Allow ceilometer auth settings to be configurable
This patch is for allowing cafile, os_cacert, insecure, memcached_servers, memcache_security_strategy, memcache_secret_key and hash_algorithms to be configurable. Change-Id: I4d8f94195a75f590849e5a1ea948a3837cdf38a0 Closes-Bug: #1372371
parent
b98c3327ae
commit
7a188bf3b1
|
@ -7,6 +7,8 @@ This file is used to list changes made in each version of the openstack-metering
|
|||
* Sync conf files with Juno
|
||||
* Set os_region_name properly
|
||||
* Upgrading berkshelf from 2.0.18 to 3.1.5
|
||||
* Allow cafile, os_cacert, insecure, memcached_servers, memcache_security_strategy, memcache_secret_key and has
|
||||
h_algorithms to be configurable
|
||||
|
||||
## 10.0.0
|
||||
* Upgrading to Juno
|
||||
|
|
10
README.md
10
README.md
|
@ -60,7 +60,15 @@ Attributes
|
|||
==========
|
||||
|
||||
* `openstack['telemetry']['api']['auth']['version']` - Select v2.0 or v3.0. Default v2.0. The auth API version used to interact with identity service.
|
||||
* `openstack['telemetry']['sample_source'] - The source name of emitted samples, default value is openstack.
|
||||
* `openstack['telemetry']['sample_source']` - The source name of emitted samples, default value is openstack.
|
||||
* `openstack['telemetry']['api']['auth']['memcached_servers']` - A list of memcached server(s) to use for caching
|
||||
* `openstack['telemetry']['api']['auth']['memcache_security_strategy']` - Whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT
|
||||
* `openstack['telemetry']['api']['auth']['memcache_secret_key']` - This string is used for key derivation
|
||||
* `openstack['telemetry']['api']['auth']['hash_algorithms']` - Hash algorithms to use for hashing PKI tokens
|
||||
* `openstack['telemetry']['api']['auth']['cafile']` - A PEM encoded Certificate Authority to use when verifying HTTPs connections
|
||||
* `openstack['telemetry']['api']['auth']['insecure']` - Set whether to verify HTTPS connections
|
||||
* `openstack['telemetry']['service-credentials']['cafile']` - A PEM encoded Certificate Authority to use when verifying HTTPs connections (for service polling authentication)
|
||||
* `openstack['telemetry']['service-credentials']['insecure']` - Set whether to verify HTTPS connections (for service polling authentication)
|
||||
|
||||
The following attributes are defined in attributes/default.rb of the common cookbook, but are documented here due to their relevance:
|
||||
|
||||
|
|
|
@ -34,6 +34,24 @@ default['openstack']['telemetry']['api']['auth']['cache_dir'] = '/var/cache/ceil
|
|||
|
||||
default['openstack']['telemetry']['api']['auth']['version'] = node['openstack']['api']['auth']['version']
|
||||
|
||||
# A list of memcached server(s) to use for caching
|
||||
default['openstack']['telemetry']['api']['auth']['memcached_servers'] = nil
|
||||
|
||||
# Whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT
|
||||
default['openstack']['telemetry']['api']['auth']['memcache_security_strategy'] = nil
|
||||
|
||||
# This string is used for key derivation
|
||||
default['openstack']['telemetry']['api']['auth']['memcache_secret_key'] = nil
|
||||
|
||||
# Hash algorithms to use for hashing PKI tokens
|
||||
default['openstack']['telemetry']['api']['auth']['hash_algorithms'] = 'md5'
|
||||
|
||||
# A PEM encoded Certificate Authority to use when verifying HTTPs connections
|
||||
default['openstack']['telemetry']['api']['auth']['cafile'] = nil
|
||||
|
||||
# Verify HTTPS connections
|
||||
default['openstack']['telemetry']['api']['auth']['insecure'] = false
|
||||
|
||||
default['openstack']['telemetry']['user'] = 'ceilometer'
|
||||
default['openstack']['telemetry']['group'] = 'ceilometer'
|
||||
|
||||
|
@ -42,6 +60,12 @@ default['openstack']['telemetry']['service_user'] = 'ceilometer'
|
|||
default['openstack']['telemetry']['service_tenant_name'] = 'service'
|
||||
default['openstack']['telemetry']['service_role'] = 'admin'
|
||||
|
||||
# A PEM encoded Certificate Authority to use when verifying HTTPs connections (for service polling authentication)
|
||||
default['openstack']['telemetry']['service-credentials']['cafile'] = nil
|
||||
|
||||
# Verify HTTPS connections (for service polling authentication)
|
||||
default['openstack']['telemetry']['service-credentials']['insecure'] = false
|
||||
|
||||
default['openstack']['telemetry']['sample_source'] = 'openstack'
|
||||
|
||||
case node['openstack']['compute']['driver']
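Review bot: The comment `# Verify HTTPS connections` above both `insecure` defaults (the `['api']['auth']` one and the `['service-credentials']` one) reads as the opposite of what the option does, since setting `insecure` to `true` turns certificate verification off. I would word both as `# Set to true to skip TLS certificate verification (testing only); false keeps verification on`. Separately, `hash_algorithms` defaults to `'md5'`; if that is kept only for compatibility with existing deployments, the comment above it should say so and point operators at a stronger algorithm. The second hunk's surrounding attribute list continues outside the visible lines.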
|
||||
|
|
|
@ -132,6 +132,50 @@ describe 'openstack-telemetry::common' do
|
|||
end
|
||||
end
|
||||
|
||||
context 'service_credentials attributes with default values' do
|
||||
it 'sets cafile' do
|
||||
expect(chef_run).not_to render_file(file.name).with_content(/^os_cacert = $/)
|
||||
end
|
||||
|
||||
it 'sets insecure' do
|
||||
expect(chef_run).to render_file(file.name).with_content(/^insecure = false$/)
|
||||
end
|
||||
end
|
||||
|
||||
context 'service_credentials attributes' do
|
||||
it 'sets cafile' do
|
||||
node.set['openstack']['telemetry']['service-credentials']['cafile'] = 'dir/to/path'
|
||||
expect(chef_run).to render_file(file.name).with_content(%r{^os_cacert = dir/to/path$})
|
||||
end
|
||||
|
||||
it 'sets insecure' do
|
||||
node.set['openstack']['telemetry']['service-credentials']['insecure'] = true
|
||||
expect(chef_run).to render_file(file.name).with_content(/^insecure = true$/)
|
||||
end
|
||||
end
|
||||
|
||||
context 'keystone authtoken attributes with default values' do
|
||||
it 'sets memcached server(s)' do
|
||||
expect(chef_run).not_to render_file(file.name).with_content(/^memcached_servers = $/)
|
||||
end
|
||||
|
||||
it 'sets memcache security strategy' do
|
||||
expect(chef_run).not_to render_file(file.name).with_content(/^memcache_security_strategy = $/)
|
||||
end
|
||||
|
||||
it 'sets memcache secret key' do
|
||||
expect(chef_run).not_to render_file(file.name).with_content(/^memcache_secret_key = $/)
|
||||
end
|
||||
|
||||
it 'sets cafile' do
|
||||
expect(chef_run).not_to render_file(file.name).with_content(/^cafile = $/)
|
||||
end
|
||||
|
||||
it 'sets token hash algorithms' do
|
||||
expect(chef_run).to render_file(file.name).with_content(/^hash_algorithms = md5$/)
|
||||
end
|
||||
end
|
||||
|
||||
context 'has keystone authtoken configuration' do
|
||||
it 'has auth_uri' do
|
||||
expect(chef_run).to render_file(file.name).with_content(
|
||||
|
@ -177,6 +221,36 @@ describe 'openstack-telemetry::common' do
|
|||
expect(chef_run).to render_file(file.name).with_content(
|
||||
/^#{Regexp.quote('signing_dir = /var/cache/ceilometer/api')}$/)
|
||||
end
|
||||
|
||||
it 'sets memcached server(s)' do
|
||||
node.set['openstack']['telemetry']['api']['auth']['memcached_servers'] = 'localhost:11211'
|
||||
expect(chef_run).to render_file(file.name).with_content(/^memcached_servers = localhost:11211$/)
|
||||
end
|
||||
|
||||
it 'sets memcache security strategy' do
|
||||
node.set['openstack']['telemetry']['api']['auth']['memcache_security_strategy'] = 'MAC'
|
||||
expect(chef_run).to render_file(file.name).with_content(/^memcache_security_strategy = MAC$/)
|
||||
end
|
||||
|
||||
it 'sets memcache secret key' do
|
||||
node.set['openstack']['telemetry']['api']['auth']['memcache_secret_key'] = '0123456789ABCDEF'
|
||||
expect(chef_run).to render_file(file.name).with_content(/^memcache_secret_key = 0123456789ABCDEF$/)
|
||||
end
|
||||
|
||||
it 'sets cafile' do
|
||||
node.set['openstack']['telemetry']['api']['auth']['cafile'] = 'dir/to/path'
|
||||
expect(chef_run).to render_file(file.name).with_content(%r{^cafile = dir/to/path$})
|
||||
end
|
||||
|
||||
it 'sets insecure' do
|
||||
node.set['openstack']['telemetry']['api']['auth']['insecure'] = true
|
||||
expect(chef_run).to render_file(file.name).with_content(/^insecure = true$/)
|
||||
end
|
||||
|
||||
it 'sets token hash algorithm' do
|
||||
node.set['openstack']['telemetry']['api']['auth']['hash_algorithms'] = 'sha2'
|
||||
expect(chef_run).to render_file(file.name).with_content(/^hash_algorithms = sha2$/)
|
||||
end
|
||||
end
|
||||
|
||||
it 'has metering secret' do
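Review bot: The `insecure` expectations cannot tell the two settings apart: the template renders an `insecure =` line both among the keystone authtoken settings and under `[service_credentials]`, and `/^insecure = true$/` matches either one. The `service-credentials` example would therefore still pass if the attribute were wired into the wrong section, and the default-value example passes as long as one of the two lines is `false`. Anchoring the pattern to the section header would close that gap, for example `%r{^\[service_credentials\]$[^\[]*^insecure = true$}`, assuming no `[` appears inside the section body. The `'sha2'` value in the hash-algorithm example also does not look like an algorithm name the consumer would accept; `'sha256'` would keep the example realistic.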
|
||||
|
|
|
@ -74,6 +74,32 @@ admin_user = <%= @service_user %>
|
|||
admin_password = <%= @service_pass %>
|
||||
signing_dir = <%= node["openstack"]["telemetry"]["api"]["auth"]["cache_dir"] %>
|
||||
|
||||
# A list of memcached server(s) to use for caching.
|
||||
<% if node['openstack']['telemetry']['api']['auth']['memcached_servers'] %>
|
||||
memcached_servers = <%= node['openstack']['telemetry']['api']['auth']['memcached_servers'] %>
|
||||
<% end %>
|
||||
|
||||
# Whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT.
|
||||
<% if node['openstack']['telemetry']['api']['auth']['memcache_security_strategy'] %>
|
||||
memcache_security_strategy = <%= node['openstack']['telemetry']['api']['auth']['memcache_security_strategy'] %>
|
||||
<% end %>
|
||||
|
||||
# This string is used for key derivation.
|
||||
<% if node['openstack']['telemetry']['api']['auth']['memcache_secret_key'] %>
|
||||
memcache_secret_key = <%= node['openstack']['telemetry']['api']['auth']['memcache_secret_key'] %>
|
||||
<% end %>
|
||||
|
||||
# Hash algorithms to use for hashing PKI tokens.
|
||||
hash_algorithms = <%= node['openstack']['telemetry']['api']['auth']['hash_algorithms'] %>
|
||||
|
||||
# A PEM encoded Certificate Authority to use when verifying HTTPs connections.
|
||||
<% if node['openstack']['telemetry']['api']['auth']['cafile'] %>
|
||||
cafile = <%= node['openstack']['telemetry']['api']['auth']['cafile'] %>
|
||||
<% end %>
|
||||
|
||||
# Verify HTTPS connections. (boolean value)
|
||||
insecure = <%= node['openstack']['telemetry']['api']['auth']['insecure'] %>
|
||||
|
||||
[publisher_rpc]
|
||||
metering_secret = <%= @metering_secret %>
|
||||
|
||||
|
@ -91,3 +117,11 @@ wsdl_location = <%= node['openstack']['compute']['vmware']['wsdl_location'] %>
|
|||
|
||||
[service_credentials]
|
||||
os_region_name = <%= node['openstack']['telemetry']['region'] %>
|
||||
|
||||
# A PEM encoded Certificate Authority to use when verifying HTTPs connections. (for service polling authentication)
|
||||
<% if node['openstack']['telemetry']['service-credentials']['cafile'] %>
|
||||
os_cacert = <%= node['openstack']['telemetry']['service-credentials']['cafile'] %>
|
||||
<% end %>
|
||||
|
||||
# Verify HTTPS connections. (boolean value, for service polling authentication)
|
||||
insecure = <%= node['openstack']['telemetry']['service-credentials']['insecure'] %>
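Review bot: `memcache_secret_key` is rendered straight from a node attribute, while the other secrets in this template, `admin_password` and `metering_secret`, arrive as template variables (`@service_pass`, `@metering_secret`). Node attributes are saved with the node object on the Chef server, so the key would sit there in clear text and be readable by anything that can read node data. I would resolve it in the recipe the same way those two are (presumably from the secrets store; the recipe is not visible here) and render `memcache_secret_key = <%= @memcache_secret_key %>`. The template also emits `memcache_security_strategy` without checking that a key is set; the two should be rendered, or rejected, together.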
|
||||
|
|