Configure keystone authtoken options

Update designate::api to leverage keystone::resource::authtoken to configure the keystone middleware. This patch also allows designate to be able to leverage Keystone v3. Some deprecations: - designate::api::keystone_tenant is deprecated in favor of designate::api::project_name. - designate::api::keystone_user is deprecated in favor of designate::api::username. - designate::api::keystone_password is deprecated in favor of designate::api::password. - designate::api::keystone_host, designate::api::keystone_port, designate::api::keystone_protocol are deprecated in favor of designate::api::auth_uri and designate::api_auth_url. - designate::api::keystone_memcached_servers is deprecated in favor of designate::api::memcached_servers. The patch is backward compatible. Change-Id: I2cb4076b3e8679adac2722871f8391e750e8b4b0 Closes-Bug: #1604463
2016-07-21 09:35:38 -06:00 · 2016-07-21 09:35:38 -06:00 · e18e6eb355
parent 39c0d279c9
commit e18e6eb355
4 changed files with 412 additions and 77 deletions
--- a/manifests/api.pp
+++ b/manifests/api.pp
@ -21,38 +21,10 @@
 #  Defaults to 'running'
 #
 # [*auth_strategy*]
-#  (optional) Authentication strategy to use, can be either "noauth" or "keystone"
+#  (optional) Authentication strategy to use, can be either "noauth" or
+#  "keystone"
 #  Defaults to 'noauth'
 #
-# [*keystone_host*]
-#  (optional) Host running auth service.
-#  Defaults to '127.0.0.1'
-#
-# [*keystone_port*]
-#  (optional) Port to use for auth service on auth_host.
-#  Defaults to '35357'
-#
-# [*keystone_protocol*]
-#  (optional) Protocol to use for auth.
-#  Defaults to 'http'
-#
-# [*keystone_tenant*]
-#  (optional) Tenant to authenticate to.
-#  Defaults to 'services'
-#
-# [*keystone_user*]
-#  (optional) User to authenticate as with keystone.
-#  Defaults to 'designate'
-#
-# [*keystone_password*]
-#  (optional) Password used to authentication.
-#  Defaults to false
-#
-# [*keystone_memcached_servers*]
-#  (optional) Memcached Servers for keystone. Supply a list of memcached server
-#  IP's:Memcached Port.
-#  Defaults to false
-#
 # [*enable_api_v1*]
 #  (optional) Enable Designate API Version 1
 #  Defaults to true
@ -76,25 +48,283 @@
 # [*api_base_uri*]
 #  Set the base URI of the Designate API service.
 #
+# KeystoneMiddleware Parameters
+#
+# [*username*]
+#  (optional) The name of the service user
+#  Defaults to 'designate'
+#
+# [*password*]
+#  (optional) Password for the user
+#  Defaults to $::os_service_default
+#
+# [*auth_url*]
+#  (optional) The URL to use for admin authentication.
+#  Defaults to: 'http://localhost:35357'
+#
+# [*auth_uri*]
+#  (optional) The URL to use for public authentication.
+#  Defaults to: 'http://localhost:5000'.
+#
+# [*project_name*]
+#  (optional) Service project name
+#  Defaults to 'services'
+#
+# [*user_domain_name*]
+#  (optional) Name of domain for $username
+#  Defaults to $::os_service_default
+#
+# [*project_domain_name*]
+#  (optional) Name of domain for $project_name
+#  Defaults to $::os_service_default
+#
+# [*insecure*]
+#  (optional) If true, explicitly allow TLS without checking server cert
+#  against any certificate authorities.
+#  WARNING: not recommended.  Use with caution.
+#  Defaults to $::os_service_default
+#
+# [*auth_section*]
+#  (optional) Config Section from which to load plugin specific options
+#  Defaults to $::os_service_default
+#
+# [*auth_type*]
+#  (optional) Authentication type to load
+#  Defaults to $::os_service_default
+#
+# [*cache*]
+#  (optional) Env key for the swift cache.
+#  Defaults to $::os_service_default
+#
+# [*cafile*]
+#  (optional) A PEM encoded Certificate Authority to use when verifying HTTPs
+#  connections
+#  Defaults to $::os_service_default
+#
+# [*certfile*]
+#  (optional) Required if identity server requires client certificate
+#  Defaults to $::os_service_default
+#
+# [*check_revocations_for_cached*]
+#  (optional) If true, the revocation list will be checked for cached tokens.
+#  This requires that PKI tokens are configured on the identity server.
+#  boolean value.
+#  Defaults to $::os_service_default
+#
+# [*delay_auth_decision*]
+#  (optional) Do not handle authorization requests within the middleware, but
+#  delegate the authorization decision to downstream WSGI components. Boolean
+#  value
+#  Defaults to $::os_service_default
+#
+# [*enforce_token_bind*]
+#  (Optional) Used to control the use and type of token binding. Can be set
+#  to: "disabled" to not check token binding. "permissive" (default) to
+#  validate binding information if the bind type is of a form known to the
+#  server and ignore it if not. "strict" like "permissive" but if the bind
+#  type is unknown the token will be rejected. "required" any form of token
+#  binding is needed to be allowed. Finally the name of a binding method that
+#  must be present in tokens. String value.
+#  Defaults to $::os_service_default.
+#
+# [*hash_algorithms*]
+#  (Optional) Hash algorithms to use for hashing PKI tokens. This may be a
+#  single algorithm or multiple. The algorithms are those supported by Python
+#  standard hashlib.new(). The hashes will be tried in the order given, so put
+#  the preferred one first for performance. The result of the first hash will
+#  be stored in the cache. This will typically be set to multiple values only
+#  while migrating from a less secure algorithm to a more secure one. Once all
+#  the old tokens are expired this option should be set to a single value for
+#  better performance. List value.
+#  Defaults to $::os_service_default.
+#
+# [*http_connect_timeout*]
+#  (optional) Request timeout value for communicating with Identity API server.
+#  Defaults to $::os_service_default
+#
+# [*http_request_max_retries*]
+#  (optional) How many times are we trying to reconnect when communicating
+#  with Identity API Server. Integer value
+#  Defaults to $::os_service_default
+#
+# [*include_service_catalog*]
+#  (Optional) Indicate whether to set the X-Service-Catalog header. If False,
+#  middleware will not ask for service catalog on token validation and will not
+#  set the X-Service-Catalog header. Boolean value.
+#  Defaults to $::os_service_default.
+#
+# [*keyfile*]
+#  (Optional) Required if identity server requires client certificate
+#  Defaults to $::os_service_default.
+#
+# [*memcache_pool_conn_get_timeout*]
+#  (Optional) Number of seconds that an operation will wait to get a memcached
+#  client connection from the pool. Integer value
+#  Defaults to $::os_service_default.
+#
+# [*memcache_pool_dead_retry*]
+#  (Optional) Number of seconds memcached server is considered dead before it
+#  is tried again. Integer value
+#  Defaults to $::os_service_default.
+#
+# [*memcache_pool_maxsize*]
+#  (Optional) Maximum total number of open connections to every memcached
+#  server. Integer value
+#  Defaults to $::os_service_default.
+#
+# [*memcache_pool_socket_timeout*]
+#  (Optional) Number of seconds a connection to memcached is held unused in
+#  the
+#  pool before it is closed. Integer value
+#  Defaults to $::os_service_default.
+#
+# [*memcache_pool_unused_timeout*]
+#  (Optional) Number of seconds a connection to memcached is held unused in
+#  the
+#  pool before it is closed. Integer value
+#  Defaults to $::os_service_default.
+#
+# [*memcache_secret_key*]
+#  (Optional, mandatory if memcache_security_strategy is defined) This string
+#  is used for key derivation.
+#  Defaults to $::os_service_default.
+#
+# [*memcache_security_strategy*]
+#  (Optional) If defined, indicate whether token data should be authenticated
+#  or
+#  authenticated and encrypted. If MAC, token data is authenticated (with
+#  HMAC)
+#  in the cache. If ENCRYPT, token data is encrypted and authenticated in the
+#  cache. If the value is not one of these options or empty, auth_token will
+#  raise an exception on initialization.
+#  Defaults to $::os_service_default.
+#
+# [*memcache_use_advanced_pool*]
+#  (Optional)  Use the advanced (eventlet safe) memcached client pool. The
+#  advanced pool will only work under python 2.x Boolean value
+#  Defaults to $::os_service_default.
+#
+# [*memcached_servers*]
+#  (Optional) Optionally specify a list of memcached server(s) to use for
+#  caching. If left undefined, tokens will instead be cached in-process.
+#  Defaults to $::os_service_default.
+#
+# [*region_name*]
+#  (Optional) The region in which the identity server can be found.
+#  Defaults to $::os_service_default.
+#
+# [*region_name*]
+#  (optional)
+#  Defaults to $::os_service_default
+#
+# [*revocation_cache_time*]
+#  (Optional) Determines the frequency at which the list of revoked tokens is
+#  retrieved from the Identity service (in seconds). A high number of
+#  revocation events combined with a low cache duration may significantly
+#  reduce performance. Only valid for PKI tokens. Integer value
+#  Defaults to $::os_service_default.
+#
+# [*signing_dir*]
+#  (Optional) Directory used to cache files related to PKI tokens.
+#  Defaults to $::os_service_default.
+#
+# [*token_cache_time*]
+#  (Optional) In order to prevent excessive effort spent validating tokens,
+#  the middleware caches previously-seen tokens for a configurable duration
+#  (in seconds). Set to -1 to disable caching completely. Integer value
+#  Defaults to $::os_service_default.
+#
+# [*auth_version*]
+#   (optional) API version of the identity API endpoint
+#   Defaults to $::os_service_default.
+#
+# DEPRECATED PARAMETERS
+#
+# [*keystone_host*]
+#  (optional) Host running auth service.
+#  Defaults to undef
+#
+# [*keystone_port*]
+#  (optional) Port to use for auth service on auth_host.
+#  Defaults to undef
+#
+# [*keystone_protocol*]
+#  (optional) Protocol to use for auth.
+#  Defaults to undef
+#
+# [*keystone_tenant*]
+#  (optional) Tenant to authenticate to.
+#  Defaults to undef
+#
+# [*keystone_user*]
+#  (optional) User to authenticate as with keystone.
+#  Defaults to undef
+#
+# [*keystone_password*]
+#  (optional) Password used to authentication.
+#  Defaults to undef
+#
+# [*keystone_memcached_servers*]
+#  (optional) Memcached Servers for keystone. Supply a list of memcached server
+#  IP's:Memcached Port.
+#  Defaults to false
+#
 class designate::api (
-  $package_ensure             = present,
-  $api_package_name           = $::designate::params::api_package_name,
-  $enabled                    = true,
-  $service_ensure             = 'running',
-  $auth_strategy              = 'noauth',
-  $keystone_host              = '127.0.0.1',
-  $keystone_port              = '35357',
-  $keystone_protocol          = 'http',
-  $keystone_tenant            = 'services',
-  $keystone_user              = 'designate',
-  $keystone_password          = false,
-  $keystone_memcached_servers = false,
-  $enable_api_v1              = true,
-  $enable_api_v2              = false,
-  $enable_api_admin           = false,
-  $api_host                   = '0.0.0.0',
-  $api_port                   = '9001',
-  $api_base_uri               = $::os_service_default,
+  $package_ensure                 = present,
+  $api_package_name               = $::designate::params::api_package_name,
+  $enabled                        = true,
+  $service_ensure                 = 'running',
+  $auth_strategy                  = 'noauth',
+  $enable_api_v1                  = true,
+  $enable_api_v2                  = false,
+  $enable_api_admin               = false,
+  $api_host                       = '0.0.0.0',
+  $api_port                       = '9001',
+  $api_base_uri                   = $::os_service_default,
+  # keystone::resource::authtoken parameters
+  $username                       = 'designate',
+  $password                       = $::os_service_default,
+  $auth_url                       = 'http://localhost:35357',
+  $auth_uri                       = 'http://localhost:5000',
+  $project_name                   = 'services',
+  $user_domain_name               = $::os_service_default,
+  $project_domain_name            = $::os_service_default,
+  $insecure                       = $::os_service_default,
+  $auth_section                   = $::os_service_default,
+  $auth_type                      = 'password',
+  $cache                          = $::os_service_default,
+  $cafile                         = $::os_service_default,
+  $certfile                       = $::os_service_default,
+  $check_revocations_for_cached   = $::os_service_default,
+  $delay_auth_decision            = $::os_service_default,
+  $enforce_token_bind             = $::os_service_default,
+  $hash_algorithms                = $::os_service_default,
+  $http_connect_timeout           = $::os_service_default,
+  $http_request_max_retries       = $::os_service_default,
+  $include_service_catalog        = $::os_service_default,
+  $keyfile                        = $::os_service_default,
+  $memcache_pool_conn_get_timeout = $::os_service_default,
+  $memcache_pool_dead_retry       = $::os_service_default,
+  $memcache_pool_maxsize          = $::os_service_default,
+  $memcache_pool_socket_timeout   = $::os_service_default,
+  $memcache_secret_key            = $::os_service_default,
+  $memcache_security_strategy     = $::os_service_default,
+  $memcache_use_advanced_pool     = $::os_service_default,
+  $memcache_pool_unused_timeout   = $::os_service_default,
+  $memcached_servers              = $::os_service_default,
+  $region_name                    = $::os_service_default,
+  $revocation_cache_time          = $::os_service_default,
+  $signing_dir                    = $::os_service_default,
+  $token_cache_time               = $::os_service_default,
+  $auth_version                   = $::os_service_default,
+  # DEPRECATED PARAMETERS
+  $keystone_host                  = undef,
+  $keystone_port                  = undef,
+  $keystone_protocol              = undef,
+  $keystone_tenant                = undef,
+  $keystone_user                  = undef,
+  $keystone_password              = undef,
+  $keystone_memcached_servers     = undef,
 ) inherits designate {

  # API Service
@ -109,19 +339,79 @@ class designate::api (
  }

  # Keystone Middleware
-  if $keystone_memcached_servers {
-    designate_config { 'keystone_authtoken/memcached_servers'  : value => join(any2array($keystone_memcached_servers), ',') }
+  if ($keystone_host and $keystone_port and $keystone_protocol) {
+    warning('keystone_host, keystone_port and keystone_protocol are deprecated, use auth_uri and auth_url instead')
+    $auth_uri_real = "${keystone_protocol}://${keystone_host}:${keystone_port}"
+    $auth_url_real = "${keystone_protocol}://${keystone_host}:${keystone_port}"
  } else {
-    designate_config { 'keystone_authtoken/memcached_servers'  : ensure => absent, }
+    $auth_uri_real = $auth_uri
+    $auth_url_real = $auth_url
  }

-  designate_config {
-    'keystone_authtoken/auth_host'          : value => $keystone_host;
-    'keystone_authtoken/auth_port'          : value => $keystone_port;
-    'keystone_authtoken/auth_protocol'      : value => $keystone_protocol;
-    'keystone_authtoken/admin_tenant_name'  : value => $keystone_tenant;
-    'keystone_authtoken/admin_user'         : value => $keystone_user;
-    'keystone_authtoken/admin_password'     : value => $keystone_password, secret => true;
+  if ($keystone_user) {
+    warning('keystone_user is deprecated, use username instead')
+    $username_real = $keystone_user
+  } else {
+    $username_real = $username
+  }
+
+  if ($keystone_password) {
+    warning('keystone_password is deprecated, use password instead')
+    $password_real = $keystone_password
+  } else {
+    $password_real = $password
+  }
+
+  if ($keystone_tenant) {
+    warning('keystone_tenant is deprecated, use project_name instead')
+    $project_name_real = $keystone_tenant
+  } else {
+    $project_name_real = $project_name
+  }
+
+  if ($keystone_memcached_servers) {
+    warning('keystone_memcached_servers is deprecated use memcached_servers instead')
+    $memcached_servers_real = $keystone_memcached_servers
+  } else {
+    $memcached_servers_real = $memcached_servers
+  }
+
+  keystone::resource::authtoken { 'designate_config':
+    username                       => $username_real,
+    password                       => $password_real,
+    auth_url                       => $auth_url_real,
+    project_name                   => $project_name_real,
+    user_domain_name               => $user_domain_name,
+    project_domain_name            => $project_domain_name,
+    insecure                       => $insecure,
+    auth_section                   => $auth_section,
+    auth_type                      => $auth_type,
+    auth_uri                       => $auth_uri_real,
+    auth_version                   => $auth_version,
+    cache                          => $cache,
+    cafile                         => $cafile,
+    certfile                       => $certfile,
+    check_revocations_for_cached   => $check_revocations_for_cached,
+    delay_auth_decision            => $delay_auth_decision,
+    enforce_token_bind             => $enforce_token_bind,
+    hash_algorithms                => $hash_algorithms,
+    http_connect_timeout           => $http_connect_timeout,
+    http_request_max_retries       => $http_request_max_retries,
+    include_service_catalog        => $include_service_catalog,
+    keyfile                        => $keyfile,
+    memcache_pool_conn_get_timeout => $memcache_pool_conn_get_timeout,
+    memcache_pool_dead_retry       => $memcache_pool_dead_retry,
+    memcache_pool_maxsize          => $memcache_pool_maxsize,
+    memcache_pool_socket_timeout   => $memcache_pool_socket_timeout,
+    memcache_pool_unused_timeout   => $memcache_pool_unused_timeout,
+    memcache_secret_key            => $memcache_secret_key,
+    memcache_security_strategy     => $memcache_security_strategy,
+    memcache_use_advanced_pool     => $memcache_use_advanced_pool,
+    memcached_servers              => $memcached_servers_real,
+    region_name                    => $region_name,
+    revocation_cache_time          => $revocation_cache_time,
+    signing_dir                    => $signing_dir,
+    token_cache_time               => $token_cache_time,
  }

  designate::generic_service { 'api':
--- a/releasenotes/notes/authtoken-e83781cebdc8ea4c.yaml
+++ b/releasenotes/notes/authtoken-e83781cebdc8ea4c.yaml
@ -0,0 +1,16 @@
+---
+features:
+  - Configure keystonemiddleware in a consistent way with all options required
+    for Keystone v3.
+deprecations:
+  - designate::api::keystone_tenant is deprecated in favor of
+    designate::api::project_name.
+  - designate::api::keystone_user is deprecated in favor of
+    designate::api::username.
+  - designate::api::keystone_password is deprecated in favor of
+    designate::api::password.
+  - designate::api::keystone_host, designate::api::keystone_port,
+    designate::api::keystone_protocol are deprecated in favor of
+    designate::api::auth_uri and designate::api_auth_url.
+  - designate::api::keystone_memcached_servers is deprecated in favor of
+    designate::api::memcached_servers.
--- a/spec/acceptance/basic_designate_spec.rb
+++ b/spec/acceptance/basic_designate_spec.rb
@ -35,15 +35,15 @@ describe 'basic designate' do
        password => 'a_big_secret',
      }
      class { '::designate':
-        rabbit_userid       => 'designate',
-        rabbit_password     => 'an_even_bigger_secret',
-        rabbit_host         => '127.0.0.1',
-        debug               => true,
+        rabbit_userid   => 'designate',
+        rabbit_password => 'an_even_bigger_secret',
+        rabbit_host     => '127.0.0.1',
+        debug           => true,
      }
      class { '::designate::api':
-        enabled           => true,
-        auth_strategy     => 'keystone',
-        keystone_password => 'a_big_secret',
+        enabled       => true,
+        auth_strategy => 'keystone',
+        password      => 'a_big_secret',
      }
      class {'::designate::central':
          backend_driver => 'bind9',
--- a/spec/classes/designate_api_spec.rb
+++ b/spec/classes/designate_api_spec.rb
@ -6,12 +6,11 @@ require 'spec_helper'
 describe 'designate::api' do
  let :params do
    {
-      :keystone_password => 'passw0rd',
-      :keystone_host     => '10.0.0.42',
-      :keystone_port     => '35357',
-      :keystone_protocol => 'https',
-      :keystone_tenant   => '_services_',
-      :keystone_user     => 'designate',
+      :username => 'designate',
+      :password => 'passw0rd',
+      :auth_uri => 'https://10.0.0.42:5000',
+      :auth_url => 'https://10.0.0.42:35357',
+      :project_name => '_services_',
    }
  end

@ -39,12 +38,11 @@ describe 'designate::api' do
        is_expected.to contain_designate_config('service:api/api_host').with_value('0.0.0.0')
        is_expected.to contain_designate_config('service:api/api_port').with_value('9001')
        is_expected.to contain_designate_config('service:api/api_base_uri').with_value('<SERVICE DEFAULT>')
-        is_expected.to contain_designate_config('keystone_authtoken/auth_host').with_value('10.0.0.42')
-        is_expected.to contain_designate_config('keystone_authtoken/auth_port').with_value('35357')
-        is_expected.to contain_designate_config('keystone_authtoken/auth_protocol').with_value('https')
-        is_expected.to contain_designate_config('keystone_authtoken/admin_tenant_name').with_value('_services_')
-        is_expected.to contain_designate_config('keystone_authtoken/admin_user').with_value('designate')
-        is_expected.to contain_designate_config('keystone_authtoken/admin_password').with_value('passw0rd')
+        is_expected.to contain_designate_config('keystone_authtoken/auth_url').with_value('https://10.0.0.42:35357')
+        is_expected.to contain_designate_config('keystone_authtoken/auth_uri').with_value('https://10.0.0.42:5000')
+        is_expected.to contain_designate_config('keystone_authtoken/project_name').with_value('_services_')
+        is_expected.to contain_designate_config('keystone_authtoken/username').with_value('designate')
+        is_expected.to contain_designate_config('keystone_authtoken/password').with_value('passw0rd')

      end

@ -76,6 +74,37 @@ describe 'designate::api' do
        )
      end
    end
+
+    context 'with backwards compatible parameters' do
+      let :params do
+        {
+          :keystone_password => 'passw0rd',
+          :keystone_host     => '10.0.0.42',
+          :keystone_port     => '35357',
+          :keystone_protocol => 'https',
+          :keystone_tenant   => '_services_',
+          :keystone_user     => 'designate',
+        }
+      end
+
+      it 'configures designate-api with correct parameters' do
+        is_expected.to contain_designate_config('service:api/auth_strategy').with_value('noauth')
+        is_expected.to contain_designate_config('service:api/enable_api_v1').with_value(true)
+        is_expected.to contain_designate_config('service:api/enable_api_v2').with_value(false)
+        is_expected.to contain_designate_config('service:api/enable_api_admin').with_value(false)
+        is_expected.to contain_designate_config('service:api/api_host').with_value('0.0.0.0')
+        is_expected.to contain_designate_config('service:api/api_port').with_value('9001')
+        is_expected.to contain_designate_config('service:api/api_base_uri').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_designate_config('keystone_authtoken/auth_url').with_value('https://10.0.0.42:35357')
+        is_expected.to contain_designate_config('keystone_authtoken/auth_uri').with_value('https://10.0.0.42:35357')
+        is_expected.to contain_designate_config('keystone_authtoken/project_name').with_value('_services_')
+        is_expected.to contain_designate_config('keystone_authtoken/username').with_value('designate')
+        is_expected.to contain_designate_config('keystone_authtoken/password').with_value('passw0rd')
+
+      end
+
+    end
+
  end

  on_supported_os({