Update keystone to 821cc4a

821cc4a Allow disabling or delaying the token_flush cron
d1000fb Merge "Release 5.0.0 - Juno"
50efef4 Release 5.0.0 - Juno
4477c63 Merge "Add memcache configs for backend and token"
776006f Merge "Add keystone::resource::service_identity"
e1d96ec Merge "keystone_user_role fix for when user not granted roles yet"
183650c Add keystone::resource::service_identity
1c5f655 Merge "Fix config options deprecated in Juno"
a0e8e9a Remove duplicate entries from endpoint.pp comments
c38e7a6 fix apache::vhost concat test breakage
8548a52 Fix config options deprecated in Juno
b97447c Add memcache configs for backend and token
5a3ba40 keystone_user_role fix for when user not granted roles yet

Author: xbezdick

Puppetfile

@@ -63,7 +63,7 @@ mod 'ipa',
   :git => 'https://github.com/xbezdick/puppet-ipa.git'
 
 mod 'keystone',
-  :commit => '38518cbcb3ef8ad3bb068730a21d790b27a29b74',
+  :commit => '821cc4ada1f50b5a6c6244cd5c689a467d06d736',
   :git => 'https://github.com/stackforge/puppet-keystone.git'
 
 mod 'memcached',

keystone/README.md

@@ -1,7 +1,7 @@
 keystone
 =======
 
-4.0.0 - 2014.1.0 - Icehouse
+5.0.0 - 2014.2.0 - Juno
 
 #### Table of Contents
 
@@ -163,6 +163,45 @@ Contributors
 Release Notes
 -------------
 
+**5.0.0**
+
+* Stable Juno release
+* Updated token driver, logging, and ldap config parameters for Juno
+* Changed admin_roles parameter to accept an array in order to configure multiple admin roles
+* Installs python-ldappool package for ldap
+* Added new parameters to keystone class to configure pki signing
+* Changed keystone class to inherit from keystone::params
+* Changed pki_setup to run regardless of token provider
+* Made UUID the default token provider
+* Made keystone_user_role idempotent
+* Added parameters to control whether to configure users
+* Stopped managing _member_ role since it is created automatically
+* Stopped overriding token_flush log file
+* Changed the usage of admin_endpoint to not include the API version
+* Allowed keystone_user_role to accept email as username
+* Added ability to set up keystone using Apache mod_wsgi
+* Migrated the keystone::db::mysql class to use openstacklib::db::mysql and deprecated the mysql_module parameter
+* Installs python-memcache when using token driver memcache
+* Enabled setting cert and key paths for PKI token signing
+* Added parameters for SSL communication between keystone and rabbitmq
+* Added parameter ignore_default_tenant to keystone::role::admin
+* Added parameter service_provider to keystone class
+* Added parameters for service validation to keystone class
+
+**4.2.0**
+
+* Added class for extended logging options
+* Fixed rabbit password leaking
+* Added parameters to set tenant descriptions
+* Fixed keystone user authorization error handling
+
+**4.1.0**
+
+* Added token flushing with cron.
+* Updated database api for consistency with other projects.
+* Fixed admin_token with secret parameter.
+* Fixed deprecated catalog driver.
+
 **4.0.0**
 
 * Stable Icehouse release.

keystone/lib/puppet/provider/keystone_user_role/keystone.rb

@@ -183,6 +183,11 @@ def self.get_user(tenant_id, name)
           @users["#{user[1]}@#{tenant_id}"] = user[0]
         end
       end
+      # If the user doesn't already have a role on this tenant,
+      # we need to look them up specifically
+      unless @users[user_key]
+        @users[user_key] = get_keystone_object('user', name, 'id')
+      end
       @users[user_key]
     end
 

keystone/manifests/cron/token_flush.pp

@@ -21,6 +21,10 @@
 #
 # === Parameters
 #
+#  [*ensure*]
+#    (optional) Defaults to present.
+#    Valid values are present, absent.
+#
 #  [*minute*]
 #    (optional) Defaults to '1'.
 #
@@ -36,16 +40,30 @@
 #  [*weekday*]
 #    (optional) Defaults to '*'.
 #
+#  [*maxdelay*]
+#    (optional) Seconds. Defaults to 0. Should be a positive integer.
+#    Induces a random delay before running the cronjob to avoid running all
+#    cron jobs at the same time on all hosts this job is configured.
+#
 class keystone::cron::token_flush (
+  $ensure   = present,
   $minute   = 1,
   $hour     = 0,
   $monthday = '*',
   $month    = '*',
   $weekday  = '*',
+  $maxdelay = 0,
 ) {
 
+  if $maxdelay == 0 {
+    $sleep = ''
+  } else {
+    $sleep = "sleep `expr \${RANDOM} \\% ${maxdelay}`; "
+  }
+
   cron { 'keystone-manage token_flush':
-    command     => 'keystone-manage token_flush >>/var/log/keystone/keystone-tokenflush.log 2>&1',
+    ensure      => $ensure,
+    command     => "${sleep}keystone-manage token_flush >>/var/log/keystone/keystone-tokenflush.log 2>&1",
     environment => 'PATH=/bin:/usr/bin:/usr/sbin',
     user        => 'keystone',
     minute      => $minute,

keystone/manifests/endpoint.pp

@@ -6,31 +6,22 @@
 #
 # [*public_url*]
 #   (optional) Public url for keystone endpoint. (Defaults to 'http://127.0.0.1:5000')
+#   This url should *not* contain any version or trailing '/'.
 #
 # [*internal_url*]
 #   (optional) Internal url for keystone endpoint. (Defaults to $public_url)
+#   This url should *not* contain any version or trailing '/'.
 #
 # [*admin_url*]
 #   (optional) Admin url for keystone endpoint. (Defaults to 'http://127.0.0.1:35357')
+#   This url should *not* contain any version or trailing '/'.
 #
 # [*region*]
 #   (optional) Region for endpoint. (Defaults to 'RegionOne')
 #
 # [*version*]
 #   (optional) API version for endpoint. Appended to all endpoint urls. (Defaults to 'v2.0')
 #
-# [*public_url*]
-#   (optional) The endpoint's public url. (Defaults to 'http://127.0.0.1:5000')
-#   This url should *not* contain any version or trailing '/'.
-#
-# [*admin_url*]
-#   (optional) The endpoint's admin url. (Defaults to 'http://127.0.0.1:5000')
-#   This url should *not* contain any version or trailing '/'.
-#
-# [*internal_url*]
-#   (optional) The endpoint's internal url. (Defaults to 'http://127.0.0.1:35357')
-#   This url should *not* contain any version or trailing '/'.
-#
 # [*public_protocol*]
 #   (optional) DEPRECATED: Use public_url instead.
 #   Protocol for public access to keystone endpoint. (Defaults to 'http')
@@ -95,6 +86,8 @@
   $admin_port        = undef,
 ) {
 
+  warning('keystone::endpoint class is deprecated, use keystone::resource::service_identity instead.')
+
   if $public_port {
     warning('The public_port parameter is deprecated, use public_url instead.')
   }
@@ -153,17 +146,15 @@
       "#{@admin_url}/#{@version}"
     end %>')
 
-  keystone_service { 'keystone':
-    ensure      => present,
-    type        => 'identity',
-    description => 'OpenStack Identity Service',
+  keystone::resource::service_identity { 'keystone':
+    configure_user      => false,
+    configure_user_role => false,
+    service_type        => 'identity',
+    service_description => 'OpenStack Identity Service',
+    public_url          => $public_url_real,
+    admin_url           => $admin_url_real,
+    internal_url        => $internal_url_real,
+    region              => $region,
   }
 
-  keystone_endpoint { "${region}/keystone":
-    ensure       => present,
-    public_url   => $public_url_real,
-    admin_url    => $admin_url_real,
-    internal_url => $internal_url_real,
-    region       => $region,
-  }
 }

keystone/manifests/init.pp

@@ -36,8 +36,33 @@
 #   [token_format] Deprecated: Use token_provider instead.
 #   [cache_dir] Directory created when token_provider is pki. Optional.
 #     Defaults to /var/cache/keystone.
-#   [memcache_servers] List of memcache servers/ports. Optional. Used with
-#     token_driver keystone.token.backends.memcache.Token.  Defaults to false.
+#
+#   [memcache_servers]
+#     List of memcache servers in format of server:port.
+#     Used with token_driver 'keystone.token.backends.memcache.Token'.
+#     Optional. Defaults to false. Example: ['localhost:11211']
+#
+#   [cache_backend]
+#     Dogpile.cache backend module. It is recommended that Memcache with pooling
+#     (keystone.cache.memcache_pool) or Redis (dogpile.cache.redis) be used in production.
+#     This has no effects unless 'memcache_servers' is set.
+#     Optional. Defaults to 'keystone.common.cache.noop'
+#
+#   [cache_backend_argument]
+#     List of arguments in format of argname:value supplied to the backend module.
+#     Specify this option once per argument to be passed to the dogpile.cache backend.
+#     This has no effects unless 'memcache_servers' is set.
+#     Optional. Default to undef.
+#
+#   [debug_cache_backend]
+#     Extra debugging from the cache backend (cache keys, get/set/delete calls).
+#     This has no effects unless 'memcache_servers' is set.
+#     Optional. Default to false.
+#
+#   [token_caching]
+#     Toggle for token system caching. This has no effects unless 'memcache_servers' is set.
+#     Optional. Default to true.
+#
 #   [enabled] If the keystone services should be enabled. Optional. Default to true.
 #
 #   [*database_connection*]
@@ -251,70 +276,74 @@
 #
 class keystone(
   $admin_token,
-  $package_ensure        = 'present',
-  $bind_host             = false,
-  $public_bind_host      = '0.0.0.0',
-  $admin_bind_host       = '0.0.0.0',
-  $public_port           = '5000',
-  $admin_port            = '35357',
-  $compute_port          = '8774',
-  $verbose               = false,
-  $debug                 = false,
-  $log_dir               = '/var/log/keystone',
-  $log_file              = false,
-  $use_syslog            = false,
-  $log_facility          = 'LOG_USER',
-  $catalog_type          = 'sql',
-  $catalog_driver        = false,
-  $catalog_template_file = '/etc/keystone/default_catalog.templates',
-  $token_format          = false,
-  $token_provider        = 'keystone.token.providers.uuid.Provider',
-  $token_driver          = 'keystone.token.persistence.backends.sql.Token',
-  $token_expiration      = 3600,
-  $public_endpoint       = false,
-  $admin_endpoint        = false,
-  $enable_ssl            = false,
-  $ssl_certfile          = '/etc/keystone/ssl/certs/keystone.pem',
-  $ssl_keyfile           = '/etc/keystone/ssl/private/keystonekey.pem',
-  $ssl_ca_certs          = '/etc/keystone/ssl/certs/ca.pem',
-  $ssl_ca_key            = '/etc/keystone/ssl/private/cakey.pem',
-  $ssl_cert_subject      = '/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost',
-  $cache_dir             = '/var/cache/keystone',
-  $memcache_servers      = false,
-  $enabled               = true,
-  $database_connection   = 'sqlite:////var/lib/keystone/keystone.db',
-  $database_idle_timeout = '200',
-  $enable_pki_setup      = true,
-  $signing_certfile      = '/etc/keystone/ssl/certs/signing_cert.pem',
-  $signing_keyfile       = '/etc/keystone/ssl/private/signing_key.pem',
-  $signing_ca_certs      = '/etc/keystone/ssl/certs/ca.pem',
-  $signing_ca_key        = '/etc/keystone/ssl/private/cakey.pem',
-  $signing_cert_subject  = '/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com',
-  $signing_key_size      = 2048,
-  $rabbit_host           = 'localhost',
-  $rabbit_hosts          = false,
-  $rabbit_password       = 'guest',
-  $rabbit_port           = '5672',
-  $rabbit_userid         = 'guest',
-  $rabbit_virtual_host   = '/',
-  $rabbit_use_ssl        = false,
-  $kombu_ssl_ca_certs    = undef,
-  $kombu_ssl_certfile    = undef,
-  $kombu_ssl_keyfile     = undef,
-  $kombu_ssl_version     = 'SSLv3',
-  $notification_driver   = false,
-  $notification_topics   = false,
-  $control_exchange      = false,
-  $validate_service      = false,
-  $validate_insecure     = false,
-  $validate_auth_url     = false,
-  $validate_cacert       = undef,
-  $service_provider      = $::keystone::params::service_provider,
-  $service_name          = 'keystone',
+  $package_ensure         = 'present',
+  $bind_host              = false,
+  $public_bind_host       = '0.0.0.0',
+  $admin_bind_host        = '0.0.0.0',
+  $public_port            = '5000',
+  $admin_port             = '35357',
+  $compute_port           = '8774',
+  $verbose                = false,
+  $debug                  = false,
+  $log_dir                = '/var/log/keystone',
+  $log_file               = false,
+  $use_syslog             = false,
+  $log_facility           = 'LOG_USER',
+  $catalog_type           = 'sql',
+  $catalog_driver         = false,
+  $catalog_template_file  = '/etc/keystone/default_catalog.templates',
+  $token_format           = false,
+  $token_provider         = 'keystone.token.providers.uuid.Provider',
+  $token_driver           = 'keystone.token.persistence.backends.sql.Token',
+  $token_expiration       = 3600,
+  $public_endpoint        = false,
+  $admin_endpoint         = false,
+  $enable_ssl             = false,
+  $ssl_certfile           = '/etc/keystone/ssl/certs/keystone.pem',
+  $ssl_keyfile            = '/etc/keystone/ssl/private/keystonekey.pem',
+  $ssl_ca_certs           = '/etc/keystone/ssl/certs/ca.pem',
+  $ssl_ca_key             = '/etc/keystone/ssl/private/cakey.pem',
+  $ssl_cert_subject       = '/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost',
+  $cache_dir              = '/var/cache/keystone',
+  $memcache_servers       = false,
+  $cache_backend          = 'keystone.common.cache.noop',
+  $cache_backend_argument = undef,
+  $debug_cache_backend    = false,
+  $token_caching          = true,
+  $enabled                = true,
+  $database_connection    = 'sqlite:////var/lib/keystone/keystone.db',
+  $database_idle_timeout  = '200',
+  $enable_pki_setup       = true,
+  $signing_certfile       = '/etc/keystone/ssl/certs/signing_cert.pem',
+  $signing_keyfile        = '/etc/keystone/ssl/private/signing_key.pem',
+  $signing_ca_certs       = '/etc/keystone/ssl/certs/ca.pem',
+  $signing_ca_key         = '/etc/keystone/ssl/private/cakey.pem',
+  $signing_cert_subject   = '/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com',
+  $signing_key_size       = 2048,
+  $rabbit_host            = 'localhost',
+  $rabbit_hosts           = false,
+  $rabbit_password        = 'guest',
+  $rabbit_port            = '5672',
+  $rabbit_userid          = 'guest',
+  $rabbit_virtual_host    = '/',
+  $rabbit_use_ssl         = false,
+  $kombu_ssl_ca_certs     = undef,
+  $kombu_ssl_certfile     = undef,
+  $kombu_ssl_keyfile      = undef,
+  $kombu_ssl_version      = 'SSLv3',
+  $notification_driver    = false,
+  $notification_topics    = false,
+  $control_exchange       = false,
+  $validate_service       = false,
+  $validate_insecure      = false,
+  $validate_auth_url      = false,
+  $validate_cacert        = undef,
+  $service_provider       = $::keystone::params::service_provider,
+  $service_name           = 'keystone',
   # DEPRECATED PARAMETERS
-  $mysql_module          = undef,
-  $sql_connection        = undef,
-  $idle_timeout          = undef,
+  $mysql_module           = undef,
+  $sql_connection         = undef,
+  $idle_timeout           = undef,
 ) inherits keystone::params {
 
   if ! $catalog_driver {
@@ -484,12 +513,32 @@
   # memcache connection config
   if $memcache_servers {
     validate_array($memcache_servers)
+    Service<| title == 'memcached' |> -> Service['keystone']
     keystone_config {
-      'memcache/servers': value => join($memcache_servers, ',');
+      'cache/enabled':              value => true;
+      'cache/backend':              value => $cache_backend;
+      'cache/debug_cache_backend':  value => $debug_cache_backend;
+      'token/caching':              value => $token_caching;
+      'memcache/servers':           value => join($memcache_servers, ',');
+    }
+    if $cache_backend_argument {
+      validate_array($cache_backend_argument)
+      keystone_config {
+        'cache/backend_argument':   value => join($cache_backend_argument, ',');
+      }
+    } else {
+      keystone_config {
+        'cache/backend_argument':  ensure => absent;
+      }
     }
   } else {
     keystone_config {
-      'memcache/servers': ensure => absent;
+      'cache/enabled':             ensure => absent;
+      'cache/backend':             ensure => absent;
+      'cache/backend_argument':    ensure => absent;
+      'cache/debug_cache_backend': ensure => absent;
+      'token/caching':             ensure => absent;
+      'memcache/servers':          ensure => absent;
     }
   }