Move keystone authtoken keys into cinder.conf

* Remove the keystone keys from api-paste.ini template
* Add the keystone keys to cinder.conf template
* update specs

Change-Id: I5cff962fe200cc1b63352b5e3491f7afed9897f7
Closes-Bug: #1359864

CHANGELOG.md

@@ -6,6 +6,7 @@ This file is used to list changes made in each version of the openstack-block-st
 * Upgrading to Juno
 * Sync conf files with Juno
 * Upgrading berkshelf from 2.0.18 to 3.1.5
+* Move keystone keys into cinder.conf
 
 ## 9.4.1
 * Add support for LVMISCSIDriver driver using block devices with LVM

recipes/api.rb

@@ -56,12 +56,6 @@ service 'cinder-api' do
   subscribes :restart, 'template[/etc/cinder/cinder.conf]'
 end
 
-identity_endpoint = endpoint 'identity-api'
-identity_admin_endpoint = endpoint 'identity-admin'
-service_pass = get_password 'service', 'openstack-block-storage'
-
-auth_uri = auth_uri_transform(identity_endpoint.to_s, node['openstack']['block-storage']['api']['auth']['version'])
-
 execute 'cinder-manage db sync' do
   user node['openstack']['block-storage']['user']
   group node['openstack']['block-storage']['group']
@@ -72,11 +66,6 @@ template '/etc/cinder/api-paste.ini' do
   group node['openstack']['block-storage']['group']
   owner node['openstack']['block-storage']['user']
   mode 00644
-  variables(
-    auth_uri: auth_uri,
-    identity_admin_endpoint: identity_admin_endpoint,
-    service_pass: service_pass
-    )
 
   notifies :restart, 'service[cinder-api]', :immediately
 end

recipes/cinder-common.rb

@@ -80,6 +80,12 @@ else
   end
 end
 
+identity_endpoint = endpoint 'identity-api'
+identity_admin_endpoint = endpoint 'identity-admin'
+service_pass = get_password 'service', 'openstack-block-storage'
+
+auth_uri = auth_uri_transform(identity_endpoint.to_s, node['openstack']['block-storage']['api']['auth']['version'])
+
 template '/etc/cinder/cinder.conf' do
   source 'cinder.conf.erb'
   group node['openstack']['block-storage']['group']
@@ -98,7 +104,10 @@ template '/etc/cinder/cinder.conf' do
     volume_api_bind_port: cinder_api_bind.port,
     vmware_host_pass: vmware_host_pass,
     enabled_drivers: enabled_drivers,
-    multi_backend_sections: multi_backend_sections
+    multi_backend_sections: multi_backend_sections,
+    auth_uri: auth_uri,
+    identity_admin_endpoint: identity_admin_endpoint,
+    service_pass: service_pass
   )
 end
 

spec/api_spec.rb

@@ -75,79 +75,6 @@ describe 'openstack-block-storage::api' do
       it 'notifies cinder-api restart' do
         expect(file).to notify('service[cinder-api]').to(:restart)
       end
-
-      context 'template contents' do
-        it 'has signing_dir' do
-          node.set['openstack']['block-storage']['api']['auth']['cache_dir'] = 'auth_cache_dir'
-
-          expect(chef_run).to render_file(file.name).with_content(/^signing_dir = auth_cache_dir$/)
-        end
-
-        context 'endpoint related' do
-          before do
-            endpoint = double(port: 'port', host: 'host', scheme: 'scheme')
-            allow_any_instance_of(Chef::Recipe).to receive(:endpoint)
-              .with('image-api')
-              .and_return(endpoint)
-            allow_any_instance_of(Chef::Recipe).to receive(:endpoint)
-              .with('identity-admin')
-              .and_return(endpoint)
-            allow_any_instance_of(Chef::Recipe).to receive(:endpoint)
-              .with('identity-api')
-              .and_return(endpoint)
-            allow_any_instance_of(Chef::Recipe).to receive(:endpoint)
-              .with('block-storage-api-bind')
-              .and_return(endpoint)
-            allow_any_instance_of(Chef::Recipe).to receive(:auth_uri_transform)
-              .and_return('auth_uri_transform')
-          end
-
-          it 'has auth_uri' do
-            expect(chef_run).to render_file(file.name).with_content(/^auth_uri = auth_uri_transform$/)
-          end
-
-          it 'has auth_host' do
-            expect(chef_run).to render_file(file.name).with_content(/^auth_host = host$/)
-          end
-
-          it 'has auth_port' do
-            expect(chef_run).to render_file(file.name).with_content(/^auth_port = port$/)
-          end
-
-          it 'has auth_protocol' do
-            expect(chef_run).to render_file(file.name).with_content(/^auth_protocol = scheme$/)
-          end
-        end
-
-        it 'has no auth_version when auth_version is v2.0' do
-          node.set['openstack']['block-storage']['api']['auth']['version'] = 'v2.0'
-
-          expect(chef_run).not_to render_file(file.name).with_content(/^auth_version = v2.0$/)
-        end
-
-        it 'has auth_version when auth version is not v2.0' do
-          node.set['openstack']['block-storage']['api']['auth']['version'] = 'v3.0'
-
-          expect(chef_run).to render_file(file.name).with_content(/^auth_version = v3.0$/)
-        end
-
-        it 'has an admin tenant name' do
-          node.set['openstack']['block-storage']['service_tenant_name'] = 'tenant_name'
-
-          expect(chef_run).to render_file(file.name).with_content(/^admin_tenant_name = tenant_name$/)
-        end
-
-        it 'has an admin user' do
-          node.set['openstack']['block-storage']['service_user'] = 'username'
-
-          expect(chef_run).to render_file(file.name).with_content(/^admin_user = username$/)
-        end
-
-        it 'has an admin password' do
-          # (fgimenez) the get_password mocking is set in spec/spec_helper.rb
-          expect(chef_run).to render_file(file.name).with_content(/^admin_password = cinder-pass$/)
-        end
-      end
     end
 
     describe 'policy file' do

spec/cinder_common_spec.rb

@@ -40,6 +40,27 @@ describe 'openstack-block-storage::cinder-common' do
 
     describe 'cinder.conf' do
       let(:file) { chef_run.template('/etc/cinder/cinder.conf') }
+      let(:test_pass) { 'test_pass' }
+      before do
+        endpoint = double(port: 'port', host: 'host', scheme: 'scheme')
+        allow_any_instance_of(Chef::Recipe).to receive(:endpoint)
+          .with('image-api')
+          .and_return(endpoint)
+        allow_any_instance_of(Chef::Recipe).to receive(:endpoint)
+          .with('identity-admin')
+          .and_return(endpoint)
+        allow_any_instance_of(Chef::Recipe).to receive(:endpoint)
+          .with('identity-api')
+          .and_return(endpoint)
+        allow_any_instance_of(Chef::Recipe).to receive(:endpoint)
+          .with('block-storage-api-bind')
+          .and_return(endpoint)
+        allow_any_instance_of(Chef::Recipe).to receive(:auth_uri_transform)
+          .and_return('auth_uri_transform')
+        allow_any_instance_of(Chef::Recipe).to receive(:get_password)
+          .with('user', anything)
+          .and_return(test_pass)
+      end
 
       it 'should create the cinder.conf template' do
         expect(chef_run).to create_template(file.name)
@@ -54,20 +75,64 @@ describe 'openstack-block-storage::cinder-common' do
         expect(sprintf('%o', file.mode)).to eq '644'
       end
 
-      context 'template contents' do
-        let(:test_pass) { 'test_pass' }
-        before do
-          allow_any_instance_of(Chef::Recipe).to receive(:endpoint)
-            .with('image-api')
-            .and_return(double(host: 'glance_host_value', port: 'glance_port_value'))
-          allow_any_instance_of(Chef::Recipe).to receive(:endpoint)
-            .with('block-storage-api-bind')
-            .and_return(double(host: 'cinder_host_value', port: 'cinder_port_value'))
-          allow_any_instance_of(Chef::Recipe).to receive(:get_password)
-            .with('user', anything)
-            .and_return(test_pass)
+      context 'template keystone contents' do
+        it 'has signing_dir' do
+          node.set['openstack']['block-storage']['api']['auth']['cache_dir'] = 'auth_cache_dir'
+
+          expect(chef_run).to render_file(file.name).with_content(/^signing_dir = auth_cache_dir$/)
         end
 
+        context 'endpoint related' do
+
+          it 'has auth_uri' do
+            expect(chef_run).to render_file(file.name).with_content(/^auth_uri = auth_uri_transform$/)
+          end
+
+          it 'has auth_host' do
+            expect(chef_run).to render_file(file.name).with_content(/^auth_host = host$/)
+          end
+
+          it 'has auth_port' do
+            expect(chef_run).to render_file(file.name).with_content(/^auth_port = port$/)
+          end
+
+          it 'has auth_protocol' do
+            expect(chef_run).to render_file(file.name).with_content(/^auth_protocol = scheme$/)
+          end
+        end
+
+        it 'has no auth_version when auth_version is v2.0' do
+          node.set['openstack']['block-storage']['api']['auth']['version'] = 'v2.0'
+
+          expect(chef_run).not_to render_file(file.name).with_content(/^auth_version = v2.0$/)
+        end
+
+        it 'has auth_version when auth version is not v2.0' do
+          node.set['openstack']['block-storage']['api']['auth']['version'] = 'v3.0'
+
+          expect(chef_run).to render_file(file.name).with_content(/^auth_version = v3.0$/)
+        end
+
+        it 'has an admin tenant name' do
+          node.set['openstack']['block-storage']['service_tenant_name'] = 'tenant_name'
+
+          expect(chef_run).to render_file(file.name).with_content(/^admin_tenant_name = tenant_name$/)
+        end
+
+        it 'has an admin user' do
+          node.set['openstack']['block-storage']['service_user'] = 'username'
+
+          expect(chef_run).to render_file(file.name).with_content(/^admin_user = username$/)
+        end
+
+        it 'has an admin password' do
+          # (fgimenez) the get_password mocking is set in spec/spec_helper.rb
+          expect(chef_run).to render_file(file.name).with_content(/^admin_password = cinder-pass$/)
+        end
+      end
+
+      context 'template contents' do
+
         context 'commonly named attributes' do
           %w(debug verbose lock_path notification_driver
              storage_availability_zone quota_volumes quota_gigabytes quota_driver
@@ -141,8 +206,8 @@ describe 'openstack-block-storage::cinder-common' do
 
         context 'glance endpoint' do
           %w(host port).each do |glance_attr|
-            it "has a glace #{glance_attr} attribute" do
-              expect(chef_run).to render_file(file.name).with_content(/^glance_#{glance_attr}=glance_#{glance_attr}_value$/)
+            it "has a glance #{glance_attr} attribute" do
+              expect(chef_run).to render_file(file.name).with_content(/^glance_#{glance_attr}=#{glance_attr}$/)
             end
           end
         end
@@ -154,11 +219,11 @@ describe 'openstack-block-storage::cinder-common' do
 
         context 'cinder endpoint' do
           it 'has osapi_volume_listen set' do
-            expect(chef_run).to render_file(file.name).with_content(/^osapi_volume_listen=cinder_host_value$/)
+            expect(chef_run).to render_file(file.name).with_content(/^osapi_volume_listen=host$/)
           end
 
           it 'has osapi_volume_listen_port set' do
-            expect(chef_run).to render_file(file.name).with_content(/^osapi_volume_listen_port=cinder_port_value$/)
+            expect(chef_run).to render_file(file.name).with_content(/^osapi_volume_listen_port=port$/)
           end
         end
 

templates/default/api-paste.ini.erb

@@ -55,14 +55,3 @@ paste.filter_factory = cinder.api.middleware.auth:CinderKeystoneContext.factory
 
 [filter:authtoken]
 paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
-auth_uri = <%= @auth_uri %>
-auth_host = <%= @identity_admin_endpoint.host %>
-auth_port = <%= @identity_admin_endpoint.port %>
-auth_protocol = <%= @identity_admin_endpoint.scheme %>
-<% if node['openstack']['block-storage']['api']['auth']['version'] != 'v2.0' %>
-auth_version = <%= node['openstack']['block-storage']['api']['auth']['version'] %>
-<% end %>
-admin_tenant_name = <%= node["openstack"]["block-storage"]["service_tenant_name"] %>
-admin_user = <%= node["openstack"]["block-storage"]["service_user"] %>
-admin_password = <%= @service_pass %>
-signing_dir = <%= node["openstack"]["block-storage"]["api"]["auth"]["cache_dir"] %>

templates/default/cinder.conf.erb

@@ -1004,3 +1004,159 @@ enabled_backends = <%= @multi_backend_sections.keys.join(',') %>
 
 <% end %>
 <% end %>
+
+[keystone_authtoken]
+
+#
+# Options defined in keystonemiddleware.auth_token
+#
+
+# Prefix to prepend at the beginning of the path. Deprecated,
+# use identity_uri. (string value)
+#auth_admin_prefix=
+
+# Host providing the admin Identity API endpoint. Deprecated,
+# use identity_uri. (string value)
+auth_host = <%= @identity_admin_endpoint.host %>
+
+# Port of the admin Identity API endpoint. Deprecated, use
+# identity_uri. (integer value)
+auth_port = <%= @identity_admin_endpoint.port %>
+
+# Protocol of the admin Identity API endpoint (http or https).
+# Deprecated, use identity_uri. (string value)
+auth_protocol = <%= @identity_admin_endpoint.scheme %>
+
+# Complete public Identity API endpoint (string value)
+auth_uri = <%= @auth_uri %>
+
+# Complete admin Identity API endpoint. This should specify
+# the unversioned root endpoint e.g. https://localhost:35357/
+# (string value)
+#identity_uri=<None>
+
+# API version of the admin Identity API endpoint (string
+# value)
+<% if node['openstack']['block-storage']['api']['auth']['version'] != 'v2.0' %>
+auth_version = <%= node['openstack']['block-storage']['api']['auth']['version'] %>
+<% end %>
+
+# Do not handle authorization requests within the middleware,
+# but delegate the authorization decision to downstream WSGI
+# components (boolean value)
+#delay_auth_decision=false
+
+# Request timeout value for communicating with Identity API
+# server. (boolean value)
+#http_connect_timeout=<None>
+
+# How many times are we trying to reconnect when communicating
+# with Identity API Server. (integer value)
+#http_request_max_retries=3
+
+# This option is deprecated and may be removed in a future
+# release. Single shared secret with the Keystone
+# configuration used for bootstrapping a Keystone
+# installation, or otherwise bypassing the normal
+# authentication process. This option should not be used, use
+# `admin_user` and `admin_password` instead. (string value)
+#admin_token=<None>
+
+# Keystone account username (string value)
+admin_user = <%= node["openstack"]["block-storage"]["service_user"] %>
+
+# Keystone account password (string value)
+admin_password = <%= @service_pass %>
+
+# Keystone service account tenant name to validate user tokens
+# (string value)
+admin_tenant_name = <%= node["openstack"]["block-storage"]["service_tenant_name"] %>
+
+# Env key for the swift cache (string value)
+#cache=<None>
+
+# Required if Keystone server requires client certificate
+# (string value)
+#certfile=<None>
+
+# Required if Keystone server requires client certificate
+# (string value)
+#keyfile=<None>
+
+# A PEM encoded Certificate Authority to use when verifying
+# HTTPs connections. Defaults to system CAs. (string value)
+#cafile=<None>
+
+# Verify HTTPS connections. (boolean value)
+#insecure=false
+
+# Directory used to cache files related to PKI tokens (string
+# value)
+signing_dir = <%= node["openstack"]["block-storage"]["api"]["auth"]["cache_dir"] %>
+
+# Optionally specify a list of memcached server(s) to use for
+# caching. If left undefined, tokens will instead be cached
+# in-process. (list value)
+# Deprecated group/name - [DEFAULT]/memcache_servers
+#memcached_servers=<None>
+
+# In order to prevent excessive effort spent validating
+# tokens, the middleware caches previously-seen tokens for a
+# configurable duration (in seconds). Set to -1 to disable
+# caching completely. (integer value)
+#token_cache_time=300
+
+# Determines the frequency at which the list of revoked tokens
+# is retrieved from the Identity service (in seconds). A high
+# number of revocation events combined with a low cache
+# duration may significantly reduce performance. (integer
+# value)
+#revocation_cache_time=10
+
+# (optional) if defined, indicate whether token data should be
+# authenticated or authenticated and encrypted. Acceptable
+# values are MAC or ENCRYPT.  If MAC, token data is
+# authenticated (with HMAC) in the cache. If ENCRYPT, token
+# data is encrypted and authenticated in the cache. If the
+# value is not one of these options or empty, auth_token will
+# raise an exception on initialization. (string value)
+#memcache_security_strategy=<None>
+
+# (optional, mandatory if memcache_security_strategy is
+# defined) this string is used for key derivation. (string
+# value)
+#memcache_secret_key=<None>
+
+# (optional) indicate whether to set the X-Service-Catalog
+# header. If False, middleware will not ask for service
+# catalog on token validation and will not set the X-Service-
+# Catalog header. (boolean value)
+#include_service_catalog=true
+
+# Used to control the use and type of token binding. Can be
+# set to: "disabled" to not check token binding. "permissive"
+# (default) to validate binding information if the bind type
+# is of a form known to the server and ignore it if not.
+# "strict" like "permissive" but if the bind type is unknown
+# the token will be rejected. "required" any form of token
+# binding is needed to be allowed. Finally the name of a
+# binding method that must be present in tokens. (string
+# value)
+#enforce_token_bind=permissive
+
+# If true, the revocation list will be checked for cached
+# tokens. This requires that PKI tokens are configured on the
+# Keystone server. (boolean value)
+#check_revocations_for_cached=false
+
+# Hash algorithms to use for hashing PKI tokens. This may be a
+# single algorithm or multiple. The algorithms are those
+# supported by Python standard hashlib.new(). The hashes will
+# be tried in the order given, so put the preferred one first
+# for performance. The result of the first hash will be stored
+# in the cache. This will typically be set to multiple values
+# only while migrating from a less secure algorithm to a more
+# secure one. Once all the old tokens are expired this option
+# should be set to a single value for better performance.
+# (list value)
+#hash_algorithms=md5