Allow cinder authtoken settings to be configurable

This patch is for allowing cafile, insecure,
memcached_servers, memcache_security_strategy,
memcache_secret_key and hash_algorithms to be
configurable.

Change-Id: If4e75092f969bb6b5df29d715e1cff696e41a9a3
Closes-Bug: #1370906
chenxiao 2014-09-19 10:46:07 +08:00
parent 43553e0e17
commit 5641af2512
5 changed files with 98 additions and 4 deletions


@ -4,6 +4,7 @@ This file is used to list changes made in each version of the openstack-block-st
## 10.0.1
# Update cinder.conf mode from 0644 to 0640
* Add attribute for ibmnas_platform_type
* Allow cafile, insecure, memcached_servers, memcache_security_strategy, memcache_secret_key and hash_algorithms to be configurable
## 10.0.0
* Upgrading to Juno


@ -48,9 +48,14 @@ Attributes
* `openstack["block-storage"]["db"]["username"]` - cinder username for database
* `openstack["block-storage"]["volume_name_template"]` - Template string to be used to generate volume names
* `openstack["block-storage"]["snapshot_name_template"]` - Template string to be used to generate snapshot names
* `openstack['block-storage']['api']['auth']['version']` - Select v2.0 or v3.0. Default v2.0 inherited from common cookbook. The default auth API version used to interact with identity service.
* `openstack["block-storage"]["snapshot_name_template"]` - Template string to be used to generate snapshot names
* `openstack['block-storage']['api']['auth']['version']` - Select v2.0 or v3.0. Default v2.0 inherited from common cookbook. The default auth API version used to interact with identity service
* `openstack['block-storage']['api']['auth']['memcached_servers']` - A list of memcached server(s) to use for caching
* `openstack['block-storage']['api']['auth']['memcache_security_strategy']` - Whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT
* `openstack['block-storage']['api']['auth']['memcache_secret_key']` - This string is used for key derivation
* `openstack['block-storage']['api']['auth']['hash_algorithms']` - Hash algorithms to use for hashing PKI tokens
* `openstack['block-storage']['api']['auth']['cafile']` - A PEM encoded Certificate Authority to use when verifying HTTPs connections
* `openstack['block-storage']['api']['auth']['insecure']` - Set whether to verify HTTPS connections
MQ attributes
-------------
* `openstack["block-storage"]["mq"]["service_type"]` - Select qpid or rabbitmq. default rabbitmq


@ -71,6 +71,24 @@ default['openstack']['block-storage']['api']['auth']['cache_dir'] = '/var/cache/
default['openstack']['block-storage']['api']['auth']['version'] = node['openstack']['api']['auth']['version']
# A list of memcached server(s) to use for caching
default['openstack']['block-storage']['api']['auth']['memcached_servers'] = nil
# Whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT
default['openstack']['block-storage']['api']['auth']['memcache_security_strategy'] = nil
# This string is used for key derivation
default['openstack']['block-storage']['api']['auth']['memcache_secret_key'] = nil
# Hash algorithms to use for hashing PKI tokens
default['openstack']['block-storage']['api']['auth']['hash_algorithms'] = 'md5'
# A PEM encoded Certificate Authority to use when verifying HTTPs connections
default['openstack']['block-storage']['api']['auth']['cafile'] = nil
# Verify HTTPS connections
default['openstack']['block-storage']['api']['auth']['insecure'] = false
# Maximum allocatable gigabytes
# Should equal total backend storage, default is 10TB
default['openstack']['block-storage']['max_gigabytes'] = '10000'
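Review bot: `memcache_secret_key` is introduced as a plain node attribute, so any value an operator sets is stored with the node object and is readable by anyone who can read node data, even though the rendered cinder.conf is restricted to mode 0640. I would take this value from an encrypted data bag instead (whether the cookbook already has such a lookup for other secrets is not visible in this hunk, so please confirm), and at minimum change its comment to `# Secret used for key derivation; do not set it in plain attribute, role or environment files`. Separately, the comment `# Verify HTTPS connections` above `insecure = false` reads backwards for an attribute whose true value turns verification off; `# Set to true to skip verification of HTTPS connections (leave false in production)` states what the switch does.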


@ -75,13 +75,69 @@ describe 'openstack-block-storage::cinder-common' do
expect(sprintf('%o', file.mode)).to eq '640'
end
context 'template keystone contents' do
context 'keystone authtoken attributes with default values' do
it 'sets memcached server(s)' do
expect(chef_run).not_to render_file(file.name).with_content(/^memcached_servers = $/)
end
it 'sets memcache security strategy' do
expect(chef_run).not_to render_file(file.name).with_content(/^memcache_security_strategy = $/)
end
it 'sets memcache secret key' do
expect(chef_run).not_to render_file(file.name).with_content(/^memcache_secret_key = $/)
end
it 'sets cafile' do
expect(chef_run).not_to render_file(file.name).with_content(/^cafile = $/)
end
it 'sets insecure' do
expect(chef_run).to render_file(file.name).with_content(/^insecure = false$/)
end
it 'sets token hash algorithms' do
expect(chef_run).to render_file(file.name).with_content(/^hash_algorithms = md5$/)
end
end
context 'keystone authtoken attributes' do
it 'has signing_dir' do
node.set['openstack']['block-storage']['api']['auth']['cache_dir'] = 'auth_cache_dir'
expect(chef_run).to render_file(file.name).with_content(/^signing_dir = auth_cache_dir$/)
end
it 'sets memcached server(s)' do
node.set['openstack']['block-storage']['api']['auth']['memcached_servers'] = 'localhost:11211'
expect(chef_run).to render_file(file.name).with_content(/^memcached_servers = localhost:11211$/)
end
it 'sets memcache security strategy' do
node.set['openstack']['block-storage']['api']['auth']['memcache_security_strategy'] = 'MAC'
expect(chef_run).to render_file(file.name).with_content(/^memcache_security_strategy = MAC$/)
end
it 'sets memcache secret key' do
node.set['openstack']['block-storage']['api']['auth']['memcache_secret_key'] = '0123456789ABCDEF'
expect(chef_run).to render_file(file.name).with_content(/^memcache_secret_key = 0123456789ABCDEF$/)
end
it 'sets cafile' do
node.set['openstack']['block-storage']['api']['auth']['cafile'] = 'dir/to/path'
expect(chef_run).to render_file(file.name).with_content(%r{^cafile = dir/to/path$})
end
it 'sets insecure' do
node.set['openstack']['block-storage']['api']['auth']['insecure'] = true
expect(chef_run).to render_file(file.name).with_content(/^insecure = true$/)
end
it 'sets token hash algorithms' do
node.set['openstack']['block-storage']['api']['auth']['hash_algorithms'] = 'sha2'
expect(chef_run).to render_file(file.name).with_content(/^hash_algorithms = sha2$/)
end
context 'endpoint related' do
it 'has auth_uri' do
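Review bot: The examples under 'keystone authtoken attributes with default values' only assert that an empty assignment is absent (`/^memcached_servers = $/`), so they would still pass if the template emitted a non-empty value for an unset attribute. Dropping the `$`, as in `with_content(/^memcached_servers = /)`, asserts that the directive is not rendered at all; the same applies to the memcache_security_strategy, memcache_secret_key and cafile examples. Those four examples are also titled 'sets …' while asserting the opposite, so a title such as `it 'does not set memcached server(s) by default'` would match what they check. No example covers memcache_security_strategy being set without memcache_secret_key, a pairing the template's own comments describe as mandatory. The enclosing describe block starts and ends outside this hunk.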


@ -1095,9 +1095,13 @@ admin_tenant_name = <%= node["openstack"]["block-storage"]["service_tenant_name"
# A PEM encoded Certificate Authority to use when verifying
# HTTPs connections. Defaults to system CAs. (string value)
#cafile=<None>
<% if node['openstack']['block-storage']['api']['auth']['cafile'] %>
cafile = <%= node['openstack']['block-storage']['api']['auth']['cafile'] %>
<% end %>
# Verify HTTPS connections. (boolean value)
#insecure=false
insecure = <%= node['openstack']['block-storage']['api']['auth']['insecure'] %>
# Directory used to cache files related to PKI tokens (string
# value)
@ -1108,6 +1112,9 @@ signing_dir = <%= node["openstack"]["block-storage"]["api"]["auth"]["cache_dir"]
# in-process. (list value)
# Deprecated group/name - [DEFAULT]/memcache_servers
#memcached_servers=<None>
<% if node['openstack']['block-storage']['api']['auth']['memcached_servers'] %>
memcached_servers = <%= node['openstack']['block-storage']['api']['auth']['memcached_servers'] %>
<% end %>
# In order to prevent excessive effort spent validating
# tokens, the middleware caches previously-seen tokens for a
@ -1130,11 +1137,17 @@ signing_dir = <%= node["openstack"]["block-storage"]["api"]["auth"]["cache_dir"]
# value is not one of these options or empty, auth_token will
# raise an exception on initialization. (string value)
#memcache_security_strategy=<None>
<% if node['openstack']['block-storage']['api']['auth']['memcache_security_strategy'] %>
memcache_security_strategy = <%= node['openstack']['block-storage']['api']['auth']['memcache_security_strategy'] %>
<% end %>
# (optional, mandatory if memcache_security_strategy is
# defined) this string is used for key derivation. (string
# value)
#memcache_secret_key=<None>
<% if node['openstack']['block-storage']['api']['auth']['memcache_secret_key'] %>
memcache_secret_key = <%= node['openstack']['block-storage']['api']['auth']['memcache_secret_key'] %>
<% end %>
# (optional) indicate whether to set the X-Service-Catalog
# header. If False, middleware will not ask for service
@ -1169,3 +1182,4 @@ signing_dir = <%= node["openstack"]["block-storage"]["api"]["auth"]["cache_dir"]
# should be set to a single value for better performance.
# (list value)
#hash_algorithms=md5
hash_algorithms = <%= node['openstack']['block-storage']['api']['auth']['hash_algorithms'] %>
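Review bot: `memcache_security_strategy` and `memcache_secret_key` are rendered under two independent guards, although the comment directly above the key says it is mandatory once a strategy is defined. A node with only the strategy set therefore converges cleanly, and the misconfiguration presumably surfaces only when the service loads the file. Failing at converge time would catch it earlier, for example `<% auth = node['openstack']['block-storage']['api']['auth']; raise 'memcache_secret_key is required when memcache_security_strategy is set' if auth['memcache_security_strategy'] && !auth['memcache_secret_key'] %>` ahead of the strategy block. The guards also test plain truthiness, so an attribute set to `''` still renders an empty `cafile = ` or `memcached_servers = ` line; checking `.to_s.empty?` would avoid that.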