From e84947717a1823acc830c5ff051e74107d554e02 Mon Sep 17 00:00:00 2001 From: Mark Vanderwiel Date: Thu, 21 Aug 2014 14:13:43 -0500 Subject: [PATCH] Move keystone authtoken keys into cinder.conf * Remove the keystone keys from api-paste.ini template * Add the keystone keys to cinder.conf template * update specs Change-Id: I5cff962fe200cc1b63352b5e3491f7afed9897f7 Closes-Bug: #1359864 --- CHANGELOG.md | 1 + recipes/api.rb | 11 -- recipes/cinder-common.rb | 11 +- spec/api_spec.rb | 73 ------------- spec/cinder_common_spec.rb | 97 ++++++++++++++--- templates/default/api-paste.ini.erb | 11 -- templates/default/cinder.conf.erb | 156 ++++++++++++++++++++++++++++ 7 files changed, 248 insertions(+), 112 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e0d9f67..49659ec 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,7 @@ This file is used to list changes made in each version of the openstack-block-st * Upgrading to Juno * Sync conf files with Juno * Upgrading berkshelf from 2.0.18 to 3.1.5 +* Move keystone keys into cinder.conf ## 9.4.1 * Add support for LVMISCSIDriver driver using block devices with LVM diff --git a/recipes/api.rb b/recipes/api.rb index e6483ca..18166dc 100644 --- a/recipes/api.rb +++ b/recipes/api.rb @@ -56,12 +56,6 @@ service 'cinder-api' do subscribes :restart, 'template[/etc/cinder/cinder.conf]' end -identity_endpoint = endpoint 'identity-api' -identity_admin_endpoint = endpoint 'identity-admin' -service_pass = get_password 'service', 'openstack-block-storage' - -auth_uri = auth_uri_transform(identity_endpoint.to_s, node['openstack']['block-storage']['api']['auth']['version']) - execute 'cinder-manage db sync' do user node['openstack']['block-storage']['user'] group node['openstack']['block-storage']['group'] 
@@ -72,11 +66,6 @@ template '/etc/cinder/api-paste.ini' do group node['openstack']['block-storage']['group'] owner node['openstack']['block-storage']['user'] mode 00644 - variables( - auth_uri: auth_uri, - identity_admin_endpoint: identity_admin_endpoint, - service_pass: service_pass - ) notifies :restart, 'service[cinder-api]', :immediately end diff --git a/recipes/cinder-common.rb b/recipes/cinder-common.rb index 97ad48f..8074164 100644 --- a/recipes/cinder-common.rb +++ b/recipes/cinder-common.rb @@ -80,6 +80,12 @@ else end end +identity_endpoint = endpoint 'identity-api' +identity_admin_endpoint = endpoint 'identity-admin' +service_pass = get_password 'service', 'openstack-block-storage' + +auth_uri = auth_uri_transform(identity_endpoint.to_s, node['openstack']['block-storage']['api']['auth']['version']) + template '/etc/cinder/cinder.conf' do source 'cinder.conf.erb' group node['openstack']['block-storage']['group'] @@ -98,7 +104,10 @@ template '/etc/cinder/cinder.conf' do volume_api_bind_port: cinder_api_bind.port, vmware_host_pass: vmware_host_pass, enabled_drivers: enabled_drivers, - multi_backend_sections: multi_backend_sections + multi_backend_sections: multi_backend_sections, + auth_uri: auth_uri, + identity_admin_endpoint: identity_admin_endpoint, + service_pass: service_pass ) end diff --git a/spec/api_spec.rb b/spec/api_spec.rb index 60de2d7..9e93581 100644 --- a/spec/api_spec.rb +++ b/spec/api_spec.rb 
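Review bot: `get_password 'service', 'openstack-block-storage'` is now evaluated in cinder-common rather than only in the api recipe, so the identity service credential is fetched and rendered into cinder.conf on every node that includes the common recipe, presumably scheduler and volume hosts that never run the authtoken middleware, and the cinder_common_spec on this page asserts that file is mode '644', so the credential is readable by any local account wherever it lands. The api-paste.ini it came from was also `mode 00644`, so this is not a regression in permissions, but the distribution of the secret is wider than before. Consider tightening the `mode` of the `template '/etc/cinder/cinder.conf'` resource (that line is outside this hunk) and adding a why-comment above the lookup, e.g. `# keystone_authtoken is rendered into cinder.conf, so the service credential is resolved here for every node`. The template resource block continues past the end of both hunks.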
@@ -75,79 +75,6 @@ describe 'openstack-block-storage::api' do it 'notifies cinder-api restart' do expect(file).to notify('service[cinder-api]').to(:restart) end - - context 'template contents' do - it 'has signing_dir' do - node.set['openstack']['block-storage']['api']['auth']['cache_dir'] = 'auth_cache_dir' - - expect(chef_run).to render_file(file.name).with_content(/^signing_dir = auth_cache_dir$/) - end - - context 'endpoint related' do - before do - endpoint = double(port: 'port', host: 'host', scheme: 'scheme') - allow_any_instance_of(Chef::Recipe).to receive(:endpoint) - .with('image-api') - .and_return(endpoint) - allow_any_instance_of(Chef::Recipe).to receive(:endpoint) - .with('identity-admin') - .and_return(endpoint) - allow_any_instance_of(Chef::Recipe).to receive(:endpoint) - .with('identity-api') - .and_return(endpoint) - allow_any_instance_of(Chef::Recipe).to receive(:endpoint) - .with('block-storage-api-bind') - .and_return(endpoint) - allow_any_instance_of(Chef::Recipe).to receive(:auth_uri_transform) - .and_return('auth_uri_transform') - end - - it 'has auth_uri' do - expect(chef_run).to render_file(file.name).with_content(/^auth_uri = auth_uri_transform$/) - end - - it 'has auth_host' do - expect(chef_run).to render_file(file.name).with_content(/^auth_host = host$/) - end - - it 'has auth_port' do - expect(chef_run).to render_file(file.name).with_content(/^auth_port = port$/) - end - - it 'has auth_protocol' do - expect(chef_run).to render_file(file.name).with_content(/^auth_protocol = scheme$/) - end - end - - it 'has no auth_version when auth_version is v2.0' do - node.set['openstack']['block-storage']['api']['auth']['version'] = 'v2.0' - - expect(chef_run).not_to render_file(file.name).with_content(/^auth_version = v2.0$/) - end - - it 'has auth_version when auth version is not v2.0' do - node.set['openstack']['block-storage']['api']['auth']['version'] = 'v3.0' - - expect(chef_run).to render_file(file.name).with_content(/^auth_version = v3.0$/) 
- end - - it 'has an admin tenant name' do - node.set['openstack']['block-storage']['service_tenant_name'] = 'tenant_name' - - expect(chef_run).to render_file(file.name).with_content(/^admin_tenant_name = tenant_name$/) - end - - it 'has an admin user' do - node.set['openstack']['block-storage']['service_user'] = 'username' - - expect(chef_run).to render_file(file.name).with_content(/^admin_user = username$/) - end - - it 'has an admin password' do - # (fgimenez) the get_password mocking is set in spec/spec_helper.rb - expect(chef_run).to render_file(file.name).with_content(/^admin_password = cinder-pass$/) - end - end end describe 'policy file' do diff --git a/spec/cinder_common_spec.rb b/spec/cinder_common_spec.rb index efe7d8b..c8e6e94 100644 --- a/spec/cinder_common_spec.rb +++ b/spec/cinder_common_spec.rb @@ -40,6 +40,27 @@ describe 'openstack-block-storage::cinder-common' do describe 'cinder.conf' do let(:file) { chef_run.template('/etc/cinder/cinder.conf') } + let(:test_pass) { 'test_pass' } + before do + endpoint = double(port: 'port', host: 'host', scheme: 'scheme') + allow_any_instance_of(Chef::Recipe).to receive(:endpoint) + .with('image-api') + .and_return(endpoint) + allow_any_instance_of(Chef::Recipe).to receive(:endpoint) + .with('identity-admin') + .and_return(endpoint) + allow_any_instance_of(Chef::Recipe).to receive(:endpoint) + .with('identity-api') + .and_return(endpoint) + allow_any_instance_of(Chef::Recipe).to receive(:endpoint) + .with('block-storage-api-bind') + .and_return(endpoint) + allow_any_instance_of(Chef::Recipe).to receive(:auth_uri_transform) + .and_return('auth_uri_transform') + allow_any_instance_of(Chef::Recipe).to receive(:get_password) + .with('user', anything) + .and_return(test_pass) + end it 'should create the cinder.conf template' do expect(chef_run).to create_template(file.name) 
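Review bot: The single `double(port: 'port', host: 'host', scheme: 'scheme')` returned for all four endpoint names means the rewritten assertions in the later hunks of this file (`glance_#{glance_attr}=#{glance_attr}` and `osapi_volume_listen=host`) can no longer tell whether the template rendered the image-api endpoint or the block-storage-api-bind endpoint; a template that swapped the two would still pass. Keeping per-endpoint doubles, e.g. `.with('image-api').and_return(double(host: 'glance_host_value', port: 'glance_port_value'))` and a distinct one for `block-storage-api-bind`, preserves that check, and only the identity-admin double needs to carry `scheme` for the keystone assertions. Separately, the `get_password` stub here is `.with('user', anything)` while the recipe calls `get_password 'service', 'openstack-block-storage'`, so the `admin_password = cinder-pass` expectation in the next hunk depends entirely on spec_helper, as its comment says; a `.with('service', anything)` stub in this `before` would make that dependency local and explicit. The `describe 'cinder.conf'` block continues past the end of this hunk.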
@@ -54,20 +75,64 @@ describe 'openstack-block-storage::cinder-common' do expect(sprintf('%o', file.mode)).to eq '644' end - context 'template contents' do - let(:test_pass) { 'test_pass' } - before do - allow_any_instance_of(Chef::Recipe).to receive(:endpoint) - .with('image-api') - .and_return(double(host: 'glance_host_value', port: 'glance_port_value')) - allow_any_instance_of(Chef::Recipe).to receive(:endpoint) - .with('block-storage-api-bind') - .and_return(double(host: 'cinder_host_value', port: 'cinder_port_value')) - allow_any_instance_of(Chef::Recipe).to receive(:get_password) - .with('user', anything) - .and_return(test_pass) + context 'template keystone contents' do + it 'has signing_dir' do + node.set['openstack']['block-storage']['api']['auth']['cache_dir'] = 'auth_cache_dir' + + expect(chef_run).to render_file(file.name).with_content(/^signing_dir = auth_cache_dir$/) end + context 'endpoint related' do + + it 'has auth_uri' do + expect(chef_run).to render_file(file.name).with_content(/^auth_uri = auth_uri_transform$/) + end + + it 'has auth_host' do + expect(chef_run).to render_file(file.name).with_content(/^auth_host = host$/) + end + + it 'has auth_port' do + expect(chef_run).to render_file(file.name).with_content(/^auth_port = port$/) + end + + it 'has auth_protocol' do + expect(chef_run).to render_file(file.name).with_content(/^auth_protocol = scheme$/) + end + end + + it 'has no auth_version when auth_version is v2.0' do + node.set['openstack']['block-storage']['api']['auth']['version'] = 'v2.0' + + expect(chef_run).not_to render_file(file.name).with_content(/^auth_version = v2.0$/) + end + + it 'has auth_version when auth version is not v2.0' do + node.set['openstack']['block-storage']['api']['auth']['version'] = 'v3.0' + + expect(chef_run).to render_file(file.name).with_content(/^auth_version = v3.0$/) + end + + it 'has an admin tenant name' do + node.set['openstack']['block-storage']['service_tenant_name'] = 'tenant_name' + + 
expect(chef_run).to render_file(file.name).with_content(/^admin_tenant_name = tenant_name$/) + end + + it 'has an admin user' do + node.set['openstack']['block-storage']['service_user'] = 'username' + + expect(chef_run).to render_file(file.name).with_content(/^admin_user = username$/) + end + + it 'has an admin password' do + # (fgimenez) the get_password mocking is set in spec/spec_helper.rb + expect(chef_run).to render_file(file.name).with_content(/^admin_password = cinder-pass$/) + end + end + + context 'template contents' do + context 'commonly named attributes' do %w(debug verbose lock_path notification_driver storage_availability_zone quota_volumes quota_gigabytes quota_driver @@ -141,8 +206,8 @@ describe 'openstack-block-storage::cinder-common' do context 'glance endpoint' do %w(host port).each do |glance_attr| - it "has a glace #{glance_attr} attribute" do - expect(chef_run).to render_file(file.name).with_content(/^glance_#{glance_attr}=glance_#{glance_attr}_value$/) + it "has a glance #{glance_attr} attribute" do + expect(chef_run).to render_file(file.name).with_content(/^glance_#{glance_attr}=#{glance_attr}$/) end end end @@ -154,11 +219,11 @@ describe 'openstack-block-storage::cinder-common' do context 'cinder endpoint' do it 'has osapi_volume_listen set' do - expect(chef_run).to render_file(file.name).with_content(/^osapi_volume_listen=cinder_host_value$/) + expect(chef_run).to render_file(file.name).with_content(/^osapi_volume_listen=host$/) end it 'has osapi_volume_listen_port set' do - expect(chef_run).to render_file(file.name).with_content(/^osapi_volume_listen_port=cinder_port_value$/) + expect(chef_run).to render_file(file.name).with_content(/^osapi_volume_listen_port=port$/) end end diff --git a/templates/default/api-paste.ini.erb b/templates/default/api-paste.ini.erb index 7319e5c..d39d1a4 100644 --- a/templates/default/api-paste.ini.erb +++ b/templates/default/api-paste.ini.erb 
@@ -55,14 +55,3 @@ paste.filter_factory = cinder.api.middleware.auth:CinderKeystoneContext.factory [filter:authtoken] paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory -auth_uri = <%= @auth_uri %> -auth_host = <%= @identity_admin_endpoint.host %> -auth_port = <%= @identity_admin_endpoint.port %> -auth_protocol = <%= @identity_admin_endpoint.scheme %> -<% if node['openstack']['block-storage']['api']['auth']['version'] != 'v2.0' %> -auth_version = <%= node['openstack']['block-storage']['api']['auth']['version'] %> -<% end %> -admin_tenant_name = <%= node["openstack"]["block-storage"]["service_tenant_name"] %> -admin_user = <%= node["openstack"]["block-storage"]["service_user"] %> -admin_password = <%= @service_pass %> -signing_dir = <%= node["openstack"]["block-storage"]["api"]["auth"]["cache_dir"] %> diff --git a/templates/default/cinder.conf.erb b/templates/default/cinder.conf.erb index 3c4ff8d..013c8ee 100644 --- a/templates/default/cinder.conf.erb +++ b/templates/default/cinder.conf.erb 
@@ -1004,3 +1004,159 @@ enabled_backends = <%= @multi_backend_sections.keys.join(',') %> <% end %> <% end %> + +[keystone_authtoken] + +# +# Options defined in keystonemiddleware.auth_token +# + +# Prefix to prepend at the beginning of the path. Deprecated, +# use identity_uri. (string value) +#auth_admin_prefix= + +# Host providing the admin Identity API endpoint. Deprecated, +# use identity_uri. (string value) +auth_host = <%= @identity_admin_endpoint.host %> + +# Port of the admin Identity API endpoint. Deprecated, use +# identity_uri. (integer value) +auth_port = <%= @identity_admin_endpoint.port %> + +# Protocol of the admin Identity API endpoint (http or https). +# Deprecated, use identity_uri. (string value) +auth_protocol = <%= @identity_admin_endpoint.scheme %> + +# Complete public Identity API endpoint (string value) +auth_uri = <%= @auth_uri %> + +# Complete admin Identity API endpoint. This should specify +# the unversioned root endpoint e.g. https://localhost:35357/ +# (string value) +#identity_uri= + +# API version of the admin Identity API endpoint (string +# value) +<% if node['openstack']['block-storage']['api']['auth']['version'] != 'v2.0' %> +auth_version = <%= node['openstack']['block-storage']['api']['auth']['version'] %> +<% end %> + +# Do not handle authorization requests within the middleware, +# but delegate the authorization decision to downstream WSGI +# components (boolean value) +#delay_auth_decision=false + +# Request timeout value for communicating with Identity API +# server. (boolean value) +#http_connect_timeout= + +# How many times are we trying to reconnect when communicating +# with Identity API Server. (integer value) +#http_request_max_retries=3 + +# This option is deprecated and may be removed in a future +# release. Single shared secret with the Keystone +# configuration used for bootstrapping a Keystone +# installation, or otherwise bypassing the normal +# authentication process. 
This option should not be used, use +# `admin_user` and `admin_password` instead. (string value) +#admin_token= + +# Keystone account username (string value) +admin_user = <%= node["openstack"]["block-storage"]["service_user"] %> + +# Keystone account password (string value) +admin_password = <%= @service_pass %> + +# Keystone service account tenant name to validate user tokens +# (string value) +admin_tenant_name = <%= node["openstack"]["block-storage"]["service_tenant_name"] %> + +# Env key for the swift cache (string value) +#cache= + +# Required if Keystone server requires client certificate +# (string value) +#certfile= + +# Required if Keystone server requires client certificate +# (string value) +#keyfile= + +# A PEM encoded Certificate Authority to use when verifying +# HTTPs connections. Defaults to system CAs. (string value) +#cafile= + +# Verify HTTPS connections. (boolean value) +#insecure=false + +# Directory used to cache files related to PKI tokens (string +# value) +signing_dir = <%= node["openstack"]["block-storage"]["api"]["auth"]["cache_dir"] %> + +# Optionally specify a list of memcached server(s) to use for +# caching. If left undefined, tokens will instead be cached +# in-process. (list value) +# Deprecated group/name - [DEFAULT]/memcache_servers +#memcached_servers= + +# In order to prevent excessive effort spent validating +# tokens, the middleware caches previously-seen tokens for a +# configurable duration (in seconds). Set to -1 to disable +# caching completely. (integer value) +#token_cache_time=300 + +# Determines the frequency at which the list of revoked tokens +# is retrieved from the Identity service (in seconds). A high +# number of revocation events combined with a low cache +# duration may significantly reduce performance. (integer +# value) +#revocation_cache_time=10 + +# (optional) if defined, indicate whether token data should be +# authenticated or authenticated and encrypted. Acceptable +# values are MAC or ENCRYPT. 
If MAC, token data is +# authenticated (with HMAC) in the cache. If ENCRYPT, token +# data is encrypted and authenticated in the cache. If the +# value is not one of these options or empty, auth_token will +# raise an exception on initialization. (string value) +#memcache_security_strategy= + +# (optional, mandatory if memcache_security_strategy is +# defined) this string is used for key derivation. (string +# value) +#memcache_secret_key= + +# (optional) indicate whether to set the X-Service-Catalog +# header. If False, middleware will not ask for service +# catalog on token validation and will not set the X-Service- +# Catalog header. (boolean value) +#include_service_catalog=true + +# Used to control the use and type of token binding. Can be +# set to: "disabled" to not check token binding. "permissive" +# (default) to validate binding information if the bind type +# is of a form known to the server and ignore it if not. +# "strict" like "permissive" but if the bind type is unknown +# the token will be rejected. "required" any form of token +# binding is needed to be allowed. Finally the name of a +# binding method that must be present in tokens. (string +# value) +#enforce_token_bind=permissive + +# If true, the revocation list will be checked for cached +# tokens. This requires that PKI tokens are configured on the +# Keystone server. (boolean value) +#check_revocations_for_cached=false + +# Hash algorithms to use for hashing PKI tokens. This may be a +# single algorithm or multiple. The algorithms are those +# supported by Python standard hashlib.new(). The hashes will +# be tried in the order given, so put the preferred one first +# for performance. The result of the first hash will be stored +# in the cache. This will typically be set to multiple values +# only while migrating from a less secure algorithm to a more +# secure one. Once all the old tokens are expired this option +# should be set to a single value for better performance. 
+# (list value) +#hash_algorithms=md5
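Review bot: The new section renders `auth_host`, `auth_port` and `auth_protocol`, which its own comments mark as deprecated in favour of `identity_uri`, while `#identity_uri=` is left commented out. All three values already come from `@identity_admin_endpoint`, so the unversioned root the comment asks for can be rendered from the same object, e.g. `identity_uri = <%= @identity_admin_endpoint.scheme %>://<%= @identity_admin_endpoint.host %>:<%= @identity_admin_endpoint.port %>/`, keeping the deprecated keys alongside it until the middleware version in use is confirmed to honour `identity_uri`. A one-line comment above `admin_password = <%= @service_pass %>` such as `# service credential: protect this file's permissions accordingly` would also make the sensitivity of this section obvious to the next reader, since the spec on this page asserts cinder.conf is mode 644.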