Add parameters for correct work of privileged user
Add parameters for a privileged user, which allow connecting to nova with admin permissions. For example, this is needed for the 'InstanceLocalityFilter' Cinder scheduler filter to work correctly for Sahara. Upstream patches: I609870acf838b79be0e47edd18f0cc67d03bdb95 If181482c12721e3d26868b202f86f79d8e28f53f Change-Id: I7d11001b168190648542c4d9b97b64ae4300ba59 Closes-bug: #1489920
parent
8b67fda3e2
commit
16c9338f92
|
@ -34,12 +34,43 @@
|
|||
# Defaults to http.
|
||||
# Use auth_uri instead.
|
||||
#
|
||||
# [*os_privileged_user_name*]
|
||||
# (optional) OpenStack privileged account username. Used for requests to
|
||||
# other services (such as Nova) that require an account with
|
||||
# special rights.
|
||||
# Defaults to undef.
|
||||
#
|
||||
# [*privileged_user*]
|
||||
# (optional) Enables OpenStack privileged account.
|
||||
# Defaults to false.
|
||||
#
|
||||
# [*os_privileged_user_password*]
|
||||
# (optional) Password associated with the OpenStack privileged account.
|
||||
# Defaults to undef.
|
||||
#
|
||||
# [*os_privileged_user_tenant*]
|
||||
# (optional) Tenant name associated with the OpenStack privileged account.
|
||||
# Defaults to undef.
|
||||
#
|
||||
# [*os_privileged_user_auth_url*]
|
||||
# (optional) Auth URL associated with the OpenStack privileged account.
|
||||
# Defaults to undef.
|
||||
#
|
||||
# [*os_region_name*]
|
||||
# (optional) Some operations require cinder to make API requests
|
||||
# to Nova. This sets the keystone region to be used for these
|
||||
# requests. For example, boot-from-volume.
|
||||
# Defaults to undef.
|
||||
#
|
||||
# [*nova_catalog_info*]
|
||||
# (optional) Match this value when searching for nova in the service
|
||||
# catalog.
|
||||
# Defaults to 'compute:Compute Service:publicURL'
|
||||
#
|
||||
# [*nova_catalog_admin_info*]
|
||||
# (optional) Same as nova_catalog_info, but for admin endpoint.
|
||||
# Defaults to 'compute:Compute Service:adminURL'
|
||||
#
|
||||
# [*keystone_auth_admin_prefix*]
|
||||
# (optional) DEPRECATED The admin_prefix used to admin endpoint of the auth
|
||||
# host. This allow admin auth URIs like http://auth_host:35357/keystone.
|
||||
|
@ -125,19 +156,26 @@
|
|||
#
|
||||
class cinder::api (
|
||||
$keystone_password,
|
||||
$keystone_enabled = true,
|
||||
$keystone_tenant = 'services',
|
||||
$keystone_user = 'cinder',
|
||||
$auth_uri = false,
|
||||
$identity_uri = false,
|
||||
$os_region_name = undef,
|
||||
$service_workers = $::processorcount,
|
||||
$package_ensure = 'present',
|
||||
$bind_host = '0.0.0.0',
|
||||
$enabled = true,
|
||||
$manage_service = true,
|
||||
$ratelimits = undef,
|
||||
$default_volume_type = false,
|
||||
$keystone_enabled = true,
|
||||
$keystone_tenant = 'services',
|
||||
$keystone_user = 'cinder',
|
||||
$auth_uri = false,
|
||||
$identity_uri = false,
|
||||
$privileged_user = false,
|
||||
$os_privileged_user_name = undef,
|
||||
$os_privileged_user_password = undef,
|
||||
$os_privileged_user_tenant = undef,
|
||||
$os_privileged_user_auth_url = undef,
|
||||
$os_region_name = undef,
|
||||
$nova_catalog_info = 'compute:Compute Service:publicURL',
|
||||
$nova_catalog_admin_info = 'compute:Compute Service:adminURL',
|
||||
$service_workers = $::processorcount,
|
||||
$package_ensure = 'present',
|
||||
$bind_host = '0.0.0.0',
|
||||
$enabled = true,
|
||||
$manage_service = true,
|
||||
$ratelimits = undef,
|
||||
$default_volume_type = false,
|
||||
$ratelimits_factory =
|
||||
'cinder.api.v1.limits:RateLimitingMiddleware.factory',
|
||||
$validate = false,
|
||||
|
@ -209,12 +247,52 @@ class cinder::api (
|
|||
'DEFAULT/osapi_volume_workers': value => $service_workers;
|
||||
}
|
||||
|
||||
if $privileged_user {
|
||||
if !$os_privileged_user_name {
|
||||
fail('The os_privileged_user_name parameter is required when privileged_user is set to true')
|
||||
}
|
||||
if !$os_privileged_user_password {
|
||||
fail('The os_privileged_user_password parameter is required when privileged_user is set to true')
|
||||
}
|
||||
if !$os_privileged_user_tenant {
|
||||
fail('The os_privileged_user_tenant parameter is required when privileged_user is set to true')
|
||||
}
|
||||
|
||||
cinder_config {
|
||||
'DEFAULT/os_privileged_user_password': value => $os_privileged_user_password;
|
||||
'DEFAULT/os_privileged_user_tenant': value => $os_privileged_user_tenant;
|
||||
'DEFAULT/os_privileged_user_name': value => $os_privileged_user_name;
|
||||
}
|
||||
|
||||
if $os_privileged_user_auth_url {
|
||||
cinder_config {
|
||||
'DEFAULT/os_privileged_user_auth_url': value => $os_privileged_user_auth_url;
|
||||
}
|
||||
} else {
|
||||
cinder_config {
|
||||
'DEFAULT/os_privileged_user_auth_url': ensure => absent;
|
||||
}
|
||||
}
|
||||
} else {
|
||||
cinder_config {
|
||||
'DEFAULT/os_privileged_user_password': ensure => absent;
|
||||
'DEFAULT/os_privileged_user_tenant': ensure => absent;
|
||||
'DEFAULT/os_privileged_user_name': ensure => absent;
|
||||
'DEFAULT/os_privileged_user_auth_url': ensure => absent;
|
||||
}
|
||||
}
|
||||
|
||||
if $os_region_name {
|
||||
cinder_config {
|
||||
'DEFAULT/os_region_name': value => $os_region_name;
|
||||
}
|
||||
}
|
||||
|
||||
cinder_config {
|
||||
'DEFAULT/nova_catalog_info': value => $nova_catalog_info;
|
||||
'DEFAULT/nova_catalog_admin_info': value => $nova_catalog_admin_info;
|
||||
}
|
||||
|
||||
if $keystone_auth_uri and $auth_uri {
|
||||
fail('both keystone_auth_uri and auth_uri are set and they have the same meaning')
|
||||
}
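Review bot: The new `'DEFAULT/os_privileged_user_password': value => $os_privileged_user_password;` entry inside the `if $privileged_user` branch writes the password of an admin-capable account without marking it secret, so Puppet can print the old and new value in agent logs and reports whenever it changes. If the `cinder_config` type shipped in this tree supports it, the entry should read `'DEFAULT/os_privileged_user_password': value => $os_privileged_user_password, secret => true;`. The parameter documentation for `os_privileged_user_password` could also say that the value is sensitive and is expected to come from hiera rather than a manifest literal. The class body starts and ends outside this hunk.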
|
||||
|
|
|
@ -30,6 +30,12 @@ describe 'cinder::api' do
|
|||
is_expected.to contain_cinder_config('DEFAULT/osapi_volume_workers').with(
|
||||
:value => '8'
|
||||
)
|
||||
is_expected.to contain_cinder_config('DEFAULT/nova_catalog_info').with(
|
||||
:value => 'compute:Compute Service:publicURL'
|
||||
)
|
||||
is_expected.to contain_cinder_config('DEFAULT/nova_catalog_admin_info').with(
|
||||
:value => 'compute:Compute Service:adminURL'
|
||||
)
|
||||
is_expected.to contain_cinder_config('DEFAULT/default_volume_type').with(
|
||||
:ensure => 'absent'
|
||||
)
|
||||
|
@ -69,10 +75,24 @@ describe 'cinder::api' do
|
|||
)
|
||||
|
||||
is_expected.to_not contain_cinder_config('DEFAULT/os_region_name')
|
||||
|
||||
is_expected.to contain_cinder_config('DEFAULT/os_privileged_user_name').with_ensure('absent')
|
||||
is_expected.to contain_cinder_config('DEFAULT/os_privileged_user_password').with_ensure('absent')
|
||||
is_expected.to contain_cinder_config('DEFAULT/os_privileged_user_tenant').with_ensure('absent')
|
||||
is_expected.to contain_cinder_config('DEFAULT/os_privileged_user_auth_url').with_ensure('absent')
|
||||
end
|
||||
end
|
||||
|
||||
describe 'with a custom nova_catalog params' do
|
||||
let :params do
|
||||
req_params.merge({
|
||||
'nova_catalog_admin_info' => 'compute:nova:adminURL',
|
||||
'nova_catalog_info' => 'compute:nova:publicURL',
|
||||
})
|
||||
end
|
||||
it { is_expected.to contain_cinder_config('DEFAULT/nova_catalog_admin_info').with_value('compute:nova:adminURL') }
|
||||
it { is_expected.to contain_cinder_config('DEFAULT/nova_catalog_info').with_value('compute:nova:publicURL') }
|
||||
end
|
||||
|
||||
describe 'with a custom region for nova' do
|
||||
let :params do
|
||||
req_params.merge({'os_region_name' => 'MyRegion'})
|
||||
|
@ -84,6 +104,75 @@ describe 'cinder::api' do
|
|||
end
|
||||
end
|
||||
|
||||
describe 'with an OpenStack privileged account' do
|
||||
|
||||
context 'with all needed params' do
|
||||
let :params do
|
||||
req_params.merge({
|
||||
'privileged_user' => 'true',
|
||||
'os_privileged_user_name' => 'admin',
|
||||
'os_privileged_user_password' => 'password',
|
||||
'os_privileged_user_tenant' => 'admin',
|
||||
'os_privileged_user_auth_url' => 'http://localhost:8080',
|
||||
})
|
||||
end
|
||||
|
||||
it { is_expected.to contain_cinder_config('DEFAULT/os_privileged_user_name').with_value('admin') }
|
||||
it { is_expected.to contain_cinder_config('DEFAULT/os_privileged_user_password').with_value('password') }
|
||||
it { is_expected.to contain_cinder_config('DEFAULT/os_privileged_user_tenant').with_value('admin') }
|
||||
it { is_expected.to contain_cinder_config('DEFAULT/os_privileged_user_auth_url').with_value('http://localhost:8080') }
|
||||
end
|
||||
|
||||
context 'without os_privileged_user_auth_url' do
|
||||
let :params do
|
||||
req_params.merge({
|
||||
'privileged_user' => 'true',
|
||||
'os_privileged_user_name' => 'admin',
|
||||
'os_privileged_user_password' => 'password',
|
||||
'os_privileged_user_tenant' => 'admin',
|
||||
})
|
||||
end
|
||||
|
||||
it { is_expected.to contain_cinder_config('DEFAULT/os_privileged_user_name').with_value('admin') }
|
||||
it { is_expected.to contain_cinder_config('DEFAULT/os_privileged_user_password').with_value('password') }
|
||||
it { is_expected.to contain_cinder_config('DEFAULT/os_privileged_user_tenant').with_value('admin') }
|
||||
it { is_expected.to contain_cinder_config('DEFAULT/os_privileged_user_auth_url').with_ensure('absent') }
|
||||
end
|
||||
|
||||
context 'without os_privileged_user' do
|
||||
let :params do
|
||||
req_params.merge({
|
||||
'privileged_user' => 'true',
|
||||
})
|
||||
end
|
||||
|
||||
it_raises 'a Puppet::Error', /The os_privileged_user_name parameter is required when privileged_user is set to true/
|
||||
end
|
||||
|
||||
context 'without os_privileged_user_password' do
|
||||
let :params do
|
||||
req_params.merge({
|
||||
'privileged_user' => 'true',
|
||||
'os_privileged_user_name' => 'admin',
|
||||
})
|
||||
end
|
||||
|
||||
it_raises 'a Puppet::Error', /The os_privileged_user_password parameter is required when privileged_user is set to true/
|
||||
end
|
||||
|
||||
context 'without os_privileged_user_tenant' do
|
||||
let :params do
|
||||
req_params.merge({
|
||||
'privileged_user' => 'true',
|
||||
'os_privileged_user_name' => 'admin',
|
||||
'os_privileged_user_password' => 'password',
|
||||
})
|
||||
end
|
||||
|
||||
it_raises 'a Puppet::Error', /The os_privileged_user_tenant parameter is required when privileged_user is set to true/
|
||||
end
|
||||
end
|
||||
|
||||
describe 'with a default volume type' do
|
||||
let :params do
|
||||
req_params.merge({'default_volume_type' => 'foo'})
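Review bot: Every context under 'with an OpenStack privileged account' passes `'privileged_user' => 'true'` as a string rather than the boolean `true`, so the examples pass only because the manifest tests truthiness; under that same test a string such as 'false' would presumably enable the privileged account too. Use `'privileged_user' => true` in these contexts and add one that supplies the credentials with the flag left false and asserts the four `os_privileged_user_*` settings are `absent`. The context titled 'without os_privileged_user' actually exercises the missing `os_privileged_user_name` case and should be renamed to match its expectation. The enclosing `describe 'cinder::api'` block starts and ends outside these hunks.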
|
||||
|
|
|
@ -129,17 +129,24 @@ class openstack::cinder(
|
|||
|
||||
if ($bind_host) {
|
||||
class { 'cinder::api':
|
||||
keystone_enabled => $keystone_enabled,
|
||||
package_ensure => $::openstack_version['cinder'],
|
||||
auth_uri => $auth_uri,
|
||||
identity_uri => $identity_uri,
|
||||
keystone_user => $keystone_user,
|
||||
keystone_tenant => $keystone_tenant,
|
||||
keystone_password => $cinder_user_password,
|
||||
os_region_name => $region,
|
||||
bind_host => $bind_host,
|
||||
ratelimits => $cinder_rate_limits,
|
||||
service_workers => $service_workers,
|
||||
keystone_enabled => $keystone_enabled,
|
||||
package_ensure => $::openstack_version['cinder'],
|
||||
auth_uri => $auth_uri,
|
||||
identity_uri => $identity_uri,
|
||||
keystone_user => $keystone_user,
|
||||
keystone_tenant => $keystone_tenant,
|
||||
keystone_password => $cinder_user_password,
|
||||
os_region_name => $region,
|
||||
bind_host => $bind_host,
|
||||
ratelimits => $cinder_rate_limits,
|
||||
service_workers => $service_workers,
|
||||
privileged_user => true,
|
||||
os_privileged_user_password => $cinder_user_password,
|
||||
os_privileged_user_tenant => $keystone_tenant,
|
||||
os_privileged_user_auth_url => $auth_uri,
|
||||
os_privileged_user_name => $keystone_user,
|
||||
nova_catalog_admin_info => 'compute:nova:adminURL',
|
||||
nova_catalog_info => 'compute:nova:internalURL',
|
||||
}
|
||||
|
||||
class { 'cinder::scheduler':
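Review bot: `privileged_user => true` is set unconditionally and the privileged credentials are just the cinder service account again (`os_privileged_user_name => $keystone_user`, `os_privileged_user_password => $cinder_user_password`), so this only works if that service user already holds admin rights on Nova, and every deployment gets the elevated configuration whether or not a filter such as InstanceLocalityFilter is in use. Consider exposing separate parameters for the privileged account on `openstack::cinder`, or at minimum add a comment above these lines such as `# cinder queries Nova as admin (e.g. InstanceLocalityFilter); this reuses the cinder service account, which must therefore be a Nova admin`. Because cinder::api fails the catalog when the password is empty, an unset `$cinder_user_password` now breaks the whole declaration instead of only authentication. The `openstack::cinder` class body continues outside the hunk.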
|
||||
|
|
|
@ -5,16 +5,19 @@ manifest = 'openstack-cinder/openstack-cinder.pp'
|
|||
describe manifest do
|
||||
shared_examples 'catalog' do
|
||||
|
||||
max_pool_size = 20
|
||||
max_retries = '-1'
|
||||
max_overflow = 20
|
||||
rabbit_ha_queues = Noop.hiera('rabbit_ha_queues')
|
||||
max_pool_size = 20
|
||||
max_retries = '-1'
|
||||
max_overflow = 20
|
||||
rabbit_ha_queues = Noop.hiera('rabbit_ha_queues')
|
||||
cinder_user = Noop.hiera_structure('cinder/user', "cinder")
|
||||
cinder_user_password = Noop.hiera_structure('cinder/user_password')
|
||||
cinder_tenant = Noop.hiera_structure('cinder/tenant', "services")
|
||||
|
||||
it 'ensures cinder_config contains "oslo_messaging_rabbit/rabbit_ha_queues" ' do
|
||||
should contain_cinder_config('oslo_messaging_rabbit/rabbit_ha_queues').with(
|
||||
'value' => rabbit_ha_queues,
|
||||
)
|
||||
end
|
||||
it 'ensures cinder_config contains "oslo_messaging_rabbit/rabbit_ha_queues" ' do
|
||||
should contain_cinder_config('oslo_messaging_rabbit/rabbit_ha_queues').with(
|
||||
'value' => rabbit_ha_queues,
|
||||
)
|
||||
end
|
||||
|
||||
it 'should declare ::cinder class with correct database_max_* parameters' do
|
||||
should contain_class('cinder').with(
|
||||
|
@ -41,6 +44,15 @@ rabbit_ha_queues = Noop.hiera('rabbit_ha_queues')
|
|||
should contain_cinder_config('DEFAULT/use_stderr').with(:value => 'false')
|
||||
end
|
||||
|
||||
it "should contain cinder config with privileged user settings" do
|
||||
should contain_cinder_config('DEFAULT/os_privileged_user_password').with_value(cinder_user_password)
|
||||
should contain_cinder_config('DEFAULT/os_privileged_user_tenant').with_value(cinder_tenant)
|
||||
should contain_cinder_config('DEFAULT/os_privileged_user_auth_url').with_value("http://#{keystone_auth_host}:5000/")
|
||||
should contain_cinder_config('DEFAULT/os_privileged_user_name').with_value(cinder_user)
|
||||
should contain_cinder_config('DEFAULT/nova_catalog_admin_info').with_value('compute:nova:adminURL')
|
||||
should contain_cinder_config('DEFAULT/nova_catalog_info').with_value('compute:nova:internalURL')
|
||||
end
|
||||
|
||||
end # end of shared_examples
|
||||
|
||||
test_ubuntu_and_centos manifest
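Review bot: The expectation for `DEFAULT/os_privileged_user_auth_url` hard-codes `"http://#{keystone_auth_host}:5000/"`, which pins the privileged account's authentication to plain HTTP; if the deployment can terminate Keystone behind TLS, the test should derive the scheme from the same hiera setting the manifest uses instead of asserting `http://`. `keystone_auth_host` is not defined in the lines visible here, so it presumably comes from the part of the shared example between the two hunks; if it does not, this example would raise a NameError. A short comment above the new `it` block noting that the privileged user is expected to equal the cinder service user would make the intent of comparing against `cinder_user` and `cinder_user_password` clear.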
|
||||
|
|