Merge "Simplify identity endpoint"

This commit is contained in:
Zuul 2018-07-03 06:31:58 +00:00 committed by Gerrit Code Review
commit 41b3463312
8 changed files with 129 additions and 252 deletions

View File

@ -29,11 +29,11 @@ default['openstack']['identity']['custom_template_banner'] = '
'
%w(admin internal public).each do |ep_type|
# host for openstack admin/internal/public identity endpoint
# host for openstack identity endpoint
default['openstack']['endpoints'][ep_type]['identity']['host'] = '127.0.0.1'
# scheme for openstack admin/internal/public identity endpoint
# scheme for openstack identity endpoint
default['openstack']['endpoints'][ep_type]['identity']['scheme'] = 'http'
# path for openstack admin/internal/public identity endpoint
# path for openstack identity endpoint
default['openstack']['endpoints'][ep_type]['identity']['path'] = '/v3'
end
@ -41,17 +41,11 @@ end
default['openstack']['endpoints']['public']['identity']['port'] = 5000
# port for openstack internal identity endpoint
default['openstack']['endpoints']['internal']['identity']['port'] = 5000
# port for openstack admin identity endpoint
default['openstack']['endpoints']['admin']['identity']['port'] = 35357
# address for openstack identity service main endpoint to bind to
default['openstack']['bind_service']['public']['identity']['host'] = '127.0.0.1'
# port for openstack identity service main endpoint to bind to
default['openstack']['bind_service']['public']['identity']['port'] = 5000
# address for openstack identity service admin endpoint to bind to
default['openstack']['bind_service']['admin']['identity']['host'] = '127.0.0.1'
# port for openstack identity service admin endpoint to bind to
default['openstack']['bind_service']['admin']['identity']['port'] = 35357
# identity service catalog backend for service endpoints
default['openstack']['identity']['catalog']['backend'] = 'sql'

View File

@ -29,10 +29,11 @@ project_domain_name = node['openstack']['identity']['admin_project_domain']
ksadmin_user = node['openstack']['identity']['admin_user']
admin_domain_name = node['openstack']['identity']['admin_domain_name']
auth_api_version = node['openstack']['api']['auth']['version']
# auth_api_version = node['openstack']['api']['auth']['version']
ksadmin_pass = get_password 'user', ksadmin_user
identity_public_endpoint = public_endpoint 'identity'
auth_url = auth_uri_transform identity_public_endpoint.to_s, auth_api_version
identity_endpoint = public_endpoint 'identity'
auth_url = auth_uri_transform identity_endpoint.to_s, node['openstack']['api']['auth']['version']
directory node['openstack']['openrc']['path'] do
owner node['openstack']['openrc']['user']

View File

@ -30,10 +30,8 @@ class ::Chef::Recipe
include ::Openstack
end
identity_admin_endpoint = admin_endpoint 'identity'
identity_internal_endpoint = internal_endpoint 'identity'
identity_public_endpoint = public_endpoint 'identity'
auth_url = ::URI.decode identity_admin_endpoint.to_s
identity_endpoint = public_endpoint 'identity'
auth_url = auth_uri_transform identity_endpoint.to_s, node['openstack']['api']['auth']['version']
# define the credentials to use for the initial admin user
admin_project = node['openstack']['identity']['admin_project']
@ -50,17 +48,17 @@ connection_params = {
openstack_domain_name: admin_domain,
}
ruby_block 'wait for identity admin endpoint' do
ruby_block 'wait for identity endpoint' do
block do
begin
Timeout.timeout(60) do
until Net::HTTP.get_response(URI(auth_url)).message == 'OK'
Chef::Log.info 'waiting for identity admin endpoint to be up...'
Chef::Log.info 'waiting for identity endpoint to be up...'
sleep 1
end
end
rescue Timeout::Error
raise 'Waited 60 seconds for identity admin endpoint to become ready'\
raise 'Waited 60 seconds for identity endpoint to become ready'\
' and will not wait any longer'
end
end
@ -87,10 +85,6 @@ openstack_role '_member_' do
connection_params connection_params
end
node.normal['openstack']['identity']['adminURL'] = identity_admin_endpoint.to_s
node.normal['openstack']['identity']['internalURL'] = identity_internal_endpoint.to_s
node.normal['openstack']['identity']['publicURL'] = identity_public_endpoint.to_s
node.normal['openstack']['identity']['publicURL'] = identity_endpoint.to_s
Chef::Log.info "Keystone AdminURL: #{identity_admin_endpoint}"
Chef::Log.info "Keystone InternalURL: #{identity_internal_endpoint}"
Chef::Log.info "Keystone PublicURL: #{identity_public_endpoint}"
Chef::Log.info "Keystone PublicURL: #{identity_endpoint}"

View File

@ -48,9 +48,7 @@ end
platform_options = node['openstack']['identity']['platform']
identity_admin_endpoint = admin_endpoint 'identity'
identity_internal_endpoint = internal_endpoint 'identity'
identity_public_endpoint = public_endpoint 'identity'
identity_endpoint = public_endpoint 'identity'
# define the credentials to use for the initial admin user
admin_project = node['openstack']['identity']['admin_project']
@ -125,14 +123,8 @@ include_recipe 'openstack-identity::_credential_tokens'
include_recipe 'openstack-identity::_fernet_tokens'
# define the address to bind the keystone apache public service to
public_bind_service = node['openstack']['bind_service']['public']['identity']
public_bind_address = bind_address public_bind_service
# define the address to bind the keystone apache admin service to
admin_bind_service = node['openstack']['bind_service']['admin']['identity']
admin_bind_address = bind_address admin_bind_service
# define the address where the keystone admin endpoint will be reachable
identity_admin_endpoint = admin_endpoint 'identity'
bind_service = node['openstack']['bind_service']['public']['identity']
bind_address = bind_address bind_service
# set the keystone database credentials
db_user = node['openstack']['db']['identity']['username']
@ -145,13 +137,9 @@ node.default['openstack']['identity']['conf_secrets']
memcache_servers = memcached_servers.join ','
# define the address where the keystone public endpoint will be reachable
identity_public_endpoint = public_endpoint 'identity'
ie = identity_public_endpoint
ie = identity_endpoint
# define the keystone public endpoint full path
api_public_endpoint = "#{ie.scheme}://#{ie.host}:#{ie.port}/"
ae = identity_admin_endpoint
# define the keystone admin endpoint full path
api_admin_endpoint = "#{ae.scheme}://#{ae.host}:#{ae.port}/"
api_endpoint = "#{ie.scheme}://#{ie.host}:#{ie.port}/"
# If a keystone-paste.ini is specified use it.
# If platform_family is RHEL and we do not specify keystone-paste.ini,
@ -181,8 +169,7 @@ end
# set keystone config parameters for admin_token, endpoints and memcache
node.default['openstack']['identity']['conf'].tap do |conf|
conf['DEFAULT']['public_endpoint'] = api_public_endpoint
conf['DEFAULT']['admin_endpoint'] = api_admin_endpoint
conf['DEFAULT']['public_endpoint'] = api_endpoint
conf['memcache']['servers'] = memcache_servers if memcache_servers
end
@ -227,8 +214,7 @@ if node['openstack']['identity']['catalog']['backend'] == 'templated'
# populate the templated catlog
# TODO: (jklare) this should be done in a helper method
uris = {
'identity-admin' => identity_admin_endpoint.to_s.gsub('%25', '%'),
'identity' => identity_public_endpoint.to_s.gsub('%25', '%'),
'identity' => identity_endpoint.to_s.gsub('%25', '%'),
'image' => image_public_endpoint.to_s.gsub('%25', '%'),
'compute' => compute_public_endpoint.to_s.gsub('%25', '%'),
'ec2' => ec2_public_endpoint.to_s.gsub('%25', '%'),
@ -262,9 +248,9 @@ execute 'bootstrap_keystone' do
--bootstrap-role-name #{admin_role} \\
--bootstrap-service-name keystone \\
--bootstrap-region-id #{region} \\
--bootstrap-admin-url #{identity_admin_endpoint} \\
--bootstrap-public-url #{identity_public_endpoint} \\
--bootstrap-internal-url #{identity_internal_endpoint}"
--bootstrap-admin-url #{identity_endpoint} \\
--bootstrap-public-url #{identity_endpoint} \\
--bootstrap-internal-url #{identity_endpoint}"
end
#### Start of Apache specific work
@ -274,8 +260,7 @@ apache_listen = Array(node['apache']['listen']) # include already defined listen
# Remove the default apache2 cookbook port, as that is also the default for horizon, but with
# a different address syntax. *:80 vs 0.0.0.0:80
apache_listen -= ['*:80']
apache_listen += ["#{public_bind_address}:#{public_bind_service['port']}"]
apache_listen += ["#{admin_bind_address}:#{admin_bind_service['port']}"]
apache_listen += ["#{bind_address}:#{bind_service['port']}"]
node.normal['apache']['listen'] = apache_listen.uniq
# include the apache2 default recipe and the recipes for mod_wsgi
@ -292,44 +277,27 @@ directory keystone_apache_dir do
mode 0o0755
end
wsgi_apps = {
'public' => {
server_host: public_bind_address,
server_port: public_bind_service['port'],
server_entry: '/usr/bin/keystone-wsgi-public',
server_alias: 'identity',
},
'admin' => {
server_host: admin_bind_address,
server_port: admin_bind_service['port'],
server_entry: '/usr/bin/keystone-wsgi-admin',
server_alias: 'identity_admin',
},
}
# create the keystone apache config using the web_app resource from the apache2
# cookbook
wsgi_apps.each do |app, opt|
web_app "keystone-#{app}" do
template 'wsgi-keystone.conf.erb'
server_host opt[:server_host]
server_port opt[:server_port]
server_entry opt[:server_entry]
server_alias opt[:server_alias]
server_suffix app
log_dir node['apache']['log_dir']
log_debug node['openstack']['identity']['debug']
user keystone_user
group keystone_group
use_ssl node['openstack']['identity']['ssl']['enabled']
cert_file node['openstack']['identity']['ssl']['certfile']
chain_file node['openstack']['identity']['ssl']['chainfile']
key_file node['openstack']['identity']['ssl']['keyfile']
ca_certs_path node['openstack']['identity']['ssl']['ca_certs_path']
cert_required node['openstack']['identity']['ssl']['cert_required']
protocol node['openstack']['identity']['ssl']['protocol']
ciphers node['openstack']['identity']['ssl']['ciphers']
end
web_app 'identity' do
template 'wsgi-keystone.conf.erb'
server_host bind_address
server_port bind_service['port']
server_entry '/usr/bin/keystone-wsgi-public'
server_alias 'identity'
server_suffix app
log_dir node['apache']['log_dir']
log_debug node['openstack']['identity']['debug']
user keystone_user
group keystone_group
use_ssl node['openstack']['identity']['ssl']['enabled']
cert_file node['openstack']['identity']['ssl']['certfile']
chain_file node['openstack']['identity']['ssl']['chainfile']
key_file node['openstack']['identity']['ssl']['keyfile']
ca_certs_path node['openstack']['identity']['ssl']['ca_certs_path']
cert_required node['openstack']['identity']['ssl']['cert_required']
protocol node['openstack']['identity']['ssl']['protocol']
ciphers node['openstack']['identity']['ssl']['ciphers']
end
# disable default keystone config file from UCA package

View File

@ -12,7 +12,7 @@ describe 'openstack-identity::registration' do
include_context 'identity_stubs'
connection_params = {
openstack_auth_url: 'http://127.0.0.1:35357/v3/auth/tokens',
openstack_auth_url: 'http://127.0.0.1:5000/v3/auth/tokens',
openstack_username: 'admin',
openstack_api_key: 'admin',
openstack_project_name: 'admin',
@ -25,7 +25,7 @@ describe 'openstack-identity::registration' do
describe 'keystone bootstrap' do
context 'default values' do
it do
expect(chef_run).to run_ruby_block('wait for identity admin endpoint')
expect(chef_run).to run_ruby_block('wait for identity endpoint')
end
it "registers #{domain_name} domain" do
@ -62,62 +62,6 @@ describe 'openstack-identity::registration' do
)
end
end
context 'all different values' do
connection_params_other = {
openstack_auth_url: 'https://admin.identity:1234/v3/auth/tokens',
openstack_username: 'identity_admin',
openstack_api_key: 'identity_admin_pass',
openstack_project_name: 'admin_project',
openstack_domain_name: 'identity_domain',
}
before do
node.set['openstack']['endpoints']['admin']['identity']['uri'] =
'https://admin.identity:1234/v3'
node.set['openstack']['endpoints']['internal']['identity']['uri'] =
'https://internal.identity:5678/v3'
node.set['openstack']['endpoints']['public']['identity']['uri'] =
'https://public.identity:9753/v3'
node.set['openstack']['region'] = 'otherRegion'
node.set['openstack']['identity']['admin_project'] = 'admin_project'
node.set['openstack']['identity']['admin_user'] = 'identity_admin'
node.set['openstack']['identity']['admin_role'] = 'identity_role'
node.set['openstack']['identity']['admin_domain_name'] =
'identity_domain'
end
it 'registers identity_domain domain' do
expect(chef_run).to create_openstack_domain(
'identity_domain'
).with(
connection_params: connection_params_other
)
end
it 'grants identity_admin user to identity_domain domain' do
expect(chef_run).to grant_domain_openstack_user(
'identity_admin'
).with(
domain_name: 'identity_domain',
role_name: 'identity_role',
connection_params: connection_params_other
)
end
it 'create service role' do
expect(chef_run).to create_openstack_role(
'service'
).with(
connection_params: connection_params_other
)
end
it 'create service role' do
expect(chef_run).to create_openstack_role(
'_member_'
).with(
connection_params: connection_params_other
)
end
end
end
end
end

View File

@ -20,7 +20,6 @@ describe 'openstack-identity::server-apache' do
project_name = 'admin'
role_name = 'admin'
password = 'admin'
admin_url = 'http://127.0.0.1:35357/v3'
public_url = 'http://127.0.0.1:5000/v3'
internal_url = 'http://127.0.0.1:5000/v3'
@ -53,7 +52,7 @@ describe 'openstack-identity::server-apache' do
--bootstrap-role-name #{role_name} \\
--bootstrap-service-name #{service_name} \\
--bootstrap-region-id #{region} \\
--bootstrap-admin-url #{admin_url} \\
--bootstrap-admin-url #{public_url} \\
--bootstrap-public-url #{public_url} \\
--bootstrap-internal-url #{internal_url}")
end
@ -140,10 +139,8 @@ describe 'openstack-identity::server-apache' do
it 'has correct endpoints' do
# values correspond to node attrs set in chef_run above
pub = line_regexp('public_endpoint = http://127.0.0.1:5000/')
adm = line_regexp('admin_endpoint = http://127.0.0.1:35357/')
expect(chef_run).to render_config_file(path).with_section_content('DEFAULT', pub)
expect(chef_run).to render_config_file(path).with_section_content('DEFAULT', adm)
end
end
@ -293,16 +290,11 @@ describe 'openstack-identity::server-apache' do
end
it 'template api pipeline set correct' do
node.set['openstack']['identity']['pipeline']['public_api'] = 'public_service'
node.set['openstack']['identity']['pipeline']['admin_api'] = 'admin_service'
node.set['openstack']['identity']['pipeline']['api_v3'] = 'service_v3'
expect(chef_run).to render_config_file(path).with_section_content(
'pipeline:public_api',
/^pipeline = public_service$/
)
expect(chef_run).to render_config_file(path).with_section_content(
'pipeline:admin_api',
/^pipeline = admin_service$/
)
expect(chef_run).to render_config_file(path).with_section_content(
'pipeline:api_v3',
/^pipeline = service_v3$/
@ -335,9 +327,7 @@ describe 'openstack-identity::server-apache' do
describe 'apache setup' do
it 'set apache addresses and ports' do
expect(chef_run.node['apache']['listen']).to eq(
%w(127.0.0.1:5000 127.0.0.1:35357)
)
expect(chef_run.node['apache']['listen']).to eq(%w(127.0.0.1:5000))
end
describe 'apache recipes' do
@ -354,102 +344,85 @@ describe 'openstack-identity::server-apache' do
end
describe 'apache wsgi' do
['/etc/apache2/sites-available/keystone-public.conf',
'/etc/apache2/sites-available/keystone-admin.conf'].each do |file|
it "creates #{file}" do
expect(chef_run).to create_template(file).with(
user: 'root',
group: 'root',
mode: '0644'
)
end
let(:file) { '/etc/apache2/sites-available/identity.conf' }
it 'configures keystone-admin.conf lines' do
node.set['openstack']['identity']['custom_template_banner'] = 'custom_template_banner_value'
[/^custom_template_banner_value$/,
/user=keystone/,
/group=keystone/,
%r{^ ErrorLog /var/log/apache2/keystone-admin.log$},
%r{^ CustomLog /var/log/apache2/keystone-admin_access.log combined$}].each do |line|
expect(chef_run).to render_file('/etc/apache2/sites-available/keystone-admin.conf').with_content(line)
it 'creates identity.conf' do
expect(chef_run).to create_template(file).with(
user: 'root',
group: 'root',
mode: '0644'
)
end
it 'does not configure keystone-admin.conf' do
expect(chef_run).not_to render_file('/etc/apache2/sites-available/keystone-admin.conf')
end
it 'configures identity.conf lines' do
node.set['openstack']['identity']['custom_template_banner'] = 'custom_template_banner_value'
[/^custom_template_banner_value$/,
/user=keystone/,
/group=keystone/,
%r{^ ErrorLog /var/log/apache2/identity.log$},
%r{^ CustomLog /var/log/apache2/identity_access.log combined$}].each do |line|
expect(chef_run).to render_file(file).with_content(line)
end
end
it 'does not configure identity.conf triggered common lines' do
[/^ LogLevel/,
/^ SSL/].each do |line|
expect(chef_run).not_to render_file(file).with_content(line)
end
end
context 'Enable SSL' do
let(:file) { '/etc/apache2/sites-available/identity.conf' }
before do
node.set['openstack']['identity']['ssl']['enabled'] = true
end
it 'configures identity.conf common ssl lines' do
[/^ SSLEngine On$/,
%r{^ SSLCertificateFile /etc/keystone/ssl/certs/sslcert.pem$},
%r{^ SSLCertificateKeyFile /etc/keystone/ssl/private/sslkey.pem$},
%r{^ SSLCACertificatePath /etc/keystone/ssl/certs/$},
/^ SSLProtocol All -SSLv2 -SSLv3$/].each do |line|
expect(chef_run).to render_file(file).with_content(line)
end
end
it 'configures keystone-public.conf lines' do
node.set['openstack']['identity']['custom_template_banner'] = 'custom_template_banner_value'
[/^custom_template_banner_value$/,
/user=keystone/,
/group=keystone/,
%r{^ ErrorLog /var/log/apache2/keystone-public.log$},
%r{^ CustomLog /var/log/apache2/keystone-public_access.log combined$}].each do |line|
expect(chef_run).to render_file('/etc/apache2/sites-available/keystone-public.conf').with_content(line)
end
end
it "does not configure #{file} triggered common lines" do
[/^ LogLevel/,
/^ SSL/].each do |line|
it 'does not configure identity.conf common ssl lines' do
[/^ SSLCertificateChainFile/,
/^ SSLCipherSuite/,
/^ SSLVerifyClient require/].each do |line|
expect(chef_run).not_to render_file(file).with_content(line)
end
end
context 'Enable SSL' do
before do
node.set['openstack']['identity']['ssl']['enabled'] = true
end
it "configures #{file} common ssl lines" do
[/^ SSLEngine On$/,
%r{^ SSLCertificateFile /etc/keystone/ssl/certs/sslcert.pem$},
%r{^ SSLCertificateKeyFile /etc/keystone/ssl/private/sslkey.pem$},
%r{^ SSLCACertificatePath /etc/keystone/ssl/certs/$},
/^ SSLProtocol All -SSLv2 -SSLv3$/].each do |line|
expect(chef_run).to render_file(file).with_content(line)
end
end
it "does not configure #{file} common ssl lines" do
[/^ SSLCertificateChainFile/,
/^ SSLCipherSuite/,
/^ SSLVerifyClient require/].each do |line|
expect(chef_run).not_to render_file(file).with_content(line)
end
end
it "configures #{file} chainfile when set" do
node.set['openstack']['identity']['ssl']['chainfile'] = '/etc/keystone/ssl/certs/chainfile.pem'
expect(chef_run).to render_file(file)
.with_content(%r{^ SSLCertificateChainFile /etc/keystone/ssl/certs/chainfile.pem$})
end
it "configures #{file} ciphers when set" do
node.set['openstack']['identity']['ssl']['ciphers'] = 'ciphers_value'
expect(chef_run).to render_file(file)
.with_content(/^ SSLCipherSuite ciphers_value$/)
end
it "configures #{file} cert_required set" do
node.set['openstack']['identity']['ssl']['cert_required'] = true
expect(chef_run).to render_file(file)
.with_content(/^ SSLVerifyClient require$/)
end
it 'configures identity.conf chainfile when set' do
node.set['openstack']['identity']['ssl']['chainfile'] = '/etc/keystone/ssl/certs/chainfile.pem'
expect(chef_run).to render_file(file)
.with_content(%r{^ SSLCertificateChainFile /etc/keystone/ssl/certs/chainfile.pem$})
end
it 'configures identity.conf ciphers when set' do
node.set['openstack']['identity']['ssl']['ciphers'] = 'ciphers_value'
expect(chef_run).to render_file(file)
.with_content(/^ SSLCipherSuite ciphers_value$/)
end
it 'configures identity.conf cert_required set' do
node.set['openstack']['identity']['ssl']['cert_required'] = true
expect(chef_run).to render_file(file)
.with_content(/^ SSLVerifyClient require$/)
end
end
end
describe 'keystone-public.conf' do
it 'configures required lines' do
[/^<VirtualHost 127.0.0.1:5000>$/,
/^ WSGIDaemonProcess keystone-public/,
/^ WSGIProcessGroup keystone-public$/,
%r{^ WSGIScriptAlias / /usr/bin/keystone-wsgi-public$}].each do |line|
expect(chef_run).to render_file('/etc/apache2/sites-available/keystone-public.conf').with_content(line)
end
end
end
describe 'keystone-admin.conf' do
it 'configures required lines' do
[/^<VirtualHost 127.0.0.1:35357>$/,
/^ WSGIDaemonProcess keystone-admin/,
/^ WSGIProcessGroup keystone-admin$/,
%r{^ WSGIScriptAlias / /usr/bin/keystone-wsgi-admin$}].each do |line|
expect(chef_run).to render_file('/etc/apache2/sites-available/keystone-admin.conf').with_content(line)
end
describe 'identity.conf' do
let(:file) { '/etc/apache2/sites-available/identity.conf' }
it 'configures required lines' do
[/^<VirtualHost 127.0.0.1:5000>$/,
/^ WSGIDaemonProcess identity/,
/^ WSGIProcessGroup identity$/,
%r{^ WSGIScriptAlias / /usr/bin/keystone-wsgi-public$}].each do |line|
expect(chef_run).to render_file(file).with_content(line)
end
end
end

View File

@ -4,16 +4,19 @@ require 'chefspec/berkshelf'
ChefSpec::Coverage.start! { add_filter 'openstack-identity' }
LOG_LEVEL = :fatal
RSpec.configure do |config|
config.color = true
config.formatter = :documentation
config.log_level = :fatal
end
REDHAT_OPTS = {
platform: 'redhat',
version: '7.3',
log_level: LOG_LEVEL,
version: '7.4',
}.freeze
UBUNTU_OPTS = {
platform: 'ubuntu',
version: '16.04',
log_level: LOG_LEVEL,
}.freeze
# Helper methods

View File

@ -1,15 +1,15 @@
<%= node['openstack']['identity']['custom_template_banner'] %>
<VirtualHost <%= @params[:server_host] %>:<%= @params[:server_port] %>>
WSGIDaemonProcess keystone-<%= @params[:server_suffix] %> processes=5 threads=1 user=<%= @params[:user] %> group=<%= @params[:group] %> display-name=%{GROUP}
WSGIProcessGroup keystone-<%= @params[:server_suffix] %>
WSGIDaemonProcess identity processes=5 threads=1 user=<%= @params[:user] %> group=<%= @params[:group] %> display-name=%{GROUP}
WSGIProcessGroup identity
WSGIScriptAlias / <%= @params[:server_entry] %>
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog <%= @params[:log_dir] %>/keystone-<%= @params[:server_suffix] %>.log
CustomLog <%= @params[:log_dir] %>/keystone-<%= @params[:server_suffix] %>_access.log combined
ErrorLog <%= @params[:log_dir] %>/identity.log
CustomLog <%= @params[:log_dir] %>/identity_access.log combined
<% if [true, 'true', 'True'].include?(@params[:log_debug]) -%>
LogLevel debug
<% end -%>