diff --git a/manifests/init.pp b/manifests/init.pp
index 3310a327..067b9972 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -118,19 +118,40 @@
 # [*auth_uri*]
 # (Optional) Specifies the public Identity URI for Heat to use.
 # Located in heat.conf.
-# Defaults to: false
+# Defaults to: 'http://127.0.0.1:5000/'.
 #
 # [*identity_uri*]
 # (Optional) Specifies the admin Identity URI for Heat to use.
 # Located in heat.conf.
-# Defaults to: false
+# Defaults to: 'http://127.0.0.1:35357/'.
+#
+# [*auth_plugin*]
+# Specifies the plugin used for authentication.
+# Defaults to undef.
 #
 # [*keystone_user*]
+# Defaults to 'heat'.
 #
 # [*keystone_tenant*]
+# Defaults to 'services'.
 #
 # [*keystone_password*]
 #
+# [*keystone_project_domain_name*]
+# Specifies the project domain of Keystone account for "password" auth_plugin.
+# Defaults to 'Default'.
+#
+# [*keystone_user_domain_id*]
+# (Optional) Domain ID of the principal if the principal has a domain.
+# Defaults to: 'Default'.
+#
+# [*keystone_user_domain_name*]
+# Defaults to 'Default'.
+#
+# [*keystone_project_domain_id*]
+# (Optional) Domain ID of the scoped project if auth is project-scoped.
+# Defaults to: 'Default'.
+#
 # [*keystone_ec2_uri*]
 #
 # [*database_connection*]
@@ -211,18 +232,6 @@
 # [*sql_connection*]
 # Deprecated. Use database_connection instead.
 #
-# [*keystone_host*]
-# (Optional) DEPRECATED The keystone host.
-# Defaults to localhost.
-#
-# [*keystone_port*]
-# (Optional) DEPRECATED The port used to access the keystone host.
-# Defaults to 35357.
-#
-# [*keystone_protocol*]
-# (Optional) DEPRECATED. The protocol used to access the keystone host
-# Defaults to http.
-#
 # [*qpid_hostname*]
 #
 # [*qpid_port*]
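Review bot: The new `[*auth_plugin*]` entry in the first hunk does not say that 'password' is the only accepted value, although the resource hunk later in this file calls `fail()` for anything else. I would document it as `# (Optional) Authentication plugin for keystone_authtoken. Only 'password' is supported; any other value fails the catalog. Defaults to undef.` In the same hunk `[*keystone_password*]` and `[*keystone_user_domain_name*]` still carry no description at all. The `auth_uri` and `identity_uri` entries should also note that the new defaults are plain-HTTP loopback addresses and need to be overridden, preferably with an https endpoint, when Keystone runs on another host.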
@@ -250,16 +259,21 @@
 # [*qpid_reconnect_interval_max*]
 #
 class heat(
- $auth_uri = false,
- $identity_uri = false,
+ $auth_uri = 'http://127.0.0.1:5000/',
+ $identity_uri = 'http://127.0.0.1:35357/',
 $package_ensure = 'present',
 $verbose = undef,
 $debug = undef,
 $log_dir = undef,
+ $auth_plugin = undef,
 $keystone_user = 'heat',
 $keystone_tenant = 'services',
 $keystone_password = false,
 $keystone_ec2_uri = 'http://127.0.0.1:5000/v2.0/ec2tokens',
+ $keystone_project_domain_id = 'Default',
+ $keystone_project_domain_name = 'Default',
+ $keystone_user_domain_id = 'Default',
+ $keystone_user_domain_name = 'Default',
 $rpc_backend = $::os_service_default,
 $rpc_response_timeout = $::os_service_default,
 $rabbit_host = $::os_service_default,
@@ -298,9 +312,6 @@ class heat(
 # Deprecated parameters
 $mysql_module = undef,
 $sql_connection = undef,
- $keystone_host = '127.0.0.1',
- $keystone_port = '35357',
- $keystone_protocol = 'http',
 $instance_user = undef,
 $qpid_hostname = undef,
 $qpid_port = undef,
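Review bot: `$keystone_project_domain_name` and `$keystone_user_domain_name` are added to the signature in the first hunk here, but the resource hunk further down only writes `user_domain_id` and `project_domain_id`, so these two parameters appear to have no effect. Separately, both `_domain_id` parameters default to `'Default'`; on a stock Keystone the built-in domain normally has ID `default` and name `Default`, so this default may fail to resolve. It is worth confirming this and either defaulting the IDs to `'default'` or wiring the `_domain_name` parameters through instead. `$keystone_password` also keeps its `false` default with no validation visible in this diff, and it is now written to `trustee/password` as well. The class body continues outside the hunk.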
@@ -395,62 +406,40 @@ class heat( warning('Qpid driver is removed from Oslo.messaging in the Mitaka release') } - # if both auth_uri and identity_uri are set we skip these deprecated settings entirely - if !$auth_uri or !$identity_uri { - if $keystone_host { - warning('The keystone_host parameter is deprecated. Please use auth_uri and identity_uri instead.') + if $auth_plugin { + if $auth_plugin == 'password' { heat_config { - 'keystone_authtoken/auth_host': value => $keystone_host; + 'keystone_authtoken/auth_url': value => $identity_uri; + 'keystone_authtoken/auth_plugin': value => $auth_plugin; + 'keystone_authtoken/username': value => $keystone_user; + 'keystone_authtoken/password': value => $keystone_password, secret => true; + 'keystone_authtoken/user_domain_id': value => $keystone_user_domain_id; + 'keystone_authtoken/project_name': value => $keystone_tenant; + 'keystone_authtoken/project_domain_id': value => $keystone_project_domain_id; } } else { - heat_config { - 'keystone_authtoken/auth_host': ensure => absent; - } - } - - if $keystone_port { - warning('The keystone_port parameter is deprecated. Please use auth_uri and identity_uri instead.') - heat_config { - 'keystone_authtoken/auth_port': value => $keystone_port; - } - } else { - heat_config { - 'keystone_authtoken/auth_port': ensure => absent; - } - } - - if $keystone_protocol { - warning('The keystone_protocol parameter is deprecated. 
Please use auth_uri and identity_uri instead.') - heat_config { - 'keystone_authtoken/auth_protocol': value => $keystone_protocol; - } - } else { - heat_config { - 'keystone_authtoken/auth_protocol': ensure => absent; - } + fail('Currently only "password" auth_plugin is supported.') } } else { + warning('"admin_user", "admin_password", "admin_tenant_name" configuration options are deprecated in favor of auth_plugin and related options') heat_config { - 'keystone_authtoken/auth_host': ensure => absent; - 'keystone_authtoken/auth_port': ensure => absent; - 'keystone_authtoken/auth_protocol': ensure => absent; + 'keystone_authtoken/auth_uri': value => $auth_uri; + 'keystone_authtoken/identity_uri': value => $identity_uri; + 'keystone_authtoken/admin_tenant_name': value => $keystone_tenant; + 'keystone_authtoken/admin_user': value => $keystone_user; + 'keystone_authtoken/admin_password': value => $keystone_password, secret => true; } } - if $auth_uri { - heat_config { 'keystone_authtoken/auth_uri': value => $auth_uri; } - } else { - heat_config { 'keystone_authtoken/auth_uri': value => "${keystone_protocol}://${keystone_host}:5000/v2.0"; } - } + heat_config { + 'trustee/auth_plugin': value => 'password'; + 'trustee/auth_url': value => $identity_uri; + 'trustee/username': value => $keystone_user; + 'trustee/password': value => $keystone_password, secret => true; + 'trustee/project_domain_id': value => $keystone_project_domain_id; + 'trustee/user_domain_id': value => $keystone_user_domain_id; - if $identity_uri { - heat_config { - 'keystone_authtoken/identity_uri': value => $identity_uri; - } - } else { - heat_config { - 'keystone_authtoken/identity_uri': ensure => absent; - } + 'clients_keystone/auth_uri': value => $identity_uri; } if (!is_service_default($enable_stack_adopt)) { 
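Review bot: When `$auth_plugin` is 'password', the legacy `keystone_authtoken/admin_user`, `admin_password` and `admin_tenant_name` keys are no longer managed, so a node that previously ran the default branch keeps the old admin password in heat.conf. The code this hunk removes cleaned up superseded keys with `ensure => absent`, and the new branch should do the same for the credentials it replaces. The reverse switch has the same gap, since `username` and `password` are left behind when falling back to the legacy branch. Also, `$keystone_password` is written to both `keystone_authtoken` and `trustee` without any check that it was set, so with the `false` default the catalog would still compile.

```puppet
    if $auth_plugin == 'password' {
      # … unchanged: keystone_authtoken auth_url/auth_plugin/username/password/domain settings …
      # Purge the credentials superseded by the auth_plugin options.
      heat_config {
        'keystone_authtoken/admin_tenant_name': ensure => absent;
        'keystone_authtoken/admin_user':        ensure => absent;
        'keystone_authtoken/admin_password':    ensure => absent;
      }
    } else {
```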
@@ -471,10 +460,6 @@ class heat( 'DEFAULT/enable_stack_abandon': value => $enable_stack_abandon; 'DEFAULT/enable_stack_adopt': value => $enable_stack_adopt; 'ec2authtoken/auth_uri': value => $keystone_ec2_uri; - 'keystone_authtoken/region_name': value => $region_name; - 'keystone_authtoken/admin_tenant_name': value => $keystone_tenant; - 'keystone_authtoken/admin_user': value => $keystone_user; - 'keystone_authtoken/admin_password': value => $keystone_password, secret => true; 'paste_deploy/flavor': value => $flavor; } diff --git a/releasenotes/notes/versionless-auth-urls-08c741084b9a9040.yaml b/releasenotes/notes/versionless-auth-urls-08c741084b9a9040.yaml new file mode 100644 index 00000000..1e085179 --- /dev/null +++ b/releasenotes/notes/versionless-auth-urls-08c741084b9a9040.yaml @@ -0,0 +1,11 @@ +--- +features: + - Configure "trustee" and "clients_keystone" sections. + Support auth_plugin and versionless auth urls. +upgrade: + - Removed deprecated options "keystone_host", + "keystone_port", "keystone_protocol". +deprecations: + - Deprecated "admin_user", "admin_password" and + "admin_tenant_name" options in favour of auth_plugin + auth method. diff --git a/spec/classes/heat_init_spec.rb b/spec/classes/heat_init_spec.rb index ccb3bc95..6c264de4 100644 --- a/spec/classes/heat_init_spec.rb +++ b/spec/classes/heat_init_spec.rb @@ -16,7 +16,6 @@ describe 'heat' do :rabbit_virtual_host => '', :database_connection => 'mysql+pymysql://user@host/database', :database_idle_timeout => 3600, - :auth_uri => 'http://127.0.0.1:5000/v2.0', :keystone_ec2_uri => 'http://127.0.0.1:5000/v2.0/ec2tokens', :flavor => 'keystone', :keystone_password => 'secretpassword', 
@@ -58,8 +57,7 @@ describe 'heat' do it_configures 'with SSL enabled without kombu' it_configures 'with SSL disabled' it_configures 'with SSL wrongly configured' - it_configures "with custom keystone identity_uri" - it_configures "with custom keystone identity_uri and auth_uri" + it_configures "with auth_plugin" it_configures 'with enable_stack_adopt and enable_stack_abandon set' it_configures 'with notification_driver set to a string' end @@ -89,8 +87,32 @@ describe 'heat' do is_expected.to contain_heat_config('DEFAULT/max_json_body_size').with_value('') end - it 'configures auth_uri' do - is_expected.to contain_heat_config('keystone_authtoken/auth_uri').with_value( params[:auth_uri] ) + it 'configures project_domain_id' do + is_expected.to contain_heat_config('trustee/project_domain_id').with_value( 'Default' ) + end + + it 'configures user_domain_id' do + is_expected.to contain_heat_config('trustee/user_domain_id').with_value( 'Default' ) + end + + it 'configures auth_plugin' do + is_expected.to contain_heat_config('trustee/auth_plugin').with_value( 'password' ) + end + + it 'configures auth_url' do + is_expected.to contain_heat_config('trustee/auth_url').with_value( 'http://127.0.0.1:35357/' ) + end + + it 'configures username' do + is_expected.to contain_heat_config('trustee/username').with_value( 'heat' ) + end + + it 'configures ' do + is_expected.to contain_heat_config('trustee/password').with_secret( true ) + end + + it 'configures auth_uri for clients_keystone' do + is_expected.to contain_heat_config('clients_keystone/auth_uri').with_value( 'http://127.0.0.1:35357/' ) end it 'configures keystone_ec2_uri' do 
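Review bot: The example covering `trustee/password` in the second hunk here is titled `it 'configures '`, so a failure report will not say which setting broke; the "with auth_plugin" shared example in the last hunk has the same empty title. I would rename it to `it 'configures trustee password as a secret' do`. It also only asserts `with_secret( true )`; chaining `.with_value( params[:keystone_password] )` would catch a regression that writes the wrong or an unset password.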
@@ -99,14 +121,11 @@ describe 'heat' do it { is_expected.to contain_heat_config('paste_deploy/flavor').with_value('keystone') } - it 'keeps keystone secrets secret' do - is_expected.to contain_heat_config('keystone_authtoken/admin_password').with_secret(true) - end - it 'configures notification_driver' do is_expected.to contain_heat_config('DEFAULT/notification_driver').with_value('') end + it_configures "with default auth method" end shared_examples_for 'rabbit without HA support (with backward compatibility)' do @@ -304,18 +323,6 @@ describe 'heat' do end end - shared_examples_for 'with auth uri set' do - before do - params.merge!( - :auth_uri => 'http://1.2.3.4:35357/v2.0' - ) - end - - it do - is_expected.to contain_heat_config('keystone_authtoken/auth_uri').with_value('http://1.2.3.4:35357/v2.0') - end - end - shared_examples_for 'with region_name set' do before do params.merge!( 
@@ -325,41 +332,52 @@ describe 'heat' do it 'has region_name set when specified' do is_expected.to contain_heat_config('DEFAULT/region_name_for_services').with_value('East') - is_expected.to contain_heat_config('keystone_authtoken/region_name').with_value('East') end end shared_examples_for 'without region_name set' do it 'doesnt have region_name set by default' do is_expected.to contain_heat_config('DEFAULT/region_name_for_services').with_value('') - is_expected.to contain_heat_config('keystone_authtoken/region_name').with_value('') end end - shared_examples_for "with custom keystone identity_uri" do - before do - params.merge!({ - :identity_uri => 'https://foo.bar:1234/', - }) - end - it 'configures identity_uri' do - is_expected.to contain_heat_config('keystone_authtoken/identity_uri').with_value("https://foo.bar:1234/"); + shared_examples_for "with default auth method" do + it 'configures auth_uri, identity_uri, admin_tenant_name, admin_user, admin_password' do + is_expected.to contain_heat_config('keystone_authtoken/auth_uri').with_value("http://127.0.0.1:5000/") + is_expected.to contain_heat_config('keystone_authtoken/identity_uri').with_value("http://127.0.0.1:35357/") + is_expected.to contain_heat_config('keystone_authtoken/admin_tenant_name').with_value("services") + is_expected.to contain_heat_config('keystone_authtoken/admin_user').with_value("heat") + is_expected.to contain_heat_config('keystone_authtoken/admin_password').with_secret( true ) end end - shared_examples_for "with custom keystone identity_uri and auth_uri" do + shared_examples_for "with auth_plugin" do before do params.merge!({ - :identity_uri => 'https://foo.bar:35357/', - :auth_uri => 'https://foo.bar:5000/v2.0/', + :auth_plugin => 'password', }) end - it 'configures identity_uri and auth_uri but deprecates old auth settings' do - is_expected.to contain_heat_config('keystone_authtoken/identity_uri').with_value("https://foo.bar:35357/"); - is_expected.to 
contain_heat_config('keystone_authtoken/auth_uri').with_value("https://foo.bar:5000/v2.0/"); - is_expected.to contain_heat_config('keystone_authtoken/auth_port').with(:ensure => 'absent') - is_expected.to contain_heat_config('keystone_authtoken/auth_protocol').with(:ensure => 'absent') - is_expected.to contain_heat_config('keystone_authtoken/auth_host').with(:ensure => 'absent') + it 'configures ' do + is_expected.to contain_heat_config('keystone_authtoken/auth_plugin').with_value("password") + is_expected.to contain_heat_config('keystone_authtoken/auth_url').with_value("http://127.0.0.1:35357/") + is_expected.to contain_heat_config('keystone_authtoken/username').with_value("heat") + is_expected.to contain_heat_config('keystone_authtoken/password').with_secret( true ) + is_expected.to contain_heat_config('keystone_authtoken/project_name').with_value("services") + is_expected.to contain_heat_config('keystone_authtoken/user_domain_id').with_value('Default') + is_expected.to contain_heat_config('keystone_authtoken/project_domain_id').with_value('Default') + end + end + + shared_examples_for "with custom keystone project_domain_id and user_domain_id" do + before do + params.merge!({ + :keystone_project_domain_id => 'domain1', + :keystone_user_domain_id => 'domain1', + }) + end + it 'configures project_domain_id and user_domain_id' do + is_expected.to contain_heat_config('trustee/project_domain_id').with_value("domain1"); + is_expected.to contain_heat_config('trustee/user_domain_id').with_value("domain1"); end end
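Review bot: The shared example "with custom keystone project_domain_id and user_domain_id" is defined at the end of this hunk, but no `it_configures` line in the visible hunks references it, so the domain override path appears to be untested. Adding `it_configures "with custom keystone project_domain_id and user_domain_id"` next to `it_configures "with auth_plugin"` would run it. The manifest's `fail()` branch for an unsupported `auth_plugin` also has no example here; one that sets a different plugin value and expects a Puppet::Error would pin that behaviour.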