Update keystone to 6b0e35989aa380fc5c2c363de9d8512086f0c260

6b0e35989aa380fc5c2c363de9d8512086f0c260 Merge "Add a package ensure for openstackclient"
c910654949b3594d2b7fbb87e0e4dac2f6ff6ef8 Merge "Add admin_workers and public_workers configuration options"
3a5fb6a6f9a62ceacd67caa589f7ffbbe578524c Add a package ensure for openstackclient
b52930b912c60ff3fbeda49514bf6a0b670e211f Fix README endpoint example
dadf82220b33bbae20eec5ff06f6285d6229f592 Add support for LDAP connection pools
31190c46716322f240dba4b5fc417ffe4e3cf0b0 Add admin_workers and public_workers configuration options
d4237bba94c656e462a0fd6fefa7e56637b58c30 Merge "Rename resource instance variable"
d336c2eaa20f9bd984e475745d78ba4dc97e82a7 Merge "Tag packages with 'openstack'"
224b3ee8df17494689ac7b554f2d5194e17e46d3 Merge "Implement caching lookup for keystone_user_role"
349d0844547adb0d668906b831c09384ba1d951f Merge "Shorten HTTP request timeout length"
2287a350c731444f07f82ca6854ee9616c2de190 Rename resource instance variable
011aeb0d3e7da8ad81becf054a665ac488395510 Tag packages with 'openstack'
6d4f7640fbfe63cf50e3944d0072637237533229 Implement caching lookup for keystone_user_role
eb4f43e25cc40160980bf1fc45a48e1abe147d65 Shorten HTTP request timeout length

Signed-off-by: Gael Chamoulaud <[email protected]>

Puppetfile

@@ -71,7 +71,7 @@ mod 'ironic',
   :git => 'https://github.com/stackforge/puppet-ironic.git'
 
 mod 'keystone',
-  :commit => '36e4c8861803c7b698a3f36612fffeb1614646d1',
+  :commit => '6b0e35989aa380fc5c2c363de9d8512086f0c260',
   :git => 'https://github.com/stackforge/puppet-keystone.git'
 
 mod 'manila',

keystone/README.md

@@ -59,10 +59,10 @@ class { 'keystone::roles::admin':
 
 # Installs the service user endpoint.
 class { 'keystone::endpoint':
-  public_address   => '10.16.0.101',
-  admin_address    => '10.16.1.101',
-  internal_address => '10.16.2.101',
-  region           => 'example-1',
+  public_url   => 'http://10.16.0.101:5000/v2.0',
+  admin_url    => 'http://10.16.1.101:35357/v2.0',
+  internal_url => 'http://10.16.2.101:5000/v2.0',
+  region       => 'example-1',
 }
 ```
 

keystone/examples/ldap_full.pp

@@ -28,7 +28,7 @@
   user_allow_create           => 'False',
   user_allow_update           => 'False',
   user_allow_delete           => 'False',
-  user_enabled_emulation      =>  'True',
+  user_enabled_emulation      => 'True',
   user_enabled_emulation_dn   => 'cn=openstack-enabled,cn=groups,cn=accounts,dc=example,dc=com',
   group_tree_dn               => 'ou=groups,ou=openstack,dc=example,dc=com',
   group_objectclass           => 'organizationalRole',
@@ -56,11 +56,17 @@
   role_name_attribute         => 'cn',
   role_member_attribute       => 'roleOccupant',
   role_allow_create           => 'True',
-  role_allow_update           =>   'True',
+  role_allow_update           => 'True',
   role_allow_delete           => 'True',
   identity_driver             => 'keystone.identity.backends.ldap.Identity',
   assignment_driver           => 'keystone.assignment.backends.ldap.Assignment',
   use_tls                     => 'True',
   tls_cacertfile              => '/etc/ssl/certs/ca-certificates.crt',
   tls_req_cert                => 'demand',
+  use_pool                    => 'True',
+  use_auth_pool               => 'True',
+  pool_size                   => 5,
+  auth_pool_size              => 5,
+  pool_retry_max              => 3,
+  pool_connection_timeout     => 120,
 }

keystone/lib/puppet/provider/keystone_endpoint/openstack.rb

@@ -108,7 +108,7 @@ def instances
   end
 
   def instance(name)
-    @instances ||= instances.select { |instance| instance[:name] == name }.first || {}
+    @instance ||= instances.select { |instance| instance[:name] == name }.first || {}
   end
 
   def flush

keystone/lib/puppet/provider/keystone_role/openstack.rb

@@ -46,7 +46,7 @@ def instances
   end
 
   def instance(name)
-    @instances ||= instances.select { |instance| instance[:name] == name }.first || {}
+    @instance ||= instances.select { |instance| instance[:name] == name }.first || {}
   end
 
 end

keystone/lib/puppet/provider/keystone_service/openstack.rb

@@ -82,7 +82,7 @@ def instances
   end
 
   def instance(name)
-    @instances ||= instances.select { |instance| instance[:name] == name }.first || {}
+    @instance ||= instances.select { |instance| instance[:name] == name }.first || {}
   end
 
   def flush

keystone/lib/puppet/provider/keystone_tenant/openstack.rb

@@ -83,7 +83,7 @@ def instances
   end
 
   def instance(name)
-    @instances ||= instances.select { |instance| instance[:name] == name }.first || {}
+    @instance ||= instances.select { |instance| instance[:name] == name }.first || {}
   end
 
   def flush

keystone/lib/puppet/provider/keystone_user/openstack.rb

@@ -195,7 +195,7 @@ def instances
   end
 
   def instance(name)
-    @instances ||= instances.select { |instance| instance[:name] == name }.first || {}
+    @instance ||= instances.select { |instance| instance[:name] == name }.first || {}
   end
 
   def set_project(newproject)

keystone/lib/puppet/provider/keystone_user_role/openstack.rb

@@ -7,11 +7,6 @@
 
   desc "Provider to manage keystone role assignments to users."
 
-  def initialize(value={})
-    super(value)
-    @property_flush = {}
-  end
-
   def create
     properties = []
     properties << '--project' << get_project
@@ -24,23 +19,46 @@ def create
   end
 
   def exists?
-    ! instance(resource[:name]).empty?
+    # If we just ran self.instances, no need to make the request again
+    # instance() will find it cached in @user_role_hash
+    if self.class.user_role_hash
+      return ! instance(resource[:name]).empty?
+    # If we don't have the hash ready, we don't need to rebuild the
+    # whole thing just to check on one particular user/role
+    else
+      roles = request('user role', 'list', nil, resource[:auth], ['--project', get_project, get_user])
+      # Since requesting every combination of users, roles, and
+      # projects is so expensive, construct the property hash here
+      # instead of in self.instances so it can be used in the role
+      # and destroy methods
+      @property_hash[:name] = resource[:name]
+      if roles.empty?
+        @property_hash[:ensure] = :absent
+      else
+        @property_hash[:ensure] = :present
+        @property_hash[:roles]  = roles.collect do |role|
+          role[:name]
+        end
+      end
+      return @property_hash[:ensure] == :present
+    end
   end
 
   def destroy
     properties = []
     properties << '--project' << get_project
     properties << '--user' << get_user
-    if resource[:roles]
-      resource[:roles].each do |role|
+    if @property_hash[:roles]
+      @property_hash[:roles].each do |role|
         request('role', 'remove', role, resource[:auth], properties)
       end
     end
+    @property_hash[:ensure] = :absent
   end
 
 
   def roles
-    instance(resource[:name])[:roles]
+    @property_hash[:roles]
   end
 
   def roles=(value)
@@ -70,18 +88,8 @@ def self.instances
     end
   end
 
-  def instances
-    instances = build_user_role_hash
-    instances.collect do |title, roles|
-      {
-        :name  => title,
-        :roles => roles
-      }
-    end
-  end
-
   def instance(name)
-    @instances ||= instances.select { |instance| instance[:name] == name }.first || {}
+    self.class.user_role_hash.select { |role_name, roles| role_name == name } || {}
   end
 
   private
@@ -120,24 +128,19 @@ def self.get_users(project)
     end
   end
 
-  def build_user_role_hash
-    hash = {}
-    projects = get_projects
-    projects.each do |project|
-      users = get_users(project)
-      users.each do |user|
-        user_roles = request('user role', 'list', nil, resource[:auth], ['--project', project, user])
-        user_roles.each do |role|
-          hash["#{user}@#{project}"] ||= []
-          hash["#{user}@#{project}"] << role[:name]
-        end
-      end
-    end
-    hash
+  # Class methods for caching user_role_hash so both class and instance
+  # methods can access the value
+  def self.set_user_role_hash(user_role_hash)
+    @user_role_hash = user_role_hash
+  end
+
+  def self.user_role_hash
+    @user_role_hash
   end
 
   def self.build_user_role_hash
-    hash = {}
+    hash = user_role_hash || {}
+    return hash unless hash.empty?
     projects = get_projects
     projects.each do |project|
       users = get_users(project)
@@ -149,6 +152,7 @@ def self.build_user_role_hash
         end
       end
     end
+    set_user_role_hash(hash)
     hash
   end
 

keystone/lib/puppet/provider/openstack.rb

@@ -46,7 +46,7 @@ def self.request(service, action, object, *properties)
   # with underscores instead of spaces
   def self.authenticate_request(service, action, *args)
     rv = nil
-    timeout = 120
+    timeout = 10
     end_time = Time.now.to_i + timeout
     loop do
       begin

keystone/manifests/client.pp

@@ -13,5 +13,6 @@
 
   package { 'python-keystoneclient':
     ensure => $ensure,
+    tag    => 'openstack',
   }
 }

keystone/manifests/init.pp

@@ -5,6 +5,8 @@
 #
 #   [package_ensure] Desired ensure state of packages. Optional. Defaults to present.
 #     accepts latest or specific versions.
+#   [client_package_ensure] Desired ensure state of the client package. Optional. Defaults to present.
+#     accepts latest or specific versions.
 #   [bind_host] Host that keystone binds to.
 #   [bind_port] Port that keystone binds to.
 #   [public_port]
@@ -248,6 +250,14 @@
 #     (optional) maximum allowable Keystone token size
 #     Defaults to undef
 #
+#   [*admin_workers*]
+#     (optional) The number of worker processes to serve the admin WSGI application.
+#     Defaults to max($::processorcount, 2)
+#
+#   [*public_workers*]
+#     (optional) The number of worker processes to serve the public WSGI application.
+#     Defaults to max($::processorcount, 2)
+#
 # == Dependencies
 #  None
 #
@@ -280,6 +290,7 @@
 class keystone(
   $admin_token,
   $package_ensure         = 'present',
+  $client_package_ensure  = 'present',
   $bind_host              = false,
   $public_bind_host       = '0.0.0.0',
   $admin_bind_host        = '0.0.0.0',
@@ -344,6 +355,8 @@
   $service_provider       = $::keystone::params::service_provider,
   $service_name           = 'keystone',
   $max_token_size         = undef,
+  $admin_workers          = max($::processorcount, 2),
+  $public_workers         = max($::processorcount, 2),
   # DEPRECATED PARAMETERS
   $mysql_module           = undef,
 ) inherits keystone::params {
@@ -384,10 +397,12 @@
   package { 'keystone':
     ensure => $package_ensure,
     name   => $::keystone::params::package_name,
+    tag    => 'openstack',
   }
   # TODO: Move this to openstacklib::openstackclient in Kilo
   package { 'python-openstackclient':
-    ensure => present,
+    ensure => $client_package_ensure,
+    tag    => 'openstack',
   }
 
   group { 'keystone':
@@ -633,6 +648,11 @@
     }
   }
 
+  keystone_config {
+    'DEFAULT/admin_workers':  value => $admin_workers;
+    'DEFAULT/public_workers': value => $public_workers;
+  }
+
   if $enabled {
     $service_ensure = 'running'
   } else {

keystone/manifests/ldap.pp

@@ -99,6 +99,15 @@
   $tls_req_cert                        = undef,
   $identity_driver                     = undef,
   $assignment_driver                   = undef,
+  $use_pool                            = false,
+  $pool_size                           = 10,
+  $pool_retry_max                      = 3,
+  $pool_retry_delay                    = 0.1,
+  $pool_connection_timeout             = -1,
+  $pool_connection_lifetime            = 600,
+  $use_auth_pool                       = false,
+  $auth_pool_size                      = 100,
+  $auth_pool_connection_lifetime       = 60,
 ) {
 
   # In Juno the term "tenant" was deprecated in the config in favor of "project"
@@ -373,6 +382,15 @@
     'ldap/tls_cacertdir':                        value => $tls_cacertdir;
     'ldap/tls_cacertfile':                       value => $tls_cacertfile;
     'ldap/tls_req_cert':                         value => $tls_req_cert;
+    'ldap/use_pool':                             value => $use_pool;
+    'ldap/pool_size':                            value => $pool_size;
+    'ldap/pool_retry_max':                       value => $pool_retry_max;
+    'ldap/pool_retry_delay':                     value => $pool_retry_delay;
+    'ldap/pool_connection_timeout':              value => $pool_connection_timeout;
+    'ldap/pool_connection_lifetime':             value => $pool_connection_lifetime;
+    'ldap/use_auth_pool':                        value => $use_auth_pool;
+    'ldap/auth_pool_size':                       value => $auth_pool_size;
+    'ldap/auth_pool_connection_lifetime':        value => $auth_pool_connection_lifetime;
     'identity/driver':                           value => $identity_driver;
     'assignment/driver':                         value => $assignment_driver;
   }

keystone/spec/classes/keystone_client_spec.rb

@@ -3,14 +3,20 @@
 describe 'keystone::client' do
 
   describe "with default parameters" do
-    it { should contain_package('python-keystoneclient').with_ensure('present') }
+    it { should contain_package('python-keystoneclient').with(
+        'ensure' => 'present',
+        'tag'    => 'openstack'
+    ) }
   end
 
   describe "with specified version" do
     let :params do
       {:ensure => '2013.1'}
     end
 
-    it { should contain_package('python-keystoneclient').with_ensure('2013.1') }
+    it { should contain_package('python-keystoneclient').with(
+        'ensure' => '2013.1',
+        'tag'    => 'openstack'
+    ) }
   end
 end