From 98a8f7688e83200aa6350d25d46a108467b02aa2 Mon Sep 17 00:00:00 2001 From: Ivan Chavero Date: Fri, 12 Dec 2014 15:06:11 -0700 Subject: [PATCH] Automatic update This module update commit was generated by Bade. For more info please check https://github.com/paramite/bade This commit is setting modules to following state: keystone - old commit: e61e4c2ab5c67150237e59dab25679ec739d3ebf - new commit: bab7304c88a065aa3f4d3a970d82abdb65cb9169 Needed for this patch: https://review.openstack.org/#/c/136415 --- Puppetfile | 3 +- keystone/Modulefile | 2 +- keystone/README.md | 16 +- .../puppet/provider/keystone_user/keystone.rb | 2 +- keystone/manifests/init.pp | 126 +++++-- keystone/manifests/logging.pp | 208 +++++++++++ keystone/manifests/params.pp | 5 +- keystone/manifests/roles/admin.pp | 14 +- keystone/manifests/wsgi/apache.pp | 71 ++-- .../spec/classes/keystone_logging_spec.rb | 107 ++++++ .../spec/classes/keystone_roles_admin_spec.rb | 16 +- keystone/spec/classes/keystone_spec.rb | 329 ++++++++++-------- .../spec/classes/keystone_wsgi_apache_spec.rb | 58 ++- 13 files changed, 707 insertions(+), 250 deletions(-) create mode 100644 keystone/manifests/logging.pp create mode 100644 keystone/spec/classes/keystone_logging_spec.rb diff --git a/Puppetfile b/Puppetfile index 6fb3f316c..b00052155 100644 --- a/Puppetfile +++ b/Puppetfile @@ -55,7 +55,7 @@ mod 'inifile', :git => 'https://github.com/puppetlabs/puppetlabs-inifile.git' mod 'keystone', - :commit => 'e61e4c2ab5c67150237e59dab25679ec739d3ebf', + :commit => 'bab7304c88a065aa3f4d3a970d82abdb65cb9169', :git => 'https://github.com/stackforge/puppet-keystone.git' mod 'memcached', @@ -157,3 +157,4 @@ mod 'vswitch', mod 'xinetd', :commit => '6b02de8d4f30a819eb404048e4258e3a5e8023c8', :git => 'https://github.com/puppetlabs/puppetlabs-xinetd.git' + diff --git a/keystone/Modulefile b/keystone/Modulefile index a520e7d3c..c17b1a418 100644 --- a/keystone/Modulefile +++ b/keystone/Modulefile 
@@ -1,5 +1,5 @@ name 'puppetlabs-keystone' -version '4.0.0' +version '4.2.0' source 'https://github.com/stackforge/puppet-keystone' author 'Puppet Labs' license 'Apache License 2.0' diff --git a/keystone/README.md b/keystone/README.md index eb35f4cac..c8645e8e6 100644 --- a/keystone/README.md +++ b/keystone/README.md @@ -1,7 +1,7 @@ keystone ======= -4.0.0 - 2014.1.0 - Icehouse +4.2.0 - 2014.1.0 - Icehouse #### Table of Contents @@ -165,6 +165,20 @@ Contributors Release Notes ------------- +**4.2.0** + +* Added class for extended logging options +* Fixed rabbit password leaking +* Added parameters to set tenant descriptions +* Fixed keystone user authorization error handling + +**4.1.0** + +* Added token flushing with cron. +* Updated database api for consistency with other projects. +* Fixed admin_token with secret parameter. +* Fixed deprecated catalog driver. + **4.0.0** * Stable Icehouse release. diff --git a/keystone/lib/puppet/provider/keystone_user/keystone.rb b/keystone/lib/puppet/provider/keystone_user/keystone.rb index 07842d0af..a2da28ff2 100644 --- a/keystone/lib/puppet/provider/keystone_user/keystone.rb +++ b/keystone/lib/puppet/provider/keystone_user/keystone.rb @@ -88,7 +88,7 @@ def password begin token_out = creds_keystone(resource[:name], resource[:tenant], resource[:password], "token-get") rescue Exception => e - return nil if e.message =~ /Not Authorized/ + return nil if e.message =~ /Not Authorized/ or e.message =~ /HTTP 401/ raise e end return resource[:password] diff --git a/keystone/manifests/init.pp b/keystone/manifests/init.pp index 87cd61393..04cd50f9f 100644 --- a/keystone/manifests/init.pp +++ b/keystone/manifests/init.pp 
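Review bot: The added condition in `password` still decides the outcome by matching the exception's message text, and it joins the two matches with `or` inside a `rescue Exception` (visible as context). A single pattern with no low-precedence operator next to the `return ... if` modifier is easier to read: `return nil if e.message =~ /Not Authorized|HTTP 401/`. Rescuing `StandardError` instead of `Exception` would also keep this credential check from catching interrupts and exits before re-raising them. That last point is hedged, because the rest of `password` and `creds_keystone` are outside the hunk.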
@@ -39,8 +39,21 @@ # [memcache_servers] List of memcache servers/ports. Optional. Used with # token_driver keystone.token.backends.memcache.Token. Defaults to false. # [enabled] If the keystone services should be enabled. Optional. Default to true. -# [sql_connection] Url used to connect to database. -# [idle_timeout] Timeout when db connections should be reaped. +# +# [*database_connection*] +# (optional) Url used to connect to database. +# Defaults to sqlite:////var/lib/keystone/keystone.db +# +# [*sql_connection*] +# (optional) Deprecated. Use database_connection instead. +# +# [*database_idle_timeout*] +# (optional) Timeout when db connections should be reaped. +# Defaults to 200. +# +# [*idle_timeout*] +# (optional) Deprecated. Use database_idle_timeout instead. +# # [enable_pki_setup] Enable call to pki_setup. # [rabbit_host] Location of rabbitmq installation. Optional. Defaults to localhost. # [rabbit_port] Port for rabbitmq instance. Optional. Defaults to 5672. @@ -118,6 +131,22 @@ # Tested versions include 0.9 and 2.2 # Default to '0.9' # +# [*service_name*] +# (optional) Name of the service that will be providing the +# server functionality of keystone. For example, the default +# is just 'keystone', which means keystone will be run as a +# standalone eventlet service, and will able to be managed +# separately by the operating system's service manager. For +# example, you will be able to use +# service openstack-keystone restart +# to restart the service. +# If the value is 'httpd', this means keystone will be a web +# service, and you must use another class to configure that +# web service. For example, after calling class {'keystone'...} +# use class { 'keystone::wsgi::apache'...} to make keystone be +# a web app using apache mod_wsgi. +# Defaults to 'keystone' +# # == Dependencies # None # 
@@ -128,6 +157,17 @@ # admin_token => 'my_special_token', # } # +# OR +# +# class { 'keystone': +# ... +# service_name => 'httpd', +# ... +# } +# class { 'keystone::wsgi::apache': +# ... +# } +# # == Authors # # Dan Bode dan@puppetlabs.com @@ -169,8 +209,8 @@ $cache_dir = '/var/cache/keystone', $memcache_servers = false, $enabled = true, - $sql_connection = 'sqlite:////var/lib/keystone/keystone.db', - $idle_timeout = '200', + $database_connection = 'sqlite:////var/lib/keystone/keystone.db', + $database_idle_timeout = '200', $enable_pki_setup = true, $mysql_module = '0.9', $rabbit_host = 'localhost', 
@@ -181,27 +221,36 @@ $rabbit_virtual_host = '/', $notification_driver = false, $notification_topics = false, - $control_exchange = false + $control_exchange = false, + $service_name = 'keystone', + # DEPRECATED PARAMETERS + $sql_connection = undef, + $idle_timeout = undef, ) { if ! $catalog_driver { validate_re($catalog_type, 'template|sql') } - File['/etc/keystone/keystone.conf'] -> Keystone_config<||> ~> Service['keystone'] - Keystone_config<||> ~> Exec<| title == 'keystone-manage db_sync'|> - Keystone_config<||> ~> Exec<| title == 'keystone-manage pki_setup'|> - - include keystone::params + if $sql_connection { + warning('The sql_connection parameter is deprecated, use database_connection instead.') + $database_connection_real = $sql_connection + } else { + $database_connection_real = $database_connection + } - File { - ensure => present, - owner => 'keystone', - group => 'keystone', - require => Package['keystone'], - notify => Service['keystone'], + if $idle_timeout { + warning('The idle_timeout parameter is deprecated, use database_idle_timeout instead.') + $database_idle_timeout_real = $idle_timeout + } else { + $database_idle_timeout_real = $database_idle_timeout } + File['/etc/keystone/keystone.conf'] -> Keystone_config<||> ~> Service[$service_name] + Keystone_config<||> ~> Exec<| title == 'keystone-manage db_sync'|> + Keystone_config<||> ~> Exec<| title == 'keystone-manage pki_setup'|> + include ::keystone::params + package { 'keystone': ensure => $package_ensure, name => $::keystone::params::package_name, @@ -223,10 +272,19 @@ file { ['/etc/keystone', '/var/log/keystone', '/var/lib/keystone']: ensure => directory, mode => '0750', + owner => 'keystone', + group => 'keystone', + require => Package['keystone'], + notify => Service[$service_name], } file { '/etc/keystone/keystone.conf': + ensure => present, mode => '0600', + owner => 'keystone', + group => 'keystone', + require => Package['keystone'], + notify => Service[$service_name], } if $bind_host { 
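Review bot: Removing the class-level `File { ... }` defaults leaves only the two `file` resources edited in the following hunk with explicit `owner`, `group`, `require` and `notify`. Any other `file` resource in this class body that lies outside the visible hunks would lose its keystone ownership and its ordering after `Package['keystone']`. Please check the remaining `file` declarations in `init.pp` (for example anything under the cache or SSL directories, if present) and give them the same explicit `owner => 'keystone', group => 'keystone'`. A short comment explaining that the defaults were dropped to stop them applying outside this class would help the next reader, if that was the motive.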
@@ -292,19 +350,19 @@ } } - if($sql_connection =~ /mysql:\/\/\S+:\S+@\S+\/\S+/) { + if($database_connection_real =~ /mysql:\/\/\S+:\S+@\S+\/\S+/) { if ($mysql_module >= 2.2) { require 'mysql::bindings' require 'mysql::bindings::python' } else { require 'mysql::python' } - } elsif($sql_connection =~ /postgresql:\/\/\S+:\S+@\S+\/\S+/) { + } elsif($database_connection_real =~ /postgresql:\/\/\S+:\S+@\S+\/\S+/) { - } elsif($sql_connection =~ /sqlite:\/\//) { + } elsif($database_connection_real =~ /sqlite:\/\//) { } else { - fail("Invalid db connection ${sql_connection}") + fail("Invalid db connection ${database_connection_real}") } # memcache connection config @@ -321,8 +379,8 @@ # db connection config keystone_config { - 'database/connection': value => $sql_connection, secret => true; - 'database/idle_timeout': value => $idle_timeout; + 'database/connection': value => $database_connection_real, secret => true; + 'database/idle_timeout': value => $database_idle_timeout_real; } # configure based on the catalog backend @@ -360,7 +418,7 @@ user => 'keystone', refreshonly => true, creates => '/etc/keystone/ssl/private/signing_key.pem', - notify => Service['keystone'], + notify => Service[$service_name], subscribe => Package['keystone'], require => User['keystone'], } @@ -388,7 +446,7 @@ } keystone_config { - 'DEFAULT/rabbit_password': value => $rabbit_password; + 'DEFAULT/rabbit_password': value => $rabbit_password, secret => true; 'DEFAULT/rabbit_userid': value => $rabbit_userid; 'DEFAULT/rabbit_virtual_host': value => $rabbit_virtual_host; } 
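Review bot: `fail("Invalid db connection ${database_connection_real}")` puts the whole connection URL into the failure message. A malformed URL that still contains a password would therefore appear in agent output and reports, even though the same value is written with `secret => true` in the next hunk. Suggest leaving the value out: `fail('Invalid database_connection: expected a mysql://, postgresql:// or sqlite:// URL')`. The three patterns are also unanchored, so `sqlite:\/\/` matches anywhere in the string; starting each with `^` would tighten the check.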
@@ -409,18 +467,20 @@ $service_ensure = 'stopped' } - service { 'keystone': - ensure => $service_ensure, - name => $::keystone::params::service_name, - enable => $enabled, - hasstatus => true, - hasrestart => true, - provider => $::keystone::params::service_provider, + if $service_name == 'keystone' { + service { 'keystone': + ensure => $service_ensure, + name => $::keystone::params::service_name, + enable => $enabled, + hasstatus => true, + hasrestart => true, + provider => $::keystone::params::service_provider, + } } if $enabled { - include keystone::db::sync - Class['keystone::db::sync'] ~> Service['keystone'] + include ::keystone::db::sync + Class['::keystone::db::sync'] ~> Service[$service_name] } # Syslog configuration diff --git a/keystone/manifests/logging.pp b/keystone/manifests/logging.pp new file mode 100644 index 000000000..aa355c88d --- /dev/null +++ b/keystone/manifests/logging.pp 
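Review bot: `$service_name` is used unvalidated in the `Service[$service_name]` references in this hunk and the earlier ones, while the service resource itself is declared only when the value is `'keystone'`. With any other value the catalog depends on some other class declaring a matching service, and a typo only shows up as a missing-resource error that does not name the parameter. A check next to the existing `validate_re($catalog_type, ...)` would fail early: `validate_re($service_name, '^(keystone|httpd)$')`. This assumes those are the only two supported values, as the new parameter documentation suggests.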
@@ -0,0 +1,208 @@ +# Class keystone::logging +# +# keystone extended logging configuration +# +# == parameters +# +# [*logging_context_format_string*] +# (optional) Format string to use for log messages with context. +# Defaults to undef. +# Example: '%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s\ +# [%(request_id)s %(user_identity)s] %(instance)s%(message)s' +# +# [*logging_default_format_string*] +# (optional) Format string to use for log messages without context. +# Defaults to undef. +# Example: '%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s\ +# [-] %(instance)s%(message)s' +# +# [*logging_debug_format_suffix*] +# (optional) Formatted data to append to log format when level is DEBUG. +# Defaults to undef. +# Example: '%(funcName)s %(pathname)s:%(lineno)d' +# +# [*logging_exception_prefix*] +# (optional) Prefix each line of exception output with this format. +# Defaults to undef. +# Example: '%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s' +# +# [*log_config_append*] +# The name of an additional logging configuration file. +# Defaults to undef. +# See https://docs.python.org/2/howto/logging.html +# +# [*default_log_levels*] +# (optional) Hash of logger (keys) and level (values) pairs. +# Defaults to undef. +# Example: +# { 'amqp' => 'WARN', 'amqplib' => 'WARN', 'boto' => 'WARN', +# 'qpid' => 'WARN', 'sqlalchemy' => 'WARN', 'suds' => 'INFO', +# 'iso8601' => 'WARN', +# 'requests.packages.urllib3.connectionpool' => 'WARN' } +# +# [*publish_errors*] +# (optional) Publish error events (boolean value). +# Defaults to undef (false if unconfigured). +# +# [*fatal_deprecations*] +# (optional) Make deprecations fatal (boolean value) +# Defaults to undef (false if unconfigured). +# +# [*instance_format*] +# (optional) If an instance is passed with the log message, format it +# like this (string value). +# Defaults to undef. 
+# Example: '[instance: %(uuid)s] ' +# +# [*instance_uuid_format*] +# (optional) If an instance UUID is passed with the log message, format +# it like this (string value). +# Defaults to undef. +# Example: instance_uuid_format='[instance: %(uuid)s] ' + +# [*log_date_format*] +# (optional) Format string for %%(asctime)s in log records. +# Defaults to undef. +# Example: 'Y-%m-%d %H:%M:%S' + +class keystone::logging( + $logging_context_format_string = undef, + $logging_default_format_string = undef, + $logging_debug_format_suffix = undef, + $logging_exception_prefix = undef, + $log_config_append = undef, + $default_log_levels = undef, + $publish_errors = undef, + $fatal_deprecations = undef, + $instance_format = undef, + $instance_uuid_format = undef, + $log_date_format = undef, +) { + + if $logging_context_format_string { + keystone_config { + 'DEFAULT/logging_context_format_string' : + value => $logging_context_format_string; + } + } + else { + keystone_config { + 'DEFAULT/logging_context_format_string' : ensure => absent; + } + } + + if $logging_default_format_string { + keystone_config { + 'DEFAULT/logging_default_format_string' : + value => $logging_default_format_string; + } + } + else { + keystone_config { + 'DEFAULT/logging_default_format_string' : ensure => absent; + } + } + + if $logging_debug_format_suffix { + keystone_config { + 'DEFAULT/logging_debug_format_suffix' : + value => $logging_debug_format_suffix; + } + } + else { + keystone_config { + 'DEFAULT/logging_debug_format_suffix' : ensure => absent; + } + } + + if $logging_exception_prefix { + keystone_config { + 'DEFAULT/logging_exception_prefix' : value => $logging_exception_prefix; + } + } + else { + keystone_config { + 'DEFAULT/logging_exception_prefix' : ensure => absent; + } + } + + if $log_config_append { + keystone_config { + 'DEFAULT/log_config_append' : value => $log_config_append; + } + } + else { + keystone_config { + 'DEFAULT/log_config_append' : ensure => absent; + } + } + + if 
$default_log_levels { + keystone_config { + 'DEFAULT/default_log_levels' : + value => join(sort(join_keys_to_values($default_log_levels, '=')), ','); + } + } + else { + keystone_config { + 'DEFAULT/default_log_levels' : ensure => absent; + } + } + + if $publish_errors { + keystone_config { + 'DEFAULT/publish_errors' : value => $publish_errors; + } + } + else { + keystone_config { + 'DEFAULT/publish_errors' : ensure => absent; + } + } + + if $fatal_deprecations { + keystone_config { + 'DEFAULT/fatal_deprecations' : value => $fatal_deprecations; + } + } + else { + keystone_config { + 'DEFAULT/fatal_deprecations' : ensure => absent; + } + } + + if $instance_format { + keystone_config { + 'DEFAULT/instance_format' : value => $instance_format; + } + } + else { + keystone_config { + 'DEFAULT/instance_format' : ensure => absent; + } + } + + if $instance_uuid_format { + keystone_config { + 'DEFAULT/instance_uuid_format' : value => $instance_uuid_format; + } + } + else { + keystone_config { + 'DEFAULT/instance_uuid_format' : ensure => absent; + } + } + + if $log_date_format { + keystone_config { + 'DEFAULT/log_date_format' : value => $log_date_format; + } + } + else { + keystone_config { + 'DEFAULT/log_date_format' : ensure => absent; + } + } + + +} diff --git a/keystone/manifests/params.pp b/keystone/manifests/params.pp index 8127036ef..720b08135 100644 --- a/keystone/manifests/params.pp +++ b/keystone/manifests/params.pp @@ -15,6 +15,9 @@ $keystone_wsgi_script_source = '/usr/share/keystone/wsgi.py' } default: { + # NOTE: Ubuntu does not currently provide the keystone wsgi script in the + # keystone packages. When Ubuntu does provide the script, change this + # to use the correct path (which I'm assuming will be the same as Debian). $service_provider = 'upstart' $keystone_wsgi_script_source = 'puppet:///modules/keystone/httpd/keystone.py' } 
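Review bot: The header comment of `keystone::logging` has an empty, uncommented line before `[*log_date_format*]`, which ends the documentation block early. That parameter's example `'Y-%m-%d %H:%M:%S'` is also missing the leading `%`; the spec uses `'%Y-%m-%d %H:%M:%S'`. Replace the empty line with `#` and correct the example, and mark `log_config_append` as `(optional)` like the other parameters. Each setting is guarded by a plain truthiness test such as `if $publish_errors`, so an explicit `false` removes the key rather than writing `false`. A one-line comment, `# false and undef both remove the setting; keystone's own default then applies`, would make that intent clear.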
@@ -25,7 +28,7 @@ $service_name = 'openstack-keystone' $keystone_wsgi_script_path = '/var/www/cgi-bin/keystone' $service_provider = undef - $keystone_wsgi_script_source = 'puppet:///modules/keystone/httpd/keystone.py' + $keystone_wsgi_script_source = '/usr/share/keystone/keystone.wsgi' } } } diff --git a/keystone/manifests/roles/admin.pp b/keystone/manifests/roles/admin.pp index eed03c74a..4dc8b783b 100644 --- a/keystone/manifests/roles/admin.pp +++ b/keystone/manifests/roles/admin.pp @@ -15,6 +15,8 @@ # [password] The admin password. Required. # [admin_tenant] The name of the tenant to be used for admin privileges. Optional. Defaults to openstack. # [admin] Admin user. Optional. Defaults to admin. +# [admin_tenant_desc] Optional. Description for admin tenant, defaults to 'admin tenant' +# [service_tenant_desc] Optional. Description for admin tenant, defaults to 'Tenant for the openstack services' # # == Dependencies # == Examples @@ -29,20 +31,22 @@ class keystone::roles::admin( $email, $password, - $admin = 'admin', - $admin_tenant = 'openstack', - $service_tenant = 'services' + $admin = 'admin', + $admin_tenant = 'openstack', + $service_tenant = 'services', + $admin_tenant_desc = 'admin tenant', + $service_tenant_desc = 'Tenant for the openstack services', ) { keystone_tenant { $service_tenant: ensure => present, enabled => true, - description => 'Tenant for the openstack services', + description => $service_tenant_desc, } keystone_tenant { $admin_tenant: ensure => present, enabled => true, - description => 'admin tenant', + description => $admin_tenant_desc, } keystone_user { $admin: ensure => present, diff --git a/keystone/manifests/wsgi/apache.pp b/keystone/manifests/wsgi/apache.pp index 967b9d540..b2a3b10c3 100644 --- a/keystone/manifests/wsgi/apache.pp +++ b/keystone/manifests/wsgi/apache.pp 
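Review bot: The new documentation line for `service_tenant_desc` in `roles/admin.pp` says "Description for admin tenant", copied from the line above, but the parameter feeds `keystone_tenant { $service_tenant: }`. Suggested wording: `# [service_tenant_desc] Optional. Description for the service tenant, defaults to 'Tenant for the openstack services'`.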
@@ -93,16 +93,19 @@ $ssl_ca = undef, $ssl_crl_path = undef, $ssl_crl = undef, - $ssl_certs_dir = undef + $ssl_certs_dir = undef, + $threads = $::processorcount, + $priority = '10', ) { - include keystone::params + include ::keystone::params include ::apache include ::apache::mod::wsgi - include keystone::db::sync + if $ssl { + include ::apache::mod::ssl + } - Exec <| title == 'keystone-manage pki_setup' |> ~> Service['httpd'] - Exec <| title == 'keystone-manage db_sync' |> ~> Service['httpd'] + Package['keystone'] -> Package['httpd'] Package['keystone'] ~> Service['httpd'] Keystone_config <| |> ~> Service['httpd'] Service['httpd'] -> Keystone_endpoint <| |> @@ -137,7 +140,8 @@ owner => 'keystone', group => 'keystone', mode => '0644', - require => File[$::keystone::params::keystone_wsgi_script_path], + # source file provided by keystone package + require => [File[$::keystone::params::keystone_wsgi_script_path], Package['keystone']], } file { 'keystone_wsgi_main': @@ -147,14 +151,15 @@ owner => 'keystone', group => 'keystone', mode => '0644', - require => File[$::keystone::params::keystone_wsgi_script_path], + # source file provided by keystone package + require => [File[$::keystone::params::keystone_wsgi_script_path], Package['keystone']], } $wsgi_daemon_process_options = { user => 'keystone', group => 'keystone', processes => $workers, - threads => '1' + threads => $threads, } $wsgi_script_aliases_main = hash([$public_path_real,"${::keystone::params::keystone_wsgi_script_path}/main"]) $wsgi_script_aliases_admin = hash([$admin_path_real, "${::keystone::params::keystone_wsgi_script_path}/admin"]) 
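Review bot: With `include keystone::db::sync` and the two `Exec <| ... |> ~> Service['httpd']` relationships removed, this class depends on `keystone` having been declared with `service_name => 'httpd'` for db_sync and pki_setup refreshes to reach Apache. Nothing in the visible hunks checks that. If the base class keeps its default, the standalone service is still managed alongside the vhosts, presumably on the same ports. Consider an explicit guard or at least a header comment, `# Requires class { 'keystone': service_name => 'httpd' }`. The new `$threads` and `$priority` parameters also need entries in the class documentation, which is outside the hunk.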
@@ -165,13 +170,15 @@ $wsgi_script_aliases_main_real = $wsgi_script_aliases_main } - apache::vhost { 'keystone_wsgi_main': + ::apache::vhost { 'keystone_wsgi_main': + ensure => 'present', servername => $servername, ip => $bind_host, port => $public_port, docroot => $::keystone::params::keystone_wsgi_script_path, docroot_owner => 'keystone', docroot_group => 'keystone', + priority => $priority, ssl => $ssl, ssl_cert => $ssl_cert, ssl_key => $ssl_key, 
@@ -180,32 +187,36 @@ ssl_crl_path => $ssl_crl_path, ssl_crl => $ssl_crl, ssl_certs_dir => $ssl_certs_dir, - wsgi_daemon_process => 'keystone', + wsgi_daemon_process => 'keystone_main', wsgi_daemon_process_options => $wsgi_daemon_process_options, - wsgi_process_group => 'keystone', + wsgi_process_group => 'keystone_main', wsgi_script_aliases => $wsgi_script_aliases_main_real, - require => [Class['apache::mod::wsgi'], File['keystone_wsgi_main']], + require => File['keystone_wsgi_main'], } if $public_port != $admin_port { - apache::vhost { 'keystone_wsgi_admin': - servername => $servername, - ip => $bind_host, - port => $admin_port, - docroot => $::keystone::params::keystone_wsgi_script_path, - docroot_owner => 'keystone', - docroot_group => 'keystone', - ssl => $ssl, - ssl_cert => $ssl_cert, - ssl_key => $ssl_key, - ssl_chain => $ssl_chain, - ssl_ca => $ssl_ca, - ssl_crl_path => $ssl_crl_path, - ssl_crl => $ssl_crl, - ssl_certs_dir => $ssl_certs_dir, - wsgi_process_group => 'keystone', - wsgi_script_aliases => $wsgi_script_aliases_admin, - require => [Class['apache::mod::wsgi'], File['keystone_wsgi_admin']], + ::apache::vhost { 'keystone_wsgi_admin': + ensure => 'present', + servername => $servername, + ip => $bind_host, + port => $admin_port, + docroot => $::keystone::params::keystone_wsgi_script_path, + docroot_owner => 'keystone', + docroot_group => 'keystone', + priority => $priority, + ssl => $ssl, + ssl_cert => $ssl_cert, + ssl_key => $ssl_key, + ssl_chain => $ssl_chain, + ssl_ca => $ssl_ca, + ssl_crl_path => $ssl_crl_path, + ssl_crl => $ssl_crl, + ssl_certs_dir => $ssl_certs_dir, + wsgi_daemon_process => 'keystone_admin', + wsgi_daemon_process_options => $wsgi_daemon_process_options, + wsgi_process_group => 'keystone_admin', + wsgi_script_aliases => $wsgi_script_aliases_admin, + require => File['keystone_wsgi_admin'], } } } 
diff --git a/keystone/spec/classes/keystone_logging_spec.rb b/keystone/spec/classes/keystone_logging_spec.rb
new file mode 100644
index 000000000..7ae935201
--- /dev/null
+++ b/keystone/spec/classes/keystone_logging_spec.rb
@@ -0,0 +1,107 @@ +require 'spec_helper' + +describe 'keystone::logging' do + + let :params do + { + } + end + + let :log_params do + { + :logging_context_format_string => '%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s', + :logging_default_format_string => '%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s', + :logging_debug_format_suffix => '%(funcName)s %(pathname)s:%(lineno)d', + :logging_exception_prefix => '%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s', + :log_config_append => '/etc/keystone/logging.conf', + :publish_errors => true, + :default_log_levels => { + 'amqp' => 'WARN', 'amqplib' => 'WARN', 'boto' => 'WARN', + 'qpid' => 'WARN', 'sqlalchemy' => 'WARN', 'suds' => 'INFO', + 'iso8601' => 'WARN', + 'requests.packages.urllib3.connectionpool' => 'WARN' }, + :fatal_deprecations => true, + :instance_format => '[instance: %(uuid)s] ', + :instance_uuid_format => '[instance: %(uuid)s] ', + :log_date_format => '%Y-%m-%d %H:%M:%S', + } + end + + shared_examples_for 'keystone-logging' do + + context 'with extended logging options' do + before { params.merge!( log_params ) } + it_configures 'logging params set' + end + + context 'without extended logging options' do + it_configures 'logging params unset' + end + + end + + shared_examples_for 'logging params set' do + it 'enables logging params' do + should contain_keystone_config('DEFAULT/logging_context_format_string').with_value( + '%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s') + + should contain_keystone_config('DEFAULT/logging_default_format_string').with_value( + '%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s') + + should contain_keystone_config('DEFAULT/logging_debug_format_suffix').with_value( + '%(funcName)s %(pathname)s:%(lineno)d') + + should 
contain_keystone_config('DEFAULT/logging_exception_prefix').with_value( + '%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s') + + should contain_keystone_config('DEFAULT/log_config_append').with_value( + '/etc/keystone/logging.conf') + should contain_keystone_config('DEFAULT/publish_errors').with_value( + true) + + should contain_keystone_config('DEFAULT/default_log_levels').with_value( + 'amqp=WARN,amqplib=WARN,boto=WARN,iso8601=WARN,qpid=WARN,requests.packages.urllib3.connectionpool=WARN,sqlalchemy=WARN,suds=INFO') + + should contain_keystone_config('DEFAULT/fatal_deprecations').with_value( + true) + + should contain_keystone_config('DEFAULT/instance_format').with_value( + '[instance: %(uuid)s] ') + + should contain_keystone_config('DEFAULT/instance_uuid_format').with_value( + '[instance: %(uuid)s] ') + + should contain_keystone_config('DEFAULT/log_date_format').with_value( + '%Y-%m-%d %H:%M:%S') + end + end + + + shared_examples_for 'logging params unset' do + [ :logging_context_format_string, :logging_default_format_string, + :logging_debug_format_suffix, :logging_exception_prefix, + :log_config_append, :publish_errors, + :default_log_levels, :fatal_deprecations, + :instance_format, :instance_uuid_format, + :log_date_format, ].each { |param| + it { should contain_keystone_config("DEFAULT/#{param}").with_ensure('absent') } + } + end + + context 'on Debian platforms' do + let :facts do + { :osfamily => 'Debian' } + end + + it_configures 'keystone-logging' + end + + context 'on RedHat platforms' do + let :facts do + { :osfamily => 'RedHat' } + end + + it_configures 'keystone-logging' + end + +end diff --git a/keystone/spec/classes/keystone_roles_admin_spec.rb b/keystone/spec/classes/keystone_roles_admin_spec.rb index 7605a450d..20667529b 100644 --- a/keystone/spec/classes/keystone_roles_admin_spec.rb +++ b/keystone/spec/classes/keystone_roles_admin_spec.rb 
@@ -42,23 +42,25 @@ let :params do { - :admin => 'admin', - :email => 'foo@baz', - :password => 'foo', - :admin_tenant => 'admin', - :service_tenant => 'foobar' + :admin => 'admin', + :email => 'foo@baz', + :password => 'foo', + :admin_tenant => 'admin', + :service_tenant => 'foobar', + :admin_tenant_desc => 'admin something else', + :service_tenant_desc => 'foobar description', } end it { should contain_keystone_tenant('foobar').with( :ensure => 'present', :enabled => true, - :description => 'Tenant for the openstack services' + :description => 'foobar description' )} it { should contain_keystone_tenant('admin').with( :ensure => 'present', :enabled => true, - :description => 'admin tenant' + :description => 'admin something else' )} it { should contain_keystone_user('admin').with( :ensure => 'present', diff --git a/keystone/spec/classes/keystone_spec.rb b/keystone/spec/classes/keystone_spec.rb index 178f4fd6a..2e4d6be74 100644 --- a/keystone/spec/classes/keystone_spec.rb +++ b/keystone/spec/classes/keystone_spec.rb 
@@ -2,109 +2,182 @@ describe 'keystone' do + let :global_facts do + { + :processorcount => 42, + :concat_basedir => '/var/lib/puppet/concat', + :fqdn => 'some.host.tld' + } + end + let :facts do - {:osfamily => 'Debian'} + global_facts.merge({ + :osfamily => 'Debian', + :operatingsystem => 'Debian', + :operatingsystemrelease => '7.0' + }) end - let :default_params do - { - 'package_ensure' => 'present', - 'public_bind_host' => '0.0.0.0', - 'admin_bind_host' => '0.0.0.0', - 'public_port' => '5000', - 'admin_port' => '35357', - 'admin_token' => 'service_token', - 'compute_port' => '8774', - 'verbose' => false, - 'debug' => false, - 'catalog_type' => 'sql', - 'catalog_driver' => false, - 'token_provider' => 'keystone.token.providers.pki.Provider', - 'token_driver' => 'keystone.token.backends.sql.Token', - 'cache_dir' => '/var/cache/keystone', - 'enable_ssl' => false, - 'ssl_certfile' => '/etc/keystone/ssl/certs/keystone.pem', - 'ssl_keyfile' => '/etc/keystone/ssl/private/keystonekey.pem', - 'ssl_ca_certs' => '/etc/keystone/ssl/certs/ca.pem', - 'ssl_ca_key' => '/etc/keystone/ssl/private/cakey.pem', - 'ssl_cert_subject' => '/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost', - 'enabled' => true, - 'sql_connection' => 'sqlite:////var/lib/keystone/keystone.db', - 'idle_timeout' => '200', - 'mysql_module' => '0.9', - 'rabbit_host' => 'localhost', - 'rabbit_password' => 'guest', - 'rabbit_userid' => 'guest', + default_params = { + 'admin_token' => 'service_token', + 'package_ensure' => 'present', + 'public_bind_host' => '0.0.0.0', + 'admin_bind_host' => '0.0.0.0', + 'public_port' => '5000', + 'admin_port' => '35357', + 'admin_token' => 'service_token', + 'compute_port' => '8774', + 'verbose' => false, + 'debug' => false, + 'catalog_type' => 'sql', + 'catalog_driver' => false, + 'token_provider' => 'keystone.token.providers.pki.Provider', + 'token_driver' => 'keystone.token.backends.sql.Token', + 'cache_dir' => '/var/cache/keystone', + 'enable_ssl' => false, + 'ssl_certfile' => 
'/etc/keystone/ssl/certs/keystone.pem', + 'ssl_keyfile' => '/etc/keystone/ssl/private/keystonekey.pem', + 'ssl_ca_certs' => '/etc/keystone/ssl/certs/ca.pem', + 'ssl_ca_key' => '/etc/keystone/ssl/private/cakey.pem', + 'ssl_cert_subject' => '/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost', + 'enabled' => true, + 'database_connection' => 'sqlite:////var/lib/keystone/keystone.db', + 'database_idle_timeout' => '200', + 'mysql_module' => '0.9', + 'rabbit_host' => 'localhost', + 'rabbit_password' => 'guest', + 'rabbit_userid' => 'guest', } - end - [{'admin_token' => 'service_token'}, - { - 'package_ensure' => 'latest', - 'public_bind_host' => '0.0.0.0', - 'admin_bind_host' => '0.0.0.0', - 'public_port' => '5001', - 'admin_port' => '35358', - 'admin_token' => 'service_token_override', - 'compute_port' => '8778', - 'verbose' => true, - 'debug' => true, - 'catalog_type' => 'template', - 'token_provider' => 'keystone.token.providers.uuid.Provider', - 'token_driver' => 'keystone.token.backends.kvs.Token', - 'public_endpoint' => 'https://localhost:5000/v2.0/', - 'admin_endpoint' => 'https://localhost:35357/v2.0/', - 'enable_ssl' => true, - 'ssl_certfile' => '/etc/keystone/ssl/certs/keystone.pem', - 'ssl_keyfile' => '/etc/keystone/ssl/private/keystonekey.pem', - 'ssl_ca_certs' => '/etc/keystone/ssl/certs/ca.pem', - 'ssl_ca_key' => '/etc/keystone/ssl/private/cakey.pem', - 'ssl_cert_subject' => '/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost', - 'enabled' => false, - 'sql_connection' => 'mysql://a:b@c/d', - 'idle_timeout' => '300', - 'rabbit_host' => '127.0.0.1', - 'rabbit_password' => 'openstack', - 'rabbit_userid' => 'admin', + override_params = { + 'package_ensure' => 'latest', + 'public_bind_host' => '0.0.0.0', + 'admin_bind_host' => '0.0.0.0', + 'public_port' => '5001', + 'admin_port' => '35358', + 'admin_token' => 'service_token_override', + 'compute_port' => '8778', + 'verbose' => true, + 'debug' => true, + 'catalog_type' => 'template', + 'token_provider' => 
'keystone.token.providers.uuid.Provider', + 'token_driver' => 'keystone.token.backends.kvs.Token', + 'public_endpoint' => 'https://localhost:5000/v2.0/', + 'admin_endpoint' => 'https://localhost:35357/v2.0/', + 'enable_ssl' => true, + 'ssl_certfile' => '/etc/keystone/ssl/certs/keystone.pem', + 'ssl_keyfile' => '/etc/keystone/ssl/private/keystonekey.pem', + 'ssl_ca_certs' => '/etc/keystone/ssl/certs/ca.pem', + 'ssl_ca_key' => '/etc/keystone/ssl/private/cakey.pem', + 'ssl_cert_subject' => '/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost', + 'enabled' => false, + 'database_connection' => 'mysql://a:b@c/d', + 'database_idle_timeout' => '300', + 'rabbit_host' => '127.0.0.1', + 'rabbit_password' => 'openstack', + 'rabbit_userid' => 'admin', } - ].each do |param_set| - describe "when #{param_set == {} ? "using default" : "specifying"} class parameters" do - let :param_hash do - default_params.merge(param_set) + httpd_params = {'service_name' => 'httpd'}.merge(default_params) + + shared_examples_for 'core keystone examples' do |param_hash| + it { should contain_class('keystone::params') } + + it { should contain_package('keystone').with( + 'ensure' => param_hash['package_ensure'] + ) } + + it { should contain_group('keystone').with( + 'ensure' => 'present', + 'system' => true + ) } + + it { should contain_user('keystone').with( + 'ensure' => 'present', + 'gid' => 'keystone', + 'system' => true + ) } + + it 'should contain the expected directories' do + ['/etc/keystone', '/var/log/keystone', '/var/lib/keystone'].each do |d| + should contain_file(d).with( + 'ensure' => 'directory', + 'owner' => 'keystone', + 'group' => 'keystone', + 'mode' => '0750', + 'require' => 'Package[keystone]' + ) end + end - let :params do - param_set + it 'should only synchronize the db if $enabled is true' do + if param_hash['enabled'] + should contain_exec('keystone-manage db_sync').with( + :user => 'keystone', + :refreshonly => true, + :subscribe => ['Package[keystone]', 
'Keystone_config[database/connection]'], + :require => 'User[keystone]' + ) end + end - it { should contain_class('keystone::params') } + it 'should contain correct config' do + [ + 'public_bind_host', + 'admin_bind_host', + 'public_port', + 'admin_port', + 'compute_port', + 'verbose', + 'debug' + ].each do |config| + should contain_keystone_config("DEFAULT/#{config}").with_value(param_hash[config]) + end + end - it { should contain_package('keystone').with( - 'ensure' => param_hash['package_ensure'] - ) } + it 'should contain correct admin_token config' do + should contain_keystone_config('DEFAULT/admin_token').with_value(param_hash['admin_token']).with_secret(true) + end - it { should contain_group('keystone').with( - 'ensure' => 'present', - 'system' => true - ) } - it { should contain_user('keystone').with( - 'ensure' => 'present', - 'gid' => 'keystone', - 'system' => true - ) } + it 'should contain correct mysql config' do + should contain_keystone_config('database/idle_timeout').with_value(param_hash['database_idle_timeout']) + should contain_keystone_config('database/connection').with_value(param_hash['database_connection']).with_secret(true) + end - it 'should contain the expected directories' do - ['/etc/keystone', '/var/log/keystone', '/var/lib/keystone'].each do |d| - should contain_file(d).with( - 'ensure' => 'directory', - 'owner' => 'keystone', - 'group' => 'keystone', - 'mode' => '0750', - 'require' => 'Package[keystone]' - ) - end + it { should contain_keystone_config('token/provider').with_value( + param_hash['token_provider'] + ) } + + it 'should contain correct token driver' do + should contain_keystone_config('token/driver').with_value(param_hash['token_driver']) + end + + it 'should ensure proper setting of admin_endpoint and public_endpoint' do + if param_hash['admin_endpoint'] + should contain_keystone_config('DEFAULT/admin_endpoint').with_value(param_hash['admin_endpoint']) + else + should 
contain_keystone_config('DEFAULT/admin_endpoint').with_ensure('absent') end + if param_hash['public_endpoint'] + should contain_keystone_config('DEFAULT/public_endpoint').with_value(param_hash['public_endpoint']) + else + should contain_keystone_config('DEFAULT/public_endpoint').with_ensure('absent') + end + end + + it 'should contain correct rabbit_password' do + should contain_keystone_config('DEFAULT/rabbit_password').with_value(param_hash['rabbit_password']).with_secret(true) + end + end + + [default_params, override_params].each do |param_hash| + describe "when #{param_hash == default_params ? "using default" : "specifying"} class parameters for service" do + + let :params do + param_hash + end + + it_configures 'core keystone examples', param_hash it { should contain_service('keystone').with( 'ensure' => param_hash['enabled'] ? 'running' : 'stopped', 
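Review bot: `default_params` lists `'admin_token' => 'service_token'` twice, once as the first entry and again after `'admin_port'`. Ruby silently keeps the later one, and newer interpreters warn about the duplicated literal key. Drop the first entry so the hash states each parameter once. `override_params` and `httpd_params` are not affected.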
@@ -113,61 +186,44 @@ 'hasrestart' => true ) } - it 'should only migrate the db if $enabled is true' do - if param_hash['enabled'] - should contain_exec('keystone-manage db_sync').with( - :user => 'keystone', - :refreshonly => true, - :subscribe => ['Package[keystone]', 'Keystone_config[database/connection]'], - :require => 'User[keystone]' - ) - end - end + end + end - it 'should contain correct config' do - [ - 'public_bind_host', - 'admin_bind_host', - 'public_port', - 'admin_port', - 'compute_port', - 'verbose', - 'debug' - ].each do |config| - should contain_keystone_config("DEFAULT/#{config}").with_value(param_hash[config]) - end - end + describe "when using default class parameters for httpd" do + let :params do + httpd_params + end - it 'should contain correct admin_token config' do - should contain_keystone_config('DEFAULT/admin_token').with_value(param_hash['admin_token']).with_secret(true) - end + let :pre_condition do + 'include ::apache' + end - it 'should contain correct mysql config' do - should contain_keystone_config('database/idle_timeout').with_value(param_hash['idle_timeout']) - should contain_keystone_config('database/connection').with_value(param_hash['sql_connection']).with_secret(true) - end + it_configures 'core keystone examples', httpd_params - it { should contain_keystone_config('token/provider').with_value( - param_hash['token_provider'] - ) } + it do + expect { + should contain_service('keystone') + }.to raise_error(RSpec::Expectations::ExpectationNotMetError, /expected that the catalogue would contain Service\[keystone\]/) + end - it 'should contain correct token driver' do - should contain_keystone_config('token/driver').with_value(param_hash['token_driver']) - end + end - it 'should ensure proper setting of admin_endpoint and public_endpoint' do - if param_hash['admin_endpoint'] - should contain_keystone_config('DEFAULT/admin_endpoint').with_value(param_hash['admin_endpoint']) - else - should 
contain_keystone_config('DEFAULT/admin_endpoint').with_ensure('absent') - end - if param_hash['public_endpoint'] - should contain_keystone_config('DEFAULT/public_endpoint').with_value(param_hash['public_endpoint']) - else - should contain_keystone_config('DEFAULT/public_endpoint').with_ensure('absent') - end - end + describe 'with deprecated sql_connection parameter' do + let :params do + { :admin_token => 'service_token', + :sql_connection => 'mysql://a:b@c/d' } + end + + it { should contain_keystone_config('database/connection').with_value(params[:sql_connection]) } + end + + describe 'with deprecated idle_timeout parameter' do + let :params do + { :admin_token => 'service_token', + :idle_timeout => 365 } end + + it { should contain_keystone_config('database/idle_timeout').with_value(params[:idle_timeout]) } end describe 'when configuring signing token provider' do @@ -493,4 +549,5 @@ it { should contain_keystone_config('catalog/driver').with_value('keystone.catalog.backends.templated.Catalog') } it { should contain_keystone_config('catalog/template_file').with_value('/some/template_file') } end + end diff --git a/keystone/spec/classes/keystone_wsgi_apache_spec.rb b/keystone/spec/classes/keystone_wsgi_apache_spec.rb index 9deaaa038..c022c9793 100644 --- a/keystone/spec/classes/keystone_wsgi_apache_spec.rb +++ b/keystone/spec/classes/keystone_wsgi_apache_spec.rb @@ -11,8 +11,9 @@ end let :pre_condition do - 'include apache - class { keystone: admin_token => "dummy" }' + [ + 'class { keystone: admin_token => "dummy", service_name => "httpd", enable_ssl => true }' + ] end shared_examples_for 'apache serving keystone with mod_wsgi' do @@ -38,7 +39,7 @@ class { keystone: admin_token => "dummy" }' 'owner' => 'keystone', 'group' => 'keystone', 'mode' => '0644', - 'require' => "File[#{platform_parameters[:wsgi_script_path]}]" + 'require' => ["File[#{platform_parameters[:wsgi_script_path]}]", "Package[keystone]"] )} it { should contain_file('keystone_wsgi_main').with( 
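Review bot: The `with deprecated sql_connection parameter` example added to keystone_spec.rb checks only the value of `database/connection`, not that the setting is marked secret. Its fixture `mysql://a:b@c/d` carries a password, and the shared examples in the same file assert `.with_secret(true)` for this setting. If the deprecated path ever stopped setting the flag, the connection string would presumably show up in Puppet logs and reports without any example failing. I would write it as `it { should contain_keystone_config('database/connection').with_value(params[:sql_connection]).with_secret(true) }`. Whether the manifest applies `secret` on the deprecated path is not visible in this hunk, so confirm the stricter assertion passes.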
@@ -48,7 +49,7 @@ class { keystone: admin_token => "dummy" }' 'owner' => 'keystone', 'group' => 'keystone', 'mode' => '0644', - 'require' => "File[#{platform_parameters[:wsgi_script_path]}]" + 'require' => ["File[#{platform_parameters[:wsgi_script_path]}]", "Package[keystone]"] )} it { should contain_apache__vhost('keystone_wsgi_admin').with( @@ -59,9 +60,10 @@ class { keystone: admin_token => "dummy" }' 'docroot_owner' => 'keystone', 'docroot_group' => 'keystone', 'ssl' => 'true', - 'wsgi_process_group' => 'keystone', + 'wsgi_daemon_process' => 'keystone_admin', + 'wsgi_process_group' => 'keystone_admin', 'wsgi_script_aliases' => { '/' => "#{platform_parameters[:wsgi_script_path]}/admin" }, - 'require' => ['Class[Apache::Mod::Wsgi]', 'File[keystone_wsgi_admin]'] + 'require' => 'File[keystone_wsgi_admin]' )} it { should contain_apache__vhost('keystone_wsgi_main').with( @@ -72,16 +74,11 @@ class { keystone: admin_token => "dummy" }' 'docroot_owner' => 'keystone', 'docroot_group' => 'keystone', 'ssl' => 'true', - 'wsgi_daemon_process' => 'keystone', - 'wsgi_process_group' => 'keystone', + 'wsgi_daemon_process' => 'keystone_main', + 'wsgi_process_group' => 'keystone_main', 'wsgi_script_aliases' => { '/' => "#{platform_parameters[:wsgi_script_path]}/main" }, - 'require' => ['Class[Apache::Mod::Wsgi]', 'File[keystone_wsgi_main]'] + 'require' => 'File[keystone_wsgi_main]' )} - it "should set keystone wsgi options" do - contain_file('25-keystone_wsgi_main.conf').with_content( - /^ WSGIDaemonProcess keystone group=keystone processes=1 threads=1 user=keystone$/ - ) - end end describe 'when overriding parameters using different ports' do 
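Review bot: After the vhost hunks in keystone_wsgi_apache_spec.rb, no example checks which account the WSGI daemon processes run as. The expectations pin only `wsgi_daemon_process` and `wsgi_process_group` to `keystone_admin`/`keystone_main`, and the deleted `should set keystone wsgi options` example was the only mention of `user=keystone group=keystone`; it had no `should` in front of `contain_file`, so it built a matcher without asserting it. The same gap is in the `@@ -117,16 +115,11 @@` and `@@ -152,19 +145,14 @@` hunks, where the `processes=37` override also loses its only check. I would add the daemon options to each `contain_apache__vhost(...).with(...)` hash, for example `'wsgi_daemon_process_options' => { 'user' => 'keystone', 'group' => 'keystone', 'processes' => '1', 'threads' => '1' },`. Adjust the values to what the manifest passes, which is not visible here.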
@@ -104,9 +101,10 @@ class { keystone: admin_token => "dummy" }' 'docroot_owner' => 'keystone', 'docroot_group' => 'keystone', 'ssl' => 'false', - 'wsgi_process_group' => 'keystone', + 'wsgi_daemon_process' => 'keystone_admin', + 'wsgi_process_group' => 'keystone_admin', 'wsgi_script_aliases' => { '/' => "#{platform_parameters[:wsgi_script_path]}/admin" }, - 'require' => ['Class[Apache::Mod::Wsgi]', 'File[keystone_wsgi_admin]'] + 'require' => 'File[keystone_wsgi_admin]' )} it { should contain_apache__vhost('keystone_wsgi_main').with( @@ -117,16 +115,11 @@ class { keystone: admin_token => "dummy" }' 'docroot_owner' => 'keystone', 'docroot_group' => 'keystone', 'ssl' => 'false', - 'wsgi_daemon_process' => 'keystone', - 'wsgi_process_group' => 'keystone', + 'wsgi_daemon_process' => 'keystone_main', + 'wsgi_process_group' => 'keystone_main', 'wsgi_script_aliases' => { '/' => "#{platform_parameters[:wsgi_script_path]}/main" }, - 'require' => ['Class[Apache::Mod::Wsgi]', 'File[keystone_wsgi_main]'] + 'require' => 'File[keystone_wsgi_main]' )} - it "should set keystone wsgi options" do - contain_file('25-keystone_wsgi_main.conf').with_content( - /^ WSGIDaemonProcess keystone group=keystone processes=37 threads=1 user=keystone$/ - ) - end end describe 'when overriding parameters using same port' do 
@@ -152,19 +145,14 @@ class { keystone: admin_token => "dummy" }' 'docroot_owner' => 'keystone', 'docroot_group' => 'keystone', 'ssl' => 'true', - 'wsgi_daemon_process' => 'keystone', - 'wsgi_process_group' => 'keystone', + 'wsgi_daemon_process' => 'keystone_main', + 'wsgi_process_group' => 'keystone_main', 'wsgi_script_aliases' => { '/main/endpoint' => "#{platform_parameters[:wsgi_script_path]}/main", '/admin/endpoint' => "#{platform_parameters[:wsgi_script_path]}/admin" - }, - 'require' => ['Class[Apache::Mod::Wsgi]', 'File[keystone_wsgi_main]'] + }, + 'require' => 'File[keystone_wsgi_main]' )} - it "should set keystone wsgi options" do - contain_file('25-keystone_wsgi_main.conf').with_content( - /^ WSGIDaemonProcess keystone group=keystone processes=37 threads=1 user=keystone$/ - ) - end end describe 'when overriding parameters using same port and same path' do @@ -195,8 +183,9 @@ class { keystone: admin_token => "dummy" }' let :platform_parameters do { :httpd_service_name => 'httpd', + :httpd_ports_file => '/etc/httpd/conf/ports.conf', :wsgi_script_path => '/var/www/cgi-bin/keystone', - :wsgi_script_source => 'puppet:///modules/keystone/httpd/keystone.py' + :wsgi_script_source => '/usr/share/keystone/keystone.wsgi' } end @@ -215,6 +204,7 @@ class { keystone: admin_token => "dummy" }' let :platform_parameters do { :httpd_service_name => 'apache2', + :httpd_ports_file => '/etc/apache2/ports.conf', :wsgi_script_path => '/usr/lib/cgi-bin/keystone', :wsgi_script_source => '/usr/share/keystone/wsgi.py' }