Allow ceilometer auth settings to be configurable

This patch makes cafile, os_cacert, insecure,
memcached_servers, memcache_security_strategy,
memcache_secret_key and hash_algorithms
configurable.

Change-Id: I4d8f94195a75f590849e5a1ea948a3837cdf38a0
Closes-Bug: #1372371
chenxiao 2014-09-22 17:32:22 +08:00
parent b98c3327ae
commit 7a188bf3b1
5 changed files with 143 additions and 1 deletions


@ -7,6 +7,8 @@ This file is used to list changes made in each version of the openstack-metering
* Sync conf files with Juno
* Set os_region_name properly
* Upgrading berkshelf from 2.0.18 to 3.1.5
* Allow cafile, os_cacert, insecure, memcached_servers, memcache_security_strategy, memcache_secret_key and has
h_algorithms to be configurable
## 10.0.0
* Upgrading to Juno


@ -60,7 +60,15 @@ Attributes
==========
* `openstack['telemetry']['api']['auth']['version']` - Select v2.0 or v3.0. Default v2.0. The auth API version used to interact with identity service.
* `openstack['telemetry']['sample_source'] - The source name of emitted samples, default value is openstack.
* `openstack['telemetry']['sample_source']` - The source name of emitted samples, default value is openstack.
* `openstack['telemetry']['api']['auth']['memcached_servers']` - A list of memcached server(s) to use for caching
* `openstack['telemetry']['api']['auth']['memcache_security_strategy']` - Whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT
* `openstack['telemetry']['api']['auth']['memcache_secret_key']` - This string is used for key derivation
* `openstack['telemetry']['api']['auth']['hash_algorithms']` - Hash algorithms to use for hashing PKI tokens
* `openstack['telemetry']['api']['auth']['cafile']` - A PEM encoded Certificate Authority to use when verifying HTTPs connections
* `openstack['telemetry']['api']['auth']['insecure']` - Set whether to verify HTTPS connections
* `openstack['telemetry']['service-credentials']['cafile']` - A PEM encoded Certificate Authority to use when verifying HTTPs connections (for service polling authentication)
* `openstack['telemetry']['service-credentials']['insecure']` - Set whether to verify HTTPS connections (for service polling authentication)
The following attributes are defined in attributes/default.rb of the common cookbook, but are documented here due to their relevance:


@ -34,6 +34,24 @@ default['openstack']['telemetry']['api']['auth']['cache_dir'] = '/var/cache/ceil
default['openstack']['telemetry']['api']['auth']['version'] = node['openstack']['api']['auth']['version']
# A list of memcached server(s) to use for caching
default['openstack']['telemetry']['api']['auth']['memcached_servers'] = nil
# Whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT
default['openstack']['telemetry']['api']['auth']['memcache_security_strategy'] = nil
# This string is used for key derivation
default['openstack']['telemetry']['api']['auth']['memcache_secret_key'] = nil
# Hash algorithms to use for hashing PKI tokens
default['openstack']['telemetry']['api']['auth']['hash_algorithms'] = 'md5'
# A PEM encoded Certificate Authority to use when verifying HTTPs connections
default['openstack']['telemetry']['api']['auth']['cafile'] = nil
# Verify HTTPS connections
default['openstack']['telemetry']['api']['auth']['insecure'] = false
default['openstack']['telemetry']['user'] = 'ceilometer'
default['openstack']['telemetry']['group'] = 'ceilometer'
@ -42,6 +60,12 @@ default['openstack']['telemetry']['service_user'] = 'ceilometer'
default['openstack']['telemetry']['service_tenant_name'] = 'service'
default['openstack']['telemetry']['service_role'] = 'admin'
# A PEM encoded Certificate Authority to use when verifying HTTPs connections (for service polling authentication)
default['openstack']['telemetry']['service-credentials']['cafile'] = nil
# Verify HTTPS connections (for service polling authentication)
default['openstack']['telemetry']['service-credentials']['insecure'] = false
default['openstack']['telemetry']['sample_source'] = 'openstack'
case node['openstack']['compute']['driver']
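Review bot: `memcache_secret_key` is introduced as an ordinary node attribute (`default['openstack']['telemetry']['api']['auth']['memcache_secret_key']`), so any value an operator sets is saved with the node object and is readable by anyone who can read node data on the Chef server. The template in this same commit receives its other secrets as template variables (`@service_pass`, `@metering_secret`), which suggests they are fetched in the recipe rather than stored on the node. The key used to MAC or encrypt cached token data would be better handled the same way, leaving only a comment here such as `# memcache_secret_key is read from the secrets store, not from a node attribute`. Separately, the comment `# Verify HTTPS connections` above both `insecure` attributes (api auth and service-credentials) reads as the opposite of the option, since `true` turns verification off. `# Set to true to skip TLS certificate verification; keep false outside test environments` would be clearer, and the same wording recurs in the template comments.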


@ -132,6 +132,50 @@ describe 'openstack-telemetry::common' do
end
end
context 'service_credentials attributes with default values' do
it 'sets cafile' do
expect(chef_run).not_to render_file(file.name).with_content(/^os_cacert = $/)
end
it 'sets insecure' do
expect(chef_run).to render_file(file.name).with_content(/^insecure = false$/)
end
end
context 'service_credentials attributes' do
it 'sets cafile' do
node.set['openstack']['telemetry']['service-credentials']['cafile'] = 'dir/to/path'
expect(chef_run).to render_file(file.name).with_content(%r{^os_cacert = dir/to/path$})
end
it 'sets insecure' do
node.set['openstack']['telemetry']['service-credentials']['insecure'] = true
expect(chef_run).to render_file(file.name).with_content(/^insecure = true$/)
end
end
context 'keystone authtoken attributes with default values' do
it 'sets memcached server(s)' do
expect(chef_run).not_to render_file(file.name).with_content(/^memcached_servers = $/)
end
it 'sets memcache security strategy' do
expect(chef_run).not_to render_file(file.name).with_content(/^memcache_security_strategy = $/)
end
it 'sets memcache secret key' do
expect(chef_run).not_to render_file(file.name).with_content(/^memcache_secret_key = $/)
end
it 'sets cafile' do
expect(chef_run).not_to render_file(file.name).with_content(/^cafile = $/)
end
it 'sets token hash algorithms' do
expect(chef_run).to render_file(file.name).with_content(/^hash_algorithms = md5$/)
end
end
context 'has keystone authtoken configuration' do
it 'has auth_uri' do
expect(chef_run).to render_file(file.name).with_content(
@ -177,6 +221,36 @@ describe 'openstack-telemetry::common' do
expect(chef_run).to render_file(file.name).with_content(
/^#{Regexp.quote('signing_dir = /var/cache/ceilometer/api')}$/)
end
it 'sets memcached server(s)' do
node.set['openstack']['telemetry']['api']['auth']['memcached_servers'] = 'localhost:11211'
expect(chef_run).to render_file(file.name).with_content(/^memcached_servers = localhost:11211$/)
end
it 'sets memcache security strategy' do
node.set['openstack']['telemetry']['api']['auth']['memcache_security_strategy'] = 'MAC'
expect(chef_run).to render_file(file.name).with_content(/^memcache_security_strategy = MAC$/)
end
it 'sets memcache secret key' do
node.set['openstack']['telemetry']['api']['auth']['memcache_secret_key'] = '0123456789ABCDEF'
expect(chef_run).to render_file(file.name).with_content(/^memcache_secret_key = 0123456789ABCDEF$/)
end
it 'sets cafile' do
node.set['openstack']['telemetry']['api']['auth']['cafile'] = 'dir/to/path'
expect(chef_run).to render_file(file.name).with_content(%r{^cafile = dir/to/path$})
end
it 'sets insecure' do
node.set['openstack']['telemetry']['api']['auth']['insecure'] = true
expect(chef_run).to render_file(file.name).with_content(/^insecure = true$/)
end
it 'sets token hash algorithm' do
node.set['openstack']['telemetry']['api']['auth']['hash_algorithms'] = 'sha2'
expect(chef_run).to render_file(file.name).with_content(/^hash_algorithms = sha2$/)
end
end
it 'has metering secret' do
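Review bot: The `insecure` expectations cannot tell the two config sections apart, because the template renders an `insecure = ...` line under both `[keystone_authtoken]` and `[service_credentials]`. `/^insecure = true$/` in the 'service_credentials attributes' context and again in the keystone authtoken context passes if either section carries the value, and `/^insecure = false$/` in the defaults context passes as long as one of them is still false. A swap of the two attributes in the template would go unnoticed, which matters because the setting controls TLS verification. Anchoring on the section header would pin it, for example `%r{^\[service_credentials\](?:\n(?!\[).*)*\ninsecure = true$}`, with the matching header for the authtoken case. The default-value checks such as `not_to ... with_content(/^cafile = $/)` only rule out an empty value, and `/^cafile = /` would assert that the key is absent; the enclosing `describe` and the 'has keystone authtoken configuration' context begin outside these hunks.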


@ -74,6 +74,32 @@ admin_user = <%= @service_user %>
admin_password = <%= @service_pass %>
signing_dir = <%= node["openstack"]["telemetry"]["api"]["auth"]["cache_dir"] %>
# A list of memcached server(s) to use for caching.
<% if node['openstack']['telemetry']['api']['auth']['memcached_servers'] %>
memcached_servers = <%= node['openstack']['telemetry']['api']['auth']['memcached_servers'] %>
<% end %>
# Whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT.
<% if node['openstack']['telemetry']['api']['auth']['memcache_security_strategy'] %>
memcache_security_strategy = <%= node['openstack']['telemetry']['api']['auth']['memcache_security_strategy'] %>
<% end %>
# This string is used for key derivation.
<% if node['openstack']['telemetry']['api']['auth']['memcache_secret_key'] %>
memcache_secret_key = <%= node['openstack']['telemetry']['api']['auth']['memcache_secret_key'] %>
<% end %>
# Hash algorithms to use for hashing PKI tokens.
hash_algorithms = <%= node['openstack']['telemetry']['api']['auth']['hash_algorithms'] %>
# A PEM encoded Certificate Authority to use when verifying HTTPs connections.
<% if node['openstack']['telemetry']['api']['auth']['cafile'] %>
cafile = <%= node['openstack']['telemetry']['api']['auth']['cafile'] %>
<% end %>
# Verify HTTPS connections. (boolean value)
insecure = <%= node['openstack']['telemetry']['api']['auth']['insecure'] %>
[publisher_rpc]
metering_secret = <%= @metering_secret %>
@ -91,3 +117,11 @@ wsdl_location = <%= node['openstack']['compute']['vmware']['wsdl_location'] %>
[service_credentials]
os_region_name = <%= node['openstack']['telemetry']['region'] %>
# A PEM encoded Certificate Authority to use when verifying HTTPs connections. (for service polling authentication)
<% if node['openstack']['telemetry']['service-credentials']['cafile'] %>
os_cacert = <%= node['openstack']['telemetry']['service-credentials']['cafile'] %>
<% end %>
# Verify HTTPS connections. (boolean value, for service polling authentication)
insecure = <%= node['openstack']['telemetry']['service-credentials']['insecure'] %>
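Review bot: `memcache_security_strategy` is rendered whenever it is set, independently of `memcache_secret_key`, so a node that sets only the strategy gets a config that requests MAC or ENCRYPT with no key to derive from. As far as I know the auth middleware treats that combination as a configuration error, and nothing here checks that the value is one of the two accepted strings. Guarding both settings together would make the pairing explicit, e.g. `<% if auth['memcache_security_strategy'] && auth['memcache_secret_key'] %>` (with `auth` standing in for the `['api']['auth']` hash), or the recipe could fail the Chef run when only one of the two is present. `hash_algorithms` is also written unconditionally, which pins the cookbook's `md5` default into every rendered file; defaulting the attribute to nil and rendering it only when set, like the neighbouring options, would leave the choice to the middleware or the operator. The `[keystone_authtoken]` section starts above the first hunk.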