Don't validate token_flush for non-persistent token formats

THT incorporated a change so that the keystone_cron container deploys
only if a persistent token format is used (e.g., `uuid`, `pki`):

  https://review.opendev.org/#/c/682265/

This is because `fernet` and `jws` tokens are completely non-persistent
by way of authenticated encryption and the keystone_cron container only
runs a cron job to execute `keystone-manage token_flush`, which prunes
expired tokens from keystone's token table. This cron job is useful for
deployments relying on `uuid`, `pki`, or some other out-of-tree provider
that requires tokens to be recorded for keystone's token validation
process.

This commit updates the validation to check for the token format and
only performs the validation if the token format isn't `fernet` or
`jws`.

Change-Id: Ib4d0a505021568975b79400d67fd709dd74e9acf
(cherry picked from commit 7547548a6b)
Lance Bragstad 2020-02-28 20:12:39 +00:00
parent 328bb7345d
commit 3fd14c9960
6 changed files with 224 additions and 23 deletions


@ -39,6 +39,7 @@
:datadir: "/etc/puppet/"
:hierarchy:
- "common"
- "service_configs"
- name: populate hiera content
copy:
@ -46,6 +47,12 @@
content: |
tripleo_undercloud_conf_file: /undercloud.conf
- name: populate service config content
copy:
dest: /etc/puppet/service_configs.yaml
content: |
"keystone::token_provider": "uuid"
- name: populate undercloud.conf
copy:
dest: /undercloud.conf


@ -0,0 +1,37 @@
# Molecule managed
# Copyright 2020 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
{% if item.registry is defined %}
FROM {{ item.registry.url }}/{{ item.image }}
{% else %}
FROM {{ item.image }}
{% endif %}
RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash {{ item.pkg_extras | default('') }} && dnf clean all; \
elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl python-setuptools bash {{ item.pkg_extras | default('') }} && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml {{ item.pkg_extras | default('') }} && zypper clean -a; \
elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates {{ item.pkg_extras | default('') }}; \
elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates {{ item.pkg_extras | default('') }} && xbps-remove -O; fi
{% for pkg in item.easy_install | default([]) %}
# install pip for centos where there is no python-pip rpm in default repos
RUN easy_install {{ pkg }}
{% endfor %}
CMD ["sh", "-c", "while true; do sleep 10000; done"]


@ -0,0 +1,51 @@
---
driver:
name: docker
log: true
platforms:
- name: centos7
hostname: centos7
image: centos:7
override_command: true
command: python -m SimpleHTTPServer 8787
pkg_extras: python-setuptools python-enum34 python-netaddr epel-release ruby PyYAML
easy_install:
- pip
environment: &env
http_proxy: "{{ lookup('env', 'http_proxy') }}"
https_proxy: "{{ lookup('env', 'https_proxy') }}"
- name: fedora28
hostname: fedora28
image: fedora:28
override_command: true
command: python3 -m http.server 8787
pkg_extras: python*-setuptools python*-enum python*-netaddr ruby PyYAML
environment:
<<: *env
provisioner:
name: ansible
log: true
env:
ANSIBLE_STDOUT_CALLBACK: yaml
ANSIBLE_LIBRARY: "../../../../library"
scenario:
test_sequence:
- destroy
- create
- prepare
- converge
- verify
- destroy
lint:
enabled: false
verifier:
name: testinfra
lint:
name: flake8


@ -0,0 +1,44 @@
---
# Copyright 2020 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Converge
hosts: all
tasks:
- name: Skip validation when using fernet tokens
block:
- name: Set token format to fernet
copy:
dest: /etc/puppet/service_configs.yaml
content: |
"keystone::token_provider": "fernet"
- name: Ensure validation gracefully passes
include_role:
name: undercloud_tokenflush
- name: Skip validation when using jws tokens
block:
- name: Set token format to jws
copy:
dest: /etc/puppet/service_configs.yaml
content: |
"keystone::token_provider": "jws"
- name: Ensure validation gracefully passes
include_role:
name: undercloud_tokenflush
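Review bot: The two blocks under `tasks` differ only in the provider string written to `/etc/puppet/service_configs.yaml`, so the scenario duplicates the copy-then-include pair once per format; moving the pair into a task file and driving it with `include_tasks` plus `loop: ['fernet', 'jws']` keeps one place to extend when another non-persistent format is added. The scenario also only proves that the role does not fail: nothing checks that the hiera lookup actually picked up the file just written. An `assert` after each `include_role`, e.g. `that: "ansible_facts['keystone::token_provider'] == 'fernet'"`, would make the skip path pass for the intended reason rather than for any reason the role happens not to fail.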


@ -0,0 +1,41 @@
---
# Copyright 2020 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Prepare
hosts: all
gather_facts: false
tasks:
- name: install hiera
package:
name: hiera
- name: create hiera tree
file:
path: /etc/puppet/
state: directory
- name: lay down hiera data files
copy:
dest: /etc/puppet/hiera.yaml
content: |
:backends:
- yaml
:yaml:
:datadir: "/etc/puppet/"
:hierarchy:
- "service_configs"


@ -1,29 +1,50 @@
---
- name: Get the path of tripleo undercloud config file
- name: Fetch token provider
become: true
hiera: name="tripleo_undercloud_conf_file"
hiera:
name: keystone::token_provider
- name: Get the Container CLI from the undercloud.conf file
become: true
validations_read_ini:
path: "{{ tripleo_undercloud_conf_file }}"
section: DEFAULT
key: container_cli
ignore_missing_file: true
register: container_cli
- name: Check if keystone_cron container is available
when:
- ansible_facts['keystone::token_provider'] != 'fernet'
- ansible_facts['keystone::token_provider'] != 'jws'
block:
- name: Get keystone crontab
become: true
shell: |
set -o pipefail
{{ container_cli.value|default('podman', true) }} exec keystone_cron crontab -l -u keystone |grep -v '^#'
register: cron_result
changed_when: false
- name: Get the path of tripleo undercloud config file
become: true
hiera: name="tripleo_undercloud_conf_file"
- name: Check keystone crontab
fail:
- name: Get the Container CLI from the undercloud.conf file
become: true
validations_read_ini:
path: "{{ tripleo_undercloud_conf_file }}"
section: DEFAULT
key: container_cli
ignore_missing_file: true
register: container_cli
- name: Get keystone crontab
become: true
shell: |
set -o pipefail
{{ container_cli.value|default('podman', true) }} exec keystone_cron crontab -l -u keystone |grep -v '^#'
register: cron_result
changed_when: false
- name: Check keystone crontab
fail:
msg: >-
keystone token_flush does not appear to be enabled via cron.
You should add '<desired interval> keystone-manage token_flush'
to the keystone users crontab."
when: "cron_result.stdout.find('keystone-manage token_flush') == -1"
- name: Describe why token flush validation was skipped
debug:
msg: >-
keystone token_flush does not appear to be enabled via cron.
You should add '<desired interval> keystone-manage token_flush'
to the keystone users crontab."
when: "cron_result.stdout.find('keystone-manage token_flush') == -1"
Skipping token flush validation since you are using a non-persistent
token format ({{ ansible_facts['keystone::token_provider'] }}). You do
not need a separate keystone_cron container to periodically prune tokens
from keystone's database.
when:
- ansible_facts['keystone::token_provider'] == 'fernet' or ansible_facts['keystone::token_provider'] == 'jws'
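Review bot: The set of non-persistent formats is hard-coded twice in inverted form, in the `when` of "Check if keystone_cron container is available" (`!= 'fernet'` / `!= 'jws'`) and again in the `when` of "Describe why token flush validation was skipped" (`== 'fernet' or == 'jws'`), so adding a format to one list and not the other would silently leave the validation either skipped without explanation or explained while still running. A single membership test keeps them in step: `when: ansible_facts['keystone::token_provider'] not in ['fernet', 'jws']` on the block and `when: ansible_facts['keystone::token_provider'] in ['fernet', 'jws']` on the debug task. What the `hiera` module sets when the key is unset is not visible here; if it yields an empty or `nil` string, both `!=` guards hold and the cron check still runs, which is the conservative direction, and that intent deserves a comment above the block's `when`, `# Unknown or unset providers are treated as persistent so the cron check still runs.` The stray trailing `"` in the fail message line `to the keystone users crontab."` is carried over from the old side and is not fixed by this change.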