Move keystone authtoken keys into cinder.conf
* Remove the keystone keys from the api-paste.ini template * Add the keystone keys to the cinder.conf template * Update specs Change-Id: I5cff962fe200cc1b63352b5e3491f7afed9897f7 Closes-Bug: #1359864
This commit is contained in:
parent
8951fd1b83
commit
e84947717a
@ -6,6 +6,7 @@ This file is used to list changes made in each version of the openstack-block-st
|
|||
* Upgrading to Juno
|
||||
* Sync conf files with Juno
|
||||
* Upgrading berkshelf from 2.0.18 to 3.1.5
|
||||
* Move keystone keys into cinder.conf
|
||||
|
||||
## 9.4.1
|
||||
* Add support for LVMISCSIDriver driver using block devices with LVM
|
||||
@ -56,12 +56,6 @@ service 'cinder-api' do
|
|||
subscribes :restart, 'template[/etc/cinder/cinder.conf]'
|
||||
end
|
||||
|
||||
identity_endpoint = endpoint 'identity-api'
|
||||
identity_admin_endpoint = endpoint 'identity-admin'
|
||||
service_pass = get_password 'service', 'openstack-block-storage'
|
||||
|
||||
auth_uri = auth_uri_transform(identity_endpoint.to_s, node['openstack']['block-storage']['api']['auth']['version'])
|
||||
|
||||
execute 'cinder-manage db sync' do
|
||||
user node['openstack']['block-storage']['user']
|
||||
group node['openstack']['block-storage']['group']
|
||||
|
@ -72,11 +66,6 @@ template '/etc/cinder/api-paste.ini' do
|
|||
group node['openstack']['block-storage']['group']
|
||||
owner node['openstack']['block-storage']['user']
|
||||
mode 00644
|
||||
variables(
|
||||
auth_uri: auth_uri,
|
||||
identity_admin_endpoint: identity_admin_endpoint,
|
||||
service_pass: service_pass
|
||||
)
|
||||
|
||||
notifies :restart, 'service[cinder-api]', :immediately
|
||||
end
|
||||
@ -80,6 +80,12 @@ else
|
|||
end
|
||||
end
|
||||
|
||||
identity_endpoint = endpoint 'identity-api'
|
||||
identity_admin_endpoint = endpoint 'identity-admin'
|
||||
service_pass = get_password 'service', 'openstack-block-storage'
|
||||
|
||||
auth_uri = auth_uri_transform(identity_endpoint.to_s, node['openstack']['block-storage']['api']['auth']['version'])
|
||||
|
||||
template '/etc/cinder/cinder.conf' do
|
||||
source 'cinder.conf.erb'
|
||||
group node['openstack']['block-storage']['group']
|
||||
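Review bot: `service_pass = get_password 'service', 'openstack-block-storage'` now runs from cinder-common instead of the api recipe, so the keystone service credential is fetched and rendered into /etc/cinder/cinder.conf on every node that includes this recipe, presumably including volume and scheduler nodes that never load the authtoken middleware; that widens where the secret lives. The cinder_common_spec hunk in this same commit still asserts `expect(sprintf('%o', file.mode)).to eq '644'` for that template, so the password moves from a world-readable api-paste.ini into a world-readable cinder.conf without any tightening; the template's mode line is outside this hunk, but `mode 00640` with the cinder group, and gating the `endpoint 'identity-admin'`/`get_password` lookups on the api role if cinder-common is shared, would be the two changes to consider. The same variables are wired in at the `template '/etc/cinder/cinder.conf'` hunk below (`auth_uri:`, `identity_admin_endpoint:`, `service_pass:`), which this note covers as well.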
|
@ -98,7 +104,10 @@ template '/etc/cinder/cinder.conf' do
|
|||
volume_api_bind_port: cinder_api_bind.port,
|
||||
vmware_host_pass: vmware_host_pass,
|
||||
enabled_drivers: enabled_drivers,
|
||||
multi_backend_sections: multi_backend_sections
|
||||
multi_backend_sections: multi_backend_sections,
|
||||
auth_uri: auth_uri,
|
||||
identity_admin_endpoint: identity_admin_endpoint,
|
||||
service_pass: service_pass
|
||||
)
|
||||
end
|
||||
|
||||
@ -75,79 +75,6 @@ describe 'openstack-block-storage::api' do
|
|||
it 'notifies cinder-api restart' do
|
||||
expect(file).to notify('service[cinder-api]').to(:restart)
|
||||
end
|
||||
|
||||
context 'template contents' do
|
||||
it 'has signing_dir' do
|
||||
node.set['openstack']['block-storage']['api']['auth']['cache_dir'] = 'auth_cache_dir'
|
||||
|
||||
expect(chef_run).to render_file(file.name).with_content(/^signing_dir = auth_cache_dir$/)
|
||||
end
|
||||
|
||||
context 'endpoint related' do
|
||||
before do
|
||||
endpoint = double(port: 'port', host: 'host', scheme: 'scheme')
|
||||
allow_any_instance_of(Chef::Recipe).to receive(:endpoint)
|
||||
.with('image-api')
|
||||
.and_return(endpoint)
|
||||
allow_any_instance_of(Chef::Recipe).to receive(:endpoint)
|
||||
.with('identity-admin')
|
||||
.and_return(endpoint)
|
||||
allow_any_instance_of(Chef::Recipe).to receive(:endpoint)
|
||||
.with('identity-api')
|
||||
.and_return(endpoint)
|
||||
allow_any_instance_of(Chef::Recipe).to receive(:endpoint)
|
||||
.with('block-storage-api-bind')
|
||||
.and_return(endpoint)
|
||||
allow_any_instance_of(Chef::Recipe).to receive(:auth_uri_transform)
|
||||
.and_return('auth_uri_transform')
|
||||
end
|
||||
|
||||
it 'has auth_uri' do
|
||||
expect(chef_run).to render_file(file.name).with_content(/^auth_uri = auth_uri_transform$/)
|
||||
end
|
||||
|
||||
it 'has auth_host' do
|
||||
expect(chef_run).to render_file(file.name).with_content(/^auth_host = host$/)
|
||||
end
|
||||
|
||||
it 'has auth_port' do
|
||||
expect(chef_run).to render_file(file.name).with_content(/^auth_port = port$/)
|
||||
end
|
||||
|
||||
it 'has auth_protocol' do
|
||||
expect(chef_run).to render_file(file.name).with_content(/^auth_protocol = scheme$/)
|
||||
end
|
||||
end
|
||||
|
||||
it 'has no auth_version when auth_version is v2.0' do
|
||||
node.set['openstack']['block-storage']['api']['auth']['version'] = 'v2.0'
|
||||
|
||||
expect(chef_run).not_to render_file(file.name).with_content(/^auth_version = v2.0$/)
|
||||
end
|
||||
|
||||
it 'has auth_version when auth version is not v2.0' do
|
||||
node.set['openstack']['block-storage']['api']['auth']['version'] = 'v3.0'
|
||||
|
||||
expect(chef_run).to render_file(file.name).with_content(/^auth_version = v3.0$/)
|
||||
end
|
||||
|
||||
it 'has an admin tenant name' do
|
||||
node.set['openstack']['block-storage']['service_tenant_name'] = 'tenant_name'
|
||||
|
||||
expect(chef_run).to render_file(file.name).with_content(/^admin_tenant_name = tenant_name$/)
|
||||
end
|
||||
|
||||
it 'has an admin user' do
|
||||
node.set['openstack']['block-storage']['service_user'] = 'username'
|
||||
|
||||
expect(chef_run).to render_file(file.name).with_content(/^admin_user = username$/)
|
||||
end
|
||||
|
||||
it 'has an admin password' do
|
||||
# (fgimenez) the get_password mocking is set in spec/spec_helper.rb
|
||||
expect(chef_run).to render_file(file.name).with_content(/^admin_password = cinder-pass$/)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe 'policy file' do
|
||||
@ -40,6 +40,27 @@ describe 'openstack-block-storage::cinder-common' do
|
|||
|
||||
describe 'cinder.conf' do
|
||||
let(:file) { chef_run.template('/etc/cinder/cinder.conf') }
|
||||
let(:test_pass) { 'test_pass' }
|
||||
before do
|
||||
endpoint = double(port: 'port', host: 'host', scheme: 'scheme')
|
||||
allow_any_instance_of(Chef::Recipe).to receive(:endpoint)
|
||||
.with('image-api')
|
||||
.and_return(endpoint)
|
||||
allow_any_instance_of(Chef::Recipe).to receive(:endpoint)
|
||||
.with('identity-admin')
|
||||
.and_return(endpoint)
|
||||
allow_any_instance_of(Chef::Recipe).to receive(:endpoint)
|
||||
.with('identity-api')
|
||||
.and_return(endpoint)
|
||||
allow_any_instance_of(Chef::Recipe).to receive(:endpoint)
|
||||
.with('block-storage-api-bind')
|
||||
.and_return(endpoint)
|
||||
allow_any_instance_of(Chef::Recipe).to receive(:auth_uri_transform)
|
||||
.and_return('auth_uri_transform')
|
||||
allow_any_instance_of(Chef::Recipe).to receive(:get_password)
|
||||
.with('user', anything)
|
||||
.and_return(test_pass)
|
||||
end
|
||||
|
||||
it 'should create the cinder.conf template' do
|
||||
expect(chef_run).to create_template(file.name)
|
||||
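Review bot: The single `endpoint = double(port: 'port', host: 'host', scheme: 'scheme')` is returned for all four endpoint names, so the glance and cinder assertions later in this file are weakened to `/^glance_#{glance_attr}=#{glance_attr}$/` and `/^osapi_volume_listen=host$/` and can no longer detect the recipe rendering the image-api or block-storage-api-bind endpoint into the wrong key, which the previous `glance_host_value`/`cinder_host_value` doubles did catch. Keep one double per endpoint name, e.g. `identity = double(port: 'port', host: 'host', scheme: 'scheme')` for identity-admin and identity-api and the former glance/cinder doubles for the other two, and leave the endpoint-specific expectations as they were. The `receive(:get_password).with('user', anything)` stub also does not match the recipe's `get_password 'service', 'openstack-block-storage'`, so the admin_password expectation rests entirely on the spec_helper default mentioned in its comment; spec_helper is not in this diff, so that is inferred. The same shared double affects the 'glance endpoint' and 'cinder endpoint' hunks further down.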
|
@ -54,20 +75,64 @@ describe 'openstack-block-storage::cinder-common' do
|
|||
expect(sprintf('%o', file.mode)).to eq '644'
|
||||
end
|
||||
|
||||
context 'template contents' do
|
||||
let(:test_pass) { 'test_pass' }
|
||||
before do
|
||||
allow_any_instance_of(Chef::Recipe).to receive(:endpoint)
|
||||
.with('image-api')
|
||||
.and_return(double(host: 'glance_host_value', port: 'glance_port_value'))
|
||||
allow_any_instance_of(Chef::Recipe).to receive(:endpoint)
|
||||
.with('block-storage-api-bind')
|
||||
.and_return(double(host: 'cinder_host_value', port: 'cinder_port_value'))
|
||||
allow_any_instance_of(Chef::Recipe).to receive(:get_password)
|
||||
.with('user', anything)
|
||||
.and_return(test_pass)
|
||||
context 'template keystone contents' do
|
||||
it 'has signing_dir' do
|
||||
node.set['openstack']['block-storage']['api']['auth']['cache_dir'] = 'auth_cache_dir'
|
||||
|
||||
expect(chef_run).to render_file(file.name).with_content(/^signing_dir = auth_cache_dir$/)
|
||||
end
|
||||
|
||||
context 'endpoint related' do
|
||||
|
||||
it 'has auth_uri' do
|
||||
expect(chef_run).to render_file(file.name).with_content(/^auth_uri = auth_uri_transform$/)
|
||||
end
|
||||
|
||||
it 'has auth_host' do
|
||||
expect(chef_run).to render_file(file.name).with_content(/^auth_host = host$/)
|
||||
end
|
||||
|
||||
it 'has auth_port' do
|
||||
expect(chef_run).to render_file(file.name).with_content(/^auth_port = port$/)
|
||||
end
|
||||
|
||||
it 'has auth_protocol' do
|
||||
expect(chef_run).to render_file(file.name).with_content(/^auth_protocol = scheme$/)
|
||||
end
|
||||
end
|
||||
|
||||
it 'has no auth_version when auth_version is v2.0' do
|
||||
node.set['openstack']['block-storage']['api']['auth']['version'] = 'v2.0'
|
||||
|
||||
expect(chef_run).not_to render_file(file.name).with_content(/^auth_version = v2.0$/)
|
||||
end
|
||||
|
||||
it 'has auth_version when auth version is not v2.0' do
|
||||
node.set['openstack']['block-storage']['api']['auth']['version'] = 'v3.0'
|
||||
|
||||
expect(chef_run).to render_file(file.name).with_content(/^auth_version = v3.0$/)
|
||||
end
|
||||
|
||||
it 'has an admin tenant name' do
|
||||
node.set['openstack']['block-storage']['service_tenant_name'] = 'tenant_name'
|
||||
|
||||
expect(chef_run).to render_file(file.name).with_content(/^admin_tenant_name = tenant_name$/)
|
||||
end
|
||||
|
||||
it 'has an admin user' do
|
||||
node.set['openstack']['block-storage']['service_user'] = 'username'
|
||||
|
||||
expect(chef_run).to render_file(file.name).with_content(/^admin_user = username$/)
|
||||
end
|
||||
|
||||
it 'has an admin password' do
|
||||
# (fgimenez) the get_password mocking is set in spec/spec_helper.rb
|
||||
expect(chef_run).to render_file(file.name).with_content(/^admin_password = cinder-pass$/)
|
||||
end
|
||||
end
|
||||
|
||||
context 'template contents' do
|
||||
|
||||
context 'commonly named attributes' do
|
||||
%w(debug verbose lock_path notification_driver
|
||||
storage_availability_zone quota_volumes quota_gigabytes quota_driver
|
||||
|
@ -141,8 +206,8 @@ describe 'openstack-block-storage::cinder-common' do
|
|||
|
||||
context 'glance endpoint' do
|
||||
%w(host port).each do |glance_attr|
|
||||
it "has a glace #{glance_attr} attribute" do
|
||||
expect(chef_run).to render_file(file.name).with_content(/^glance_#{glance_attr}=glance_#{glance_attr}_value$/)
|
||||
it "has a glance #{glance_attr} attribute" do
|
||||
expect(chef_run).to render_file(file.name).with_content(/^glance_#{glance_attr}=#{glance_attr}$/)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
@ -154,11 +219,11 @@ describe 'openstack-block-storage::cinder-common' do
|
|||
|
||||
context 'cinder endpoint' do
|
||||
it 'has osapi_volume_listen set' do
|
||||
expect(chef_run).to render_file(file.name).with_content(/^osapi_volume_listen=cinder_host_value$/)
|
||||
expect(chef_run).to render_file(file.name).with_content(/^osapi_volume_listen=host$/)
|
||||
end
|
||||
|
||||
it 'has osapi_volume_listen_port set' do
|
||||
expect(chef_run).to render_file(file.name).with_content(/^osapi_volume_listen_port=cinder_port_value$/)
|
||||
expect(chef_run).to render_file(file.name).with_content(/^osapi_volume_listen_port=port$/)
|
||||
end
|
||||
end
|
||||
|
||||
@ -55,14 +55,3 @@ paste.filter_factory = cinder.api.middleware.auth:CinderKeystoneContext.factory
|
|||
|
||||
[filter:authtoken]
|
||||
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
|
||||
auth_uri = <%= @auth_uri %>
|
||||
auth_host = <%= @identity_admin_endpoint.host %>
|
||||
auth_port = <%= @identity_admin_endpoint.port %>
|
||||
auth_protocol = <%= @identity_admin_endpoint.scheme %>
|
||||
<% if node['openstack']['block-storage']['api']['auth']['version'] != 'v2.0' %>
|
||||
auth_version = <%= node['openstack']['block-storage']['api']['auth']['version'] %>
|
||||
<% end %>
|
||||
admin_tenant_name = <%= node["openstack"]["block-storage"]["service_tenant_name"] %>
|
||||
admin_user = <%= node["openstack"]["block-storage"]["service_user"] %>
|
||||
admin_password = <%= @service_pass %>
|
||||
signing_dir = <%= node["openstack"]["block-storage"]["api"]["auth"]["cache_dir"] %>
|
||||
@ -1004,3 +1004,159 @@ enabled_backends = <%= @multi_backend_sections.keys.join(',') %>
|
|||
|
||||
<% end %>
|
||||
<% end %>
|
||||
|
||||
[keystone_authtoken]
|
||||
|
||||
#
|
||||
# Options defined in keystonemiddleware.auth_token
|
||||
#
|
||||
|
||||
# Prefix to prepend at the beginning of the path. Deprecated,
|
||||
# use identity_uri. (string value)
|
||||
#auth_admin_prefix=
|
||||
|
||||
# Host providing the admin Identity API endpoint. Deprecated,
|
||||
# use identity_uri. (string value)
|
||||
auth_host = <%= @identity_admin_endpoint.host %>
|
||||
|
||||
# Port of the admin Identity API endpoint. Deprecated, use
|
||||
# identity_uri. (integer value)
|
||||
auth_port = <%= @identity_admin_endpoint.port %>
|
||||
|
||||
# Protocol of the admin Identity API endpoint (http or https).
|
||||
# Deprecated, use identity_uri. (string value)
|
||||
auth_protocol = <%= @identity_admin_endpoint.scheme %>
|
||||
|
||||
# Complete public Identity API endpoint (string value)
|
||||
auth_uri = <%= @auth_uri %>
|
||||
|
||||
# Complete admin Identity API endpoint. This should specify
|
||||
# the unversioned root endpoint e.g. https://localhost:35357/
|
||||
# (string value)
|
||||
#identity_uri=<None>
|
||||
|
||||
# API version of the admin Identity API endpoint (string
|
||||
# value)
|
||||
<% if node['openstack']['block-storage']['api']['auth']['version'] != 'v2.0' %>
|
||||
auth_version = <%= node['openstack']['block-storage']['api']['auth']['version'] %>
|
||||
<% end %>
|
||||
|
||||
# Do not handle authorization requests within the middleware,
|
||||
# but delegate the authorization decision to downstream WSGI
|
||||
# components (boolean value)
|
||||
#delay_auth_decision=false
|
||||
|
||||
# Request timeout value for communicating with Identity API
|
||||
# server. (boolean value)
|
||||
#http_connect_timeout=<None>
|
||||
|
||||
# How many times are we trying to reconnect when communicating
|
||||
# with Identity API Server. (integer value)
|
||||
#http_request_max_retries=3
|
||||
|
||||
# This option is deprecated and may be removed in a future
|
||||
# release. Single shared secret with the Keystone
|
||||
# configuration used for bootstrapping a Keystone
|
||||
# installation, or otherwise bypassing the normal
|
||||
# authentication process. This option should not be used, use
|
||||
# `admin_user` and `admin_password` instead. (string value)
|
||||
#admin_token=<None>
|
||||
|
||||
# Keystone account username (string value)
|
||||
admin_user = <%= node["openstack"]["block-storage"]["service_user"] %>
|
||||
|
||||
# Keystone account password (string value)
|
||||
admin_password = <%= @service_pass %>
|
||||
|
||||
# Keystone service account tenant name to validate user tokens
|
||||
# (string value)
|
||||
admin_tenant_name = <%= node["openstack"]["block-storage"]["service_tenant_name"] %>
|
||||
|
||||
# Env key for the swift cache (string value)
|
||||
#cache=<None>
|
||||
|
||||
# Required if Keystone server requires client certificate
|
||||
# (string value)
|
||||
#certfile=<None>
|
||||
|
||||
# Required if Keystone server requires client certificate
|
||||
# (string value)
|
||||
#keyfile=<None>
|
||||
|
||||
# A PEM encoded Certificate Authority to use when verifying
|
||||
# HTTPs connections. Defaults to system CAs. (string value)
|
||||
#cafile=<None>
|
||||
|
||||
# Verify HTTPS connections. (boolean value)
|
||||
#insecure=false
|
||||
|
||||
# Directory used to cache files related to PKI tokens (string
|
||||
# value)
|
||||
signing_dir = <%= node["openstack"]["block-storage"]["api"]["auth"]["cache_dir"] %>
|
||||
|
||||
# Optionally specify a list of memcached server(s) to use for
|
||||
# caching. If left undefined, tokens will instead be cached
|
||||
# in-process. (list value)
|
||||
# Deprecated group/name - [DEFAULT]/memcache_servers
|
||||
#memcached_servers=<None>
|
||||
|
||||
# In order to prevent excessive effort spent validating
|
||||
# tokens, the middleware caches previously-seen tokens for a
|
||||
# configurable duration (in seconds). Set to -1 to disable
|
||||
# caching completely. (integer value)
|
||||
#token_cache_time=300
|
||||
|
||||
# Determines the frequency at which the list of revoked tokens
|
||||
# is retrieved from the Identity service (in seconds). A high
|
||||
# number of revocation events combined with a low cache
|
||||
# duration may significantly reduce performance. (integer
|
||||
# value)
|
||||
#revocation_cache_time=10
|
||||
|
||||
# (optional) if defined, indicate whether token data should be
|
||||
# authenticated or authenticated and encrypted. Acceptable
|
||||
# values are MAC or ENCRYPT. If MAC, token data is
|
||||
# authenticated (with HMAC) in the cache. If ENCRYPT, token
|
||||
# data is encrypted and authenticated in the cache. If the
|
||||
# value is not one of these options or empty, auth_token will
|
||||
# raise an exception on initialization. (string value)
|
||||
#memcache_security_strategy=<None>
|
||||
|
||||
# (optional, mandatory if memcache_security_strategy is
|
||||
# defined) this string is used for key derivation. (string
|
||||
# value)
|
||||
#memcache_secret_key=<None>
|
||||
|
||||
# (optional) indicate whether to set the X-Service-Catalog
|
||||
# header. If False, middleware will not ask for service
|
||||
# catalog on token validation and will not set the X-Service-
|
||||
# Catalog header. (boolean value)
|
||||
#include_service_catalog=true
|
||||
|
||||
# Used to control the use and type of token binding. Can be
|
||||
# set to: "disabled" to not check token binding. "permissive"
|
||||
# (default) to validate binding information if the bind type
|
||||
# is of a form known to the server and ignore it if not.
|
||||
# "strict" like "permissive" but if the bind type is unknown
|
||||
# the token will be rejected. "required" any form of token
|
||||
# binding is needed to be allowed. Finally the name of a
|
||||
# binding method that must be present in tokens. (string
|
||||
# value)
|
||||
#enforce_token_bind=permissive
|
||||
|
||||
# If true, the revocation list will be checked for cached
|
||||
# tokens. This requires that PKI tokens are configured on the
|
||||
# Keystone server. (boolean value)
|
||||
#check_revocations_for_cached=false
|
||||
|
||||
# Hash algorithms to use for hashing PKI tokens. This may be a
|
||||
# single algorithm or multiple. The algorithms are those
|
||||
# supported by Python standard hashlib.new(). The hashes will
|
||||
# be tried in the order given, so put the preferred one first
|
||||
# for performance. The result of the first hash will be stored
|
||||
# in the cache. This will typically be set to multiple values
|
||||
# only while migrating from a less secure algorithm to a more
|
||||
# secure one. Once all the old tokens are expired this option
|
||||
# should be set to a single value for better performance.
|
||||
# (list value)
|
||||
#hash_algorithms=md5
|
||||
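Review bot: The rendered `[keystone_authtoken]` section sets only `auth_host`, `auth_port` and `auth_protocol`, each annotated in this same hunk as "Deprecated, use identity_uri", while `#identity_uri=<None>` stays commented even though `@identity_admin_endpoint` already exposes scheme, host and port; rendering `identity_uri = <%= @identity_admin_endpoint.scheme %>://<%= @identity_admin_endpoint.host %>:<%= @identity_admin_endpoint.port %>/` next to them keeps the file valid once the deprecated keys are dropped, provided the helper yields the unversioned root the comment asks for (confirm against the endpoint helper, which is not in this diff). `admin_password = <%= @service_pass %>` is now interpolated into cinder.conf, so that file's permissions carry a keystone credential from here on; the template resource's mode is outside this hunk. `#cafile` and `#insecure` are left at their defaults, which means HTTPS identity endpoints are verified against system CAs; if the cookbook exposes a CA bundle attribute, wiring it to `cafile` here would be the place.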