Merge "Change swift authtoken"

2016-08-25 22:07:05 +00:00 · 2016-08-25 22:07:05 +00:00 · 0917dd0ed9
parent f5344c16aa a266ab91ed
commit 0917dd0ed9
6 changed files with 154 additions and 159 deletions
--- a/manifests/proxy/authtoken.pp
+++ b/manifests/proxy/authtoken.pp
@ -4,64 +4,79 @@
 #
 # == Parameters
 #
-#  [*admin_token*]
-#    Keystone admin token that can serve as a shared secret
-#    for authenticating. If this is choosen if is used instead of a user,tenant,password.
-#    Optional. Defaults to false.
+# [*delay_auth_decision*]
+#   (Optional) Do not handle authorization requests within the middleware, but
+#   delegate the authorization decision to downstream WSGI components. Boolean value
+#   Defaults to 1
 #
-#  [*admin_user*]
-#    User used to authenticate service.
-#    Optional. Defaults to 'swift'.
-#
-#  [*admin_tenant_name*]
-#    Tenant used to authenticate service.
-#    Optional. Defaults to 'services'.
-#
-#  [*admin_password*]
-#    Password used with user to authenticate service.
-#    Optional. Defaults to 'password'.
-#
-#  [*delay_auth_decision*]
-#    Set to 1 to support token-less access (anonymous access, tempurl, ...)
-#    Optional, Defaults to 0
-#
-#  [*auth_host*]
-#    Host providing the keystone service API endpoint. Optional.
-#    Defaults to 127.0.0.1
-#
-#  [*auth_port*]
-#    Port where keystone service is listening. Optional.
-#    Defaults to 3557.
-#
-#  [*auth_protocol*]
-#    Protocol to use to communicate with keystone. Optional.
-#    Defaults to https.
-#
-#  [*auth_admin_prefix*]
-#    Path part of the auth url. Optional.
-#    This allows admin auth URIs like http://host/keystone/admin/v2.0.
-#    Defaults to false for empty. It defined, should be a string with a leading '/' and no trailing '/'.
-#
-#  [*auth_uri*]
-#    The public auth url to redirect unauthenticated requests.
-#    Defaults to false to be expanded to '${auth_protocol}://${auth_host}:5000'.
-#    Should be set to your public keystone endpoint (without version).
-#
-#  [*identity_uri*]
-#    identity_uri points to the Keystone Admin service. This information is
-#    used by the middleware to actually query Keystone about the validity of the
-#    authentication tokens. It is not necessary to append any Keystone API version
-#    number to this URI.
-#    Defaults to false.
-#
-#  [*signing_dir*]
+# [*signing_dir*]
 #    The cache directory for signing certificates.
 #    Defaults to '/var/cache/swift'
 #
-#  [*cache*]
+# [*cache*]
 #    The cache backend to use
 #    Optional. Defaults to 'swift.cache'
 #
+# [*auth_uri*]
+#   (Optional) Complete public Identity API endpoint.
+#   Defaults to 'http://127.0.0.1:5000'
+#
+# [*auth_url*]
+#   (Optional) The URL to use for authentication.
+#   Defaults to 'http://127.0.0.1:35357'
+#
+# [*auth_plugin*]
+#   (Optional) The plugin for authentication
+#   Defaults to 'password'
+#
+# [*username*]
+#   (Optional) The name of the service user
+#   Defaults to 'swift'
+#
+# [*password*]
+#   (Optional) The password for the user
+#   Defaults to 'password'
+#
+# [*project_name*]
+#   (Optional) Service project name
+#   Defaults to 'services'
+#
+# [*project_domain_id*]
+#   (Optional) id of domain for $project_name
+#   Defaults to 'default'
+#
+# [*user_domain_id*]
+#   (Optional) id of domain for $username
+#   Defaults to 'default'
+#
+# [*include_service_catalog*]
+#   (Optional) Indicate whether to set the X-Service-Catalog header. If False,
+#   middleware will not ask for service catalog on token validation and will
+#   not set the X-Service-Catalog header. Boolean value.
+#   Defaults to false
+#
+# == DEPRECATED
+#
+# [*admin_token*]
+#   (optional) Depreated.
+#   Defaults to undef
+#
+# [*identity_uri*]
+#   (optional) Deprecated. Use auth_url instead.
+#   Defaults to undef
+#
+# [*admin_user*]
+#   (optional) Deprecated. Use username instead.
+#   Defaults to undef
+#
+# [*admin_tenant_name*]
+#   (optional) Deprecated. Use project_name instead.
+#   Defaults to undef
+#
+# [*admin_password*]
+#   (optional) Deprecated. Use password instead.
+#   Defaults to undef
+#
 # == Authors
 #
 #   Dan Bode dan@puppetlabs.com
@ -71,47 +86,53 @@
 # Copyright 2012 Puppetlabs Inc, unless otherwise noted.
 #
 class swift::proxy::authtoken(
-  $admin_user          = 'swift',
-  $admin_tenant_name   = 'services',
-  $admin_password      = 'password',
-  $auth_uri            = false,
-  $identity_uri        = false,
-  $delay_auth_decision = 1,
-  $admin_token         = false,
-  $signing_dir         = '/var/cache/swift',
-  $cache               = 'swift.cache',
+  $delay_auth_decision     = 1,
+  $signing_dir             = '/var/cache/swift',
+  $cache                   = 'swift.cache',
+  $auth_uri                = 'http://127.0.0.1:5000',
+  $auth_url                = 'http://127.0.0.1:35357',
+  $auth_plugin             = 'password',
+  $project_domain_id       = 'default',
+  $user_domain_id          = 'default',
+  $project_name            = 'services',
+  $username                = 'swift',
+  $password                = 'password',
+  $include_service_catalog = false,
  # DEPRECATED PARAMETERS
-  $auth_host           = '127.0.0.1',
-  $auth_port           = '35357',
-  $auth_protocol       = 'http',
-  $auth_admin_prefix   = false,
+  $admin_user              = undef,
+  $admin_tenant_name       = undef,
+  $admin_password          = undef,
+  $identity_uri            = undef,
+  $admin_token             = undef,
 ) {

  include ::swift::deps

-  if $auth_uri {
-    $auth_uri_real = $auth_uri
-  } else {
-    $auth_uri_real = "${auth_protocol}://${auth_host}:5000"
+  if $admin_token {
+    warning('admin_token is deprecated, has no usage and will be removed in the O release')
  }

-  # if both auth_uri and identity_uri are set we skip these deprecated warnings
-  if !$auth_uri or !$identity_uri {
-    if $auth_host {
-      warning('The auth_host parameter is deprecated. Please use auth_uri and identity_uri instead.')
-    }
-    if $auth_port {
-      warning('The auth_port parameter is deprecated. Please use auth_uri and identity_uri instead.')
-    }
-    if $auth_protocol {
-      warning('The auth_protocol parameter is deprecated. Please use auth_uri and identity_uri instead.')
-    }
-    if $auth_admin_prefix {
-      warning('The auth_admin_prefix parameter is deprecated. Please use auth_uri and identity_uri instead.')
-      validate_re($auth_admin_prefix, '^(/.+[^/])?$')
-    }
+  if $identity_uri {
+    warning('identity_uri is deprecated and will be removed, please use auth_url instead')
  }

+  if $admin_user {
+    warning('admin_user is deprecated and will be removed, please use username instead')
+  }
+
+  if $admin_tenant_name {
+    warning('admin_tenant_name is deprecated and will be removed, please use project_name instead')
+  }
+
+  if $admin_password {
+    warning('admin_password is deprecated and will be removed, please use password isntead')
+  }
+
+  $auth_url_real = pick($identity_uri, $auth_url)
+  $username_real = pick($admin_user, $username)
+  $project_name_real = pick($admin_tenant_name, $project_name)
+  $password_real = pick($admin_password, $password)
+
  file { $signing_dir:
    ensure                  => directory,
    mode                    => '0700',
--- a/releasenotes/notes/authtoken-b49c75db4b7429cb.yaml
+++ b/releasenotes/notes/authtoken-b49c75db4b7429cb.yaml
@ -0,0 +1,13 @@
+---
+features:
+  - add new parameters to configure authtoken for swift, like
+    username, password, project_name, auth_url, auth_plugin,
+    project_domain_id, user_domain_id, include_service_catalog
+deprecations:
+  - admin_token
+  - admin_tenant_name in favor of project_name
+  - admin_password in favor of password
+  - admin_user in favor of username
+  - identity_uri in favor of auth_url
+fixes:
+  - remove auth_host, auth_port, auth_protocol, auth_admin_prefix
--- a/spec/acceptance/basic_swift_spec.rb
+++ b/spec/acceptance/basic_swift_spec.rb
@ -57,7 +57,7 @@ describe 'basic swift' do
        account_autocreate => true,
      }
      class { '::swift::proxy::authtoken':
-        admin_password => 'a_big_secret',
+        password => 'a_big_secret',
      }
      class { '::swift::keystone::dispersion': } -> class { '::swift::dispersion': }
      class {'::swift::objectexpirer':
--- a/spec/classes/swift_proxy_authtoken_spec.rb
+++ b/spec/classes/swift_proxy_authtoken_spec.rb
@ -32,39 +32,27 @@ log_name = swift
 signing_dir = /var/cache/swift
 paste.filter_factory = keystonemiddleware.auth_token:filter_factory

-auth_host = 127.0.0.1
-auth_port = 35357
-auth_protocol = http
 auth_uri = http://127.0.0.1:5000
-admin_tenant_name = services
-admin_user = swift
-admin_password = password
+auth_url = http://127.0.0.1:35357
+auth_plugin = password
+project_domain_id = default
+user_domain_id = default
+project_name = services
+username = swift
+password = password
+
 delay_auth_decision = 1
+
 cache = swift.cache
-include_service_catalog = False
+include_service_catalog = false
 ')
    end
  end

-  describe "when overriding admin_token" do
-    let :params do
-      {
-        :admin_token => 'ADMINTOKEN'
-      }
-    end
-
-    it 'should build the fragment with correct parameters' do
-      is_expected.to contain_concat_fragment('swift_authtoken').with_content(/admin_token = ADMINTOKEN/)
-    end
-  end

  describe "when overriding parameters" do
    let :params do
      {
-        :auth_host           => 'some.host',
-        :auth_port           => '443',
-        :auth_protocol       => 'https',
-        :auth_admin_prefix   => '/keystone/admin',
        :admin_tenant_name   => 'admin',
        :admin_user          => 'swiftuser',
        :admin_password      => 'swiftpassword',
@ -81,17 +69,19 @@ log_name = swift
 signing_dir = /home/swift/keystone-signing
 paste.filter_factory = keystonemiddleware.auth_token:filter_factory

-auth_host = some.host
-auth_port = 443
-auth_protocol = https
-auth_admin_prefix = /keystone/admin
-auth_uri = https://some.host:5000
-admin_tenant_name = admin
-admin_user = swiftuser
-admin_password = swiftpassword
+auth_uri = http://127.0.0.1:5000
+auth_url = http://127.0.0.1:35357
+auth_plugin = password
+project_domain_id = default
+user_domain_id = default
+project_name = admin
+username = swiftuser
+password = swiftpassword
+
 delay_auth_decision = 0
+
 cache = foo
-include_service_catalog = False
+include_service_catalog = false
 ')
    end
  end
@ -104,24 +94,6 @@ include_service_catalog = False
    it { is_expected.to contain_concat_fragment('swift_authtoken').with_content(/auth_uri = http:\/\/public\.host\/keystone\/main/)}
  end

-  [
-    'keystone',
-    'keystone/',
-    '/keystone/',
-    '/keystone/admin/',
-    'keystone/admin/',
-    'keystone/admin'
-  ].each do |auth_admin_prefix|
-    describe "when overriding auth_admin_prefix with incorrect value #{auth_admin_prefix}" do
-      let :params do
-        { :auth_admin_prefix => auth_admin_prefix }
-      end
-
-      it { expect { is_expected.to contain_concat_fragment('swift_authtoken').with_content(/auth_admin_prefix = #{auth_admin_prefix}/) }.to \
-        raise_error(Puppet::Error, /validate_re\(\): "#{auth_admin_prefix}" does not match/) }
-    end
-  end
-
  describe "when identity_uri is set" do
    let :params do
      {
@ -130,7 +102,7 @@ include_service_catalog = False
    end

    it 'should build the fragment with correct parameters' do
-      is_expected.to contain_concat_fragment('swift_authtoken').with_content(/identity_uri = https:\/\/foo\.bar:35357\//)
+      is_expected.to contain_concat_fragment('swift_authtoken').with_content(/auth_url = https:\/\/foo\.bar:35357\//)
    end
  end

@ -144,7 +116,7 @@ include_service_catalog = False

    it 'should build the fragment with correct parameters' do
      is_expected.to contain_concat_fragment('swift_authtoken').with_content(/auth_uri = https:\/\/foo\.bar:5000\/v2\.0\//)
-      is_expected.to contain_concat_fragment('swift_authtoken').with_content(/identity_uri = https:\/\/foo\.bar:35357\//)
+      is_expected.to contain_concat_fragment('swift_authtoken').with_content(/auth_url = https:\/\/foo\.bar:35357\//)
    end
  end

--- a/templates/proxy/authtoken.conf.erb
+++ b/templates/proxy/authtoken.conf.erb
@ -4,25 +4,16 @@ log_name = swift
 signing_dir = <%= @signing_dir %>
 paste.filter_factory = keystonemiddleware.auth_token:filter_factory

-<% if not @identity_uri or not @auth_uri then -%>
-auth_host = <%= @auth_host %>
-auth_port = <%= @auth_port %>
-auth_protocol = <%= @auth_protocol %>
-<% if @auth_admin_prefix -%>
-auth_admin_prefix = <%= @auth_admin_prefix %>
-<% end -%>
-<% end -%>
-auth_uri = <%= @auth_uri_real %>
-<% if @identity_uri -%>
-identity_uri = <%= @identity_uri %>
-<% end -%>
-<% if @admin_token -%>
-admin_token = <%= @admin_token %>
-<% else -%>
-admin_tenant_name = <%= @admin_tenant_name %>
-admin_user = <%= @admin_user %>
-admin_password = <%= @admin_password %>
-<% end -%>
+auth_uri = <%= @auth_uri %>
+auth_url = <%= @auth_url_real %>
+auth_plugin = <%= @auth_plugin %>
+project_domain_id = <%= @project_domain_id %>
+user_domain_id = <%= @user_domain_id %>
+project_name = <%= @project_name_real %>
+username = <%= @username_real %>
+password = <%= @password_real %>
+
 delay_auth_decision = <%= @delay_auth_decision %>
+
 cache = <%= @cache %>
-include_service_catalog = False
+include_service_catalog = <%= @include_service_catalog %>
--- a/tests/site.pp
+++ b/tests/site.pp
@ -251,11 +251,9 @@ node /swift-proxy/ {
    operator_roles => ['admin', 'SwiftOperator'],
  }
  class { '::swift::proxy::authtoken':
-    admin_user        => 'swift',
-    admin_tenant_name => 'services',
-    admin_password    => $swift_admin_password,
+    password  => $swift_admin_password,
    # assume that the controller host is the swift api server
-    auth_host         => $swift_keystone_node,
+    auth_host => $swift_keystone_node,
  }

  # collect all of the resources that are needed