Add parameters for correct work of privileged user

Add parameters for a privileged user, which allows connecting to
nova with admin permissions.

As an example, this is needed for the 'InstanceLocalityFilter'
Cinder scheduler filter to work correctly for Sahara.

Upstream patches:
I609870acf838b79be0e47edd18f0cc67d03bdb95
If181482c12721e3d26868b202f86f79d8e28f53f

Change-Id: I7d11001b168190648542c4d9b97b64ae4300ba59
Closes-bug: #1489920
Denis Egorenko 2015-08-31 18:21:41 +03:00
parent 8b67fda3e2
commit 16c9338f92
4 changed files with 220 additions and 34 deletions


@ -34,12 +34,43 @@
# Defaults to http.
# Use auth_uri instead.
#
# [*os_privileged_user_name*]
# (optional) OpenStack privileged account username. Used for requests to
# other services (such as Nova) that require an account with
# special rights.
# Defaults to undef.
#
# [*privileged_user*]
# (optional) Enables OpenStack privileged account.
# Defaults to false.
#
# [*os_privileged_user_password*]
# (optional) Password associated with the OpenStack privileged account.
# Defaults to undef.
#
# [*os_privileged_user_tenant*]
# (optional) Tenant name associated with the OpenStack privileged account.
# Defaults to undef.
#
# [*os_privileged_user_auth_url*]
# (optional) Auth URL associated with the OpenStack privileged account.
# Defaults to undef.
#
# [*os_region_name*]
# (optional) Some operations require cinder to make API requests
# to Nova. This sets the keystone region to be used for these
# requests. For example, boot-from-volume.
# Defaults to undef.
#
# [*nova_catalog_info*]
# (optional) Match this value when searching for nova in the service
# catalog.
# Defaults to 'compute:Compute Service:publicURL'
#
# [*nova_catalog_admin_info*]
# (optional) Same as nova_catalog_info, but for admin endpoint.
# Defaults to 'compute:Compute Service:adminURL'
#
# [*keystone_auth_admin_prefix*]
# (optional) DEPRECATED The admin_prefix used to admin endpoint of the auth
# host. This allow admin auth URIs like http://auth_host:35357/keystone.
@ -125,19 +156,26 @@
#
class cinder::api (
$keystone_password,
$keystone_enabled = true,
$keystone_tenant = 'services',
$keystone_user = 'cinder',
$auth_uri = false,
$identity_uri = false,
$os_region_name = undef,
$service_workers = $::processorcount,
$package_ensure = 'present',
$bind_host = '0.0.0.0',
$enabled = true,
$manage_service = true,
$ratelimits = undef,
$default_volume_type = false,
$keystone_enabled = true,
$keystone_tenant = 'services',
$keystone_user = 'cinder',
$auth_uri = false,
$identity_uri = false,
$privileged_user = false,
$os_privileged_user_name = undef,
$os_privileged_user_password = undef,
$os_privileged_user_tenant = undef,
$os_privileged_user_auth_url = undef,
$os_region_name = undef,
$nova_catalog_info = 'compute:Compute Service:publicURL',
$nova_catalog_admin_info = 'compute:Compute Service:adminURL',
$service_workers = $::processorcount,
$package_ensure = 'present',
$bind_host = '0.0.0.0',
$enabled = true,
$manage_service = true,
$ratelimits = undef,
$default_volume_type = false,
$ratelimits_factory =
'cinder.api.v1.limits:RateLimitingMiddleware.factory',
$validate = false,
@ -209,12 +247,52 @@ class cinder::api (
'DEFAULT/osapi_volume_workers': value => $service_workers;
}
if $privileged_user {
if !$os_privileged_user_name {
fail('The os_privileged_user_name parameter is required when privileged_user is set to true')
}
if !$os_privileged_user_password {
fail('The os_privileged_user_password parameter is required when privileged_user is set to true')
}
if !$os_privileged_user_tenant {
fail('The os_privileged_user_tenant parameter is required when privileged_user is set to true')
}
cinder_config {
'DEFAULT/os_privileged_user_password': value => $os_privileged_user_password;
'DEFAULT/os_privileged_user_tenant': value => $os_privileged_user_tenant;
'DEFAULT/os_privileged_user_name': value => $os_privileged_user_name;
}
if $os_privileged_user_auth_url {
cinder_config {
'DEFAULT/os_privileged_user_auth_url': value => $os_privileged_user_auth_url;
}
} else {
cinder_config {
'DEFAULT/os_privileged_user_auth_url': ensure => absent;
}
}
} else {
cinder_config {
'DEFAULT/os_privileged_user_password': ensure => absent;
'DEFAULT/os_privileged_user_tenant': ensure => absent;
'DEFAULT/os_privileged_user_name': ensure => absent;
'DEFAULT/os_privileged_user_auth_url': ensure => absent;
}
}
if $os_region_name {
cinder_config {
'DEFAULT/os_region_name': value => $os_region_name;
}
}
cinder_config {
'DEFAULT/nova_catalog_info': value => $nova_catalog_info;
'DEFAULT/nova_catalog_admin_info': value => $nova_catalog_admin_info;
}
if $keystone_auth_uri and $auth_uri {
fail('both keystone_auth_uri and auth_uri are set and they have the same meaning')
}
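Review bot: The `DEFAULT/os_privileged_user_password` entry in the new `if $privileged_user` branch is written with `value =>` only, so the password of an account documented as having special rights can appear in Puppet change logs and reports whenever the setting changes. Mark it as sensitive in that `cinder_config` block: `'DEFAULT/os_privileged_user_password': value => $os_privileged_user_password, secret => true;`. The parameter documentation for `os_privileged_user_password` could also say that the value is stored in cinder.conf in clear text, so the file's permissions matter. The class body starts and ends outside this hunk.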


@ -30,6 +30,12 @@ describe 'cinder::api' do
is_expected.to contain_cinder_config('DEFAULT/osapi_volume_workers').with(
:value => '8'
)
is_expected.to contain_cinder_config('DEFAULT/nova_catalog_info').with(
:value => 'compute:Compute Service:publicURL'
)
is_expected.to contain_cinder_config('DEFAULT/nova_catalog_admin_info').with(
:value => 'compute:Compute Service:adminURL'
)
is_expected.to contain_cinder_config('DEFAULT/default_volume_type').with(
:ensure => 'absent'
)
@ -69,10 +75,24 @@ describe 'cinder::api' do
)
is_expected.to_not contain_cinder_config('DEFAULT/os_region_name')
is_expected.to contain_cinder_config('DEFAULT/os_privileged_user_name').with_ensure('absent')
is_expected.to contain_cinder_config('DEFAULT/os_privileged_user_password').with_ensure('absent')
is_expected.to contain_cinder_config('DEFAULT/os_privileged_user_tenant').with_ensure('absent')
is_expected.to contain_cinder_config('DEFAULT/os_privileged_user_auth_url').with_ensure('absent')
end
end
describe 'with a custom nova_catalog params' do
let :params do
req_params.merge({
'nova_catalog_admin_info' => 'compute:nova:adminURL',
'nova_catalog_info' => 'compute:nova:publicURL',
})
end
it { is_expected.to contain_cinder_config('DEFAULT/nova_catalog_admin_info').with_value('compute:nova:adminURL') }
it { is_expected.to contain_cinder_config('DEFAULT/nova_catalog_info').with_value('compute:nova:publicURL') }
end
describe 'with a custom region for nova' do
let :params do
req_params.merge({'os_region_name' => 'MyRegion'})
@ -84,6 +104,75 @@ describe 'cinder::api' do
end
end
describe 'with an OpenStack privileged account' do
context 'with all needed params' do
let :params do
req_params.merge({
'privileged_user' => 'true',
'os_privileged_user_name' => 'admin',
'os_privileged_user_password' => 'password',
'os_privileged_user_tenant' => 'admin',
'os_privileged_user_auth_url' => 'http://localhost:8080',
})
end
it { is_expected.to contain_cinder_config('DEFAULT/os_privileged_user_name').with_value('admin') }
it { is_expected.to contain_cinder_config('DEFAULT/os_privileged_user_password').with_value('password') }
it { is_expected.to contain_cinder_config('DEFAULT/os_privileged_user_tenant').with_value('admin') }
it { is_expected.to contain_cinder_config('DEFAULT/os_privileged_user_auth_url').with_value('http://localhost:8080') }
end
context 'without os_privileged_user_auth_url' do
let :params do
req_params.merge({
'privileged_user' => 'true',
'os_privileged_user_name' => 'admin',
'os_privileged_user_password' => 'password',
'os_privileged_user_tenant' => 'admin',
})
end
it { is_expected.to contain_cinder_config('DEFAULT/os_privileged_user_name').with_value('admin') }
it { is_expected.to contain_cinder_config('DEFAULT/os_privileged_user_password').with_value('password') }
it { is_expected.to contain_cinder_config('DEFAULT/os_privileged_user_tenant').with_value('admin') }
it { is_expected.to contain_cinder_config('DEFAULT/os_privileged_user_auth_url').with_ensure('absent') }
end
context 'without os_privileged_user' do
let :params do
req_params.merge({
'privileged_user' => 'true',
})
end
it_raises 'a Puppet::Error', /The os_privileged_user_name parameter is required when privileged_user is set to true/
end
context 'without os_privileged_user_password' do
let :params do
req_params.merge({
'privileged_user' => 'true',
'os_privileged_user_name' => 'admin',
})
end
it_raises 'a Puppet::Error', /The os_privileged_user_password parameter is required when privileged_user is set to true/
end
context 'without os_privileged_user_tenant' do
let :params do
req_params.merge({
'privileged_user' => 'true',
'os_privileged_user_name' => 'admin',
'os_privileged_user_password' => 'password',
})
end
it_raises 'a Puppet::Error', /The os_privileged_user_tenant parameter is required when privileged_user is set to true/
end
end
describe 'with a default volume type' do
let :params do
req_params.merge({'default_volume_type' => 'foo'})
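Review bot: The privileged-account contexts pass `'privileged_user' => 'true'` as a string, so they only show that a truthy value enables the branch; a string such as 'false' would presumably enable it too, which makes it easy to switch on an admin-capable account by mistake. Pass the boolean instead, `'privileged_user' => true`, so the spec matches the documented default of `false`. The context named 'without os_privileged_user' actually exercises the missing-username case and would read better as `context 'without os_privileged_user_name' do`. The last describe block in this section continues outside the hunk.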


@ -129,17 +129,24 @@ class openstack::cinder(
if ($bind_host) {
class { 'cinder::api':
keystone_enabled => $keystone_enabled,
package_ensure => $::openstack_version['cinder'],
auth_uri => $auth_uri,
identity_uri => $identity_uri,
keystone_user => $keystone_user,
keystone_tenant => $keystone_tenant,
keystone_password => $cinder_user_password,
os_region_name => $region,
bind_host => $bind_host,
ratelimits => $cinder_rate_limits,
service_workers => $service_workers,
keystone_enabled => $keystone_enabled,
package_ensure => $::openstack_version['cinder'],
auth_uri => $auth_uri,
identity_uri => $identity_uri,
keystone_user => $keystone_user,
keystone_tenant => $keystone_tenant,
keystone_password => $cinder_user_password,
os_region_name => $region,
bind_host => $bind_host,
ratelimits => $cinder_rate_limits,
service_workers => $service_workers,
privileged_user => true,
os_privileged_user_password => $cinder_user_password,
os_privileged_user_tenant => $keystone_tenant,
os_privileged_user_auth_url => $auth_uri,
os_privileged_user_name => $keystone_user,
nova_catalog_admin_info => 'compute:nova:adminURL',
nova_catalog_info => 'compute:nova:internalURL',
}
class { 'cinder::scheduler':
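Review bot: `privileged_user => true` is hard-coded here and the privileged account is wired to the Cinder service account itself (`$keystone_user`, `$cinder_user_password`, `$keystone_tenant`), so every deployment gets it with no opt-out and no way to supply a separate, narrowly scoped account. Since the commit message says this account connects to nova with admin permissions, the service user presumably needs an admin role for this to work, and a disclosed cinder.conf would then expose more than Cinder alone. Consider making these class parameters that default to the current values, for example `privileged_user => $privileged_user,` and `os_privileged_user_name => $privileged_user_name,` (names are a suggestion), and documenting which role the account requires. The enclosing `openstack::cinder` class starts and ends outside this hunk.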


@ -5,16 +5,19 @@ manifest = 'openstack-cinder/openstack-cinder.pp'
describe manifest do
shared_examples 'catalog' do
max_pool_size = 20
max_retries = '-1'
max_overflow = 20
rabbit_ha_queues = Noop.hiera('rabbit_ha_queues')
max_pool_size = 20
max_retries = '-1'
max_overflow = 20
rabbit_ha_queues = Noop.hiera('rabbit_ha_queues')
cinder_user = Noop.hiera_structure('cinder/user', "cinder")
cinder_user_password = Noop.hiera_structure('cinder/user_password')
cinder_tenant = Noop.hiera_structure('cinder/tenant', "services")
it 'ensures cinder_config contains "oslo_messaging_rabbit/rabbit_ha_queues" ' do
should contain_cinder_config('oslo_messaging_rabbit/rabbit_ha_queues').with(
'value' => rabbit_ha_queues,
)
end
it 'ensures cinder_config contains "oslo_messaging_rabbit/rabbit_ha_queues" ' do
should contain_cinder_config('oslo_messaging_rabbit/rabbit_ha_queues').with(
'value' => rabbit_ha_queues,
)
end
it 'should declare ::cinder class with correct database_max_* parameters' do
should contain_class('cinder').with(
@ -41,6 +44,15 @@ rabbit_ha_queues = Noop.hiera('rabbit_ha_queues')
should contain_cinder_config('DEFAULT/use_stderr').with(:value => 'false')
end
it "should contain cinder config with privileged user settings" do
should contain_cinder_config('DEFAULT/os_privileged_user_password').with_value(cinder_user_password)
should contain_cinder_config('DEFAULT/os_privileged_user_tenant').with_value(cinder_tenant)
should contain_cinder_config('DEFAULT/os_privileged_user_auth_url').with_value("http://#{keystone_auth_host}:5000/")
should contain_cinder_config('DEFAULT/os_privileged_user_name').with_value(cinder_user)
should contain_cinder_config('DEFAULT/nova_catalog_admin_info').with_value('compute:nova:adminURL')
should contain_cinder_config('DEFAULT/nova_catalog_info').with_value('compute:nova:internalURL')
end
end # end of shared_examples
test_ubuntu_and_centos manifest
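Review bot: The new example pins `DEFAULT/os_privileged_user_auth_url` to `"http://#{keystone_auth_host}:5000/"`, so the spec asserts a plain-HTTP keystone endpoint for the privileged account; if Cinder authenticates against that URL as written, the account's password is not protected in transit unless TLS is terminated somewhere the spec does not show. Derive the expected URL from the same hiera data the manifest uses rather than a literal scheme and port, so a TLS-enabled deployment is not locked out by the test. Separately, `keystone_auth_host` is not among the locals added in the first hunk (`cinder_user`, `cinder_user_password`, `cinder_tenant`); if it is not defined in the lines between the hunks, this example will fail with a NameError. `cinder_user_password` is also read without a default, unlike the other two lookups, which may be intentional.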