diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml index 7b31879..3ac9ba1 100644 --- a/.rubocop_todo.yml +++ b/.rubocop_todo.yml @@ -1,11 +1,16 @@ # This configuration was generated by # `rubocop --auto-gen-config` -# on 2017-02-23 16:58:29 +0100 using RuboCop version 0.39.0. +# on 2017-08-01 10:39:17 -0400 using RuboCop version 0.47.1. # The point is for the user to remove these configuration records # one by one as the offenses are removed from the code base. # Note that changes in the inspected code, or installation of new # versions of RuboCop, may require this file to be generated again. +# Offense count: 20 +# Configuration parameters: CountComments, ExcludedMethods. +Metrics/BlockLength: + Max: 408 + # Offense count: 4 # Configuration parameters: EnforcedStyle, SupportedStyles. # SupportedStyles: nested, compact diff --git a/attributes/keystone_conf.rb b/attributes/keystone_conf.rb index 2eeb491..c45a95d 100644 --- a/attributes/keystone_conf.rb +++ b/attributes/keystone_conf.rb @@ -16,16 +16,16 @@ default['openstack']['identity']['conf'].tap do |conf| end # [assignment] option in keystone.conf to set driver - conf['assignment']['driver'] = 'keystone.assignment.backends.sql.Assignment' + conf['assignment']['driver'] = 'sql' # [auth] option in keystone.conf to set auth plugins - conf['auth']['external'] = 'keystone.auth.plugins.external.DefaultDomain' + conf['auth']['external'] = 'DefaultDomain' # [auth] option in keystone.conf to set auth methods conf['auth']['methods'] = 'external, password, token, oauth1' # [catalog] option in keystone.conf to set catalog driver - conf['catalog']['driver'] = 'keystone.catalog.backends.sql.Catalog' + conf['catalog']['driver'] = 'sql' # [policy] option in keystone.conf to set policy backend driver - conf['policy']['driver'] = 'keystone.policy.backends.sql.Policy' + conf['policy']['driver'] = 'sql' end diff --git a/metadata.rb b/metadata.rb index 400af6c..a4a2ee3 100644 --- a/metadata.rb +++ b/metadata.rb 
@@ -1,17 +1,20 @@ -name 'openstack-identity' -maintainer 'openstack-chef' +name 'openstack-identity' +maintainer 'openstack-chef' maintainer_email 'openstack-dev@lists.openstack.org' -issues_url 'https://launchpad.net/openstack-chef' if respond_to?(:issues_url) -source_url 'https://github.com/openstack/cookbook-openstack-identity' if respond_to?(:source_url) -license 'Apache 2.0' -description 'The OpenStack Identity service Keystone.' +license 'Apache 2.0' +description 'The OpenStack Identity service Keystone.' long_description IO.read(File.join(File.dirname(__FILE__), 'README.md')) -version '15.0.0' +version '15.0.0' %w(ubuntu redhat centos).each do |os| supports os end -depends 'apache2', '~> 3.2' depends 'openstack-common', '>= 15.0.0' depends 'openstackclient' + +depends 'apache2', '~> 3.2' + +issues_url 'https://launchpad.net/openstack-chef' if respond_to?(:issues_url) +source_url 'https://github.com/openstack/cookbook-openstack-identity' if respond_to?(:source_url) +chef_version '>= 12.5' if respond_to?(:chef_version) diff --git a/recipes/_fernet_tokens.rb b/recipes/_fernet_tokens.rb index 878c22f..91f0c3b 100644 --- a/recipes/_fernet_tokens.rb +++ b/recipes/_fernet_tokens.rb @@ -29,7 +29,7 @@ key_repository = directory key_repository do owner node['openstack']['identity']['user'] group node['openstack']['identity']['group'] - mode 00700 + mode 0o0700 end node['openstack']['identity']['fernet']['keys'].each do |key_index| @@ -38,6 +38,6 @@ node['openstack']['identity']['fernet']['keys'].each do |key_index| content key owner node['openstack']['identity']['user'] group node['openstack']['identity']['group'] - mode 00400 + mode 0o0400 end end diff --git a/recipes/registration.rb b/recipes/registration.rb index f6ca94a..9a53fd1 100644 --- a/recipes/registration.rb +++ b/recipes/registration.rb 
@@ -41,20 +41,6 @@ admin_user = node['openstack']['identity']['admin_user'] admin_pass = get_password 'user', node['openstack']['identity']['admin_user'] admin_role = node['openstack']['identity']['admin_role'] admin_domain = node['openstack']['identity']['admin_domain_name'] -region = node['openstack']['identity']['region'] - -execute 'bootstrap_keystone' do - command "keystone-manage bootstrap \\ - --bootstrap-password #{admin_pass} \\ - --bootstrap-username #{admin_user} \\ - --bootstrap-project-name #{admin_project} \\ - --bootstrap-role-name #{admin_role} \\ - --bootstrap-service-name keystone \\ - --bootstrap-region-id #{region} \\ - --bootstrap-admin-url #{identity_admin_endpoint} \\ - --bootstrap-public-url #{identity_public_endpoint} \\ - --bootstrap-internal-url #{identity_internal_endpoint}" -end connection_params = { openstack_auth_url: "#{auth_url}/auth/tokens", diff --git a/recipes/server-apache.rb b/recipes/server-apache.rb index 40511b2..be866e4 100644 --- a/recipes/server-apache.rb +++ b/recipes/server-apache.rb @@ -48,6 +48,16 @@ end platform_options = node['openstack']['identity']['platform'] +identity_admin_endpoint = admin_endpoint 'identity' +identity_internal_endpoint = internal_endpoint 'identity' +identity_public_endpoint = public_endpoint 'identity' + +# define the credentials to use for the initial admin user +admin_pass = get_password 'user', node['openstack']['identity']['admin_user'] +region = node['openstack']['identity']['region'] +keystone_user = node['openstack']['identity']['user'] +keystone_group = node['openstack']['identity']['group'] + # install the database python adapter packages for the selected database # service_type db_type = node['openstack']['db']['identity']['service_type'] 
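Review bot: `admin_pass` is looked up for `node['openstack']['identity']['admin_user']` in the block added to recipes/server-apache.rb, but the user, project and role names are not carried over, and the `keystone bootstrap` execute added later in this file passes only the password, region and URLs. The `bootstrap_keystone` command removed from registration.rb passed `--bootstrap-username #{admin_user}`, `--bootstrap-project-name #{admin_project}` and `--bootstrap-role-name #{admin_role}`. On a node that overrides those attributes, keystone-manage would presumably fall back to its built-in names and create an admin account that registration.rb does not expect, holding the password stored for a different user. I would add `admin_user = node['openstack']['identity']['admin_user']` here, along with the project and role lookups registration.rb already has, and pass them to the bootstrap command.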
@@ -90,14 +100,14 @@ end directory '/etc/keystone' do owner node['openstack']['identity']['user'] group node['openstack']['identity']['group'] - mode 00700 + mode 0o0700 end # create keystone domain config dir if needed directory node['openstack']['identity']['identity']['domain_config_dir'] do owner node['openstack']['identity']['user'] group node['openstack']['identity']['group'] - mode 00700 + mode 0o0700 only_if { node['openstack']['identity']['identity']['domain_specific_drivers_enabled'] } end @@ -110,6 +120,26 @@ end # include the recipe to setup fernet tokens include_recipe 'openstack-identity::_fernet_tokens' +# initialize fernet tokens +execute 'fernet setup' do + user 'root' + command <<-EOH.gsub(/\s+/, ' ').strip! + keystone-manage fernet_setup + --keystone-user #{keystone_user} + --keystone-group #{keystone_group} + EOH + notifies :run, 'execute[credential setup]', :immediately +end + +execute 'credential setup' do + user 'root' + command <<-EOH.gsub(/\s+/, ' ').strip! + keystone-manage credential_setup + --keystone-user #{keystone_user} + --keystone-group #{keystone_group} + EOH +end + # define the address to bind the keystone apache main service to main_bind_service = node['openstack']['bind_service']['main']['identity'] main_bind_address = bind_address main_bind_service @@ -149,14 +179,14 @@ if node['openstack']['identity']['pastefile_url'] source node['openstack']['identity']['pastefile_url'] owner node['openstack']['identity']['user'] group node['openstack']['identity']['group'] - mode 00644 + mode 0o0644 end else template '/etc/keystone/keystone-paste.ini' do source 'keystone-paste.ini.erb' owner node['openstack']['identity']['user'] group node['openstack']['identity']['group'] - mode 00644 + mode 0o0644 end end 
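Review bot: `execute 'credential setup'` has no `action :nothing`, so with `notifies :run, 'execute[credential setup]', :immediately` on `fernet setup` it runs twice per converge, once from the notification and once in its own position. Either drop the `notifies` line or add `action :nothing` to the second resource. Neither execute has a guard, so both `keystone-manage` commands run as root on every Chef run; a `not_if` or `creates` tied to the key repository would make the intent explicit rather than relying on keystone-manage leaving existing keys alone. Also prefer `.strip` to `.strip!` in both heredocs, because `strip!` returns nil when nothing is stripped and `command` would then no longer be the heredoc text.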
@@ -181,7 +211,7 @@ template '/etc/keystone/keystone.conf' do cookbook 'openstack-common' owner node['openstack']['identity']['user'] group node['openstack']['identity']['group'] - mode 00640 + mode 0o0640 variables( service_config: keystone_conf_options ) @@ -226,7 +256,7 @@ if node['openstack']['identity']['catalog']['backend'] == 'templated' source 'default_catalog.templates.erb' owner node['openstack']['identity']['user'] group node['openstack']['identity']['group'] - mode 00644 + mode 0o0644 variables( uris: uris ) @@ -235,12 +265,16 @@ end # sync db after keystone.conf is generated execute 'keystone-manage db_sync' do - user node['openstack']['identity']['user'] - group node['openstack']['identity']['group'] - + user 'root' only_if { node['openstack']['db']['identity']['migrate'] } end +# bootstrap keystone after keystone.conf is generated +execute 'keystone bootstrap' do + user 'root' + command "keystone-manage bootstrap --bootstrap-password \"#{admin_pass}\" --bootstrap-region-id \"#{region}\" --bootstrap-admin-url #{identity_admin_endpoint} --bootstrap-public-url #{identity_public_endpoint} --bootstrap-internal-url #{identity_internal_endpoint}" +end + # configure the flush tokens cronjob should_run_cron = node['openstack']['identity']['token_flush_cron']['enabled'] && node['openstack']['identity']['token']['backend'] == 'sql' log_file = node['openstack']['identity']['token_flush_cron']['log_file'] @@ -278,7 +312,7 @@ keystone_apache_dir = "#{node['apache']['docroot_dir']}/keystone" directory keystone_apache_dir do owner 'root' group 'root' - mode 00755 + mode 0o0755 end wsgi_apps = { diff --git a/spec/fernet_tokens_spec.rb b/spec/fernet_tokens_spec.rb index 3e4e58a..4627e91 100644 --- a/spec/fernet_tokens_spec.rb +++ b/spec/fernet_tokens_spec.rb 
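Review bot: The `keystone bootstrap` execute interpolates `admin_pass` into a double-quoted shell string run as root, so the password is visible in the process list while the command runs and in Chef's output for the resource, and a password containing `"`, `$` or a backtick is re-interpreted by the shell. keystone-manage also reads the password from `OS_BOOTSTRAP_PASSWORD`, so it can be passed through `environment` with `sensitive true`, and the remaining arguments can be given as an array so no shell is involved; the example in spec/server-apache_spec.rb that pins the command string would need the matching change. Separately, `keystone-manage db_sync` moves from the keystone user to root in this hunk, and anything it creates (its log file, for instance) may end up root-owned, which is worth confirming against the service's runtime user.

```ruby
execute 'keystone bootstrap' do
  user 'root'
  # keep the admin password off the command line and out of Chef's logs
  sensitive true
  environment('OS_BOOTSTRAP_PASSWORD' => admin_pass)
  # array form: arguments reach keystone-manage without passing through a shell
  command [
    'keystone-manage', 'bootstrap',
    '--bootstrap-region-id', region,
    '--bootstrap-admin-url', identity_admin_endpoint.to_s,
    '--bootstrap-public-url', identity_public_endpoint.to_s,
    '--bootstrap-internal-url', identity_internal_endpoint.to_s
  ]
end
```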
@@ -15,7 +15,7 @@ describe 'openstack-identity::_fernet_tokens' do it do expect(chef_run).to create_directory('/etc/keystone/fernet-tokens') - .with(owner: 'keystone', user: 'keystone', mode: 00700) + .with(owner: 'keystone', user: 'keystone', mode: 0o0700) end [0, 1].each do |key_index| @@ -25,7 +25,7 @@ describe 'openstack-identity::_fernet_tokens' do content: "thisisfernetkey#{key_index}", owner: 'keystone', group: 'keystone', - mode: 00400 + mode: 0o0400 ) end end diff --git a/spec/openrc_spec.rb b/spec/openrc_spec.rb index 2c528cc..343cc04 100644 --- a/spec/openrc_spec.rb +++ b/spec/openrc_spec.rb @@ -48,9 +48,11 @@ describe 'openstack-identity::openrc' do it 'templates misc_openrc array correctly' do node.set['openstack']['misc_openrc'] = ['export MISC1=OPTION1', 'export MISC2=OPTION2'] expect(chef_run).to render_file(file.name).with_content( - /^export MISC1=OPTION1$/) + /^export MISC1=OPTION1$/ + ) expect(chef_run).to render_file(file.name).with_content( - /^export MISC2=OPTION2$/) + /^export MISC2=OPTION2$/ + ) end it 'contains overridden auth environment variables' do diff --git a/spec/registration_spec.rb b/spec/registration_spec.rb index 0e2ac30..b867e1a 100644 --- a/spec/registration_spec.rb +++ b/spec/registration_spec.rb 
@@ -18,33 +18,12 @@ describe 'openstack-identity::registration' do openstack_project_name: 'admin', openstack_domain_name: 'default' } - service_name = 'keystone' service_user = 'admin' - region = 'RegionOne' - project_name = 'admin' role_name = 'admin' - password = 'admin' domain_name = 'default' - admin_url = 'http://127.0.0.1:35357/v3' - public_url = 'http://127.0.0.1:5000/v3' - internal_url = 'http://127.0.0.1:5000/v3' describe 'keystone bootstrap' do context 'default values' do - it 'bootstrap with keystone-manage' do - expect(chef_run).to run_execute('bootstrap_keystone' - ).with(command: "keystone-manage bootstrap \\ - --bootstrap-password #{password} \\ - --bootstrap-username #{service_user} \\ - --bootstrap-project-name #{project_name} \\ - --bootstrap-role-name #{role_name} \\ - --bootstrap-service-name #{service_name} \\ - --bootstrap-region-id #{region} \\ - --bootstrap-admin-url #{admin_url} \\ - --bootstrap-public-url #{public_url} \\ - --bootstrap-internal-url #{internal_url}") - end - it do expect(chef_run).to run_ruby_block('wait for identity admin endpoint') end @@ -106,20 +85,6 @@ describe 'openstack-identity::registration' do 'identity_domain' end - it 'bootstrap with keystone-manage' do - expect(chef_run).to run_execute('bootstrap_keystone' - ).with(command: "keystone-manage bootstrap \\ - --bootstrap-password identity_admin_pass \\ - --bootstrap-username identity_admin \\ - --bootstrap-project-name admin_project \\ - --bootstrap-role-name identity_role \\ - --bootstrap-service-name #{service_name} \\ - --bootstrap-region-id otherRegion \\ - --bootstrap-admin-url https://admin.identity:1234/v3 \\ - --bootstrap-public-url https://public.identity:9753/v3 \\ - --bootstrap-internal-url https://internal.identity:5678/v3") - end - it 'registers identity_domain domain' do expect(chef_run).to create_openstack_domain( 'identity_domain' diff --git a/spec/server-apache_spec.rb b/spec/server-apache_spec.rb index 92862c7..100c6c2 100644 
--- a/spec/server-apache_spec.rb +++ b/spec/server-apache_spec.rb @@ -14,6 +14,12 @@ describe 'openstack-identity::server-apache' do include Helpers include_context 'identity_stubs' + region = 'RegionOne' + password = 'admin' + admin_url = 'http://127.0.0.1:35357/v3' + public_url = 'http://127.0.0.1:5000/v3' + internal_url = 'http://127.0.0.1:5000/v3' + it 'runs logging recipe if node attributes say to' do node.set['openstack']['identity']['syslog']['use'] = true expect(chef_run).to include_recipe('openstack-common::logging') @@ -40,6 +46,9 @@ describe 'openstack-identity::server-apache' do expect(chef_run).to upgrade_package('identity cookbook package keystone') end + it 'bootstrap with keystone-manage' do + expect(chef_run).to run_execute('keystone bootstrap').with(command: "keystone-manage bootstrap --bootstrap-password \"#{password}\" --bootstrap-region-id \"#{region}\" --bootstrap-admin-url #{admin_url} --bootstrap-public-url #{public_url} --bootstrap-internal-url #{internal_url}") + end it 'has flush tokens cronjob running every day at 3:30am' do expect(chef_run).to create_cron('keystone-manage-token-flush').with_command(/keystone-manage token_flush/) expect(chef_run).to create_cron('keystone-manage-token-flush').with_minute('0') @@ -60,7 +69,7 @@ describe 'openstack-identity::server-apache' do expect(chef_run).to create_directory(dir.name).with( user: 'keystone', group: 'keystone', - mode: 00700 + mode: 0o0700 ) end end @@ -77,7 +86,7 @@ describe 'openstack-identity::server-apache' do expect(chef_run).to create_directory(dir).with( user: 'keystone', group: 'keystone', - mode: 00700 + mode: 0o0700 ) end end @@ -99,7 +108,7 @@ describe 'openstack-identity::server-apache' do expect(chef_run).to create_template(resource.name).with( user: 'keystone', group: 'keystone', - mode: 00640 + mode: 0o0640 ) end end 
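Review bot: The added `bootstrap with keystone-manage` example covers only the default attributes, and the new `fernet setup` and `credential setup` executes in recipes/server-apache.rb have no expectations at all. The overridden-values example deleted from spec/registration_spec.rb (`otherRegion`, `https://admin.identity:1234/v3`) has no replacement here, so a regression in how region or endpoint overrides reach the command would go unnoticed. I would add a context that sets those attributes and asserts the resulting command, plus `run_execute('fernet setup')` and `run_execute('credential setup')` examples with `user: 'root'`.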
@@ -204,7 +213,7 @@ describe 'openstack-identity::server-apache' do describe '[assignment] section' do it 'configures driver' do - r = line_regexp('driver = keystone.assignment.backends.sql.Assignment') + r = line_regexp('driver = sql') expect(chef_run).to render_config_file(path).with_section_content('assignment', r) end end @@ -216,7 +225,7 @@ describe 'openstack-identity::server-apache' do line_regexp(str) end let(:sql) do - line_regexp('driver = keystone.catalog.backends.sql.Catalog') + line_regexp('driver = sql') end it 'configures driver' do @@ -227,7 +236,7 @@ describe 'openstack-identity::server-apache' do describe '[policy] section' do it 'configures driver' do - r = line_regexp('driver = keystone.policy.backends.sql.Policy') + r = line_regexp('driver = sql') expect(chef_run).to render_config_file(path).with_section_content('policy', r) end end @@ -248,16 +257,14 @@ describe 'openstack-identity::server-apache' do it 'runs migrations' do expect(chef_run).to run_execute(cmd).with( - user: 'keystone', - group: 'keystone' + user: 'root' ) end it 'does not run migrations' do node.set['openstack']['db']['identity']['migrate'] = false expect(chef_run).not_to run_execute(cmd).with( - user: 'keystone', - group: 'keystone' + user: 'root' ) end end @@ -270,7 +277,7 @@ describe 'openstack-identity::server-apache' do expect(chef_run).to create_template(template.name).with( user: 'keystone', group: 'keystone', - mode: 0644 + mode: 0o644 ) end @@ -308,9 +315,11 @@ describe 'openstack-identity::server-apache' do it 'template misc_paste array correctly' do node.set['openstack']['identity']['misc_paste'] = ['MISC1 = OPTION1', 'MISC2 = OPTION2'] expect(chef_run).to render_file(path).with_content( - /^MISC1 = OPTION1$/) + /^MISC1 = OPTION1$/ + ) expect(chef_run).to render_file(path).with_content( - /^MISC2 = OPTION2$/) + /^MISC2 = OPTION2$/ + ) end end 
@@ -323,7 +332,7 @@ describe 'openstack-identity::server-apache' do source: 'http://server/mykeystone-paste.ini', user: 'keystone', group: 'keystone', - mode: 00644 + mode: 0o0644 ) end end diff --git a/templates/default/keystone-paste.ini.erb b/templates/default/keystone-paste.ini.erb index 8479c3e..5e78296 100644 --- a/templates/default/keystone-paste.ini.erb +++ b/templates/default/keystone-paste.ini.erb @@ -1,12 +1,12 @@ -<%= node["openstack"]["identity"]["custom_template_banner"] %> +<%= node['openstack']['identity']['custom_template_banner'] %> # Keystone PasteDeploy configuration file. [filter:debug] -use = egg:keystone#debug +use = egg:oslo.middleware#debug [filter:request_id] -use = egg:keystone#request_id +use = egg:oslo.middleware#request_id [filter:build_auth_context] use = egg:keystone#build_auth_context @@ -40,7 +40,7 @@ use = egg:keystone#s3_extension use = egg:keystone#url_normalize [filter:sizelimit] -use = egg:keystone#sizelimit +use = egg:oslo.middleware#sizelimit [filter:osprofiler] use = egg:osprofiler#osprofiler @@ -55,13 +55,13 @@ use = egg:keystone#service_v3 use = egg:keystone#admin_service [pipeline:public_api] -pipeline = <%=node["openstack"]["identity"]["pipeline"]["public_api"] %> +pipeline = <%=node['openstack']['identity']['pipeline']['public_api'] %> [pipeline:admin_api] -pipeline = <%=node["openstack"]["identity"]["pipeline"]["admin_api"] %> +pipeline = <%=node['openstack']['identity']['pipeline']['admin_api'] %> [pipeline:api_v3] -pipeline = <%=node["openstack"]["identity"]["pipeline"]["api_v3"] %> +pipeline = <%=node['openstack']['identity']['pipeline']['api_v3'] %> [app:public_version_service] use = egg:keystone#public_version_service 
@@ -87,8 +87,8 @@ use = egg:Paste#urlmap /v3 = api_v3 / = admin_version_api -<% if node["openstack"]["identity"]["misc_paste"] %> -<% node["openstack"]["identity"]["misc_paste"].each do |m| %> +<% if node['openstack']['identity']['misc_paste'] %> +<% node['openstack']['identity']['misc_paste'].each do |m| %> <%= m %> <% end %> <% end %>