From a3f18966ea3a01885a1f031b7ccab046325fce09 Mon Sep 17 00:00:00 2001 
From: Jan Klare Date: Fri, 27 Nov 2015 16:20:51 +0100 Subject: [PATCH] refactoring final step * added new logic into templates/default/keystone.conf.erb * refactored attributes throughout all recipes that were connected to the attributes used for the keystone.conf.erb template to adapt the new template attribute syntax * moved all attributes from attributes/default.rb that were used in keystone_conf.erb to attributes/keystone_conf.rb * removed all attributes from default.rb and keystone.conf.erb which are set as default in attributes, openstack doc and used to render the template * finished split between public, internal and admin endpoints * refactored endpoint and bind_service logic to fit the new common cookbook * adapted specs * added endpoint and bind_service attributes (moved from common) * removed keystone eventlet configuration (removed in mitaka) * moved templated service catalog to its own section * removed deprecated recipe for keystone server deployment without apache (also removed corresponding specs) * moved recipe openrc (and template + specs) from common here, to remove inverse dependency in common cookbook * adapted the specs (unit tests) to work again * removed qpid as a messaging option (can be included in a wrapper) * deleted default attributes from keystone.conf.rb originated in openstack-common * removed suse as supported platform * included current master of apache2 cookbook to utilize new listen logic * removed rubocop exceptions in recipes and libraries and regenerated the .rubocop_todo.yaml containing all remaining exceptions Change-Id: I3262b2e6f792f37c32a446e6567790b82bdd4613 Implements: blueprint cookbook-refactoring Depends-On: I0547182085eed91d05384fdd7734408a839a9a2c --- .rubocop_todo.yml | 44 +- Berksfile | 4 + Gemfile | 14 - attributes/default.rb | 363 ++------- attributes/keystone_conf.rb | 30 + metadata.rb | 8 +- providers/register.rb | 215 +++-- recipes/client.rb | 2 +- recipes/openrc.rb | 65 ++ recipes/registration.rb | 31 +-
recipes/server-apache.rb | 168 ++-- recipes/server.rb | 301 ------- spec/openrc_spec.rb | 65 ++ spec/register_spec.rb | 3 + spec/registration_spec.rb | 95 +-- spec/server-apache_spec.rb | 517 +----------- spec/server-redhat_spec.rb | 58 -- spec/server-suse_spec.rb | 86 -- spec/server_spec.rb | 1042 ------------------------ spec/spec_helper.rb | 19 +- templates/default/keystone.conf.erb | 1157 --------------------------- templates/default/openrc.erb | 15 + 22 files changed, 539 insertions(+), 3763 deletions(-) delete mode 100644 Gemfile create mode 100644 attributes/keystone_conf.rb create mode 100644 recipes/openrc.rb delete mode 100644 recipes/server.rb create mode 100644 spec/openrc_spec.rb delete mode 100644 spec/server-redhat_spec.rb delete mode 100644 spec/server-suse_spec.rb delete mode 100644 spec/server_spec.rb delete mode 100644 templates/default/keystone.conf.erb create mode 100644 templates/default/openrc.erb diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml index 887df42..e173d32 100644 --- a/.rubocop_todo.yml +++ b/.rubocop_todo.yml 
@@ -1,15 +1,29 @@ -# This configuration was generated by `rubocop --auto-gen-config` -# on 2015-05-28 16:50:06 -0500 using RuboCop version 0.29.1. -# The point is for the user to remove these configuration records -# one by one as the offenses are removed from the code base. -# Note that changes in the inspected code, or installation of new -# versions of RuboCop, may require this file to be generated again. - -# Offense count: 1 -Metrics/AbcSize: - Max: 19 - -# Offense count: 3 -# Configuration parameters: EnforcedStyle, SupportedStyles. -Style/ClassAndModuleChildren: - Enabled: false +# This configuration was generated by +# `rubocop --auto-gen-config` +# on 2016-01-12 15:11:37 +0100 using RuboCop version 0.34.2. +# The point is for the user to remove these configuration records +# one by one as the offenses are removed from the code base. +# Note that changes in the inspected code, or installation of new +# versions of RuboCop, may require this file to be generated again. + +# Offense count: 1 +# Configuration parameters: CountKeywordArgs. +Metrics/ParameterLists: + Max: 6 + +# Offense count: 4 +# Configuration parameters: EnforcedStyle, SupportedStyles. +Style/ClassAndModuleChildren: + Exclude: + - 'recipes/client.rb' + - 'recipes/openrc.rb' + - 'recipes/registration.rb' + - 'recipes/server-apache.rb' + +# Offense count: 3 +# Configuration parameters: Exclude. +Style/Documentation: + Exclude: + - 'recipes/client.rb' + - 'recipes/registration.rb' + - 'recipes/server-apache.rb' diff --git a/Berksfile b/Berksfile index 50da25e..eff649c 100644 --- a/Berksfile +++ b/Berksfile @@ -4,3 +4,7 @@ metadata cookbook "openstack-common", github: "openstack/cookbook-openstack-common" +# use the current master branch until the new apache listen logic has been +# released +cookbook 'apache2', + github: "svanzoest-cookbooks/apache2" diff --git a/Gemfile b/Gemfile deleted file mode 100644 index 31c90b5..0000000 --- a/Gemfile +++ /dev/null 
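Review bot: The new `cookbook 'apache2', github: "svanzoest-cookbooks/apache2"` entry in the Berksfile resolves to whatever the repository's default branch holds at install time, so two runs of `berks install` can vendor different, unreviewed apache2 code; pin the source with a `ref:` (commit SHA or tag), e.g. `cookbook 'apache2', github: 'svanzoest-cookbooks/apache2', ref: '<pinned-commit-or-tag>'`, and drop the override once the listen logic is released, as the comment above it already anticipates. The entry also no longer agrees with `depends 'apache2', '~> 3.1.0'`, which the metadata.rb hunk leaves unchanged, so the constraint the cookbook advertises and the code it is actually tested against differ. Updating the metadata constraint in the same change, or recording in the Berksfile comment why they intentionally diverge, would keep the two in step.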
@@ -1,14 +0,0 @@ -## THIS GEMFILE IS DEPRECATED AND WILL BE REMOVED AFTER THE NEXT RELEASE -## THERE WON'T BE ANY UPDATES TO THIS FILE DURING THIS RELEASE CYCLE -## WE SWITCHED TO CHEFDK AS THE BUNDLE FOR THE NEEDED GEMS - -source 'https://rubygems.org' - -gem 'chef', '~> 11.18.6' -gem 'json', '<= 1.7.7' # chef 11 dependency -gem 'berkshelf', '~> 3.2.1' -gem 'hashie', '~> 2.0' -gem 'chefspec', '~> 4.0.0' -gem 'rspec', '~> 3.0.0' -gem 'foodcritic', '~> 4.0' -gem 'rubocop', '~> 0.29.1' diff --git a/attributes/default.rb b/attributes/default.rb index c4a0060..b4e27c8 100644 --- a/attributes/default.rb +++ b/attributes/default.rb @@ -27,6 +27,25 @@ default['openstack']['identity']['custom_template_banner'] = " # Do not edit, changes will be overwritten " +# Set the endpoints for the identity service to allow all other cookbooks to +# access and use them +%w(public internal admin).each do |ep_type| + # openstack identity service endpoints (used by users and services) + default['openstack']['endpoints']['identity'][ep_type]['host'] = '127.0.0.1' + default['openstack']['endpoints']['identity'][ep_type]['scheme'] = 'http' + default['openstack']['endpoints']['identity'][ep_type]['path'] = '/v2.0' + # web-service (e.g. apache) listen address (can be different from openstack + # identity endpoints) + default['openstack']['bind_service']['identity'][ep_type]['host'] = '127.0.0.1' +end +%w(endpoints bind_service).each do |type| + default['openstack'][type]['identity']['public']['port'] = 5000 + default['openstack'][type]['identity']['internal']['port'] = 5001 + default['openstack'][type]['identity']['admin']['port'] = 35357 +end + +default['openstack']['identity']['catalog']['backend'] = 'sql' +default['openstack']['identity']['token']['backend'] = 'sql' # Adding these as blank # this needs to be here for the initial deep-merge to work default['credentials']['EC2']['admin']['access'] = '' 
@@ -46,9 +65,6 @@ default['openstack']['identity']['start_delay'] = 10 # will be used (keystone-paste.ini.erb) default['openstack']['identity']['pastefile_url'] = nil -# array of lines to add to templated version of keystone-paste.ini -default['openstack']['identity']['misc_paste'] = [] - # This specify the pipeline of the keystone public API, # all Identity public API requests will be processed by the order of the pipeline. # this value will be used in the templated version of keystone-paste.ini 
@@ -69,64 +85,12 @@ default['openstack']['identity']['pipeline']['admin_api'] = 'sizelimit url_norma default['openstack']['identity']['pipeline']['api_v3'] = 'sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension oauth1_extension endpoint_filter_extension service_v3' default['openstack']['identity']['region'] = node['openstack']['region'] -# Amount of time a token should remain valid in seconds) -default['openstack']['identity']['token']['expiration'] = '3600' -default['openstack']['identity']['token']['hash_algorithm'] = 'md5' # Logging stuff default['openstack']['identity']['syslog']['use'] = false default['openstack']['identity']['syslog']['facility'] = 'LOG_LOCAL2' default['openstack']['identity']['syslog']['config_facility'] = 'local2' -# Number of Workers -default['openstack']['identity']['admin_workers'] = nil -default['openstack']['identity']['public_workers'] = nil - -# RPC attributes -default['openstack']['identity']['control_exchange'] = 'openstack' -default['openstack']['identity']['notification_driver'] = 'messaging' -default['openstack']['identity']['rpc_thread_pool_size'] = 64 -default['openstack']['identity']['rpc_conn_pool_size'] = 30 -default['openstack']['identity']['rpc_response_timeout'] = 60 -case node['openstack']['mq']['service_type'] -when 'rabbitmq' - default['openstack']['identity']['rpc_backend'] = 'rabbit' -when 'qpid' - default['openstack']['identity']['rpc_backend'] = 'qpid' -end - -# This references the domain to use for all Identity API v2 -# requests (which are not aware of domains). A domain with -# this ID will be created for you by keystone-manage db_sync -# in migration 008. The domain referenced by this ID cannot be -# deleted on the v3 API, to prevent accidentally breaking the -# v2 API. 
There is nothing special about this domain, other -# than the fact that it must exist to order to maintain -# support for your v2 clients. (string value) -default['openstack']['identity']['identity']['default_domain_id'] = 'default' - -# A subset (or all) of domains can have their own identity -# driver, each with their own partial configuration file in a -# domain configuration directory. Only values specific to the -# domain need to be placed in the domain specific -# configuration file. This feature is disabled by default; set -# to true to enable. (boolean value) -default['openstack']['identity']['identity']['domain_specific_drivers_enabled'] = false - -# Path for Keystone to locate the domain specific identity -# configuration files if domain_specific_drivers_enabled is -# set to true. (string value) -default['openstack']['identity']['identity']['domain_config_dir'] = '/etc/keystone/domains' - -# Keystone Identity Mapping attributes -# # Keystone Identity Mapping backend driver, default is sql. -default['openstack']['identity']['identity_mapping']['driver'] = 'keystone.identity.mapping_backends.sql.Mapping' -# Public ID generator for user and group entities, default is sha256. -default['openstack']['identity']['identity_mapping']['generator'] = 'keystone.identity.id_generators.sha256.Generator' -# Setting this value to True makes that any user and group from default domain being handled by LDAP will still not be -# mapped to ensure their IDs remain backward compatible. You can only set it to False when configuring a fresh installation. -default['openstack']['identity']['identity_mapping']['backward_compatible_ids'] = 'True' - default['openstack']['identity']['admin_user'] = 'admin' default['openstack']['identity']['admin_tenant_name'] = 'admin' 
@@ -140,6 +104,49 @@ default['openstack']['identity']['users'] = { } } +# SSL Options +# Specify whether to enable SSL for Keystone API endpoint +default['openstack']['identity']['ssl']['enabled'] = false +# Specify server whether to enforce client certificate requirement +default['openstack']['identity']['ssl']['cert_required'] = false +# SSL certificate, keyfile and CA certficate file locations +default['openstack']['identity']['ssl']['basedir'] = '/etc/keystone/ssl' +# Path of the cert file for SSL. +# Protocol for SSL (Apache) +default['openstack']['identity']['ssl']['protocol'] = 'All -SSLv2 -SSLv3' +# Which ciphers to use with the SSL/TLS protocol (Apache) +# Example: 'RSA:HIGH:MEDIUM:!LOW:!kEDH:!aNULL:!ADH:!eNULL:!EXP:!SSLv2:!SEED:!CAMELLIA:!PSK!RC4:!RC4-MD5:!RC4-SHA' +default['openstack']['identity']['ssl']['ciphers'] = nil + +# PKI signing. Corresponds to the [signing] section of keystone.conf +# Note this section is only written if node['openstack']['auth']['strategy'] == 'pki' +default['openstack']['identity']['signing']['basedir'] = '/etc/keystone/ssl' + +# The authorization configuration options +# The external (REMOTE_USER) auth plugin module. (String value) +default['openstack']['identity']['auth']['external'] = 'keystone.auth.plugins.external.DefaultDomain' +# Default auth methods. 
(List value) +default['openstack']['identity']['auth']['methods'] = 'external, password, token, oauth1' + +# Token flushing cronjob +default['openstack']['identity']['token_flush_cron']['log_file'] = '/var/log/keystone/token-flush.log' +default['openstack']['identity']['token_flush_cron']['hour'] = '*' +default['openstack']['identity']['token_flush_cron']['minute'] = '0' +default['openstack']['identity']['token_flush_cron']['day'] = '*' +default['openstack']['identity']['token_flush_cron']['weekday'] = '*' +default['openstack']['identity']['token_flush_cron']['enabled'] = true + +default['openstack']['identity']['identity']['domain_config_dir'] = '/etc/keystone/domains' +default['openstack']['identity']['signing']['basedir'] = '/etc/keystone/ssl' + +default['openstack']['identity']['signing']['certfile'] = "#{node['openstack']['identity']['signing']['basedir']}/certs/signing_cert.pem" +default['openstack']['identity']['signing']['keyfile'] = "#{node['openstack']['identity']['signing']['basedir']}/private/signing_key.pem" +default['openstack']['identity']['signing']['ca_certs'] = "#{node['openstack']['identity']['signing']['basedir']}/certs/ca.pem" +# Misc option support +# Allow additional strings to be added to keystone.conf +# For example: ['# Comment', 'key=value'] +default['openstack']['identity']['misc_keystone'] = [] + # SSL Options # Specify whether to enable SSL for Keystone API endpoint default['openstack']['identity']['ssl']['enabled'] = false 
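Review bot: The block added at +104 re-declares the whole `# SSL Options` group (`ssl['enabled']`, `cert_required`, `basedir`, `protocol`, `ciphers`) that the trailing context lines show still following it, assigns `signing['basedir']` twice within the same block, and leaves the comment `# Path of the cert file for SSL.` with no attribute beneath it; the duplicates should be removed so each attribute has a single definition. `default['openstack']['identity']['token_flush_cron']['enabled'] = true` also replaces the `node['openstack']['identity']['token']['backend'] == 'sql'` expression removed in the following hunk, so the flush cron is now enabled by default for every token backend — unless the recipe guards it elsewhere, either restore the condition or document the new behaviour with a comment such as `# Enabled unconditionally; set to false for non-sql token backends`. The `auth['external']`/`auth['methods']` attributes appear to be duplicated by `conf['auth']` in the new attributes/keystone_conf.rb as well, so it is unclear which pair the template consumes.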
@@ -161,229 +168,6 @@ default['openstack']['identity']['ssl']['protocol'] = 'All -SSLv2 -SSLv3' # Example: 'RSA:HIGH:MEDIUM:!LOW:!kEDH:!aNULL:!ADH:!eNULL:!EXP:!SSLv2:!SEED:!CAMELLIA:!PSK!RC4:!RC4-MD5:!RC4-SHA' default['openstack']['identity']['ssl']['ciphers'] = nil -# Security Assertion Markup Language (SAML) - -# Default TTL, in seconds, for any generated SAML assertion -# created by Keystone. (integer value) -default['openstack']['identity']['saml']['assertion_expiration_time'] = 3600 - -# Binary to be called for XML signing. Install the appropriate -# package, specify absolute path or adjust your PATH -# environment variable if the binary cannot be found. (string -# value) -# xmlsec1_binary=xmlsec1 -default['openstack']['identity']['saml']['xmlsec1_binary'] = 'xmlsec1' - -# Path of the certfile for SAML signing. For non-production -# environments, you may be interested in using `keystone- -# manage pki_setup` to generate self-signed certificates. -# Note, the path cannot contain a comma. (string value) -# certfile=/etc/keystone/ssl/certs/signing_cert.pem -default['openstack']['identity']['saml']['certfile'] = nil - -# Path of the keyfile for SAML signing. Note, the path cannot -# contain a comma. (string value) -# keyfile=/etc/keystone/ssl/private/signing_key.pem -default['openstack']['identity']['saml']['keyfile'] = nil - -# Entity ID value for unique Identity Provider identification. -# Usually FQDN is set with a suffix. A value is required to -# generate IDP Metadata. For example: -# https://keystone.example.com/v3/OS-FEDERATION/saml2/idp -# (string value) -default['openstack']['identity']['saml']['idp_entity_id'] = nil - -# Identity Provider Single-Sign-On service value, required in -# the Identity Provider's metadata. A value is required to -# generate IDP Metadata. 
For example: -# https://keystone.example.com/v3/OS-FEDERATION/saml2/sso -# (string value) -default['openstack']['identity']['saml']['idp_sso_endpoint'] = nil - -# Language used by the organization. (string value) -default['openstack']['identity']['saml']['idp_lang'] = nil - -# Organization name the installation belongs to. (string -# value) -default['openstack']['identity']['saml']['idp_organization_name'] = nil - -# Organization name to be displayed. (string value) -default['openstack']['identity']['saml']['idp_organization_display_name'] = nil - -# URL of the organization. (string value) -default['openstack']['identity']['saml']['idp_organization_url'] = nil - -# Company of contact person. (string value) -default['openstack']['identity']['saml']['idp_contact_company'] = nil - -# Given name of contact person (string value) -default['openstack']['identity']['saml']['idp_contact_name'] = nil - -# Surname of contact person. (string value) -default['openstack']['identity']['saml']['idp_contact_surname'] = nil - -# Email address of contact person. (string value) -default['openstack']['identity']['saml']['idp_contact_email'] = nil - -# Telephone number of contact person. (string value) -default['openstack']['identity']['saml']['idp_contact_telephone'] = nil - -# Contact type. Allowed values are: technical, support, -# administrative billing, and other (string value) -default['openstack']['identity']['saml']['idp_contact_type'] = nil - -# Path to the Identity Provider Metadata file. This file -# should be generated with the keystone-manage -# saml_idp_metadata command. (string value) -# idp_metadata_path=/etc/keystone/saml2_idp_metadata.xml -default['openstack']['identity']['saml']['idp_metadata_path'] = nil - -# PKI signing. 
Corresponds to the [signing] section of keystone.conf -# Note this section is only written if node['openstack']['auth']['strategy'] == 'pki' -default['openstack']['identity']['signing']['basedir'] = '/etc/keystone/ssl' -default['openstack']['identity']['signing']['certfile'] = "#{node['openstack']['identity']['signing']['basedir']}/certs/signing_cert.pem" -default['openstack']['identity']['signing']['keyfile'] = "#{node['openstack']['identity']['signing']['basedir']}/private/signing_key.pem" -default['openstack']['identity']['signing']['ca_certs'] = "#{node['openstack']['identity']['signing']['basedir']}/certs/ca.pem" -default['openstack']['identity']['signing']['certfile_url'] = nil -default['openstack']['identity']['signing']['keyfile_url'] = nil -default['openstack']['identity']['signing']['ca_certs_url'] = nil -default['openstack']['identity']['signing']['key_size'] = '2048' -default['openstack']['identity']['signing']['valid_days'] = '3650' -default['openstack']['identity']['signing']['ca_password'] = nil - -# These switches set the various drivers for the different Keystone components -default['openstack']['identity']['identity']['backend'] = 'sql' -default['openstack']['identity']['assignment']['backend'] = 'sql' -default['openstack']['identity']['token']['backend'] = 'sql' -default['openstack']['identity']['catalog']['backend'] = 'sql' -default['openstack']['identity']['policy']['backend'] = 'sql' - -# The maximum number of entities that will be returned in a -# collection, with no limit set by default. This global limit -# may be then overridden for a specific driver, by specifying -# a list_limit in the appropriate section (identity, assignment, -# catalog or policy). (integer value) -default['openstack']['identity']['list_limit'] = nil -# The maximum number of entities that will be returned in an -# identity collection. 
(integer value) -default['openstack']['identity']['identity']['list_limit'] = nil -# Maximum number of entities that will be returned in an -# assignment collection. -default['openstack']['identity']['assignment']['list_limit'] = nil -# Maximum number of entities that will be returned in a -# catalog collection. (integer value) -default['openstack']['identity']['catalog']['list_limit'] = nil -# The maximum number of entities that will be returned in an -# policy collection. (integer value) -default['openstack']['identity']['policy']['list_limit'] = nil - -# The authorization configuration options -# The external (REMOTE_USER) auth plugin module. (String value) -default['openstack']['identity']['auth']['external'] = 'keystone.auth.plugins.external.DefaultDomain' -# Default auth methods. (List value) -default['openstack']['identity']['auth']['methods'] = 'external, password, token, oauth1' - -# LDAP backend general settings -default['openstack']['identity']['ldap']['url'] = 'ldap://localhost' -default['openstack']['identity']['ldap']['user'] = 'dc=Manager,dc=example,dc=com' -default['openstack']['identity']['ldap']['password'] = nil -default['openstack']['identity']['ldap']['suffix'] = 'cn=example,cn=com' -default['openstack']['identity']['ldap']['use_dumb_member'] = false -default['openstack']['identity']['ldap']['allow_subtree_delete'] = false -default['openstack']['identity']['ldap']['dumb_member'] = 'cn=dumb,dc=example,dc=com' -default['openstack']['identity']['ldap']['page_size'] = 0 -default['openstack']['identity']['ldap']['alias_dereferencing'] = 'default' -default['openstack']['identity']['ldap']['query_scope'] = 'one' -default['openstack']['identity']['ldap']['use_tls'] = false -# If both tls_cacertfile and tls_cacertdir are set, then the cacertfile takes precedence and tls_cacertdir is not used -default['openstack']['identity']['ldap']['tls_cacertfile'] = nil -default['openstack']['identity']['ldap']['tls_cacertdir'] = nil 
-default['openstack']['identity']['ldap']['tls_req_cert'] = 'demand' - -# LDAP backend user related settings -default['openstack']['identity']['ldap']['user_tree_dn'] = nil -default['openstack']['identity']['ldap']['user_filter'] = nil -default['openstack']['identity']['ldap']['user_objectclass'] = 'inetOrgPerson' -default['openstack']['identity']['ldap']['user_id_attribute'] = 'cn' -default['openstack']['identity']['ldap']['user_name_attribute'] = 'sn' -default['openstack']['identity']['ldap']['user_mail_attribute'] = 'email' -default['openstack']['identity']['ldap']['user_pass_attribute'] = 'userPassword' -default['openstack']['identity']['ldap']['user_enabled_attribute'] = 'enabled' -default['openstack']['identity']['ldap']['user_enabled_mask'] = 0 -default['openstack']['identity']['ldap']['user_enabled_default'] = 'true' -default['openstack']['identity']['ldap']['user_attribute_ignore'] = 'tenant_id,tenants' -default['openstack']['identity']['ldap']['user_allow_create'] = true -default['openstack']['identity']['ldap']['user_allow_update'] = true -default['openstack']['identity']['ldap']['user_allow_delete'] = true -default['openstack']['identity']['ldap']['user_enabled_emulation'] = false -default['openstack']['identity']['ldap']['user_enabled_emulation_dn'] = nil - -# LDAP backend tenant related settings -default['openstack']['identity']['ldap']['project_tree_dn'] = nil -default['openstack']['identity']['ldap']['project_filter'] = nil -default['openstack']['identity']['ldap']['project_objectclass'] = 'groupOfNames' -default['openstack']['identity']['ldap']['project_id_attribute'] = 'cn' -default['openstack']['identity']['ldap']['project_member_attribute'] = 'member' -default['openstack']['identity']['ldap']['project_name_attribute'] = 'ou' -default['openstack']['identity']['ldap']['project_desc_attribute'] = 'description' -default['openstack']['identity']['ldap']['project_enabled_attribute'] = 'enabled' 
-default['openstack']['identity']['ldap']['project_domain_id_attribute'] = 'businessCategory' -default['openstack']['identity']['ldap']['project_attribute_ignore'] = nil -default['openstack']['identity']['ldap']['project_allow_create'] = true -default['openstack']['identity']['ldap']['project_allow_update'] = true -default['openstack']['identity']['ldap']['project_allow_delete'] = true -default['openstack']['identity']['ldap']['project_enabled_emulation'] = false -default['openstack']['identity']['ldap']['project_enabled_emulation_dn'] = nil - -# LDAP backend role related settings -default['openstack']['identity']['ldap']['role_tree_dn'] = nil -default['openstack']['identity']['ldap']['role_filter'] = nil -default['openstack']['identity']['ldap']['role_objectclass'] = 'organizationalRole' -default['openstack']['identity']['ldap']['role_id_attribute'] = 'cn' -default['openstack']['identity']['ldap']['role_name_attribute'] = 'ou' -default['openstack']['identity']['ldap']['role_member_attribute'] = 'roleOccupant' -default['openstack']['identity']['ldap']['role_attribute_ignore'] = nil -default['openstack']['identity']['ldap']['role_allow_create'] = true -default['openstack']['identity']['ldap']['role_allow_update'] = true -default['openstack']['identity']['ldap']['role_allow_delete'] = true - -# LDAP backend group related settings -default['openstack']['identity']['ldap']['group_tree_dn'] = nil -default['openstack']['identity']['ldap']['group_filter'] = nil -default['openstack']['identity']['ldap']['group_objectclass'] = 'groupOfNames' -default['openstack']['identity']['ldap']['group_id_attribute'] = 'cn' -default['openstack']['identity']['ldap']['group_name_attribute'] = 'ou' -default['openstack']['identity']['ldap']['group_member_attribute'] = 'member' -default['openstack']['identity']['ldap']['group_desc_attribute'] = 'description' -default['openstack']['identity']['ldap']['group_attribute_ignore'] = nil 
-default['openstack']['identity']['ldap']['group_allow_create'] = true -default['openstack']['identity']['ldap']['group_allow_update'] = true -default['openstack']['identity']['ldap']['group_allow_delete'] = true - -# LDAP connection pool settings -default['openstack']['identity']['ldap']['use_pool'] = false -default['openstack']['identity']['ldap']['pool_size'] = 10 -default['openstack']['identity']['ldap']['pool_retry_max'] = 3 -default['openstack']['identity']['ldap']['pool_retry_delay'] = 0.1 -default['openstack']['identity']['ldap']['pool_connection_timeout'] = 3 -default['openstack']['identity']['ldap']['pool_connection_lifetime'] = 600 -default['openstack']['identity']['ldap']['use_auth_pool'] = false -default['openstack']['identity']['ldap']['auth_pool_size'] = 100 -default['openstack']['identity']['ldap']['auth_pool_connection_lifetime'] = 60 - -# Token flushing cronjob -default['openstack']['identity']['token_flush_cron']['enabled'] = node['openstack']['identity']['token']['backend'] == 'sql' -default['openstack']['identity']['token_flush_cron']['log_file'] = '/var/log/keystone/token-flush.log' -default['openstack']['identity']['token_flush_cron']['hour'] = '*' -default['openstack']['identity']['token_flush_cron']['minute'] = '0' -default['openstack']['identity']['token_flush_cron']['day'] = '*' -default['openstack']['identity']['token_flush_cron']['weekday'] = '*' - -# Misc option support -# Allow additional strings to be added to keystone.conf -# For example: ['# Comment', 'key=value'] -default['openstack']['identity']['misc_keystone'] = [] - # platform defaults case platform_family when 'fedora', 'rhel' # :pragma-foodcritic: ~FC024 - won't fix this 
@@ -398,18 +182,6 @@ when 'fedora', 'rhel' # :pragma-foodcritic: ~FC024 - won't fix this 'keystone_wsgi_file' => '/usr/share/keystone/keystone.wsgi', 'package_options' => '' } -when 'suse' - default['openstack']['identity']['user'] = 'openstack-keystone' - default['openstack']['identity']['group'] = 'openstack-keystone' - default['openstack']['identity']['platform'] = { - 'memcache_python_packages' => ['python-python-memcached'], - 'keystone_packages' => ['openstack-keystone'], - 'keystone_client_packages' => ['python-keystoneclient'], - 'keystone_service' => 'openstack-keystone', - 'keystone_process_name' => 'keystone-all', - 'keystone_wsgi_file' => '/usr/share/keystone/wsgi.py', - 'package_options' => '' - } when 'debian' default['openstack']['identity']['user'] = 'keystone' default['openstack']['identity']['group'] = 'keystone' @@ -423,3 +195,14 @@ when 'debian' 'package_options' => "-o Dpkg::Options::='--force-confold' -o Dpkg::Options::='--force-confdef'" } end + +# Array of bare options for openrc (e.g. 'option=value') +default['openstack']['misc_openrc'] = nil + +# openrc location and owner +default['openstack']['openrc']['path'] = '/root' +default['openstack']['openrc']['file'] = 'openrc' +default['openstack']['openrc']['user'] = 'root' +default['openstack']['openrc']['group'] = 'root' +default['openstack']['openrc']['file_mode'] = '0600' +default['openstack']['openrc']['path_mode'] = '0700' diff --git a/attributes/keystone_conf.rb b/attributes/keystone_conf.rb new file mode 100644 index 0000000..cee8468 --- /dev/null +++ b/attributes/keystone_conf.rb 
@@ -0,0 +1,30 @@
+default['openstack']['identity']['conf_secrets'] = {}
+default['openstack']['identity']['conf'].tap do |conf|
+ # [DEFAULT]
+ conf['DEFAULT']['verbose'] = false # true in docs
+ if node['openstack']['identity']['syslog']['use']
+ conf['DEFAULT']['log_config_append'] = '/etc/openstack/logging.conf'
+ else
+ conf['DEFAULT']['log_dir'] = '/var/log/keystone'
+ end
+ if node['openstack']['identity']['notification_driver'] == 'messaging'
+ conf['DEFAULT']['notification_topics'] = 'notifications'
+ end
+ conf['DEFAULT']['rpc_backend'] = node['openstack']['mq']['service_type']
+
+ # [assignment]
+ conf['assignment']['driver'] = 'keystone.assignment.backends.sql.Assignment'
+
+ # [auth]
+ conf['auth']['external'] = 'keystone.auth.plugins.external.DefaultDomain'
+ conf['auth']['methods'] = 'external, password, token, oauth1'
+
+ # [catalog]
+ conf['catalog']['driver'] = 'keystone.catalog.backends.sql.Catalog'
+
+ # [identity]
+ conf['identity']['domain_specific_drivers_enabled'] = false
+
+ # [policy]
+ conf['policy']['driver'] = 'keystone.policy.backends.sql.Policy'
+end
diff --git a/metadata.rb b/metadata.rb
index 70c6b00..b450333 100755
--- a/metadata.rb
+++ b/metadata.rb
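Review bot: `conf['DEFAULT']['rpc_backend'] = node['openstack']['mq']['service_type']` passes the common cookbook's service type through unchanged, whereas the attribute logic this patch removes from attributes/default.rb mapped `'rabbitmq'` to the oslo.messaging driver name `'rabbit'`; unless the common cookbook's `service_type` value was changed in the Depends-On change, keystone may be handed a backend name it does not recognise, so the mapping (or a comment stating that `service_type` now already is the driver name) belongs here. The `node['openstack']['identity']['notification_driver'] == 'messaging'` guard reads an attribute whose default is deleted in the same patch, so `notification_topics` is never written unless a wrapper defines it — if that is intended, `# notification_topics is only rendered when a wrapper sets notification_driver to 'messaging'` would make it explicit. Because this file reads `node[...]` values at attribute-load time it also relies on attributes/default.rb being loaded first (alphabetical order), which deserves a one-line comment at the top of the file.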
@@ -4,16 +4,16 @@ maintainer_email 'openstack-dev@lists.openstack.org' license 'Apache 2.0' description 'The OpenStack Identity service Keystone.' long_description IO.read(File.join(File.dirname(__FILE__), 'README.md')) -version '12.0.0' +version '13.0.0' recipe 'openstack-identity::client', 'Install packages required for keystone client' -recipe 'openstack-identity::server', 'Installs and Configures Keystone Service' recipe 'openstack-identity::server-apache', 'Installs and Configures Keystone Service under Apache' recipe 'openstack-identity::registration', 'Adds user, tenant, role and endpoint records to Keystone' +recipe 'openstack-identity::openrc', 'Creates openrc file' -%w(ubuntu fedora redhat centos suse).each do |os| +%w(ubuntu redhat centos).each do |os| supports os end depends 'apache2', '~> 3.1.0' -depends 'openstack-common', '>= 12.0.0' +depends 'openstack-common', '>= 13.0.0' diff --git a/providers/register.rb b/providers/register.rb index f83d961..312a18d 100644 --- a/providers/register.rb +++ b/providers/register.rb 
@@ -25,119 +25,6 @@ require 'chef/mixin/shell_out' include Chef::Mixin::ShellOut include ::Openstack -private - -def generate_boot_creds(resource) - { - 'OS_SERVICE_ENDPOINT' => resource.auth_uri, - 'OS_SERVICE_TOKEN' => resource.bootstrap_token - } -end - -private - -def generate_admin_creds(resource) - identity_endpoint = resource.identity_endpoint - identity_endpoint = endpoint('identity-admin').to_s unless identity_endpoint - { - 'OS_USERNAME' => resource.admin_user, - 'OS_PASSWORD' => resource.admin_pass, - 'OS_TENANT_NAME' => resource.admin_tenant_name, - 'OS_AUTH_URL' => identity_endpoint - } -end - -private - -def generate_user_creds(resource) - identity_endpoint = resource.identity_endpoint - identity_endpoint = endpoint('identity-api').to_s unless identity_endpoint - { - 'OS_USERNAME' => resource.user_name, - 'OS_PASSWORD' => resource.user_pass, - 'OS_TENANT_NAME' => resource.tenant_name, - 'OS_AUTH_URL' => identity_endpoint - } -end - -private - -def get_env(resource, env = 'boot') - case env - when 'boot' - generate_boot_creds(resource) - when 'user' - generate_user_creds(resource) - when 'admin' - generate_admin_creds(resource) - end -end - -private - -def identity_command(resource, cmd, args = {}, env = 'boot') - keystonecmd = ['keystone'] << '--insecure' << cmd - args.each do |key, val| - keystonecmd << "--#{key}" unless key.empty? - keystonecmd << val.to_s - end - cmd_env = get_env(resource, env) - Chef::Log.debug("Running identity command: #{keystonecmd} env: " + cmd_env.to_s) - rc = shell_out(keystonecmd, env: cmd_env) - fail "#{rc.stderr} (#{rc.exitstatus})" if rc.exitstatus != 0 - rc.stdout -end - -private - -def identity_uuid(resource, type, key, value, args = {}, uuid_field = 'id') # rubocop: disable ParameterLists - rc = nil - begin - output = identity_command resource, "#{type}-list", args - output = prettytable_to_array(output) - rc = (type == 'endpoint') ? 
(search_uuid(output, uuid_field, key => value, 'region' => resource.endpoint_region)) : (search_uuid(output, uuid_field, key => value)) - rescue RuntimeError => e - raise "Could not lookup uuid for #{type}:#{key}=>#{value}. Error was #{e.message}" - end - rc -end - -private - -def search_uuid(output, uuid_field, required_hash = {}) - rc = nil - output.each do |obj| - rc = obj[uuid_field] if obj.key?(uuid_field) && required_hash.values - obj.values_at(*required_hash.keys) == [] - end - rc -end - -private - -def service_need_updated?(resource, args = {}, uuid_field = 'id') - begin - output = identity_command resource, 'service-list', args - output = prettytable_to_array(output) - return search_uuid(output, uuid_field, 'name' => resource.service_name).nil? - rescue RuntimeError => e - raise "Could not check service attributes for service: type => #{resource.service_type}, name => #{resource.service_name}. Error was #{e.message}" - end - false -end - -private - -def endpoint_need_updated?(resource, key, value, args = {}, uuid_field = 'id') - begin - output = identity_command resource, 'endpoint-list', args - output = prettytable_to_array(output) - return search_uuid(output, uuid_field, key => value, 'region' => resource.endpoint_region, 'publicurl' => resource.endpoint_publicurl, 'internalurl' => resource.endpoint_internalurl, 'adminurl' => resource.endpoint_adminurl).nil? - rescue RuntimeError => e - raise "Could not check endpoint attributes for endpoint:#{key}=>#{value}. Error was #{e.message}" - end - false -end - action :create_service do new_resource.updated_by_last_action(false) if node['openstack']['identity']['catalog']['backend'] == 'templated' 
@@ -348,3 +235,105 @@ action :create_ec2_credentials do
     raise "Unable to create EC2 Credentials for User '#{new_resource.user_name}' in Tenant '#{new_resource.tenant_name}' Error: " + e.message
   end
 end
+
+private
+
+def generate_boot_creds(resource)
+  {
+    'OS_SERVICE_ENDPOINT' => resource.auth_uri,
+    'OS_SERVICE_TOKEN' => resource.bootstrap_token
+  }
+end
+
+def generate_admin_creds(resource)
+  identity_endpoint = resource.identity_endpoint
+  identity_endpoint = admin_endpoint('identity').to_s unless identity_endpoint
+  {
+    'OS_USERNAME' => resource.admin_user,
+    'OS_PASSWORD' => resource.admin_pass,
+    'OS_TENANT_NAME' => resource.admin_tenant_name,
+    'OS_AUTH_URL' => identity_endpoint
+  }
+end
+
+def generate_user_creds(resource)
+  identity_endpoint = resource.identity_endpoint
+  identity_endpoint = public_endpoint('identity').to_s unless identity_endpoint
+  {
+    'OS_USERNAME' => resource.user_name,
+    'OS_PASSWORD' => resource.user_pass,
+    'OS_TENANT_NAME' => resource.tenant_name,
+    'OS_AUTH_URL' => identity_endpoint
+  }
+end
+
+def get_env(resource, env = 'boot')
+  case env
+  when 'boot'
+    generate_boot_creds(resource)
+  when 'user'
+    generate_user_creds(resource)
+  when 'admin'
+    generate_admin_creds(resource)
+  end
+end
+
+def identity_command(resource, cmd, args = {}, env = 'boot')
+  keystonecmd = build_keystone_cmd(cmd, args)
+  cmd_env = get_env(resource, env)
+  Chef::Log.debug("Running identity command: #{keystonecmd} env: " + cmd_env.to_s)
+  rc = shell_out(keystonecmd, env: cmd_env)
+  fail "#{rc.stderr} (#{rc.exitstatus})" if rc.exitstatus != 0
+  rc.stdout
+end
+
+def build_keystone_cmd(cmd, args)
+  keystonecmd = ['keystone'] << '--insecure' << cmd
+  args.each do |key, val|
+    keystonecmd << "--#{key}" unless key.empty?
+    keystonecmd << val.to_s
+  end
+  keystonecmd
+end
+
+def identity_uuid(resource, type, key, value, args = {}, uuid_field = 'id')
+  rc = nil
+  begin
+    output = identity_command resource, "#{type}-list", args
+    output = prettytable_to_array(output)
+    rc = (type == 'endpoint') ? (search_uuid(output, uuid_field, key => value, 'region' => resource.endpoint_region)) : (search_uuid(output, uuid_field, key => value))
+  rescue RuntimeError => e
+    raise "Could not lookup uuid for #{type}:#{key}=>#{value}. Error was #{e.message}"
+  end
+  rc
+end
+
+def search_uuid(output, uuid_field, required_hash = {})
+  rc = nil
+  output.each do |obj|
+    rc = obj[uuid_field] if obj.key?(uuid_field) && required_hash.values - obj.values_at(*required_hash.keys) == []
+  end
+  rc
+end
+
+def service_need_updated?(resource, args = {}, uuid_field = 'id')
+  begin
+    output = identity_command resource, 'service-list', args
+    output = prettytable_to_array(output)
+    return search_uuid(output, uuid_field, 'name' => resource.service_name).nil?
+  rescue RuntimeError => e
+    raise "Could not check service attributes for service: type => #{resource.service_type}, name => #{resource.service_name}. Error was #{e.message}"
+  end
+  false
+end
+
+def endpoint_need_updated?(resource, key, value, args = {}, uuid_field = 'id')
+  begin
+    output = identity_command resource, 'endpoint-list', args
+    output = prettytable_to_array(output)
+    return search_uuid(output, uuid_field, key => value, 'region' => resource.endpoint_region, 'publicurl' => resource.endpoint_publicurl, 'internalurl' => resource.endpoint_internalurl, 'adminurl' => resource.endpoint_adminurl).nil?
+  rescue RuntimeError => e
+    raise "Could not check endpoint attributes for endpoint:#{key}=>#{value}. Error was #{e.message}"
+  end
+  false
+end
diff --git a/recipes/client.rb b/recipes/client.rb
index bdd4544..fcff9be 100644
--- a/recipes/client.rb
+++ b/recipes/client.rb
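Review bot: `identity_command` still logs `cmd_env.to_s` at debug level, and that hash is built by the `generate_*_creds` helpers with `OS_PASSWORD` and `OS_SERVICE_TOKEN` in it, so a converge with debug logging writes the admin password and the bootstrap token into the Chef log; logging only the variable names avoids that, e.g. `Chef::Log.debug("Running identity command: #{keystonecmd} env keys: #{cmd_env.keys}")`. `build_keystone_cmd` also hard-codes `--insecure`, which disables TLS certificate verification for every keystone CLI call the provider makes; this is carried over from the removed copy above, so it may be deliberate, but a comment stating why (or a resource attribute that lets a deployment turn it off) would be worth adding. The moved helpers now sit under a single `private` marker instead of one per method, which reads better.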
@@ -18,7 +18,7 @@
 # limitations under the License.
 #
 
-class ::Chef::Recipe # rubocop:disable Documentation
+class ::Chef::Recipe
   include ::Openstack
 end
 
diff --git a/recipes/openrc.rb b/recipes/openrc.rb
new file mode 100644
index 0000000..29ca991
--- /dev/null
+++ b/recipes/openrc.rb
@@ -0,0 +1,65 @@
+# encoding: UTF-8
+#
+# Cookbook Name:: openstack-identity
+# recipe:: openrc
+#
+# Copyright 2014 IBM Corp.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# Chef
+class ::Chef::Recipe
+  include ::Openstack
+end
+
+# check attributes before searching
+if node['openstack']['identity'] && node['openstack']['identity']['admin_tenant_name'] && node['openstack']['identity']['admin_user']
+  ksadmin_tenant_name = node['openstack']['identity']['admin_tenant_name']
+  ksadmin_user = node['openstack']['identity']['admin_user']
+else
+  identity_service_role = node['openstack']['identity_service_chef_role']
+  keystone = search_for(identity_service_role).first
+
+  if keystone.nil?
+    Chef::Log.warn("openrc not created, identity role node not found: #{identity_service_role}")
+    return
+  end
+
+  ksadmin_tenant_name = keystone['openstack']['identity']['admin_tenant_name']
+  ksadmin_user = keystone['openstack']['identity']['admin_user']
+end
+
+ksadmin_pass = get_password 'user', ksadmin_user
+identity_public_endpoint = public_endpoint 'identity'
+
+directory node['openstack']['openrc']['path'] do
+  owner node['openstack']['openrc']['user']
+  group node['openstack']['openrc']['group']
+  mode node['openstack']['openrc']['path_mode']
+  recursive true
+end
+
+template "#{node['openstack']['openrc']['path']}/#{node['openstack']['openrc']['file']}" do
+  source 'openrc.erb'
+  owner node['openstack']['openrc']['user']
+  group node['openstack']['openrc']['group']
+  mode node['openstack']['openrc']['file_mode']
+  sensitive true
+  variables(
+    user: ksadmin_user,
+    tenant: ksadmin_tenant_name,
+    password: ksadmin_pass,
+    identity_endpoint: identity_public_endpoint
+  )
+end
diff --git a/recipes/registration.rb b/recipes/registration.rb
index 62c5f26..3b256ba 100644
--- a/recipes/registration.rb
+++ b/recipes/registration.rb
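Review bot: The rendered openrc carries `ksadmin_pass` in cleartext, so the only thing deciding who can read the admin password is the `file_mode` / `path_mode` attributes consumed by the `directory` and `template` resources, and nothing here says so. A comment above the `template` block such as `# openrc holds the admin password in cleartext; file_mode must stay owner-only (the spec expects 0600)` would make that dependency visible to anyone overriding the attributes. `sensitive true` only suppresses the content diff in Chef's output; it does not constrain the file's permissions.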
@@ -21,34 +21,27 @@ require 'uri' -class ::Chef::Recipe # rubocop:disable Documentation +class ::Chef::Recipe include ::Openstack end -# TBD clean up item... -# These should probably become admin, internal, public endpoints for a -# single service 'identity-api'. To minimize impact, I propose that we -# defer that work until later. -identity_admin_endpoint = admin_endpoint 'identity-admin' -identity_internal_endpoint = internal_endpoint 'identity-internal' -identity_public_endpoint = public_endpoint 'identity-api' +identity_admin_endpoint = admin_endpoint 'identity' +identity_internal_endpoint = internal_endpoint 'identity' +identity_public_endpoint = public_endpoint 'identity' auth_uri = ::URI.decode identity_admin_endpoint.to_s -# FIXME(invsblduck): RuboCop gating was enabled mid-review; -# Remove these variables in a separate commit if really not needed. admin_tenant_name = node['openstack']['identity']['admin_tenant_name'] admin_user = node['openstack']['identity']['admin_user'] admin_pass = get_password 'user', node['openstack']['identity']['admin_user'] -# rubocop:enable UselessAssignment bootstrap_token = get_password 'token', 'openstack_identity_bootstrap_token' -# FIXME(galstrom21): This needs to be refactored, to not use a -# MultilineBlockChain. # Register all the tenants specified in the users hash -node['openstack']['identity']['users'].values.map do |user_info| +identity_tenants = node['openstack']['identity']['users'].values.map do |user_info| user_info['roles'].values.push(user_info['default_tenant']) -end.flatten.uniq.each do |tenant_name| # rubocop: disable MultilineBlockChain +end + +identity_tenants.flatten.uniq.each do |tenant_name| openstack_identity_register "Register '#{tenant_name}' Tenant" do auth_uri auth_uri bootstrap_token bootstrap_token 
@@ -59,12 +52,12 @@ end.flatten.uniq.each do |tenant_name| # rubocop: disable MultilineBlockChain end end -# FIXME(galstrom21): This needs to be refactored, to not use a -# MultilineBlockChain. # Register all the roles from the users hash -node['openstack']['identity']['users'].values.map do |user_info| +identity_roles = node['openstack']['identity']['users'].values.map do |user_info| user_info['roles'].keys -end.flatten.uniq.each do |role_name| # rubocop: disable MultilineBlockChain +end + +identity_roles.flatten.uniq.each do |role_name| openstack_identity_register "Register '#{role_name}' Role" do auth_uri auth_uri bootstrap_token bootstrap_token diff --git a/recipes/server-apache.rb b/recipes/server-apache.rb index 757b5d6..f8792a7 100644 --- a/recipes/server-apache.rb +++ b/recipes/server-apache.rb @@ -20,7 +20,7 @@ require 'uri' -class ::Chef::Recipe # rubocop:disable Documentation +class ::Chef::Recipe include ::Openstack end @@ -109,7 +109,7 @@ if node['openstack']['auth']['strategy'] == 'pki' user node['openstack']['identity']['user'] group node['openstack']['identity']['group'] - not_if { ::FileTest.exists? node['openstack']['identity']['signing']['keyfile'] } + not_if { ::FileTest.exists? "#{node['openstack']['identity']['signing']['basedir']}/private/signing_key.pem" } end else remote_file node['openstack']['identity']['signing']['certfile'] do 
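Review bot: The `keystone-manage pki_setup` guard now tests a fixed `"#{node['openstack']['identity']['signing']['basedir']}/private/signing_key.pem"`, while keystone-manage itself takes the key location from the `[signing]` section of the rendered keystone.conf; if a deployment overrides `keyfile` there (the attribute this line used to read), the guard presumably never finds the file and `pki_setup` is re-run on every converge, regenerating the signing key. Either derive the path from the same `conf` attribute the template renders, or add a comment stating that `[signing] keyfile` must be left at the default location for this guard to work. `::FileTest.exists?` is also deprecated in favour of `::File.exist?`. The enclosing `if node['openstack']['auth']['strategy'] == 'pki'` block starts and ends outside this hunk.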
@@ -135,44 +135,30 @@ if node['openstack']['auth']['strategy'] == 'pki'
   end
 end
 
-# Note that identity-bind and identity-admin-bind are not
-# service endpoints where there could be separate 'admin',
-# 'public', and 'internal'. (Well, actually I suppose we
-# could shoehorn it into that infrastructure, but for now
-# I propose that we leave them with the general endpoint
-# lookup routine.)
-bind_endpoint = endpoint 'identity-bind'
-admin_bind_endpoint = endpoint 'identity-admin-bind'
-identity_admin_endpoint = admin_endpoint 'identity-admin'
+public_bind_service = node['openstack']['bind_service']['identity']['public']
+internal_bind_service = node['openstack']['bind_service']['identity']['internal']
+admin_bind_service = node['openstack']['bind_service']['identity']['admin']
 
-# These values are going into the templated catalog and
-# since they're the endpoints being used by the clients,
-# we should put in the public endpoints for each service.
-identity_endpoint = public_endpoint 'identity-api'
-compute_endpoint = public_endpoint 'compute-api'
-ec2_endpoint = public_endpoint 'compute-ec2-api'
-image_endpoint = public_endpoint 'image-api'
-network_endpoint = public_endpoint 'network-api'
-volume_endpoint = public_endpoint 'block-storage-api'
+identity_admin_endpoint = admin_endpoint 'identity'
 
 db_user = node['openstack']['db']['identity']['username']
 db_pass = get_password 'db', 'keystone'
-sql_connection = db_uri('identity', db_user, db_pass)
+node.default['openstack']['identity']['conf_secrets']
+.[]('database')['connection'] =
+  db_uri('identity', db_user, db_pass)
 
 bootstrap_token = get_password 'token', 'openstack_identity_bootstrap_token'
 
-bind_address = bind_endpoint.host
-admin_bind_address = admin_bind_endpoint.host
-
 # If the search role is set, we search for memcache
 # servers via a Chef search. If not, we look at the
 # memcache.servers attribute.
-memcache_servers = memcached_servers.join ',' # from openstack-common lib
+memcache_servers = memcached_servers.join ',' # from openstack-common lib
 
 # These configuration endpoints must not have the path (v2.0, etc)
 # added to them, as these values are used in returning the version
 # listing information from the root / endpoint.
-ie = identity_endpoint
+identity_public_endpoint = public_endpoint 'identity'
+ie = identity_public_endpoint
 public_endpoint = "#{ie.scheme}://#{ie.host}:#{ie.port}/"
 ae = identity_admin_endpoint
 admin_endpoint = "#{ae.scheme}://#{ae.host}:#{ae.port}/"
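Review bot: `node.default['openstack']['identity']['conf_secrets'] .[]('database')['connection'] =` is an unusual way to index a hash across a line break and reads as a typo on first sight; plain indexing says the same thing, `node.default['openstack']['identity']['conf_secrets']['database']['connection'] = db_uri('identity', db_user, db_pass)`. The same `.[](...)` form is used for the rabbit credentials in the following hunk. Since this line places the database password in the node object, a short comment pointing at the `ruby_block` that removes `conf_secrets` once keystone.conf is rendered would let a reader see the intended lifetime without scrolling.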
@@ -198,60 +184,79 @@ else
   end
 end
 
-mq_service_type = node['openstack']['mq']['identity']['service_type']
-
-if mq_service_type == 'rabbitmq'
-  node['openstack']['mq']['identity']['rabbit']['ha'] && (rabbit_hosts = rabbit_servers)
-  mq_password = get_password 'user', node['openstack']['mq']['identity']['rabbit']['userid']
-elsif mq_service_type == 'qpid'
-  mq_password = get_password 'user', node['openstack']['mq']['identity']['qpid']['username']
+if node['openstack']['identity']['conf']['DEFAULT']['rpc_backend'] == 'rabbit'
+  user = node['openstack']['mq']['identity']['rabbit']['userid']
+  node.default['openstack']['identity']['conf_secrets']
+    .[]('oslo_messaging_rabbit')['rabbit_userid'] = user
+  node.default['openstack']['identity']['conf_secrets']
+    .[]('oslo_messaging_rabbit')['rabbit_password'] =
+    get_password 'user', user
 end
 
+node.default['openstack']['identity']['conf'].tap do |conf|
+  # [DEFAULT] section
+  conf['DEFAULT']['admin_token'] = bootstrap_token
+  conf['DEFAULT']['public_endpoint'] = public_endpoint
+  conf['DEFAULT']['admin_endpoint'] = admin_endpoint
+  # [memcache] section
+  conf['memcache']['servers'] = memcache_servers if memcache_servers
+end
+
+# merge all config options and secrets to be used in the nova.conf.erb
+keystone_conf_options = merge_config_options 'identity'
+
 template '/etc/keystone/keystone.conf' do
-  source 'keystone.conf.erb'
+  source 'openstack-service.conf.erb'
+  cookbook 'openstack-common'
   owner node['openstack']['identity']['user']
   group node['openstack']['identity']['group']
   mode 00640
   variables(
-    sql_connection: sql_connection,
-    bind_address: bind_address,
-    admin_bind_address: admin_bind_address,
-    bootstrap_token: bootstrap_token,
-    memcache_servers: memcache_servers,
-    public_endpoint: public_endpoint,
-    public_port: identity_endpoint.port,
-    admin_endpoint: admin_endpoint,
-    admin_port: identity_admin_endpoint.port,
-    ldap: node['openstack']['identity']['ldap'],
-    token_expiration: node['openstack']['identity']['token']['expiration'],
-    rabbit_hosts: rabbit_hosts,
-    notification_driver: node['openstack']['identity']['notification_driver'],
-    mq_service_type: mq_service_type,
-    mq_password: mq_password
+    service_config: keystone_conf_options
   )
 end
 
-# populate the templated catlog, if you're using the templated catalog backend
-uris = {
-  'identity-admin' => identity_admin_endpoint.to_s.gsub('%25', '%'),
-  'identity' => identity_endpoint.to_s.gsub('%25', '%'),
-  'image' => image_endpoint.to_s.gsub('%25', '%'),
-  'compute' => compute_endpoint.to_s.gsub('%25', '%'),
-  'ec2' => ec2_endpoint.to_s.gsub('%25', '%'),
-  'network' => network_endpoint.to_s.gsub('%25', '%'),
-  'volume' => volume_endpoint.to_s.gsub('%25', '%')
-}
+# delete all secrets saved in the attribute
+# node['openstack']['identity']['conf_secrets'] after creating the keystone.conf
+ruby_block "delete all attributes in node['openstack']['identity']['conf_secrets']" do
+  block do
+    node.rm(:openstack, :identity, :conf_secrets)
+  end
+end
 
-template '/etc/keystone/default_catalog.templates' do
-  source 'default_catalog.templates.erb'
-  owner node['openstack']['identity']['user']
-  group node['openstack']['identity']['group']
-  mode 00644
-  variables(
-    uris: uris
-  )
+# TODO: (jklare) needs to be refactored and filled by the service cookbooks, to
+# avoid dependencies on unused cookbooks
+if node['openstack']['identity']['catalog']['backend'] == 'templated'
+  # These values are going into the templated catalog and
+  # since they're the endpoints being used by the clients,
+  # we should put in the public endpoints for each service.
+  compute_public_endpoint = public_endpoint 'compute'
+  ec2_public_endpoint = public_endpoint 'compute-ec2'
+  image_public_endpoint = public_endpoint 'image'
+  network_public_endpoint = public_endpoint 'network'
+  volume_public_endpoint = public_endpoint 'block-storage'
 
-  only_if { node['openstack']['identity']['catalog']['backend'] == 'templated' }
+  # populate the templated catlog, if you're using the templated catalog backend
+  # TODO: (jklare) this should be done in a helper method
+  uris = {
+    'identity-admin' => identity_admin_endpoint.to_s.gsub('%25', '%'),
+    'identity' => identity_public_endpoint.to_s.gsub('%25', '%'),
+    'image' => image_public_endpoint.to_s.gsub('%25', '%'),
+    'compute' => compute_public_endpoint.to_s.gsub('%25', '%'),
+    'ec2' => ec2_public_endpoint.to_s.gsub('%25', '%'),
+    'network' => network_public_endpoint.to_s.gsub('%25', '%'),
+    'volume' => volume_public_endpoint.to_s.gsub('%25', '%')
+  }
+
+  template '/etc/keystone/default_catalog.templates' do
+    source 'default_catalog.templates.erb'
+    owner node['openstack']['identity']['user']
+    group node['openstack']['identity']['group']
+    mode 00644
+    variables(
+      uris: uris
+    )
+  end
 end
 
 # sync db after keystone.conf is generated
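Review bot: `conf['DEFAULT']['admin_token'] = bootstrap_token` stores the bootstrap token in the non-secret `conf` attribute, whereas the database connection string and the rabbit password go into `conf_secrets`, which the `ruby_block` at the end of this hunk deletes after keystone.conf is rendered; the admin token therefore outlives the cleanup and, as a node attribute, is saved with the node object at the end of the run. Moving that one assignment out of the `tap` block to `node.default['openstack']['identity']['conf_secrets']['DEFAULT']['admin_token'] = bootstrap_token` keeps it on the same lifetime as the other secrets, given that `merge_config_options 'identity'` is described here as merging both options and secrets. The comment `# merge all config options and secrets to be used in the nova.conf.erb` names the wrong file; this recipe renders keystone.conf.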
@@ -279,10 +284,13 @@ end
 
 #### Start of Apache specific work
 
-listen_addresses = node['apache']['listen_addresses'] - ['*'] + [bind_address, admin_bind_address]
-listen_ports = node['apache']['listen_ports'] - ['80'] + [identity_endpoint.port, identity_admin_endpoint.port]
-node.set['apache']['listen_addresses'] = listen_addresses.uniq
-node.set['apache']['listen_ports'] = listen_ports.uniq
+apache_listen_public = { public_bind_service.host => [public_bind_service.port.to_s] }
+apache_listen_internal = { internal_bind_service.host => [internal_bind_service.port.to_s] }
+apache_listen_admin = { admin_bind_service.host => [admin_bind_service.port.to_s] }
+apache_listen = Chef::Mixin::DeepMerge.merge(Chef::Mixin::DeepMerge.merge(apache_listen_public, apache_listen_internal), apache_listen_admin)
+
+node.normal['apache']['listen'] =
+  Chef::Mixin::DeepMerge.merge(node['apache']['listen'], apache_listen)
 
 include_recipe 'apache2'
 include_recipe 'apache2::mod_wsgi'
@@ -296,11 +304,12 @@ directory keystone_apache_dir do
 end
 
 server_entry_public = "#{keystone_apache_dir}/main"
+server_entry_internal = "#{keystone_apache_dir}/internal"
 server_entry_admin = "#{keystone_apache_dir}/admin"
 
 # Note: Using lazy here as the wsgi file is not available until after
 # the keystone package is installed during execution phase.
-[server_entry_public, server_entry_admin].each do |server_entry|
+[server_entry_public, server_entry_internal, server_entry_admin].each do |server_entry|
   file server_entry do
     content lazy { IO.read(platform_options['keystone_wsgi_file']) }
     owner 'root'
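Review bot: `node.normal['apache']['listen'] = ...` writes the merged bind hosts and ports at normal precedence, and normal attributes are persisted with the node object across runs, so once a `bind_service` host or port changes the previous host:port entry stays in `apache.listen` (and in the generated Listen directives) until someone removes it by hand; the old code had the same property via `node.set`, so this is not a regression, but it deserves a comment. If normal precedence is only needed to win over the apache2 cookbook's own default, say so in a comment; otherwise `node.default` avoids the stale entries. The three nested `Chef::Mixin::DeepMerge.merge` calls would read more clearly as `apache_listen = [apache_listen_public, apache_listen_internal, apache_listen_admin].reduce { |a, b| Chef::Mixin::DeepMerge.merge(a, b) }`.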
@@ -311,13 +320,18 @@ end
 
 wsgi_apps = {
   'public' => {
-    server_host: bind_address,
-    server_port: identity_endpoint.port,
+    server_host: public_bind_service.host,
+    server_port: public_bind_service.port,
     server_entry: server_entry_public
   },
+  'internal' => {
+    server_host: internal_bind_service.host,
+    server_port: internal_bind_service.port,
+    server_entry: server_entry_internal
+  },
   'admin' => {
-    server_host: admin_bind_address,
-    server_port: identity_admin_endpoint.port,
+    server_host: admin_bind_service.host,
+    server_port: admin_bind_service.port,
     server_entry: server_entry_admin
   }
 }
diff --git a/recipes/server.rb b/recipes/server.rb
deleted file mode 100644
index 890406f..0000000
--- a/recipes/server.rb
+++ /dev/null
@@ -1,301 +0,0 @@ -# encoding: UTF-8 -# -# Cookbook Name:: openstack-identity -# Recipe:: server -# -# Copyright 2012, Rackspace US, Inc. -# Copyright 2012-2013, Opscode, Inc. -# Copyright 2013-2014 SUSE LINUX Products GmbH. -# -# Licensed under the Apache License, Version 2.0 (the 'License'); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an 'AS IS' BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -require 'uri' - -class ::Chef::Recipe # rubocop:disable Documentation - include ::Openstack -end - -if node['openstack']['identity']['syslog']['use'] - include_recipe 'openstack-common::logging' -end - -platform_options = node['openstack']['identity']['platform'] - -db_type = node['openstack']['db']['identity']['service_type'] -unless db_type == 'sqlite' - node['openstack']['db']['python_packages'][db_type].each do |pkg| - package "identity cookbook package #{pkg}" do - package_name pkg - options platform_options['package_options'] - action :upgrade - end - end -end - -platform_options['memcache_python_packages'].each do |pkg| - package "identity cookbook package #{pkg}" do - package_name pkg - options platform_options['package_options'] - action :upgrade - end -end - -platform_options['keystone_packages'].each do |pkg| - package "identity cookbook package #{pkg}" do - package_name pkg - options platform_options['package_options'] - action :upgrade - end -end - -execute 'Keystone: sleep' do - command "sleep #{node['openstack']['identity']['start_delay']}" - - action :nothing -end - -service 'keystone' do - service_name platform_options['keystone_service'] - supports status: true, restart: true - 
- action [:enable] - - notifies :run, 'execute[Keystone: sleep]', :immediately -end - -directory '/etc/keystone' do - owner node['openstack']['identity']['user'] - group node['openstack']['identity']['group'] - mode 00700 -end - -directory node['openstack']['identity']['identity']['domain_config_dir'] do - owner node['openstack']['identity']['user'] - group node['openstack']['identity']['group'] - mode 00700 - only_if { node['openstack']['identity']['identity']['domain_specific_drivers_enabled'] } -end - -file '/var/lib/keystone/keystone.db' do - action :delete - not_if { node['openstack']['db']['identity']['service_type'] == 'sqlite' } -end - -if node['openstack']['auth']['strategy'] == 'pki' - certfile_url = node['openstack']['identity']['signing']['certfile_url'] - keyfile_url = node['openstack']['identity']['signing']['keyfile_url'] - ca_certs_url = node['openstack']['identity']['signing']['ca_certs_url'] - signing_basedir = node['openstack']['identity']['signing']['basedir'] - - directory signing_basedir do - owner node['openstack']['identity']['user'] - group node['openstack']['identity']['group'] - mode 00700 - end - - directory "#{signing_basedir}/certs" do - owner node['openstack']['identity']['user'] - group node['openstack']['identity']['group'] - mode 00755 - end - - directory "#{signing_basedir}/private" do - owner node['openstack']['identity']['user'] - group node['openstack']['identity']['group'] - mode 00750 - end - - if certfile_url.nil? || keyfile_url.nil? || ca_certs_url.nil? - execute 'keystone-manage pki_setup' do - user node['openstack']['identity']['user'] - group node['openstack']['identity']['group'] - - not_if { ::FileTest.exists? 
node['openstack']['identity']['signing']['keyfile'] } - end - else - remote_file node['openstack']['identity']['signing']['certfile'] do - source certfile_url - owner node['openstack']['identity']['user'] - group node['openstack']['identity']['group'] - mode 00640 - - notifies :restart, 'service[keystone]', :delayed - end - - remote_file node['openstack']['identity']['signing']['keyfile'] do - source keyfile_url - owner node['openstack']['identity']['user'] - group node['openstack']['identity']['group'] - mode 00640 - - notifies :restart, 'service[keystone]', :delayed - end - - remote_file node['openstack']['identity']['signing']['ca_certs'] do - source ca_certs_url - owner node['openstack']['identity']['user'] - group node['openstack']['identity']['group'] - mode 00640 - - notifies :restart, 'service[keystone]', :delayed - end - end -end - -# Note that identity-bind and identity-admin-bind are not -# service endpoints where there could be separate 'admin', -# 'public', and 'internal'. (Well, actually I suppose we -# could shoehorn it into that infrastructure, but for now -# I propose that we leave them with the general endpoint -# lookup routine.) -bind_endpoint = endpoint 'identity-bind' -admin_bind_endpoint = endpoint 'identity-admin-bind' -identity_admin_endpoint = admin_endpoint 'identity-admin' - -# These values are going into the templated catalog and -# since they're the endpoints being used by the clients, -# we should put in the public endpoints for each service. 
-identity_endpoint = public_endpoint 'identity-api' -compute_endpoint = public_endpoint 'compute-api' -ec2_endpoint = public_endpoint 'compute-ec2-api' -image_endpoint = public_endpoint 'image-api' -network_endpoint = public_endpoint 'network-api' -volume_endpoint = public_endpoint 'block-storage-api' - -db_user = node['openstack']['db']['identity']['username'] -db_pass = get_password 'db', 'keystone' -sql_connection = db_uri('identity', db_user, db_pass) - -bootstrap_token = get_password 'token', 'openstack_identity_bootstrap_token' - -bind_address = bind_endpoint.host -admin_bind_address = admin_bind_endpoint.host - -# If the search role is set, we search for memcache -# servers via a Chef search. If not, we look at the -# memcache.servers attribute. -memcache_servers = memcached_servers.join ',' # from openstack-common lib - -# These configuration endpoints must not have the path (v2.0, etc) -# added to them, as these values are used in returning the version -# listing information from the root / endpoint. -ie = identity_endpoint -public_endpoint = "#{ie.scheme}://#{ie.host}:#{ie.port}/" -ae = identity_admin_endpoint -admin_endpoint = "#{ae.scheme}://#{ae.host}:#{ae.port}/" - -# If a keystone-paste.ini is specified use it. -# If platform_family is RHEL and we do not specify keystone-paste.ini, -# copy in /usr/share/keystone/keystone-dist-paste.ini since -# /etc/keystone/keystone-paste.ini is not packaged. 
-if node['openstack']['identity']['pastefile_url'] - remote_file '/etc/keystone/keystone-paste.ini' do - action :create_if_missing - source node['openstack']['identity']['pastefile_url'] - owner node['openstack']['identity']['user'] - group node['openstack']['identity']['group'] - mode 00644 - notifies :restart, 'service[keystone]', :delayed - end -else - template '/etc/keystone/keystone-paste.ini' do - source 'keystone-paste.ini.erb' - owner node['openstack']['identity']['user'] - group node['openstack']['identity']['group'] - mode 00644 - notifies :restart, 'service[keystone]', :delayed - end -end - -mq_service_type = node['openstack']['mq']['identity']['service_type'] - -if mq_service_type == 'rabbitmq' - node['openstack']['mq']['identity']['rabbit']['ha'] && (rabbit_hosts = rabbit_servers) - mq_password = get_password 'user', node['openstack']['mq']['identity']['rabbit']['userid'] -elsif mq_service_type == 'qpid' - mq_password = get_password 'user', node['openstack']['mq']['identity']['qpid']['username'] -end - -template '/etc/keystone/keystone.conf' do - source 'keystone.conf.erb' - owner node['openstack']['identity']['user'] - group node['openstack']['identity']['group'] - mode 00640 - variables( - sql_connection: sql_connection, - bind_address: bind_address, - admin_bind_address: admin_bind_address, - bootstrap_token: bootstrap_token, - memcache_servers: memcache_servers, - public_endpoint: public_endpoint, - public_port: identity_endpoint.port, - admin_endpoint: admin_endpoint, - admin_port: identity_admin_endpoint.port, - ldap: node['openstack']['identity']['ldap'], - token_expiration: node['openstack']['identity']['token']['expiration'], - rabbit_hosts: rabbit_hosts, - notification_driver: node['openstack']['identity']['notification_driver'], - mq_service_type: mq_service_type, - mq_password: mq_password - ) - - notifies :restart, 'service[keystone]', :immediately -end - -# populate the templated catlog, if you're using the templated catalog backend -uris 
= { - 'identity-admin' => identity_admin_endpoint.to_s.gsub('%25', '%'), - 'identity' => identity_endpoint.to_s.gsub('%25', '%'), - 'image' => image_endpoint.to_s.gsub('%25', '%'), - 'compute' => compute_endpoint.to_s.gsub('%25', '%'), - 'ec2' => ec2_endpoint.to_s.gsub('%25', '%'), - 'network' => network_endpoint.to_s.gsub('%25', '%'), - 'volume' => volume_endpoint.to_s.gsub('%25', '%') -} - -template '/etc/keystone/default_catalog.templates' do - source 'default_catalog.templates.erb' - owner node['openstack']['identity']['user'] - group node['openstack']['identity']['group'] - mode 00644 - variables( - uris: uris - ) - - notifies :restart, 'service[keystone]', :immediately - only_if { node['openstack']['identity']['catalog']['backend'] == 'templated' } -end - -# sync db after keystone.conf is generated -execute 'keystone-manage db_sync' do - user node['openstack']['identity']['user'] - group node['openstack']['identity']['group'] - - only_if { node['openstack']['db']['identity']['migrate'] } -end - -# Configure the flush tokens cronjob -should_run_cron = node['openstack']['identity']['token_flush_cron']['enabled'] && node['openstack']['identity']['token']['backend'] == 'sql' -log_file = node['openstack']['identity']['token_flush_cron']['log_file'] - -cron 'keystone-manage-token-flush' do - minute node['openstack']['identity']['token_flush_cron']['minute'] - hour node['openstack']['identity']['token_flush_cron']['hour'] - day node['openstack']['identity']['token_flush_cron']['day'] - weekday node['openstack']['identity']['token_flush_cron']['weekday'] - action should_run_cron ? :create : :delete - user node['openstack']['identity']['user'] - command "keystone-manage token_flush > #{log_file} 2>&1; "\ - "echo keystone-manage token_flush ran at $(/bin/date) with exit code $? >> #{log_file}" -end diff --git a/spec/openrc_spec.rb b/spec/openrc_spec.rb new file mode 100644 index 0000000..927abd5 --- /dev/null +++ b/spec/openrc_spec.rb 
@@ -0,0 +1,65 @@
+# encoding: UTF-8
+
+require_relative 'spec_helper'
+
+describe 'openstack-identity::openrc' do
+ describe 'ubuntu' do
+ let(:runner) { ChefSpec::SoloRunner.new(UBUNTU_OPTS) }
+ let(:node) { runner.node }
+ let(:chef_run) do
+ runner.converge(described_recipe)
+ end
+
+ include_context 'identity_stubs'
+
+ describe '/root/openrc' do
+ let(:file) { chef_run.template('/root/openrc') }
+
+ it 'creates the /root/openrc file' do
+ expect(chef_run).to create_directory('/root').with(
+ owner: 'root',
+ group: 'root',
+ mode: '0700',
+ recursive: true
+ )
+ expect(chef_run).to create_template(file.name).with(
+ sensitive: true,
+ user: 'root',
+ group: 'root',
+ mode: '0600'
+ )
+ end
+
+ it 'contains auth environment variables' do
+ [
+ /^export OS_USERNAME=admin$/,
+ /^export OS_TENANT_NAME=admin$/,
+ /^export OS_PASSWORD=admin$/,
+ %r{^export OS_AUTH_URL=http://127.0.0.1:5000/v2.0$},
+ /^export OS_REGION_NAME=RegionOne$/
+ ].each do |line|
+ expect(chef_run).to render_file(file.name).with_content(line)
+ end
+ end
+
+ it 'templates misc_openrc array correctly' do
+ node.set['openstack']['misc_openrc'] = ['export MISC1=OPTION1', 'export MISC2=OPTION2']
+ expect(chef_run).to render_file(file.name).with_content(
+ /^export MISC1=OPTION1$/)
+ expect(chef_run).to render_file(file.name).with_content(
+ /^export MISC2=OPTION2$/)
+ end
+
+ it 'contains overridden auth environment variables' do
+ node.set['openstack']['identity']['admin_tenant_name'] = 'admin-tenant-name-override'
+ node.set['openstack']['identity']['admin_user'] = 'admin-user-override'
+ [
+ /^export OS_USERNAME=admin-user-override$/,
+ /^export OS_TENANT_NAME=admin-tenant-name-override$/
+ ].each do |line|
+ expect(chef_run).to render_file(file.name).with_content(line)
+ end
+ end
+ end
+ end
+end
diff --git a/spec/register_spec.rb b/spec/register_spec.rb
index 33b9292..0579c8d 100644
--- a/spec/register_spec.rb
+++ b/spec/register_spec.rb
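Review bot: `let(:chef_run) do runner.converge(described_recipe) end` is the only multi-line `let` in the new file and wraps a single expression; the one-line form `let(:chef_run) { runner.converge(described_recipe) }`, which the other specs in this cookbook use, reads better and keeps the three `let`s visually aligned. The expectation `/^export OS_PASSWORD=admin$/` presumably only holds because the shared `identity_stubs` context stubs the password lookup, so a short comment such as `# OS_PASSWORD comes from the password stub in identity_stubs` above the array would stop a reader from taking `admin` for a real default.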
@@ -11,6 +11,9 @@ describe 'openstack-identity::default' do
 let(:cookbook_collection) { Chef::CookbookCollection.new([]) }
 let(:run_context) { Chef::RunContext.new(node, cookbook_collection, events) }
+ # needed to create the provider class OpenstackIdentityRegister by chef magic
+ before { chef_run }
+
 describe 'tenant_create' do
 let(:resource) do
 r = Chef::Resource::OpenstackIdentityRegister.new('tenant1',
diff --git a/spec/registration_spec.rb b/spec/registration_spec.rb
index 1b7b476..cb6c259 100644
--- a/spec/registration_spec.rb
+++ b/spec/registration_spec.rb
@@ -104,7 +104,7 @@ describe 'openstack-identity::registration' do
 auth_uri: 'http://127.0.0.1:35357/v2.0',
 bootstrap_token: 'bootstrap-token',
 user_name: user,
- user_pass: '',
+ user_pass: 'admin',
 tenant_name: tenant
 )
 end
@@ -134,7 +134,7 @@ describe 'openstack-identity::registration' do
 tenant_name: tenant,
 admin_tenant_name: 'admin',
 admin_user: 'admin',
- admin_pass: ''
+ admin_pass: 'admin'
 )
 end
 end
@@ -178,7 +178,7 @@ describe 'openstack-identity::registration' do
 tenant_name: 'default_tenant1',
 admin_tenant_name: 'admin',
 admin_user: 'admin',
- admin_pass: ''
+ admin_pass: 'admin'
 )
 end
 end
@@ -239,7 +239,7 @@ describe 'openstack-identity::registration' do
 service_type: 'identity',
 endpoint_region: 'RegionOne',
 endpoint_adminurl: 'http://127.0.0.1:35357/v2.0',
- endpoint_internalurl: 'http://127.0.0.1:5000/v2.0',
+ endpoint_internalurl: 'http://127.0.0.1:5001/v2.0',
 endpoint_publicurl: 'http://127.0.0.1:5000/v2.0'
 )
 end
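Review bot: The comment `# needed to create the provider class OpenstackIdentityRegister by chef magic` on the new `before { chef_run }` does not say what the magic is; a reader has to know that Chef defines the LWRP's resource and provider classes from the cookbook's `resources/` and `providers/` files while the cookbook is converged. Suggest `# converge once so Chef defines Chef::Resource::OpenstackIdentityRegister and its provider from the LWRP files before the examples instantiate them`. The `describe 'openstack-identity::default'` block and the `chef_run` definition it relies on are outside the hunk.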
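Review bot: In the `@@ -239,7 +239,7 @@` hunk the default internal endpoint is now asserted as `http://127.0.0.1:5001/v2.0` while the public endpoint on the next context line stays on port 5000; nothing in the spec says where 5001 comes from, and the same number reappears in the apache listen expectation in server-apache_spec. A one-line comment next to the expectation, e.g. `# internal endpoint defaults to its own port (5001); public stays on 5000`, would keep the two specs in step when that default moves. The `it` block containing the expectation begins outside the hunk.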
@@ -252,15 +252,15 @@ describe 'openstack-identity::registration' do
 end
 it 'overrides identity endpoints' do
- node.set['openstack']['endpoints']['identity-admin']['host'] = '127.0.0.2'
- node.set['openstack']['endpoints']['identity-admin']['port'] = '5002'
- node.set['openstack']['endpoints']['identity-admin']['path'] = '/v2.2'
- node.set['openstack']['endpoints']['identity-internal']['host'] = '127.0.0.3'
- node.set['openstack']['endpoints']['identity-internal']['port'] = '5003'
- node.set['openstack']['endpoints']['identity-internal']['path'] = '/v2.3'
- node.set['openstack']['endpoints']['identity-api']['host'] = '127.0.0.4'
- node.set['openstack']['endpoints']['identity-api']['port'] = '5004'
- node.set['openstack']['endpoints']['identity-api']['path'] = '/v2.4'
+ node.set['openstack']['endpoints']['identity']['admin']['host'] = '127.0.0.2'
+ node.set['openstack']['endpoints']['identity']['admin']['port'] = '5002'
+ node.set['openstack']['endpoints']['identity']['admin']['path'] = '/v2.2'
+ node.set['openstack']['endpoints']['identity']['internal']['host'] = '127.0.0.3'
+ node.set['openstack']['endpoints']['identity']['internal']['port'] = '5003'
+ node.set['openstack']['endpoints']['identity']['internal']['path'] = '/v2.3'
+ node.set['openstack']['endpoints']['identity']['public']['host'] = '127.0.0.4'
+ node.set['openstack']['endpoints']['identity']['public']['port'] = '5004'
+ node.set['openstack']['endpoints']['identity']['public']['path'] = '/v2.4'
 expect(chef_run).to create_endpoint_openstack_identity_register(
 'Register Identity Endpoint'
 ).with(
@@ -270,76 +270,13 @@ describe 'openstack-identity::registration' do
 )
 end
- it 'register endpoint with different admin URL' do
- admin_url = 'https://admin.host:123/admin_path'
- general_url = 'http://general.host:456/general_path'
-
- # Set the general endpoint
- node.set['openstack']['endpoints']['identity-api']['uri'] = general_url
- # TBD, clean this up so that admin is picked up from 'identiy-api'
- node.set['openstack']['endpoints']['identity-admin']['uri'] = general_url
- node.set['openstack']['endpoints']['identity-internal']['uri'] = general_url
- # Set the admin endpoint override
- node.set['openstack']['endpoints']['admin']['identity-admin']['uri'] = admin_url
-
- expect(chef_run).to create_endpoint_openstack_identity_register(
- 'Register Identity Endpoint'
- ).with(
- endpoint_adminurl: admin_url,
- endpoint_internalurl: general_url,
- endpoint_publicurl: general_url
- )
- end
-
- it 'register endpoint with different internal URL' do
- internal_url = 'http://internal.host:456/internal_path'
- general_url = 'http://general.host:456/general_path'
-
- # Set the general endpoint
- node.set['openstack']['endpoints']['identity-api']['uri'] = general_url
- node.set['openstack']['endpoints']['identity-admin']['uri'] = general_url
- node.set['openstack']['endpoints']['identity-internal']['uri'] = general_url
- # Set the internal endpoint override
- node.set['openstack']['endpoints']['internal']['identity-internal']['uri'] = internal_url
-
- expect(chef_run).to create_endpoint_openstack_identity_register(
- 'Register Identity Endpoint'
- ).with(
- endpoint_adminurl: general_url,
- endpoint_internalurl: internal_url,
- endpoint_publicurl: general_url
- )
- end
-
- it 'register endpoint with different public URL' do
- public_url = 'https://public.host:789/public_path'
- general_url = 'http://general.host:456/general_path'
-
- # Set the general endpoint
- node.set['openstack']['endpoints']['identity-api']['uri'] = general_url
- node.set['openstack']['endpoints']['identity-admin']['uri'] = general_url
- node.set['openstack']['endpoints']['identity-internal']['uri'] = general_url
- # Set the public endpoint override
- node.set['openstack']['endpoints']['public']['identity-api']['uri'] = public_url
-
- expect(chef_run).to create_endpoint_openstack_identity_register(
- 'Register Identity Endpoint'
- ).with(
- endpoint_adminurl: general_url,
- endpoint_internalurl: general_url,
- endpoint_publicurl: public_url
- )
- end
-
 it 'register endpoint with all different URLs' do
 public_url = 'https://public.host:789/public_path'
 internal_url = 'http://internal.host:456/internal_path'
 admin_url = 'https://admin.host:123/admin_path'
-
- # Set the type specific overrides
- node.set['openstack']['endpoints']['public']['identity-api']['uri'] = public_url
- node.set['openstack']['endpoints']['internal']['identity-internal']['uri'] = internal_url
- node.set['openstack']['endpoints']['admin']['identity-admin']['uri'] = admin_url
+ node.set['openstack']['endpoints']['identity']['public']['uri'] = public_url
+ node.set['openstack']['endpoints']['identity']['internal']['uri'] = internal_url
+ node.set['openstack']['endpoints']['identity']['admin']['uri'] = admin_url
 expect(chef_run).to create_endpoint_openstack_identity_register(
 'Register Identity Endpoint'
diff --git a/spec/server-apache_spec.rb b/spec/server-apache_spec.rb
index 076bb6b..799d854 100644
--- a/spec/server-apache_spec.rb
+++ b/spec/server-apache_spec.rb
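Review bot: Deleting the three single-override examples leaves only the 'all different URLs' case, so a regression in which one endpoint type silently falls back to another (internal rendered with the public URI, say) would still pass as long as all three overrides are honoured together. Keep one example that sets only `node.set['openstack']['endpoints']['identity']['internal']['uri']` and asserts that `endpoint_adminurl` and `endpoint_publicurl` keep their defaults while `endpoint_internalurl` changes; the same shape would cover the admin and public overrides with two more short examples. The `.with(` call that closes this hunk continues outside it.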
@@ -142,87 +142,6 @@ describe 'openstack-identity::server-apache' do
 end
 end
- describe 'ssl files' do
- describe 'with pki' do
- describe 'with {certfile,keyfile,ca_certs}_url attributes set' do
- before do
- node.set['openstack']['identity']['signing']['certfile_url'] = 'http://www.test.com/signing_cert.pem'
- node.set['openstack']['identity']['signing']['keyfile_url'] = 'http://www.test.com/signing_key.pem'
- node.set['openstack']['identity']['signing']['ca_certs_url'] = 'http://www.test.com/ca.pem'
- end
-
- describe 'cert file' do
- let(:cert_file) { node['openstack']['identity']['signing']['certfile'] }
- let(:file_resource) { chef_run.remote_file(cert_file) }
-
- it 'creates files' do
- expect(chef_run).to create_remote_file(cert_file).with(
- user: 'keystone',
- group: 'keystone',
- mode: 0640
- )
- end
- end
-
- describe 'key file' do
- let(:key_file) { node['openstack']['identity']['signing']['keyfile'] }
- let(:file_resource) { chef_run.remote_file(key_file) }
-
- it 'creates file' do
- expect(chef_run).to create_remote_file(key_file).with(
- user: 'keystone',
- group: 'keystone',
- mode: 0640
- )
- end
- end
-
- describe 'ca_certs' do
- let(:ca_certs) { node['openstack']['identity']['signing']['ca_certs'] }
- let(:file_resource) { chef_run.remote_file(ca_certs) }
-
- it 'creates file' do
- expect(chef_run).to create_remote_file(ca_certs).with(
- user: 'keystone',
- group: 'keystone',
- mode: 0640
- )
- end
- end
- end
-
- describe 'without {certfile,keyfile,ca_certs}_url attributes set' do
- it 'does not create cert file' do
- expect(chef_run).not_to create_remote_file(node['openstack']['identity']['signing']['certfile'])
- end
-
- it 'does not create key file' do
- expect(chef_run).not_to create_remote_file(node['openstack']['identity']['signing']['keyfile'])
- end
-
- it 'does not create ca_certs file' do
- expect(chef_run).not_to create_remote_file(node['openstack']['identity']['signing']['ca_certs'])
- end
- end
- end
-
- describe 'without pki' do
- before { node.set['openstack']['auth']['strategy'] = 'uuid' }
-
- it 'does not create cert file' do
- expect(chef_run).not_to create_remote_file(node['openstack']['identity']['signing']['certfile'])
- end
-
- it 'does not create key file' do
- expect(chef_run).not_to create_remote_file(node['openstack']['identity']['signing']['keyfile'])
- end
-
- it 'does not create ca_certs file' do
- expect(chef_run).not_to create_remote_file(node['openstack']['identity']['signing']['ca_certs'])
- end
- end
- end
-
 it 'deletes keystone.db' do
 expect(chef_run).to delete_file('/var/lib/keystone/keystone.db')
 end
@@ -259,21 +178,6 @@ describe 'openstack-identity::server-apache' do
 end
 end
- describe 'with {certfile,keyfile,ca_certs}_url attributes set' do
- before do
- node.set['openstack']['identity']['signing']['certfile_url'] = 'http://www.test.com/signing_cert.pem'
- node.set['openstack']['identity']['signing']['keyfile_url'] = 'http://www.test.com/signing_key.pem'
- node.set['openstack']['identity']['signing']['ca_certs_url'] = 'http://www.test.com/ca.pem'
- end
-
- it 'does not execute' do
- expect(chef_run).to_not run_execute(cmd).with(
- user: 'keystone',
- group: 'keystone'
- )
- end
- end
-
 it 'does not execute when dir exists' do
 expect(FileTest).to receive(:exists?)
 .with('/etc/keystone/ssl/private/signing_key.pem')
@@ -290,7 +194,6 @@ describe 'openstack-identity::server-apache' do
 describe 'keystone.conf' do
 let(:path) { '/etc/keystone/keystone.conf' }
 let(:resource) { chef_run.template(path) }
-
 describe 'file properties' do
 it 'creates /etc/keystone/keystone.conf' do
 expect(chef_run).to create_template(resource.name).with(
@@ -301,167 +204,14 @@ describe 'openstack-identity::server-apache' do
 end
 end
- describe '[eventlet_server_ssl] section' do
- opts = {
- enable: 'True',
- certfile: '/etc/keystone/ssl/certs/sslcert.pem',
- keyfile: '/etc/keystone/ssl/private/sslkey.pem',
- ca_certs: '/etc/keystone/ssl/certs/sslca.pem',
- cert_required: 'false'
- }
- describe 'with ssl enabled' do
- before do
- node.set['openstack']['identity']['ssl']['enabled'] = true
- node.set['openstack']['identity']['ssl']['basedir'] = '/etc/keystone/ssl'
- end
- describe 'with client cert not required' do
- it 'configures ssl options without client certificate' do
- opts.each do |key, val|
- r = line_regexp("#{key} = #{val}")
- expect(chef_run).to render_config_file(path).with_section_content('eventlet_server_ssl', r)
- end
- end
- end
- describe 'with client cert required' do
- before do
- node.set['openstack']['identity']['ssl']['cert_required'] = true
- opts['cert_required'.to_sym] = 'true'
- end
- it 'configures ssl options with client certificate' do
- opts.each do |key, val|
- r = line_regexp("#{key} = #{val}")
- expect(chef_run).to render_config_file(path).with_section_content('eventlet_server_ssl', r)
- end
- end
- end
- end
-
- describe 'without ssl disabled' do
- before { node.set['openstack']['identity']['ssl']['enabled'] = false }
- it 'does not configure ssl options' do
- opts.each do |key|
- expect(chef_run).not_to render_config_file(path).with_section_content('eventlet_server_ssl', /^#{key} = /)
- end
- end
- end
- end
-
- describe '[saml] section' do
- describe 'saml attributes' do
- saml_default_attrs = %w(assertion_expiration_time=3600
- xmlsec1_binary=xmlsec1
- certfile=
- keyfile=)
- it 'default saml attributes' do
- saml_default_attrs.each do |attr|
- default_value = /^#{attr}$/
- expect(chef_run).to render_config_file(path).with_section_content('saml', default_value)
- end
- end
-
- saml_override_attrs = %w(assertion_expiration_time
- xmlsec1_binary
- certfile
- keyfile)
- it 'override saml attributes' do
- saml_override_attrs.each do |attr|
- node.set['openstack']['identity']['saml']["#{attr}"] = "value_for_#{attr}"
- override_value = /^#{attr}=value_for_#{attr}$/
- expect(chef_run).to render_config_file(path).with_section_content('saml', override_value)
- end
- end
- end
-
- describe 'optional saml ipd attributes' do
- optional_attrs = %w(idp_entity_id idp_sso_endpoint idp_lang
- idp_organization_name idp_organization_display_name
- idp_organization_url idp_contact_company idp_contact_name
- idp_contact_surname idp_contact_email idp_contact_telephone
- idp_contact_type idp_metadata_path)
- it 'empty default ipd attributes' do
- optional_attrs.each do |attr|
- default_value = /^#{attr}=$/
- expect(chef_run).to render_config_file(path).with_section_content('saml', default_value)
- end
- end
-
- it 'overridden ipd attributes' do
- optional_attrs.each do |attr|
- node.set['openstack']['identity']['saml']["#{attr}"] = "value_for_#{attr}"
- override_value = /^#{attr}=value_for_#{attr}$/
- expect(chef_run).to render_config_file(path).with_section_content('saml', override_value)
- end
- end
- end
- end
-
 it 'has no list_limits by default' do
- expect(chef_run).not_to render_config_file(path).with_section_content('DEFAULT', /^list_limit=/)
- end
-
- it 'sets list limits correctly' do
- node.set['openstack']['identity']['list_limit'] = 111
- node.set['openstack']['identity']['assignment']['list_limit'] = 222
- node.set['openstack']['identity']['catalog']['list_limit'] = 333
- node.set['openstack']['identity']['identity']['list_limit'] = 444
- node.set['openstack']['identity']['policy']['list_limit'] = 555
- expect(chef_run).to render_config_file(path).with_section_content('DEFAULT', /^list_limit=111$/)
- expect(chef_run).to render_config_file(path).with_section_content('assignment', /^list_limit=222$/)
- expect(chef_run).to render_config_file(path).with_section_content('catalog', /^list_limit=333$/)
- expect(chef_run).to render_config_file(path).with_section_content('identity', /^list_limit=444$/)
- expect(chef_run).to render_config_file(path).with_section_content('policy', /^list_limit=555$/)
- end
-
- it 'templates misc_keystone array correctly' do
- node.set['openstack']['identity']['misc_keystone'] = ['MISC1=OPTION1', 'MISC2=OPTION2']
- expect(chef_run).to render_file(path).with_content(
- /^MISC1=OPTION1$/)
- expect(chef_run).to render_file(path).with_content(
- /^MISC2=OPTION2$/)
- end
-
- describe '[eventlet_server] section' do
- it 'has default worker values' do
- expect(chef_run).not_to render_config_file(path).with_section_content('eventlet_server', /^admin_workers=/)
- expect(chef_run).not_to render_config_file(path).with_section_content('eventlet_server', /^public_workers=/)
- end
-
- it 'has specific worker values' do
- node.set['openstack']['identity']['admin_workers'] = 123
- node.set['openstack']['identity']['public_workers'] = 456
- expect(chef_run).to render_config_file(path).with_section_content('eventlet_server', /^admin_workers=123$/)
- expect(chef_run).to render_config_file(path).with_section_content('eventlet_server', /^public_workers=456$/)
- end
-
- it 'has bind host from endpoint' do
- r = line_regexp('public_bind_host = 127.0.0.1')
- expect(chef_run).to render_config_file(path).with_section_content('eventlet_server', r)
- end
-
- it 'has admin bind host from endpoint' do
- r = line_regexp('admin_bind_host = 127.0.0.1')
- expect(chef_run).to render_config_file(path).with_section_content('eventlet_server', r)
- end
-
- describe 'port numbers' do
- ['public_port = 5000', 'admin_port = 35357'].each do |port|
- it "has #{port}" do
- expect(chef_run).to render_config_file(path).with_section_content('eventlet_server', /^#{port}$/)
- end
- end
- end
+ expect(chef_run).not_to render_config_file(path).with_section_content('DEFAULT', /^list_limit = /)
 end
 it 'has rpc_backend set for rabbit' do
- node.set['openstack']['mq']['service_type'] = 'rabbitmq'
 expect(chef_run).to render_config_file(path).with_section_content('DEFAULT', /^rpc_backend = rabbit$/)
 end
- it 'has rpc_backend set for qpid' do
- node.set['openstack']['mq']['service_type'] = 'qpid'
- expect(chef_run).to render_config_file(path).with_section_content('DEFAULT', /^rpc_backend = qpid$/)
- end
-
 describe '[DEFAULT] section' do
 it 'has admin token' do
 r = line_regexp('admin_token = bootstrap-token')
@@ -469,16 +219,16 @@ describe 'openstack-identity::server-apache' do
 end
 describe 'logging verbosity' do
- ['verbose', 'debug'].each do |x|
+ ['verbose'].each do |x|
 it "has #{x} option" do
- r = line_regexp("#{x} = False")
+ r = line_regexp("#{x} = false")
 expect(chef_run).to render_config_file(path).with_section_content('DEFAULT', r)
 end
 end
 end
 describe 'syslog configuration' do
- log_file = %r{^log_file = /\w+}
+ log_file = %r{^log_dir = /var/log/keystone$}
 log_conf = %r{^log_config_append = /\w+}
 it 'renders log_file correctly' do
@@ -494,18 +244,6 @@ describe 'openstack-identity::server-apache' do
 end
 end
- it 'has default for oslo.messaging configuration' do
- [/^notification_driver = messaging$/,
- /^notification_topics = notifications$/,
- /^rpc_thread_pool_size = 64$/,
- /^rpc_response_timeout = 60$/,
- /^rpc_backend = rabbit$/,
- /^control_exchange = openstack$/
- ].each do |line|
- expect(chef_run).to render_config_file(path).with_section_content('DEFAULT', line)
- end
- end
-
 it 'has correct endpoints' do
 # values correspond to node attrs set in chef_run above
 pub = line_regexp('public_endpoint = http://127.0.0.1:5000/')
@@ -553,7 +291,7 @@ describe 'openstack-identity::server-apache' do
 it 'does not configure attributes' do
 optional_attrs.each do |a|
- r = /^#{Regexp.quote(a)} =$/
+ r = /^#{Regexp.quote(a)} = $/
 expect(chef_run).not_to render_config_file(path).with_section_content('ldap', r)
 end
 end
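Review bot: In the `@@ -469,16 +219,16 @@` hunk the local is still called `log_file` although its regex now matches `log_dir = /var/log/keystone`, and the example description `it 'renders log_file correctly'` on the last context line repeats the stale name, so a failure would point at an option that is no longer asserted. Rename both, e.g. `log_dir = %r{^log_dir = /var/log/keystone$}` and `it 'renders log_dir correctly' do`. Dropping `'debug'` from the verbosity loop also means the `debug` default is no longer checked in this file; if the new template still renders it, a one-line example would keep that covered. The `describe 'syslog configuration'` block continues outside the hunk.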
@@ -571,77 +309,9 @@ describe 'openstack-identity::server-apache' do
 before do
 node.set['openstack']['identity']['ldap']['use_tls'] = true
 end
-
- context 'when cert paths are configured' do
- it 'has a tls_cacertfile when configured' do
- node.set['openstack']['identity']['ldap']['tls_cacertfile'] = 'tls_cacertfile_value'
- expect(chef_run).to render_config_file(path).with_section_content('ldap', /^tls_cacertfile = tls_cacertfile_value$/)
- expect(chef_run).not_to render_config_file(path).with_section_content('ldap', /^tls_cacertdir = /)
- end
- it 'has a tls_cacertdir when configured and tls_cacertfile unset' do
- node.set['openstack']['identity']['ldap']['tls_cacertfile'] = nil
- node.set['openstack']['identity']['ldap']['tls_cacertdir'] = 'tls_cacertdir_value'
- expect(chef_run).to render_config_file(path).with_section_content('ldap', /^tls_cacertdir = tls_cacertdir_value$/)
- expect(chef_run).not_to render_config_file(path).with_section_content('ldap', /^tls_cacertfile = /)
- end
- end
-
- context 'when tls_req_cert validation disabled' do
- it 'has a tls_req_cert set to never' do
- node.set['openstack']['identity']['ldap']['tls_req_cert'] = 'never'
- expect(chef_run).to render_config_file(path).with_section_content('ldap', /^tls_req_cert = never$/)
- end
- end
 end
 end
 end
-
- it 'has required attributes' do
- required_attrs = %w(alias_dereferencing allow_subtree_delete
- dumb_member group_allow_create group_allow_delete
- group_allow_update group_desc_attribute
- group_id_attribute
- group_member_attribute group_name_attribute
- group_objectclass page_size query_scope
- role_allow_create role_allow_delete
- role_allow_update role_id_attribute
- role_member_attribute role_name_attribute
- role_objectclass suffix project_allow_create
- project_allow_delete project_allow_update
- project_desc_attribute project_domain_id_attribute
- project_enabled_attribute project_enabled_emulation
- project_id_attribute project_member_attribute
- project_name_attribute project_objectclass url
- use_dumb_member user user_allow_create
- user_allow_delete user_allow_update
- user_attribute_ignore
- user_enabled_attribute user_enabled_default
- user_enabled_emulation user_enabled_mask
- user_id_attribute user_mail_attribute
- user_name_attribute user_objectclass
- user_pass_attribute)
-
- required_attrs.each do |a|
- expect(chef_run).to render_config_file(path).with_section_content('ldap', /^#{Regexp.quote(a)} = \w+/)
- end
- end
- end
-
- describe '[identity] section' do
- it 'configures driver' do
- r = line_regexp('driver = keystone.identity.backends.sql.Identity')
- expect(chef_run).to render_config_file(path).with_section_content('identity', r)
- end
-
- [
- /^default_domain_id=default$/,
- /^domain_specific_drivers_enabled=false$/,
- %r{^domain_config_dir=/etc/keystone/domains$}
- ].each do |line|
- it "has a #{line.source} line" do
- expect(chef_run).to render_config_file(path).with_section_content('identity', line)
- end
- end
 end
 describe '[assignment] section' do
@@ -665,30 +335,6 @@ describe 'openstack-identity::server-apache' do
 expect(chef_run).to render_config_file(path).with_content(sql)
 expect(chef_run).not_to render_config_file(path).with_section_content('catalog', templated)
 end
-
- it 'configures driver with templated backend' do
- node.set['openstack']['identity']['catalog']['backend'] = 'templated'
-
- expect(chef_run).to render_config_file(path).with_section_content('catalog', templated)
- expect(chef_run).not_to render_config_file(path).with_section_content('catalog', sql)
- end
- end
-
- describe '[token] section' do
- it 'configures driver' do
- r = line_regexp('driver = keystone.token.persistence.backends.sql.Token')
- expect(chef_run).to render_config_file(path).with_section_content('token', r)
- end
-
- it 'sets token expiration time' do
- r = line_regexp('expiration = 3600')
- expect(chef_run).to render_config_file(path).with_section_content('token', r)
- end
-
- it 'sets token hash algorithm' do
- r = line_regexp('hash_algorithm = md5')
- expect(chef_run).to render_config_file(path).with_section_content('token', r)
- end
 end
 describe '[policy] section' do
@@ -698,118 +344,15 @@ describe 'openstack-identity::server-apache' do
 end
 end
- describe '[signing] section' do
- opts = {
- certfile: '/etc/keystone/ssl/certs/signing_cert.pem',
- keyfile: '/etc/keystone/ssl/private/signing_key.pem',
- ca_certs: '/etc/keystone/ssl/certs/ca.pem',
- key_size: '2048',
- valid_days: '3650',
- ca_password: nil
- }
-
- describe 'with pki' do
- it 'configures cert options' do
- opts.each do |key, val|
- r = line_regexp("#{key} = #{val}")
- expect(chef_run).to render_config_file(path).with_section_content('signing', r)
- end
- end
- end
-
- describe 'without pki' do
- before { node.set['openstack']['auth']['strategy'] = 'uuid' }
- it 'does not configure cert options' do
- opts.each do |key|
- expect(chef_run).not_to render_config_file(path).with_section_content('signing', /^#{key} = /)
- end
- end
- end
- end
-
- describe '[oslo_messaging_qpid] section' do
- it 'has defaults for oslo_messaging_qpid section' do
- node.set['openstack']['mq']['service_type'] = 'qpid'
- [/^amqp_durable_queues = false$/,
- /^amqp_auto_delete = false$/,
- /^rpc_conn_pool_size = 30$/,
- /^qpid_hostname = 127.0.0.1$/,
- /^qpid_port = 5672$/,
- /^qpid_username = guest$/,
- /^qpid_password = guest$/,
- /^qpid_sasl_mechanisms = $/,
- /^qpid_heartbeat = 60$/,
- /^qpid_protocol = tcp$/,
- /^qpid_tcp_nodelay = true$/,
- /^qpid_topology_version = 1$/
- ].each do |line|
- expect(chef_run).to render_config_file(path).with_section_content('oslo_messaging_qpid', line)
- end
- end
- end
-
 describe '[oslo_messaging_rabbit] section' do
 it 'has defaults for oslo_messaging_rabbit section' do
- [/^amqp_durable_queues = false$/,
- /^amqp_auto_delete = false$/,
- /^heartbeat_timeout_threshold=0$/,
- /^heartbeat_rate=2$/,
- /^rpc_conn_pool_size = 30$/,
- /^rabbit_host = 127.0.0.1$/,
- /^rabbit_port = 5672$/,
- /^rabbit_userid = guest$/,
- /^rabbit_password = guest$/,
- %r{^rabbit_virtual_host = /$},
- /^rabbit_max_retries = 0$/,
- /^rabbit_retry_interval = 1$/
+ [
+ /^rabbit_userid = guest$/,
+ /^rabbit_password = guest$/
 ].each do |line|
 expect(chef_run).to render_config_file(path).with_section_content('oslo_messaging_rabbit', line)
 end
 end
- it 'has defaults for oslo_messaging_rabbit section with ha' do
- node.set['openstack']['mq']['identity']['rabbit']['ha'] = true
- [/^amqp_durable_queues = false$/,
- /^amqp_auto_delete = false$/,
- /^rpc_conn_pool_size = 30$/,
- /^rabbit_hosts = rabbit_servers_value$/,
- /^rabbit_userid = guest$/,
- /^rabbit_password = guest$/,
- %r{^rabbit_virtual_host = /$},
- /^rabbit_ha_queues = true$/
- ].each do |line|
- expect(chef_run).to render_config_file(path).with_section_content('oslo_messaging_rabbit', line)
- end
- end
- it 'does not have ssl config set' do
- [/^rabbit_use_ssl=/,
- /^kombu_ssl_version=/,
- /^kombu_ssl_keyfile=/,
- /^kombu_ssl_certfile=/,
- /^kombu_ssl_ca_certs=/,
- /^kombu_reconnect_delay=/,
- /^kombu_reconnect_timeout=/].each do |line|
- expect(chef_run).not_to render_config_file(path).with_section_content('oslo_messaging_rabbit', line)
- end
- end
-
- it 'sets ssl config' do
- node.set['openstack']['mq']['identity']['rabbit']['use_ssl'] = true
- node.set['openstack']['mq']['identity']['rabbit']['kombu_ssl_version'] = 'TLSv1.2'
- node.set['openstack']['mq']['identity']['rabbit']['kombu_ssl_keyfile'] = 'keyfile'
- node.set['openstack']['mq']['identity']['rabbit']['kombu_ssl_certfile'] = 'certfile'
- node.set['openstack']['mq']['identity']['rabbit']['kombu_ssl_ca_certs'] = 'certsfile'
- node.set['openstack']['mq']['identity']['rabbit']['kombu_reconnect_delay'] = 123.123
- node.set['openstack']['mq']['identity']['rabbit']['kombu_reconnect_timeout'] = 123
- [/^rabbit_use_ssl=true/,
- /^kombu_ssl_version=TLSv1.2$/,
- /^kombu_ssl_keyfile=keyfile$/,
- /^kombu_ssl_certfile=certfile$/,
- /^kombu_ssl_ca_certs=certsfile$/,
- /^kombu_reconnect_delay=123.123$/,
- /^kombu_reconnect_timeout=123$/].each do |line|
- expect(chef_run).to render_config_file(path).with_section_content('oslo_messaging_rabbit', line)
- end
- end
 end
 end
@@ -821,21 +364,6 @@ describe 'openstack-identity::server-apache' do
 expect(chef_run).not_to render_file(file)
 end
 end
-
- describe 'with templated backend' do
- before do
- node.set['openstack']['identity']['catalog']['backend'] = 'templated'
- end
- let(:template) { chef_run.template(file) }
-
- it 'creates /etc/keystone/default_catalog.templates' do
- expect(chef_run).to create_template(template.name).with(
- user: 'keystone',
- group: 'keystone',
- mode: 0644
- )
- end
- end
 end
 describe 'db_sync' do
@@ -883,11 +411,11 @@ describe 'openstack-identity::server-apache' do
 expect(chef_run).to render_file(path).with_content(/^pipeline = service_v3$/)
 end
 it 'template misc_paste array correctly' do
- node.set['openstack']['identity']['misc_paste'] = ['MISC1=OPTION1', 'MISC2=OPTION2']
+ node.set['openstack']['identity']['misc_paste'] = ['MISC1 = OPTION1', 'MISC2 = OPTION2']
 expect(chef_run).to render_file(path).with_content(
- /^MISC1=OPTION1$/)
+ /^MISC1 = OPTION1$/)
 expect(chef_run).to render_file(path).with_content(
- /^MISC2=OPTION2$/)
+ /^MISC2 = OPTION2$/)
 end
 end
@@ -912,8 +440,10 @@ describe 'openstack-identity::server-apache' do
 end
 it 'set apache addresses and ports' do
- expect(chef_run.node['apache']['listen_addresses']).to eq ['127.0.0.1']
- expect(chef_run.node['apache']['listen_ports']).to eq [5000, 35357]
+ expect(chef_run.node['apache']['listen']).to eq(
+ '*' => ['80'],
+ '127.0.0.1' => ['5000', '5001', '35357']
+ )
 end
 describe 'apache recipes' do
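Review bot: The surviving `[oslo_messaging_rabbit]` example now checks only `rabbit_userid` and `rabbit_password`; with the `does not have ssl config set` and `sets ssl config` examples removed, nothing in this file asserts how `rabbit_use_ssl` and the `kombu_ssl_*` options are rendered. If the new keystone.conf template still emits them from `node['openstack']['mq']['identity']['rabbit']`, keep one positive and one negative example so a broker-TLS setting cannot be dropped unnoticed; if that rendering moved to the common cookbook, a comment such as `# rabbit TLS options are rendered and tested by openstack-common` would explain the gap. The `describe 'keystone.conf'` block this sits in starts outside the hunk.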
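Review bot: In the `@@ -912,8 +440,10 @@` hunk the new expectation pins `'*' => ['80']` next to the keystone ports, i.e. the converged node still has apache listening on plain port 80 on every interface; that looks like the apache2 cookbook's default leaking through rather than something the identity recipe needs. If it is unintended, have the recipe set `node.default['apache']['listen']` to just the keystone addresses and drop the `'*' => ['80']` entry from the spec; if it is intended, a comment such as `# port 80 is the apache2 cookbook default and is deliberately left in place` would stop the next reader from treating it as a keystone port. The `describe 'apache recipes'` block begins after the hunk.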
@@ -975,23 +505,6 @@ describe 'openstack-identity::server-apache' do
 expect(chef_run).not_to render_file(file).with_content(line)
 end
 end
-
- it "configures #{file} triggered common lines" do
- node.set['openstack']['identity']['debug'] = 'True'
- node.set['openstack']['identity']['ssl']['cert_required'] = true
- node.set['openstack']['identity']['ssl']['enabled'] = true
- node.set['openstack']['identity']['ssl']['ciphers'] = 'ciphers'
- [/^ LogLevel debug$/,
- /^ SSLEngine On$/,
- %r{^ SSLCertificateFile /etc/keystone/ssl/certs/sslcert.pem$},
- %r{^ SSLCertificateKeyFile /etc/keystone/ssl/private/sslkey.pem$},
- %r{^ SSLCACertificatePath /etc/keystone/ssl/certs/$},
- /^ SSLProtocol All -SSLv2 -SSLv3$/,
- /^ SSLCipherSuite ciphers$/,
- /^ SSLVerifyClient require$/].each do |line|
- expect(chef_run).to render_file(file).with_content(line)
- end
- end
 end
 describe 'keystone-public.conf' do
diff --git a/spec/server-redhat_spec.rb b/spec/server-redhat_spec.rb
deleted file mode 100644
index 9a3c0f8..0000000
--- a/spec/server-redhat_spec.rb
+++ /dev/null
@@ -1,58 +0,0 @@ -# encoding: UTF-8 -# - -require_relative 'spec_helper' - -describe 'openstack-identity::server' do - describe 'redhat' do - let(:runner) { ChefSpec::SoloRunner.new(REDHAT_OPTS) } - let(:node) { runner.node } - let(:chef_run) { runner.converge(described_recipe) } - - include_context 'identity_stubs' - - it 'converges when configured to use sqlite db backend' do - node.set['openstack']['db']['identity']['service_type'] = 'sqlite' - expect { chef_run }.to_not raise_error - end - - it 'upgrades mysql python packages' do - expect(chef_run).to upgrade_package('identity cookbook package MySQL-python') - end - - it 'upgrades postgresql python packages if explicitly told' do - node.set['openstack']['db']['identity']['service_type'] = 'postgresql' - expect(chef_run).to upgrade_package('identity cookbook package python-psycopg2') - end - - it 'upgrades memcache python packages' do - expect(chef_run).to upgrade_package('identity cookbook package python-memcached') - end - - it 'upgrades keystone packages' do - expect(chef_run).to upgrade_package('identity cookbook package openstack-keystone') - end - - it 'starts keystone on boot' do - expect(chef_run).to enable_service('openstack-keystone') - end - - describe 'keystone-paste.ini' do - before { node.set['openstack']['identity']['pastefile_url'] = 'file:///usr/share/keystone/keystone-dist-paste.ini' } - paste_file = '/etc/keystone/keystone-paste.ini' - let(:file_resource) { chef_run.remote_file(paste_file) } - - it 'copies local keystone-dist-paste.ini when keystone-paste pastefile_url is specified' do - expect(chef_run).to create_remote_file_if_missing(paste_file).with( - source: 'file:///usr/share/keystone/keystone-dist-paste.ini', - user: 'keystone', - group: 'keystone', - mode: 00644) - end - - it 'restarts keystone when keystone-paste.ini is created' do - expect(file_resource).to notify('service[keystone]').to(:restart) - end - end - end -end 
diff --git a/spec/server-suse_spec.rb b/spec/server-suse_spec.rb deleted file mode 100644 index 4f6f93f..0000000 --- a/spec/server-suse_spec.rb +++ /dev/null 
@@ -1,86 +0,0 @@ -# encoding: UTF-8 -# - -require_relative 'spec_helper' - -describe 'openstack-identity::server' do - describe 'suse' do - let(:runner) { ChefSpec::SoloRunner.new(SUSE_OPTS) } - let(:node) { runner.node } - let(:chef_run) { runner.converge(described_recipe) } - - include_context 'identity_stubs' - - it 'converges when configured to use sqlite db backend' do - node.set['openstack']['db']['identity']['service_type'] = 'sqlite' - expect { chef_run }.to_not raise_error - end - - it 'upgrades mysql python packages' do - expect(chef_run).to upgrade_package('identity cookbook package python-mysql') - end - - it 'upgrades postgresql python packages if explicitly told' do - node.set['openstack']['db']['identity']['service_type'] = 'postgresql' - expect(chef_run).to upgrade_package('identity cookbook package python-psycopg2') - end - - it 'upgrades memcache python packages' do - expect(chef_run).to upgrade_package('identity cookbook package python-python-memcached') - end - - it 'upgrades keystone packages' do - expect(chef_run).to upgrade_package('identity cookbook package openstack-keystone') - end - - it 'starts keystone on boot' do - expect(chef_run).to enable_service('openstack-keystone') - end - - describe '/etc/keystone' do - let(:dir) { chef_run.directory('/etc/keystone') } - - it 'has proper owner' do - expect(dir.owner).to eq('openstack-keystone') - expect(dir.group).to eq('openstack-keystone') - end - end - - describe '/etc/keystone/ssl' do - before { node.set['openstack']['auth']['strategy'] = 'pki' } - let(:dir) { chef_run.directory('/etc/keystone/ssl') } - - it 'has proper owner' do - expect(dir.owner).to eq('openstack-keystone') - expect(dir.group).to eq('openstack-keystone') - end - end - - it 'deletes keystone.db' do - expect(chef_run).to delete_file('/var/lib/keystone/keystone.db') - end - - describe 'keystone.conf' do - let(:template) { chef_run.template '/etc/keystone/keystone.conf' } - - it 'has proper owner' do - 
expect(template.owner).to eq('openstack-keystone') - expect(template.group).to eq('openstack-keystone') - end - end - - describe 'default_catalog.templates' do - before do - node.set['openstack']['identity']['catalog']['backend'] = 'templated' - end - let(:template) do - chef_run.template('/etc/keystone/default_catalog.templates') - end - - it 'has proper owner' do - expect(template.owner).to eq('openstack-keystone') - expect(template.group).to eq('openstack-keystone') - end - end - end -end diff --git a/spec/server_spec.rb b/spec/server_spec.rb deleted file mode 100644 index 58e1dbd..0000000 --- a/spec/server_spec.rb +++ /dev/null 
@@ -1,1042 +0,0 @@ -# encoding: UTF-8 -# - -require_relative 'spec_helper' - -describe 'openstack-identity::server' do - describe 'ubuntu' do - let(:runner) { ChefSpec::SoloRunner.new(UBUNTU_OPTS) } - let(:node) { runner.node } - let(:chef_run) do - node.set_unless['openstack']['endpoints']['identity-bind'] = { - 'host' => '127.0.1.1' - } - node.set_unless['openstack']['endpoints']['identity-api'] = { - 'host' => '127.0.1.1', - 'port' => '5000', - 'scheme' => 'https' - } - node.set_unless['openstack']['endpoints']['identity-admin'] = { - 'host' => '127.0.1.1', - 'port' => '35357', - 'scheme' => 'https' - } - node.set_unless['openstack']['endpoints']['identity-admin-bind'] = { - 'host' => '127.0.1.1', - 'port' => '35357' - } - - runner.converge(described_recipe) - end - - include Helpers - include_context 'identity_stubs' - - it 'runs logging recipe if node attributes say to' do - node.set['openstack']['identity']['syslog']['use'] = true - expect(chef_run).to include_recipe('openstack-common::logging') - end - - it 'does not run logging recipe' do - expect(chef_run).not_to include_recipe('openstack-common::logging') - end - - it 'converges when configured to use sqlite db backend' do - node.set['openstack']['db']['identity']['service_type'] = 'sqlite' - expect { chef_run }.to_not raise_error - end - - it 'upgrades mysql python packages' do - expect(chef_run).to upgrade_package('identity cookbook package python-mysqldb') - end - - it 'upgrades postgresql python packages if explicitly told' do - node.set['openstack']['db']['identity']['service_type'] = 'postgresql' - expect(chef_run).to upgrade_package('identity cookbook package python-psycopg2') - end - - it 'upgrades memcache python packages' do - expect(chef_run).to upgrade_package('identity cookbook package python-memcache') - end - - it 'upgrades keystone packages' do - expect(chef_run).to upgrade_package('identity cookbook package keystone') - end - - it 'starts keystone on boot' do - expect(chef_run).to 
enable_service('keystone') - end - - describe 'sleep on keystone service enable' do - let(:sleep) { chef_run.execute('Keystone: sleep') } - - it 'has sleep notified to run' do - expect(chef_run.service('keystone')).to notify( - "execute[#{sleep.name}]").to(:run) - end - - it 'has correct sleep seconds' do - expect(sleep.command).to eq('sleep 10') - end - end - - it 'has flush tokens cronjob running every day at 3:30am' do - expect(chef_run).to create_cron('keystone-manage-token-flush').with_command(/keystone-manage token_flush/) - expect(chef_run).to create_cron('keystone-manage-token-flush').with_minute('0') - expect(chef_run).to create_cron('keystone-manage-token-flush').with_hour('*') - expect(chef_run).to create_cron('keystone-manage-token-flush').with_day('*') - expect(chef_run).to create_cron('keystone-manage-token-flush').with_weekday('*') - end - - it 'deletes flush tokens cronjob when tokens backend is not sql' do - node.set['openstack']['identity']['token']['backend'] = 'notsql' - expect(chef_run).to delete_cron('keystone-manage-token-flush') - end - - describe '/etc/keystone' do - let(:dir) { chef_run.directory('/etc/keystone') } - - it 'creates directory /etc/keystone' do - expect(chef_run).to create_directory(dir.name).with( - user: 'keystone', - group: 'keystone', - mode: 00700 - ) - end - end - - describe '/etc/keystone/domains' do - let(:dir) { '/etc/keystone/domains' } - - it 'does not create /etc/keystone/domains by default' do - expect(chef_run).not_to create_directory(dir) - end - - it 'creates /etc/keystone/domains when domain_specific_drivers_enabled enabled' do - node.set['openstack']['identity']['identity']['domain_specific_drivers_enabled'] = true - expect(chef_run).to create_directory(dir).with( - user: 'keystone', - group: 'keystone', - mode: 00700 - ) - end - end - - describe 'ssl directories' do - let(:ssl_dir) { '/etc/keystone/ssl' } - let(:certs_dir) { "#{ssl_dir}/certs" } - let(:private_dir) { "#{ssl_dir}/private" } - - describe 
'without pki' do - before { node.set['openstack']['auth']['strategy'] = 'uuid' } - - it 'does not create /etc/keystone/ssl' do - expect(chef_run).not_to create_directory(ssl_dir) - end - - it 'does not create /etc/keystone/ssl/certs' do - expect(chef_run).not_to create_directory(certs_dir) - end - - it 'does not create /etc/keystone/ssl/private' do - expect(chef_run).not_to create_directory(private_dir) - end - end - - describe 'with pki' do - describe '/etc/keystone/ssl' do - let(:dir_resource) { chef_run.directory(ssl_dir) } - - it 'creates /etc/keystone/ssl' do - expect(chef_run).to create_directory(ssl_dir).with( - owner: 'keystone', - group: 'keystone', - mode: 0700 - ) - end - end - - describe '/etc/keystone/ssl/certs' do - let(:dir_resource) { chef_run.directory(certs_dir) } - - it 'creates /etc/keystone/ssl/certs' do - expect(chef_run).to create_directory(certs_dir).with( - user: 'keystone', - group: 'keystone', - mode: 0755 - ) - end - end - - describe '/etc/keystone/ssl/private' do - let(:dir_resource) { chef_run.directory(private_dir) } - - it 'creates /etc/keystone/ssl/private' do - expect(chef_run).to create_directory(private_dir).with( - user: 'keystone', - group: 'keystone', - mode: 0750 - ) - end - end - end - end - - describe 'ssl files' do - describe 'with pki' do - describe 'with {certfile,keyfile,ca_certs}_url attributes set' do - before do - node.set['openstack']['identity']['signing']['certfile_url'] = 'http://www.test.com/signing_cert.pem' - node.set['openstack']['identity']['signing']['keyfile_url'] = 'http://www.test.com/signing_key.pem' - node.set['openstack']['identity']['signing']['ca_certs_url'] = 'http://www.test.com/ca.pem' - end - - describe 'cert file' do - let(:cert_file) { node['openstack']['identity']['signing']['certfile'] } - let(:file_resource) { chef_run.remote_file(cert_file) } - - it 'creates files' do - expect(chef_run).to create_remote_file(cert_file).with( - user: 'keystone', - group: 'keystone', - mode: 0640 - ) - end - 
- it 'notifies keystone restart' do - expect(file_resource).to notify('service[keystone]').to(:restart) - end - end - - describe 'key file' do - let(:key_file) { node['openstack']['identity']['signing']['keyfile'] } - let(:file_resource) { chef_run.remote_file(key_file) } - - it 'creates file' do - expect(chef_run).to create_remote_file(key_file).with( - user: 'keystone', - group: 'keystone', - mode: 0640 - ) - end - - it 'notifies keystone restart' do - expect(file_resource).to notify('service[keystone]').to(:restart) - end - end - - describe 'ca_certs' do - let(:ca_certs) { node['openstack']['identity']['signing']['ca_certs'] } - let(:file_resource) { chef_run.remote_file(ca_certs) } - - it 'creates file' do - expect(chef_run).to create_remote_file(ca_certs).with( - user: 'keystone', - group: 'keystone', - mode: 0640 - ) - end - - it 'notifies keystone restart' do - expect(file_resource).to notify('service[keystone]').to(:restart) - end - end - end - - describe 'without {certfile,keyfile,ca_certs}_url attributes set' do - it 'does not create cert file' do - expect(chef_run).not_to create_remote_file(node['openstack']['identity']['signing']['certfile']) - end - - it 'does not create key file' do - expect(chef_run).not_to create_remote_file(node['openstack']['identity']['signing']['keyfile']) - end - - it 'does not create ca_certs file' do - expect(chef_run).not_to create_remote_file(node['openstack']['identity']['signing']['ca_certs']) - end - end - end - - describe 'without pki' do - before { node.set['openstack']['auth']['strategy'] = 'uuid' } - - it 'does not create cert file' do - expect(chef_run).not_to create_remote_file(node['openstack']['identity']['signing']['certfile']) - end - - it 'does not create key file' do - expect(chef_run).not_to create_remote_file(node['openstack']['identity']['signing']['keyfile']) - end - - it 'does not create ca_certs file' do - expect(chef_run).not_to create_remote_file(node['openstack']['identity']['signing']['ca_certs']) - 
end - end - end - - it 'deletes keystone.db' do - expect(chef_run).to delete_file('/var/lib/keystone/keystone.db') - end - - it 'does not delete keystone.db when configured to use sqlite' do - node.set['openstack']['db']['identity']['service_type'] = 'sqlite' - expect(chef_run).not_to delete_file('/var/lib/keystone/keystone.db') - end - - describe 'pki setup' do - let(:cmd) { 'keystone-manage pki_setup' } - - describe 'without pki' do - before { node.set['openstack']['auth']['strategy'] = 'uuid' } - it 'does not execute' do - expect(chef_run).to_not run_execute(cmd).with( - user: 'keystone', - group: 'keystone' - ) - end - end - - describe 'with pki' do - describe 'without {certfile,keyfile,ca_certs}_url attributes set' do - it 'executes' do - expect(FileTest).to receive(:exists?) - .with('/etc/keystone/ssl/private/signing_key.pem') - .and_return(false) - - expect(chef_run).to run_execute(cmd).with( - user: 'keystone', - group: 'keystone' - ) - end - end - - describe 'with {certfile,keyfile,ca_certs}_url attributes set' do - before do - node.set['openstack']['identity']['signing']['certfile_url'] = 'http://www.test.com/signing_cert.pem' - node.set['openstack']['identity']['signing']['keyfile_url'] = 'http://www.test.com/signing_key.pem' - node.set['openstack']['identity']['signing']['ca_certs_url'] = 'http://www.test.com/ca.pem' - end - - it 'does not execute' do - expect(chef_run).to_not run_execute(cmd).with( - user: 'keystone', - group: 'keystone' - ) - end - end - - it 'does not execute when dir exists' do - expect(FileTest).to receive(:exists?) 
- .with('/etc/keystone/ssl/private/signing_key.pem') - .and_return(true) - - expect(chef_run).not_to run_execute(cmd).with( - user: 'keystone', - group: 'keystone' - ) - end - end - end - - describe 'keystone.conf' do - let(:path) { '/etc/keystone/keystone.conf' } - let(:resource) { chef_run.template(path) } - - describe 'file properties' do - it 'creates /etc/keystone/keystone.conf' do - expect(chef_run).to create_template(resource.name).with( - user: 'keystone', - group: 'keystone', - mode: 0640 - ) - end - end - - describe '[eventlet_server_ssl] section' do - opts = { - enable: 'True', - certfile: '/etc/keystone/ssl/certs/sslcert.pem', - keyfile: '/etc/keystone/ssl/private/sslkey.pem', - ca_certs: '/etc/keystone/ssl/certs/sslca.pem', - cert_required: 'false' - } - describe 'with ssl enabled' do - before do - node.set['openstack']['identity']['ssl']['enabled'] = true - node.set['openstack']['identity']['ssl']['basedir'] = '/etc/keystone/ssl' - end - describe 'with client cert not required' do - it 'configures ssl options without client certificate' do - opts.each do |key, val| - r = line_regexp("#{key} = #{val}") - expect(chef_run).to render_config_file(path).with_section_content('eventlet_server_ssl', r) - end - end - end - describe 'with client cert required' do - before do - node.set['openstack']['identity']['ssl']['cert_required'] = true - opts['cert_required'.to_sym] = 'true' - end - it 'configures ssl options with client certificate' do - opts.each do |key, val| - r = line_regexp("#{key} = #{val}") - expect(chef_run).to render_config_file(path).with_section_content('eventlet_server_ssl', r) - end - end - end - end - - describe 'without ssl disabled' do - before { node.set['openstack']['identity']['ssl']['enabled'] = false } - it 'does not configure ssl options' do - opts.each do |key| - expect(chef_run).not_to render_config_file(path).with_section_content('eventlet_server_ssl', /^#{key} = /) - end - end - end - end - - describe '[saml] section' do - 
describe 'saml attributes' do - saml_default_attrs = %w(assertion_expiration_time=3600 - xmlsec1_binary=xmlsec1 - certfile= - keyfile=) - it 'default saml attributes' do - saml_default_attrs.each do |attr| - default_value = /^#{attr}$/ - expect(chef_run).to render_config_file(path).with_section_content('saml', default_value) - end - end - - saml_override_attrs = %w(assertion_expiration_time - xmlsec1_binary - certfile - keyfile) - it 'override saml attributes' do - saml_override_attrs.each do |attr| - node.set['openstack']['identity']['saml']["#{attr}"] = "value_for_#{attr}" - override_value = /^#{attr}=value_for_#{attr}$/ - expect(chef_run).to render_config_file(path).with_section_content('saml', override_value) - end - end - end - - describe 'optional saml ipd attributes' do - optional_attrs = %w(idp_entity_id idp_sso_endpoint idp_lang - idp_organization_name idp_organization_display_name - idp_organization_url idp_contact_company idp_contact_name - idp_contact_surname idp_contact_email idp_contact_telephone - idp_contact_type idp_metadata_path) - it 'empty default ipd attributes' do - optional_attrs.each do |attr| - default_value = /^#{attr}=$/ - expect(chef_run).to render_config_file(path).with_section_content('saml', default_value) - end - end - - it 'overridden ipd attributes' do - optional_attrs.each do |attr| - node.set['openstack']['identity']['saml']["#{attr}"] = "value_for_#{attr}" - override_value = /^#{attr}=value_for_#{attr}$/ - expect(chef_run).to render_config_file(path).with_section_content('saml', override_value) - end - end - end - end - - it 'has no list_limits by default' do - expect(chef_run).not_to render_config_file(path).with_section_content('DEFAULT', /^list_limit=/) - end - - it 'sets list limits correctly' do - node.set['openstack']['identity']['list_limit'] = 111 - node.set['openstack']['identity']['assignment']['list_limit'] = 222 - node.set['openstack']['identity']['catalog']['list_limit'] = 333 - 
node.set['openstack']['identity']['identity']['list_limit'] = 444 - node.set['openstack']['identity']['policy']['list_limit'] = 555 - expect(chef_run).to render_config_file(path).with_section_content('DEFAULT', /^list_limit=111$/) - expect(chef_run).to render_config_file(path).with_section_content('assignment', /^list_limit=222$/) - expect(chef_run).to render_config_file(path).with_section_content('catalog', /^list_limit=333$/) - expect(chef_run).to render_config_file(path).with_section_content('identity', /^list_limit=444$/) - expect(chef_run).to render_config_file(path).with_section_content('policy', /^list_limit=555$/) - end - - it 'templates misc_keystone array correctly' do - node.set['openstack']['identity']['misc_keystone'] = ['MISC1=OPTION1', 'MISC2=OPTION2'] - expect(chef_run).to render_file(path).with_content( - /^MISC1=OPTION1$/) - expect(chef_run).to render_file(path).with_content( - /^MISC2=OPTION2$/) - end - - it 'notifies keystone restart' do - expect(resource).to notify('service[keystone]').to(:restart) - end - - describe '[eventlet_server] section' do - it 'has default worker values' do - expect(chef_run).not_to render_config_file(path).with_section_content('eventlet_server', /^admin_workers=/) - expect(chef_run).not_to render_config_file(path).with_section_content('eventlet_server', /^public_workers=/) - end - - it 'has specific worker values' do - node.set['openstack']['identity']['admin_workers'] = 123 - node.set['openstack']['identity']['public_workers'] = 456 - expect(chef_run).to render_config_file(path).with_section_content('eventlet_server', /^admin_workers=123$/) - expect(chef_run).to render_config_file(path).with_section_content('eventlet_server', /^public_workers=456$/) - end - describe 'bind_interface is nil' do - it 'has bind host from endpoint' do - r = line_regexp('public_bind_host = 127.0.1.1') - expect(chef_run).to render_config_file(path).with_section_content('eventlet_server', r) - end - end - - describe 'bind_interface is eth0' 
do - before do - node.set['openstack']['endpoints']['identity-bind']['bind_interface'] = 'eth0' - allow_any_instance_of(Chef::Recipe).to receive(:address_for) - .and_return('10.0.0.2') - end - - it 'has bind host from interface ip' do - r = line_regexp('public_bind_host = 10.0.0.2') - expect(chef_run).to render_config_file(path).with_section_content('eventlet_server', r) - end - end - - describe 'admin bind_interface is nil' do - it 'has admin bind host from endpoint' do - r = line_regexp('admin_bind_host = 127.0.1.1') - expect(chef_run).to render_config_file(path).with_section_content('eventlet_server', r) - end - end - - describe 'admin bind_interface is eth0' do - before do - node.set['openstack']['endpoints']['identity-admin-bind']['bind_interface'] = 'eth0' - allow_any_instance_of(Chef::Recipe).to receive(:address_for) - .and_return('10.0.0.2') - end - - it 'has admin bind host from interface ip' do - r = line_regexp('admin_bind_host = 10.0.0.2') - expect(chef_run).to render_config_file(path).with_section_content('eventlet_server', r) - end - end - - describe 'port numbers' do - ['public_port', 'admin_port'].each do |x| - it "has #{x}" do - expect(chef_run).to render_config_file(path).with_section_content('eventlet_server', /^#{x} = \d+$/) - end - end - end - end - - it 'has rpc_backend set for rabbit' do - node.set['openstack']['mq']['service_type'] = 'rabbitmq' - expect(chef_run).to render_config_file(path).with_section_content('DEFAULT', /^rpc_backend = rabbit$/) - end - - it 'has rpc_backend set for qpid' do - node.set['openstack']['mq']['service_type'] = 'qpid' - expect(chef_run).to render_config_file(path).with_section_content('DEFAULT', /^rpc_backend = qpid$/) - end - - describe '[DEFAULT] section' do - it 'has admin token' do - r = line_regexp('admin_token = bootstrap-token') - expect(chef_run).to render_config_file(path).with_section_content('DEFAULT', r) - end - - describe 'logging verbosity' do - ['verbose', 'debug'].each do |x| - it "has #{x} 
option" do - r = line_regexp("#{x} = False") - expect(chef_run).to render_config_file(path).with_section_content('DEFAULT', r) - end - end - end - - describe 'syslog configuration' do - log_file = %r{^log_file = /\w+} - log_conf = %r{^log_config_append = /\w+} - - it 'renders log_file correctly' do - expect(chef_run).to render_config_file(path).with_section_content('DEFAULT', log_file) - expect(chef_run).not_to render_config_file(path).with_section_content('DEFAULT', log_conf) - end - - it 'renders log_config correctly' do - node.set['openstack']['identity']['syslog']['use'] = true - - expect(chef_run).to render_config_file(path).with_section_content('DEFAULT', log_conf) - expect(chef_run).not_to render_config_file(path).with_section_content('DEFAULT', log_file) - end - end - - it 'has default for oslo.messaging configuration' do - [/^notification_driver = messaging$/, - /^notification_topics = notifications$/, - /^rpc_thread_pool_size = 64$/, - /^rpc_response_timeout = 60$/, - /^rpc_backend = rabbit$/, - /^control_exchange = openstack$/ - ].each do |line| - expect(chef_run).to render_config_file(path).with_section_content('DEFAULT', line) - end - end - - it 'has correct endpoints' do - # values correspond to node attrs set in chef_run above - pub = line_regexp('public_endpoint = https://127.0.1.1:5000/') - adm = line_regexp('admin_endpoint = https://127.0.1.1:35357/') - - expect(chef_run).to render_config_file(path).with_section_content('DEFAULT', pub) - expect(chef_run).to render_config_file(path).with_section_content('DEFAULT', adm) - end - end - - describe '[memcache] section' do - it 'has no servers by default' do - # `Openstack#memcached_servers' is stubbed in spec_helper.rb to - # return an empty array, so we expect an empty `servers' list. 
- r = line_regexp('servers = ') - expect(chef_run).to render_config_file(path).with_section_content('memcache', r) - end - - it 'has servers when hostnames are configured' do - # Re-stub `Openstack#memcached_servers' here - hosts = ['host1:111', 'host2:222'] - r = line_regexp("servers = #{hosts.join(',')}") - - allow_any_instance_of(Chef::Recipe).to receive(:memcached_servers) - .and_return(hosts) - expect(chef_run).to render_config_file(path).with_section_content('memcache', r) - end - end - - describe '[sql] section' do - it 'has a connection' do - r = /^connection = \w+/ - expect(chef_run).to render_config_file(path).with_section_content('database', r) - end - end - - describe '[ldap] section' do - describe 'optional nil attributes' do - optional_attrs = %w(group_tree_dn group_filter user_filter - user_tree_dn user_enabled_emulation_dn - group_attribute_ignore role_attribute_ignore - role_tree_dn role_filter project_tree_dn - project_enabled_emulation_dn project_filter - project_attribute_ignore) - - it 'does not configure attributes' do - optional_attrs.each do |a| - r = /^#{Regexp.quote(a)} =$/ - expect(chef_run).not_to render_config_file(path).with_section_content('ldap', r) - end - end - - context 'ssl settings' do - context 'when use_tls disabled' do - it 'does not set tls_ options if use_tls is disabled' do - [/^tls_cacertfile = /, /^tls_cacertdir = /, /^tls_req_cert = /].each do |setting| - expect(chef_run).not_to render_config_file(path).with_section_content('ldap', setting) - end - end - end - - context 'when use_tls enabled' do - before do - node.set['openstack']['identity']['ldap']['use_tls'] = true - end - - context 'when cert paths are configured' do - it 'has a tls_cacertfile when configured' do - node.set['openstack']['identity']['ldap']['tls_cacertfile'] = 'tls_cacertfile_value' - expect(chef_run).to render_config_file(path).with_section_content('ldap', /^tls_cacertfile = tls_cacertfile_value$/) - expect(chef_run).not_to 
render_config_file(path).with_section_content('ldap', /^tls_cacertdir = /) - end - it 'has a tls_cacertdir when configured and tls_cacertfile unset' do - node.set['openstack']['identity']['ldap']['tls_cacertfile'] = nil - node.set['openstack']['identity']['ldap']['tls_cacertdir'] = 'tls_cacertdir_value' - expect(chef_run).to render_config_file(path).with_section_content('ldap', /^tls_cacertdir = tls_cacertdir_value$/) - expect(chef_run).not_to render_config_file(path).with_section_content('ldap', /^tls_cacertfile = /) - end - end - - context 'when tls_req_cert validation disabled' do - it 'has a tls_req_cert set to never' do - node.set['openstack']['identity']['ldap']['tls_req_cert'] = 'never' - expect(chef_run).to render_config_file(path).with_section_content('ldap', /^tls_req_cert = never$/) - end - end - end - end - end - - it 'has required attributes' do - required_attrs = %w(alias_dereferencing allow_subtree_delete - dumb_member group_allow_create group_allow_delete - group_allow_update group_desc_attribute - group_id_attribute - group_member_attribute group_name_attribute - group_objectclass page_size query_scope - role_allow_create role_allow_delete - role_allow_update role_id_attribute - role_member_attribute role_name_attribute - role_objectclass suffix project_allow_create - project_allow_delete project_allow_update - project_desc_attribute project_domain_id_attribute - project_enabled_attribute project_enabled_emulation - project_id_attribute project_member_attribute - project_name_attribute project_objectclass url - use_dumb_member user user_allow_create - user_allow_delete user_allow_update - user_attribute_ignore - user_enabled_attribute user_enabled_default - user_enabled_emulation user_enabled_mask - user_id_attribute user_mail_attribute - user_name_attribute user_objectclass - user_pass_attribute) - - required_attrs.each do |a| - expect(chef_run).to render_config_file(path).with_section_content('ldap', /^#{Regexp.quote(a)} = \w+/) - end - end - - 
context 'when connection pool enabled' do - before do - node.set['openstack']['identity']['ldap']['use_pool'] = true - end - [ - /use_pool = true/, - /pool_size = 10/, - /pool_retry_max = 3/, - /pool_retry_delay = 0.1/, - /pool_connection_timeout = 3/, - /pool_connection_lifetime = 600/, - /use_auth_pool = false/, - /auth_pool_size = 100/, - /auth_pool_connection_lifetime = 60/ - ].each do |line| - it "has LDAP setting #{line.source}" do - expect(chef_run).to render_config_file(path).with_section_content('ldap', line) - end - end - end - end - - describe '[identity] section' do - it 'configures driver' do - r = line_regexp('driver = keystone.identity.backends.sql.Identity') - expect(chef_run).to render_config_file(path).with_section_content('identity', r) - end - - [ - /^default_domain_id=default$/, - /^domain_specific_drivers_enabled=false$/, - %r{^domain_config_dir=/etc/keystone/domains$} - ].each do |line| - it "has a #{line.source} line" do - expect(chef_run).to render_config_file(path).with_section_content('identity', line) - end - end - end - - describe '[identity_mapping] section' do - it 'has identity_mapping section attributes' do - [ - /^driver = keystone.identity.mapping_backends.sql.Mapping$/, - /^generator = keystone.identity.id_generators.sha256.Generator$/, - /^backward_compatible_ids = True$/ - ].each do |line| - expect(chef_run).to render_config_file(path).with_section_content('identity_mapping', line) - end - end - end - - describe '[assignment] section' do - it 'configures driver' do - r = line_regexp('driver = keystone.assignment.backends.sql.Assignment') - expect(chef_run).to render_config_file(path).with_section_content('assignment', r) - end - end - - describe '[auth] section' do - it 'configures authorization options' do - [ - /^external = keystone.auth.plugins.external.DefaultDomain$/, - /^methods = external, password, token, oauth1$/ - ].each do |line| - expect(chef_run).to render_config_file(path).with_section_content('auth', line) - end 
- end - end - - describe '[catalog] section' do - # use let() to access Helpers#line_regexp method - let(:templated) do - str = 'driver = keystone.catalog.backends.templated.TemplatedCatalog' - line_regexp(str) - end - let(:sql) do - line_regexp('driver = keystone.catalog.backends.sql.Catalog') - end - - it 'configures driver' do - expect(chef_run).to render_config_file(path).with_content(sql) - expect(chef_run).not_to render_config_file(path).with_section_content('catalog', templated) - end - - it 'configures driver with templated backend' do - node.set['openstack']['identity']['catalog']['backend'] = 'templated' - - expect(chef_run).to render_config_file(path).with_section_content('catalog', templated) - expect(chef_run).not_to render_config_file(path).with_section_content('catalog', sql) - end - end - - describe '[token] section' do - it 'configures driver' do - r = line_regexp('driver = keystone.token.persistence.backends.sql.Token') - expect(chef_run).to render_config_file(path).with_section_content('token', r) - end - - it 'sets token expiration time' do - r = line_regexp('expiration = 3600') - expect(chef_run).to render_config_file(path).with_section_content('token', r) - end - - it 'sets token hash algorithm' do - r = line_regexp('hash_algorithm = md5') - expect(chef_run).to render_config_file(path).with_section_content('token', r) - end - end - - describe '[policy] section' do - it 'configures driver' do - r = line_regexp('driver = keystone.policy.backends.sql.Policy') - expect(chef_run).to render_config_file(path).with_section_content('policy', r) - end - end - - describe '[signing] section' do - opts = { - certfile: '/etc/keystone/ssl/certs/signing_cert.pem', - keyfile: '/etc/keystone/ssl/private/signing_key.pem', - ca_certs: '/etc/keystone/ssl/certs/ca.pem', - key_size: '2048', - valid_days: '3650', - ca_password: nil - } - - describe 'with pki' do - it 'configures cert options' do - opts.each do |key, val| - r = line_regexp("#{key} = #{val}") - 
expect(chef_run).to render_config_file(path).with_section_content('signing', r) - end - end - end - - describe 'without pki' do - before { node.set['openstack']['auth']['strategy'] = 'uuid' } - it 'does not configure cert options' do - opts.each do |key| - expect(chef_run).not_to render_config_file(path).with_section_content('signing', /^#{key} = /) - end - end - end - end - - describe '[oslo_messaging_qpid] section' do - it 'has defaults for oslo_messaging_qpid section' do - node.set['openstack']['mq']['service_type'] = 'qpid' - [/^amqp_durable_queues = false$/, - /^amqp_auto_delete = false$/, - /^rpc_conn_pool_size = 30$/, - /^qpid_hostname = 127.0.0.1$/, - /^qpid_port = 5672$/, - /^qpid_username = guest$/, - /^qpid_password = guest$/, - /^qpid_sasl_mechanisms = $/, - /^qpid_heartbeat = 60$/, - /^qpid_protocol = tcp$/, - /^qpid_tcp_nodelay = true$/, - /^qpid_topology_version = 1$/ - ].each do |line| - expect(chef_run).to render_config_file(path).with_section_content('oslo_messaging_qpid', line) - end - end - end - - describe '[oslo_messaging_rabbit] section' do - it 'has defaults for oslo_messaging_rabbit section' do - [/^amqp_durable_queues = false$/, - /^amqp_auto_delete = false$/, - /^heartbeat_timeout_threshold=0$/, - /^heartbeat_rate=2$/, - /^rpc_conn_pool_size = 30$/, - /^rabbit_host = 127.0.0.1$/, - /^rabbit_port = 5672$/, - /^rabbit_userid = guest$/, - /^rabbit_password = guest$/, - %r{^rabbit_virtual_host = /$}, - /^rabbit_max_retries = 0$/, - /^rabbit_retry_interval = 1$/ - ].each do |line| - expect(chef_run).to render_config_file(path).with_section_content('oslo_messaging_rabbit', line) - end - end - it 'has defaults for oslo_messaging_rabbit section with ha' do - node.set['openstack']['mq']['identity']['rabbit']['ha'] = true - [/^amqp_durable_queues = false$/, - /^amqp_auto_delete = false$/, - /^rpc_conn_pool_size = 30$/, - /^rabbit_hosts = rabbit_servers_value$/, - /^rabbit_userid = guest$/, - /^rabbit_password = guest$/, - %r{^rabbit_virtual_host = 
/$},
- /^rabbit_ha_queues = true$/
- ].each do |line|
- expect(chef_run).to render_config_file(path).with_section_content('oslo_messaging_rabbit', line)
- end
- end
- it 'does not have ssl config set' do
- [/^rabbit_use_ssl=/,
- /^kombu_ssl_version=/,
- /^kombu_ssl_keyfile=/,
- /^kombu_ssl_certfile=/,
- /^kombu_ssl_ca_certs=/,
- /^kombu_reconnect_delay=/,
- /^kombu_reconnect_timeout=/].each do |line|
- expect(chef_run).not_to render_config_file(path).with_section_content('oslo_messaging_rabbit', line)
- end
- end
-
- it 'sets ssl config' do
- node.set['openstack']['mq']['identity']['rabbit']['use_ssl'] = true
- node.set['openstack']['mq']['identity']['rabbit']['kombu_ssl_version'] = 'TLSv1.2'
- node.set['openstack']['mq']['identity']['rabbit']['kombu_ssl_keyfile'] = 'keyfile'
- node.set['openstack']['mq']['identity']['rabbit']['kombu_ssl_certfile'] = 'certfile'
- node.set['openstack']['mq']['identity']['rabbit']['kombu_ssl_ca_certs'] = 'certsfile'
- node.set['openstack']['mq']['identity']['rabbit']['kombu_reconnect_delay'] = 123.123
- node.set['openstack']['mq']['identity']['rabbit']['kombu_reconnect_timeout'] = 123
- [/^rabbit_use_ssl=true/,
- /^kombu_ssl_version=TLSv1.2$/,
- /^kombu_ssl_keyfile=keyfile$/,
- /^kombu_ssl_certfile=certfile$/,
- /^kombu_ssl_ca_certs=certsfile$/,
- /^kombu_reconnect_delay=123.123$/,
- /^kombu_reconnect_timeout=123$/].each do |line|
- expect(chef_run).to render_config_file(path).with_section_content('oslo_messaging_rabbit', line)
- end
- end
- end
- end
-
- describe 'default_catalog.templates' do
- let(:file) { '/etc/keystone/default_catalog.templates' }
-
- describe 'without templated backend' do
- it 'does not create' do
- expect(chef_run).not_to render_file(file)
- end
- end
-
- describe 'with templated backend' do
- before do
- node.set['openstack']['identity']['catalog']['backend'] = 'templated'
- end
- let(:template) { chef_run.template(file) }
-
- it 'creates /etc/keystone/default_catalog.templates' do
- expect(chef_run).to 
create_template(template.name).with(
- user: 'keystone',
- group: 'keystone',
- mode: 0644
- )
- end
-
- it 'notifies keystone restart' do
- expect(template).to notify('service[keystone]').to(:restart)
- end
- end
- end
-
- describe 'db_sync' do
- let(:cmd) { 'keystone-manage db_sync' }
-
- it 'runs migrations' do
- expect(chef_run).to run_execute(cmd).with(
- user: 'keystone',
- group: 'keystone'
- )
- end
-
- it 'does not run migrations' do
- node.set['openstack']['db']['identity']['migrate'] = false
- expect(chef_run).not_to run_execute(cmd).with(
- user: 'keystone',
- group: 'keystone'
- )
- end
- end
-
- describe 'keystone-paste.ini as template' do
- let(:path) { '/etc/keystone/keystone-paste.ini' }
- let(:template) { chef_run.template(path) }
-
- it 'creates /etc/keystone/default_catalog.templates' do
- expect(chef_run).to create_template(template.name).with(
- user: 'keystone',
- group: 'keystone',
- mode: 0644
- )
- end
-
- it 'has default api pipeline value' do
- expect(chef_run).to render_file(path).with_content(/^pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension user_crud_extension public_service$/)
- expect(chef_run).to render_file(path).with_content(/^pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension crud_extension admin_service$/)
- expect(chef_run).to render_file(path).with_content(/^pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension oauth1_extension endpoint_filter_extension service_v3$/)
- end
- it 'template api pipeline set correct' do
- node.set['openstack']['identity']['pipeline']['public_api'] = 'public_service'
- node.set['openstack']['identity']['pipeline']['admin_api'] = 'admin_service'
- node.set['openstack']['identity']['pipeline']['api_v3'] = 'service_v3' 
- expect(chef_run).to render_file(path).with_content(/^pipeline = public_service$/)
- expect(chef_run).to render_file(path).with_content(/^pipeline = admin_service$/)
- expect(chef_run).to render_file(path).with_content(/^pipeline = service_v3$/)
- end
- it 'template misc_paste array correctly' do
- node.set['openstack']['identity']['misc_paste'] = ['MISC1=OPTION1', 'MISC2=OPTION2']
- expect(chef_run).to render_file(path).with_content(
- /^MISC1=OPTION1$/)
- expect(chef_run).to render_file(path).with_content(
- /^MISC2=OPTION2$/)
- end
- end
-
- describe 'keystone-paste.ini as remote file' do
- before { node.set['openstack']['identity']['pastefile_url'] = 'http://server/mykeystone-paste.ini' }
- let(:remote_paste) { chef_run.remote_file('/etc/keystone/keystone-paste.ini') }
-
- it 'uses a remote file if pastefile_url is specified' do
- expect(chef_run).to create_remote_file_if_missing('/etc/keystone/keystone-paste.ini').with(
- source: 'http://server/mykeystone-paste.ini',
- user: 'keystone',
- group: 'keystone',
- mode: 00644
- )
- expect(remote_paste).to notify('service[keystone]').to(:restart)
- end
- end
- end
-end
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index ad14029..e76418d 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -5,11 +5,6 @@ require 'chefspec/berkshelf'
 ChefSpec::Coverage.start! { add_filter 'openstack-identity' }
 LOG_LEVEL = :fatal
-SUSE_OPTS = {
- platform: 'suse',
- version: '11.3',
- log_level: LOG_LEVEL
-}
 REDHAT_OPTS = {
 platform: 'redhat',
 version: '7.1',
@@ -55,5 +50,19 @@ shared_context 'identity_stubs' do
 .with('token', 'openstack_identity_bootstrap_token')
 .and_return('bootstrap-token')
 stub_command('/usr/sbin/apache2 -t')
+ allow_any_instance_of(Chef::Recipe).to receive(:search_for)
+ .with('os-identity').and_return(
+ [{
+ 'openstack' => {
+ 'identity' => {
+ 'admin_tenant_name' => 'admin',
+ 'admin_user' => 'admin'
+ }
+ }
+ }]
+ )
+ allow_any_instance_of(Chef::Recipe).to receive(:get_password)
+ .with('user', 'admin')
+ .and_return('admin')
 end
 end
diff --git a/templates/default/keystone.conf.erb b/templates/default/keystone.conf.erb
deleted file mode 100644
index 2a31bb0..0000000
--- a/templates/default/keystone.conf.erb
+++ /dev/null
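Review bot: The two stubs added to `shared_context 'identity_stubs'` carry no comment saying which recipe path depends on them, so a later reader cannot tell why `search_for('os-identity')` has to return a node carrying exactly `admin_tenant_name` and `admin_user`, or why `get_password` is pinned to the arguments `('user', 'admin')`. A one-line comment above the first `allow_any_instance_of`, e.g. `# recipes that render identity credentials look up the identity node and the admin password; stub both so the specs run without a Chef server`, would make the fixture's contract explicit. Because the `get_password` stub is constrained with `.with('user', 'admin')`, a recipe that calls it with any other arguments will presumably fail on an argument mismatch rather than receive a value, which is deliberate strictness worth stating in that comment.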
@@ -1,1157 +0,0 @@ -<%= node["openstack"]["identity"]["custom_template_banner"] %> -[DEFAULT] - -# -# From keystone -# - -# A "shared secret" that can be used to bootstrap Keystone. This "token" does -# not represent a user, and carries no explicit authorization. To disable in -# production (highly recommended), remove AdminTokenAuthMiddleware from your -# paste application pipelines (for example, in keystone-paste.ini). (string -# value) -#admin_token = ADMIN -admin_token = <%= @bootstrap_token %> - -# The base public endpoint URL for Keystone that is advertised to clients -# (NOTE: this does NOT affect how Keystone listens for connections). Defaults -# to the base host URL of the request. E.g. a request to -# http://server:5000/v3/users will default to http://server:5000. You should -# only need to set this value if the base URL contains a path (e.g. /prefix/v3) -# or the endpoint should be found on a different server. (string value) -#public_endpoint = -public_endpoint = <%= @public_endpoint %> - -# The base admin endpoint URL for Keystone that is advertised to clients (NOTE: -# this does NOT affect how Keystone listens for connections). Defaults to the -# base host URL of the request. E.g. a request to http://server:35357/v3/users -# will default to http://server:35357. You should only need to set this value -# if the base URL contains a path (e.g. /prefix/v3) or the endpoint should be -# found on a different server. (string value) -#admin_endpoint = -admin_endpoint = <%= @admin_endpoint %> - -<% if node['openstack']['identity']['list_limit'] %> -# The maximum number of entities that will be returned in a collection, with no -# limit set by default. This global limit may be then overridden for a specific -# driver, by specifying a list_limit in the appropriate section (e.g. -# [assignment]). 
(integer value) -#list_limit= -list_limit=<%= node['openstack']['identity']['list_limit'] %> -<% end %> - -# -# From keystone.notifications -# -# -# From keystone.openstack.common.eventlet_backdoor -# -# -# From keystone.openstack.common.policy -# - -# -# From oslo.log -# - -# Print debugging output (set logging level to DEBUG instead of default WARNING -# level). (boolean value) -#debug = false -debug = <%= node["openstack"]["identity"]["debug"] %> - -# Print more verbose output (set logging level to INFO instead of default -# WARNING level). (boolean value) -#verbose = false -verbose = <%= node["openstack"]["identity"]["verbose"] %> - -<% if node["openstack"]["identity"]["syslog"]["use"] %> -# The name of a logging configuration file. This file is appended to any -# existing logging configuration files. For details about logging configuration -# files, see the Python logging module documentation. (string value) -# Deprecated group/name - [DEFAULT]/log_config -#log_config_append = -log_config_append = /etc/openstack/logging.conf -<% else %> -# (Optional) Name of log file to output to. If no default is set, logging will -# go to stdout. (string value) -# Deprecated group/name - [DEFAULT]/logfile -#log_file = -log_file = /var/log/keystone/keystone.log -<% end %> - -# -# From oslo.messaging -# - -# Driver or drivers to handle sending notifications. (multi valued) -#notification_driver = -notification_driver = <%= node['openstack']['identity']['notification_driver'] %> - -<% if @notification_driver == "messaging" -%> -# AMQP topic used for OpenStack notifications. (list value) -# Deprecated group/name - [rpc_notifier2]/topics -#notification_topics = notifications -notification_topics = <%= node["openstack"]["mq"]["identity"]["notification_topics"] %> - -# Size of RPC thread pool. (integer value) -#rpc_thread_pool_size = 64 -rpc_thread_pool_size = <%= node["openstack"]["identity"]["rpc_thread_pool_size"] %> - -# Seconds to wait for a response from a call. 
(integer value) -#rpc_response_timeout = 60 -rpc_response_timeout = <%= node["openstack"]["identity"]["rpc_response_timeout"] %> - -# The messaging driver to use, defaults to rabbit. Other drivers include qpid -# and zmq. (string value) -#rpc_backend = rabbit -rpc_backend = <%= node["openstack"]["identity"]["rpc_backend"] %> - -# The default exchange under which topics are scoped. May be overridden by an -# exchange name specified in the transport_url option. (string value) -#control_exchange = keystone -control_exchange = <%= node["openstack"]["identity"]["control_exchange"] %> - -<% end -%> - -[assignment] - -# -# From keystone -# - -# Assignment backend driver. (string value) -#driver = -driver = keystone.assignment.backends.<%= node["openstack"]["identity"]["assignment"]["backend"] %>.Assignment - -# Maximum number of entities that will be returned in an -# assignment collection. (integer value) -#list_limit= -<% if node['openstack']['identity']['assignment']['list_limit'] %> -list_limit=<%= node['openstack']['identity']['assignment']['list_limit'] %> -<% end %> - -[auth] - -# -# From keystone -# - -# The external (REMOTE_USER) auth plugin module. (String value) -external = <%= node['openstack']['identity']['auth']['external'] %> - -# Default auth methods. (List value) -methods = <%= node['openstack']['identity']['auth']['methods'] %> - -[cache] - -# -# From keystone -# - -[catalog] - -# -# From keystone -# - -# Catalog backend driver. (string value) -#driver = keystone.catalog.backends.sql.Catalog -<% if node["openstack"]["identity"]["catalog"]["backend"] == "templated" -%> -driver = keystone.catalog.backends.templated.TemplatedCatalog -<% else -%> -driver = keystone.catalog.backends.<%= node["openstack"]["identity"]["catalog"]["backend"] %>.Catalog -<% end -%> - -<% if node['openstack']['identity']['catalog']['list_limit'] %> -# Maximum number of entities that will be returned in a catalog collection. 
-# (integer value) -#list_limit = -list_limit=<%= node['openstack']['identity']['catalog']['list_limit'] %> -<% end %> - -[credential] - -# -# From keystone -# - -[database] - -# -# From oslo.db -# - -# The SQLAlchemy connection string to use to connect to the database. (string -# value) -# Deprecated group/name - [DEFAULT]/sql_connection -# Deprecated group/name - [DATABASE]/sql_connection -# Deprecated group/name - [sql]/connection -#connection = -connection = <%= @sql_connection %> - -[endpoint_filter] - -# -# Options defined in keystone -# - -[endpoint_policy] - -# -# From keystone -# -[eventlet_server] - -# -# From keystone -# - -<% if node["openstack"]["identity"]["public_workers"] %> -# The number of worker processes to serve the public eventlet application. -# Defaults to number of CPUs (minimum of 2). (integer value) -# Deprecated group/name - [DEFAULT]/public_workers -#public_workers = -public_workers=<%= node["openstack"]["identity"]["public_workers"] %> -<% end %> - -<% if node["openstack"]["identity"]["admin_workers"] %> -# The number of worker processes to serve the admin eventlet application. -# Defaults to number of CPUs (minimum of 2). (integer value) -# Deprecated group/name - [DEFAULT]/admin_workers -#admin_workers = -admin_workers=<%= node["openstack"]["identity"]["admin_workers"] %> -<% end %> - -# The IP address of the network interface for the public service to listen on. -# (string value) -# Deprecated group/name - [DEFAULT]/bind_host -# Deprecated group/name - [DEFAULT]/public_bind_host -#public_bind_host = 0.0.0.0 -public_bind_host = <%= @bind_address %> - -# The port number which the public service listens on. (integer value) -# Deprecated group/name - [DEFAULT]/public_port -#public_port = 5000 -public_port = <%= @public_port %> - -# The IP address of the network interface for the admin service to listen on. 
-# (string value) -# Deprecated group/name - [DEFAULT]/bind_host -# Deprecated group/name - [DEFAULT]/admin_bind_host -#admin_bind_host = 0.0.0.0 -admin_bind_host = <%= @admin_bind_address %> - -# The port number which the admin service listens on. (integer value) -# Deprecated group/name - [DEFAULT]/admin_port -#admin_port = 35357 -admin_port = <%= @admin_port %> - -<% if node['openstack']['identity']['ssl']['enabled'] %> -[eventlet_server_ssl] - -# -# From keystone -# - -enable = True -certfile = <%= node['openstack']['identity']['ssl']['certfile'] %> -keyfile = <%= node['openstack']['identity']['ssl']['keyfile'] %> -ca_certs = <%= node['openstack']['identity']['ssl']['ca_certs'] %> -# Require client certificate. (boolean value) -cert_required = <%= node['openstack']['identity']['ssl']['cert_required'] %> -<% end %> - -[federation] - -# -# Options defined in keystone -# - -# Federation backend driver. (string value) -#driver=keystone.contrib.federation.backends.sql.Federation - -# Value to be used when filtering assertion parameters from -# the environment. (string value) -#assertion_prefix= - -[identity] - -# -# From keystone -# - -# This references the domain to use for all Identity API v2 requests (which are -# not aware of domains). A domain with this ID will be created for you by -# keystone-manage db_sync in migration 008. The domain referenced by this ID -# cannot be deleted on the v3 API, to prevent accidentally breaking the v2 API. -# There is nothing special about this domain, other than the fact that it must -# exist to order to maintain support for your v2 clients. 
(string value) -#default_domain_id = default -default_domain_id=<%= node["openstack"]["identity"]["identity"]["default_domain_id"] %> - -# A subset (or all) of domains can have their own identity driver, each with -# their own partial configuration options, stored in either the resource -# backend or in a file in a domain configuration directory (depending on the -# setting of domain_configurations_from_database). Only values specific to the -# domain need to be specified in this manner. This feature is disabled by -# default; set to true to enable. (boolean value) -#domain_specific_drivers_enabled = false -domain_specific_drivers_enabled=<%= node["openstack"]["identity"]["identity"]["domain_specific_drivers_enabled"] %> - -# Path for Keystone to locate the domain specific identity configuration files -# if domain_specific_drivers_enabled is set to true. (string value) -#domain_config_dir = /etc/keystone/domains -domain_config_dir=<%= node["openstack"]["identity"]["identity"]["domain_config_dir"] %> - -# Identity backend driver. (string value) -#driver = keystone.identity.backends.sql.Identity -driver = keystone.identity.backends.<%= node["openstack"]["identity"]["identity"]["backend"] %>.Identity - -<% if node['openstack']['identity']['identity']['list_limit'] %> -# Maximum number of entities that will be returned in an identity collection. -# (integer value) -#list_limit = -list_limit=<%= node['openstack']['identity']['identity']['list_limit'] %> -<% end %> - -[identity_mapping] - -# -# From keystone -# - -# Keystone Identity Mapping backend driver. (string value) -driver = <%= node['openstack']['identity']['identity_mapping']['driver'] %> - -# Public ID generator for user and group entities in the keystone.identity.id_generator namespace. -# The Keystone identity mapper only supports generators that produce no more than 64 characters. 
-# (string value) -generator = <%= node['openstack']['identity']['identity_mapping']['generator'] %> - -# The format of user and group IDs changed in Juno for backends that do not -# generate UUIDs (e.g. LDAP), with keystone providing a hash mapping to the -# underlying attribute in LDAP. By default this mapping is disabled, which -# ensures that existing IDs will not change. Even when the mapping is enabled -# by using domain specific drivers, any users and groups from the default -# domain being handled by LDAP will still not be mapped to ensure their IDs -# remain backward compatible. Setting this value to False will enable the -# mapping for even the default LDAP driver. It is only safe to do this if you -# do not already have assignments for users and groups from the default LDAP -# domain, and it is acceptable for Keystone to provide the different IDs to -# clients than it did previously. Typically this means that the only time you -# can set this value to False is when configuring a fresh installation. -# (boolean value) -backward_compatible_ids = <%= node['openstack']['identity']['identity_mapping']['backward_compatible_ids'] %> - -[kvs] - -# -# From keystone -# - -[ldap] - -# -# From keystone -# - -# URL for connecting to the LDAP server. (string value) -#url = ldap://localhost -url = <%= @ldap["url"] %> - -# User BindDN to query the LDAP server. (string value) -#user = -user = <%= @ldap["user"] %> - -<% if @ldap["password"] -%> -# Password for the BindDN to query the LDAP server. (string value) -#password = -password = <%= @ldap["password"] %> -<% end -%> - -# LDAP server suffix (string value) -#suffix = cn=example,cn=com -suffix = <%= @ldap["suffix"] %> - -# If true, will add a dummy member to groups. This is required if the -# objectclass for groups requires the "member" attribute. (boolean value) -#use_dumb_member = false -use_dumb_member = <%= @ldap["use_dumb_member"] %> - -# DN of the "dummy member" to use when "use_dumb_member" is enabled. 
(string -# value) -#dumb_member = cn=dumb,dc=nonexistent -dumb_member = <%= @ldap["dumb_member"] %> - -# Delete subtrees using the subtree delete control. Only enable this option if -# your LDAP server supports subtree deletion. (boolean value) -#allow_subtree_delete = false -allow_subtree_delete = <%= @ldap["allow_subtree_delete"] %> - -# The LDAP scope for queries, this can be either "one" (onelevel/singleLevel) -# or "sub" (subtree/wholeSubtree). (string value) -#query_scope = one -query_scope = <%= @ldap["query_scope"] %> - -# Maximum results per page; a value of zero ("0") disables paging. (integer -# value) -#page_size = 0 -page_size = <%= @ldap["page_size"] %> - -# The LDAP dereferencing option for queries. This can be either "never", -# "searching", "always", "finding" or "default". The "default" option falls -# back to using default dereferencing configured by your ldap.conf. (string -# value) -#alias_dereferencing = default -alias_dereferencing = <%= @ldap["alias_dereferencing"] %> - -<% if @ldap["user_tree_dn"] -%> -# Search base for users. (string value) -#user_tree_dn = -user_tree_dn = <%= @ldap["user_tree_dn"] %> -<% end -%> - -<% if @ldap["user_filter"] -%> -# LDAP search filter for users. (string value) -#user_filter = -user_filter = <%= @ldap["user_filter"] %> -<% end -%> - -# LDAP objectclass for users. (string value) -#user_objectclass = inetOrgPerson -user_objectclass = <%= @ldap["user_objectclass"] %> - -# LDAP attribute mapped to user id. WARNING: must not be a multivalued -# attribute. (string value) -#user_id_attribute = cn -user_id_attribute = <%= @ldap["user_id_attribute"] %> - -# LDAP attribute mapped to user name. (string value) -#user_name_attribute = sn -user_name_attribute = <%= @ldap["user_name_attribute"] %> - -# LDAP attribute mapped to user email. (string value) -#user_mail_attribute = mail -user_mail_attribute = <%= @ldap["user_mail_attribute"] %> - -# LDAP attribute mapped to password. 
(string value) -#user_pass_attribute = userPassword -user_pass_attribute = <%= @ldap["user_pass_attribute"] %> - -# LDAP attribute mapped to user enabled flag. (string value) -#user_enabled_attribute = enabled -user_enabled_attribute = <%= @ldap["user_enabled_attribute"] %> - -# Bitmask integer to indicate the bit that the enabled value is stored in if -# the LDAP server represents "enabled" as a bit on an integer rather than a -# boolean. A value of "0" indicates the mask is not used. If this is not set to -# "0" the typical value is "2". This is typically used when -# "user_enabled_attribute = userAccountControl". (integer value) -#user_enabled_mask = 0 -user_enabled_mask = <%= @ldap["user_enabled_mask"] %> - -# Default value to enable users. This should match an appropriate int value if -# the LDAP server uses non-boolean (bitmask) values to indicate if a user is -# enabled or disabled. If this is not set to "True" the typical value is "512". -# This is typically used when "user_enabled_attribute = userAccountControl". -# (string value) -#user_enabled_default = True -user_enabled_default = <%= @ldap["user_enabled_default"] %> - -# List of attributes stripped off the user on update. (list value) -#user_attribute_ignore = default_project_id,tenants -user_attribute_ignore = <%= @ldap["user_attribute_ignore"] %> - -# Allow user creation in LDAP backend. (boolean value) -#user_allow_create = true -user_allow_create = <%= @ldap["user_allow_create"] %> - -# Allow user updates in LDAP backend. (boolean value) -#user_allow_update = true -user_allow_update = <%= @ldap["user_allow_update"] %> - -# Allow user deletion in LDAP backend. (boolean value) -#user_allow_delete = true -user_allow_delete = <%= @ldap["user_allow_delete"] %> - -# If true, Keystone uses an alternative method to determine if a user is -# enabled or not by checking if they are a member of the -# "user_enabled_emulation_dn" group. 
(boolean value) -#user_enabled_emulation = false -user_enabled_emulation = <%= @ldap["user_enabled_emulation"] %> - -<% if @ldap["user_enabled_emulation_dn"] -%> -# DN of the group entry to hold enabled users when using enabled emulation. -# (string value) -#user_enabled_emulation_dn = -user_enabled_emulation_dn = <%= @ldap["user_enabled_emulation_dn"] %> -<% end -%> - -<% if @ldap["project_tree_dn"] -%> -# Search base for projects (string value) -# Deprecated group/name - [ldap]/tenant_tree_dn -#project_tree_dn = -project_tree_dn = <%= @ldap["project_tree_dn"] %> -<% end -%> - -<% if @ldap["project_filter"] -%> -# LDAP search filter for projects. (string value) -# Deprecated group/name - [ldap]/tenant_filter -#project_filter = -project_filter = <%= @ldap["project_filter"] %> -<% end -%> - -# LDAP objectclass for projects. (string value) -# Deprecated group/name - [ldap]/tenant_objectclass -#project_objectclass = groupOfNames -project_objectclass = <%= @ldap["project_objectclass"] %> - -# LDAP attribute mapped to project id. (string value) -# Deprecated group/name - [ldap]/tenant_id_attribute -#project_id_attribute = cn -project_id_attribute = <%= @ldap["project_id_attribute"] %> - -# LDAP attribute mapped to project membership for user. (string value) -# Deprecated group/name - [ldap]/tenant_member_attribute -#project_member_attribute = member -project_member_attribute = <%= @ldap["project_member_attribute"] %> - -# LDAP attribute mapped to project name. (string value) -# Deprecated group/name - [ldap]/tenant_name_attribute -#project_name_attribute = ou -project_name_attribute = <%= @ldap["project_name_attribute"] %> - -# LDAP attribute mapped to project description. (string value) -# Deprecated group/name - [ldap]/tenant_desc_attribute -#project_desc_attribute = description -project_desc_attribute = <%= @ldap["project_desc_attribute"] %> - -# LDAP attribute mapped to project enabled. 
(string value) -# Deprecated group/name - [ldap]/tenant_enabled_attribute -#project_enabled_attribute = enabled -project_enabled_attribute = <%= @ldap["project_enabled_attribute"] %> - -# LDAP attribute mapped to project domain_id. (string value) -# Deprecated group/name - [ldap]/tenant_domain_id_attribute -#project_domain_id_attribute = businessCategory -project_domain_id_attribute = <%= @ldap["project_domain_id_attribute"] %> - -<% if @ldap["project_attribute_ignore"] -%> -# List of attributes stripped off the project on update. (list value) -# Deprecated group/name - [ldap]/tenant_attribute_ignore -#project_attribute_ignore = -project_attribute_ignore = <%= @ldap["project_attribute_ignore"] %> -<% end -%> - -# Allow project creation in LDAP backend. (boolean value) -# Deprecated group/name - [ldap]/tenant_allow_create -#project_allow_create = true -project_allow_create = <%= @ldap["project_allow_create"] %> - -# Allow project update in LDAP backend. (boolean value) -# Deprecated group/name - [ldap]/tenant_allow_update -#project_allow_update = true -project_allow_update = <%= @ldap["project_allow_update"] %> - -# Allow project deletion in LDAP backend. (boolean value) -# Deprecated group/name - [ldap]/tenant_allow_delete -#project_allow_delete = true -project_allow_delete = <%= @ldap["project_allow_delete"] %> - -# If true, Keystone uses an alternative method to determine if a project is -# enabled or not by checking if they are a member of the -# "project_enabled_emulation_dn" group. (boolean value) -# Deprecated group/name - [ldap]/tenant_enabled_emulation -#project_enabled_emulation = false -project_enabled_emulation = <%= @ldap["project_enabled_emulation"] %> - -<% if @ldap["project_enabled_emulation_dn"] -%> -# DN of the group entry to hold enabled projects when using enabled emulation. 
-# (string value) -# Deprecated group/name - [ldap]/tenant_enabled_emulation_dn -#project_enabled_emulation_dn = -project_enabled_emulation_dn = <%= @ldap["project_enabled_emulation_dn"] %> -<% end -%> - -<% if @ldap["role_tree_dn"] -%> -# Search base for roles. (string value) -#role_tree_dn = -role_tree_dn = <%= @ldap["role_tree_dn"] %> -<% end -%> - -<% if @ldap["role_filter"] -%> -# LDAP search filter for roles. (string value) -#role_filter = -role_filter = <%= @ldap["role_filter"] %> -<% end -%> - -# LDAP objectclass for roles. (string value) -#role_objectclass = organizationalRole -role_objectclass = <%= @ldap["role_objectclass"] %> - -# LDAP attribute mapped to role id. (string value) -#role_id_attribute = cn -role_id_attribute = <%= @ldap["role_id_attribute"] %> - -# LDAP attribute mapped to role name. (string value) -#role_name_attribute = ou -role_name_attribute = <%= @ldap["role_name_attribute"] %> - -# LDAP attribute mapped to role membership. (string value) -#role_member_attribute=roleOccupant -role_member_attribute = <%= @ldap["role_member_attribute"] %> - -<% if @ldap["role_attribute_ignore"] -%> -# List of attributes stripped off the role on update. (list value) -#role_attribute_ignore = -role_attribute_ignore = <%= @ldap["role_attribute_ignore"] %> -<% end -%> - -# Allow role creation in LDAP backend. (boolean value) -#role_allow_create=true -role_allow_create = <%= @ldap["role_allow_create"] %> - -# Allow role update in LDAP backend. (boolean value) -#role_allow_update=true -role_allow_update = <%= @ldap["role_allow_update"] %> - -# Allow role deletion in LDAP backend. (boolean value) -#role_allow_delete=true -role_allow_delete = <%= @ldap["role_allow_delete"] %> - -<% if @ldap["group_tree_dn"] -%> -# Search base for groups. (string value) -#group_tree_dn = -group_tree_dn = <%= @ldap["group_tree_dn"] %> -<% end -%> - -<% if @ldap["group_filter"] -%> -# LDAP search filter for groups. 
(string value)
-#group_filter =
-group_filter = <%= @ldap["group_filter"] %>
-<% end -%>
-
-# LDAP objectclass for groups. (string value)
-#group_objectclass = groupOfNames
-group_objectclass = <%= @ldap["group_objectclass"] %>
-
-# LDAP attribute mapped to group id. (string value)
-#group_id_attribute = cn
-group_id_attribute = <%= @ldap["group_id_attribute"] %>
-
-# LDAP attribute mapped to group name. (string value)
-#group_name_attribute = ou
-group_name_attribute = <%= @ldap["group_name_attribute"] %>
-
-# LDAP attribute mapped to show group membership. (string value)
-#group_member_attribute = member
-group_member_attribute = <%= @ldap["group_member_attribute"] %>
-
-# LDAP attribute mapped to group description. (string value)
-#group_desc_attribute = description
-group_desc_attribute = <%= @ldap["group_desc_attribute"] %>
-
-<% if @ldap["group_attribute_ignore"] -%>
-# List of attributes stripped off the group on update. (list value)
-#group_attribute_ignore =
-group_attribute_ignore = <%= @ldap["group_attribute_ignore"] %>
-<% end -%>
-
-# Allow group creation in LDAP backend. (boolean value)
-#group_allow_create = true
-group_allow_create = <%= @ldap["group_allow_create"] %>
-
-# Allow group update in LDAP backend. (boolean value)
-#group_allow_update = true
-group_allow_update = <%= @ldap["group_allow_update"] %>
-
-# Allow group deletion in LDAP backend. (boolean value)
-#group_allow_delete = true
-group_allow_delete = <%= @ldap["group_allow_delete"] %>
-
-<% if @ldap['use_pool'] -%>
-# Enable LDAP connection pooling. (boolean value)
-use_pool = true
-
-# Connection pool size. (integer value)
-pool_size = <%= @ldap['pool_size'] %>
-
-# Maximum count of reconnect trials. (integer value)
-pool_retry_max = <%= @ldap['pool_retry_max'] %>
-
-# Time span in seconds to wait between two reconnect trials.
-# (floating point value)
-pool_retry_delay = <%= @ldap['pool_retry_delay'] %>
-
-# Connector timeout in seconds. Value -1 indicates indefinite
-# wait for response. (integer value)
-pool_connection_timeout = <%= @ldap['pool_connection_timeout'] %>
-
-# Connection lifetime in seconds. (integer value)
-pool_connection_lifetime = <%= @ldap['pool_connection_lifetime'] %>
-
-# Enable LDAP connection pooling for end user authentication.
-# If use_pool is disabled, then this setting is meaningless
-# and is not used at all. (boolean value)
-use_auth_pool = <%= @ldap['use_auth_pool'] %>
-
-# End user auth connection pool size. (integer value)
-auth_pool_size = <%= @ldap['auth_pool_size'] %>
-
-# End user auth connection lifetime in seconds. (integer
-# value)
-auth_pool_connection_lifetime = <%= @ldap['auth_pool_connection_lifetime'] %>
-<% end -%>
-
-
-# Enable TLS for communicating with LDAP servers. (boolean value)
-#use_tls = false
-<% if @ldap["use_tls"] -%>
-use_tls = True
-
-# CA certificate file path for communicating with LDAP servers. (string value)
-#tls_cacertfile =
-# CA certificate directory path for communicating with LDAP servers. (string
-# value)
-#tls_cacertdir =
-<% if @ldap["tls_cacertfile"] -%>
-tls_cacertfile = <%= @ldap["tls_cacertfile"] %>
-<% elsif @ldap["tls_cacertdir"] -%>
-tls_cacertdir = <%= @ldap["tls_cacertdir"] %>
-<% end -%>
-
-# Valid options for tls_req_cert are demand, never, and allow. (string value)
-#tls_req_cert = demand
-<% if @ldap["tls_req_cert"] -%>
-tls_req_cert = <%= @ldap["tls_req_cert"] %>
-<% end -%>
-
-<% end -%>
-
-[matchmaker_ring]
-
-#
-# Options defined in oslo.messaging
-#
-
-# Matchmaker ring file (JSON). (string value)
-# Deprecated group/name - [DEFAULT]/matchmaker_ringfile
-#ringfile=/etc/oslo/matchmaker_ring.json
-
-[memcache]
-
-#
-# Options defined in keystone
-#
-
-<% if @memcache_servers -%>
-# Memcache servers in the format of "host:port". (list value)
-#servers=localhost:11211
-servers = <%= @memcache_servers %>
-<% end -%>
-
-[oauth1]
-
-#
-# From keystone
-#
-
-[os_inherit]
-
-#
-# From keystone
-#
-
-[oslo_messaging_amqp]
-
-#
-# From oslo.messaging
-#
-
-<% if @mq_service_type == "qpid" %>
-[oslo_messaging_qpid]
-
-#
-# From oslo.messaging
-#
-
-# Use durable queues in AMQP. (boolean value)
-# Deprecated group/name - [DEFAULT]/rabbit_durable_queues
-#amqp_durable_queues = false
-amqp_durable_queues = <%= node['openstack']['mq']['identity']['durable_queues'] %>
-
-# Auto-delete queues in AMQP. (boolean value)
-# Deprecated group/name - [DEFAULT]/amqp_auto_delete
-#amqp_auto_delete = false
-amqp_auto_delete = <%= node['openstack']['mq']['identity']['auto_delete'] %>
-
-# Size of RPC connection pool. (integer value)
-# Deprecated group/name - [DEFAULT]/rpc_conn_pool_size
-#rpc_conn_pool_size = 30
-rpc_conn_pool_size = <%= node["openstack"]["identity"]["rpc_conn_pool_size"] %>
-
-# Qpid broker hostname. (string value)
-# Deprecated group/name - [DEFAULT]/qpid_hostname
-#qpid_hostname = localhost
-qpid_hostname = <%= node["openstack"]["mq"]["identity"]["qpid"]["host"] %>
-
-# Qpid broker port. (integer value)
-# Deprecated group/name - [DEFAULT]/qpid_port
-#qpid_port = 5672
-qpid_port = <%= node["openstack"]["mq"]["identity"]["qpid"]["port"] %>
-
-# Username for Qpid connection. (string value)
-# Deprecated group/name - [DEFAULT]/qpid_username
-#qpid_username =
-qpid_username = <%= node["openstack"]["mq"]["identity"]["qpid"]["username"] %>
-
-# Password for Qpid connection. (string value)
-# Deprecated group/name - [DEFAULT]/qpid_password
-#qpid_password =
-qpid_password = <%= @mq_password %>
-
-# Space separated list of SASL mechanisms to use for auth. (string value)
-# Deprecated group/name - [DEFAULT]/qpid_sasl_mechanisms
-#qpid_sasl_mechanisms =
-qpid_sasl_mechanisms = <%= node["openstack"]["mq"]["identity"]["qpid"]["sasl_mechanisms"] %>
-
-# Seconds between connection keepalive heartbeats. (integer value)
-# Deprecated group/name - [DEFAULT]/qpid_heartbeat
-#qpid_heartbeat = 60
-qpid_heartbeat = <%= node["openstack"]["mq"]["identity"]["qpid"]["heartbeat"] %>
-
-# Transport to use, either 'tcp' or 'ssl'. (string value)
-# Deprecated group/name - [DEFAULT]/qpid_protocol
-#qpid_protocol = tcp
-qpid_protocol = <%= node["openstack"]["mq"]["identity"]["qpid"]["protocol"] %>
-
-# Whether to disable the Nagle algorithm. (boolean value)
-# Deprecated group/name - [DEFAULT]/qpid_tcp_nodelay
-#qpid_tcp_nodelay = true
-qpid_tcp_nodelay = <%= node["openstack"]["mq"]["identity"]["qpid"]["tcp_nodelay"] %>
-
-# The qpid topology version to use. Version 1 is what was originally used by
-# impl_qpid. Version 2 includes some backwards-incompatible changes that allow
-# broker federation to work. Users should update to version 2 when they are
-# able to take everything down, as it requires a clean break. (integer value)
-# Deprecated group/name - [DEFAULT]/qpid_topology_version
-#qpid_topology_version = 1
-qpid_topology_version = <%= node['openstack']['mq']['identity']['qpid']['topology_version'] %>
-<% end -%>
-
-<% if @mq_service_type == "rabbitmq" -%>
-[oslo_messaging_rabbit]
-
-#
-# From oslo.messaging
-#
-
-# Number of seconds after which the Rabbit broker is considered down if heartbeat's keep-alive fails (0 disable the heartbeat)
-heartbeat_timeout_threshold=<%= node['openstack']['mq']['identity']['rabbit']['heartbeat_timeout_threshold'] %>
-
-# How often times during the heartbeat_timeout_threshold we check the heartbeat
-heartbeat_rate=<%= node['openstack']['mq']['identity']['rabbit']['heartbeat_rate'] %>
-
-# Use durable queues in AMQP. (boolean value)
-# Deprecated group/name - [DEFAULT]/rabbit_durable_queues
-#amqp_durable_queues = false
-amqp_durable_queues = <%= node['openstack']['mq']['identity']['durable_queues'] %>
-
-# Auto-delete queues in AMQP. (boolean value)
-# Deprecated group/name - [DEFAULT]/amqp_auto_delete
-#amqp_auto_delete = false
-amqp_auto_delete = <%= node['openstack']['mq']['identity']['auto_delete'] %>
-
-# Size of RPC connection pool. (integer value)
-# Deprecated group/name - [DEFAULT]/rpc_conn_pool_size
-#rpc_conn_pool_size = 30
-rpc_conn_pool_size = <%= node["openstack"]["identity"]["rpc_conn_pool_size"] %>
-
-<% if node['openstack']['mq']['identity']['rabbit']['use_ssl'] -%>
-
-# Connect over SSL for RabbitMQ. (boolean value)
-rabbit_use_ssl=true
-
-<% if node['openstack']['mq']['identity']['rabbit']['kombu_ssl_version'] -%>
-# SSL version to use (valid only if SSL enabled). valid values
-# are TLSv1 and SSLv23. SSLv2 and SSLv3 may be available on
-# some distributions. (string value)
-kombu_ssl_version=<%= node['openstack']['mq']['identity']['rabbit']['kombu_ssl_version'] %>
-<% end -%>
-<% if node['openstack']['mq']['identity']['rabbit']['kombu_ssl_keyfile'] -%>
-# SSL key file (valid only if SSL enabled)
-kombu_ssl_keyfile=<%= node['openstack']['mq']['identity']['rabbit']['kombu_ssl_keyfile'] %>
-<% end -%>
-<% if node['openstack']['mq']['identity']['rabbit']['kombu_ssl_certfile'] -%>
-# SSL cert file (valid only if SSL enabled)
-kombu_ssl_certfile=<%= node['openstack']['mq']['identity']['rabbit']['kombu_ssl_certfile'] %>
-<% end -%>
-<% if node['openstack']['mq']['identity']['rabbit']['kombu_ssl_ca_certs'] -%>
-# SSL certification authority file (valid only if SSL enabled)
-kombu_ssl_ca_certs=<%= node['openstack']['mq']['identity']['rabbit']['kombu_ssl_ca_certs'] %>
-<% end -%>
-# How long to wait before reconnecting in response to an AMQP consumer cancel notification
-kombu_reconnect_delay=<%= node['openstack']['mq']['identity']['rabbit']['kombu_reconnect_delay'] %>
-# How long to wait before considering a reconnect attempt to have failed.
-# This value should not be longer than rpc_response_timeout
-kombu_reconnect_timeout=<%= node['openstack']['mq']['identity']['rabbit']['kombu_reconnect_timeout'] %>
-<% end -%>
-
-<% if node["openstack"]["mq"]["identity"]["rabbit"]["ha"] %>
-# RabbitMQ HA cluster host:port pairs. (list value)
-# Deprecated group/name - [DEFAULT]/rabbit_hosts
-#rabbit_hosts = $rabbit_host:$rabbit_port
-rabbit_hosts = <%= @rabbit_hosts %>
-
-# Use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you
-# must wipe the RabbitMQ database. (boolean value)
-# Deprecated group/name - [DEFAULT]/rabbit_ha_queues
-#rabbit_ha_queues = false
-rabbit_ha_queues = true
-<% else -%>
-# The RabbitMQ broker address where a single node is used. (string value)
-# Deprecated group/name - [DEFAULT]/rabbit_host
-#rabbit_host = localhost
-rabbit_host = <%= node["openstack"]["mq"]["identity"]["rabbit"]["host"] %>
-
-# The RabbitMQ broker port where a single node is used. (integer value)
-# Deprecated group/name - [DEFAULT]/rabbit_port
-#rabbit_port = 5672
-rabbit_port = <%= node["openstack"]["mq"]["identity"]["rabbit"]["port"] %>
-<% end -%>
-
-# The RabbitMQ userid. (string value)
-# Deprecated group/name - [DEFAULT]/rabbit_userid
-#rabbit_userid = guest
-rabbit_userid = <%= node["openstack"]["mq"]["identity"]["rabbit"]["userid"] %>
-
-# The RabbitMQ password. (string value)
-# Deprecated group/name - [DEFAULT]/rabbit_password
-#rabbit_password = guest
-rabbit_password = <%= @mq_password %>
-
-# The RabbitMQ virtual host. (string value)
-# Deprecated group/name - [DEFAULT]/rabbit_virtual_host
-#rabbit_virtual_host = /
-rabbit_virtual_host = <%= node["openstack"]["mq"]["identity"]["rabbit"]["vhost"] %>
-
-# Maximum retries with trying to connect to RabbitMQ
-# (the default of 0 implies an infinite retry count)
-rabbit_max_retries = <%= node["openstack"]["mq"]["identity"]["rabbit"]["rabbit_max_retries"] %>
-
-# RabbitMQ connection retry interval
-rabbit_retry_interval = <%= node["openstack"]["mq"]["identity"]["rabbit"]["rabbit_retry_interval"] %>
-<% end -%>
-
-[oslo_middleware]
-
-#
-# From oslo.middleware
-#
-[paste_deploy]
-
-#
-# From keystone
-#
-
-[policy]
-
-#
-# From keystone
-#
-
-# Policy backend driver. (string value)
-#driver = keystone.policy.backends.sql.Policy
-driver = keystone.policy.backends.<%= node["openstack"]["identity"]["policy"]["backend"] %>.Policy
-
-<% if node['openstack']['identity']['policy']['list_limit'] %>
-# Maximum number of entities that will be returned in a policy collection.
-# (integer value)
-#list_limit =
-list_limit=<%= node['openstack']['identity']['policy']['list_limit'] %>
-<% end %>
-
-[resource]
-
-#
-# From keystone
-#
-
-[revoke]
-
-#
-# From keystone
-#
-
-[role]
-
-#
-# From keystone
-#
-[saml]
-
-#
-# From keystone
-#
-
-# Default TTL, in seconds, for any generated SAML assertion created by
-# Keystone. (integer value)
-#assertion_expiration_time = 3600
-assertion_expiration_time=<%= node["openstack"]["identity"]["saml"]["assertion_expiration_time"] %>
-
-# Binary to be called for XML signing. Install the appropriate package, specify
-# absolute path or adjust your PATH environment variable if the binary cannot
-# be found. (string value)
-#xmlsec1_binary = xmlsec1
-xmlsec1_binary=<%= node["openstack"]["identity"]["saml"]["xmlsec1_binary"] %>
-
-# Path of the certfile for SAML signing. For non-production environments, you
-# may be interested in using `keystone-manage pki_setup` to generate self-
-# signed certificates. Note, the path cannot contain a comma. (string value)
-#certfile = /etc/keystone/ssl/certs/signing_cert.pem
-certfile=<%= node["openstack"]["identity"]["saml"]["certfile"] %>
-
-# Path of the keyfile for SAML signing. Note, the path cannot contain a comma.
-# (string value)
-#keyfile = /etc/keystone/ssl/private/signing_key.pem
-keyfile=<%= node["openstack"]["identity"]["saml"]["keyfile"] %>
-
-# Entity ID value for unique Identity Provider identification. Usually FQDN is
-# set with a suffix. A value is required to generate IDP Metadata. For example:
-# https://keystone.example.com/v3/OS-FEDERATION/saml2/idp (string value)
-#idp_entity_id =
-idp_entity_id=<%= node["openstack"]["identity"]["saml"]["idp_entity_id"] %>
-
-# Identity Provider Single-Sign-On service value, required in the Identity
-# Provider's metadata. A value is required to generate IDP Metadata. For
-# example: https://keystone.example.com/v3/OS-FEDERATION/saml2/sso (string
-# value)
-#idp_sso_endpoint =
-idp_sso_endpoint=<%= node["openstack"]["identity"]["saml"]["idp_sso_endpoint"] %>
-
-# Language used by the organization. (string value)
-#idp_lang = en
-idp_lang=<%= node["openstack"]["identity"]["saml"]["idp_lang"] %>
-
-# Organization name the installation belongs to. (string value)
-#idp_organization_name =
-idp_organization_name=<%= node["openstack"]["identity"]["saml"]["idp_organization_name"] %>
-
-# Organization name to be displayed. (string value)
-#idp_organization_display_name =
-idp_organization_display_name=<%= node["openstack"]["identity"]["saml"]["idp_organization_display_name"] %>
-
-# URL of the organization. (string value)
-#idp_organization_url =
-idp_organization_url=<%= node["openstack"]["identity"]["saml"]["idp_organization_url"] %>
-
-# Company of contact person. (string value)
-#idp_contact_company =
-idp_contact_company=<%= node["openstack"]["identity"]["saml"]["idp_contact_company"] %>
-
-# Given name of contact person (string value)
-#idp_contact_name =
-idp_contact_name=<%= node["openstack"]["identity"]["saml"]["idp_contact_name"] %>
-
-# Surname of contact person. (string value)
-#idp_contact_surname =
-idp_contact_surname=<%= node["openstack"]["identity"]["saml"]["idp_contact_surname"] %>
-
-# Email address of contact person. (string value)
-#idp_contact_email =
-idp_contact_email=<%= node["openstack"]["identity"]["saml"]["idp_contact_email"] %>
-
-# Telephone number of contact person. (string value)
-#idp_contact_telephone =
-idp_contact_telephone=<%= node["openstack"]["identity"]["saml"]["idp_contact_telephone"] %>
-
-# Contact type. Allowed values are: technical, support, administrative billing,
-# and other (string value)
-#idp_contact_type = other
-idp_contact_type=<%= node["openstack"]["identity"]["saml"]["idp_contact_type"] %>
-
-# Path to the Identity Provider Metadata file. This file should be generated
-# with the keystone-manage saml_idp_metadata command. (string value)
-#idp_metadata_path = /etc/keystone/saml2_idp_metadata.xml
-idp_metadata_path=<%= node["openstack"]["identity"]["saml"]["idp_metadata_path"] %>
-
-[signing]
-
-#
-# From keystone
-#
-
-<% if node["openstack"]["auth"]["strategy"] == "pki" -%>
-# Path of the certfile for token signing. For non-production environments, you
-# may be interested in using `keystone-manage pki_setup` to generate self-
-# signed certificates. (string value)
-#certfile = /etc/keystone/ssl/certs/signing_cert.pem
-certfile = <%= node["openstack"]["identity"]["signing"]["certfile"] %>
-
-# Path of the keyfile for token signing. (string value)
-#keyfile = /etc/keystone/ssl/private/signing_key.pem
-keyfile = <%= node["openstack"]["identity"]["signing"]["keyfile"] %>
-
-# Path of the CA for token signing. (string value)
-#ca_certs = /etc/keystone/ssl/certs/ca.pem
-ca_certs = <%= node["openstack"]["identity"]["signing"]["ca_certs"] %>
-
-# Key size (in bits) for token signing cert (auto generated certificate).
-# (integer value)
-#key_size = 2048
-key_size = <%= node["openstack"]["identity"]["signing"]["key_size"] %>
-
-# Days the token signing cert is valid for (auto generated certificate).
-# (integer value)
-#valid_days = 3650
-valid_days = <%= node["openstack"]["identity"]["signing"]["valid_days"] %>
-
-# TODO: Is this used anymore?
-ca_password = <%= node["openstack"]["identity"]["signing"]["ca_password"] %>
-<% end -%>
-
-[ssl]
-
-#
-# From keystone
-#
-
-[token]
-
-#
-# From keystone
-#
-
-# Amount of time a token should remain valid (in seconds). (integer value)
-#expiration = 3600
-expiration = <%= node["openstack"]["identity"]["token"]["expiration"] %>
-
-# Controls the token construction, validation, and revocation operations. Core
-# providers are "keystone.token.providers.[fernet|pkiz|pki|uuid].Provider". The
-# default provider is uuid. (string value)
-#provider = keystone.token.providers.uuid.Provider
-provider = keystone.token.providers.<%= node["openstack"]["auth"]["strategy"] %>.Provider
-
-# Token persistence backend driver. (string value)
-#driver = keystone.token.persistence.backends.sql.Token
-driver = keystone.token.persistence.backends.<%= node["openstack"]["identity"]["token"]["backend"] %>.Token
-
-# The hash algorithm to use for PKI tokens. This can be set to any algorithm
-# that hashlib supports. WARNING: Before changing this value, the auth_token
-# middleware must be configured with the hash_algorithms, otherwise token
-# revocation will not be processed correctly. (string value)
-#hash_algorithm = md5
-hash_algorithm = <%= node["openstack"]["identity"]["token"]["hash_algorithm"] %>
-
-[trust]
-
-#
-# From keystone
-#
-
-# Misc options
-<% if node["openstack"]["identity"]["misc_keystone"] %>
-<% node["openstack"]["identity"]["misc_keystone"].each do |m| %>
-<%= m %>
-<% end %>
-<% end %>
diff --git a/templates/default/openrc.erb b/templates/default/openrc.erb
new file mode 100644
index 0000000..76e64f2
--- /dev/null
+++ b/templates/default/openrc.erb
@@ -0,0 +1,15 @@
+<%= node['openstack']['identity']['custom_template_banner'] %>
+
+# COMMON OPENSTACK ENVS
+export OS_USERNAME=<%= @user %>
+export OS_PASSWORD=<%= @password %>
+export OS_TENANT_NAME=<%= @tenant %>
+export OS_AUTH_URL=<%= @identity_endpoint %>
+export OS_REGION_NAME=<%= node['openstack']['region'] %>
+
+<% if node['openstack']['misc_openrc'] %>
+# Misc options
+<% node['openstack']['misc_openrc'].each do |m| %>
+<%= m %>
+<% end %>
+<% end %>
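Review bot: `export OS_PASSWORD=<%= @password %>` in the new openrc.erb writes the credential unquoted into a file that is meant to be sourced by a shell, so a password (or tenant/user name) containing a space, `$`, backtick, `;` or `#` either breaks the file when sourced or is expanded by the shell instead of being passed through literally. The same applies to the other `export` lines in this hunk. Render each value shell-quoted, e.g. `export OS_PASSWORD=<%= Shellwords.escape(@password.to_s) %>` (stdlib `shellwords`; presumably needs to be required in the recipe if the template context does not already load it), or at least single-quote the values with embedded single quotes escaped. Since the rendered file holds a cleartext password, the owner/mode set in recipes/openrc.rb (outside this hunk) should restrict it to the owning user, which is worth confirming there.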