Stein fixes

- Cookstyle fixes - Refactor Berksfile to use groups so we can exclude integration testing cookbooks - Update documentation - Enable sensitive resources for template[/etc/keystone/keystone.conf] and execute[bootstrap_keystone] to improve security. - Update delivery configuration to exclude integration cookbooks [1] https://docs.openstack.org/keystone/stein/install/keystone-install-rdo.html#install-and-configure-components Depends-On: https://review.opendev.org/701027 Depends-On: https://review.opendev.org/706101 Depends-On: https://review.opendev.org/706140 Depends-On: https://review.opendev.org/706147 Depends-On: https://review.opendev.org/706158 Change-Id: I6c5005b23ee209650911146e373c4cf082cbee9e
2020-02-05 14:52:14 -08:00 · 2020-02-05 14:52:14 -08:00 · c49dedfbcd
parent 453ab3bb95
commit c49dedfbcd
16 changed files with 129 additions and 137 deletions
--- a/.delivery/project.toml
+++ b/.delivery/project.toml
@ -1 +1,9 @@
-remote_file = "https://raw.githubusercontent.com/chef-cookbooks/community_cookbook_tools/master/delivery/project.toml"
+[local_phases]
+unit = 'rspec spec/'
+lint = 'cookstyle --display-cop-names --extra-details'
+syntax = "berks install -e integration"
+provision = "echo skipping"
+deploy = "echo skipping"
+smoke = "echo skipping"
+functional = "echo skipping"
+cleanup = "echo skipping"
--- a/.rubocop.yml
+++ b/.rubocop.yml
@ -1,5 +1,3 @@
-inherit_from: .rubocop_todo.yml
-
 AllCops:
  Include:
    - metadata.rb
@ -14,24 +12,3 @@ AllCops:
    - .cookbooks/**/*
    - berks-cookbooks/**/*
    - .bundle/**/*
-
-Encoding:
-  Exclude:
-    - metadata.rb
-    - Gemfile
-
-NumericLiterals:
-  Enabled: false
-
-LineLength:
-  Enabled: false
-
-WordArray:
-  MinSize: 3
-
-# TODO(galstom21)
-# The rescue exception statements in providers/**.rb need to be modified,
-# to rescue specific exceptions.
-RescueException:
-  Exclude:
-    - providers/register.rb
--- a/.rubocop_todo.yml
+++ b/.rubocop_todo.yml
@ -1,19 +0,0 @@
-# This configuration was generated by
-# `rubocop --auto-gen-config`
-# on 2018-08-03 05:25:58 -0700 using RuboCop version 0.55.0.
-# The point is for the user to remove these configuration records
-# one by one as the offenses are removed from the code base.
-# Note that changes in the inspected code, or installation of new
-# versions of RuboCop, may require this file to be generated again.
-
-# Offense count: 2
-# Cop supports --auto-correct.
-Style/IfUnlessModifier:
-  Exclude:
-    - 'recipes/server-apache.rb'
-
-# Offense count: 65
-# Configuration parameters: AllowHeredoc, AllowURI, URISchemes, IgnoreCopDirectives, IgnoredPatterns.
-# URISchemes: http, https
-Metrics/LineLength:
-  Max: 224
--- a/24
+++ b/24
@ -4,19 +4,19 @@ solver :ruby, :required

 metadata

-%w(
-  client
-  -common
-  -dns
-  -image
-  -integration-test
-  -network
-  -ops-database
-  -ops-messaging
-).each do |cookbook|
+[
+  %w(client dep),
+  %w(-common dep),
+  %w(-dns integration),
+  %w(-image integration),
+  %w(-integration-test integration),
+  %w(-network integration),
+  %w(-ops-database integration),
+  %w(-ops-messaging integration)
+].each do |cookbook, group|
  if Dir.exist?("../cookbook-openstack#{cookbook}")
-    cookbook "openstack#{cookbook}", path: "../cookbook-openstack#{cookbook}"
+    cookbook "openstack#{cookbook}", path: "../cookbook-openstack#{cookbook}", group: group
  else
-    cookbook "openstack#{cookbook}", git: "https://opendev.org/openstack/cookbook-openstack#{cookbook}"
+    cookbook "openstack#{cookbook}", git: "https://opendev.org/openstack/cookbook-openstack#{cookbook}", group: group
  end
 end
--- a/README.rst
+++ b/README.rst
@ -21,9 +21,9 @@ https://docs.openstack.org/keystone/latest/
 Requirements
 ============

- Chef 14 or higher
- ChefDK 3.2.30 for testing (also includes Berkshelf for cookbook
-  dependency resolution)
+- Chef 15 or higher
+- Chef Workstation 0.15.18 for testing (also includes Berkshelf for
+  cookbook dependency resolution)

 Platform
 ========
@ -38,7 +38,7 @@ Cookbooks
 The following cookbooks are dependencies:

 - 'apache2', '~> 8.0'
- 'openstack-common', '>= 18.0.0'
+- 'openstack-common', '>= 19.0.0'
 - 'openstackclient'

 Attributes
@ -63,7 +63,17 @@ openstack-identity::cloud_config
 openstack-identity::_credential_tokens
 --------------------------------------

- Helper recipe to manage credential keys
+- Helper recipe to manage credential keys.
+
+If you prefer, you can manually create the keys by doing the following:
+
+.. code-block:: console
+
+  $ keystone-manage credential_setup \
+    --keystone-user keystone --keystone-group keystone
+
+This should create a directory ``/etc/keystone/credential-keys`` with
+the keys residing in it.

 openstack-identity::_fernet_tokens
 ----------------------------------
@ -141,7 +151,7 @@ License and Author
 +---------------+----------------------------------------------+
 | **Copyright** | GmbH Copyright 2013-2014, IBM, Corp.         |
 +---------------+----------------------------------------------+
-| **Copyright** | Copyright 2016-2019, Oregon State University |
+| **Copyright** | Copyright 2016-2020, Oregon State University |
 +---------------+----------------------------------------------+

 Licensed under the Apache License, Version 2.0 (the "License"); you may
--- a/attributes/default.rb
+++ b/attributes/default.rb
@ -1,14 +1,15 @@
 # encoding: UTF-8
 #
-# Cookbook Name:: openstack-identity
+# Cookbook:: openstack-identity
 # Recipe:: default
 #
-# Copyright 2012-2013, AT&T Services, Inc.
-# Copyright 2013, Opscode, Inc.
-# Copyright 2013, IBM Corp.
-# Copyright 2017, x-ion GmbH
-# Copyright 2018, Workday, Inc.
-# Copyright 2019, x-ion GmbH
+# Copyright:: 2012-2013, AT&T Services, Inc.
+# Copyright:: 2013, Opscode, Inc.
+# Copyright:: 2013, IBM Corp.
+# Copyright:: 2017, x-ion GmbH
+# Copyright:: 2018, Workday, Inc.
+# Copyright:: 2019, x-ion GmbH
+# Copyright:: 2016-2020, Oregon State University
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
--- a/metadata.rb
+++ b/metadata.rb
@ -3,14 +3,7 @@ maintainer       'openstack-chef'
 maintainer_email 'openstack-discuss@lists.openstack.org'
 license          'Apache-2.0'
 description      'The OpenStack Identity service Keystone.'
-version          '18.0.0'
-
-recipe 'cloud_config', 'Manage the cloud config file located at /root/clouds.yaml'
-recipe '_credential_tokens', 'Helper recipe to manage credential keys'
-recipe '_fernet_tokens', 'Helper recipe to manage fernet tokens'
-recipe 'openrc', 'Creates a fully usable openrc file'
-recipe 'registration', 'Registers the initial keystone endpoint as well as users, tenants and roles'
-recipe 'server-apache', 'Installs and configures the OpenStack Identity Service running inside of an apache webserver.'
+version          '19.0.0'

 %w(ubuntu redhat centos).each do |os|
  supports os
@ -18,8 +11,8 @@ end

 depends 'apache2', '~> 8.0'
 depends 'openstackclient'
-depends 'openstack-common', '>= 18.0.0'
+depends 'openstack-common', '>= 19.0.0'

 issues_url 'https://launchpad.net/openstack-chef'
 source_url 'https://opendev.org/openstack/cookbook-openstack-identity'
-chef_version '>= 14.0'
+chef_version '>= 15.0'
--- a/recipes/_credential_tokens.rb
+++ b/recipes/_credential_tokens.rb
@ -1,8 +1,10 @@
 # encoding: UTF-8
 #
-# Cookbook Name:: openstack-identity
+# Cookbook:: openstack-identity
 # Recipe:: _credential_tokens
 #
+# Copyright:: 2020, Oregon State University
+#
 # Licensed under the Apache License, Version 2.0 (the 'License');
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
@ -24,23 +26,23 @@ class ::Chef::Recipe
  include ::Openstack
 end

-key_repository =
-  node['openstack']['identity']['conf']['credential']['key_repository']
+key_repository = node['openstack']['identity']['conf']['credential']['key_repository']
+keystone_user = node['openstack']['identity']['user']
+keystone_group = node['openstack']['identity']['group']

 directory key_repository do
-  owner node['openstack']['identity']['user']
-  group node['openstack']['identity']['group']
-  mode 0o0700
+  owner keystone_user
+  group keystone_group
+  mode '700'
 end

 node['openstack']['identity']['credential']['keys'].each do |key_index|
-  key = secret(node['openstack']['secret']['secrets_data_bag'],
-               "credential_key#{key_index}")
+  key = secret(node['openstack']['secret']['secrets_data_bag'], "credential_key#{key_index}")
  file File.join(key_repository, key_index.to_s) do
    content key
-    owner node['openstack']['identity']['user']
-    group node['openstack']['identity']['group']
-    mode 0o0400
+    owner keystone_user
+    group keystone_group
+    mode '400'
    sensitive true
  end
 end
--- a/recipes/_fernet_tokens.rb
+++ b/recipes/_fernet_tokens.rb
@ -1,8 +1,10 @@
 # encoding: UTF-8
 #
-# Cookbook Name:: openstack-identity
+# Cookbook:: openstack-identity
 # Recipe:: _fernet_tokens
 #
+# Copyright:: 2020, Oregon State University
+#
 # Licensed under the Apache License, Version 2.0 (the 'License');
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
@ -23,23 +25,28 @@ class ::Chef::Recipe
  include ::Openstack
 end

-key_repository =
-  node['openstack']['identity']['conf']['fernet_tokens']['key_repository']
+key_repository = node['openstack']['identity']['conf']['fernet_tokens']['key_repository']
+keystone_user = node['openstack']['identity']['user']
+keystone_group = node['openstack']['identity']['group']

 directory key_repository do
-  owner node['openstack']['identity']['user']
-  group node['openstack']['identity']['group']
-  mode 0o0700
+  owner keystone_user
+  group keystone_group
+  mode '700'
 end

 node['openstack']['identity']['fernet']['keys'].each do |key_index|
-  key = secret(node['openstack']['secret']['secrets_data_bag'],
-               "fernet_key#{key_index}")
+  key = secret(node['openstack']['secret']['secrets_data_bag'], "fernet_key#{key_index}")
  file File.join(key_repository, key_index.to_s) do
    content key
-    owner node['openstack']['identity']['user']
-    group node['openstack']['identity']['group']
-    mode 0o0400
+    owner keystone_user
+    group keystone_group
+    mode '400'
    sensitive true
  end
 end
+
+execute 'keystone-manage fernet_setup' do
+  command "keystone-manage fernet_setup --keystone-user #{keystone_user} --keystone-group #{keystone_group}"
+  creates '/etc/keystone/fernet-keys'
+end
--- a/recipes/cloud_config.rb
+++ b/recipes/cloud_config.rb
@ -1,9 +1,9 @@
 # encoding: UTF-8
 #
-# Cookbook Name:: openstack-identity
+# Cookbook:: openstack-identity
 # recipe:: cloud_config
 #
-# Copyright 2019 x-ion GmbH
+# Copyright:: 2019 x-ion GmbH
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
--- a/recipes/openrc.rb
+++ b/recipes/openrc.rb
@ -1,9 +1,9 @@
 # encoding: UTF-8
 #
-# Cookbook Name:: openstack-identity
+# Cookbook:: openstack-identity
 # recipe:: openrc
 #
-# Copyright 2014 IBM Corp.
+# Copyright:: 2014 IBM Corp.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
--- a/recipes/registration.rb
+++ b/recipes/registration.rb
@ -1,10 +1,11 @@
 # encoding: UTF-8
 #
-# Cookbook Name:: openstack-identity
+# Cookbook:: openstack-identity
 # Recipe:: setup
 #
-# Copyright 2012, Rackspace US, Inc.
-# Copyright 2012-2013, Opscode, Inc.
+# Copyright:: 2012, Rackspace US, Inc.
+# Copyright:: 2012-2013, Opscode, Inc.
+# Copyright:: 2020, Oregon State University
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@ -48,11 +49,11 @@ admin_domain = node['openstack']['identity']['admin_domain_name']
 # endpoint_type = node['openstack']['identity']['endpoint_type']

 connection_params = {
-  openstack_auth_url:      auth_url,
-  openstack_username:      admin_user,
-  openstack_api_key:       admin_pass,
-  openstack_project_name:  admin_project,
-  openstack_domain_id:     admin_domain,
+  openstack_auth_url: auth_url,
+  openstack_username: admin_user,
+  openstack_api_key: admin_pass,
+  openstack_project_name: admin_project,
+  openstack_domain_id: admin_domain,
  # openstack_endpoint_type: endpoint_type,
 }

@ -77,8 +78,8 @@ openstack_role 'service' do
  connection_params connection_params
 end

-node.normal['openstack']['identity']['internalURL'] = identity_internal_endpoint.to_s
-node.normal['openstack']['identity']['publicURL'] = identity_endpoint.to_s
+node.default['openstack']['identity']['internalURL'] = identity_internal_endpoint.to_s
+node.default['openstack']['identity']['publicURL'] = identity_endpoint.to_s

 Chef::Log.info "Keystone InternalURL: #{identity_internal_endpoint}"
 Chef::Log.info "Keystone PublicURL: #{identity_endpoint}"
--- a/recipes/server-apache.rb
+++ b/recipes/server-apache.rb
@ -1,9 +1,10 @@
 # encoding: UTF-8
 #
-# Cookbook Name:: openstack-identity
+# Cookbook:: openstack-identity
 # Recipe:: server-apache
 #
-# Copyright 2015, IBM Corp. Inc.
+# Copyright:: 2015, IBM Corp. Inc.
+# Copyright:: 2016-2020, Oregon State University
 #
 # Licensed under the Apache License, Version 2.0 (the 'License');
 # you may not use this file except in compliance with the License.
@ -50,8 +51,8 @@ admin_user = node['openstack']['identity']['admin_user']
 admin_pass = get_password 'user', node['openstack']['identity']['admin_user']
 admin_role = node['openstack']['identity']['admin_role']
 region = node['openstack']['identity']['region']
-keystone_user    = node['openstack']['identity']['user']
-keystone_group   = node['openstack']['identity']['group']
+keystone_user = node['openstack']['identity']['user']
+keystone_group = node['openstack']['identity']['group']

 # install the database python adapter packages for the selected database
 # service_type
@ -101,14 +102,14 @@ end
 directory '/etc/keystone' do
  owner keystone_user
  group keystone_group
-  mode 0o0700
+  mode '700'
 end

 # create keystone domain config dir if needed
 directory node['openstack']['identity']['domain_config_dir'] do
  owner keystone_user
  group keystone_group
-  mode 0o0700
+  mode '700'
  only_if { node['openstack']['identity']['domain_specific_drivers_enabled'] }
 end

@ -119,8 +120,8 @@ file '/var/lib/keystone/keystone.db' do
 end

 # include the recipes to setup tokens
-include_recipe 'openstack-identity::_credential_tokens'
 include_recipe 'openstack-identity::_fernet_tokens'
+include_recipe 'openstack-identity::_credential_tokens'

 # define the address to bind the keystone apache public service to
 bind_service = node['openstack']['bind_service']['public']['identity']
@ -145,14 +146,14 @@ if node['openstack']['identity']['pastefile_url']
    source node['openstack']['identity']['pastefile_url']
    owner keystone_user
    group keystone_group
-    mode 0o0644
+    mode '644'
  end
 else
  template '/etc/keystone/keystone-paste.ini' do
    source 'keystone-paste.ini.erb'
    owner keystone_user
    group keystone_group
-    mode 0o0644
+    mode '644'
  end
 end

@ -176,7 +177,8 @@ template '/etc/keystone/keystone.conf' do
  cookbook 'openstack-common'
  owner keystone_user
  group keystone_group
-  mode 0o0640
+  mode '640'
+  sensitive true
  variables(
    service_config: keystone_conf_options
  )
@ -210,6 +212,7 @@ execute 'bootstrap_keystone' do
          --bootstrap-admin-url #{identity_internal_endpoint} \\
          --bootstrap-public-url #{identity_endpoint} \\
          --bootstrap-internal-url #{identity_internal_endpoint}"
+  sensitive true
 end

 #### Start of Apache specific work
@ -236,7 +239,7 @@ keystone_apache_dir = "#{default_docroot_dir}/keystone"
 directory keystone_apache_dir do
  owner 'root'
  group 'root'
-  mode 0o0755
+  mode '755'
 end

 # create the keystone apache config using template
--- a/spec/credential_tokens_spec.rb
+++ b/spec/credential_tokens_spec.rb
@ -13,7 +13,7 @@ describe 'openstack-identity::_credential_tokens' do

    it do
      expect(chef_run).to create_directory('/etc/keystone/credential-tokens')
-        .with(owner: 'keystone', user: 'keystone', mode: 0o0700)
+        .with(owner: 'keystone', user: 'keystone', mode: '700')
    end

    [0, 1].each do |key_index|
@ -23,7 +23,7 @@ describe 'openstack-identity::_credential_tokens' do
            content: "thisiscredentialkey#{key_index}",
            owner: 'keystone',
            group: 'keystone',
-            mode: 0o0400
+            mode: '400'
          )
      end
    end
--- a/spec/fernet_tokens_spec.rb
+++ b/spec/fernet_tokens_spec.rb
@ -13,7 +13,7 @@ describe 'openstack-identity::_fernet_tokens' do

    it do
      expect(chef_run).to create_directory('/etc/keystone/fernet-tokens')
-        .with(owner: 'keystone', user: 'keystone', mode: 0o0700)
+        .with(owner: 'keystone', user: 'keystone', mode: '700')
    end

    [0, 1].each do |key_index|
@ -23,9 +23,14 @@ describe 'openstack-identity::_fernet_tokens' do
            content: "thisisfernetkey#{key_index}",
            owner: 'keystone',
            group: 'keystone',
-            mode: 0o0400
+            mode: '400'
          )
      end
    end
+    it do
+      expect(chef_run).to run_execute('keystone-manage fernet_setup').with(
+        command: 'keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone'
+      )
+    end
  end
 end
--- a/spec/server-apache_spec.rb
+++ b/spec/server-apache_spec.rb
@ -54,7 +54,8 @@ describe 'openstack-identity::server-apache' do
    end

    it 'bootstrap with keystone-manage' do
-      expect(chef_run).to run_execute('bootstrap_keystone').with(command: "keystone-manage bootstrap \\
+      expect(chef_run).to run_execute('bootstrap_keystone').with(
+        command: "keystone-manage bootstrap \\
          --bootstrap-password #{password} \\
          --bootstrap-username #{service_user} \\
          --bootstrap-project-name #{project_name} \\
@ -63,7 +64,9 @@ describe 'openstack-identity::server-apache' do
          --bootstrap-region-id #{region} \\
          --bootstrap-admin-url #{public_url} \\
          --bootstrap-public-url #{public_url} \\
-          --bootstrap-internal-url #{public_url}")
+          --bootstrap-internal-url #{public_url}",
+        sensitive: true
+      )
    end

    describe '/etc/keystone' do
@ -73,7 +76,7 @@ describe 'openstack-identity::server-apache' do
        expect(chef_run).to create_directory(dir.name).with(
          user: 'keystone',
          group: 'keystone',
-          mode: 0o0700
+          mode: '700'
        )
      end
    end
@ -94,7 +97,7 @@ describe 'openstack-identity::server-apache' do
          expect(chef_run).to create_directory(dir).with(
            user: 'keystone',
            group: 'keystone',
-            mode: 0o0700
+            mode: '700'
          )
        end
      end
@ -122,7 +125,8 @@ describe 'openstack-identity::server-apache' do
          expect(chef_run).to create_template(resource.name).with(
            user: 'keystone',
            group: 'keystone',
-            mode: 0o0640
+            mode: '640',
+            sensitive: true
          )
        end
      end
@ -207,13 +211,13 @@ describe 'openstack-identity::server-apache' do
        end
      end
      describe '[fernet_tokens] section' do
-        it do
+        it 'key_repository = /etc/keystone/fernet-tokens' do
          r = %r{^key_repository = /etc/keystone/fernet-tokens$}
          expect(chef_run).to render_config_file(path).with_section_content('fernet_tokens', r)
        end
      end
      describe '[credential] section' do
-        it do
+        it 'key_repository = /etc/keystone/credential-tokens' do
          r = %r{^key_repository = /etc/keystone/credential-tokens$}
          expect(chef_run).to render_config_file(path).with_section_content('credential', r)
        end
@ -301,7 +305,7 @@ describe 'openstack-identity::server-apache' do
          source: 'http://server/mykeystone-paste.ini',
          user: 'keystone',
          group: 'keystone',
-          mode: 0o0644
+          mode: '644'
        )
      end
    end