
- properties << '--description'
- properties << resource[:description]
- end
- @instance = request('project', 'create', resource[:name], resource[:auth], properties)
- end
-
- def exists?
- ! instance(resource[:name]).empty?
- end
-
- def destroy
- request('project', 'delete', resource[:name], resource[:auth])
- end
-
-
- def enabled=(value)
- @property_flush[:enabled] = value
- end
-
- def enabled
- bool_to_sym(instance(resource[:name])[:enabled])
- end
-
-
- def description=(value)
- @property_flush[:description] = value
- end
-
- def description
- instance(resource[:name])[:description]
- end
-
-
- def id
- instance(resource[:name])[:id]
- end
-
- def self.instances
- list = request('project', 'list', nil, nil, '--long')
- list.collect do |project|
- new(
- :name => project[:name],
- :ensure => :present,
- :enabled => project[:enabled].downcase.chomp == 'true' ? true : false,
- :description => project[:description],
- :id => project[:id]
- )
- end
- end
-
- def instances
- instances = request('project', 'list', nil, resource[:auth], '--long')
- instances.collect do |project|
- {
- :name => project[:name],
- :enabled => project[:enabled].downcase.chomp == 'true' ? true : false,
- :description => project[:description],
- :id => project[:id]
- }
- end
- end
-
- def instance(name)
- @instance ||= instances.select { |instance| instance[:name] == name }.first || {}
- end
-
- def flush
- options = []
- if @property_flush
- (options << '--enable') if @property_flush[:enabled] == :true
- (options << '--disable') if @property_flush[:enabled] == :false
- # There is a --description flag for the set command, but it does not work if the value is empty
- (options << '--property' << "description=#{resource[:description]}") if @property_flush[:description]
- request('project', 'set', resource[:name], resource[:auth], options) unless options.empty?
- end
- end
-
-end
+++ /dev/null
-require 'net/http'
-require 'json'
-require 'puppet/provider/keystone'
-Puppet::Type.type(:keystone_user).provide(
- :openstack,
- :parent => Puppet::Provider::Keystone
-) do
-
- desc "Provider to manage keystone users."
-
- def initialize(value={})
- super(value)
- @property_flush = {}
- end
-
- def create
- properties = []
- if resource[:enabled] == :true
- properties << '--enable'
- elsif resource[:enabled] == :false
- properties << '--disable'
- end
- if resource[:password]
- properties << '--password'
- properties << resource[:password]
- end
- if resource[:tenant]
- properties << '--project'
- properties << resource[:tenant]
- end
- if resource[:email]
- properties << '--email'
- properties << resource[:email]
- end
- @instance = request('user', 'create', resource[:name], resource[:auth], properties)
- end
-
- def exists?
- ! instance(resource[:name]).empty?
- end
-
- def destroy
- request('user', 'delete', resource[:name], resource[:auth])
- end
-
-
- def enabled=(value)
- @property_flush[:enabled] = value
- end
-
- def enabled
- bool_to_sym(instance(resource[:name])[:enabled])
- end
-
-
- def password=(value)
- @property_flush[:password] = value
- end
-
- def password
- # if we don't know a password we can't test it
- return nil if resource[:password] == nil
- # if the user is disabled then the password can't be changed
- return resource[:password] if resource[:enabled] == :false
- # if replacing password is disabled, then don't change it
- return resource[:password] if resource[:replace_password] == :false
- # we can't get the value of the password but we can test to see if the one we know
- # about works, if it doesn't then return nil, causing it to be reset
- endpoint = nil
- if password_credentials_set?(resource[:auth]) || service_credentials_set?(resource[:auth])
- endpoint = (resource[:auth])['auth_url']
- elsif openrc_set?(resource[:auth])
- endpoint = get_credentials_from_openrc(resource[:auth])['auth_url']
- elsif env_vars_set?
- endpoint = ENV['OS_AUTH_URL']
- else
- # try to get endpoint from keystone.conf
- endpoint = get_admin_endpoint
- end
- if endpoint == nil
- raise(Puppet::Error::OpenstackAuthInputError, 'Could not find auth url to check user password.')
- else
- auth_params = {
- 'username' => resource[:name],
- 'password' => resource[:password],
- 'tenant_name' => resource[:tenant],
- 'auth_url' => endpoint,
- }
- # LP#1408754
- # Ideally this would be checked with the `openstack token issue` command,
- # but that command is not available with version 0.3.0 of openstackclient
- # which is what ships on Ubuntu during Juno.
- # Instead we'll check whether the user can authenticate with curl.
- creds_hash = {
- :auth => {
- :passwordCredentials => {
- :username => auth_params['username'],
- :password => auth_params['password'],
- }
- }
- }
- url = URI.parse(endpoint)
- # There is issue with ipv6 where address has to be in brackets, this causes the
- # underlying ruby TCPSocket to fail. Net::HTTP.new will fail without brackets on
- # joining the ipv6 address with :port or passing brackets to TCPSocket. It was
- # found that if we use Net::HTTP.start with url.hostname the incriminated code
- # won't be hit.
- use_ssl = url.scheme == "https" ? true : false
- http = Net::HTTP.start(url.hostname, url.port, {:use_ssl => use_ssl})
- request = Net::HTTP::Post.new('/v2.0/tokens')
- request.body = creds_hash.to_json
- request.content_type = 'application/json'
- response = http.request(request)
- if response.code.to_i == 401 || response.code.to_i == 403 # 401 => unauthorized, 403 => userDisabled
- return nil
- elsif ! (response.code == 200 || response.code == 203)
- return resource[:password]
- else
- raise(Puppet::Error, "Received bad response while trying to authenticate user: #{response.body}")
- end
- end
- end
-
- def tenant=(value)
- begin
- request('user', 'set', resource[:name], resource[:auth], '--project', value)
- rescue Puppet::ExecutionFailure => e
- if e.message =~ /You are not authorized to perform the requested action: LDAP user update/
- # read-only LDAP identity backend - just fall through
- else
- raise e
- end
- # note: read-write ldap will silently fail, not raise an exception
- end
- set_project(value)
- end
-
- def tenant
- return resource[:tenant] if sym_to_bool(resource[:ignore_default_tenant])
- # use the one returned from instances
- tenant_name = instance(resource[:name])[:project]
- if tenant_name.nil? or tenant_name.empty?
- # if none (i.e. ldap backend) use the given one
- tenant_name = resource[:tenant]
- else
- return tenant_name
- end
- if tenant_name.nil? or tenant_name.empty?
- return nil # nothing found, nothing given
- end
- # If the user list command doesn't report the project, it might still be there
- # We don't need to know exactly what it is, we just need to know whether it's
- # the one we're trying to set.
- roles = request('user role', 'list', resource[:name], resource[:auth], ['--project', tenant_name])
- if roles.empty?
- return nil
- else
- return tenant_name
- end
- end
-
- def replace_password
- instance(resource[:name])[:replace_password]
- end
-
- def replace_password=(value)
- @property_flush[:replace_password] = value
- end
-
- def email=(value)
- @property_flush[:email] = value
- end
-
- def email
- instance(resource[:name])[:email]
- end
-
- def id
- instance(resource[:name])[:id]
- end
-
- def self.instances
- list = request('user', 'list', nil, nil, '--long')
- list.collect do |user|
- new(
- :name => user[:name],
- :ensure => :present,
- :enabled => user[:enabled].downcase.chomp == 'true' ? true : false,
- :password => user[:password],
- :tenant => user[:project],
- :email => user[:email],
- :id => user[:id]
- )
- end
- end
-
- def instances
- instances = request('user', 'list', nil, resource[:auth], '--long')
- instances.collect do |user|
- {
- :name => user[:name],
- :enabled => user[:enabled].downcase.chomp == 'true' ? true : false,
- :password => user[:password],
- :project => user[:project],
- :email => user[:email],
- :id => user[:id]
- }
- end
- end
-
- def instance(name)
- @instance ||= instances.select { |instance| instance[:name] == name }.first || {}
- end
-
- def set_project(newproject)
- # some backends do not store the project/tenant in the user object, so we have to
- # to modify the project/tenant instead
- # First, see if the project actually needs to change
- roles = request('user role', 'list', resource[:name], resource[:auth], ['--project', newproject])
- unless roles.empty?
- return # if already set, just skip
- end
- # Currently the only way to assign a user to a tenant not using user-create
- # is to use user-role-add - this means we also need a role - there is usual
- # a default role called _member_ which can be used for this purpose. What
- # usually happens in a puppet module is that immediately after calling
- # keystone_user, the module will then assign a role to that user. It is
- # ok for a user to have the _member_ role and another role.
- default_role = "_member_"
- begin
- request('role', 'show', default_role, resource[:auth])
- rescue
- debug("Keystone role #{default_role} does not exist - creating")
- request('role', 'create', default_role, resource[:auth])
- end
- request('role', 'add', default_role, resource[:auth],
- '--project', newproject, '--user', resource[:name])
- end
-
- def flush
- options = []
- if @property_flush
- (options << '--enable') if @property_flush[:enabled] == :true
- (options << '--disable') if @property_flush[:enabled] == :false
- # There is a --description flag for the set command, but it does not work if the value is empty
- (options << '--password' << resource[:password]) if @property_flush[:password]
- (options << '--email' << resource[:email]) if @property_flush[:email]
- # project handled in tenant= separately
- request('user', 'set', resource[:name], resource[:auth], options) unless options.empty?
- end
- end
-
-end
+++ /dev/null
-require 'puppet/provider/keystone'
-
-Puppet::Type.type(:keystone_user_role).provide(
- :openstack,
- :parent => Puppet::Provider::Keystone
-) do
-
- desc "Provider to manage keystone role assignments to users."
-
- def create
- properties = []
- properties << '--project' << get_project
- properties << '--user' << get_user
- if resource[:roles]
- resource[:roles].each do |role|
- request('role', 'add', role, resource[:auth], properties)
- end
- end
- end
-
- def exists?
- # If we just ran self.instances, no need to make the request again
- # instance() will find it cached in @user_role_hash
- if self.class.user_role_hash
- return ! instance(resource[:name]).empty?
- # If we don't have the hash ready, we don't need to rebuild the
- # whole thing just to check on one particular user/role
- else
- roles = request('user role', 'list', nil, resource[:auth], ['--project', get_project, get_user])
- # Since requesting every combination of users, roles, and
- # projects is so expensive, construct the property hash here
- # instead of in self.instances so it can be used in the role
- # and destroy methods
- @property_hash[:name] = resource[:name]
- if roles.empty?
- @property_hash[:ensure] = :absent
- else
- @property_hash[:ensure] = :present
- @property_hash[:roles] = roles.collect do |role|
- role[:name]
- end
- end
- return @property_hash[:ensure] == :present
- end
- end
-
- def destroy
- properties = []
- properties << '--project' << get_project
- properties << '--user' << get_user
- if @property_hash[:roles]
- @property_hash[:roles].each do |role|
- request('role', 'remove', role, resource[:auth], properties)
- end
- end
- @property_hash[:ensure] = :absent
- end
-
-
- def roles
- @property_hash[:roles]
- end
-
- def roles=(value)
- current_roles = roles
- # determine the roles to be added and removed
- remove = current_roles - Array(value)
- add = Array(value) - current_roles
- user = get_user
- project = get_project
- add.each do |role_name|
- request('role', 'add', role_name, resource[:auth], ['--project', project, '--user', user])
- end
- remove.each do |role_name|
- request('role', 'remove', role_name, resource[:auth], ['--project', project, '--user', user])
- end
- end
-
-
- def self.instances
- instances = build_user_role_hash
- instances.collect do |title, roles|
- new(
- :name => title,
- :ensure => :present,
- :roles => roles
- )
- end
- end
-
- def instance(name)
- self.class.user_role_hash.select { |role_name, roles| role_name == name } || {}
- end
-
- private
-
- def get_user
- resource[:name].rpartition('@').first
- end
-
- def get_project
- resource[:name].rpartition('@').last
- end
-
- # We split get_projects into class and instance methods
- # so that the appropriate request method gets called
- def get_projects
- request('project', 'list', nil, resource[:auth]).collect do |project|
- project[:name]
- end
- end
-
- def self.get_projects
- request('project', 'list', nil, nil).collect do |project|
- project[:name]
- end
- end
-
- def get_users(project)
- request('user', 'list', nil, resource[:auth], ['--project', project]).collect do |user|
- user[:name]
- end
- end
-
- def self.get_users(project)
- request('user', 'list', nil, nil, ['--project', project]).collect do |user|
- user[:name]
- end
- end
-
- # Class methods for caching user_role_hash so both class and instance
- # methods can access the value
- def self.set_user_role_hash(user_role_hash)
- @user_role_hash = user_role_hash
- end
-
- def self.user_role_hash
- @user_role_hash
- end
-
- def self.build_user_role_hash
- hash = user_role_hash || {}
- return hash unless hash.empty?
- projects = get_projects
- projects.each do |project|
- users = get_users(project)
- users.each do |user|
- user_roles = request('user role', 'list', nil, nil, ['--project', project, user])
- hash["#{user}@#{project}"] = []
- user_roles.each do |role|
- hash["#{user}@#{project}"] << role[:name]
- end
- end
- end
- set_user_role_hash(hash)
- hash
- end
-
-end
+++ /dev/null
-# TODO: This needs to be extracted out into openstacklib in the Kilo cycle
-require 'csv'
-require 'puppet'
-
-class Puppet::Error::OpenstackAuthInputError < Puppet::Error
-end
-
-class Puppet::Error::OpenstackUnauthorizedError < Puppet::Error
-end
-
-class Puppet::Provider::Openstack < Puppet::Provider
-
- initvars # so commands will work
- commands :openstack => 'openstack'
-
- def request(service, action, object, credentials, *properties)
- if password_credentials_set?(credentials)
- auth_args = password_auth_args(credentials)
- elsif openrc_set?(credentials)
- credentials = get_credentials_from_openrc(credentials['openrc'])
- auth_args = password_auth_args(credentials)
- elsif service_credentials_set?(credentials)
- auth_args = token_auth_args(credentials)
- elsif env_vars_set?
- # noop; auth needs no extra arguments
- auth_args = nil
- else # All authentication efforts failed
- raise(Puppet::Error::OpenstackAuthInputError, 'No credentials provided.')
- end
- args = [object, properties, auth_args].flatten.compact
- authenticate_request(service, action, args)
- end
-
- def self.request(service, action, object, *properties)
- if env_vars_set?
- # noop; auth needs no extra arguments
- auth_args = nil
- else # All authentication efforts failed
- raise(Puppet::Error::OpenstackAuthInputError, 'No credentials provided.')
- end
- args = [object, properties, auth_args].flatten.compact
- authenticate_request(service, action, args)
- end
-
- # Returns an array of hashes, where the keys are the downcased CSV headers
- # with underscores instead of spaces
- def self.authenticate_request(service, action, *args)
- rv = nil
- timeout = 10
- end_time = Time.now.to_i + timeout
- loop do
- begin
- if(action == 'list')
- response = openstack(service, action, '--quiet', '--format', 'csv', args)
- response = parse_csv(response)
- keys = response.delete_at(0) # ID,Name,Description,Enabled
- rv = response.collect do |line|
- hash = {}
- keys.each_index do |index|
- key = keys[index].downcase.gsub(/ /, '_').to_sym
- hash[key] = line[index]
- end
- hash
- end
- elsif(action == 'show' || action == 'create')
- rv = {}
- # shell output is name="value"\nid="value2"\ndescription="value3" etc.
- openstack(service, action, '--format', 'shell', args).split("\n").each do |line|
- # key is everything before the first "="
- key, val = line.split("=", 2)
- next unless val # Ignore warnings
- # value is everything after the first "=", with leading and trailing double quotes stripped
- val = val.gsub(/\A"|"\Z/, '')
- rv[key.downcase.to_sym] = val
- end
- else
- rv = openstack(service, action, args)
- end
- break
- rescue Puppet::ExecutionFailure => e
- if e.message =~ /HTTP 401/
- raise(Puppet::Error::OpenstackUnauthorizedError, 'Could not authenticate.')
- elsif e.message =~ /Unable to establish connection/
- current_time = Time.now.to_i
- if current_time > end_time
- break
- else
- wait = end_time - current_time
- Puppet::debug("Non-fatal error: \"#{e.message}\"; retrying for #{wait} more seconds.")
- if wait > timeout - 2 # Only notice the first time
- notice("#{service} service is unavailable. Will retry for up to #{wait} seconds.")
- end
- end
- sleep(2)
- else
- raise e
- end
- end
- end
- return rv
- end
-
- def authenticate_request(service, action, *args)
- self.class.authenticate_request(service, action, *args)
- end
-
- private
-
- def password_credentials_set?(auth_params)
- auth_params && auth_params['username'] && auth_params['password'] && auth_params['tenant_name'] && auth_params['auth_url']
- end
-
-
- def openrc_set?(auth_params)
- auth_params && auth_params['openrc']
- end
-
-
- def service_credentials_set?(auth_params)
- auth_params && auth_params['token'] && auth_params['auth_url']
- end
-
-
- def self.env_vars_set?
- ENV['OS_USERNAME'] && ENV['OS_PASSWORD'] && ENV['OS_TENANT_NAME'] && ENV['OS_AUTH_URL']
- end
-
-
- def env_vars_set?
- self.class.env_vars_set?
- end
-
-
-
- def self.password_auth_args(credentials)
- ['--os-username', credentials['username'],
- '--os-password', credentials['password'],
- '--os-tenant-name', credentials['tenant_name'],
- '--os-auth-url', credentials['auth_url']]
- end
-
- def password_auth_args(credentials)
- self.class.password_auth_args(credentials)
- end
-
-
- def self.token_auth_args(credentials)
- ['--os-token', credentials['token'],
- '--os-url', credentials['auth_url']]
- end
-
- def token_auth_args(credentials)
- self.class.token_auth_args(credentials)
- end
-
- def get_credentials_from_openrc(file)
- creds = {}
- File.open(file).readlines.delete_if{|l| l=~ /^#/}.each do |line|
- key, value = line.split('=')
- key = key.split(' ').last.downcase.sub(/^os_/, '')
- value = value.chomp.gsub(/'/, '')
- creds[key] = value
- end
- return creds
- end
-
-
- def self.get_credentials_from_env
- env = ENV.to_hash.dup.delete_if { |key, _| ! (key =~ /^OS_/) }
- credentials = {}
- env.each do |name, value|
- credentials[name.downcase.sub(/^os_/, '')] = value
- end
- credentials
- end
-
- def get_credentials_from_env
- self.class.get_credentials_from_env
- end
-
- def self.parse_csv(text)
- # Ignore warnings - assume legitimate output starts with a double quoted
- # string. Errors will be caught and raised prior to this
- text = text.split("\n").drop_while { |line| line !~ /^\".*\"/ }.join("\n")
- return CSV.parse(text + "\n")
- end
-
-end
+++ /dev/null
-Puppet::Type.newtype(:keystone_config) do
-
- ensurable
-
- newparam(:name, :namevar => true) do
- desc 'Section/setting name to manage from keystone.conf'
- newvalues(/\S+\/\S+/)
- end
-
- newproperty(:value) do
- desc 'The value of the setting to be defined.'
- munge do |value|
- value = value.to_s.strip
- value.capitalize! if value =~ /^(true|false)$/i
- value
- end
- newvalues(/^[\S ]*$/)
-
- def is_to_s( currentvalue )
- if resource.secret?
- return '[old secret redacted]'
- else
- return currentvalue
- end
- end
-
- def should_to_s( newvalue )
- if resource.secret?
- return '[new secret redacted]'
- else
- return newvalue
- end
- end
- end
-
- newparam(:secret, :boolean => true) do
- desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
-
- newvalues(:true, :false)
-
- defaultto false
- end
-
-end
+++ /dev/null
-# LP#1408531
-File.expand_path('../..', File.dirname(__FILE__)).tap { |dir| $LOAD_PATH.unshift(dir) unless $LOAD_PATH.include?(dir) }
-require 'puppet/util/openstack'
-Puppet::Type.newtype(:keystone_endpoint) do
-
- desc 'Type for managing keystone endpoints.'
-
- ensurable
-
- newparam(:name, :namevar => true) do
- newvalues(/\S+\/\S+/)
- end
-
- newproperty(:id) do
- validate do |v|
- raise(Puppet::Error, 'This is a read only property')
- end
- end
-
- newproperty(:region) do
- end
-
- newproperty(:public_url) do
- end
-
- newproperty(:internal_url) do
- end
-
- newproperty(:admin_url) do
- end
-
- # we should not do anything until the keystone service is started
- autorequire(:service) do
- ['keystone']
- end
-
- autorequire(:keystone_service) do
- (region, service_name) = self[:name].split('/')
- [service_name]
- end
-
- auth_param_doc=<<EOT
-If no other credentials are present, the provider will search in
-/etc/keystone/keystone.conf for an admin token and auth url.
-EOT
- Puppet::Util::Openstack.add_openstack_type_methods(self, auth_param_doc)
-end
+++ /dev/null
-Puppet::Type.newtype(:keystone_paste_ini) do
-
- ensurable
-
- newparam(:name, :namevar => true) do
- desc 'Section/setting name to manage from keystone/keystone-paste.ini'
- newvalues(/\S+\/\S+/)
- end
-
- newproperty(:value) do
- desc 'The value of the setting to be defined.'
- munge do |value|
- value = value.to_s.strip
- value.capitalize! if value =~ /^(true|false)$/i
- value
- end
-
- def is_to_s( currentvalue )
- if resource.secret?
- return '[old secret redacted]'
- else
- return currentvalue
- end
- end
-
- def should_to_s( newvalue )
- if resource.secret?
- return '[new secret redacted]'
- else
- return newvalue
- end
- end
- end
-
- newparam(:secret, :boolean => true) do
- desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
-
- newvalues(:true, :false)
-
- defaultto false
- end
-
-end
+++ /dev/null
-# LP#1408531
-File.expand_path('../..', File.dirname(__FILE__)).tap { |dir| $LOAD_PATH.unshift(dir) unless $LOAD_PATH.include?(dir) }
-require 'puppet/util/openstack'
-Puppet::Type.newtype(:keystone_role) do
-
- desc <<-EOT
- This is currently used to model the creation of
- keystone roles.
- EOT
-
- ensurable
-
- newparam(:name, :namevar => true) do
- newvalues(/\S+/)
- end
-
- newproperty(:id) do
- validate do |v|
- raise(Puppet::Error, 'This is a read only property')
- end
- end
-
- # we should not do anything until the keystone service is started
- autorequire(:service) do
- ['keystone']
- end
-
- auth_param_doc=<<EOT
-If no other credentials are present, the provider will search in
-/etc/keystone/keystone.conf for an admin token and auth url.
-EOT
- Puppet::Util::Openstack.add_openstack_type_methods(self, auth_param_doc)
-end
+++ /dev/null
-# LP#1408531
-File.expand_path('../..', File.dirname(__FILE__)).tap { |dir| $LOAD_PATH.unshift(dir) unless $LOAD_PATH.include?(dir) }
-require 'puppet/util/openstack'
-Puppet::Type.newtype(:keystone_service) do
-
- desc 'This type can be used to manage keystone services.'
-
- ensurable
-
- newparam(:name, :namevar => true) do
- desc 'The name of the service.'
- newvalues(/\S+/)
- end
-
- newproperty(:id) do
- validate do |v|
- raise(Puppet::Error, 'This is a read only property')
- end
- end
-
- newproperty(:type) do
- desc 'The type of service'
- validate do |value|
- fail('The service type is required.') unless value
- end
- end
-
- newproperty(:description) do
- desc 'A description of the service.'
- defaultto('')
- end
-
- # This ensures the service is started and therefore the keystone
- # config is configured IF we need them for authentication.
- # If there is no keystone config, authentication credentials
- # need to come from another source.
- autorequire(:service) do
- ['keystone']
- end
-
- auth_param_doc=<<EOT
-If no other credentials are present, the provider will search in
-/etc/keystone/keystone.conf for an admin token and auth url.
-EOT
- Puppet::Util::Openstack.add_openstack_type_methods(self, auth_param_doc)
-end
+++ /dev/null
-# LP#1408531
-File.expand_path('../..', File.dirname(__FILE__)).tap { |dir| $LOAD_PATH.unshift(dir) unless $LOAD_PATH.include?(dir) }
-require 'puppet/util/openstack'
-Puppet::Type.newtype(:keystone_tenant) do
-
- desc 'This type can be used to manage keystone tenants.'
-
- ensurable
-
- newparam(:name, :namevar => true) do
- desc 'The name of the tenant.'
- newvalues(/\w+/)
- end
-
- newproperty(:enabled) do
- desc 'Whether the tenant should be enabled. Defaults to true.'
- newvalues(/(t|T)rue/, /(f|F)alse/, true, false )
- defaultto(true)
- munge do |value|
- value.to_s.downcase.to_sym
- end
- end
-
- newproperty(:description) do
- desc 'A description of the tenant.'
- defaultto('')
- end
-
- newproperty(:id) do
- desc 'Read-only property of the tenant.'
- validate do |v|
- raise(Puppet::Error, 'This is a read only property')
- end
- end
-
- # This ensures the service is started and therefore the keystone
- # config is configured IF we need them for authentication.
- # If there is no keystone config, authentication credentials
- # need to come from another source.
- autorequire(:service) do
- ['keystone']
- end
-
- auth_param_doc=<<EOT
-If no other credentials are present, the provider will search in
-/etc/keystone/keystone.conf for an admin token and auth url.
-EOT
- Puppet::Util::Openstack.add_openstack_type_methods(self, auth_param_doc)
-end
+++ /dev/null
-# LP#1408531
-File.expand_path('../..', File.dirname(__FILE__)).tap { |dir| $LOAD_PATH.unshift(dir) unless $LOAD_PATH.include?(dir) }
-require 'puppet/util/openstack'
-Puppet::Type.newtype(:keystone_user) do
-
- desc 'Type for managing keystone users.'
-
- ensurable
-
- newparam(:name, :namevar => true) do
- newvalues(/\S+/)
- end
-
- newparam(:ignore_default_tenant) do
- newvalues(/(t|T)rue/, /(f|F)alse/, true, false)
- defaultto(false)
- munge do |value|
- value.to_s.downcase.to_sym
- end
- end
-
- newproperty(:enabled) do
- newvalues(/(t|T)rue/, /(f|F)alse/, true, false)
- defaultto(true)
- munge do |value|
- value.to_s.downcase.to_sym
- end
- end
-
- newproperty(:password) do
- newvalues(/\S+/)
- def change_to_s(currentvalue, newvalue)
- if currentvalue == :absent
- return "created password"
- else
- return "changed password"
- end
- end
-
- def is_to_s( currentvalue )
- return '[old password redacted]'
- end
-
- def should_to_s( newvalue )
- return '[new password redacted]'
- end
- end
-
- newproperty(:tenant) do
- newvalues(/\S+/)
- end
-
- newproperty(:email) do
- newvalues(/^(\S+@\S+)|$/)
- end
-
- newproperty(:id) do
- validate do |v|
- raise(Puppet::Error, 'This is a read only property')
- end
- end
-
- newparam(:replace_password) do
- newvalues(/(t|T)rue/, /(f|F)alse/, true, false)
- defaultto(true)
- munge do |value|
- value.to_s.downcase.to_sym
- end
- end
-
- autorequire(:keystone_tenant) do
- self[:tenant]
- end
-
- # we should not do anything until the keystone service is started
- autorequire(:service) do
- ['keystone']
- end
-
- auth_param_doc=<<EOT
-If no other credentials are present, the provider will search in
-/etc/keystone/keystone.conf for an admin token and auth url.
-EOT
- Puppet::Util::Openstack.add_openstack_type_methods(self, auth_param_doc)
-end
+++ /dev/null
-# LP#1408531
-File.expand_path('../..', File.dirname(__FILE__)).tap { |dir| $LOAD_PATH.unshift(dir) unless $LOAD_PATH.include?(dir) }
-require 'puppet/util/openstack'
-Puppet::Type.newtype(:keystone_user_role) do
-
- desc <<-EOT
- This is currently used to model the creation of
- keystone users roles.
-
- User roles are an assignment of a role to a user on
- a certain tenant. The combination of all of these
- attributes is unique.
- EOT
-
- ensurable
-
- newparam(:name, :namevar => true) do
- newvalues(/^\S+@\S+$/)
- end
-
- newproperty(:roles, :array_matching => :all) do
- def insync?(is)
- return false unless is.is_a? Array
- # order of roles does not matter
- is.sort == self.should.sort
- end
- end
-
- autorequire(:keystone_user) do
- self[:name].rpartition('@').first
- end
-
- autorequire(:keystone_tenant) do
- self[:name].rpartition('@').last
- end
-
- autorequire(:keystone_role) do
- self[:roles]
- end
-
- # we should not do anything until the keystone service is started
- autorequire(:service) do
- ['keystone']
- end
-
- auth_param_doc=<<EOT
-If no other credentials are present, the provider will search in
-/etc/keystone/keystone.conf for an admin token and auth url.
-EOT
- Puppet::Util::Openstack.add_openstack_type_methods(self, auth_param_doc)
-end
+++ /dev/null
-# TODO: This should be extracted into openstacklib during the kilo cycle
-# Add the auth parameter to whatever type is given
-module Puppet::Util::Openstack
- def self.add_openstack_type_methods(type, comment)
-
- type.newparam(:auth) do
-
- desc <<EOT
-Hash of authentication credentials. Credentials can be specified as
-password credentials, e.g.:
-
-auth => {
- 'username' => 'test',
- 'password' => 'passw0rd',
- 'tenant_name' => 'test',
- 'auth_url' => 'http://localhost:35357/v2.0',
-}
-
-or a path to an openrc file containing these credentials, e.g.:
-
-auth => {
- 'openrc' => '/root/openrc',
-}
-
-or a service token and host, e.g.:
-
-auth => {
- 'service_token' => 'ADMIN',
- 'auth_url' => 'http://localhost:35357/v2.0',
-}
-
-If not present, the provider will look for environment variables for
-password credentials.
-
-#{comment}
-EOT
-
- validate do |value|
- raise(Puppet::Error, 'This property must be a hash') unless value.is_a?(Hash)
- end
- end
-
- type.autorequire(:package) do
- 'python-openstackclient'
- end
-
- end
-end
+++ /dev/null
-# == Class: keystone::client
-#
-# Installs Keystone client.
-#
-# === Parameters
-#
-# [*ensure*]
-# (optional) Ensure state of the package. Defaults to 'present'.
-#
-class keystone::client (
- $ensure = 'present'
-) {
-
- package { 'python-keystoneclient':
- ensure => $ensure,
- tag => 'openstack',
- }
-}
+++ /dev/null
-# == Class: keystone::config
-#
-# This class is used to manage arbitrary keystone configurations.
-#
-# === Parameters
-#
-# [*keystone_config*]
-# (optional) Allow configuration of arbitrary keystone configurations.
-# The value is an hash of keystone_config resources. Example:
-# { 'DEFAULT/foo' => { value => 'fooValue'},
-# 'DEFAULT/bar' => { value => 'barValue'}
-# }
-# In yaml format, Example:
-# keystone_config:
-# DEFAULT/foo:
-# value: fooValue
-# DEFAULT/bar:
-# value: barValue
-#
-# NOTE: The configuration MUST NOT be already handled by this module
-# or Puppet catalog compilation will fail with duplicate resources.
-#
-class keystone::config (
- $keystone_config = {},
-) {
-
- validate_hash($keystone_config)
-
- create_resources('keystone_config', $keystone_config)
-}
+++ /dev/null
-#
-# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
-#
-# Author: Emilien Macchi <emilien.macchi@enovance.com>
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: keystone::cron::token_flush
-#
-# Installs a cron job to purge expired tokens.
-#
-# === Parameters
-#
-# [*ensure*]
-# (optional) Defaults to present.
-# Valid values are present, absent.
-#
-# [*minute*]
-# (optional) Defaults to '1'.
-#
-# [*hour*]
-# (optional) Defaults to '0'.
-#
-# [*monthday*]
-# (optional) Defaults to '*'.
-#
-# [*month*]
-# (optional) Defaults to '*'.
-#
-# [*weekday*]
-# (optional) Defaults to '*'.
-#
-# [*maxdelay*]
-# (optional) Seconds. Defaults to 0. Should be a positive integer.
-# Induces a random delay before running the cronjob to avoid running all
-# cron jobs at the same time on all hosts this job is configured.
-#
-class keystone::cron::token_flush (
- $ensure = present,
- $minute = 1,
- $hour = 0,
- $monthday = '*',
- $month = '*',
- $weekday = '*',
- $maxdelay = 0,
-) {
-
- if $maxdelay == 0 {
- $sleep = ''
- } else {
- $sleep = "sleep `expr \${RANDOM} \\% ${maxdelay}`; "
- }
-
- cron { 'keystone-manage token_flush':
- ensure => $ensure,
- command => "${sleep}keystone-manage token_flush >>/var/log/keystone/keystone-tokenflush.log 2>&1",
- environment => 'PATH=/bin:/usr/bin:/usr/sbin SHELL=/bin/sh',
- user => 'keystone',
- minute => $minute,
- hour => $hour,
- monthday => $monthday,
- month => $month,
- weekday => $weekday
- }
-}
+++ /dev/null
-# The keystone::db::mysql class implements mysql backend for keystone
-#
-# This class can be used to create tables, users and grant
-# privelege for a mysql keystone database.
-#
-# == parameters
-#
-# [password] Password that will be used for the keystone db user.
-# Optional. Defaults to: 'keystone_default_password'
-#
-# [dbname] Name of keystone database. Optional. Defaults to keystone.
-#
-# [user] Name of keystone user. Optional. Defaults to keystone.
-#
-# [host] Host where user should be allowed all priveleges for database.
-# Optional. Defaults to 127.0.0.1.
-#
-# [allowed_hosts] Hosts allowed to use the database
-#
-# [*mysql_module*] Deprecated. Does nothing.
-#
-# == Dependencies
-# Class['mysql::server']
-#
-# == Examples
-# == Authors
-#
-# Dan Bode dan@puppetlabs.com
-#
-# == Copyright
-#
-# Copyright 2012 Puppetlabs Inc, unless otherwise noted.
-#
-class keystone::db::mysql(
- $password,
- $dbname = 'keystone',
- $user = 'keystone',
- $host = '127.0.0.1',
- $charset = 'utf8',
- $collate = 'utf8_unicode_ci',
- $mysql_module = undef,
- $allowed_hosts = undef
-) {
-
- if $mysql_module {
- warning('The mysql_module parameter is deprecated. The latest 2.x mysql module will be used.')
- }
-
- validate_string($password)
-
- ::openstacklib::db::mysql { 'keystone':
- user => $user,
- password_hash => mysql_password($password),
- dbname => $dbname,
- host => $host,
- charset => $charset,
- collate => $collate,
- allowed_hosts => $allowed_hosts,
- }
-
- ::Openstacklib::Db::Mysql['keystone'] ~> Exec<| title == 'keystone-manage db_sync' |>
-}
+++ /dev/null
-#
-# implements postgresql backend for keystone
-#
-# This class can be used to create tables, users and grant
-# privelege for a postgresql keystone database.
-#
-# Requires Puppetlabs Postgresql module.
-#
-# [*Parameters*]
-#
-# [password] Password that will be used for the keystone db user.
-# Optional. Defaults to: 'keystone_default_password'
-#
-# [dbname] Name of keystone database. Optional. Defaults to keystone.
-#
-# [user] Name of keystone user. Optional. Defaults to keystone.
-#
-# == Dependencies
-# Class['postgresql::server']
-#
-# == Examples
-# == Authors
-#
-# Etienne Pelletier epelletier@morphlabs.com
-#
-# == Copyright
-#
-# Copyright 2012 Etienne Pelletier, unless otherwise noted.
-#
-class keystone::db::postgresql(
- $password,
- $dbname = 'keystone',
- $user = 'keystone'
-) {
-
- Class['keystone::db::postgresql'] -> Service<| title == 'keystone' |>
-
- require postgresql::python
-
- postgresql::db { $dbname:
- user => $user,
- password => $password,
- }
-
- Postgresql::Db[$dbname] ~> Exec<| title == 'keystone-manage db_sync' |>
-
-}
+++ /dev/null
-#
-# Class to execute "keystone-manage db_sync
-#
-class keystone::db::sync {
- exec { 'keystone-manage db_sync':
- path => '/usr/bin',
- user => 'keystone',
- refreshonly => true,
- subscribe => [Package['keystone'], Keystone_config['database/connection']],
- require => User['keystone'],
- }
-
- Exec['keystone-manage db_sync'] ~> Service<| title == 'keystone' |>
-}
+++ /dev/null
-#
-# Installs keystone from source. This is not yet fully implemented
-#
-# == Dependencies
-# == Examples
-# == Authors
-#
-# Dan Bode dan@puppetlabs.com
-#
-# == Copyright
-#
-# Copyright 2012 Puppetlabs Inc, unless otherwise noted.
-#
-class keystone::dev::install(
- $source_dir = '/usr/local/keystone'
-) {
- # make sure that I have python 2.7 installed
-
- Class['openstack::dev'] -> Class['keystone::dev::install']
-
- # there are likely conficts with other packages
- # introduced by these resources
- package { [
- 'python-dev',
- 'libxml2-dev',
- 'libxslt1-dev',
- 'libsasl2-dev',
- 'libsqlite3-dev',
- 'libssl-dev',
- 'libldap2-dev',
- 'sqlite3'
- ]:
- ensure => latest,
- }
-
- vcsrepo { $source_dir:
- ensure => present,
- provider => git,
- source => 'git://github.com/openstack/keystone.git',
- }
-
- Exec {
- cwd => $source_dir,
- path => '/usr/bin',
- refreshonly => true,
- subscribe => Vcsrepo[$source_dir],
- logoutput => true,
- # I have disabled timeout since this seems to take forever
- # this may be a bad idea :)
- timeout => 0,
- }
-
- # TODO - really, I need a way to take this file and
- # convert it into package resources
- exec { 'install_dev_deps':
- command => 'pip install -r tools/pip-requires',
- }
-
- exec { 'install_keystone_source':
- command => 'python setup.py develop',
- require => Exec['install_dev_deps'],
- }
-
-}
+++ /dev/null
-# == Class: keystone::endpoint
-#
-# Creates the auth endpoints for keystone
-#
-# === Parameters
-#
-# [*public_url*]
-# (optional) Public url for keystone endpoint. (Defaults to 'http://127.0.0.1:5000')
-# This url should *not* contain any version or trailing '/'.
-#
-# [*internal_url*]
-# (optional) Internal url for keystone endpoint. (Defaults to $public_url)
-# This url should *not* contain any version or trailing '/'.
-#
-# [*admin_url*]
-# (optional) Admin url for keystone endpoint. (Defaults to 'http://127.0.0.1:35357')
-# This url should *not* contain any version or trailing '/'.
-#
-# [*region*]
-# (optional) Region for endpoint. (Defaults to 'RegionOne')
-#
-# [*version*]
-# (optional) API version for endpoint. Appended to all endpoint urls. (Defaults to 'v2.0')
-#
-# [*public_protocol*]
-# (optional) DEPRECATED: Use public_url instead.
-# Protocol for public access to keystone endpoint. (Defaults to 'http')
-# Setting this parameter overrides public_url parameter.
-#
-# [*public_address*]
-# (optional) DEPRECATED: Use public_url instead.
-# Public address for keystone endpoint. (Defaults to '127.0.0.1')
-# Setting this parameter overrides public_url parameter.
-#
-# [*public_port*]
-# (optional) DEPRECATED: Use public_url instead.
-# Port for non-admin access to keystone endpoint. (Defaults to 5000)
-# Setting this parameter overrides public_url parameter.
-#
-# [*internal_address*]
-# (optional) DEPRECATED: Use internal_url instead.
-# Internal address for keystone endpoint. (Defaults to '127.0.0.1')
-# Setting this parameter overrides internal_url parameter.
-#
-# [*internal_port*]
-# (optional) DEPRECATED: Use internal_url instead.
-# Port for internal access to keystone endpoint. (Defaults to $public_port)
-# Setting this parameter overrides internal_url parameter.
-#
-# [*admin_address*]
-# (optional) DEPRECATED: Use admin_url instead.
-# Admin address for keystone endpoint. (Defaults to '127.0.0.1')
-# Setting this parameter overrides admin_url parameter.
-#
-# [*admin_port*]
-# (optional) DEPRECATED: Use admin_url instead.
-# Port for admin access to keystone endpoint. (Defaults to 35357)
-# Setting this parameter overrides admin_url parameter.
-#
-# === Deprecation notes
-#
-# If any value is provided for public_protocol, public_address or public_port parameters,
-# public_url will be completely ignored. The same applies for internal and admin parameters.
-#
-# === Examples
-#
-# class { 'keystone::endpoint':
-# public_url => 'https://154.10.10.23:5000',
-# internal_url => 'https://11.0.1.7:5000',
-# admin_url => 'https://10.0.1.7:35357',
-# }
-#
-class keystone::endpoint (
- $public_url = 'http://127.0.0.1:5000',
- $internal_url = undef,
- $admin_url = 'http://127.0.0.1:35357',
- $version = 'v2.0',
- $region = 'RegionOne',
- # DEPRECATED PARAMETERS
- $public_protocol = undef,
- $public_address = undef,
- $public_port = undef,
- $internal_address = undef,
- $internal_port = undef,
- $admin_address = undef,
- $admin_port = undef,
-) {
-
- warning('keystone::endpoint class is deprecated, use keystone::resource::service_identity instead.')
-
- if $public_port {
- warning('The public_port parameter is deprecated, use public_url instead.')
- }
-
- if $public_protocol {
- warning('The public_protocol parameter is deprecated, use public_url instead.')
- }
-
- if $public_address {
- warning('The public_address parameter is deprecated, use public_url instead.')
- }
-
- if $internal_address {
- warning('The internal_address parameter is deprecated, use internal_url instead.')
- }
-
- if $internal_port {
- warning('The internal_port parameter is deprecated, use internal_url instead.')
- }
-
- if $admin_address {
- warning('The admin_address parameter is deprecated, use admin_url instead.')
- }
-
- if $admin_port {
- warning('The admin_port parameter is deprecated, use admin_url instead.')
- }
-
- $public_url_real = inline_template('<%=
- if (!@public_protocol.nil?) || (!@public_address.nil?) || (!@public_port.nil?)
- @public_protocol ||= "http"
- @public_address ||= "127.0.0.1"
- @public_port ||= "5000"
- "#{@public_protocol}://#{@public_address}:#{@public_port}/#{@version}"
- else
- "#{@public_url}/#{@version}"
- end %>')
-
- $internal_url_real = inline_template('<%=
- if (!@internal_address.nil?) || (!@internal_port.nil?) || (!@public_port.nil?)
- @internal_address ||= @public_address ||= "127.0.0.1"
- @internal_port ||= @public_port ||= "5000"
- "http://#{@internal_address}:#{@internal_port}/#{@version}"
- elsif (!@internal_url.nil?)
- "#{@internal_url}/#{@version}"
- else
- "#{@public_url}/#{@version}"
- end %>')
-
- $admin_url_real = inline_template('<%=
- if (!@admin_address.nil?) || (!@admin_port.nil?)
- @admin_address ||= "127.0.0.1"
- @admin_port ||= "35357"
- "http://#{@admin_address}:#{@admin_port}/#{@version}"
- else
- "#{@admin_url}/#{@version}"
- end %>')
-
- keystone::resource::service_identity { 'keystone':
- configure_user => false,
- configure_user_role => false,
- service_type => 'identity',
- service_description => 'OpenStack Identity Service',
- public_url => $public_url_real,
- admin_url => $admin_url_real,
- internal_url => $internal_url_real,
- region => $region,
- }
-
-}
+++ /dev/null
-#
-# Module for managing keystone config.
-#
-# == Parameters
-#
-# [package_ensure] Desired ensure state of packages. Optional. Defaults to present.
-# accepts latest or specific versions.
-# [bind_host] Host that keystone binds to.
-# [bind_port] Port that keystone binds to.
-# [public_port]
-# [compute_port]
-# [admin_port]
-# [admin_port] Port that can be used for admin tasks.
-# [admin_token] Admin token that can be used to authenticate as a keystone
-# admin. Required.
-# [verbose] Rather keystone should log at verbose level. Optional.
-# Defaults to False.
-# [debug] Rather keystone should log at debug level. Optional.
-# Defaults to False.
-# [use_syslog] Use syslog for logging. Optional.
-# Defaults to False.
-# [log_facility] Syslog facility to receive log lines. Optional.
-# [catalog_type] Type of catalog that keystone uses to store endpoints,services. Optional.
-# Defaults to sql. (Also accepts template)
-# [catalog_driver] Catalog driver used by Keystone to store endpoints and services. Optional.
-# Setting this value will override and ignore catalog_type.
-# [catalog_template_file] Path to the catalog used if catalog_type equals 'template'.
-# Defaults to '/etc/keystone/default_catalog.templates'
-# [token_provider] Format keystone uses for tokens. Optional.
-# Defaults to 'keystone.token.providers.uuid.Provider'
-# Supports PKI and UUID.
-# [token_driver] Driver to use for managing tokens.
-# Optional. Defaults to 'keystone.token.persistence.backends.sql.Token'
-# [token_expiration] Amount of time a token should remain valid (seconds).
-# Optional. Defaults to 3600 (1 hour).
-# [token_format] Deprecated: Use token_provider instead.
-# [cache_dir] Directory created when token_provider is pki. Optional.
-# Defaults to /var/cache/keystone.
-#
-# [memcache_servers]
-# List of memcache servers in format of server:port.
-# Used with token_driver 'keystone.token.backends.memcache.Token'.
-# Optional. Defaults to false. Example: ['localhost:11211']
-#
-# [cache_backend]
-# Dogpile.cache backend module. It is recommended that Memcache with pooling
-# (keystone.cache.memcache_pool) or Redis (dogpile.cache.redis) be used in production.
-# This has no effects unless 'memcache_servers' is set.
-# Optional. Defaults to 'keystone.common.cache.noop'
-#
-# [cache_backend_argument]
-# List of arguments in format of argname:value supplied to the backend module.
-# Specify this option once per argument to be passed to the dogpile.cache backend.
-# This has no effects unless 'memcache_servers' is set.
-# Optional. Default to undef.
-#
-# [debug_cache_backend]
-# Extra debugging from the cache backend (cache keys, get/set/delete calls).
-# This has no effects unless 'memcache_servers' is set.
-# Optional. Default to false.
-#
-# [token_caching]
-# Toggle for token system caching. This has no effects unless 'memcache_servers' is set.
-# Optional. Default to true.
-#
-# [enabled] If the keystone services should be enabled. Optional. Default to true.
-#
-# [*database_connection*]
-# (optional) Url used to connect to database.
-# Defaults to sqlite:////var/lib/keystone/keystone.db
-#
-# [*sql_connection*]
-# (optional) Deprecated. Use database_connection instead.
-#
-# [*database_idle_timeout*]
-# (optional) Timeout when db connections should be reaped.
-# Defaults to 200.
-#
-# [*idle_timeout*]
-# (optional) Deprecated. Use database_idle_timeout instead.
-#
-# [enable_pki_setup] Enable call to pki_setup to generate the cert for signing pki tokens and
-# revocation lists if it doesn't already exist. This generates a cert and key stored in file
-# locations based on the signing_certfile and signing_keyfile paramters below. If you are
-# providing your own signing cert, make this false.
-# [signing_certfile] Location of the cert file for signing pki tokens and revocation lists.
-# Optional. Note that if this file already exists (i.e. you are providing your own signing cert),
-# the file will not be overwritten, even if enable_pki_setup is set to true.
-# Default: /etc/keystone/ssl/certs/signing_cert.pem
-# [signing_keyfile] Location of the key file for signing pki tokens and revocation lists. Optional.
-# Note that if this file already exists (i.e. you are providing your own signing cert), the file
-# will not be overwritten, even if enable_pki_setup is set to true.
-# Default: /etc/keystone/ssl/private/signing_key.pem
-# [signing_ca_certs] Use this CA certs file along with signing_certfile/signing_keyfile for
-# signing pki tokens and revocation lists. Optional. Default: /etc/keystone/ssl/certs/ca.pem
-# [signing_ca_key] Use this CA key file along with signing_certfile/signing_keyfile for signing
-# pki tokens and revocation lists. Optional. Default: /etc/keystone/ssl/private/cakey.pem
-#
-# [*signing_cert_subject*]
-# (optional) Certificate subject (auto generated certificate) for token signing.
-# Defaults to '/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com'
-#
-# [*signing_key_size*]
-# (optional) Key size (in bits) for token signing cert (auto generated certificate)
-# Defaults to 2048
-#
-# [rabbit_host] Location of rabbitmq installation. Optional. Defaults to localhost.
-# [rabbit_port] Port for rabbitmq instance. Optional. Defaults to 5672.
-# [rabbit_hosts] Location of rabbitmq installation. Optional. Defaults to undef.
-# [rabbit_password] Password used to connect to rabbitmq. Optional. Defaults to guest.
-# [rabbit_userid] User used to connect to rabbitmq. Optional. Defaults to guest.
-# [rabbit_virtual_host] The RabbitMQ virtual host. Optional. Defaults to /.
-#
-# [*rabbit_use_ssl*]
-# (optional) Connect over SSL for RabbitMQ
-# Defaults to false
-#
-# [*kombu_ssl_ca_certs*]
-# (optional) SSL certification authority file (valid only if SSL enabled).
-# Defaults to undef
-#
-# [*kombu_ssl_certfile*]
-# (optional) SSL cert file (valid only if SSL enabled).
-# Defaults to undef
-#
-# [*kombu_ssl_keyfile*]
-# (optional) SSL key file (valid only if SSL enabled).
-# Defaults to undef
-#
-# [*kombu_ssl_version*]
-# (optional) SSL version to use (valid only if SSL enabled).
-# Valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may be
-# available on some distributions.
-# Defaults to 'TLSv1'
-#
-# [notification_driver] RPC driver. Not enabled by default
-# [notification_topics] AMQP topics to publish to when using the RPC notification driver.
-# [control_exchange] AMQP exchange to connect to if using RabbitMQ or Qpid
-#
-# [*public_bind_host*]
-# (optional) The IP address of the public network interface to listen on
-# Deprecates bind_host
-# Default to '0.0.0.0'.
-#
-# [*admin_bind_host*]
-# (optional) The IP address of the public network interface to listen on
-# Deprecates bind_host
-# Default to '0.0.0.0'.
-#
-# [*log_dir*]
-# (optional) Directory where logs should be stored
-# If set to boolean false, it will not log to any directory
-# Defaults to '/var/log/keystone'
-#
-# [*log_file*]
-# (optional) Where to log
-# Defaults to false
-#
-# [*public_endpoint*]
-# (optional) The base public endpoint URL for keystone that are
-# advertised to clients (NOTE: this does NOT affect how
-# keystone listens for connections) (string value)
-# If set to false, no public_endpoint will be defined in keystone.conf.
-# Sample value: 'http://localhost:5000/'
-# Defaults to false
-#
-# [*admin_endpoint*]
-# (optional) The base admin endpoint URL for keystone that are
-# advertised to clients (NOTE: this does NOT affect how keystone listens
-# for connections) (string value)
-# If set to false, no admin_endpoint will be defined in keystone.conf.
-# Sample value: 'http://localhost:35357/'
-# Defaults to false
-#
-# [*enable_ssl*]
-# (optional) Toggle for SSL support on the keystone eventlet servers.
-# (boolean value)
-# Defaults to false
-#
-# [*ssl_certfile*]
-# (optional) Path of the certfile for SSL. (string value)
-# Defaults to '/etc/keystone/ssl/certs/keystone.pem'
-#
-# [*ssl_keyfile*]
-# (optional) Path of the keyfile for SSL. (string value)
-# Defaults to '/etc/keystone/ssl/private/keystonekey.pem'
-#
-# [*ssl_ca_certs*]
-# (optional) Path of the ca cert file for SSL. (string value)
-# Defaults to '/etc/keystone/ssl/certs/ca.pem'
-#
-# [*ssl_ca_key*]
-# (optional) Path of the CA key file for SSL (string value)
-# Defaults to '/etc/keystone/ssl/private/cakey.pem'
-#
-# [*ssl_cert_subject*]
-# (optional) SSL Certificate Subject (auto generated certificate)
-# (string value)
-# Defaults to '/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost'
-#
-# [*mysql_module*]
-# (optional) Deprecated. Does nothing.
-#
-# [*validate_service*]
-# (optional) Whether to validate keystone connections after
-# the service is started.
-# Defaults to false
-#
-# [*validate_insecure*]
-# (optional) Whether to validate keystone connections
-# using the --insecure option with keystone client.
-# Defaults to false
-#
-# [*validate_cacert*]
-# (optional) Whether to validate keystone connections
-# using the specified argument with the --os-cacert option
-# with keystone client.
-# Defaults to undef
-#
-# [*validate_auth_url*]
-# (optional) The url to validate keystone against
-# Defaults to undef
-#
-# [*service_provider*]
-# (optional) Provider, that can be used for keystone service.
-# Default value defined in keystone::params for given operation system.
-# If you use Pacemaker or another Cluster Resource Manager, you can make
-# custom service provider for changing start/stop/status behavior of service,
-# and set it here.
-#
-# [*service_name*]
-# (optional) Name of the service that will be providing the
-# server functionality of keystone. For example, the default
-# is just 'keystone', which means keystone will be run as a
-# standalone eventlet service, and will able to be managed
-# separately by the operating system's service manager. For
-# example, you will be able to use
-# service openstack-keystone restart
-# to restart the service.
-# If the value is 'httpd', this means keystone will be a web
-# service, and you must use another class to configure that
-# web service. For example, after calling class {'keystone'...}
-# use class { 'keystone::wsgi::apache'...} to make keystone be
-# a web app using apache mod_wsgi.
-# Defaults to 'keystone'
-# NOTE: validate_service only applies if the value is 'keystone'
-#
-# == Dependencies
-# None
-#
-# == Examples
-#
-# class { 'keystone':
-# log_verbose => 'True',
-# admin_token => 'my_special_token',
-# }
-#
-# OR
-#
-# class { 'keystone':
-# ...
-# service_name => 'httpd',
-# ...
-# }
-# class { 'keystone::wsgi::apache':
-# ...
-# }
-#
-# == Authors
-#
-# Dan Bode dan@puppetlabs.com
-#
-# == Copyright
-#
-# Copyright 2012 Puppetlabs Inc, unless otherwise noted.
-#
-class keystone(
- $admin_token,
- $package_ensure = 'present',
- $bind_host = false,
- $public_bind_host = '0.0.0.0',
- $admin_bind_host = '0.0.0.0',
- $public_port = '5000',
- $admin_port = '35357',
- $compute_port = '8774',
- $verbose = false,
- $debug = false,
- $log_dir = '/var/log/keystone',
- $log_file = false,
- $use_syslog = false,
- $log_facility = 'LOG_USER',
- $catalog_type = 'sql',
- $catalog_driver = false,
- $catalog_template_file = '/etc/keystone/default_catalog.templates',
- $token_format = false,
- $token_provider = 'keystone.token.providers.uuid.Provider',
- $token_driver = 'keystone.token.persistence.backends.sql.Token',
- $token_expiration = 3600,
- $public_endpoint = false,
- $admin_endpoint = false,
- $enable_ssl = false,
- $ssl_certfile = '/etc/keystone/ssl/certs/keystone.pem',
- $ssl_keyfile = '/etc/keystone/ssl/private/keystonekey.pem',
- $ssl_ca_certs = '/etc/keystone/ssl/certs/ca.pem',
- $ssl_ca_key = '/etc/keystone/ssl/private/cakey.pem',
- $ssl_cert_subject = '/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost',
- $cache_dir = '/var/cache/keystone',
- $memcache_servers = false,
- $cache_backend = 'keystone.common.cache.noop',
- $cache_backend_argument = undef,
- $debug_cache_backend = false,
- $token_caching = true,
- $enabled = true,
- $database_connection = 'sqlite:////var/lib/keystone/keystone.db',
- $database_idle_timeout = '200',
- $enable_pki_setup = true,
- $signing_certfile = '/etc/keystone/ssl/certs/signing_cert.pem',
- $signing_keyfile = '/etc/keystone/ssl/private/signing_key.pem',
- $signing_ca_certs = '/etc/keystone/ssl/certs/ca.pem',
- $signing_ca_key = '/etc/keystone/ssl/private/cakey.pem',
- $signing_cert_subject = '/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com',
- $signing_key_size = 2048,
- $rabbit_host = 'localhost',
- $rabbit_hosts = false,
- $rabbit_password = 'guest',
- $rabbit_port = '5672',
- $rabbit_userid = 'guest',
- $rabbit_virtual_host = '/',
- $rabbit_use_ssl = false,
- $kombu_ssl_ca_certs = undef,
- $kombu_ssl_certfile = undef,
- $kombu_ssl_keyfile = undef,
- $kombu_ssl_version = 'TLSv1',
- $notification_driver = false,
- $notification_topics = false,
- $control_exchange = false,
- $validate_service = false,
- $validate_insecure = false,
- $validate_auth_url = false,
- $validate_cacert = undef,
- $service_provider = $::keystone::params::service_provider,
- $service_name = 'keystone',
- # DEPRECATED PARAMETERS
- $mysql_module = undef,
- $sql_connection = undef,
- $idle_timeout = undef,
-) inherits keystone::params {
-
- if ! $catalog_driver {
- validate_re($catalog_type, 'template|sql')
- }
-
- if $mysql_module {
- warning('The mysql_module parameter is deprecated. The latest 2.x mysql module will be used.')
- }
-
- if $sql_connection {
- warning('The sql_connection parameter is deprecated, use database_connection instead.')
- $database_connection_real = $sql_connection
- } else {
- $database_connection_real = $database_connection
- }
-
- if $idle_timeout {
- warning('The idle_timeout parameter is deprecated, use database_idle_timeout instead.')
- $database_idle_timeout_real = $idle_timeout
- } else {
- $database_idle_timeout_real = $database_idle_timeout
- }
-
- if ($admin_endpoint and 'v2.0' in $admin_endpoint) {
- warning('Version string /v2.0/ should not be included in keystone::admin_endpoint')
- }
-
- if ($public_endpoint and 'v2.0' in $public_endpoint) {
- warning('Version string /v2.0/ should not be included in keystone::public_endpoint')
- }
-
- if $rabbit_use_ssl {
- if !$kombu_ssl_ca_certs {
- fail('The kombu_ssl_ca_certs parameter is required when rabbit_use_ssl is set to true')
- }
- if !$kombu_ssl_certfile {
- fail('The kombu_ssl_certfile parameter is required when rabbit_use_ssl is set to true')
- }
- if !$kombu_ssl_keyfile {
- fail('The kombu_ssl_keyfile parameter is required when rabbit_use_ssl is set to true')
- }
- }
-
- File['/etc/keystone/keystone.conf'] -> Keystone_config<||> ~> Service[$service_name]
- Keystone_config<||> ~> Exec<| title == 'keystone-manage db_sync'|>
- Keystone_config<||> ~> Exec<| title == 'keystone-manage pki_setup'|>
- include ::keystone::params
-
- package { 'keystone':
- ensure => $package_ensure,
- name => $::keystone::params::package_name,
- tag => 'openstack',
- }
- # TODO: Move this to openstacklib::openstackclient in Kilo
- package { 'python-openstackclient':
- ensure => present,
- tag => 'openstack',
- }
-
- group { 'keystone':
- ensure => present,
- system => true,
- require => Package['keystone'],
- }
-
- user { 'keystone':
- ensure => 'present',
- gid => 'keystone',
- system => true,
- require => Package['keystone'],
- }
-
- file { ['/etc/keystone', '/var/log/keystone', '/var/lib/keystone']:
- ensure => directory,
- mode => '0750',
- owner => 'keystone',
- group => 'keystone',
- require => Package['keystone'],
- notify => Service[$service_name],
- }
-
- file { '/etc/keystone/keystone.conf':
- ensure => present,
- mode => '0600',
- owner => 'keystone',
- group => 'keystone',
- require => Package['keystone'],
- notify => Service[$service_name],
- }
-
- if $bind_host {
- warning('The bind_host parameter is deprecated, use public_bind_host and admin_bind_host instead.')
- $public_bind_host_real = $bind_host
- $admin_bind_host_real = $bind_host
- } else {
- $public_bind_host_real = $public_bind_host
- $admin_bind_host_real = $admin_bind_host
- }
-
- # default config
- keystone_config {
- 'DEFAULT/admin_token': value => $admin_token, secret => true;
- 'DEFAULT/public_bind_host': value => $public_bind_host_real;
- 'DEFAULT/admin_bind_host': value => $admin_bind_host_real;
- 'DEFAULT/public_port': value => $public_port;
- 'DEFAULT/admin_port': value => $admin_port;
- 'DEFAULT/compute_port': value => $compute_port;
- 'DEFAULT/verbose': value => $verbose;
- 'DEFAULT/debug': value => $debug;
- }
-
- # Endpoint configuration
- if $public_endpoint {
- keystone_config {
- 'DEFAULT/public_endpoint': value => $public_endpoint;
- }
- } else {
- keystone_config {
- 'DEFAULT/public_endpoint': ensure => absent;
- }
- }
- if $admin_endpoint {
- keystone_config {
- 'DEFAULT/admin_endpoint': value => $admin_endpoint;
- }
- } else {
- keystone_config {
- 'DEFAULT/admin_endpoint': ensure => absent;
- }
- }
- # requirements for memcache token driver
- if ($token_driver =~ /memcache/ ) {
- package { 'python-memcache':
- ensure => present,
- name => $::keystone::params::python_memcache_package_name,
- }
- }
-
- # token driver config
- keystone_config {
- 'token/driver': value => $token_driver;
- 'token/expiration': value => $token_expiration;
- }
-
- # ssl config
- if ($enable_ssl) {
- keystone_config {
- 'ssl/enable': value => true;
- 'ssl/certfile': value => $ssl_certfile;
- 'ssl/keyfile': value => $ssl_keyfile;
- 'ssl/ca_certs': value => $ssl_ca_certs;
- 'ssl/ca_key': value => $ssl_ca_key;
- 'ssl/cert_subject': value => $ssl_cert_subject;
- }
- } else {
- keystone_config {
- 'ssl/enable': value => false;
- }
- }
-
- if($database_connection_real =~ /mysql:\/\/\S+:\S+@\S+\/\S+/) {
- require 'mysql::bindings'
- require 'mysql::bindings::python'
- } elsif($database_connection_real =~ /postgresql:\/\/\S+:\S+@\S+\/\S+/) {
-
- } elsif($database_connection_real =~ /sqlite:\/\//) {
-
- } else {
- fail("Invalid db connection ${database_connection_real}")
- }
-
- # memcache connection config
- if $memcache_servers {
- validate_array($memcache_servers)
- Service<| title == 'memcached' |> -> Service['keystone']
- keystone_config {
- 'cache/enabled': value => true;
- 'cache/backend': value => $cache_backend;
- 'cache/debug_cache_backend': value => $debug_cache_backend;
- 'token/caching': value => $token_caching;
- 'memcache/servers': value => join($memcache_servers, ',');
- }
- if $cache_backend_argument {
- validate_array($cache_backend_argument)
- keystone_config {
- 'cache/backend_argument': value => join($cache_backend_argument, ',');
- }
- } else {
- keystone_config {
- 'cache/backend_argument': ensure => absent;
- }
- }
- } else {
- keystone_config {
- 'cache/enabled': ensure => absent;
- 'cache/backend': ensure => absent;
- 'cache/backend_argument': ensure => absent;
- 'cache/debug_cache_backend': ensure => absent;
- 'token/caching': ensure => absent;
- 'memcache/servers': ensure => absent;
- }
- }
-
- # db connection config
- keystone_config {
- 'database/connection': value => $database_connection_real, secret => true;
- 'database/idle_timeout': value => $database_idle_timeout_real;
- }
-
- # configure based on the catalog backend
- if $catalog_driver {
- $catalog_driver_real = $catalog_driver
- }
- elsif ($catalog_type == 'template') {
- $catalog_driver_real = 'keystone.catalog.backends.templated.Catalog'
- }
- elsif ($catalog_type == 'sql') {
- $catalog_driver_real = 'keystone.catalog.backends.sql.Catalog'
- }
-
- keystone_config {
- 'catalog/driver': value => $catalog_driver_real;
- 'catalog/template_file': value => $catalog_template_file;
- }
-
- if $token_format {
- warning('token_format parameter is deprecated. Use token_provider instead.')
- }
-
- # remove the old format in case of an upgrade
- keystone_config { 'signing/token_format': ensure => absent }
-
- # Set the signing key/cert configuration values.
- keystone_config {
- 'signing/certfile': value => $signing_certfile;
- 'signing/keyfile': value => $signing_keyfile;
- 'signing/ca_certs': value => $signing_ca_certs;
- 'signing/ca_key': value => $signing_ca_key;
- 'signing/cert_subject': value => $signing_cert_subject;
- 'signing/key_size': value => $signing_key_size;
- }
-
- # Create cache directory used for signing.
- file { $cache_dir:
- ensure => directory,
- }
-
- # Only do pki_setup if we were asked to do so. This is needed
- # regardless of the token provider since token revocation lists
- # are always signed.
- if $enable_pki_setup {
- exec { 'keystone-manage pki_setup':
- path => '/usr/bin',
- user => 'keystone',
- refreshonly => true,
- creates => $signing_keyfile,
- notify => Service[$service_name],
- subscribe => Package['keystone'],
- require => User['keystone'],
- }
- }
-
- if ($token_format == false and $token_provider == 'keystone.token.providers.pki.Provider') or $token_format == 'PKI' {
- keystone_config { 'token/provider': value => 'keystone.token.providers.pki.Provider' }
- } elsif $token_format == 'UUID' {
- keystone_config { 'token/provider': value => 'keystone.token.providers.uuid.Provider' }
- } else {
- keystone_config { 'token/provider': value => $token_provider }
- }
-
- if $notification_driver {
- keystone_config { 'DEFAULT/notification_driver': value => $notification_driver }
- } else {
- keystone_config { 'DEFAULT/notification_driver': ensure => absent }
- }
- if $notification_topics {
- keystone_config { 'DEFAULT/notification_topics': value => $notification_topics }
- } else {
- keystone_config { 'DEFAULT/notification_topics': ensure => absent }
- }
- if $control_exchange {
- keystone_config { 'DEFAULT/control_exchange': value => $control_exchange }
- } else {
- keystone_config { 'DEFAULT/control_exchange': ensure => absent }
- }
-
- keystone_config {
- 'DEFAULT/rabbit_password': value => $rabbit_password, secret => true;
- 'DEFAULT/rabbit_userid': value => $rabbit_userid;
- 'DEFAULT/rabbit_virtual_host': value => $rabbit_virtual_host;
- }
-
- if $rabbit_hosts {
- keystone_config { 'DEFAULT/rabbit_hosts': value => join($rabbit_hosts, ',') }
- keystone_config { 'DEFAULT/rabbit_ha_queues': value => true }
- } else {
- keystone_config { 'DEFAULT/rabbit_host': value => $rabbit_host }
- keystone_config { 'DEFAULT/rabbit_port': value => $rabbit_port }
- keystone_config { 'DEFAULT/rabbit_hosts': value => "${rabbit_host}:${rabbit_port}" }
- keystone_config { 'DEFAULT/rabbit_ha_queues': value => false }
- }
-
- keystone_config { 'DEFAULT/rabbit_use_ssl': value => $rabbit_use_ssl }
- if $rabbit_use_ssl {
- keystone_config {
- 'DEFAULT/kombu_ssl_ca_certs': value => $kombu_ssl_ca_certs;
- 'DEFAULT/kombu_ssl_certfile': value => $kombu_ssl_certfile;
- 'DEFAULT/kombu_ssl_keyfile': value => $kombu_ssl_keyfile;
- 'DEFAULT/kombu_ssl_version': value => $kombu_ssl_version;
- }
- } else {
- keystone_config {
- 'DEFAULT/kombu_ssl_ca_certs': ensure => absent;
- 'DEFAULT/kombu_ssl_certfile': ensure => absent;
- 'DEFAULT/kombu_ssl_keyfile': ensure => absent;
- 'DEFAULT/kombu_ssl_version': ensure => absent;
- }
- }
-
- if $enabled {
- $service_ensure = 'running'
- } else {
- $service_ensure = 'stopped'
- }
-
- if $service_name == 'keystone' {
- if $validate_service {
- if $validate_auth_url {
- $v_auth_url = $validate_auth_url
- } else {
- $v_auth_url = $admin_endpoint
- }
-
- class { 'keystone::service':
- ensure => $service_ensure,
- service_name => $::keystone::params::service_name,
- enable => $enabled,
- hasstatus => true,
- hasrestart => true,
- provider => $service_provider,
- validate => true,
- admin_endpoint => $v_auth_url,
- admin_token => $admin_token,
- insecure => $validate_insecure,
- cacert => $validate_cacert,
- }
- } else {
- class { 'keystone::service':
- ensure => $service_ensure,
- service_name => $::keystone::params::service_name,
- enable => $enabled,
- hasstatus => true,
- hasrestart => true,
- provider => $service_provider,
- validate => false,
- }
- }
- }
-
- if $enabled {
- include ::keystone::db::sync
- Class['::keystone::db::sync'] ~> Service[$service_name]
- }
-
- # Syslog configuration
- if $use_syslog {
- keystone_config {
- 'DEFAULT/use_syslog': value => true;
- 'DEFAULT/syslog_log_facility': value => $log_facility;
- }
- } else {
- keystone_config {
- 'DEFAULT/use_syslog': value => false;
- }
- }
-
- if $log_file {
- keystone_config {
- 'DEFAULT/log_file': value => $log_file;
- 'DEFAULT/log_dir': value => $log_dir;
- }
- } else {
- if $log_dir {
- keystone_config {
- 'DEFAULT/log_dir': value => $log_dir;
- 'DEFAULT/log_file': ensure => absent;
- }
- } else {
- keystone_config {
- 'DEFAULT/log_dir': ensure => absent;
- 'DEFAULT/log_file': ensure => absent;
- }
- }
- }
-
-}
+++ /dev/null
-#
-# Implements ldap configuration for keystone.
-#
-# == Dependencies
-# == Examples
-# == Authors
-#
-# Dan Bode dan@puppetlabs.com
-# Matt Fischer matt.fischer@twcable.com
-#
-# == Copyright
-#
-# Copyright 2012 Puppetlabs Inc, unless otherwise noted.
-#
-class keystone::ldap(
- $url = undef,
- $user = undef,
- $password = undef,
- $suffix = undef,
- $query_scope = undef,
- $page_size = undef,
- $user_tree_dn = undef,
- $user_filter = undef,
- $user_objectclass = undef,
- $user_id_attribute = undef,
- $user_name_attribute = undef,
- $user_mail_attribute = undef,
- $user_enabled_attribute = undef,
- $user_enabled_mask = undef,
- $user_enabled_default = undef,
- $user_enabled_invert = undef,
- $user_attribute_ignore = undef,
- $user_default_project_id_attribute = undef,
- $user_allow_create = undef,
- $user_allow_update = undef,
- $user_allow_delete = undef,
- $user_pass_attribute = undef,
- $user_enabled_emulation = undef,
- $user_enabled_emulation_dn = undef,
- $user_additional_attribute_mapping = undef,
- $tenant_tree_dn = undef, #DEPRECATED
- $project_tree_dn = undef,
- $tenant_filter = undef, #DEPRECATED
- $project_filter = undef,
- $tenant_objectclass = undef, #DEPRECATED
- $project_objectclass = undef,
- $tenant_id_attribute = undef, #DEPRECATED
- $project_id_attribute = undef,
- $tenant_member_attribute = undef, #DEPRECATED
- $project_member_attribute = undef,
- $tenant_desc_attribute = undef, #DEPRECATED
- $project_desc_attribute = undef,
- $tenant_name_attribute = undef, #DEPRECATED
- $project_name_attribute = undef,
- $tenant_enabled_attribute = undef, #DEPRECATED
- $project_enabled_attribute = undef,
- $tenant_domain_id_attribute = undef, #DEPRECATED
- $project_domain_id_attribute = undef,
- $tenant_attribute_ignore = undef, #DEPRECATED
- $project_attribute_ignore = undef,
- $tenant_allow_create = undef, #DEPRECATED
- $project_allow_create = undef,
- $tenant_allow_update = undef, #DEPRECATED
- $project_allow_update = undef,
- $tenant_allow_delete = undef, #DEPRECATED
- $project_allow_delete = undef,
- $tenant_enabled_emulation = undef, #DEPRECATED
- $project_enabled_emulation = undef,
- $tenant_enabled_emulation_dn = undef, #DEPRECATED
- $project_enabled_emulation_dn = undef,
- $tenant_additional_attribute_mapping = undef, #DEPRECATED
- $project_additional_attribute_mapping= undef,
- $role_tree_dn = undef,
- $role_filter = undef,
- $role_objectclass = undef,
- $role_id_attribute = undef,
- $role_name_attribute = undef,
- $role_member_attribute = undef,
- $role_attribute_ignore = undef,
- $role_allow_create = undef,
- $role_allow_update = undef,
- $role_allow_delete = undef,
- $role_additional_attribute_mapping = undef,
- $group_tree_dn = undef,
- $group_filter = undef,
- $group_objectclass = undef,
- $group_id_attribute = undef,
- $group_name_attribute = undef,
- $group_member_attribute = undef,
- $group_desc_attribute = undef,
- $group_attribute_ignore = undef,
- $group_allow_create = undef,
- $group_allow_update = undef,
- $group_allow_delete = undef,
- $group_additional_attribute_mapping = undef,
- $use_tls = undef,
- $tls_cacertdir = undef,
- $tls_cacertfile = undef,
- $tls_req_cert = undef,
- $identity_driver = undef,
- $assignment_driver = undef,
- $use_pool = false,
- $pool_size = 10,
- $pool_retry_max = 3,
- $pool_retry_delay = 0.1,
- $pool_connection_timeout = -1,
- $pool_connection_lifetime = 600,
- $use_auth_pool = false,
- $auth_pool_size = 100,
- $auth_pool_connection_lifetime = 60,
-) {
-
- # In Juno the term "tenant" was deprecated in the config in favor of "project"
- # Let's assume project_ is being used and warning otherwise. If both are set we will
- # fail, because having both set may cause unexpected results in Keystone.
- if ($tenant_tree_dn) {
- $project_tree_dn_real = $tenant_tree_dn
- warning ('tenant_tree_dn is deprecated in Juno. switch to project_tree_dn')
- if ($project_tree_dn) {
- fail ('tenant_tree_dn and project_tree_dn are both set. results may be unexpected')
- }
- }
- else {
- $project_tree_dn_real = $project_tree_dn
- }
-
- if ($tenant_filter) {
- $project_filter_real = $tenant_filter
- warning ('tenant_filter is deprecated in Juno. switch to project_filter')
- if ($project_filter) {
- fail ('tenant_filter and project_filter are both set. results may be unexpected')
- }
- }
- else {
- $project_filter_real = $project_filter
- }
-
- if ($tenant_objectclass) {
- $project_objectclass_real = $tenant_objectclass
- warning ('tenant_objectclass is deprecated in Juno. switch to project_objectclass')
- if ($project_objectclass) {
- fail ('tenant_objectclass and project_objectclass are both set. results may be unexpected')
- }
- }
- else {
- $project_objectclass_real = $project_objectclass
- }
-
- if ($tenant_id_attribute) {
- $project_id_attribute_real = $tenant_id_attribute
- warning ('tenant_id_attribute is deprecated in Juno. switch to project_id_attribute')
- if ($project_id_attribute) {
- fail ('tenant_id_attribute and project_id_attribute are both set. results may be unexpected')
- }
- }
- else {
- $project_id_attribute_real = $project_id_attribute
- }
-
- if ($tenant_member_attribute) {
- $project_member_attribute_real = $tenant_member_attribute
- warning ('tenant_member_attribute is deprecated in Juno. switch to project_member_attribute')
- if ($project_member_attribute) {
- fail ('tenant_member_attribute and project_member_attribute are both set. results may be unexpected')
- }
- }
- else {
- $project_member_attribute_real = $project_member_attribute
- }
-
- if ($tenant_desc_attribute) {
- $project_desc_attribute_real = $tenant_desc_attribute
- warning ('tenant_desc_attribute is deprecated in Juno. switch to project_desc_attribute')
- if ($project_desc_attribute) {
- fail ('tenant_desc_attribute and project_desc_attribute are both set. results may be unexpected')
- }
- }
- else {
- $project_desc_attribute_real = $project_desc_attribute
- }
-
- if ($tenant_name_attribute) {
- $project_name_attribute_real = $tenant_name_attribute
- warning ('tenant_name_attribute is deprecated in Juno. switch to project_name_attribute')
- if ($project_name_attribute) {
- fail ('tenant_name_attribute and project_name_attribute are both set. results may be unexpected')
- }
- }
- else {
- $project_name_attribute_real = $project_name_attribute
- }
-
- if ($tenant_enabled_attribute) {
- $project_enabled_attribute_real = $tenant_enabled_attribute
- warning ('tenant_enabled_attribute is deprecated in Juno. switch to project_enabled_attribute')
- if ($project_enabled_attribute) {
- fail ('tenant_enabled_attribute and project_enabled_attribute are both set. results may be unexpected')
- }
- }
- else {
- $project_enabled_attribute_real = $project_enabled_attribute
- }
-
- if ($tenant_attribute_ignore) {
- $project_attribute_ignore_real = $tenant_attribute_ignore
- warning ('tenant_attribute_ignore is deprecated in Juno. switch to project_attribute_ignore')
- if ($project_attribute_ignore) {
- fail ('tenant_attribute_ignore and project_attribute_ignore are both set. results may be unexpected')
- }
- }
- else {
- $project_attribute_ignore_real = $project_attribute_ignore
- }
-
- if ($tenant_domain_id_attribute) {
- $project_domain_id_attribute_real = $tenant_domain_id_attribute
- warning ('tenant_domain_id_attribute is deprecated in Juno. switch to project_domain_id_attribute')
- if ($project_domain_id_attribute) {
- fail ('tenant_domain_id_attribute and project_domain_id_attribute are both set. results may be unexpected')
- }
- }
- else {
- $project_domain_id_attribute_real = $project_domain_id_attribute
- }
-
- if ($tenant_allow_create) {
- $project_allow_create_real = $tenant_allow_create
- warning ('tenant_allow_create is deprecated in Juno. switch to project_allow_create')
- if ($project_allow_create) {
- fail ('tenant_allow_create and project_allow_create are both set. results may be unexpected')
- }
- }
- else {
- $project_allow_create_real = $project_allow_create
- }
-
- if ($tenant_allow_update) {
- $project_allow_update_real = $tenant_allow_update
- warning ('tenant_allow_update is deprecated in Juno. switch to project_allow_update')
- if ($project_allow_update) {
- fail ('tenant_allow_update and project_allow_update are both set. results may be unexpected')
- }
- }
- else {
- $project_allow_update_real = $project_allow_update
- }
-
- if ($tenant_allow_delete) {
- $project_allow_delete_real = $tenant_allow_delete
- warning ('tenant_allow_delete is deprecated in Juno. switch to project_allow_delete')
- if ($project_allow_delete) {
- fail ('tenant_allow_delete and project_allow_delete are both set. results may be unexpected')
- }
- }
- else {
- $project_allow_delete_real = $project_allow_delete
- }
-
- if ($tenant_enabled_emulation) {
- $project_enabled_emulation_real = $tenant_enabled_emulation
- warning ('tenant_enabled_emulation is deprecated in Juno. switch to project_enabled_emulation')
- if ($project_enabled_emulation) {
- fail ('tenant_enabled_emulation and project_enabled_emulation are both set. results may be unexpected')
- }
- }
- else {
- $project_enabled_emulation_real = $project_enabled_emulation
- }
-
- if ($tenant_enabled_emulation_dn) {
- $project_enabled_emulation_dn_real = $tenant_enabled_emulation_dn
- warning ('tenant_enabled_emulation_dn is deprecated in Juno. switch to project_enabled_emulation_dn')
- if ($project_enabled_emulation_dn) {
- fail ('tenant_enabled_emulation_dn and project_enabled_emulation_dn are both set. results may be unexpected')
- }
- }
- else {
- $project_enabled_emulation_dn_real = $project_enabled_emulation_dn
- }
-
- if ($tenant_additional_attribute_mapping) {
- $project_additional_attribute_mapping_real = $tenant_additional_attribute_mapping
- warning ('tenant_additional_attribute_mapping is deprecated in Juno. switch to project_additional_attribute_mapping')
- if ($project_additional_attribute_mapping) {
- fail ('tenant_additional_attribute_mapping and project_additional_attribute_mapping are both set. results may be unexpected')
- }
- }
- else {
- $project_additional_attribute_mapping_real = $project_additional_attribute_mapping
- }
-
- $ldap_packages = ['python-ldap', 'python-ldappool']
- package { $ldap_packages:
- ensure => present,
- }
-
- # check for some common driver name mistakes
- if ($assignment_driver != undef) {
- if ! ($assignment_driver =~ /^keystone.assignment.backends.*Assignment$/) {
- fail('assigment driver should be of the form \'keystone.assignment.backends.*Assignment\'')
- }
- }
-
- if ($identity_driver != undef) {
- if ! ($identity_driver =~ /^keystone.identity.backends.*Identity$/) {
- fail('identity driver should be of the form \'keystone.identity.backends.*Identity\'')
- }
- }
-
- if ($tls_cacertdir != undef) {
- file { $tls_cacertdir:
- ensure => directory
- }
- }
-
- keystone_config {
- 'ldap/url': value => $url;
- 'ldap/user': value => $user;
- 'ldap/password': value => $password, secret => true;
- 'ldap/suffix': value => $suffix;
- 'ldap/query_scope': value => $query_scope;
- 'ldap/page_size': value => $page_size;
- 'ldap/user_tree_dn': value => $user_tree_dn;
- 'ldap/user_filter': value => $user_filter;
- 'ldap/user_objectclass': value => $user_objectclass;
- 'ldap/user_id_attribute': value => $user_id_attribute;
- 'ldap/user_name_attribute': value => $user_name_attribute;
- 'ldap/user_mail_attribute': value => $user_mail_attribute;
- 'ldap/user_enabled_attribute': value => $user_enabled_attribute;
- 'ldap/user_enabled_mask': value => $user_enabled_mask;
- 'ldap/user_enabled_default': value => $user_enabled_default;
- 'ldap/user_enabled_invert': value => $user_enabled_invert;
- 'ldap/user_attribute_ignore': value => $user_attribute_ignore;
- 'ldap/user_default_project_id_attribute': value => $user_default_project_id_attribute;
- 'ldap/user_allow_create': value => $user_allow_create;
- 'ldap/user_allow_update': value => $user_allow_update;
- 'ldap/user_allow_delete': value => $user_allow_delete;
- 'ldap/user_pass_attribute': value => $user_pass_attribute;
- 'ldap/user_enabled_emulation': value => $user_enabled_emulation;
- 'ldap/user_enabled_emulation_dn': value => $user_enabled_emulation_dn;
- 'ldap/user_additional_attribute_mapping': value => $user_additional_attribute_mapping;
- 'ldap/project_tree_dn': value => $project_tree_dn_real;
- 'ldap/project_filter': value => $project_filter_real;
- 'ldap/project_objectclass': value => $project_objectclass_real;
- 'ldap/project_id_attribute': value => $project_id_attribute_real;
- 'ldap/project_member_attribute': value => $project_member_attribute_real;
- 'ldap/project_desc_attribute': value => $project_desc_attribute_real;
- 'ldap/project_name_attribute': value => $project_name_attribute_real;
- 'ldap/project_enabled_attribute': value => $project_enabled_attribute_real;
- 'ldap/project_attribute_ignore': value => $project_attribute_ignore_real;
- 'ldap/project_domain_id_attribute': value => $project_domain_id_attribute_real;
- 'ldap/project_allow_create': value => $project_allow_create_real;
- 'ldap/project_allow_update': value => $project_allow_update_real;
- 'ldap/project_allow_delete': value => $project_allow_delete_real;
- 'ldap/project_enabled_emulation': value => $project_enabled_emulation_real;
- 'ldap/project_enabled_emulation_dn': value => $project_enabled_emulation_dn_real;
- 'ldap/project_additional_attribute_mapping': value => $project_additional_attribute_mapping_real;
- 'ldap/role_tree_dn': value => $role_tree_dn;
- 'ldap/role_filter': value => $role_filter;
- 'ldap/role_objectclass': value => $role_objectclass;
- 'ldap/role_id_attribute': value => $role_id_attribute;
- 'ldap/role_name_attribute': value => $role_name_attribute;
- 'ldap/role_member_attribute': value => $role_member_attribute;
- 'ldap/role_attribute_ignore': value => $role_attribute_ignore;
- 'ldap/role_allow_create': value => $role_allow_create;
- 'ldap/role_allow_update': value => $role_allow_update;
- 'ldap/role_allow_delete': value => $role_allow_delete;
- 'ldap/role_additional_attribute_mapping': value => $role_additional_attribute_mapping;
- 'ldap/group_tree_dn': value => $group_tree_dn;
- 'ldap/group_filter': value => $group_filter;
- 'ldap/group_objectclass': value => $group_objectclass;
- 'ldap/group_id_attribute': value => $group_id_attribute;
- 'ldap/group_name_attribute': value => $group_name_attribute;
- 'ldap/group_member_attribute': value => $group_member_attribute;
- 'ldap/group_desc_attribute': value => $group_desc_attribute;
- 'ldap/group_attribute_ignore': value => $group_attribute_ignore;
- 'ldap/group_allow_create': value => $group_allow_create;
- 'ldap/group_allow_update': value => $group_allow_update;
- 'ldap/group_allow_delete': value => $group_allow_delete;
- 'ldap/group_additional_attribute_mapping': value => $group_additional_attribute_mapping;
- 'ldap/use_tls': value => $use_tls;
- 'ldap/tls_cacertdir': value => $tls_cacertdir;
- 'ldap/tls_cacertfile': value => $tls_cacertfile;
- 'ldap/tls_req_cert': value => $tls_req_cert;
- 'ldap/use_pool': value => $use_pool;
- 'ldap/pool_size': value => $pool_size;
- 'ldap/pool_retry_max': value => $pool_retry_max;
- 'ldap/pool_retry_delay': value => $pool_retry_delay;
- 'ldap/pool_connection_timeout': value => $pool_connection_timeout;
- 'ldap/pool_connection_lifetime': value => $pool_connection_lifetime;
- 'ldap/use_auth_pool': value => $use_auth_pool;
- 'ldap/auth_pool_size': value => $auth_pool_size;
- 'ldap/auth_pool_connection_lifetime': value => $auth_pool_connection_lifetime;
- 'identity/driver': value => $identity_driver;
- 'assignment/driver': value => $assignment_driver;
- }
-}
+++ /dev/null
-# Class keystone::logging
-#
-# keystone extended logging configuration
-#
-# == parameters
-#
-# [*logging_context_format_string*]
-# (optional) Format string to use for log messages with context.
-# Defaults to undef.
-# Example: '%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s\
-# [%(request_id)s %(user_identity)s] %(instance)s%(message)s'
-#
-# [*logging_default_format_string*]
-# (optional) Format string to use for log messages without context.
-# Defaults to undef.
-# Example: '%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s\
-# [-] %(instance)s%(message)s'
-#
-# [*logging_debug_format_suffix*]
-# (optional) Formatted data to append to log format when level is DEBUG.
-# Defaults to undef.
-# Example: '%(funcName)s %(pathname)s:%(lineno)d'
-#
-# [*logging_exception_prefix*]
-# (optional) Prefix each line of exception output with this format.
-# Defaults to undef.
-# Example: '%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s'
-#
-# [*log_config_append*]
-# The name of an additional logging configuration file.
-# Defaults to undef.
-# See https://docs.python.org/2/howto/logging.html
-#
-# [*default_log_levels*]
-# (optional) Hash of logger (keys) and level (values) pairs.
-# Defaults to undef.
-# Example:
-# { 'amqp' => 'WARN', 'amqplib' => 'WARN', 'boto' => 'WARN',
-# 'qpid' => 'WARN', 'sqlalchemy' => 'WARN', 'suds' => 'INFO',
-# 'oslo.messaging' => 'INFO', 'iso8601' => 'WARN',
-# 'requests.packages.urllib3.connectionpool' => 'WARN',
-# 'urllib3.connectionpool' => 'WARN',
-# 'websocket' => 'WARN', 'keystonemiddleware' => 'WARN',
-# 'routes.middleware' => 'WARN', stevedore => 'WARN' }
-#
-# [*publish_errors*]
-# (optional) Publish error events (boolean value).
-# Defaults to undef (false if unconfigured).
-#
-# [*fatal_deprecations*]
-# (optional) Make deprecations fatal (boolean value)
-# Defaults to undef (false if unconfigured).
-#
-# [*instance_format*]
-# (optional) If an instance is passed with the log message, format it
-# like this (string value).
-# Defaults to undef.
-# Example: '[instance: %(uuid)s] '
-#
-# [*instance_uuid_format*]
-# (optional) If an instance UUID is passed with the log message, format
-# it like this (string value).
-# Defaults to undef.
-# Example: instance_uuid_format='[instance: %(uuid)s] '
-
-# [*log_date_format*]
-# (optional) Format string for %%(asctime)s in log records.
-# Defaults to undef.
-# Example: 'Y-%m-%d %H:%M:%S'
-
-class keystone::logging(
- $logging_context_format_string = undef,
- $logging_default_format_string = undef,
- $logging_debug_format_suffix = undef,
- $logging_exception_prefix = undef,
- $log_config_append = undef,
- $default_log_levels = undef,
- $publish_errors = undef,
- $fatal_deprecations = undef,
- $instance_format = undef,
- $instance_uuid_format = undef,
- $log_date_format = undef,
-) {
-
- if $logging_context_format_string {
- keystone_config {
- 'DEFAULT/logging_context_format_string' :
- value => $logging_context_format_string;
- }
- }
- else {
- keystone_config {
- 'DEFAULT/logging_context_format_string' : ensure => absent;
- }
- }
-
- if $logging_default_format_string {
- keystone_config {
- 'DEFAULT/logging_default_format_string' :
- value => $logging_default_format_string;
- }
- }
- else {
- keystone_config {
- 'DEFAULT/logging_default_format_string' : ensure => absent;
- }
- }
-
- if $logging_debug_format_suffix {
- keystone_config {
- 'DEFAULT/logging_debug_format_suffix' :
- value => $logging_debug_format_suffix;
- }
- }
- else {
- keystone_config {
- 'DEFAULT/logging_debug_format_suffix' : ensure => absent;
- }
- }
-
- if $logging_exception_prefix {
- keystone_config {
- 'DEFAULT/logging_exception_prefix' : value => $logging_exception_prefix;
- }
- }
- else {
- keystone_config {
- 'DEFAULT/logging_exception_prefix' : ensure => absent;
- }
- }
-
- if $log_config_append {
- keystone_config {
- 'DEFAULT/log_config_append' : value => $log_config_append;
- }
- }
- else {
- keystone_config {
- 'DEFAULT/log_config_append' : ensure => absent;
- }
- }
-
- if $default_log_levels {
- keystone_config {
- 'DEFAULT/default_log_levels' :
- value => join(sort(join_keys_to_values($default_log_levels, '=')), ',');
- }
- }
- else {
- keystone_config {
- 'DEFAULT/default_log_levels' : ensure => absent;
- }
- }
-
- if $publish_errors {
- keystone_config {
- 'DEFAULT/publish_errors' : value => $publish_errors;
- }
- }
- else {
- keystone_config {
- 'DEFAULT/publish_errors' : ensure => absent;
- }
- }
-
- if $fatal_deprecations {
- keystone_config {
- 'DEFAULT/fatal_deprecations' : value => $fatal_deprecations;
- }
- }
- else {
- keystone_config {
- 'DEFAULT/fatal_deprecations' : ensure => absent;
- }
- }
-
- if $instance_format {
- keystone_config {
- 'DEFAULT/instance_format' : value => $instance_format;
- }
- }
- else {
- keystone_config {
- 'DEFAULT/instance_format' : ensure => absent;
- }
- }
-
- if $instance_uuid_format {
- keystone_config {
- 'DEFAULT/instance_uuid_format' : value => $instance_uuid_format;
- }
- }
- else {
- keystone_config {
- 'DEFAULT/instance_uuid_format' : ensure => absent;
- }
- }
-
- if $log_date_format {
- keystone_config {
- 'DEFAULT/log_date_format' : value => $log_date_format;
- }
- }
- else {
- keystone_config {
- 'DEFAULT/log_date_format' : ensure => absent;
- }
- }
-
-
-}
+++ /dev/null
-#
-# This class contains the platform differences for keystone
-#
-class keystone::params {
- $client_package_name = 'python-keystone'
-
- case $::osfamily {
- 'Debian': {
- $package_name = 'keystone'
- $service_name = 'keystone'
- $keystone_wsgi_script_path = '/usr/lib/cgi-bin/keystone'
- $python_memcache_package_name = 'python-memcache'
- case $::operatingsystem {
- 'Debian': {
- $service_provider = undef
- $keystone_wsgi_script_source = '/usr/share/keystone/wsgi.py'
- }
- default: {
- # NOTE: Ubuntu does not currently provide the keystone wsgi script in the
- # keystone packages. When Ubuntu does provide the script, change this
- # to use the correct path (which I'm assuming will be the same as Debian).
- $service_provider = 'upstart'
- $keystone_wsgi_script_source = 'puppet:///modules/keystone/httpd/keystone.py'
- }
- }
- }
- 'RedHat': {
- $package_name = 'openstack-keystone'
- $service_name = 'openstack-keystone'
- $keystone_wsgi_script_path = '/var/www/cgi-bin/keystone'
- $python_memcache_package_name = 'python-memcached'
- $service_provider = undef
- $keystone_wsgi_script_source = '/usr/share/keystone/keystone.wsgi'
- }
- }
-}
+++ /dev/null
-# == Class: keystone::policy
-#
-# Configure the keystone policies
-#
-# === Parameters
-#
-# [*policies*]
-# (optional) Set of policies to configure for keystone
-# Example :
-# {
-# 'keystone-context_is_admin' => {
-# 'key' => 'context_is_admin',
-# 'value' => 'true'
-# },
-# 'keystone-default' => {
-# 'key' => 'default',
-# 'value' => 'rule:admin_or_owner'
-# }
-# }
-# Defaults to empty hash.
-#
-# [*policy_path*]
-# (optional) Path to the nova policy.json file
-# Defaults to /etc/keystone/policy.json
-#
-class keystone::policy (
- $policies = {},
- $policy_path = '/etc/keystone/policy.json',
-) {
-
- validate_hash($policies)
-
- Openstacklib::Policy::Base {
- file_path => $policy_path,
- }
-
- create_resources('openstacklib::policy::base', $policies)
-
-}
+++ /dev/null
-#
-# installs client python libraries for keystone
-#
-#
-class keystone::python (
- $client_package_name = $keystone::params::client_package_name,
- $ensure = 'present'
-) inherits keystone::params {
-
- package { 'python-keystone' :
- ensure => $ensure,
- name => $client_package_name,
- }
-
-}
+++ /dev/null
-#
-# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
-#
-# Author: Emilien Macchi <emilien.macchi@enovance.com>
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Definition: keystone::resource::service_identity
-#
-# This resource configures Keystone resources for an OpenStack service.
-#
-# == Parameters:
-#
-# [*password*]
-# Password to create for the service user;
-# string; required
-#
-# [*auth_name*]
-# The name of the service user;
-# string; optional; default to the $title of the resource, i.e. 'nova'
-#
-# [*service_name*]
-# Name of the service;
-# string; required
-#
-# [*service_type*]
-# Type of the service;
-# string; required
-#
-# [*service_description*]
-# Description of the service;
-# string; optional: default to '$name service'
-#
-# [*public_url*]
-# Public endpoint URL;
-# string; required
-#
-# [*internal_url*]
-# Internal endpoint URL;
-# string; required
-#
-# [*admin_url*]
-# Admin endpoint URL;
-# string; required
-#
-# [*region*]
-# Endpoint region;
-# string; optional: default to 'RegionOne'
-#
-# [*tenant*]
-# Service tenant;
-# string; optional: default to 'services'
-#
-# [*ignore_default_tenant*]
-# Ignore setting the default tenant value when the user is created.
-# string; optional: default to false
-#
-# [*roles*]
-# List of roles;
-# string; optional: default to ['admin']
-#
-# [*domain*]
-# User domain (keystone v3), not implemented yet.
-# string; optional: default to undef
-#
-# [*email*]
-# Service email;
-# string; optional: default to '$auth_name@localhost'
-#
-# [*configure_endpoint*]
-# Whether to create the endpoint.
-# string; optional: default to True
-#
-# [*configure_user*]
-# Whether to create the user.
-# string; optional: default to True
-#
-# [*configure_user_role*]
-# Whether to create the user role.
-# string; optional: default to True
-#
-# [*configure_service*]
-# Whether to create the service.
-# string; optional: default to True
-#
-define keystone::resource::service_identity(
- $admin_url = false,
- $internal_url = false,
- $password = false,
- $public_url = false,
- $service_type = false,
- $auth_name = $name,
- $configure_endpoint = true,
- $configure_user = true,
- $configure_user_role = true,
- $configure_service = true,
- $domain = undef,
- $email = "${name}@localhost",
- $region = 'RegionOne',
- $service_name = undef,
- $service_description = "${name} service",
- $tenant = 'services',
- $ignore_default_tenant = false,
- $roles = ['admin'],
-) {
-
- if $domain {
- warning('Keystone domains are not yet managed by puppet-keystone.')
- }
-
- if $service_name == undef {
- $service_name_real = $auth_name
- } else {
- $service_name_real = $service_name
- }
-
- if $configure_user {
- ensure_resource('keystone_user', $auth_name, {
- 'ensure' => 'present',
- 'enabled' => true,
- 'password' => $password,
- 'email' => $email,
- 'tenant' => $tenant,
- 'ignore_default_tenant' => $ignore_default_tenant,
- })
- }
-
- if $configure_user_role {
- ensure_resource('keystone_user_role', "${auth_name}@${tenant}", {
- 'ensure' => 'present',
- 'roles' => $roles,
- })
- if $configure_user {
- Keystone_user[$auth_name] -> Keystone_user_role["${auth_name}@${tenant}"]
- }
- }
-
- if $configure_service {
- ensure_resource('keystone_service', $service_name_real, {
- 'ensure' => 'present',
- 'type' => $service_type,
- 'description' => $service_description,
- })
- }
-
- if $configure_endpoint {
- ensure_resource('keystone_endpoint', "${region}/${service_name_real}", {
- 'ensure' => 'present',
- 'public_url' => $public_url,
- 'admin_url' => $admin_url,
- 'internal_url' => $internal_url,
- })
- }
-}
+++ /dev/null
-#
-# This class implements some reasonable admin defaults for keystone.
-#
-# It creates the following keystone objects:
-# * service tenant (tenant used by all service users)
-# * "admin" tenant (defaults to "openstack")
-# * admin user (that defaults to the "admin" tenant)
-# * admin role
-# * adds admin role to admin user on the "admin" tenant
-#
-# [*Parameters*]
-#
-# [email] The email address for the admin. Required.
-# [password] The admin password. Required.
-# [admin_roles] The list of the roles with admin privileges. Optional. Defaults to ['admin'].
-# [admin_tenant] The name of the tenant to be used for admin privileges. Optional. Defaults to openstack.
-# [admin] Admin user. Optional. Defaults to admin.
-# [ignore_default_tenant] Ignore setting the default tenant value when the user is created. Optional. Defaults to false.
-# [admin_tenant_desc] Optional. Description for admin tenant, defaults to 'admin tenant'
-# [service_tenant_desc] Optional. Description for admin tenant, defaults to 'Tenant for the openstack services'
-# [configure_user] Optional. Should the admin user be created? Defaults to 'true'.
-# [configure_user_role] Optional. Should the admin role be configured for the admin user? Defaulst to 'true'.
-#
-# == Dependencies
-# == Examples
-# == Authors
-#
-# Dan Bode dan@puppetlabs.com
-#
-# == Copyright
-#
-# Copyright 2012 Puppetlabs Inc, unless otherwise noted.
-#
-class keystone::roles::admin(
- $email,
- $password,
- $admin = 'admin',
- $admin_tenant = 'openstack',
- $admin_roles = ['admin'],
- $service_tenant = 'services',
- $ignore_default_tenant = false,
- $admin_tenant_desc = 'admin tenant',
- $service_tenant_desc = 'Tenant for the openstack services',
- $configure_user = true,
- $configure_user_role = true,
-) {
-
- keystone_tenant { $service_tenant:
- ensure => present,
- enabled => true,
- description => $service_tenant_desc,
- }
- keystone_tenant { $admin_tenant:
- ensure => present,
- enabled => true,
- description => $admin_tenant_desc,
- }
- keystone_role { 'admin':
- ensure => present,
- }
-
- if $configure_user {
- keystone_user { $admin:
- ensure => present,
- enabled => true,
- tenant => $admin_tenant,
- email => $email,
- password => $password,
- ignore_default_tenant => $ignore_default_tenant,
- }
- }
-
- if $configure_user_role {
- keystone_user_role { "${admin}@${admin_tenant}":
- ensure => present,
- roles => $admin_roles,
- }
- }
-
-}
+++ /dev/null
-# == Class keystone::service
-#
-# Encapsulates the keystone service to a class.
-# This allows resources that require keystone to
-# require this class, which can optionally
-# validate that the service can actually accept
-# connections.
-#
-# === Parameters
-#
-# [*ensure*]
-# (optional) The desired state of the keystone service
-# Defaults to 'running'
-#
-# [*service_name*]
-# (optional) The name of the keystone service
-# Defaults to $::keystone::params::service_name
-#
-# [*enable*]
-# (optional) Whether to enable the keystone service
-# Defaults to true
-#
-# [*hasstatus*]
-# (optional) Whether the keystone service has status
-# Defaults to true
-#
-# [*hasrestart*]
-# (optional) Whether the keystone service has restart
-# Defaults to true
-#
-# [*provider*]
-# (optional) Provider for keystone service
-# Defaults to $::keystone::params::service_provider
-#
-# [*validate*]
-# (optional) Whether to validate the service is working
-# after any service refreshes
-# Defaults to false
-#
-# [*admin_token*]
-# (optional) The admin token to use for validation
-# Defaults to undef
-#
-# [*admin_endpoint*]
-# (optional) The admin endpont to use for validation
-# Defaults to 'http://localhost:35357/v2.0'
-#
-# [*retries*]
-# (optional) Number of times to retry validation
-# Defaults to 10
-#
-# [*delay*]
-# (optional) Number of seconds between validation attempts
-# Defaults to 2
-#
-# [*insecure*]
-# (optional) Whether to validate keystone connections
-# using the --insecure option with keystone client.
-# Defaults to false
-#
-# [*cacert*]
-# (optional) Whether to validate keystone connections
-# using the specified argument with the --os-cacert option
-# with keystone client.
-# Defaults to undef
-#
-class keystone::service(
- $ensure = 'running',
- $service_name = $::keystone::params::service_name,
- $enable = true,
- $hasstatus = true,
- $hasrestart = true,
- $provider = $::keystone::params::service_provider,
- $validate = false,
- $admin_token = undef,
- $admin_endpoint = 'http://localhost:35357/v2.0',
- $retries = 10,
- $delay = 2,
- $insecure = false,
- $cacert = undef,
-) {
- include keystone::params
-
- service { 'keystone':
- ensure => $ensure,
- name => $service_name,
- enable => $enable,
- hasstatus => $hasstatus,
- hasrestart => $hasrestart,
- provider => $provider
- }
-
- if $insecure {
- $insecure_s = '--insecure'
- } else {
- $insecure_s = ''
- }
-
- if $cacert {
- $cacert_s = "--os-cacert ${cacert}"
- } else {
- $cacert_s = ''
- }
-
- if $validate and $admin_token and $admin_endpoint {
- $cmd = "keystone --os-endpoint ${admin_endpoint} --os-token ${admin_token} ${insecure_s} ${cacert_s} user-list"
- $catch = 'name'
- exec { 'validate_keystone_connection':
- path => '/usr/bin:/bin:/usr/sbin:/sbin',
- provider => shell,
- command => $cmd,
- subscribe => Service['keystone'],
- refreshonly => true,
- tries => $retries,
- try_sleep => $delay
- }
-
- Exec['validate_keystone_connection'] -> Keystone_user<||>
- Exec['validate_keystone_connection'] -> Keystone_role<||>
- Exec['validate_keystone_connection'] -> Keystone_tenant<||>
- Exec['validate_keystone_connection'] -> Keystone_service<||>
- Exec['validate_keystone_connection'] -> Keystone_endpoint<||>
- }
-}
+++ /dev/null
-#
-# Class to serve keystone with apache mod_wsgi in place of keystone service
-#
-# Serving keystone from apache is the recommended way to go for production
-# systems as the current keystone implementation is not multi-processor aware,
-# thus limiting the performance for concurrent accesses.
-#
-# See the following URIs for reference:
-# https://etherpad.openstack.org/havana-keystone-performance
-# http://adam.younglogic.com/2012/03/keystone-should-move-to-apache-httpd/
-#
-# When using this class you should disable your keystone service.
-#
-# == Parameters
-#
-# [*servername*]
-# The servername for the virtualhost.
-# Optional. Defaults to $::fqdn
-#
-# [*public_port*]
-# The public port.
-# Optional. Defaults to 5000
-#
-# [*admin_port*]
-# The admin port.
-# Optional. Defaults to 35357
-#
-# [*bind_host*]
-# The host/ip address Apache will listen on.
-# Optional. Defaults to undef (listen on all ip addresses).
-#
-# [*public_path*]
-# The prefix for the public endpoint.
-# Optional. Defaults to '/'
-#
-# [*admin_path*]
-# The prefix for the admin endpoint.
-# Optional. Defaults to '/'
-#
-# [*ssl*]
-# Use ssl ? (boolean)
-# Optional. Defaults to true
-#
-# [*workers*]
-# Number of WSGI workers to spawn.
-# Optional. Defaults to 1
-#
-# [*ssl_cert*]
-# [*ssl_key*]
-# [*ssl_chain*]
-# [*ssl_ca*]
-# [*ssl_crl_path*]
-# [*ssl_crl*]
-# [*ssl_certs_dir*]
-# apache::vhost ssl parameters.
-# Optional. Default to apache::vhost 'ssl_*' defaults.
-#
-# == Dependencies
-#
-# requires Class['apache'] & Class['keystone']
-#
-# == Examples
-#
-# include apache
-#
-# class { 'keystone::wsgi::apache': }
-#
-# == Note about ports & paths
-#
-# When using same port for both endpoints (443 anyone ?), you *MUST* use two
-# different public_path & admin_path !
-#
-# == Authors
-#
-# François Charlier <francois.charlier@enovance.com>
-#
-# == Copyright
-#
-# Copyright 2013 eNovance <licensing@enovance.com>
-#
-class keystone::wsgi::apache (
- $servername = $::fqdn,
- $public_port = 5000,
- $admin_port = 35357,
- $bind_host = undef,
- $public_path = '/',
- $admin_path = '/',
- $ssl = true,
- $workers = 1,
- $ssl_cert = undef,
- $ssl_key = undef,
- $ssl_chain = undef,
- $ssl_ca = undef,
- $ssl_crl_path = undef,
- $ssl_crl = undef,
- $ssl_certs_dir = undef,
- $threads = $::processorcount,
- $priority = '10',
-) {
-
- include ::keystone::params
- include ::apache
- include ::apache::mod::wsgi
- if $ssl {
- include ::apache::mod::ssl
- }
-
- Package['keystone'] -> Package['httpd']
- Package['keystone'] ~> Service['httpd']
- Keystone_config <| |> ~> Service['httpd']
- Service['httpd'] -> Keystone_endpoint <| |>
- Service['httpd'] -> Keystone_role <| |>
- Service['httpd'] -> Keystone_service <| |>
- Service['httpd'] -> Keystone_tenant <| |>
- Service['httpd'] -> Keystone_user <| |>
- Service['httpd'] -> Keystone_user_role <| |>
-
- ## Sanitize parameters
-
- # Ensure there's no trailing '/' except if this is also the only character
- $public_path_real = regsubst($public_path, '(^/.*)/$', '\1')
- # Ensure there's no trailing '/' except if this is also the only character
- $admin_path_real = regsubst($admin_path, '(^/.*)/$', '\1')
-
- if $public_port == $admin_port and $public_path_real == $admin_path_real {
- fail('When using the same port for public & private endpoints, public_path and admin_path should be different.')
- }
-
- file { $::keystone::params::keystone_wsgi_script_path:
- ensure => directory,
- owner => 'keystone',
- group => 'keystone',
- require => Package['httpd'],
- }
-
- file { 'keystone_wsgi_admin':
- ensure => file,
- path => "${::keystone::params::keystone_wsgi_script_path}/admin",
- source => $::keystone::params::keystone_wsgi_script_source,
- owner => 'keystone',
- group => 'keystone',
- mode => '0644',
- # source file provided by keystone package
- require => [File[$::keystone::params::keystone_wsgi_script_path], Package['keystone']],
- }
-
- file { 'keystone_wsgi_main':
- ensure => file,
- path => "${::keystone::params::keystone_wsgi_script_path}/main",
- source => $::keystone::params::keystone_wsgi_script_source,
- owner => 'keystone',
- group => 'keystone',
- mode => '0644',
- # source file provided by keystone package
- require => [File[$::keystone::params::keystone_wsgi_script_path], Package['keystone']],
- }
-
- $wsgi_daemon_process_options_main = {
- user => 'keystone',
- group => 'keystone',
- processes => $workers,
- threads => $threads,
- display-name => 'keystone-main',
- }
-
- $wsgi_daemon_process_options_admin = {
- user => 'keystone',
- group => 'keystone',
- processes => $workers,
- threads => $threads,
- display-name => 'keystone-admin',
- }
-
- $wsgi_script_aliases_main = hash([$public_path_real,"${::keystone::params::keystone_wsgi_script_path}/main"])
- $wsgi_script_aliases_admin = hash([$admin_path_real, "${::keystone::params::keystone_wsgi_script_path}/admin"])
-
- if $public_port == $admin_port {
- $wsgi_script_aliases_main_real = merge($wsgi_script_aliases_main, $wsgi_script_aliases_admin)
- } else {
- $wsgi_script_aliases_main_real = $wsgi_script_aliases_main
- }
-
- ::apache::vhost { 'keystone_wsgi_main':
- ensure => 'present',
- servername => $servername,
- ip => $bind_host,
- port => $public_port,
- docroot => $::keystone::params::keystone_wsgi_script_path,
- docroot_owner => 'keystone',
- docroot_group => 'keystone',
- priority => $priority,
- ssl => $ssl,
- ssl_cert => $ssl_cert,
- ssl_key => $ssl_key,
- ssl_chain => $ssl_chain,
- ssl_ca => $ssl_ca,
- ssl_crl_path => $ssl_crl_path,
- ssl_crl => $ssl_crl,
- ssl_certs_dir => $ssl_certs_dir,
- wsgi_daemon_process => 'keystone_main',
- wsgi_daemon_process_options => $wsgi_daemon_process_options_main,
- wsgi_process_group => 'keystone_main',
- wsgi_script_aliases => $wsgi_script_aliases_main_real,
- require => File['keystone_wsgi_main'],
- }
-
- if $public_port != $admin_port {
- ::apache::vhost { 'keystone_wsgi_admin':
- ensure => 'present',
- servername => $servername,
- ip => $bind_host,
- port => $admin_port,
- docroot => $::keystone::params::keystone_wsgi_script_path,
- docroot_owner => 'keystone',
- docroot_group => 'keystone',
- priority => $priority,
- ssl => $ssl,
- ssl_cert => $ssl_cert,
- ssl_key => $ssl_key,
- ssl_chain => $ssl_chain,
- ssl_ca => $ssl_ca,
- ssl_crl_path => $ssl_crl_path,
- ssl_crl => $ssl_crl,
- ssl_certs_dir => $ssl_certs_dir,
- wsgi_daemon_process => 'keystone_admin',
- wsgi_daemon_process_options => $wsgi_daemon_process_options_admin,
- wsgi_process_group => 'keystone_admin',
- wsgi_script_aliases => $wsgi_script_aliases_admin,
- require => File['keystone_wsgi_admin'],
- }
- }
-}
+++ /dev/null
-{
- "name": "stackforge-keystone",
- "version": "5.1.0",
- "author": "Puppet Labs and OpenStack Contributors",
- "summary": "Puppet module for OpenStack Keystone",
- "license": "Apache-2.0",
- "source": "git://github.com/openstack/puppet-keystone.git",
- "project_page": "https://launchpad.net/puppet-keystone",
- "issues_url": "https://bugs.launchpad.net/puppet-keystone",
- "dependencies": [
- {"name":"puppetlabs/apache","version_requirement":">=1.0.0 <2.0.0"},
- {"name":"puppetlabs/inifile","version_requirement":">=1.0.0 <2.0.0"},
- {"name":"puppetlabs/stdlib","version_requirement":">=4.0.0 <5.0.0"},
- {"name":"stackforge/openstacklib","version_requirement":">=5.0.0 <6.0.0"}
- ],
- "requirements": [
- {
- "name": "pe",
- "version_requirement": "3.x"
- },
- {
- "name": "puppet",
- "version_requirement": "3.x"
- }
- ],
- "operatingsystem_support": [
- {
- "operatingsystem": "Debian",
- "operatingsystemrelease": [
- "7"
- ]
- },
- {
- "operatingsystem": "Fedora",
- "operatingsystemrelease": [
- "20"
- ]
- },
- {
- "operatingsystem": "RedHat",
- "operatingsystemrelease": [
- "6.5",
- "7"
- ]
- },
- {
- "operatingsystem": "Ubuntu",
- "operatingsystemrelease": [
- "12.04",
- "14.04"
- ]
- }
- ],
- "description": "Installs and configures OpenStack Keystone (Identity)."
-}
+++ /dev/null
-require 'spec_helper'
-
-describe 'keystone::client' do
-
- describe "with default parameters" do
- it { should contain_package('python-keystoneclient').with(
- 'ensure' => 'present',
- 'tag' => 'openstack'
- ) }
- end
-
- describe "with specified version" do
- let :params do
- {:ensure => '2013.1'}
- end
-
- it { should contain_package('python-keystoneclient').with(
- 'ensure' => '2013.1',
- 'tag' => 'openstack'
- ) }
- end
-end
+++ /dev/null
-require 'spec_helper'
-
-describe 'keystone::cron::token_flush' do
-
- let :facts do
- { :osfamily => 'Debian' }
- end
-
- describe 'with default parameters' do
- it 'configures a cron' do
- should contain_cron('keystone-manage token_flush').with(
- :ensure => 'present',
- :command => 'keystone-manage token_flush >>/var/log/keystone/keystone-tokenflush.log 2>&1',
- :environment => 'PATH=/bin:/usr/bin:/usr/sbin SHELL=/bin/sh',
- :user => 'keystone',
- :minute => 1,
- :hour => 0,
- :monthday => '*',
- :month => '*',
- :weekday => '*'
- )
- end
- end
-
- describe 'when specifying a maxdelay param' do
- let :params do
- {
- :maxdelay => 600
- }
- end
-
- it 'configures a cron with delay' do
- should contain_cron('keystone-manage token_flush').with(
- :ensure => 'present',
- :command => 'sleep `expr ${RANDOM} \\% 600`; keystone-manage token_flush >>/var/log/keystone/keystone-tokenflush.log 2>&1',
- :environment => 'PATH=/bin:/usr/bin:/usr/sbin SHELL=/bin/sh',
- :user => 'keystone',
- :minute => 1,
- :hour => 0,
- :monthday => '*',
- :month => '*',
- :weekday => '*'
- )
- end
- end
-
- describe 'when specifying a maxdelay param' do
- let :params do
- {
- :ensure => 'absent'
- }
- end
-
- it 'configures a cron with delay' do
- should contain_cron('keystone-manage token_flush').with(
- :ensure => 'absent',
- :command => 'keystone-manage token_flush >>/var/log/keystone/keystone-tokenflush.log 2>&1',
- :environment => 'PATH=/bin:/usr/bin:/usr/sbin SHELL=/bin/sh',
- :user => 'keystone',
- :minute => 1,
- :hour => 0,
- :monthday => '*',
- :month => '*',
- :weekday => '*'
- )
- end
- end
-end
+++ /dev/null
-require 'spec_helper'
-
-describe 'keystone::db::mysql' do
-
- let :pre_condition do
- [
- 'include mysql::server',
- 'include keystone::db::sync'
- ]
- end
-
- let :facts do
- { :osfamily => 'Debian' }
- end
-
- let :params do
- {
- 'password' => 'keystone_default_password',
- }
- end
-
- describe 'with only required params' do
- it { should contain_openstacklib__db__mysql('keystone').with(
- 'user' => 'keystone',
- 'password_hash' => '*B552157B14BCEDDCEAA06767A012F31BDAA9CE3D',
- 'dbname' => 'keystone',
- 'host' => '127.0.0.1',
- 'charset' => 'utf8'
- )}
- end
-
- describe "overriding allowed_hosts param to array" do
- let :params do
- {
- :password => 'keystonepass',
- :allowed_hosts => ['127.0.0.1','%']
- }
- end
-
- end
- describe "overriding allowed_hosts param to string" do
- let :params do
- {
- :password => 'keystonepass2',
- :allowed_hosts => '192.168.1.1'
- }
- end
-
- end
-
- describe "overriding allowed_hosts param equals to host param " do
- let :params do
- {
- :password => 'keystonepass2',
- :allowed_hosts => '127.0.0.1'
- }
- end
-
- end
-
-end
+++ /dev/null
-require 'spec_helper'
-
-describe 'keystone::db::postgresql' do
-
- let :req_params do
- {:password => 'pw'}
- end
-
- let :facts do
- {
- :postgres_default_version => '8.4',
- :osfamily => 'RedHat',
- }
- end
-
- describe 'with only required params' do
- let :params do
- req_params
- end
- it { should contain_postgresql__db('keystone').with(
- :user => 'keystone',
- :password => 'pw'
- ) }
- end
-
-end
+++ /dev/null
-require 'spec_helper'
-
-describe 'keystone::endpoint' do
-
- it { should contain_keystone_service('keystone').with(
- :ensure => 'present',
- :type => 'identity',
- :description => 'OpenStack Identity Service'
- )}
-
- describe 'with default parameters' do
- it { should contain_keystone_endpoint('RegionOne/keystone').with(
- :ensure => 'present',
- :public_url => 'http://127.0.0.1:5000/v2.0',
- :admin_url => 'http://127.0.0.1:35357/v2.0',
- :internal_url => 'http://127.0.0.1:5000/v2.0'
- )}
- end
-
- describe 'with overridden parameters' do
-
- let :params do
- { :version => 'v42.6',
- :public_url => 'https://identity.some.tld/the/main/endpoint',
- :admin_url => 'https://identity-int.some.tld/some/admin/endpoint',
- :internal_url => 'https://identity-int.some.tld/some/internal/endpoint' }
- end
-
- it { should contain_keystone_endpoint('RegionOne/keystone').with(
- :ensure => 'present',
- :public_url => 'https://identity.some.tld/the/main/endpoint/v42.6',
- :admin_url => 'https://identity-int.some.tld/some/admin/endpoint/v42.6',
- :internal_url => 'https://identity-int.some.tld/some/internal/endpoint/v42.6'
- )}
- end
-
- describe 'without internal_url parameter' do
-
- let :params do
- { :public_url => 'https://identity.some.tld/the/main/endpoint' }
- end
-
- it 'internal_url should default to public_url' do
- should contain_keystone_endpoint('RegionOne/keystone').with(
- :ensure => 'present',
- :public_url => 'https://identity.some.tld/the/main/endpoint/v2.0',
- :internal_url => 'https://identity.some.tld/the/main/endpoint/v2.0'
- )
- end
- end
-
- describe 'with deprecated parameters' do
-
- let :params do
- { :public_address => '10.0.0.1',
- :admin_address => '10.0.0.2',
- :internal_address => '10.0.0.3',
- :public_port => '23456',
- :admin_port => '12345',
- :region => 'RegionTwo',
- :version => 'v3.0' }
- end
-
- it { should contain_keystone_endpoint('RegionTwo/keystone').with(
- :ensure => 'present',
- :public_url => 'http://10.0.0.1:23456/v3.0',
- :admin_url => 'http://10.0.0.2:12345/v3.0',
- :internal_url => 'http://10.0.0.3:23456/v3.0'
- )}
-
- describe 'public_address overrides public_url' do
- let :params do
- { :public_address => '10.0.0.1',
- :public_port => '12345',
- :public_url => 'http://10.10.10.10:23456/v3.0' }
- end
-
- it { should contain_keystone_endpoint('RegionOne/keystone').with(
- :ensure => 'present',
- :public_url => 'http://10.0.0.1:12345/v2.0'
- )}
- end
- end
-
- describe 'with overridden deprecated internal_port' do
-
- let :params do
- { :internal_port => '12345' }
- end
-
- it { should contain_keystone_endpoint('RegionOne/keystone').with(
- :ensure => 'present',
- :public_url => 'http://127.0.0.1:5000/v2.0',
- :admin_url => 'http://127.0.0.1:35357/v2.0',
- :internal_url => 'http://127.0.0.1:12345/v2.0'
- )}
- end
-
-end
+++ /dev/null
-require 'spec_helper'
-
-describe 'keystone::ldap' do
- describe 'with basic params' do
- let :params do
- {
- :url => 'ldap://foo',
- :user => 'cn=foo,dc=example,dc=com',
- :password => 'abcdefg',
- :suffix => 'dc=example,dc=com',
- :query_scope => 'sub',
- :page_size => '50',
- :user_tree_dn => 'cn=users,dc=example,dc=com',
- :user_filter => '(memberOf=cn=openstack,cn=groups,cn=accounts,dc=example,dc=com)',
- :user_objectclass => 'inetUser',
- :user_id_attribute => 'uid',
- :user_name_attribute => 'cn',
- :user_mail_attribute => 'mail',
- :user_enabled_attribute => 'UserAccountControl',
- :user_enabled_mask => '2',
- :user_enabled_default => '512',
- :user_enabled_invert => 'False',
- :user_attribute_ignore => '',
- :user_default_project_id_attribute => 'defaultProject',
- :user_allow_create => 'False',
- :user_allow_update => 'False',
- :user_allow_delete => 'False',
- :user_pass_attribute => 'krbPassword',
- :user_enabled_emulation => 'True',
- :user_enabled_emulation_dn => 'cn=openstack-enabled,cn=groups,cn=accounts,dc=example,dc=com',
- :user_additional_attribute_mapping => 'description:name, gecos:name',
- :project_tree_dn => 'ou=projects,ou=openstack,dc=example,dc=com',
- :project_filter => '',
- :project_objectclass => 'organizationalUnit',
- :project_id_attribute => 'ou',
- :project_member_attribute => 'member',
- :project_desc_attribute => 'description',
- :project_name_attribute => 'ou',
- :project_enabled_attribute => 'enabled',
- :project_domain_id_attribute => 'businessCategory',
- :project_attribute_ignore => '',
- :project_allow_create => 'True',
- :project_allow_update => 'True',
- :project_allow_delete => 'True',
- :project_enabled_emulation => 'False',
- :project_enabled_emulation_dn => 'True',
- :project_additional_attribute_mapping => 'cn=enabled,ou=openstack,dc=example,dc=com',
- :role_tree_dn => 'ou=roles,ou=openstack,dc=example,dc=com',
- :role_filter => '',
- :role_objectclass => 'organizationalRole',
- :role_id_attribute => 'cn',
- :role_name_attribute => 'ou',
- :role_member_attribute => 'roleOccupant',
- :role_attribute_ignore => 'description',
- :role_allow_create => 'True',
- :role_allow_update => 'True',
- :role_allow_delete => 'True',
- :role_additional_attribute_mapping => '',
- :group_tree_dn => 'ou=groups,ou=openstack,dc=example,dc=com',
- :group_filter => 'cn=enabled-groups,cn=groups,cn=accounts,dc=example,dc=com',
- :group_objectclass => 'organizationalRole',
- :group_id_attribute => 'cn',
- :group_name_attribute => 'cn',
- :group_member_attribute => 'roleOccupant',
- :group_desc_attribute => 'description',
- :group_attribute_ignore => '',
- :group_allow_create => 'False',
- :group_allow_update => 'False',
- :group_allow_delete => 'False',
- :group_additional_attribute_mapping => '',
- :use_tls => 'False',
- :tls_cacertdir => '/etc/ssl/certs/',
- :tls_cacertfile => '/etc/ssl/certs/ca-certificates.crt',
- :tls_req_cert => 'demand',
- :identity_driver => 'keystone.identity.backends.ldap.Identity',
- :assignment_driver => 'keystone.assignment.backends.ldap.Assignment',
- :use_pool => 'True',
- :pool_size => 20,
- :pool_retry_max => 2,
- :pool_retry_delay => 0.2,
- :pool_connection_timeout => 222,
- :pool_connection_lifetime => 222,
- :use_auth_pool => 'True',
- :auth_pool_size => 20,
- :auth_pool_connection_lifetime => 200,
- }
- end
- it { should contain_package('python-ldap') }
- it { should contain_package('python-ldappool') }
- it 'should have basic params' do
- # basic params
- should contain_keystone_config('ldap/url').with_value('ldap://foo')
- should contain_keystone_config('ldap/user').with_value('cn=foo,dc=example,dc=com')
- should contain_keystone_config('ldap/password').with_value('abcdefg').with_secret(true)
- should contain_keystone_config('ldap/suffix').with_value('dc=example,dc=com')
- should contain_keystone_config('ldap/query_scope').with_value('sub')
- should contain_keystone_config('ldap/page_size').with_value('50')
-
- # users
- should contain_keystone_config('ldap/user_tree_dn').with_value('cn=users,dc=example,dc=com')
- should contain_keystone_config('ldap/user_filter').with_value('(memberOf=cn=openstack,cn=groups,cn=accounts,dc=example,dc=com)')
- should contain_keystone_config('ldap/user_objectclass').with_value('inetUser')
- should contain_keystone_config('ldap/user_id_attribute').with_value('uid')
- should contain_keystone_config('ldap/user_name_attribute').with_value('cn')
- should contain_keystone_config('ldap/user_mail_attribute').with_value('mail')
- should contain_keystone_config('ldap/user_enabled_attribute').with_value('UserAccountControl')
- should contain_keystone_config('ldap/user_enabled_mask').with_value('2')
- should contain_keystone_config('ldap/user_enabled_default').with_value('512')
- should contain_keystone_config('ldap/user_enabled_invert').with_value('False')
- should contain_keystone_config('ldap/user_attribute_ignore').with_value('')
- should contain_keystone_config('ldap/user_default_project_id_attribute').with_value('defaultProject')
- should contain_keystone_config('ldap/user_tree_dn').with_value('cn=users,dc=example,dc=com')
- should contain_keystone_config('ldap/user_allow_create').with_value('False')
- should contain_keystone_config('ldap/user_allow_update').with_value('False')
- should contain_keystone_config('ldap/user_allow_delete').with_value('False')
- should contain_keystone_config('ldap/user_pass_attribute').with_value('krbPassword')
- should contain_keystone_config('ldap/user_enabled_emulation').with_value('True')
- should contain_keystone_config('ldap/user_enabled_emulation_dn').with_value('cn=openstack-enabled,cn=groups,cn=accounts,dc=example,dc=com')
- should contain_keystone_config('ldap/user_additional_attribute_mapping').with_value('description:name, gecos:name')
-
- # projects/tenants
- should contain_keystone_config('ldap/project_tree_dn').with_value('ou=projects,ou=openstack,dc=example,dc=com')
- should contain_keystone_config('ldap/project_filter').with_value('')
- should contain_keystone_config('ldap/project_objectclass').with_value('organizationalUnit')
- should contain_keystone_config('ldap/project_id_attribute').with_value('ou')
- should contain_keystone_config('ldap/project_member_attribute').with_value('member')
- should contain_keystone_config('ldap/project_desc_attribute').with_value('description')
- should contain_keystone_config('ldap/project_name_attribute').with_value('ou')
- should contain_keystone_config('ldap/project_enabled_attribute').with_value('enabled')
- should contain_keystone_config('ldap/project_domain_id_attribute').with_value('businessCategory')
- should contain_keystone_config('ldap/project_attribute_ignore').with_value('')
- should contain_keystone_config('ldap/project_allow_create').with_value('True')
- should contain_keystone_config('ldap/project_allow_update').with_value('True')
- should contain_keystone_config('ldap/project_allow_delete').with_value('True')
- should contain_keystone_config('ldap/project_enabled_emulation').with_value('False')
- should contain_keystone_config('ldap/project_enabled_emulation_dn').with_value('True')
- should contain_keystone_config('ldap/project_additional_attribute_mapping').with_value('cn=enabled,ou=openstack,dc=example,dc=com')
-
- # roles
- should contain_keystone_config('ldap/role_tree_dn').with_value('ou=roles,ou=openstack,dc=example,dc=com')
- should contain_keystone_config('ldap/role_filter').with_value('')
- should contain_keystone_config('ldap/role_objectclass').with_value('organizationalRole')
- should contain_keystone_config('ldap/role_id_attribute').with_value('cn')
- should contain_keystone_config('ldap/role_name_attribute').with_value('ou')
- should contain_keystone_config('ldap/role_member_attribute').with_value('roleOccupant')
- should contain_keystone_config('ldap/role_attribute_ignore').with_value('description')
- should contain_keystone_config('ldap/role_allow_create').with_value('True')
- should contain_keystone_config('ldap/role_allow_update').with_value('True')
- should contain_keystone_config('ldap/role_allow_delete').with_value('True')
- should contain_keystone_config('ldap/role_additional_attribute_mapping').with_value('')
-
- # groups
- should contain_keystone_config('ldap/group_tree_dn').with_value('ou=groups,ou=openstack,dc=example,dc=com')
- should contain_keystone_config('ldap/group_filter').with_value('cn=enabled-groups,cn=groups,cn=accounts,dc=example,dc=com')
- should contain_keystone_config('ldap/group_objectclass').with_value('organizationalRole')
- should contain_keystone_config('ldap/group_id_attribute').with_value('cn')
- should contain_keystone_config('ldap/group_member_attribute').with_value('roleOccupant')
- should contain_keystone_config('ldap/group_desc_attribute').with_value('description')
- should contain_keystone_config('ldap/group_name_attribute').with_value('cn')
- should contain_keystone_config('ldap/group_attribute_ignore').with_value('')
- should contain_keystone_config('ldap/group_allow_create').with_value('False')
- should contain_keystone_config('ldap/group_allow_update').with_value('False')
- should contain_keystone_config('ldap/group_allow_delete').with_value('False')
- should contain_keystone_config('ldap/group_additional_attribute_mapping').with_value('')
-
- # tls
- should contain_keystone_config('ldap/use_tls').with_value('False')
- should contain_keystone_config('ldap/tls_cacertdir').with_value('/etc/ssl/certs/')
- should contain_keystone_config('ldap/tls_cacertfile').with_value('/etc/ssl/certs/ca-certificates.crt')
- should contain_keystone_config('ldap/tls_req_cert').with_value('demand')
-
- # ldap pooling
- should contain_keystone_config('ldap/use_pool').with_value('True')
- should contain_keystone_config('ldap/pool_size').with_value('20')
- should contain_keystone_config('ldap/pool_retry_max').with_value('2')
- should contain_keystone_config('ldap/pool_retry_delay').with_value('0.2')
- should contain_keystone_config('ldap/pool_connection_timeout').with_value('222')
- should contain_keystone_config('ldap/pool_connection_lifetime').with_value('222')
- should contain_keystone_config('ldap/use_auth_pool').with_value('True')
- should contain_keystone_config('ldap/auth_pool_size').with_value('20')
- should contain_keystone_config('ldap/auth_pool_connection_lifetime').with_value('200')
-
- # drivers
- should contain_keystone_config('identity/driver').with_value('keystone.identity.backends.ldap.Identity')
- should contain_keystone_config('assignment/driver').with_value('keystone.assignment.backends.ldap.Assignment')
- end
- end
-
- describe 'with deprecated params' do
- let :params do
- {
- :tenant_tree_dn => 'ou=projects,ou=openstack,dc=example,dc=com',
- :tenant_filter => '',
- :tenant_objectclass => 'organizationalUnit',
- :tenant_id_attribute => 'ou',
- :tenant_member_attribute => 'member',
- :tenant_desc_attribute => 'description',
- :tenant_name_attribute => 'ou',
- :tenant_enabled_attribute => 'enabled',
- :tenant_domain_id_attribute => 'businessCategory',
- :tenant_attribute_ignore => '',
- :tenant_allow_create => 'True',
- :tenant_allow_update => 'True',
- :tenant_allow_delete => 'True',
- :tenant_enabled_emulation => 'False',
- :tenant_enabled_emulation_dn => 'True',
- :tenant_additional_attribute_mapping => 'cn=enabled,ou=openstack,dc=example,dc=com',
- }
- end
- it 'should work with deprecated params' do
- should contain_keystone_config('ldap/project_tree_dn').with_value('ou=projects,ou=openstack,dc=example,dc=com')
- should contain_keystone_config('ldap/project_filter').with_value('')
- should contain_keystone_config('ldap/project_objectclass').with_value('organizationalUnit')
- should contain_keystone_config('ldap/project_id_attribute').with_value('ou')
- should contain_keystone_config('ldap/project_member_attribute').with_value('member')
- should contain_keystone_config('ldap/project_desc_attribute').with_value('description')
- should contain_keystone_config('ldap/project_name_attribute').with_value('ou')
- should contain_keystone_config('ldap/project_enabled_attribute').with_value('enabled')
- should contain_keystone_config('ldap/project_domain_id_attribute').with_value('businessCategory')
- should contain_keystone_config('ldap/project_attribute_ignore').with_value('')
- should contain_keystone_config('ldap/project_allow_create').with_value('True')
- should contain_keystone_config('ldap/project_allow_update').with_value('True')
- should contain_keystone_config('ldap/project_allow_delete').with_value('True')
- should contain_keystone_config('ldap/project_enabled_emulation').with_value('False')
- should contain_keystone_config('ldap/project_enabled_emulation_dn').with_value('True')
- should contain_keystone_config('ldap/project_additional_attribute_mapping').with_value('cn=enabled,ou=openstack,dc=example,dc=com')
- end
- end
-
- describe 'with deprecated and new params both set' do
- let :params do
- {
- :tenant_tree_dn => 'ou=projects,ou=old-openstack,dc=example,dc=com',
- :project_tree_dn => 'ou=projects,ou=new-openstack,dc=example,dc=com',
- }
- end
- it 'should fail with deprecated and new params both set' do
- expect {
- should compile
- }.to raise_error Puppet::Error, /tenant_tree_dn and project_tree_dn are both set. results may be unexpected/
- end
- end
-end
+++ /dev/null
-require 'spec_helper'
-
-describe 'keystone::logging' do
-
- let :params do
- {
- }
- end
-
- let :log_params do
- {
- :logging_context_format_string => '%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s',
- :logging_default_format_string => '%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s',
- :logging_debug_format_suffix => '%(funcName)s %(pathname)s:%(lineno)d',
- :logging_exception_prefix => '%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s',
- :log_config_append => '/etc/keystone/logging.conf',
- :publish_errors => true,
- :default_log_levels => {
- 'amqp' => 'WARN', 'amqplib' => 'WARN', 'boto' => 'WARN',
- 'qpid' => 'WARN', 'sqlalchemy' => 'WARN', 'suds' => 'INFO',
- 'iso8601' => 'WARN',
- 'requests.packages.urllib3.connectionpool' => 'WARN' },
- :fatal_deprecations => true,
- :instance_format => '[instance: %(uuid)s] ',
- :instance_uuid_format => '[instance: %(uuid)s] ',
- :log_date_format => '%Y-%m-%d %H:%M:%S',
- }
- end
-
- shared_examples_for 'keystone-logging' do
-
- context 'with extended logging options' do
- before { params.merge!( log_params ) }
- it_configures 'logging params set'
- end
-
- context 'without extended logging options' do
- it_configures 'logging params unset'
- end
-
- end
-
- shared_examples_for 'logging params set' do
- it 'enables logging params' do
- should contain_keystone_config('DEFAULT/logging_context_format_string').with_value(
- '%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s')
-
- should contain_keystone_config('DEFAULT/logging_default_format_string').with_value(
- '%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s')
-
- should contain_keystone_config('DEFAULT/logging_debug_format_suffix').with_value(
- '%(funcName)s %(pathname)s:%(lineno)d')
-
- should contain_keystone_config('DEFAULT/logging_exception_prefix').with_value(
- '%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s')
-
- should contain_keystone_config('DEFAULT/log_config_append').with_value(
- '/etc/keystone/logging.conf')
- should contain_keystone_config('DEFAULT/publish_errors').with_value(
- true)
-
- should contain_keystone_config('DEFAULT/default_log_levels').with_value(
- 'amqp=WARN,amqplib=WARN,boto=WARN,iso8601=WARN,qpid=WARN,requests.packages.urllib3.connectionpool=WARN,sqlalchemy=WARN,suds=INFO')
-
- should contain_keystone_config('DEFAULT/fatal_deprecations').with_value(
- true)
-
- should contain_keystone_config('DEFAULT/instance_format').with_value(
- '[instance: %(uuid)s] ')
-
- should contain_keystone_config('DEFAULT/instance_uuid_format').with_value(
- '[instance: %(uuid)s] ')
-
- should contain_keystone_config('DEFAULT/log_date_format').with_value(
- '%Y-%m-%d %H:%M:%S')
- end
- end
-
-
- shared_examples_for 'logging params unset' do
- [ :logging_context_format_string, :logging_default_format_string,
- :logging_debug_format_suffix, :logging_exception_prefix,
- :log_config_append, :publish_errors,
- :default_log_levels, :fatal_deprecations,
- :instance_format, :instance_uuid_format,
- :log_date_format, ].each { |param|
- it { should contain_keystone_config("DEFAULT/#{param}").with_ensure('absent') }
- }
- end
-
- context 'on Debian platforms' do
- let :facts do
- { :osfamily => 'Debian' }
- end
-
- it_configures 'keystone-logging'
- end
-
- context 'on RedHat platforms' do
- let :facts do
- { :osfamily => 'RedHat' }
- end
-
- it_configures 'keystone-logging'
- end
-
-end
+++ /dev/null
-require 'spec_helper'
-
-describe 'keystone::policy' do
-
- shared_examples_for 'keystone policies' do
- let :params do
- {
- :policy_path => '/etc/keystone/policy.json',
- :policies => {
- 'context_is_admin' => {
- 'key' => 'context_is_admin',
- 'value' => 'foo:bar'
- }
- }
- }
- end
-
- it 'set up the policies' do
- should contain_openstacklib__policy__base('context_is_admin').with({
- :key => 'context_is_admin',
- :value => 'foo:bar'
- })
- end
- end
-
- context 'on Debian platforms' do
- let :facts do
- { :osfamily => 'Debian' }
- end
-
- it_configures 'keystone policies'
- end
-
- context 'on RedHat platforms' do
- let :facts do
- { :osfamily => 'RedHat' }
- end
-
- it_configures 'keystone policies'
- end
-end
+++ /dev/null
-require 'spec_helper'
-
-describe 'keystone::python' do
-
- let :facts do
- { :osfamily => 'Debian' }
- end
-
- it { should contain_package('python-keystone').with_ensure("present") }
-
- describe 'override ensure' do
- let(:params) { { :ensure => "latest" } }
-
- it { should contain_package('python-keystone').with_ensure("latest") }
- end
-
-end
+++ /dev/null
-require 'spec_helper'
-describe 'keystone::roles::admin' do
-
- describe 'with only the required params set' do
-
- let :params do
- {
- :email => 'foo@bar',
- :password => 'ChangeMe',
- :service_tenant => 'services'
- }
- end
-
- it { should contain_keystone_tenant('services').with(
- :ensure => 'present',
- :enabled => true,
- :description => 'Tenant for the openstack services'
- )}
- it { should contain_keystone_tenant('openstack').with(
- :ensure => 'present',
- :enabled => true,
- :description => 'admin tenant'
- )}
- it { should contain_keystone_user('admin').with(
- :ensure => 'present',
- :enabled => true,
- :tenant => 'openstack',
- :email => 'foo@bar',
- :password => 'ChangeMe',
- :ignore_default_tenant => 'false'
- )}
- it { should contain_keystone_role('admin').with_ensure('present') }
- it { should contain_keystone_user_role('admin@openstack').with(
- :roles => ['admin'],
- :ensure => 'present'
- )}
-
- end
-
- describe 'when overriding optional params' do
-
- let :params do
- {
- :admin => 'admin',
- :email => 'foo@baz',
- :password => 'foo',
- :admin_tenant => 'admin',
- :admin_roles => ['admin', 'heat_stack_owner'],
- :service_tenant => 'foobar',
- :ignore_default_tenant => 'true',
- :admin_tenant_desc => 'admin something else',
- :service_tenant_desc => 'foobar description',
- }
- end
-
- it { should contain_keystone_tenant('foobar').with(
- :ensure => 'present',
- :enabled => true,
- :description => 'foobar description'
- )}
- it { should contain_keystone_tenant('admin').with(
- :ensure => 'present',
- :enabled => true,
- :description => 'admin something else'
- )}
- it { should contain_keystone_user('admin').with(
- :ensure => 'present',
- :enabled => true,
- :tenant => 'admin',
- :email => 'foo@baz',
- :password => 'foo',
- :ignore_default_tenant => 'true'
- )}
- it { should contain_keystone_user_role('admin@admin').with(
- :roles => ['admin', 'heat_stack_owner'],
- :ensure => 'present'
- )}
-
- end
-
- describe 'when disabling user configuration' do
- before do
- let :params do
- {
- :configure_user => false
- }
- end
-
- it { should_not contain_keystone_user('keystone') }
- it { should contain_keystone_user_role('keystone@openstack') }
- end
- end
-
- describe 'when disabling user and role configuration' do
- before do
- let :params do
- {
- :configure_user => false,
- :configure_user_role => false
- }
- end
-
- it { should_not contain_keystone_user('keystone') }
- it { should_not contain_keystone_user_role('keystone@openstack') }
- end
- end
-
-end
+++ /dev/null
-require 'spec_helper'
-
-describe 'keystone::service' do
-
- describe "with default parameters" do
- it { should contain_service('keystone').with(
- :ensure => 'running',
- :enable => true,
- :hasstatus => true,
- :hasrestart => true
- ) }
- it { should_not contain_exec('validate_keystone_connection') }
- end
-
- describe "with validation on" do
- let :params do
- {
- :validate => 'true',
- :admin_token => 'admintoken'
- }
- end
-
- it { should contain_service('keystone').with(
- :ensure => 'running',
- :enable => true,
- :hasstatus => true,
- :hasrestart => true
- ) }
- it { should contain_exec('validate_keystone_connection') }
- end
-end
+++ /dev/null
-require 'spec_helper'
-
-describe 'keystone' do
-
- let :global_facts do
- {
- :processorcount => 42,
- :concat_basedir => '/var/lib/puppet/concat',
- :fqdn => 'some.host.tld'
- }
- end
-
- let :facts do
- global_facts.merge({
- :osfamily => 'Debian',
- :operatingsystem => 'Debian',
- :operatingsystemrelease => '7.0'
- })
- end
-
- default_params = {
- 'admin_token' => 'service_token',
- 'package_ensure' => 'present',
- 'public_bind_host' => '0.0.0.0',
- 'admin_bind_host' => '0.0.0.0',
- 'public_port' => '5000',
- 'admin_port' => '35357',
- 'admin_token' => 'service_token',
- 'compute_port' => '8774',
- 'verbose' => false,
- 'debug' => false,
- 'catalog_type' => 'sql',
- 'catalog_driver' => false,
- 'token_provider' => 'keystone.token.providers.uuid.Provider',
- 'token_driver' => 'keystone.token.persistence.backends.sql.Token',
- 'cache_dir' => '/var/cache/keystone',
- 'enable_ssl' => false,
- 'ssl_certfile' => '/etc/keystone/ssl/certs/keystone.pem',
- 'ssl_keyfile' => '/etc/keystone/ssl/private/keystonekey.pem',
- 'ssl_ca_certs' => '/etc/keystone/ssl/certs/ca.pem',
- 'ssl_ca_key' => '/etc/keystone/ssl/private/cakey.pem',
- 'ssl_cert_subject' => '/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost',
- 'enabled' => true,
- 'database_connection' => 'sqlite:////var/lib/keystone/keystone.db',
- 'database_idle_timeout' => '200',
- 'enable_pki_setup' => true,
- 'signing_certfile' => '/etc/keystone/ssl/certs/signing_cert.pem',
- 'signing_keyfile' => '/etc/keystone/ssl/private/signing_key.pem',
- 'signing_ca_certs' => '/etc/keystone/ssl/certs/ca.pem',
- 'signing_ca_key' => '/etc/keystone/ssl/private/cakey.pem',
- 'rabbit_host' => 'localhost',
- 'rabbit_password' => 'guest',
- 'rabbit_userid' => 'guest',
- }
-
- override_params = {
- 'package_ensure' => 'latest',
- 'public_bind_host' => '0.0.0.0',
- 'admin_bind_host' => '0.0.0.0',
- 'public_port' => '5001',
- 'admin_port' => '35358',
- 'admin_token' => 'service_token_override',
- 'compute_port' => '8778',
- 'verbose' => true,
- 'debug' => true,
- 'catalog_type' => 'template',
- 'token_provider' => 'keystone.token.providers.uuid.Provider',
- 'token_driver' => 'keystone.token.backends.kvs.Token',
- 'public_endpoint' => 'https://localhost:5000/v2.0/',
- 'admin_endpoint' => 'https://localhost:35357/v2.0/',
- 'enable_ssl' => true,
- 'ssl_certfile' => '/etc/keystone/ssl/certs/keystone.pem',
- 'ssl_keyfile' => '/etc/keystone/ssl/private/keystonekey.pem',
- 'ssl_ca_certs' => '/etc/keystone/ssl/certs/ca.pem',
- 'ssl_ca_key' => '/etc/keystone/ssl/private/cakey.pem',
- 'ssl_cert_subject' => '/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost',
- 'enabled' => false,
- 'database_connection' => 'mysql://a:b@c/d',
- 'database_idle_timeout' => '300',
- 'enable_pki_setup' => true,
- 'signing_certfile' => '/etc/keystone/ssl/certs/signing_cert.pem',
- 'signing_keyfile' => '/etc/keystone/ssl/private/signing_key.pem',
- 'signing_ca_certs' => '/etc/keystone/ssl/certs/ca.pem',
- 'signing_ca_key' => '/etc/keystone/ssl/private/cakey.pem',
- 'rabbit_host' => '127.0.0.1',
- 'rabbit_password' => 'openstack',
- 'rabbit_userid' => 'admin',
- }
-
- httpd_params = {'service_name' => 'httpd'}.merge(default_params)
-
- shared_examples_for 'core keystone examples' do |param_hash|
- it { should contain_class('keystone::params') }
-
- it { should contain_package('keystone').with(
- 'ensure' => param_hash['package_ensure'],
- 'tag' => 'openstack'
- ) }
-
- it { should contain_group('keystone').with(
- 'ensure' => 'present',
- 'system' => true
- ) }
-
- it { should contain_user('keystone').with(
- 'ensure' => 'present',
- 'gid' => 'keystone',
- 'system' => true
- ) }
-
- it 'should contain the expected directories' do
- ['/etc/keystone', '/var/log/keystone', '/var/lib/keystone'].each do |d|
- should contain_file(d).with(
- 'ensure' => 'directory',
- 'owner' => 'keystone',
- 'group' => 'keystone',
- 'mode' => '0750',
- 'require' => 'Package[keystone]'
- )
- end
- end
-
- it 'should only synchronize the db if $enabled is true' do
- if param_hash['enabled']
- should contain_exec('keystone-manage db_sync').with(
- :user => 'keystone',
- :refreshonly => true,
- :subscribe => ['Package[keystone]', 'Keystone_config[database/connection]'],
- :require => 'User[keystone]'
- )
- end
- end
-
- it 'should contain correct config' do
- [
- 'public_bind_host',
- 'admin_bind_host',
- 'public_port',
- 'admin_port',
- 'compute_port',
- 'verbose',
- 'debug'
- ].each do |config|
- should contain_keystone_config("DEFAULT/#{config}").with_value(param_hash[config])
- end
- end
-
- it 'should contain correct admin_token config' do
- should contain_keystone_config('DEFAULT/admin_token').with_value(param_hash['admin_token']).with_secret(true)
- end
-
- it 'should contain correct mysql config' do
- should contain_keystone_config('database/idle_timeout').with_value(param_hash['database_idle_timeout'])
- should contain_keystone_config('database/connection').with_value(param_hash['database_connection']).with_secret(true)
- end
-
- it { should contain_keystone_config('token/provider').with_value(
- param_hash['token_provider']
- ) }
-
- it 'should contain correct token driver' do
- should contain_keystone_config('token/driver').with_value(param_hash['token_driver'])
- end
-
- it 'should ensure proper setting of admin_endpoint and public_endpoint' do
- if param_hash['admin_endpoint']
- should contain_keystone_config('DEFAULT/admin_endpoint').with_value(param_hash['admin_endpoint'])
- else
- should contain_keystone_config('DEFAULT/admin_endpoint').with_ensure('absent')
- end
- if param_hash['public_endpoint']
- should contain_keystone_config('DEFAULT/public_endpoint').with_value(param_hash['public_endpoint'])
- else
- should contain_keystone_config('DEFAULT/public_endpoint').with_ensure('absent')
- end
- end
-
- it 'should contain correct rabbit_password' do
- should contain_keystone_config('DEFAULT/rabbit_password').with_value(param_hash['rabbit_password']).with_secret(true)
- end
- end
-
- [default_params, override_params].each do |param_hash|
- describe "when #{param_hash == default_params ? "using default" : "specifying"} class parameters for service" do
-
- let :params do
- param_hash
- end
-
- it_configures 'core keystone examples', param_hash
-
- it { should contain_service('keystone').with(
- 'ensure' => param_hash['enabled'] ? 'running' : 'stopped',
- 'enable' => param_hash['enabled'],
- 'hasstatus' => true,
- 'hasrestart' => true
- ) }
-
- end
- end
-
- describe "when using default class parameters for httpd" do
- let :params do
- httpd_params
- end
-
- let :pre_condition do
- 'include ::apache'
- end
-
- it_configures 'core keystone examples', httpd_params
-
- it do
- expect {
- should contain_service('keystone')
- }.to raise_error(RSpec::Expectations::ExpectationNotMetError, /expected that the catalogue would contain Service\[keystone\]/)
- end
-
- end
-
- describe 'with deprecated sql_connection parameter' do
- let :params do
- { :admin_token => 'service_token',
- :sql_connection => 'mysql://a:b@c/d' }
- end
-
- it { should contain_keystone_config('database/connection').with_value(params[:sql_connection]) }
- end
-
- describe 'with deprecated idle_timeout parameter' do
- let :params do
- { :admin_token => 'service_token',
- :idle_timeout => 365 }
- end
-
- it { should contain_keystone_config('database/idle_timeout').with_value(params[:idle_timeout]) }
- end
-
- describe 'when configuring signing token provider' do
-
- describe 'when configuring as UUID' do
- let :params do
- {
- 'admin_token' => 'service_token',
- 'token_provider' => 'keystone.token.providers.uuid.Provider'
- }
- end
- it { should contain_exec('keystone-manage pki_setup').with(
- :creates => '/etc/keystone/ssl/private/signing_key.pem'
- ) }
- it { should contain_file('/var/cache/keystone').with_ensure('directory') }
-
- describe 'when overriding the cache dir' do
- before do
- params.merge!(:cache_dir => '/var/lib/cache/keystone')
- end
- it { should contain_file('/var/lib/cache/keystone') }
- end
-
- describe 'when disable pki_setup' do
- before do
- params.merge!(:enable_pki_setup => false)
- end
- it { should_not contain_exec('keystone-manage pki_setup') }
- end
- end
-
- describe 'when configuring as PKI' do
- let :params do
- {
- 'admin_token' => 'service_token',
- 'token_provider' => 'keystone.token.providers.pki.Provider'
- }
- end
- it { should contain_exec('keystone-manage pki_setup').with(
- :creates => '/etc/keystone/ssl/private/signing_key.pem'
- ) }
- it { should contain_file('/var/cache/keystone').with_ensure('directory') }
-
- describe 'when overriding the cache dir' do
- before do
- params.merge!(:cache_dir => '/var/lib/cache/keystone')
- end
- it { should contain_file('/var/lib/cache/keystone') }
- end
-
- describe 'when disable pki_setup' do
- before do
- params.merge!(:enable_pki_setup => false)
- end
- it { should_not contain_exec('keystone-manage pki_setup') }
- end
- end
-
- describe 'when configuring PKI signing cert paths with UUID and with pki_setup disabled' do
- let :params do
- {
- 'admin_token' => 'service_token',
- 'token_provider' => 'keystone.token.providers.uuid.Provider',
- 'enable_pki_setup' => false,
- 'signing_certfile' => 'signing_certfile',
- 'signing_keyfile' => 'signing_keyfile',
- 'signing_ca_certs' => 'signing_ca_certs',
- 'signing_ca_key' => 'signing_ca_key',
- 'signing_cert_subject' => 'signing_cert_subject',
- 'signing_key_size' => 2048
- }
- end
-
- it { should_not contain_exec('keystone-manage pki_setup') }
-
- it 'should contain correct PKI certfile config' do
- should contain_keystone_config('signing/certfile').with_value('signing_certfile')
- end
-
- it 'should contain correct PKI keyfile config' do
- should contain_keystone_config('signing/keyfile').with_value('signing_keyfile')
- end
-
- it 'should contain correct PKI ca_certs config' do
- should contain_keystone_config('signing/ca_certs').with_value('signing_ca_certs')
- end
-
- it 'should contain correct PKI ca_key config' do
- should contain_keystone_config('signing/ca_key').with_value('signing_ca_key')
- end
-
- it 'should contain correct PKI cert_subject config' do
- should contain_keystone_config('signing/cert_subject').with_value('signing_cert_subject')
- end
-
- it 'should contain correct PKI key_size config' do
- should contain_keystone_config('signing/key_size').with_value('2048')
- end
- end
-
- describe 'when configuring PKI signing cert paths with pki_setup disabled' do
- let :params do
- {
- 'admin_token' => 'service_token',
- 'token_provider' => 'keystone.token.providers.pki.Provider',
- 'enable_pki_setup' => false,
- 'signing_certfile' => 'signing_certfile',
- 'signing_keyfile' => 'signing_keyfile',
- 'signing_ca_certs' => 'signing_ca_certs',
- 'signing_ca_key' => 'signing_ca_key',
- 'signing_cert_subject' => 'signing_cert_subject',
- 'signing_key_size' => 2048
- }
- end
-
- it { should_not contain_exec('keystone-manage pki_setup') }
-
- it 'should contain correct PKI certfile config' do
- should contain_keystone_config('signing/certfile').with_value('signing_certfile')
- end
-
- it 'should contain correct PKI keyfile config' do
- should contain_keystone_config('signing/keyfile').with_value('signing_keyfile')
- end
-
- it 'should contain correct PKI ca_certs config' do
- should contain_keystone_config('signing/ca_certs').with_value('signing_ca_certs')
- end
-
- it 'should contain correct PKI ca_key config' do
- should contain_keystone_config('signing/ca_key').with_value('signing_ca_key')
- end
-
- it 'should contain correct PKI cert_subject config' do
- should contain_keystone_config('signing/cert_subject').with_value('signing_cert_subject')
- end
-
- it 'should contain correct PKI key_size config' do
- should contain_keystone_config('signing/key_size').with_value('2048')
- end
- end
-
- describe 'with invalid catalog_type' do
- let :params do
- { :admin_token => 'service_token',
- :catalog_type => 'invalid' }
- end
-
- it_raises "a Puppet::Error", /validate_re\(\): "invalid" does not match "template|sql"/
- end
-
- describe 'when configuring catalog driver' do
- let :params do
- { :admin_token => 'service_token',
- :catalog_driver => 'keystone.catalog.backends.alien.AlienCatalog' }
- end
-
- it { should contain_keystone_config('catalog/driver').with_value(params[:catalog_driver]) }
- end
-
- describe 'when configuring deprecated token_format as UUID with enable_pki_setup' do
- let :params do
- {
- 'admin_token' => 'service_token',
- 'token_format' => 'UUID'
- }
- end
- it { should contain_exec('keystone-manage pki_setup').with(
- :creates => '/etc/keystone/ssl/private/signing_key.pem'
- ) }
- it { should contain_file('/var/cache/keystone').with_ensure('directory') }
- describe 'when overriding the cache dir' do
- let :params do
- {
- 'admin_token' => 'service_token',
- 'token_provider' => 'keystone.token.providers.pki.Provider',
- 'cache_dir' => '/var/lib/cache/keystone'
- }
- end
- it { should contain_file('/var/lib/cache/keystone') }
- end
- end
-
- describe 'when configuring deprecated token_format as UUID without enable_pki_setup' do
- let :params do
- {
- 'admin_token' => 'service_token',
- 'token_format' => 'UUID',
- 'enable_pki_setup' => false
- }
- end
- it { should_not contain_exec('keystone-manage pki_setup') }
- it { should contain_file('/var/cache/keystone').with_ensure('directory') }
- describe 'when overriding the cache dir' do
- let :params do
- {
- 'admin_token' => 'service_token',
- 'token_provider' => 'keystone.token.providers.uuid.Provider',
- 'cache_dir' => '/var/lib/cache/keystone'
- }
- end
- it { should contain_file('/var/lib/cache/keystone') }
- end
- end
-
- describe 'when configuring deprecated token_format as PKI with enable_pki_setup' do
- let :params do
- {
- 'admin_token' => 'service_token',
- 'token_format' => 'PKI',
- }
- end
- it { should contain_exec('keystone-manage pki_setup').with(
- :creates => '/etc/keystone/ssl/private/signing_key.pem'
- ) }
- it { should contain_file('/var/cache/keystone').with_ensure('directory') }
- describe 'when overriding the cache dir' do
- let :params do
- {
- 'admin_token' => 'service_token',
- 'token_provider' => 'keystone.token.providers.pki.Provider',
- 'cache_dir' => '/var/lib/cache/keystone'
- }
- end
- it { should contain_file('/var/lib/cache/keystone') }
- end
- end
-
- describe 'when configuring deprecated token_format as PKI without enable_pki_setup' do
- let :params do
- {
- 'admin_token' => 'service_token',
- 'token_format' => 'PKI',
- 'enable_pki_setup' => false
- }
- end
- it { should_not contain_exec('keystone-manage pki_setup') }
- it { should contain_file('/var/cache/keystone').with_ensure('directory') }
- describe 'when overriding the cache dir' do
- let :params do
- {
- 'admin_token' => 'service_token',
- 'token_provider' => 'keystone.token.providers.pki.Provider',
- 'cache_dir' => '/var/lib/cache/keystone'
- }
- end
- it { should contain_file('/var/lib/cache/keystone') }
- end
- end
-
- end
-
- describe 'when configuring token expiration' do
- let :params do
- {
- 'admin_token' => 'service_token',
- 'token_expiration' => '42',
- }
- end
-
- it { should contain_keystone_config("token/expiration").with_value('42') }
- end
-
- describe 'when not configuring token expiration' do
- let :params do
- {
- 'admin_token' => 'service_token',
- }
- end
-
- it { should contain_keystone_config("token/expiration").with_value('3600') }
- end
-
- describe 'configure memcache servers if set' do
- let :params do
- {
- 'admin_token' => 'service_token',
- 'memcache_servers' => [ 'SERVER1:11211', 'SERVER2:11211' ],
- 'token_driver' => 'keystone.token.backends.memcache.Token',
- 'cache_backend' => 'dogpile.cache.memcached',
- 'cache_backend_argument' => ['url:SERVER1:12211'],
- }
- end
-
- it { should contain_keystone_config("memcache/servers").with_value('SERVER1:11211,SERVER2:11211') }
- it { should contain_keystone_config('cache/enabled').with_value(true) }
- it { should contain_keystone_config('token/caching').with_value(true) }
- it { should contain_keystone_config('cache/backend').with_value('dogpile.cache.memcached') }
- it { should contain_keystone_config('cache/backend_argument').with_value('url:SERVER1:12211') }
- it { should contain_package('python-memcache').with(
- :name => 'python-memcache',
- :ensure => 'present'
- ) }
- end
-
- describe 'do not configure memcache servers when not set' do
- let :params do
- default_params
- end
-
- it { should contain_keystone_config("cache/enabled").with_ensure('absent') }
- it { should contain_keystone_config("token/caching").with_ensure('absent') }
- it { should contain_keystone_config("cache/backend").with_ensure('absent') }
- it { should contain_keystone_config("cache/backend_argument").with_ensure('absent') }
- it { should contain_keystone_config("cache/debug_cache_backend").with_ensure('absent') }
- it { should contain_keystone_config("memcache/servers").with_ensure('absent') }
- end
-
- describe 'raise error if memcache_servers is not an array' do
- let :params do
- {
- 'admin_token' => 'service_token',
- 'memcache_servers' => 'ANY_SERVER:11211'
- }
- end
-
- it { expect { should contain_class('keystone::params') }.to \
- raise_error(Puppet::Error, /is not an Array/) }
- end
-
- describe 'with syslog disabled by default' do
- let :params do
- default_params
- end
-
- it { should contain_keystone_config('DEFAULT/use_syslog').with_value(false) }
- it { should_not contain_keystone_config('DEFAULT/syslog_log_facility') }
- end
-
- describe 'with syslog enabled' do
- let :params do
- default_params.merge({
- :use_syslog => 'true',
- })
- end
-
- it { should contain_keystone_config('DEFAULT/use_syslog').with_value(true) }
- it { should contain_keystone_config('DEFAULT/syslog_log_facility').with_value('LOG_USER') }
- end
-
- describe 'with syslog enabled and custom settings' do
- let :params do
- default_params.merge({
- :use_syslog => 'true',
- :log_facility => 'LOG_LOCAL0'
- })
- end
-
- it { should contain_keystone_config('DEFAULT/use_syslog').with_value(true) }
- it { should contain_keystone_config('DEFAULT/syslog_log_facility').with_value('LOG_LOCAL0') }
- end
-
- describe 'with log_file disabled by default' do
- let :params do
- default_params
- end
- it { should contain_keystone_config('DEFAULT/log_file').with_ensure('absent') }
- end
-
- describe 'with log_file and log_dir enabled' do
- let :params do
- default_params.merge({
- :log_file => 'keystone.log',
- :log_dir => '/var/lib/keystone'
- })
- end
- it { should contain_keystone_config('DEFAULT/log_file').with_value('keystone.log') }
- it { should contain_keystone_config('DEFAULT/log_dir').with_value('/var/lib/keystone') }
- end
-
- describe 'with log_file and log_dir disabled' do
- let :params do
- default_params.merge({
- :log_file => false,
- :log_dir => false
- })
- end
- it { should contain_keystone_config('DEFAULT/log_file').with_ensure('absent') }
- it { should contain_keystone_config('DEFAULT/log_dir').with_ensure('absent') }
- end
-
- describe 'when configuring api binding with deprecated parameter' do
- let :params do
- default_params.merge({
- :bind_host => '10.0.0.2',
- })
- end
- it { should contain_keystone_config('DEFAULT/public_bind_host').with_value('10.0.0.2') }
- it { should contain_keystone_config('DEFAULT/admin_bind_host').with_value('10.0.0.2') }
- end
-
- describe 'when enabling SSL' do
- let :params do
- {
- 'admin_token' => 'service_token',
- 'enable_ssl' => true,
- 'public_endpoint' => 'https://localhost:5000/v2.0/',
- 'admin_endpoint' => 'https://localhost:35357/v2.0/',
- }
- end
- it {should contain_keystone_config('ssl/enable').with_value(true)}
- it {should contain_keystone_config('ssl/certfile').with_value('/etc/keystone/ssl/certs/keystone.pem')}
- it {should contain_keystone_config('ssl/keyfile').with_value('/etc/keystone/ssl/private/keystonekey.pem')}
- it {should contain_keystone_config('ssl/ca_certs').with_value('/etc/keystone/ssl/certs/ca.pem')}
- it {should contain_keystone_config('ssl/ca_key').with_value('/etc/keystone/ssl/private/cakey.pem')}
- it {should contain_keystone_config('ssl/cert_subject').with_value('/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost')}
- it {should contain_keystone_config('DEFAULT/public_endpoint').with_value('https://localhost:5000/v2.0/')}
- it {should contain_keystone_config('DEFAULT/admin_endpoint').with_value('https://localhost:35357/v2.0/')}
- end
- describe 'when disabling SSL' do
- let :params do
- {
- 'admin_token' => 'service_token',
- 'enable_ssl' => false,
- }
- end
- it {should contain_keystone_config('ssl/enable').with_value(false)}
- it {should contain_keystone_config('DEFAULT/public_endpoint').with_ensure('absent')}
- it {should contain_keystone_config('DEFAULT/admin_endpoint').with_ensure('absent')}
- end
- describe 'not setting notification settings by default' do
- let :params do
- default_params
- end
-
- it { should contain_keystone_config('DEFAULT/notification_driver').with_value(nil) }
- it { should contain_keystone_config('DEFAULT/notification_topics').with_vaule(nil) }
- it { should contain_keystone_config('DEFAULT/control_exchange').with_vaule(nil) }
- end
-
- describe 'with RabbitMQ communication SSLed' do
- let :params do
- default_params.merge!({
- :rabbit_use_ssl => true,
- :kombu_ssl_ca_certs => '/path/to/ssl/ca/certs',
- :kombu_ssl_certfile => '/path/to/ssl/cert/file',
- :kombu_ssl_keyfile => '/path/to/ssl/keyfile',
- :kombu_ssl_version => 'TLSv1'
- })
- end
-
- it do
- should contain_keystone_config('DEFAULT/rabbit_use_ssl').with_value('true')
- should contain_keystone_config('DEFAULT/kombu_ssl_ca_certs').with_value('/path/to/ssl/ca/certs')
- should contain_keystone_config('DEFAULT/kombu_ssl_certfile').with_value('/path/to/ssl/cert/file')
- should contain_keystone_config('DEFAULT/kombu_ssl_keyfile').with_value('/path/to/ssl/keyfile')
- should contain_keystone_config('DEFAULT/kombu_ssl_version').with_value('TLSv1')
- end
- end
-
- describe 'with RabbitMQ communication not SSLed' do
- let :params do
- default_params.merge!({
- :rabbit_use_ssl => false,
- :kombu_ssl_ca_certs => 'undef',
- :kombu_ssl_certfile => 'undef',
- :kombu_ssl_keyfile => 'undef',
- :kombu_ssl_version => 'TLSv1'
- })
- end
-
- it do
- should contain_keystone_config('DEFAULT/rabbit_use_ssl').with_value('false')
- should contain_keystone_config('DEFAULT/kombu_ssl_ca_certs').with_ensure('absent')
- should contain_keystone_config('DEFAULT/kombu_ssl_certfile').with_ensure('absent')
- should contain_keystone_config('DEFAULT/kombu_ssl_keyfile').with_ensure('absent')
- should contain_keystone_config('DEFAULT/kombu_ssl_version').with_ensure('absent')
- end
- end
-
- describe 'setting notification settings' do
- let :params do
- default_params.merge({
- :notification_driver => 'keystone.openstack.common.notifier.rpc_notifier',
- :notification_topics => 'notifications',
- :control_exchange => 'keystone'
- })
- end
-
- it { should contain_keystone_config('DEFAULT/notification_driver').with_value('keystone.openstack.common.notifier.rpc_notifier') }
- it { should contain_keystone_config('DEFAULT/notification_topics').with_value('notifications') }
- it { should contain_keystone_config('DEFAULT/control_exchange').with_value('keystone') }
- end
-
- describe 'setting sql (default) catalog' do
- let :params do
- default_params
- end
-
- it { should contain_keystone_config('catalog/driver').with_value('keystone.catalog.backends.sql.Catalog') }
- end
-
- describe 'setting default template catalog' do
- let :params do
- {
- :admin_token => 'service_token',
- :catalog_type => 'template'
- }
- end
-
- it { should contain_keystone_config('catalog/driver').with_value('keystone.catalog.backends.templated.Catalog') }
- it { should contain_keystone_config('catalog/template_file').with_value('/etc/keystone/default_catalog.templates') }
- end
-
- describe 'with overridden validation_auth_url' do
- let :params do
- {
- :admin_token => 'service_token',
- :validate_service => true,
- :validate_auth_url => 'http://some.host:35357/v2.0',
- :admin_endpoint => 'http://some.host:35357'
- }
- end
-
- it { should contain_keystone_config('DEFAULT/admin_endpoint').with_value('http://some.host:35357') }
- it { should contain_class('keystone::service').with(
- 'validate' => true,
- 'admin_endpoint' => 'http://some.host:35357/v2.0'
- )}
- end
-
- describe 'with service validation' do
- let :params do
- {
- :admin_token => 'service_token',
- :validate_service => true,
- :admin_endpoint => 'http://some.host:35357'
- }
- end
-
- it { should contain_class('keystone::service').with(
- 'validate' => true,
- 'admin_endpoint' => 'http://some.host:35357'
- )}
- end
-
- describe 'setting another template catalog' do
- let :params do
- {
- :admin_token => 'service_token',
- :catalog_type => 'template',
- :catalog_template_file => '/some/template_file'
- }
- end
-
- it { should contain_keystone_config('catalog/driver').with_value('keystone.catalog.backends.templated.Catalog') }
- it { should contain_keystone_config('catalog/template_file').with_value('/some/template_file') }
- end
-
- describe 'setting service_provider' do
- let :facts do
- global_facts.merge({
- :osfamily => 'RedHat',
- :operatingsystemrelease => '6.0'
- })
- end
-
- describe 'with default service_provider' do
- let :params do
- { 'admin_token' => 'service_token' }
- end
-
- it { should contain_service('keystone').with(
- :provider => nil
- )}
- end
-
- describe 'with overrided service_provider' do
- let :params do
- {
- 'admin_token' => 'service_token',
- 'service_provider' => 'pacemaker'
- }
- end
-
- it { should contain_service('keystone').with(
- :provider => 'pacemaker'
- )}
- end
- end
-end
+++ /dev/null
-require 'spec_helper'
-
-describe 'keystone::wsgi::apache' do
-
- let :global_facts do
- {
- :processorcount => 42,
- :concat_basedir => '/var/lib/puppet/concat',
- :fqdn => 'some.host.tld'
- }
- end
-
- let :pre_condition do
- [
- 'class { keystone: admin_token => "dummy", service_name => "httpd", enable_ssl => true }'
- ]
- end
-
- shared_examples_for 'apache serving keystone with mod_wsgi' do
- it { should contain_service('httpd').with_name(platform_parameters[:httpd_service_name]) }
- it { should contain_class('keystone::params') }
- it { should contain_class('apache') }
- it { should contain_class('apache::mod::wsgi') }
- it { should contain_class('keystone::db::sync') }
-
- describe 'with default parameters' do
-
- it { should contain_file("#{platform_parameters[:wsgi_script_path]}").with(
- 'ensure' => 'directory',
- 'owner' => 'keystone',
- 'group' => 'keystone',
- 'require' => 'Package[httpd]'
- )}
-
- it { should contain_file('keystone_wsgi_admin').with(
- 'ensure' => 'file',
- 'path' => "#{platform_parameters[:wsgi_script_path]}/admin",
- 'source' => platform_parameters[:wsgi_script_source],
- 'owner' => 'keystone',
- 'group' => 'keystone',
- 'mode' => '0644',
- 'require' => ["File[#{platform_parameters[:wsgi_script_path]}]", "Package[keystone]"]
- )}
-
- it { should contain_file('keystone_wsgi_main').with(
- 'ensure' => 'file',
- 'path' => "#{platform_parameters[:wsgi_script_path]}/main",
- 'source' => platform_parameters[:wsgi_script_source],
- 'owner' => 'keystone',
- 'group' => 'keystone',
- 'mode' => '0644',
- 'require' => ["File[#{platform_parameters[:wsgi_script_path]}]", "Package[keystone]"]
- )}
-
- it { should contain_apache__vhost('keystone_wsgi_admin').with(
- 'servername' => 'some.host.tld',
- 'ip' => nil,
- 'port' => '35357',
- 'docroot' => "#{platform_parameters[:wsgi_script_path]}",
- 'docroot_owner' => 'keystone',
- 'docroot_group' => 'keystone',
- 'ssl' => 'true',
- 'wsgi_daemon_process' => 'keystone_admin',
- 'wsgi_daemon_process_options' => {
- 'user' => 'keystone',
- 'group' => 'keystone',
- 'processes' => '1',
- 'threads' => '42',
- 'display-name' => 'keystone-admin',
- },
- 'wsgi_process_group' => 'keystone_admin',
- 'wsgi_script_aliases' => { '/' => "#{platform_parameters[:wsgi_script_path]}/admin" },
- 'require' => 'File[keystone_wsgi_admin]'
- )}
-
- it { should contain_apache__vhost('keystone_wsgi_main').with(
- 'servername' => 'some.host.tld',
- 'ip' => nil,
- 'port' => '5000',
- 'docroot' => "#{platform_parameters[:wsgi_script_path]}",
- 'docroot_owner' => 'keystone',
- 'docroot_group' => 'keystone',
- 'ssl' => 'true',
- 'wsgi_daemon_process' => 'keystone_main',
- 'wsgi_daemon_process_options' => {
- 'user' => 'keystone',
- 'group' => 'keystone',
- 'processes' => '1',
- 'threads' => '42',
- 'display-name' => 'keystone-main',
- },
- 'wsgi_process_group' => 'keystone_main',
- 'wsgi_script_aliases' => { '/' => "#{platform_parameters[:wsgi_script_path]}/main" },
- 'require' => 'File[keystone_wsgi_main]'
- )}
- it { should contain_file("#{platform_parameters[:httpd_ports_file]}") }
- end
-
- describe 'when overriding parameters using different ports' do
- let :params do
- {
- :servername => 'dummy.host',
- :bind_host => '10.42.51.1',
- :public_port => 12345,
- :admin_port => 4142,
- :ssl => false,
- :workers => 37,
- }
- end
-
- it { should contain_apache__vhost('keystone_wsgi_admin').with(
- 'servername' => 'dummy.host',
- 'ip' => '10.42.51.1',
- 'port' => '4142',
- 'docroot' => "#{platform_parameters[:wsgi_script_path]}",
- 'docroot_owner' => 'keystone',
- 'docroot_group' => 'keystone',
- 'ssl' => 'false',
- 'wsgi_daemon_process' => 'keystone_admin',
- 'wsgi_daemon_process_options' => {
- 'user' => 'keystone',
- 'group' => 'keystone',
- 'processes' => '37',
- 'threads' => '42',
- 'display-name' => 'keystone-admin',
- },
- 'wsgi_process_group' => 'keystone_admin',
- 'wsgi_script_aliases' => { '/' => "#{platform_parameters[:wsgi_script_path]}/admin" },
- 'require' => 'File[keystone_wsgi_admin]'
- )}
-
- it { should contain_apache__vhost('keystone_wsgi_main').with(
- 'servername' => 'dummy.host',
- 'ip' => '10.42.51.1',
- 'port' => '12345',
- 'docroot' => "#{platform_parameters[:wsgi_script_path]}",
- 'docroot_owner' => 'keystone',
- 'docroot_group' => 'keystone',
- 'ssl' => 'false',
- 'wsgi_daemon_process' => 'keystone_main',
- 'wsgi_daemon_process_options' => {
- 'user' => 'keystone',
- 'group' => 'keystone',
- 'processes' => '37',
- 'threads' => '42',
- 'display-name' => 'keystone-main',
- },
- 'wsgi_process_group' => 'keystone_main',
- 'wsgi_script_aliases' => { '/' => "#{platform_parameters[:wsgi_script_path]}/main" },
- 'require' => 'File[keystone_wsgi_main]'
- )}
-
- it { should contain_file("#{platform_parameters[:httpd_ports_file]}") }
- end
-
- describe 'when overriding parameters using same port' do
- let :params do
- {
- :servername => 'dummy.host',
- :public_port => 4242,
- :admin_port => 4242,
- :public_path => '/main/endpoint/',
- :admin_path => '/admin/endpoint/',
- :ssl => true,
- :workers => 37,
- }
- end
-
- it { should_not contain_apache__vhost('keystone_wsgi_admin') }
-
- it { should contain_apache__vhost('keystone_wsgi_main').with(
- 'servername' => 'dummy.host',
- 'ip' => nil,
- 'port' => '4242',
- 'docroot' => "#{platform_parameters[:wsgi_script_path]}",
- 'docroot_owner' => 'keystone',
- 'docroot_group' => 'keystone',
- 'ssl' => 'true',
- 'wsgi_daemon_process' => 'keystone_main',
- 'wsgi_daemon_process_options' => {
- 'user' => 'keystone',
- 'group' => 'keystone',
- 'processes' => '37',
- 'threads' => '42',
- 'display-name' => 'keystone-main',
- },
- 'wsgi_process_group' => 'keystone_main',
- 'wsgi_script_aliases' => {
- '/main/endpoint' => "#{platform_parameters[:wsgi_script_path]}/main",
- '/admin/endpoint' => "#{platform_parameters[:wsgi_script_path]}/admin"
- },
- 'require' => 'File[keystone_wsgi_main]'
- )}
- end
-
- describe 'when overriding parameters using same port and same path' do
- let :params do
- {
- :servername => 'dummy.host',
- :public_port => 4242,
- :admin_port => 4242,
- :public_path => '/endpoint/',
- :admin_path => '/endpoint/',
- :ssl => true,
- :workers => 37,
- }
- end
-
- it_raises 'a Puppet::Error', /When using the same port for public & private endpoints, public_path and admin_path should be different\./
- end
- end
-
- context 'on RedHat platforms' do
- let :facts do
- global_facts.merge({
- :osfamily => 'RedHat',
- :operatingsystemrelease => '6.0'
- })
- end
-
- let :platform_parameters do
- {
- :httpd_service_name => 'httpd',
- :httpd_ports_file => '/etc/httpd/conf/ports.conf',
- :wsgi_script_path => '/var/www/cgi-bin/keystone',
- :wsgi_script_source => '/usr/share/keystone/keystone.wsgi'
- }
- end
-
- it_configures 'apache serving keystone with mod_wsgi'
- end
-
- context 'on Debian platforms' do
- let :facts do
- global_facts.merge({
- :osfamily => 'Debian',
- :operatingsystem => 'Debian',
- :operatingsystemrelease => '7.0'
- })
- end
-
- let :platform_parameters do
- {
- :httpd_service_name => 'apache2',
- :httpd_ports_file => '/etc/apache2/ports.conf',
- :wsgi_script_path => '/usr/lib/cgi-bin/keystone',
- :wsgi_script_source => '/usr/share/keystone/wsgi.py'
- }
- end
-
- it_configures 'apache serving keystone with mod_wsgi'
- end
-end
+++ /dev/null
-#
-# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
-#
-# Author: Emilien Macchi <emilien.macchi@enovance.com>
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-require 'spec_helper'
-
-describe 'keystone::resource::service_identity' do
-
- let (:title) { 'neutron' }
-
- let :required_params do
- { :password => 'secrete',
- :service_type => 'network',
- :admin_url => 'http://192.168.0.1:9696',
- :internal_url => 'http://10.0.0.1:9696',
- :public_url => 'http://7.7.7.7:9696' }
- end
-
- shared_examples 'keystone::resource::service_identity examples' do
-
- context 'with only required parameters' do
- let :params do
- required_params
- end
-
- it { should contain_keystone_user(title).with(
- :ensure => 'present',
- :password => 'secrete',
- :email => 'neutron@localhost',
- :tenant => 'services',
- )}
-
- it { should contain_keystone_user_role("#{title}@services").with(
- :ensure => 'present',
- :roles => 'admin',
- )}
-
- it { should contain_keystone_service(title).with(
- :ensure => 'present',
- :type => 'network',
- :description => 'neutron service',
- )}
-
- it { should contain_keystone_endpoint("RegionOne/#{title}").with(
- :ensure => 'present',
- :public_url => 'http://7.7.7.7:9696',
- :internal_url => 'http://10.0.0.1:9696',
- :admin_url => 'http://192.168.0.1:9696',
- )}
- end
-
- context 'when omitting a required parameter password' do
- let :params do
- required_params.delete(:password)
- end
- it { expect { should raise_error(Puppet::Error) } }
- end
-
- end
-
- context 'on a Debian osfamily' do
- let :facts do
- { :osfamily => "Debian" }
- end
-
- include_examples 'keystone::resource::service_identity examples'
- end
-
- context 'on a RedHat osfamily' do
- let :facts do
- { :osfamily => 'RedHat' }
- end
-
- include_examples 'keystone::resource::service_identity examples'
- end
-end
+++ /dev/null
-shared_examples_for "a Puppet::Error" do |description|
- it "with message matching #{description.inspect}" do
- expect { should have_class_count(1) }.to raise_error(Puppet::Error, description)
- end
-end
+++ /dev/null
---format
-s
---colour
---loadby
-mtime
---backtrace
+++ /dev/null
-# Load libraries from openstacklib here to simulate how they live together in a real puppet run (for provider unit tests)
-$LOAD_PATH.push(File.join(File.dirname(__FILE__), 'fixtures', 'modules', 'openstacklib', 'lib'))
-require 'puppetlabs_spec_helper/module_spec_helper'
-require 'shared_examples'
-
-RSpec.configure do |c|
- c.alias_it_should_behave_like_to :it_configures, 'configures'
- c.alias_it_should_behave_like_to :it_raises, 'raises'
-end
-
+++ /dev/null
-require 'puppet'
-require 'spec_helper'
-require 'puppet/provider/keystone_endpoint/openstack'
-
-provider_class = Puppet::Type.type(:keystone_endpoint).provider(:openstack)
-
-describe provider_class do
-
- describe 'when updating an endpoint' do
-
- let(:endpoint_attrs) do
- {
- :name => 'foo/bar',
- :ensure => 'present',
- :public_url => 'http://127.0.0.1:5000/v2.0',
- :internal_url => 'http://127.0.0.1:5001/v2.0',
- :admin_url => 'http://127.0.0.1:5002/v2.0',
- :auth => {
- 'username' => 'test',
- 'password' => 'abc123',
- 'tenant_name' => 'foo',
- 'auth_url' => 'http://127.0.0.1:5000/v2.0',
- }
- }
- end
-
- let(:resource) do
- Puppet::Type::Keystone_endpoint.new(endpoint_attrs)
- end
-
- let(:provider) do
- provider_class.new(resource)
- end
-
- describe '#create' do
- it 'creates an endpoint' do
- provider.class.stubs(:openstack)
- .with('endpoint', 'list', '--quiet', '--format', 'csv', [['--long', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('"ID","Region","Service Name","Service Type","PublicURL","AdminURL","InternalURL"
-"1cb05cfed7c24279be884ba4f6520262","foo","bar","","http://127.0.0.1:5000/v2.0","http://127.0.0.1:5001/v2.0","http://127.0.0.1:5002/v2.0"
-')
- provider.class.stubs(:openstack)
- .with('endpoint', 'create', '--format', 'shell', [['bar', '--region', 'foo', '--publicurl', 'http://127.0.0.1:5000/v2.0', '--internalurl', 'http://127.0.0.1:5001/v2.0', '--adminurl', 'http://127.0.0.1:5002/v2.0', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('adminurl="http://127.0.0.1:5002/v2.0"
-id="3a5c4378981e4112a0d44902a43e16ef"
-internalurl="http://127.0.0.1:5001/v2.0"
-publicurl="http://127.0.0.1:5000/v2.0"
-region="foo"
-service_id="8137d72980fd462192f276585a002426"
-service_name="bar"
-service_type="test"
-')
- provider.create
- expect(provider.exists?).to be_truthy
- end
- end
-
- describe '#destroy' do
- it 'destroys an endpoint' do
- provider.class.stubs(:openstack)
- .with('endpoint', 'list', '--quiet', '--format', 'csv', [['--long', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('"ID","Region","Service Name","Service Type","PublicURL","AdminURL","InternalURL"
-"1cb05cfed7c24279be884ba4f6520262","foo","bar","","http://127.0.0.1:5000/v2.0","http://127.0.0.1:5001/v2.0","http://127.0.0.1:5002/v2.0"
-')
- provider.class.stubs(:openstack)
- .with('endpoint', 'delete', [['1cb05cfed7c24279be884ba4f6520262', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- expect(provider.destroy).to be_nil # We don't really care that it's nil, only that it runs successfully
- end
-
- end
-
- describe '#exists' do
- context 'when endpoint exists' do
-
- subject(:response) do
- provider.class.stubs(:openstack)
- .with('endpoint', 'list', '--quiet', '--format', 'csv', [['--long', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('"ID","Region","Service Name","Service Type","PublicURL","AdminURL","InternalURL"
-"1cb05cfed7c24279be884ba4f6520262","foo","bar","","http://127.0.0.1:5000/v2.0","http://127.0.0.1:5001/v2.0","http://127.0.0.1:5002/v2.0"
-')
- response = provider.exists?
- end
-
- it { is_expected.to be_truthy }
- end
-
- context 'when tenant does not exist' do
-
- subject(:response) do
- provider.class.stubs(:openstack)
- .with('endpoint', 'list', '--quiet', '--format', 'csv', [['--long', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('"ID","Region","Service Name","Service Type","PublicURL","AdminURL","InternalURL"')
- response = provider.exists?
- end
-
- it { is_expected.to be_falsey }
- end
- end
-
- describe '#instances' do
- it 'finds every tenant' do
- provider.class.stubs(:openstack)
- .with('endpoint', 'list', '--quiet', '--format', 'csv', [['--long', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('"ID","Region","Service Name","Service Type","PublicURL","AdminURL","InternalURL"
-"1cb05cfed7c24279be884ba4f6520262","foo","bar","","http://127.0.0.1:5000/v2.0","http://127.0.0.1:5001/v2.0","http://127.0.0.1:5002/v2.0"
-')
- instances = provider.instances
- expect(instances.count).to eq(1)
- end
- end
-
- end
-end
+++ /dev/null
-#
-# these tests are a little concerning b/c they are hacking around the
-# modulepath, so these tests will not catch issues that may eventually arise
-# related to loading these plugins.
-# I could not, for the life of me, figure out how to programatcally set the modulepath
-$LOAD_PATH.push(
- File.join(
- File.dirname(__FILE__),
- '..',
- '..',
- '..',
- 'fixtures',
- 'modules',
- 'inifile',
- 'lib')
-)
-require 'spec_helper'
-provider_class = Puppet::Type.type(:keystone_paste_ini).provider(:ini_setting)
-describe provider_class do
-
- it 'should allow setting to be set explicitly' do
- resource = Puppet::Type::Keystone_paste_ini.new(
- {:name => 'dude/foo', :value => 'bar'}
- )
- provider = provider_class.new(resource)
- provider.section.should == 'dude'
- provider.setting.should == 'foo'
- end
-end
+++ /dev/null
-require 'puppet'
-require 'spec_helper'
-require 'puppet/provider/keystone_role/openstack'
-
-provider_class = Puppet::Type.type(:keystone_role).provider(:openstack)
-
-describe provider_class do
-
- describe 'when creating a role' do
-
- let(:role_attrs) do
- {
- :name => 'foo',
- :ensure => 'present',
- :auth => {
- 'username' => 'test',
- 'password' => 'abc123',
- 'tenant_name' => 'foo',
- 'auth_url' => 'http://127.0.0.1:5000/v2.0',
- }
- }
- end
-
- let(:resource) do
- Puppet::Type::Keystone_role.new(role_attrs)
- end
-
- let(:provider) do
- provider_class.new(resource)
- end
-
- describe '#create' do
- it 'creates a role' do
- provider.class.stubs(:openstack)
- .with('role', 'list', '--quiet', '--format', 'csv', [['--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('"ID","Name"
-"1cb05cfed7c24279be884ba4f6520262","foo"
-')
- provider.class.stubs(:openstack)
- .with('role', 'create', '--format', 'shell', [['foo', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('name="foo"')
- provider.create
- expect(provider.exists?).to be_truthy
- end
- end
-
- describe '#destroy' do
- it 'destroys a role' do
- provider.class.stubs(:openstack)
- .with('role', 'list', '--quiet', '--format', 'csv', [['--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('"ID","Name"')
- provider.class.stubs(:openstack)
- .with('role', 'delete', [['foo', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- provider.destroy
- expect(provider.exists?).to be_falsey
- end
-
- end
-
- describe '#exists' do
- context 'when role exists' do
-
- subject(:response) do
- provider.class.stubs(:openstack)
- .with('role', 'list', '--quiet', '--format', 'csv', [['--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('"ID","Name"
-"1cb05cfed7c24279be884ba4f6520262","foo"
-')
- response = provider.exists?
- end
-
- it { is_expected.to be_truthy }
- end
-
- context 'when role does not exist' do
-
- subject(:response) do
- provider.class.stubs(:openstack)
- .with('role', 'list', '--quiet', '--format', 'csv', [['--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('"ID","Name"')
- response = provider.exists?
- end
-
- it { is_expected.to be_falsey }
- end
- end
-
- describe '#instances' do
- it 'finds every role' do
- provider.class.stubs(:openstack)
- .with('role', 'list', '--quiet', '--format', 'csv', [['--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('"ID","Name"
-"1cb05cfed7c24279be884ba4f6520262","foo"
-')
- instances = provider.instances
- expect(instances.count).to eq(1)
- end
- end
-
- end
-end
+++ /dev/null
-require 'puppet'
-require 'spec_helper'
-require 'puppet/provider/keystone_service/openstack'
-
-provider_class = Puppet::Type.type(:keystone_service).provider(:openstack)
-
-describe provider_class do
-
- describe 'when creating a service' do
-
- let(:service_attrs) do
- {
- :name => 'foo',
- :description => 'foo',
- :ensure => 'present',
- :type => 'foo',
- :auth => {
- 'username' => 'test',
- 'password' => 'abc123',
- 'tenant_name' => 'foo',
- 'auth_url' => 'http://127.0.0.1:5000/v2.0',
- }
- }
- end
-
- let(:resource) do
- Puppet::Type::Keystone_service.new(service_attrs)
- end
-
- let(:provider) do
- provider_class.new(resource)
- end
-
- describe '#create' do
- it 'creates a service' do
- provider.class.stubs(:openstack)
- .with('service', 'list', '--quiet', '--format', 'csv', [['--long', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('"ID","Name","Type","Description"
-"1cb05cfed7c24279be884ba4f6520262","foo","foo","foo"
-')
- provider.class.stubs(:openstack)
- .with('service', 'create', '--format', 'shell', [['foo', '--description', 'foo', '--type', 'foo', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('description="foo"
-enabled="True"
-id="8f0dd4c0abc44240998fbb3f5089ecbf"
-name="foo"
-type="foo"
-')
- provider.create
- expect(provider.exists?).to be_truthy
- end
- end
-
- describe '#destroy' do
- it 'destroys a service' do
- provider.class.stubs(:openstack)
- .with('service', 'list', '--quiet', '--format', 'csv', [['--long', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('"ID","Name","Type","Description"')
- provider.class.stubs(:openstack)
- .with('service', 'delete', [['foo', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- provider.destroy
- expect(provider.exists?).to be_falsey
- end
-
- end
-
- describe '#exists' do
- context 'when service exists' do
-
- subject(:response) do
- provider.class.stubs(:openstack)
- .with('service', 'list', '--quiet', '--format', 'csv', [['--long', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('"ID","Name","Type","Description"
-"1cb05cfed7c24279be884ba4f6520262","foo","foo","foo"
-')
- response = provider.exists?
- end
-
- it { is_expected.to be_truthy }
- end
-
- context 'when service does not exist' do
-
- subject(:response) do
- provider.class.stubs(:openstack)
- .with('service', 'list', '--quiet', '--format', 'csv', [['--long', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('"ID","Name","Type","Description"')
- response = provider.exists?
- end
-
- it { is_expected.to be_falsey }
- end
- end
-
- describe '#instances' do
- it 'finds every service' do
- provider.class.stubs(:openstack)
- .with('service', 'list', '--quiet', '--format', 'csv', [['--long', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('"ID","Name","Type","Description"
-"1cb05cfed7c24279be884ba4f6520262","foo","foo","foo"
-')
- instances = provider.instances
- expect(instances.count).to eq(1)
- end
- end
-
- end
-end
+++ /dev/null
-require 'puppet'
-require 'spec_helper'
-require 'puppet/provider/keystone'
-require 'tempfile'
-
-
-klass = Puppet::Provider::Keystone
-
-class Puppet::Provider::Keystone
- def self.reset
- @admin_endpoint = nil
- @tenant_hash = nil
- @admin_token = nil
- @keystone_file = nil
- end
-end
-
-describe Puppet::Provider::Keystone do
-
- after :each do
- klass.reset
- end
-
-
- describe 'when retrieving the security token' do
-
- it 'should return nothing if there is no keystone config file' do
- ini_file = Puppet::Util::IniConfig::File.new
- t = Tempfile.new('foo')
- path = t.path
- t.unlink
- ini_file.read(path)
- expect(klass.get_admin_token).to be_nil
- end
-
- it 'should return nothing if the keystone config file does not have a DEFAULT section' do
- mock = {}
- Puppet::Util::IniConfig::File.expects(:new).returns(mock)
- mock.expects(:read).with('/etc/keystone/keystone.conf')
- expect(klass.get_admin_token).to be_nil
- end
-
- it 'should fail if the keystone config file does not contain an admin token' do
- mock = {'DEFAULT' => {'not_a_token' => 'foo'}}
- Puppet::Util::IniConfig::File.expects(:new).returns(mock)
- mock.expects(:read).with('/etc/keystone/keystone.conf')
- expect(klass.get_admin_token).to be_nil
- end
-
- it 'should parse the admin token if it is in the config file' do
- mock = {'DEFAULT' => {'admin_token' => 'foo'}}
- Puppet::Util::IniConfig::File.expects(:new).returns(mock)
- mock.expects(:read).with('/etc/keystone/keystone.conf')
- klass.get_admin_token.should == 'foo'
- end
-
- it 'should use the specified bind_host in the admin endpoint' do
- mock = {'DEFAULT' => {'admin_bind_host' => '192.168.56.210', 'admin_port' => '35357' }}
- Puppet::Util::IniConfig::File.expects(:new).returns(mock)
- mock.expects(:read).with('/etc/keystone/keystone.conf')
- klass.get_admin_endpoint.should == 'http://192.168.56.210:35357/v2.0/'
- end
-
- it 'should use localhost in the admin endpoint if bind_host is 0.0.0.0' do
- mock = {'DEFAULT' => { 'admin_bind_host' => '0.0.0.0', 'admin_port' => '35357' }}
- Puppet::Util::IniConfig::File.expects(:new).returns(mock)
- mock.expects(:read).with('/etc/keystone/keystone.conf')
- klass.get_admin_endpoint.should == 'http://127.0.0.1:35357/v2.0/'
- end
-
- it 'should use [::1] in the admin endpoint if bind_host is ::0' do
- mock = {'DEFAULT' => { 'admin_bind_host' => '::0', 'admin_port' => '35357' }}
- Puppet::Util::IniConfig::File.expects(:new).returns(mock)
- mock.expects(:read).with('/etc/keystone/keystone.conf')
- klass.get_admin_endpoint.should == 'http://[::1]:35357/v2.0/'
- end
-
- it 'should use localhost in the admin endpoint if bind_host is unspecified' do
- mock = {'DEFAULT' => { 'admin_port' => '35357' }}
- Puppet::Util::IniConfig::File.expects(:new).returns(mock)
- mock.expects(:read).with('/etc/keystone/keystone.conf')
- klass.get_admin_endpoint.should == 'http://127.0.0.1:35357/v2.0/'
- end
-
- it 'should use https if ssl is enabled' do
- mock = {'DEFAULT' => {'admin_bind_host' => '192.168.56.210', 'admin_port' => '35357' }, 'ssl' => {'enable' => 'True'}}
- Puppet::Util::IniConfig::File.expects(:new).returns(mock)
- mock.expects(:read).with('/etc/keystone/keystone.conf')
- klass.get_admin_endpoint.should == 'https://192.168.56.210:35357/v2.0/'
- end
-
- it 'should use http if ssl is disabled' do
- mock = {'DEFAULT' => {'admin_bind_host' => '192.168.56.210', 'admin_port' => '35357' }, 'ssl' => {'enable' => 'False'}}
- Puppet::Util::IniConfig::File.expects(:new).returns(mock)
- mock.expects(:read).with('/etc/keystone/keystone.conf')
- klass.get_admin_endpoint.should == 'http://192.168.56.210:35357/v2.0/'
- end
-
- it 'should use the defined admin_endpoint if available' do
- mock = {'DEFAULT' => {'admin_endpoint' => 'https://keystone.example.com' }, 'ssl' => {'enable' => 'False'}}
- Puppet::Util::IniConfig::File.expects(:new).returns(mock)
- mock.expects(:read).with('/etc/keystone/keystone.conf')
- klass.get_admin_endpoint.should == 'https://keystone.example.com/v2.0/'
- end
-
- it 'should handle an admin_endpoint with a trailing slash' do
- mock = {'DEFAULT' => {'admin_endpoint' => 'https://keystone.example.com/' }, 'ssl' => {'enable' => 'False'}}
- Puppet::Util::IniConfig::File.expects(:new).returns(mock)
- mock.expects(:read).with('/etc/keystone/keystone.conf')
- klass.get_admin_endpoint.should == 'https://keystone.example.com/v2.0/'
- end
-
- end
-
-end
+++ /dev/null
-require 'puppet'
-require 'spec_helper'
-require 'puppet/provider/keystone_tenant/openstack'
-
-provider_class = Puppet::Type.type(:keystone_tenant).provider(:openstack)
-
-describe provider_class do
-
- describe 'when updating a tenant' do
-
- let(:tenant_attrs) do
- {
- :name => 'foo',
- :description => 'foo',
- :ensure => 'present',
- :enabled => 'True',
- :auth => {
- 'username' => 'test',
- 'password' => 'abc123',
- 'tenant_name' => 'foo',
- 'auth_url' => 'http://127.0.0.1:5000/v2.0',
- }
- }
- end
-
- let(:resource) do
- Puppet::Type::Keystone_tenant.new(tenant_attrs)
- end
-
- let(:provider) do
- provider_class.new(resource)
- end
-
- describe '#create' do
- it 'creates a tenant' do
- provider.class.stubs(:openstack)
- .with('project', 'list', '--quiet', '--format', 'csv', [['--long', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('"ID","Name","Description","Enabled"
-"1cb05cfed7c24279be884ba4f6520262","foo","foo",True
-')
- provider.class.stubs(:openstack)
- .with('project', 'create', '--format', 'shell', [['foo', '--enable', '--description', 'foo', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('description="foo"
-enabled="True"
-name="foo"
-')
- provider.create
- expect(provider.exists?).to be_truthy
- end
- end
-
- describe '#destroy' do
- it 'destroys a tenant' do
- provider.class.stubs(:openstack)
- .with('project', 'list', '--quiet', '--format', 'csv', [['--long', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('"ID","Name","Description","Enabled"')
- provider.class.stubs(:openstack)
- .with('project', 'delete', [['foo', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- provider.destroy
- expect(provider.exists?).to be_falsey
- end
-
- end
-
- describe '#exists' do
- context 'when tenant exists' do
-
- subject(:response) do
- provider.class.stubs(:openstack)
- .with('project', 'list', '--quiet', '--format', 'csv', [['--long', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('"ID","Name","Description","Enabled"
-"1cb05cfed7c24279be884ba4f6520262","foo","foo",True
-')
- response = provider.exists?
- end
-
- it { is_expected.to be_truthy }
- end
-
- context 'when tenant does not exist' do
-
- subject(:response) do
- provider.class.stubs(:openstack)
- .with('project', 'list', '--quiet', '--format', 'csv', [['--long', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('"ID","Name","Description","Enabled"')
- response = provider.exists?
- end
-
- it { is_expected.to be_falsey }
- end
- end
-
- describe '#instances' do
- it 'finds every tenant' do
- provider.class.stubs(:openstack)
- .with('project', 'list', '--quiet', '--format', 'csv', [['--long', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('"ID","Name","Description","Enabled"
-"1cb05cfed7c24279be884ba4f6520262","foo","foo",True
-')
- instances = provider.instances
- expect(instances.count).to eq(1)
- end
- end
-
- end
-end
+++ /dev/null
-require 'puppet'
-require 'spec_helper'
-require 'puppet/provider/keystone_user/openstack'
-
-provider_class = Puppet::Type.type(:keystone_user).provider(:openstack)
-
-describe provider_class do
-
- let(:user_attrs) do
- {
- :name => 'foo',
- :ensure => 'present',
- :enabled => 'True',
- :password => 'foo',
- :tenant => 'foo',
- :email => 'foo@example.com',
- :auth => {
- 'username' => 'test',
- 'password' => 'abc123',
- 'tenant_name' => 'foo',
- 'auth_url' => 'http://127.0.0.1:5000/v2.0',
- }
- }
- end
-
- let(:resource) do
- Puppet::Type::Keystone_user.new(user_attrs)
- end
-
- let(:provider) do
- provider_class.new(resource)
- end
-
- describe 'when updating a user' do
-
- describe '#create' do
- it 'creates a user' do
- provider.class.stubs(:openstack)
- .with('user', 'list', '--quiet', '--format', 'csv', [['--long', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('"ID","Name","Project","Email","Enabled"
-"1cb05cfed7c24279be884ba4f6520262","foo","foo","foo@example.com",True
-')
- provider.class.stubs(:openstack)
- .with('user', 'create', '--format', 'shell', [['foo', '--enable', '--password', 'foo', '--project', 'foo', '--email', 'foo@example.com', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('email="foo@example.com"
-enabled="True"
-id="12b23f07d4a3448d8189521ab09610b0"
-name="foo"
-project_id="5e2001b2248540f191ff22627dc0c2d7"
-username="foo"
-')
- provider.create
- expect(provider.exists?).to be_truthy
- end
- end
-
- describe '#destroy' do
- it 'destroys a user' do
- provider.class.stubs(:openstack)
- .with('user', 'list', '--quiet', '--format', 'csv', [['--long', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('"ID","Name","Project","Email","Enabled"')
- provider.class.stubs(:openstack)
- .with('user', 'delete', [['foo', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- provider.destroy
- expect(provider.exists?).to be_falsey
- end
-
- end
-
- describe '#exists' do
- context 'when user exists' do
-
- subject(:response) do
- provider.class.stubs(:openstack)
- .with('user', 'list', '--quiet', '--format', 'csv', [['--long', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('"ID","Name","Project","Email","Enabled"
-"1cb05cfed7c24279be884ba4f6520262","foo","foo","foo@example.com",True
-')
- response = provider.exists?
- end
-
- it { is_expected.to be_truthy }
- end
-
- context 'when user does not exist' do
-
- subject(:response) do
- provider.class.stubs(:openstack)
- .with('user', 'list', '--quiet', '--format', 'csv', [['--long', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('"ID","Name","Project","Email","Enabled"')
- response = provider.exists?
- end
-
- it { is_expected.to be_falsey }
- end
- end
-
- describe '#instances' do
- it 'finds every user' do
- provider.class.stubs(:openstack)
- .with('user', 'list', '--quiet', '--format', 'csv', [['--long', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('"ID","Name","Project","Email","Enabled"
-"1cb05cfed7c24279be884ba4f6520262","foo","foo","foo@example.com",True
-')
- instances = provider.instances
- expect(instances.count).to eq(1)
- end
- end
-
- describe '#tenant' do
- it 'gets the tenant with default backend' do
- provider.class.stubs(:openstack)
- .with('user', 'list', '--quiet', '--format', 'csv', [['--long', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('"ID","Name","Project","Email","Enabled"
-"1cb05cfed7c24279be884ba4f6520262","foo","foo","foo@example.com",True
-')
- tenant = provider.tenant
- expect(tenant).to eq('foo')
- end
- it 'gets the tenant with LDAP backend' do
- provider.class.stubs(:openstack)
- .with('user', 'list', '--quiet', '--format', 'csv', [['--long', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('"ID","Name","Project","Email","Enabled"
-"1cb05cfed7c24279be884ba4f6520262","foo","","foo@example.com",True
-')
- provider.class.expects(:openstack)
- .with('user role', 'list', '--quiet', '--format', 'csv', [['foo', '--project', 'foo', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('"ID","Name","Project","User"
-"1cb05cfed7c24279be884ba4f6520262","foo","foo","foo"
-')
- tenant = provider.tenant
- expect(tenant).to eq('foo')
- end
- end
- describe '#tenant=' do
- context 'when using default backend' do
- it 'sets the tenant' do
- provider.class.expects(:openstack)
- .with('user', 'set', [['foo', '--project', 'bar', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- provider.class.expects(:openstack)
- .with('user role', 'list', '--quiet', '--format', 'csv', [['foo', '--project', 'bar', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('"ID","Name","Project","User"
-"1cb05cfed7c24279be884ba4f6520262","foo","foo","foo"
-')
- provider.tenant=('bar')
- end
- end
- context 'when using LDAP read-write backend' do
- it 'sets the tenant when _member_ role exists' do
- provider.class.expects(:openstack)
- .with('user', 'set', [['foo', '--project', 'bar', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- provider.class.expects(:openstack)
- .with('user role', 'list', '--quiet', '--format', 'csv', [['foo', '--project', 'bar', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('')
- provider.class.expects(:openstack)
- .with('role', 'show', '--format', 'shell', [['_member_', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('name="_member_"')
- provider.class.expects(:openstack)
- .with('role', 'add', [['_member_', '--project', 'bar', '--user', 'foo', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- provider.tenant=('bar')
- end
- it 'sets the tenant when _member_ role does not exist' do
- provider.class.expects(:openstack)
- .with('user', 'set', [['foo', '--project', 'bar', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- provider.class.expects(:openstack)
- .with('user role', 'list', '--quiet', '--format', 'csv', [['foo', '--project', 'bar', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('')
- provider.class.expects(:openstack)
- .with('role', 'show', '--format', 'shell', [['_member_', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .raises(Puppet::ExecutionFailure, 'no such role _member_')
- provider.class.expects(:openstack)
- .with('role', 'create', '--format', 'shell', [['_member_', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('name="_member_"')
- provider.class.expects(:openstack)
- .with('role', 'add', [['_member_', '--project', 'bar', '--user', 'foo', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- provider.tenant=('bar')
- end
- end
- context 'when using LDAP read-only backend' do
- it 'sets the tenant when _member_ role exists' do
- provider.class.expects(:openstack)
- .with('user', 'set', [['foo', '--project', 'bar', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .raises(Puppet::ExecutionFailure, 'You are not authorized to perform the requested action: LDAP user update')
- provider.class.expects(:openstack)
- .with('user role', 'list', '--quiet', '--format', 'csv', [['foo', '--project', 'bar', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('')
- provider.class.expects(:openstack)
- .with('role', 'show', '--format', 'shell', [['_member_', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('name="_member_"')
- provider.class.expects(:openstack)
- .with('role', 'add', [['_member_', '--project', 'bar', '--user', 'foo', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- provider.tenant=('bar')
- end
- it 'sets the tenant and gets an unexpected exception message' do
- provider.class.expects(:openstack)
- .with('user', 'set', [['foo', '--project', 'bar', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .raises(Puppet::ExecutionFailure, 'unknown error message')
- expect{ provider.tenant=('bar') }.to raise_error(Puppet::ExecutionFailure, /unknown error message/)
- end
- end
- end
-
- end
-
- describe "#password" do
- let(:user_attrs) do
- {
- :name => 'foo',
- :ensure => 'present',
- :enabled => 'True',
- :password => 'foo',
- :tenant => 'foo',
- :email => 'foo@example.com',
- :auth => {
- 'username' => 'test',
- 'password' => 'abc123',
- 'tenant_name' => 'foo',
- 'auth_url' => 'https://127.0.0.1:5000/v2.0',
- }
- }
- end
-
- it 'checks the password with HTTPS' do
- httpobj = mock('Net::HTTP')
- httpobj.stubs(:use_ssl=).with(true)
- httpobj.stubs(:verify_mode=)
- Net::HTTP.stubs(:start).returns(httpobj)
- reqobj = mock('Net::HTTP::Post')
- reqobj.stubs(:body=)
- reqobj.stubs(:content_type=)
- Net::HTTP::Post.stubs(:start).returns(reqobj)
- respobj = mock('Net::HTTPResponse')
- respobj.stubs(:code).returns('200')
- httpobj.stubs(:request).returns(respobj)
- password = provider.password
- expect(password).to eq('foo')
- end
- it 'fails the password check with HTTPS' do
- httpobj = mock('Net::HTTP')
- httpobj.stubs(:use_ssl=).with(true)
- httpobj.stubs(:verify_mode=)
- Net::HTTP.stubs(:start).returns(httpobj)
- reqobj = mock('Net::HTTP::Post')
- reqobj.stubs(:body=)
- reqobj.stubs(:content_type=)
- Net::HTTP::Post.stubs(:start).returns(reqobj)
- respobj = mock('Net::HTTPResponse')
- respobj.stubs(:code).returns('401')
- httpobj.stubs(:request).returns(respobj)
- password = provider.password
- expect(password).to eq(nil)
- end
-
- describe 'when updating a user with unmanaged password' do
-
- let(:user_attrs) do
- {
- :name => 'foo',
- :ensure => 'present',
- :enabled => 'True',
- :password => 'foo',
- :replace_password => 'False',
- :tenant => 'foo',
- :email => 'foo@example.com',
- :auth => {
- 'username' => 'test',
- 'password' => 'abc123',
- 'tenant_name' => 'foo',
- 'auth_url' => 'http://127.0.0.1:5000/v2.0',
- }
- }
- end
-
- let(:resource) do
- Puppet::Type::Keystone_user.new(user_attrs)
- end
-
- let :provider do
- provider_class.new(resource)
- end
-
- it 'should not try to check password' do
- expect(provider.password).to eq('foo')
- end
- end
-
- end
-end
+++ /dev/null
-require 'puppet'
-require 'spec_helper'
-require 'puppet/provider/keystone_user_role/openstack'
-
-provider_class = Puppet::Type.type(:keystone_user_role).provider(:openstack)
-
-describe provider_class do
-
- describe 'when updating a user\'s role' do
-
- let(:user_role_attrs) do
- {
- :name => 'foo@example.com@foo',
- :ensure => 'present',
- :roles => ['foo', 'bar'],
- :auth => {
- 'username' => 'test',
- 'password' => 'abc123',
- 'tenant_name' => 'foo',
- 'auth_url' => 'http://127.0.0.1:5000/v2.0',
- }
- }
- end
-
- let(:resource) do
- Puppet::Type::Keystone_user_role.new(user_role_attrs)
- end
-
- let(:provider) do
- provider_class.new(resource)
- end
-
- before(:each) do
- provider.class.stubs(:openstack)
- .with('user', 'list', '--quiet', '--format', 'csv', [['--project', 'foo', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('"ID","Name"
-"1cb05cfed7c24279be884ba4f6520262","foo@example.com"
-')
- provider.class.stubs(:openstack)
- .with('project', 'list', '--quiet', '--format', 'csv', [['--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('"ID","Name"
-"1cb05cfed7c24279be884ba4f6520262","foo"
-')
- end
-
- describe '#create' do
- it 'adds all the roles to the user' do
- provider.class.stubs(:openstack)
- .with('user role', 'list', '--quiet', '--format', 'csv', [['--project', 'foo', 'foo@example.com', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('"ID","Name","Project","User"
-"1cb05cfed7c24279be884ba4f6520262","foo","foo","foo@example.com"
-"1cb05cfed7c24279be884ba4f6520263","bar","foo","foo@example.com"
-')
- provider.class.stubs(:openstack)
- .with('role', 'add', [['foo', '--project', 'foo', '--user', 'foo@example.com', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- provider.class.stubs(:openstack)
- .with('role', 'add', [['bar', '--project', 'foo', '--user', 'foo@example.com', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- provider.create
- expect(provider.exists?).to be_truthy
- end
- end
-
- describe '#destroy' do
- it 'removes all the roles from a user' do
- provider.class.stubs(:openstack)
- .with('user role', 'list', '--quiet', '--format', 'csv', [['--project', 'foo', 'foo@example.com', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('"ID","Name","Project","User"')
- provider.class.stubs(:openstack)
- .with('role', 'remove', [['foo', '--project', 'foo', '--user', 'foo@example.com', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- provider.class.stubs(:openstack)
- .with('role', 'remove', [['bar', '--project', 'foo', '--user', 'foo@example.com', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- provider.destroy
- expect(provider.exists?).to be_falsey
- end
-
- end
-
- describe '#exists' do
- subject(:response) do
- provider.class.stubs(:openstack)
- .with('user role', 'list', '--quiet', '--format', 'csv', [['--project', 'foo', 'foo@example.com', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'foo', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('"ID","Name","Project","User"
-"1cb05ed7c24279be884ba4f6520262","foo","foo","foo@example.com"
-"1cb05ed7c24279be884ba4f6520262","bar","foo","foo@example.com"
-')
- response = provider.exists?
- end
-
- it { is_expected.to be_truthy }
-
- end
-
- end
-end
+++ /dev/null
-# TODO: This should be extracted into openstacklib during the Kilo cycle
-# Load libraries from aviator here to simulate how they live together in a real puppet run
-$LOAD_PATH.push(File.join(File.dirname(__FILE__), '..', '..', 'fixtures', 'modules', 'aviator', 'lib'))
-require 'puppet'
-require 'spec_helper'
-require 'puppet/provider/openstack'
-
-
-describe Puppet::Provider::Openstack do
-
- before(:each) do
- ENV['OS_USERNAME'] = nil
- ENV['OS_PASSWORD'] = nil
- ENV['OS_TENANT_NAME'] = nil
- ENV['OS_AUTH_URL'] = nil
- end
-
- let(:type) do
- Puppet::Type.newtype(:test_resource) do
- newparam(:name, :namevar => true)
- newparam(:auth)
- newparam(:log_file)
- end
- end
-
- shared_examples 'authenticating with environment variables' do
- it 'makes a successful request' do
- ENV['OS_USERNAME'] = 'test'
- ENV['OS_PASSWORD'] = 'abc123'
- ENV['OS_TENANT_NAME'] = 'test'
- ENV['OS_AUTH_URL'] = 'http://127.0.0.1:35357/v2.0'
- if provider.class == Class
- provider.stubs(:openstack)
- .with('project', 'list', '--quiet', '--format', 'csv', [[ '--long' ]])
- .returns('"ID","Name","Description","Enabled"
-"1cb05cfed7c24279be884ba4f6520262","test","Test tenant",True
-')
- else
- provider.class.stubs(:openstack)
- .with('project', 'list', '--quiet', '--format', 'csv', [[ '--long' ]])
- .returns('"ID","Name","Description","Enabled"
-"1cb05cfed7c24279be884ba4f6520262","test","Test tenant",True
-')
- end
- response = provider.request('project', 'list', nil, nil, '--long' )
- expect(response.first[:description]).to match /Test tenant/
- end
- end
-
- shared_examples 'it has no credentials' do
- it 'fails to authenticate' do
- expect{ provider.request('project', 'list', nil, nil, '--long') }.to raise_error(Puppet::Error::OpenstackAuthInputError, /No credentials provided/)
- end
- end
-
- describe '#request' do
-
- context 'with valid password credentials in parameters' do
- let(:resource_attrs) do
- {
- :name => 'stubresource',
- :auth => {
- 'username' => 'test',
- 'password' => 'abc123',
- 'tenant_name' => 'test',
- 'auth_url' => 'http://127.0.0.1:5000/v2.0',
- }
- }
- end
- let(:provider) do
- Puppet::Provider::Openstack.new(type.new(resource_attrs))
- end
-
- it 'makes a successful request' do
- provider.class.stubs(:openstack)
- .with('project', 'list', '--quiet', '--format', 'csv', [['--long', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'test', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('"ID","Name","Description","Enabled"
-"1cb05cfed7c24279be884ba4f6520262","test","Test tenant",True
-')
- response = provider.request('project', 'list', nil, resource_attrs[:auth], '--long')
- expect(response.first[:description]).to match /Test tenant/
- end
- end
-
- context 'with valid openrc file in parameters' do
- mock = "export OS_USERNAME='test'\nexport OS_PASSWORD='abc123'\nexport OS_TENANT_NAME='test'\nexport OS_AUTH_URL='http://127.0.0.1:5000/v2.0'"
- let(:resource_attrs) do
- {
- :name => 'stubresource',
- :auth => {
- 'openrc' => '/root/openrc'
- }
- }
- end
- let(:provider) do
- Puppet::Provider::Openstack.new(type.new(resource_attrs))
- end
-
- it 'makes a successful request' do
- File.expects(:open).with('/root/openrc').returns(StringIO.new(mock))
- provider.class.stubs(:openstack)
- .with('project', 'list', '--quiet', '--format', 'csv', [['--long', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'test', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('"ID","Name","Description","Enabled"
-"1cb05cfed7c24279be884ba4f6520262","test","Test tenant",True
-')
- response = provider.request('project', 'list', nil, resource_attrs[:auth], '--long')
- expect(response.first[:description]).to match /Test tenant/
- end
- end
-
- context 'with valid service token in parameters' do
- let(:resource_attrs) do
- {
- :name => 'stubresource',
- :auth => {
- 'token' => 'secrettoken',
- 'auth_url' => 'http://127.0.0.1:5000/v2.0'
- }
- }
- end
- let(:provider) do
- Puppet::Provider::Openstack.new(type.new(resource_attrs))
- end
-
- it 'makes a successful request' do
- provider.class.stubs(:openstack)
- .with('project', 'list', '--quiet', '--format', 'csv', [['--long', '--os-token', 'secrettoken', '--os-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('"ID","Name","Description","Enabled"
-"1cb05cfed7c24279be884ba4f6520262","test","Test tenant",True
-')
- response = provider.request('project', 'list', nil, resource_attrs[:auth], '--long')
- expect(response.first[:description]).to match /Test tenant/
- end
-
- it 'makes a successful show request' do
- provider.class.stubs(:openstack)
- .with('project', 'show', '--format', 'shell', [['test', '--os-token', 'secrettoken', '--os-url', 'http://127.0.0.1:5000/v2.0']])
- .returns('ID="1cb05cfed7c24279be884ba4f6520262"
-Name="test"
-Description="Test Tenant"
-Enabled="True"
-')
- response = provider.request('project', 'show', 'test', resource_attrs[:auth])
- expect(response[:description]).to match /Test Tenant/
- expect(response[:id]).to match /1cb05cfed7c24279be884ba4f6520262/
- expect(response[:name]).to match /test/
- expect(response[:enabled]).to match /True/
- end
-
- end
-
- context 'with valid password credentials in environment variables' do
- it_behaves_like 'authenticating with environment variables' do
- let(:resource_attrs) do
- {
- :name => 'stubresource',
- }
- end
- let(:provider) do
- Puppet::Provider::Openstack.new(type.new(resource_attrs))
- end
- end
- end
-
- context 'with no valid credentials' do
- it_behaves_like 'it has no credentials' do
- let(:resource_attrs) do
- {
- :name => 'stubresource',
- }
- end
- let(:provider) do
- Puppet::Provider::Openstack.new(type.new(resource_attrs))
- end
- end
- end
-
- context 'it retries on connection errors' do
- let(:resource_attrs) do
- {
- :name => 'stubresource',
- :auth => {
- 'username' => 'test',
- 'password' => 'abc123',
- 'tenant_name' => 'test',
- 'auth_url' => 'http://127.0.0.1:5000/v2.0',
- }
- }
- end
- let(:provider) do
- Puppet::Provider::Openstack.new(type.new(resource_attrs))
- end
- it 'retries' do
- provider.class.stubs(:openstack)
- .with('project', 'list', '--quiet', '--format', 'csv', [['--long', '--os-username', 'test', '--os-password', 'abc123', '--os-tenant-name', 'test', '--os-auth-url', 'http://127.0.0.1:5000/v2.0']])
- .raises(Puppet::ExecutionFailure, 'Unable to establish connection')
- .then
- .returns('')
- provider.class.expects(:sleep).with(2).returns(nil)
- provider.request('project', 'list', nil, resource_attrs[:auth], '--long')
- end
- end
- end
-
-
- describe '::request' do
-
- context 'with valid password credentials in environment variables' do
- it_behaves_like 'authenticating with environment variables' do
- let(:resource_attrs) do
- {
- :name => 'stubresource',
- }
- end
- let(:provider) do
- Puppet::Provider::Openstack.dup
- end
- end
- end
-
- context 'with no valid credentials' do
- it_behaves_like 'it has no credentials' do
- let(:provider) { Puppet::Provider::Openstack.dup }
- end
- end
-
- end
-
- describe 'parse_csv' do
- context 'with mixed stderr' do
- text = "ERROR: Testing\n\"field\",\"test\",1,2,3\n"
- csv = Puppet::Provider::Openstack.parse_csv(text)
- it 'should ignore non-CSV text at the beginning of the input' do
- expect(csv).to be_kind_of(Array)
- expect(csv[0]).to match_array(['field', 'test', '1', '2', '3'])
- expect(csv.size).to eq(1)
- end
- end
-
- context 'with \r\n line endings' do
- text = "ERROR: Testing\r\n\"field\",\"test\",1,2,3\r\n"
- csv = Puppet::Provider::Openstack.parse_csv(text)
- it 'ignore the carriage returns' do
- expect(csv).to be_kind_of(Array)
- expect(csv[0]).to match_array(['field', 'test', '1', '2', '3'])
- expect(csv.size).to eq(1)
- end
- end
-
- context 'with embedded newlines' do
- text = "ERROR: Testing\n\"field\",\"te\nst\",1,2,3\n"
- csv = Puppet::Provider::Openstack.parse_csv(text)
- it 'should parse correctly' do
- expect(csv).to be_kind_of(Array)
- expect(csv[0]).to match_array(['field', "te\nst", '1', '2', '3'])
- expect(csv.size).to eq(1)
- end
- end
- end
-
-end
+++ /dev/null
-describe Puppet::Type.type(:keystone_endpoint) do
-
- it 'should fail when the namevar does not contain a region' do
- expect do
- Puppet::Type.type(:keystone_endpoint).new(:name => 'foo')
- end.to raise_error(Puppet::Error, /Invalid value/)
- end
-
-end
+++ /dev/null
-require 'spec_helper'
-# this hack is required for now to ensure that the path is set up correctly
-# to retrive the parent provider
-$LOAD_PATH.push(
- File.join(
- File.dirname(__FILE__),
- '..',
- '..',
- 'fixtures',
- 'modules',
- 'inifile',
- 'lib')
-)
-require 'puppet/type/keystone_paste_ini'
-describe 'Puppet::Type.type(:keystone_paste_ini)' do
- before :each do
- @keystone_paste_ini = Puppet::Type.type(:keystone_paste_ini).new(:name => 'DEFAULT/foo', :value => 'bar')
- end
- it 'should accept a valid value' do
- @keystone_paste_ini[:value] = 'bar'
- @keystone_paste_ini[:value].should == 'bar'
- end
-end
+++ /dev/null
-require 'spec_helper'
-require 'puppet'
-require 'puppet/type/keystone_user_role'
-
-describe Puppet::Type.type(:keystone_user_role) do
-
- before :each do
- @user_roles = Puppet::Type.type(:keystone_user_role).new(
- :name => 'foo@bar',
- :roles => ['a', 'b']
- )
-
- @roles = @user_roles.parameter('roles')
- end
-
- it 'should not be in sync for' do
- expect(@roles.insync?(['a', 'b', 'c'])).to be false
- expect(@roles.insync?('a')).to be false
- expect(@roles.insync?(['a'])).to be false
- expect(@roles.insync?(nil)).to be false
- end
-
- it 'should be in sync for' do
- expect(@roles.insync?(['a', 'b'])).to be true
- expect(@roles.insync?(['b', 'a'])).to be true
- end
-
-end
+++ /dev/null
-Exec { logoutput => 'on_failure' }
-
-package { 'curl': ensure => present }
-
-# example of how to build a single node
-# keystone instance backed by sqlite
-# with all of the default admin roles
-node keystone_sqlite {
- class { 'keystone':
- verbose => true,
- debug => true,
- catalog_type => 'sql',
- admin_token => 'admin_token',
- }
- class { 'keystone::roles::admin':
- email => 'example@abc.com',
- password => 'ChangeMe',
- }
- class { 'keystone::endpoint':
- public_url => "http://${::fqdn}:5000/",
- admin_url => "http://${::fqdn}:35357/",
- }
-}
-
-node keystone_mysql {
- class { 'mysql::server': }
- class { 'keystone::db::mysql':
- password => 'keystone',
- }
- class { 'keystone':
- verbose => true,
- debug => true,
- sql_connection => 'mysql://keystone:keystone@127.0.0.1/keystone',
- catalog_type => 'sql',
- admin_token => 'admin_token',
- }
- class { 'keystone::roles::admin':
- email => 'test@puppetlabs.com',
- password => 'ChangeMe',
- }
-}
-
-
-# keystone with mysql on another node
-node keystone {
- class { 'keystone':
- verbose => true,
- debug => true,
- sql_connection => 'mysql://keystone:password@127.0.0.1/keystone',
- catalog_type => 'sql',
- admin_token => 'admin_token',
- }
- class { 'keystone::db::mysql':
- password => 'keystone',
- }
- class { 'keystone::roles::admin':
- email => 'example@abc.com',
- password => 'ChangeMe',
- }
- class { 'keystone::endpoint':
- public_url => "http://${::fqdn}:5000/",
- admin_url => "http://${::fqdn}:35357/",
- }
-}
-
-node default {
- fail("could not find a matching node entry for ${clientcert}")
-}
projects / dsa-puppet.git / commitdiff