Add support for Fernet Tokens
This adds support for Fernet token creation during the installation and config options for Fernet tokens. Change-Id: I43657e9ba46f07c316a9e67a134e30aa3a44a867
parent
58cdeac78a
commit
bca04a399e
|
@ -61,7 +61,7 @@
|
|||
# [*token_provider*]
|
||||
# (optional) Format keystone uses for tokens.
|
||||
# Defaults to 'keystone.token.providers.uuid.Provider'
|
||||
# Supports PKI and UUID.
|
||||
# Supports PKI, PKIZ, Fernet, and UUID.
|
||||
#
|
||||
# [*token_driver*]
|
||||
# (optional) Driver to use for managing tokens.
|
||||
|
@ -347,6 +347,22 @@
|
|||
# (Optional) Run db sync on the node.
|
||||
# Defaults to true
|
||||
#
|
||||
# [*enable_fernet_setup*]
|
||||
# (Optional) Setup keystone for fernet tokens. This is typically only
|
||||
# run on a single node, then the keys are replicated to the other nodes
|
||||
# in a cluster. You would typically also pair this with a fernet token
|
||||
# provider setting.
|
||||
# Defaults to false
|
||||
#
|
||||
# [*fernet_key_repository*]
|
||||
# (Optional) Location for the fernet key repository. This value must
|
||||
# be set if enable_fernet_setup is set to true.
|
||||
# Defaults to '/etc/keystone/fernet-keys'
|
||||
#
|
||||
# [*fernet_max_active_keys*]
|
||||
# (Optional) Number of maximum active Fernet keys. Integer > 0.
|
||||
# Defaults to undef
|
||||
#
|
||||
# == Dependencies
|
||||
# None
|
||||
#
|
||||
|
@ -448,6 +464,9 @@ class keystone(
|
|||
$admin_workers = max($::processorcount, 2),
|
||||
$public_workers = max($::processorcount, 2),
|
||||
$sync_db = true,
|
||||
$enable_fernet_setup = false,
|
||||
$fernet_key_repository = '/etc/keystone/fernet-keys',
|
||||
$fernet_max_active_keys = undef,
|
||||
# DEPRECATED PARAMETERS
|
||||
$mysql_module = undef,
|
||||
$compute_port = undef,
|
||||
|
@ -484,6 +503,8 @@ class keystone(
|
|||
File['/etc/keystone/keystone.conf'] -> Keystone_config<||> ~> Service[$service_name]
|
||||
Keystone_config<||> ~> Exec<| title == 'keystone-manage db_sync'|>
|
||||
Keystone_config<||> ~> Exec<| title == 'keystone-manage pki_setup'|>
|
||||
Keystone_config<||> ~> Exec<| title == 'keystone-manage fernet_setup'|>
|
||||
|
||||
include ::keystone::params
|
||||
|
||||
package { 'keystone':
|
||||
|
@ -872,4 +893,38 @@ class keystone(
|
|||
}
|
||||
}
|
||||
|
||||
# Fernet tokens support
|
||||
if $enable_fernet_setup {
|
||||
validate_string($fernet_key_repository)
|
||||
|
||||
exec { 'keystone-manage fernet_setup':
|
||||
path => '/usr/bin',
|
||||
user => 'keystone',
|
||||
refreshonly => true,
|
||||
creates => "${fernet_key_repository}/0",
|
||||
notify => Service[$service_name],
|
||||
subscribe => [Package['keystone'], Keystone_config['fernet_tokens/key_repository']],
|
||||
}
|
||||
}
|
||||
|
||||
if $fernet_key_repository {
|
||||
keystone_config {
|
||||
'fernet_tokens/key_repository': value => $fernet_key_repository;
|
||||
}
|
||||
} else {
|
||||
keystone_config {
|
||||
'fernet_tokens/key_repository': ensure => absent;
|
||||
}
|
||||
}
|
||||
|
||||
if $fernet_max_active_keys {
|
||||
keystone_config {
|
||||
'fernet_tokens/max_active_keys': value => $fernet_max_active_keys;
|
||||
}
|
||||
} else {
|
||||
keystone_config {
|
||||
'fernet_tokens/max_active_keys': ensure => absent;
|
||||
}
|
||||
}
|
||||
|
||||
}
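Review bot: `validate_string($fernet_key_repository)` inside the `if $enable_fernet_setup` block accepts an empty string, yet the value is interpolated into `creates => "${fernet_key_repository}/0"` and written to `fernet_tokens/key_repository`; `validate_absolute_path($fernet_key_repository)` would reject an empty or relative path before the exec is ever scheduled. The manifest also leaves the repository directory unmanaged, so ownership and mode of the directory holding the token signing keys depend entirely on what `keystone-manage fernet_setup` creates as user `keystone`; a `file { $fernet_key_repository: ensure => directory, owner => 'keystone', group => 'keystone', mode => '0700' }` resource ordered before the exec would make that explicit and keep the key material readable only by the service account. `$fernet_max_active_keys` is documented as `Integer > 0` but is not validated before being written to `fernet_tokens/max_active_keys`; if the pinned stdlib provides it, `validate_integer($fernet_max_active_keys, undef, 1)` in the `if $fernet_max_active_keys` branch would enforce that. The `class keystone` body opens outside this hunk.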
|
||||
|
|
|
@ -778,6 +778,35 @@ describe 'keystone' do
|
|||
end
|
||||
end
|
||||
|
||||
describe 'when using fernet tokens' do
|
||||
describe 'when enabling fernet_setup' do
|
||||
let :params do
|
||||
default_params.merge({
|
||||
'enable_fernet_setup' => true,
|
||||
'fernet_max_active_keys' => 5,
|
||||
})
|
||||
end
|
||||
|
||||
it { is_expected.to contain_exec('keystone-manage fernet_setup').with(
|
||||
:creates => '/etc/keystone/fernet-keys/0'
|
||||
) }
|
||||
it { is_expected.to contain_keystone_config('fernet_tokens/max_active_keys').with_value(5)}
|
||||
end
|
||||
|
||||
describe 'when overriding the fernet key directory' do
|
||||
let :params do
|
||||
default_params.merge({
|
||||
'enable_fernet_setup' => true,
|
||||
'fernet_key_repository' => '/var/lib/fernet-keys',
|
||||
})
|
||||
end
|
||||
it { is_expected.to contain_exec('keystone-manage fernet_setup').with(
|
||||
:creates => '/var/lib/fernet-keys/0'
|
||||
) }
|
||||
|
||||
end
|
||||
end
|
||||
|
||||
describe 'when configuring paste_deploy' do
|
||||
describe 'with default paste config on Debian' do
|
||||
let :params do
|
||||
|
|