Move nova to authtoken

In nova::keystone::authtoken, use keystone::resource::authtoken to configure
keystone_authtoken section in nova.conf, with all parameters
required to configure keystonemiddleware.
This patch will allow to deploy Nova to use Keystone v3 authentification.
Update acceptance and examples

Some deprecations:
- nova::api::admin_tenant_name is deprecated in favor of
  nova::keystone::authtoken::project_name.
- nova::api::admin_user is deprecated in favor of
  nova::keystone::authtoken::username.
- nova::api::admin_password is deprecated in favor of
  nova::keystone::authtoken::password.
- nova::api::identity_uri is deprecated in favor of
  nova::keystone::authtoken::auth_url.
- nova::api::auth_version is deprecated in favor of
  nova::keystone::authtoken::auth_version
- nova::api::auth_uri is deprecated in favor of
  nova::keystone::authtoken::auth_uri
- nova::memcached_servers is deprecated in favor of
  nova::keystone::authtoken::memcached_servers.

The patch is backward compatible and keep defaults values like before.

Depends-On: I299d4c372da702232eaa7cb34b690e372f56e701
Change-Id: I32649549879f912a0f49881c244b119497cf8473
Related-Bug: #1604463

lib/puppet/provider/nova.rb

@@ -19,10 +19,14 @@ class Puppet::Provider::Nova < Puppet::Provider::Openstack
 
   def self.nova_request(service, action, error, properties=nil)
     properties ||= []
-    @credentials.username = nova_credentials['admin_user']
+    @credentials.username = nova_credentials['username']
-    @credentials.password = nova_credentials['admin_password']
+    @credentials.password = nova_credentials['password']
-    @credentials.project_name = nova_credentials['admin_tenant_name']
+    @credentials.project_name = nova_credentials['project_name']
     @credentials.auth_url = auth_endpoint
+    if @credentials.version == '3'
+      @credentials.user_domain_name = nova_credentials['user_domain_name']
+      @credentials.project_domain_name = nova_credentials['project_domain_name']
+    end
     raise error unless @credentials.set?
     Puppet::Provider::Openstack.request(service, action, properties, @credentials)
   end
@@ -63,8 +67,7 @@ class Puppet::Provider::Nova < Puppet::Provider::Openstack
 
   def self.get_nova_credentials
     #needed keys for authentication
-    auth_keys = ['auth_uri', 'admin_tenant_name', 'admin_user',
+    auth_keys = ['auth_uri', 'project_name', 'username', 'password']
-                 'admin_password']
     conf = nova_conf
     if conf and conf['keystone_authtoken'] and
         auth_keys.all?{|k| !conf['keystone_authtoken'][k].nil?}
@@ -73,6 +76,16 @@ class Puppet::Provider::Nova < Puppet::Provider::Openstack
       if conf['neutron'] and conf['neutron']['region_name']
         creds['region_name'] = conf['neutron']['region_name'].strip
       end
+      if !conf['keystone_authtoken']['project_domain_name'].nil?
+        creds['project_domain_name'] = conf['keystone_authtoken']['project_domain_name'].strip
+      else
+        creds['project_domain_name'] = 'Default'
+      end
+      if !conf['keystone_authtoken']['user_domain_name'].nil?
+        creds['user_domain_name'] = conf['keystone_authtoken']['user_domain_name'].strip
+      else
+        creds['user_domain_name'] = 'Default'
+      end
       return creds
     else
       raise(Puppet::Error, "File: #{conf_filename} does not contain all " +
@@ -94,10 +107,10 @@ class Puppet::Provider::Nova < Puppet::Provider::Openstack
   def self.auth_nova(*args)
     q = nova_credentials
     authenv = {
-      :OS_AUTH_URL    => self.auth_endpoint,
+      :OS_AUTH_URL     => self.auth_endpoint,
-      :OS_USERNAME    => q['admin_user'],
+      :OS_USERNAME     => q['username'],
-      :OS_TENANT_NAME => q['admin_tenant_name'],
+      :OS_PROJECT_NAME => q['project_name'],
-      :OS_PASSWORD    => q['admin_password']
+      :OS_PASSWORD     => q['password']
     }
     if q.key?('region_name')
       authenv[:OS_REGION_NAME] = q['region_name']

lib/puppet/type/nova_aggregate.rb

@@ -45,7 +45,7 @@ Puppet::Type.newtype(:nova_aggregate) do
   ensurable
 
   autorequire(:nova_config) do
-    ['auth_uri', 'admin_tenant_name', 'admin_user', 'admin_password']
+    ['auth_uri', 'project_name', 'username', 'password']
   end
 
   newparam(:name, :namevar => true) do

lib/puppet/type/nova_flavor.rb

@@ -51,7 +51,7 @@ Puppet::Type.newtype(:nova_flavor) do
   ensurable
 
   autorequire(:nova_config) do
-    ['auth_uri', 'admin_tenant_name', 'admin_user', 'admin_password']
+    ['auth_uri', 'project_name', 'username', 'password']
   end
 
   # Require the nova-api service to be running

manifests/api.pp

@@ -4,9 +4,6 @@
 #
 # === Parameters
 #
-# [*admin_password*]
-#   (required) The password to set for the nova admin user in keystone
-#
 # [*enabled*]
 #   (optional) Whether the nova api service will be run
 #   Defaults to true
@@ -23,22 +20,6 @@
 #   (optional) Whether the nova api package will be installed
 #   Defaults to 'present'
 #
-# [*auth_uri*]
-#   (optional) Complete public Identity API endpoint.
-#   Defaults to 'http://127.0.0.1:5000/'
-#
-# [*identity_uri*]
-#   (optional) Complete admin Identity API endpoint.
-#   Defaults to: 'http://127.0.0.1:35357/'
-#
-# [*admin_tenant_name*]
-#   (optional) The name of the tenant to create in keystone for use by the nova services
-#   Defaults to 'services'
-#
-# [*admin_user*]
-#   (optional) The name of the user to create in keystone for use by the nova services
-#   Defaults to 'nova'
-#
 # [*api_bind_address*]
 #   (optional) IP address for nova-api server to listen
 #   Defaults to '0.0.0.0'
@@ -209,9 +190,9 @@
 #   Defaults to port undef
 #
 # [*auth_version*]
-#   (optional) DEPRECATED. API version of the admin Identity API endpoint
+#   (optional) DEPRECATED. Use auth_token from
-#   for example, use 'v3.0' for the keystone version 3.0 api
+#   nova::keystone::authtoken class instead.
-#   Defaults to false
+#   Defaults to undef
 #
 # [*osapi_v3*]
 #   (optional) DEPRECATED. Enable or not Nova API v3
@@ -226,16 +207,36 @@
 #   Class instead.
 #   Defaults to undef
 #
+# [*admin_tenant_name*]
+#   (optional) DEPRECATED. Use project_name from
+#   nova::keystone::authtoken class instead.
+#   Defaults to undef
+#
+# [*admin_user*]
+#   (optional) DEPRECATED. Use username from
+#   nova::keystone::authtoken class instead.
+#   Defaults to undef
+#
+# [*admin_password*]
+#   (optional) DEPRECATED. Use password from
+#   nova::keystone::authtoken class instead.
+#   Defaults to undef
+#
+# [*identity_uri*]
+#   (optional) DEPRECATED. Use auth_url from
+#   nova::keystone::authtoken class instead.
+#   Defaults to undef
+#
+# [*auth_uri*]
+#   (optional) DEPRECATED. Use auth_uri from
+#   nova::keystone::authtoken class instead.
+#   Defaults to undef
+#
 class nova::api(
-  $admin_password,
   $enabled                              = true,
   $manage_service                       = true,
   $api_paste_config                     = 'api-paste.ini',
   $ensure_package                       = 'present',
-  $auth_uri                             = 'http://127.0.0.1:5000/',
-  $identity_uri                         = 'http://127.0.0.1:35357/',
-  $admin_tenant_name                    = 'services',
-  $admin_user                           = 'nova',
   $api_bind_address                     = '0.0.0.0',
   $osapi_compute_listen_port            = 8774,
   $metadata_listen                      = '0.0.0.0',
@@ -273,15 +274,21 @@ class nova::api(
   $ec2_listen_port                      = undef,
   $ec2_workers                          = undef,
   $keystone_ec2_url                     = undef,
-  $auth_version                         = false,
+  $auth_version                         = undef,
   $volume_api_class                     = undef,
   $osapi_v3                             = undef,
+  $admin_password                       = undef,
+  $auth_uri                             = undef,
+  $identity_uri                         = undef,
+  $admin_tenant_name                    = undef,
+  $admin_user                           = undef,
 ) inherits nova::params {
 
   include ::nova::deps
   include ::nova::db
   include ::nova::policy
   include ::cinder::client
+  include ::nova::keystone::authtoken
 
   if $osapi_v3 {
     warning('osapi_v3 is deprecated, has no effect and will be removed in a future release.')
@@ -309,6 +316,31 @@ class nova::api(
     }
   }
 
+  if $auth_version {
+    warning('nova::api::auth_version is deprecated, use nova::keystone::authtoken::auth_version instead.')
+  }
+
+  if $identity_uri {
+    warning('nova::api::identity_uri is deprecated, use nova::keystone::authtoken::auth_url instead.')
+  }
+
+  if $auth_uri {
+    warning('nova::api::auth_uri is deprecated, use nova::keystone::authtoken::auth_uri instead.')
+  }
+
+  if $admin_tenant_name {
+    warning('nova::api::admin_tenant_name is deprecated, use nova::keystone::authtoken::project_name instead.')
+  }
+
+  if $admin_user {
+    warning('nova::api::admin_user is deprecated, use nova::keystone::authtoken::username instead.')
+  }
+
+  if $admin_password {
+    warning('nova::api::admin_password is deprecated, use nova::keystone::authtoken::password instead.')
+  }
+
+
   # metadata can't be run in wsgi so we have to enable it in eventlet anyway.
   if ('metadata' in $enabled_apis and $service_name == 'httpd') {
     $enable_metadata = true
@@ -396,21 +428,6 @@ class nova::api(
     }
   }
 
-  if $auth_version {
-    warning('auth_version parameter is deprecated and has no effect during Mitaka and will be dropped during N cycle.')
-  }
-
-  nova_config {
-    'keystone_authtoken/auth_uri'    : value => $auth_uri;
-    'keystone_authtoken/identity_uri': value => $identity_uri;
-  }
-
-  nova_config {
-    'keystone_authtoken/admin_tenant_name': value => $admin_tenant_name;
-    'keystone_authtoken/admin_user':        value => $admin_user;
-    'keystone_authtoken/admin_password':    value => $admin_password, secret => true;
-  }
-
   if ($ratelimits != undef) {
     nova_paste_api_ini {
       'filter:ratelimit/paste.filter_factory': value => $ratelimits_factory;
@@ -446,9 +463,12 @@ class nova::api(
   }
 
   if $validate {
+    $admin_user_real = pick($admin_user, $::nova::keystone::authtoken::username)
+    $admin_password_real = pick($admin_password, $::nova::keystone::authtoken::password)
+    $admin_tenant_name_real = pick($admin_tenant_name, $::nova::keystone::authtoken::project_name)
     $defaults = {
       'nova-api' => {
-        'command'  => "nova --os-auth-url ${auth_uri} --os-tenant-name ${admin_tenant_name} --os-username ${admin_user} --os-password ${admin_password} flavor-list",
+        'command'  => "nova --os-auth-url ${::nova::keystone::authtoken::auth_uri} --os-project-name ${admin_tenant_name_real} --os-username ${admin_user_real} --os-password ${admin_password_real} flavor-list",
       }
     }
     $validation_options_hash = merge ($defaults, $validation_options)

manifests/init.pp

@@ -73,10 +73,6 @@
 #   (optional) List of addresses for api servers.
 #   Defaults to 'http://localhost:9292'
 #
-# [*memcached_servers*]
-#   (optional) Use memcached instead of in-process cache. Supply a list of memcached server IP's:Memcached Port.
-#   Defaults to $::os_service_default.
-#
 # [*rabbit_host*]
 #   (optional) Location of rabbitmq installation. (string value)
 #   Defaults to $::os_service_default
@@ -429,6 +425,12 @@
 #   (optional) Set log output to verbose output.
 #   Defaults to undef
 #
+# [*memcached_servers*]
+#   (optional) DEPRECATED. Use memcached_servers from
+#   nova::keystone::authtoken class instead.
+#   memcached server IP's:Memcached Port.
+#   Defaults to undef
+#
 class nova(
   $ensure_package                         = 'present',
   $database_connection                    = undef,
@@ -450,7 +452,6 @@ class nova(
   # these glance params should be optional
   # this should probably just be configured as a glance client
   $glance_api_servers                     = 'http://localhost:9292',
-  $memcached_servers                      = $::os_service_default,
   $rabbit_host                            = $::os_service_default,
   $rabbit_hosts                           = $::os_service_default,
   $rabbit_password                        = $::os_service_default,
@@ -527,6 +528,7 @@ class nova(
   $purge_config                           = false,
   # DEPRECATED PARAMETERS
   $verbose                                = undef,
+  $memcached_servers                      = undef,
 ) inherits nova::params {
 
   include ::nova::deps
@@ -544,6 +546,9 @@ class nova(
     warning('verbose is deprecated, has no effect and will be removed after Newton cycle.')
   }
 
+  if $memcached_servers {
+    warning('nova::memcached_servers is deprecated, use nova::keystone::authtoken::memcached_servers instead.')
+  }
   if $use_ssl {
     if !$cert_file {
       fail('The cert_file parameter is required when use_ssl is set to true')
@@ -643,7 +648,6 @@ class nova(
   nova_config {
     'DEFAULT/image_service':                value => $image_service;
     'DEFAULT/auth_strategy':                value => $auth_strategy;
-    'keystone_authtoken/memcached_servers': value => join(any2array($memcached_servers), ',');
     'DEFAULT/host':                         value => $host;
   }
 

manifests/keystone/authtoken.pp

@@ -0,0 +1,277 @@
+# class: nova::keystone::authtoken
+#
+# Configure the keystone_authtoken section in the configuration file
+#
+# === Parameters
+#
+# [*username*]
+#   (Optional) The name of the service user
+#   Defaults to 'nova'
+#
+# [*password*]
+#   (Optional) Password to create for the service user
+#   Defaults to $::os_service_default
+#
+# [*auth_url*]
+#   (Optional) The URL to use for authentication.
+#   Defaults to 'http:://127.0.0.1:35357'
+#
+# [*project_name*]
+#   (Optional) Service project name
+#   Defaults to 'services'
+#
+# [*user_domain_name*]
+#   (Optional) Name of domain for $username
+#   Defaults to $::os_service_default
+#
+# [*project_domain_name*]
+#   (Optional) Name of domain for $project_name
+#   Defaults to $::os_service_default
+#
+# [*insecure*]
+#   (Optional) If true, explicitly allow TLS without checking server cert
+#   against any certificate authorities.  WARNING: not recommended.  Use with
+#   caution.
+#   Defaults to $:os_service_default
+#
+# [*auth_section*]
+#   (Optional) Config Section from which to load plugin specific options
+#   Defaults to $::os_service_default.
+#
+# [*auth_type*]
+#   (Optional) Authentication type to load
+#   Defaults to $::os_service_default
+#
+# [*auth_uri*]
+#   (Optional) Complete public Identity API endpoint.
+#   Defaults to 'http://127.0.0.1:5000/'.
+#
+# [*auth_version*]
+#   (Optional) API version of the admin Identity API endpoint.
+#   Defaults to $::os_service_default.
+#
+# [*cache*]
+#   (Optional) Env key for the swift cache.
+#   Defaults to $::os_service_default.
+#
+# [*cafile*]
+#   (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs
+#   connections.
+#   Defaults to $::os_service_default.
+#
+# [*certfile*]
+#   (Optional) Required if identity server requires client certificate
+#   Defaults to $::os_service_default.
+#
+# [*check_revocations_for_cached*]
+#   (Optional) If true, the revocation list will be checked for cached tokens.
+#   This requires that PKI tokens are configured on the identity server.
+#   boolean value.
+#   Defaults to $::os_service_default.
+#
+# [*delay_auth_decision*]
+#   (Optional) Do not handle authorization requests within the middleware, but
+#   delegate the authorization decision to downstream WSGI components. Boolean
+#   value
+#   Defaults to $::os_service_default.
+#
+# [*enforce_token_bind*]
+#   (Optional) Used to control the use and type of token binding. Can be set
+#   to: "disabled" to not check token binding. "permissive" (default) to
+#   validate binding information if the bind type is of a form known to the
+#   server and ignore it if not. "strict" like "permissive" but if the bind
+#   type is unknown the token will be rejected. "required" any form of token
+#   binding is needed to be allowed. Finally the name of a binding method that
+#   must be present in tokens. String value.
+#   Defaults to $::os_service_default.
+#
+# [*hash_algorithms*]
+#   (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
+#   single algorithm or multiple. The algorithms are those supported by Python
+#   standard hashlib.new(). The hashes will be tried in the order given, so put
+#   the preferred one first for performance. The result of the first hash will
+#   be stored in the cache. This will typically be set to multiple values only
+#   while migrating from a less secure algorithm to a more secure one. Once all
+#   the old tokens are expired this option should be set to a single value for
+#   better performance. List value.
+#   Defaults to $::os_service_default.
+#
+# [*http_connect_timeout*]
+#   (Optional) Request timeout value for communicating with Identity API
+#   server.
+#   Defaults to $::os_service_default.
+#
+# [*http_request_max_retries*]
+#   (Optional) How many times are we trying to reconnect when communicating
+#   with Identity API Server. Integer value
+#   Defaults to $::os_service_default.
+#
+# [*include_service_catalog*]
+#   (Optional) Indicate whether to set the X-Service-Catalog header. If False,
+#   middleware will not ask for service catalog on token validation and will
+#   not set the X-Service-Catalog header. Boolean value.
+#   Defaults to $::os_service_default.
+#
+# [*keyfile*]
+#   (Optional) Required if identity server requires client certificate
+#   Defaults to $::os_service_default.
+#
+# [*memcache_pool_conn_get_timeout*]
+#   (Optional) Number of seconds that an operation will wait to get a memcached
+#   client connection from the pool. Integer value
+#   Defaults to $::os_service_default.
+#
+# [*memcache_pool_dead_retry*]
+#   (Optional) Number of seconds memcached server is considered dead before it
+#   is tried again. Integer value
+#   Defaults to $::os_service_default.
+#
+# [*memcache_pool_maxsize*]
+#   (Optional) Maximum total number of open connections to every memcached
+#    server. Integer value
+#  Defaults to $::os_service_default.
+#
+# [*memcache_pool_socket_timeout*]
+#   (Optional) Number of seconds a connection to memcached is held unused in
+#   the pool before it is closed. Integer value
+#   Defaults to $::os_service_default.
+#
+# [*memcache_pool_unused_timeout*]
+#   (Optional) Number of seconds a connection to memcached is held unused in
+#   the pool before it is closed. Integer value
+#   Defaults to $::os_service_default.
+#
+# [*memcache_secret_key*]
+#   (Optional, mandatory if memcache_security_strategy is defined) This string
+#   is used for key derivation.
+#   Defaults to $::os_service_default.
+#
+# [*memcache_security_strategy*]
+#   (Optional) If defined, indicate whether token data should be authenticated
+#   or authenticated and encrypted. If MAC, token data is authenticated (with
+#   HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the
+#   cache. If the value is not one of these options or empty, auth_token will
+#   raise an exception on initialization.
+#   Defaults to $::os_service_default.
+#
+# [*memcache_use_advanced_pool*]
+#   (Optional)  Use the advanced (eventlet safe) memcached client pool. The
+#   advanced pool will only work under python 2.x Boolean value
+#   Defaults to $::os_service_default.
+#
+# [*memcached_servers*]
+#   (Optional) Optionally specify a list of memcached server(s) to use for
+#   caching. If left undefined, tokens will instead be cached in-process.
+#   Defaults to $::os_service_default.
+#
+# [*region_name*]
+#   (Optional) The region in which the identity server can be found.
+#   Defaults to $::os_service_default.
+#
+# [*revocation_cache_time*]
+#   (Optional) Determines the frequency at which the list of revoked tokens is
+#   retrieved from the Identity service (in seconds). A high number of
+#   revocation events combined with a low cache duration may significantly
+#   reduce performance. Only valid for PKI tokens. Integer value
+#   Defaults to $::os_service_default.
+#
+# [*signing_dir*]
+#   (Optional) Directory used to cache files related to PKI tokens.
+#   Defaults to $::os_service_default.
+#
+# [*token_cache_time*]
+#   (Optional) In order to prevent excessive effort spent validating tokens,
+#   the middleware caches previously-seen tokens for a configurable duration
+#   (in seconds). Set to -1 to disable caching completely. Integer value
+#   Defaults to $::os_service_default.
+#
+class nova::keystone::authtoken(
+  $username                       = 'nova',
+  $password                       = $::os_service_default,
+  $auth_url                       = 'http://127.0.0.1:35357/',
+  $project_name                   = 'services',
+  $user_domain_name               = $::os_service_default,
+  $project_domain_name            = $::os_service_default,
+  $insecure                       = $::os_service_default,
+  $auth_section                   = $::os_service_default,
+  $auth_type                      = 'password',
+  $auth_uri                       = 'http://127.0.0.1:5000/',
+  $auth_version                   = $::os_service_default,
+  $cache                          = $::os_service_default,
+  $cafile                         = $::os_service_default,
+  $certfile                       = $::os_service_default,
+  $check_revocations_for_cached   = $::os_service_default,
+  $delay_auth_decision            = $::os_service_default,
+  $enforce_token_bind             = $::os_service_default,
+  $hash_algorithms                = $::os_service_default,
+  $http_connect_timeout           = $::os_service_default,
+  $http_request_max_retries       = $::os_service_default,
+  $include_service_catalog        = $::os_service_default,
+  $keyfile                        = $::os_service_default,
+  $memcache_pool_conn_get_timeout = $::os_service_default,
+  $memcache_pool_dead_retry       = $::os_service_default,
+  $memcache_pool_maxsize          = $::os_service_default,
+  $memcache_pool_socket_timeout   = $::os_service_default,
+  $memcache_pool_unused_timeout   = $::os_service_default,
+  $memcache_secret_key            = $::os_service_default,
+  $memcache_security_strategy     = $::os_service_default,
+  $memcache_use_advanced_pool     = $::os_service_default,
+  $memcached_servers              = $::os_service_default,
+  $region_name                    = $::os_service_default,
+  $revocation_cache_time          = $::os_service_default,
+  $signing_dir                    = $::os_service_default,
+  $token_cache_time               = $::os_service_default,
+) {
+
+  include ::nova
+
+  if is_service_default($password) and ! $::nova::api::admin_password {
+    fail('Please set password for nova service user')
+  }
+
+  $username_real = pick($::nova::api::admin_user, $username)
+  $password_real = pick($::nova::api::admin_password, $password)
+  $project_name_real = pick($::nova::api::admin_tenant_name, $project_name)
+  $auth_uri_real = pick($::nova::api::auth_uri, $auth_uri)
+  $auth_version_real = pick($::nova::api::auth_version, $auth_version)
+  $memcached_servers_real = pick($::nova::memcached_servers, $memcached_servers)
+  $auth_url_real = pick($::nova::api::identity_uri, $auth_url)
+
+  keystone::resource::authtoken { 'nova_config':
+    username                       => $username_real,
+    password                       => $password_real,
+    project_name                   => $project_name_real,
+    auth_url                       => $auth_url_real,
+    auth_uri                       => $auth_uri_real,
+    auth_version                   => $auth_version_real,
+    auth_type                      => $auth_type,
+    auth_section                   => $auth_section,
+    user_domain_name               => $user_domain_name,
+    project_domain_name            => $project_domain_name,
+    insecure                       => $insecure,
+    cache                          => $cache,
+    cafile                         => $cafile,
+    certfile                       => $certfile,
+    check_revocations_for_cached   => $check_revocations_for_cached,
+    delay_auth_decision            => $delay_auth_decision,
+    enforce_token_bind             => $enforce_token_bind,
+    hash_algorithms                => $hash_algorithms,
+    http_connect_timeout           => $http_connect_timeout,
+    http_request_max_retries       => $http_request_max_retries,
+    include_service_catalog        => $include_service_catalog,
+    keyfile                        => $keyfile,
+    memcache_pool_conn_get_timeout => $memcache_pool_conn_get_timeout,
+    memcache_pool_dead_retry       => $memcache_pool_dead_retry,
+    memcache_pool_maxsize          => $memcache_pool_maxsize,
+    memcache_pool_socket_timeout   => $memcache_pool_socket_timeout,
+    memcache_secret_key            => $memcache_secret_key,
+    memcache_security_strategy     => $memcache_security_strategy,
+    memcache_use_advanced_pool     => $memcache_use_advanced_pool,
+    memcache_pool_unused_timeout   => $memcache_pool_unused_timeout,
+    memcached_servers              => $memcached_servers_real,
+    region_name                    => $region_name,
+    revocation_cache_time          => $revocation_cache_time,
+    signing_dir                    => $signing_dir,
+    token_cache_time               => $token_cache_time,
+  }
+}

releasenotes/notes/authtoken-049381ec171680e4.yaml

@@ -0,0 +1,11 @@
+---
+features:
+  - Configure keystonemiddleware in a consistent way with all options required for Keystone v3.
+deprecations:
+ - nova::api::admin_tenant_name is deprecated in favor of nova::keystone::authtoken::project_name.
+ - nova::api::admin_user is deprecated in favor of nova::keystone::authtoken::username.
+ - nova::api::admin_password is deprecated in favor of nova::keystone::authtoken::password.
+ - nova::api::identity_uri is deprecated in favor of nova::keystone::authtoken::auth_url.
+ - nova::api::auth_version is deprecated in favor of nova::keystone::authtoken::auth_version
+ - nova::api::auth_uri is deprecated in favor of nova::keystone::authtoken::auth_uri
+ - nova::memcached_servers is deprecated in favor of nova::keystone::authtoken::memcached_servers.

spec/acceptance/nova_wsgi_apache_spec.rb

@@ -47,9 +47,10 @@ describe 'basic nova' do
       class { '::nova::keystone::auth':
         password => 'a_big_secret',
       }
+      class { '::nova::keystone::authtoken':
+        password => 'a_big_secret',
+      }
       class { '::nova::api':
-        admin_password => 'a_big_secret',
-        identity_uri   => 'http://127.0.0.1:35357/',
         service_name   => 'httpd',
       }
       include ::apache

spec/classes/nova_api_spec.rb

@@ -14,6 +14,8 @@ describe 'nova::api' do
 
     context 'with default parameters' do
 
+      it { is_expected.to contain_class('nova::keystone::authtoken') }
+
       it 'installs nova-api package and service' do
         is_expected.to contain_service('nova-api').with(
           :name      => platform_params[:nova_api_service],
@@ -36,13 +38,13 @@ describe 'nova::api' do
        is_expected.to contain_nova_config(
           'keystone_authtoken/auth_uri').with_value('http://127.0.0.1:5000/')
        is_expected.to contain_nova_config(
-          'keystone_authtoken/identity_uri').with_value('http://127.0.0.1:35357/')
+          'keystone_authtoken/auth_url').with_value('http://127.0.0.1:35357/')
         is_expected.to contain_nova_config(
-          'keystone_authtoken/admin_tenant_name').with_value('services')
+          'keystone_authtoken/project_name').with_value('services')
         is_expected.to contain_nova_config(
-          'keystone_authtoken/admin_user').with_value('nova')
+          'keystone_authtoken/username').with_value('nova')
         is_expected.to contain_nova_config(
-          'keystone_authtoken/admin_password').with_value('passw0rd').with_secret(true)
+          'keystone_authtoken/password').with_value('passw0rd').with_secret(true)
       end
 
       it 'enable metadata in evenlet configuration' do
@@ -136,13 +138,13 @@ describe 'nova::api' do
         is_expected.to contain_nova_config(
           'keystone_authtoken/auth_uri').with_value('https://10.0.0.1:9999/')
         is_expected.to contain_nova_config(
-          'keystone_authtoken/identity_uri').with_value('https://10.0.0.1:8888/')
+          'keystone_authtoken/auth_url').with_value('https://10.0.0.1:8888/')
         is_expected.to contain_nova_config(
-          'keystone_authtoken/admin_tenant_name').with_value('service2')
+          'keystone_authtoken/project_name').with_value('service2')
         is_expected.to contain_nova_config(
-          'keystone_authtoken/admin_user').with_value('nova2')
+          'keystone_authtoken/username').with_value('nova2')
         is_expected.to contain_nova_config(
-          'keystone_authtoken/admin_password').with_value('passw0rd2').with_secret(true)
+          'keystone_authtoken/password').with_value('passw0rd2').with_secret(true)
         is_expected.to contain_nova_paste_api_ini(
           'filter:ratelimit/limits').with_value('(GET, "*", .*, 100, MINUTE);(POST, "*", .*, 200, MINUTE)')
       end
@@ -190,7 +192,7 @@ describe 'nova::api' do
         :provider    => 'shell',
         :tries       => '10',
         :try_sleep   => '2',
-        :command     => 'nova --os-auth-url http://127.0.0.1:5000/ --os-tenant-name services --os-username nova --os-password passw0rd flavor-list',
+        :command     => 'nova --os-auth-url http://127.0.0.1:5000/ --os-project-name services --os-username nova --os-password passw0rd flavor-list',
       )}
 
       it { is_expected.to contain_anchor('create nova-api anchor').with(
@@ -271,30 +273,6 @@ describe 'nova::api' do
       end
     end
 
-    context 'with custom keystone identity_uri' do
-      before do
-        params.merge!({
-          :identity_uri => 'https://foo.bar:1234/',
-        })
-      end
-      it 'configures identity_uri' do
-        is_expected.to contain_nova_config('keystone_authtoken/identity_uri').with_value("https://foo.bar:1234/");
-      end
-    end
-
-    context 'with custom keystone identity_uri and auth_uri ' do
-      before do
-        params.merge!({
-          :identity_uri => 'https://foo.bar:35357/',
-          :auth_uri => 'https://foo.bar:5000/v2.0/',
-        })
-      end
-      it 'configures identity_uri' do
-        is_expected.to contain_nova_config('keystone_authtoken/identity_uri').with_value("https://foo.bar:35357/");
-        is_expected.to contain_nova_config('keystone_authtoken/auth_uri').with_value("https://foo.bar:5000/v2.0/");
-      end
-    end
-
     context 'when running nova API in wsgi compute, and enabling metadata' do
       before do
         params.merge!({ :service_name => 'httpd' })

spec/classes/nova_init_spec.rb

@@ -151,10 +151,6 @@ describe 'nova' do
         is_expected.to contain_nova_config('oslo_messaging_rabbit/heartbeat_rate').with_value('10')
       end
 
-      it 'configures memcached_servers' do
-        is_expected.to contain_nova_config('keystone_authtoken/memcached_servers').with_value('memcached01:11211,memcached02:11211')
-      end
-
       it 'configures host' do
         is_expected.to contain_nova_config('DEFAULT/host').with_value('test-001.example.org')
       end

spec/classes/nova_keystone_authtoken_spec.rb

@@ -0,0 +1,147 @@
+require 'spec_helper'
+
+describe 'nova::keystone::authtoken' do
+
+  let :params do
+    { :password => 'nova_password', }
+  end
+
+  shared_examples 'nova authtoken' do
+
+    context 'with default parameters' do
+
+      it 'configure keystone_authtoken' do
+        is_expected.to contain_nova_config('keystone_authtoken/username').with_value('nova')
+        is_expected.to contain_nova_config('keystone_authtoken/password').with_value('nova_password')
+        is_expected.to contain_nova_config('keystone_authtoken/auth_url').with_value('http://127.0.0.1:35357/')
+        is_expected.to contain_nova_config('keystone_authtoken/project_name').with_value('services')
+        is_expected.to contain_nova_config('keystone_authtoken/user_domain_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_nova_config('keystone_authtoken/project_domain_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_nova_config('keystone_authtoken/insecure').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_nova_config('keystone_authtoken/auth_section').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_nova_config('keystone_authtoken/auth_type').with_value('password')
+        is_expected.to contain_nova_config('keystone_authtoken/auth_uri').with_value('http://127.0.0.1:5000/')
+        is_expected.to contain_nova_config('keystone_authtoken/auth_version').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_nova_config('keystone_authtoken/cache').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_nova_config('keystone_authtoken/cafile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_nova_config('keystone_authtoken/certfile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_nova_config('keystone_authtoken/check_revocations_for_cached').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_nova_config('keystone_authtoken/delay_auth_decision').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_nova_config('keystone_authtoken/enforce_token_bind').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_nova_config('keystone_authtoken/hash_algorithms').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_nova_config('keystone_authtoken/http_connect_timeout').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_nova_config('keystone_authtoken/http_request_max_retries').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_nova_config('keystone_authtoken/include_service_catalog').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_nova_config('keystone_authtoken/keyfile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_nova_config('keystone_authtoken/memcache_pool_conn_get_timeout').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_nova_config('keystone_authtoken/memcache_pool_dead_retry').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_nova_config('keystone_authtoken/memcache_pool_maxsize').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_nova_config('keystone_authtoken/memcache_pool_socket_timeout').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_nova_config('keystone_authtoken/memcache_pool_unused_timeout').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_nova_config('keystone_authtoken/memcache_secret_key').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_nova_config('keystone_authtoken/memcache_security_strategy').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_nova_config('keystone_authtoken/memcache_use_advanced_pool').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_nova_config('keystone_authtoken/memcached_servers').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_nova_config('keystone_authtoken/region_name').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_nova_config('keystone_authtoken/revocation_cache_time').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_nova_config('keystone_authtoken/signing_dir').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_nova_config('keystone_authtoken/token_cache_time').with_value('<SERVICE DEFAULT>')
+      end
+    end
+
+    context 'when overriding parameters' do
+      before do
+        params.merge!({
+          :auth_uri                             => 'https://10.0.0.1:9999/',
+          :username                             => 'myuser',
+          :password                             => 'mypasswd',
+          :auth_url                             => 'http://:127.0.0.1:35357',
+          :project_name                         => 'service_project',
+          :user_domain_name                     => 'domainX',
+          :project_domain_name                  => 'domainX',
+          :insecure                             => false,
+          :auth_section                         => 'new_section',
+          :auth_type                            => 'password',
+          :auth_version                         => 'v3',
+          :cache                                => 'somevalue',
+          :cafile                               =>
+'/opt/stack/data/cafile.pem',
+          :certfile                             => 'certfile.crt',
+          :check_revocations_for_cached         => false,
+          :delay_auth_decision                  => false,
+          :enforce_token_bind                   => 'permissive',
+          :hash_algorithms                      => 'md5',
+          :http_connect_timeout                 => '300',
+          :http_request_max_retries             => '3',
+          :include_service_catalog              => true,
+          :keyfile                              => 'keyfile',
+          :memcache_pool_conn_get_timeout       => '9',
+          :memcache_pool_dead_retry             => '302',
+          :memcache_pool_maxsize                => '11',
+          :memcache_pool_socket_timeout         => '2',
+          :memcache_pool_unused_timeout         => '61',
+          :memcache_secret_key                  => 'secret_key',
+          :memcache_security_strategy           => 'ENCRYPT',
+          :memcache_use_advanced_pool           => true,
+          :memcached_servers                    =>
+['memcached01:11211','memcached02:11211'],
+          :region_name                          => 'region2',
+          :revocation_cache_time                => '11',
+          :signing_dir                          => '/var/cache',
+          :token_cache_time                     => '301',
+        })
+      end
+
+      it 'configure keystone_authtoken' do
+        is_expected.to contain_nova_config('keystone_authtoken/auth_uri').with_value('https://10.0.0.1:9999/') 
+        is_expected.to contain_nova_config('keystone_authtoken/username').with_value(params[:username])
+        is_expected.to contain_nova_config('keystone_authtoken/password').with_value(params[:password]).with_secret(true)
+        is_expected.to contain_nova_config('keystone_authtoken/auth_url').with_value(params[:auth_url])
+        is_expected.to contain_nova_config('keystone_authtoken/project_name').with_value(params[:project_name])
+        is_expected.to contain_nova_config('keystone_authtoken/user_domain_name').with_value(params[:user_domain_name])
+        is_expected.to contain_nova_config('keystone_authtoken/project_domain_name').with_value(params[:project_domain_name])
+        is_expected.to contain_nova_config('keystone_authtoken/insecure').with_value(params[:insecure])
+        is_expected.to contain_nova_config('keystone_authtoken/auth_section').with_value(params[:auth_section])
+        is_expected.to contain_nova_config('keystone_authtoken/auth_type').with_value(params[:auth_type])
+        is_expected.to contain_nova_config('keystone_authtoken/auth_version').with_value(params[:auth_version])
+        is_expected.to contain_nova_config('keystone_authtoken/cache').with_value(params[:cache])
+        is_expected.to contain_nova_config('keystone_authtoken/cafile').with_value(params[:cafile])
+        is_expected.to contain_nova_config('keystone_authtoken/certfile').with_value(params[:certfile])
+        is_expected.to contain_nova_config('keystone_authtoken/check_revocations_for_cached').with_value(params[:check_revocations_for_cached])
+        is_expected.to contain_nova_config('keystone_authtoken/delay_auth_decision').with_value(params[:delay_auth_decision])
+        is_expected.to contain_nova_config('keystone_authtoken/enforce_token_bind').with_value(params[:enforce_token_bind])
+        is_expected.to contain_nova_config('keystone_authtoken/hash_algorithms').with_value(params[:hash_algorithms])
+        is_expected.to contain_nova_config('keystone_authtoken/http_connect_timeout').with_value(params[:http_connect_timeout])
+        is_expected.to contain_nova_config('keystone_authtoken/http_request_max_retries').with_value(params[:http_request_max_retries])
+        is_expected.to contain_nova_config('keystone_authtoken/include_service_catalog').with_value(params[:include_service_catalog])
+        is_expected.to contain_nova_config('keystone_authtoken/keyfile').with_value(params[:keyfile])
+        is_expected.to contain_nova_config('keystone_authtoken/memcache_pool_conn_get_timeout').with_value(params[:memcache_pool_conn_get_timeout])
+        is_expected.to contain_nova_config('keystone_authtoken/memcache_pool_dead_retry').with_value(params[:memcache_pool_dead_retry])
+        is_expected.to contain_nova_config('keystone_authtoken/memcache_pool_maxsize').with_value(params[:memcache_pool_maxsize])
+        is_expected.to contain_nova_config('keystone_authtoken/memcache_pool_socket_timeout').with_value(params[:memcache_pool_socket_timeout])
+        is_expected.to contain_nova_config('keystone_authtoken/memcache_pool_unused_timeout').with_value(params[:memcache_pool_unused_timeout])
+        is_expected.to contain_nova_config('keystone_authtoken/memcache_secret_key').with_value(params[:memcache_secret_key])
+        is_expected.to contain_nova_config('keystone_authtoken/memcache_security_strategy').with_value(params[:memcache_security_strategy])
+        is_expected.to contain_nova_config('keystone_authtoken/memcache_use_advanced_pool').with_value(params[:memcache_use_advanced_pool])
+        is_expected.to contain_nova_config('keystone_authtoken/memcached_servers').with_value('memcached01:11211,memcached02:11211')
+        is_expected.to contain_nova_config('keystone_authtoken/region_name').with_value(params[:region_name])
+        is_expected.to contain_nova_config('keystone_authtoken/revocation_cache_time').with_value(params[:revocation_cache_time])
+        is_expected.to contain_nova_config('keystone_authtoken/signing_dir').with_value(params[:signing_dir])
+        is_expected.to contain_nova_config('keystone_authtoken/token_cache_time').with_value(params[:token_cache_time])
+      end
+    end
+  end
+
+  on_supported_os({
+    :supported_os => OSDefaults.get_supported_os
+  }).each do |os,facts|
+    context "on #{os}" do
+      let (:facts) do
+        facts.merge!(OSDefaults.get_facts())
+      end
+
+      it_configures 'nova authtoken'
+    end
+  end
+
+end

spec/unit/provider/nova_spec.rb

@@ -12,9 +12,9 @@ describe Puppet::Provider::Nova do
   let :credential_hash do
     {
       'auth_uri'     => 'https://192.168.56.210:35357/v2.0/',
-      'admin_tenant_name' => 'admin_tenant',
+      'project_name' => 'admin_tenant',
-      'admin_user'        => 'admin',
+      'username'     => 'admin',
-      'admin_password'    => 'password',
+      'password'     => 'password',
     }
   end
 
@@ -68,10 +68,10 @@ describe Puppet::Provider::Nova do
 
     it 'should set auth credentials in the environment' do
       authenv = {
-        :OS_AUTH_URL    => auth_endpoint,
+        :OS_AUTH_URL     => auth_endpoint,
-        :OS_USERNAME    => credential_hash['admin_user'],
+        :OS_USERNAME     => credential_hash['username'],
-        :OS_TENANT_NAME => credential_hash['admin_tenant_name'],
+        :OS_PROJECT_NAME => credential_hash['project_name'],
-        :OS_PASSWORD    => credential_hash['admin_password'],
+        :OS_PASSWORD     => credential_hash['password'],
       }
       klass.expects(:get_nova_credentials).with().returns(credential_hash)
       klass.expects(:withenv).with(authenv)