Add support for Fernet Tokens

This adds support for Fernet token creation during the installation and
config options for Fernet tokens.

Change-Id: I43657e9ba46f07c316a9e67a134e30aa3a44a867
Matt Fischer 2015-05-25 12:47:09 -06:00
parent 58cdeac78a
commit bca04a399e
2 changed files with 85 additions and 1 deletions


@ -61,7 +61,7 @@
# [*token_provider*]
# (optional) Format keystone uses for tokens.
# Defaults to 'keystone.token.providers.uuid.Provider'
# Supports PKI and UUID.
# Supports PKI, PKIZ, Fernet, and UUID.
#
# [*token_driver*]
# (optional) Driver to use for managing tokens.
@ -347,6 +347,22 @@
# (Optional) Run db sync on the node.
# Defaults to true
#
# [*enable_fernet_setup*]
# (Optional) Setup keystone for fernet tokens. This is typically only
# run on a single node, then the keys are replicated to the other nodes
# in a cluster. You would typically also pair this with a fernet token
# provider setting.
# Defaults to false
#
# [*fernet_key_repository*]
# (Optional) Location for the fernet key repository. This value must
# be set if enable_fernet_setup is set to true.
# Defaults to '/etc/keystone/fernet-keys'
#
# [*fernet_max_active_keys*]
# (Optional) Number of maximum active Fernet keys. Integer > 0.
# Defaults to undef
#
# == Dependencies
# None
#
@ -448,6 +464,9 @@ class keystone(
$admin_workers = max($::processorcount, 2),
$public_workers = max($::processorcount, 2),
$sync_db = true,
$enable_fernet_setup = false,
$fernet_key_repository = '/etc/keystone/fernet-keys',
$fernet_max_active_keys = undef,
# DEPRECATED PARAMETERS
$mysql_module = undef,
$compute_port = undef,
@ -484,6 +503,8 @@ class keystone(
File['/etc/keystone/keystone.conf'] -> Keystone_config<||> ~> Service[$service_name]
Keystone_config<||> ~> Exec<| title == 'keystone-manage db_sync'|>
Keystone_config<||> ~> Exec<| title == 'keystone-manage pki_setup'|>
Keystone_config<||> ~> Exec<| title == 'keystone-manage fernet_setup'|>
include ::keystone::params
package { 'keystone':
@ -872,4 +893,38 @@ class keystone(
}
}
# Fernet tokens support
if $enable_fernet_setup {
validate_string($fernet_key_repository)
exec { 'keystone-manage fernet_setup':
path => '/usr/bin',
user => 'keystone',
refreshonly => true,
creates => "${fernet_key_repository}/0",
notify => Service[$service_name],
subscribe => [Package['keystone'], Keystone_config['fernet_tokens/key_repository']],
}
}
if $fernet_key_repository {
keystone_config {
'fernet_tokens/key_repository': value => $fernet_key_repository;
}
} else {
keystone_config {
'fernet_tokens/key_repository': ensure => absent;
}
}
if $fernet_max_active_keys {
keystone_config {
'fernet_tokens/max_active_keys': value => $fernet_max_active_keys;
}
} else {
keystone_config {
'fernet_tokens/max_active_keys': ensure => absent;
}
}
}
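Review bot: Nothing in this hunk manages `$fernet_key_repository` itself, so the directory that holds the Fernet token signing/encryption keys keeps whatever owner and mode `keystone-manage fernet_setup` or a pre-existing directory happens to leave, and if the exec's `keystone` user cannot create it under /etc/keystone the first run presumably fails; `validate_string` on the line before the exec also accepts an empty string, which turns `creates` into `/0`. I would tighten the check to `validate_absolute_path($fernet_key_repository)` and declare a `file` resource for the repository ordered before the exec, as below (the group name assumes the package creates a `keystone` group matching the `user => 'keystone'` already used here). The `if $fernet_key_repository` / `else` pairs that follow are unaffected.
```puppet
if $enable_fernet_setup {
  validate_absolute_path($fernet_key_repository)
  # The keys in this directory sign and encrypt every token issued;
  # keep the repository readable by the keystone service user only.
  file { $fernet_key_repository:
    ensure => directory,
    owner  => 'keystone',
    group  => 'keystone',
    mode   => '0700',
    before => Exec['keystone-manage fernet_setup'],
  }
  exec { 'keystone-manage fernet_setup':
    # … unchanged: path, user, refreshonly, creates, notify, subscribe …
  }
}
# … unchanged: keystone_config for key_repository and max_active_keys …
```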


@ -778,6 +778,35 @@ describe 'keystone' do
end
end
describe 'when using fernet tokens' do
describe 'when enabling fernet_setup' do
let :params do
default_params.merge({
'enable_fernet_setup' => true,
'fernet_max_active_keys' => 5,
})
end
it { is_expected.to contain_exec('keystone-manage fernet_setup').with(
:creates => '/etc/keystone/fernet-keys/0'
) }
it { is_expected.to contain_keystone_config('fernet_tokens/max_active_keys').with_value(5)}
end
describe 'when overriding the fernet key directory' do
let :params do
default_params.merge({
'enable_fernet_setup' => true,
'fernet_key_repository' => '/var/lib/fernet-keys',
})
end
it { is_expected.to contain_exec('keystone-manage fernet_setup').with(
:creates => '/var/lib/fernet-keys/0'
) }
end
end
describe 'when configuring paste_deploy' do
describe 'with default paste config on Debian' do
let :params do
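Review bot: The new examples never cover the default path: with `enable_fernet_setup` left at false the manifest must not declare the exec yet still sets `fernet_tokens/key_repository` to `/etc/keystone/fernet-keys`, and neither is asserted here. Adding `it { is_expected.not_to contain_exec('keystone-manage fernet_setup') }` to a default-params example and `it { is_expected.to contain_keystone_config('fernet_tokens/key_repository').with_value('/etc/keystone/fernet-keys') }` to the 'when enabling fernet_setup' block would pin both. The exec's `user => 'keystone'` and `refreshonly => true` are likewise unchecked; extending the existing matcher to `.with(:user => 'keystone', :refreshonly => true, :creates => '/etc/keystone/fernet-keys/0')` covers them. The enclosing `describe 'keystone'` block starts before this hunk.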