From 20824c70d576791d68a101c9bbc6d56140c832d7 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Tue, 23 May 2023 10:14:59 +0900
Subject: [PATCH] Enable service user token for interaction with nova/barbican
This enables usage of service user token for interaction with nova and barbican to avoid failure caused by token expiration during operations. This also enables service_token_roles_required option in authtoken middleware to allow only users with the service role to use this feature.
Change-Id: Id6b0aad7aa24af2b6d03d484ada23357828c4325
---
manifests/aodh.pp | 14 ++++++++------
manifests/barbican.pp | 14 ++++++++------
manifests/ceilometer.pp | 1 +
manifests/cinder.pp | 14 ++++++++++++++
manifests/designate.pp | 16 +++++++++-------
manifests/ec2api.pp | 14 ++++++++------
manifests/glance.pp | 20 ++++++++++++++------
manifests/gnocchi.pp | 14 ++++++++------
manifests/heat.pp | 18 ++++++++++--------
manifests/ironic.pp | 28 ++++++++++++++++------------
manifests/magnum.pp | 14 ++++++++------
manifests/manila.pp | 14 ++++++++------
manifests/mistral.pp | 14 ++++++++------
manifests/murano.pp | 16 +++++++++-------
manifests/neutron.pp | 14 ++++++++------
manifests/nova.pp | 19 +++++++++++++------
manifests/octavia.pp | 14 ++++++++------
manifests/placement.pp | 14 ++++++++------
manifests/sahara.pp | 14 ++++++++------
manifests/swift.pp | 8 +++++---
manifests/trove.pp | 16 +++++++++-------
manifests/vitrage.pp | 14 ++++++++------
manifests/watcher.pp | 18 ++++++++++--------
manifests/zaqar.pp | 17 +++++++++--------
24 files changed, 215 insertions(+), 144 deletions(-)
diff --git a/manifests/aodh.pp b/manifests/aodh.pp
index 28bf21e3f..a206681d5 100644
--- a/manifests/aodh.pp
+++ b/manifests/aodh.pp
@@ -68,15 +68,17 @@ class openstack_integration::aodh (
 public_url => "${::openstack_integration::config::base_url}:8042",
 internal_url => "${::openstack_integration::config::base_url}:8042",
 admin_url => "${::openstack_integration::config::base_url}:8042",
+ roles => ['admin', 'service'],
 password => 'a_big_secret',
 }
 class { 'aodh::keystone::authtoken':
- password => 'a_big_secret',
- user_domain_name => 'Default',
- project_domain_name => 'Default',
- auth_url => $::openstack_integration::config::keystone_admin_uri,
- www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
- memcached_servers => $::openstack_integration::config::memcached_servers,
+ password => 'a_big_secret',
+ user_domain_name => 'Default',
+ project_domain_name => 'Default',
+ auth_url => $::openstack_integration::config::keystone_admin_uri,
+ www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
+ memcached_servers => $::openstack_integration::config::memcached_servers,
+ service_token_roles_required => true,
 }
 class { 'aodh::api':
 enabled => true,
diff --git a/manifests/barbican.pp b/manifests/barbican.pp
index 0b11198fa..62b23c12e 100644
--- a/manifests/barbican.pp
+++ b/manifests/barbican.pp
@@ -38,6 +38,7 @@ class openstack_integration::barbican {
 public_url => "${::openstack_integration::config::base_url}:9311",
 internal_url => "${::openstack_integration::config::base_url}:9311",
 admin_url => "${::openstack_integration::config::base_url}:9311",
+ roles => ['admin', 'service'],
 password => 'a_big_secret',
 }
 include barbican::quota
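Review bot: The added `roles => ['admin', 'service']` in `aodh::keystone::auth` and the `service_token_roles_required => true` in `aodh::keystone::authtoken` only work as a pair, and nothing in the manifest records that link for a reader who sees only aodh.pp. Suggest a comment above the roles line, e.g. `# 'service' role: an authtoken middleware with service_token_roles_required honours a service token only if its user holds a role listed in service_token_roles (keystonemiddleware default: 'service')`. The same pair appears in the barbican, designate, ec2api, glance, gnocchi, heat, ironic, magnum, manila, mistral, murano, neutron, nova, octavia, placement, sahara, swift, trove, vitrage, watcher and zaqar hunks, so one such comment per manifest, or a sentence in the commit message, would cover them all. Nothing visible in this change creates the 'service' role itself; presumably keystone's bootstrap provides it, which is worth confirming.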
@@ -48,12 +49,13 @@ class openstack_integration::barbican {
 debug => true,
 }
 class { 'barbican::keystone::authtoken':
- password => 'a_big_secret',
- auth_url => "${::openstack_integration::config::keystone_admin_uri}/v3",
- www_authenticate_uri => "${::openstack_integration::config::keystone_auth_uri}/v3",
- user_domain_name => 'Default',
- project_domain_name => 'Default',
- memcached_servers => $::openstack_integration::config::memcached_servers,
+ password => 'a_big_secret',
+ auth_url => "${::openstack_integration::config::keystone_admin_uri}/v3",
+ www_authenticate_uri => "${::openstack_integration::config::keystone_auth_uri}/v3",
+ user_domain_name => 'Default',
+ project_domain_name => 'Default',
+ memcached_servers => $::openstack_integration::config::memcached_servers,
+ service_token_roles_required => true,
 }
 class { 'barbican::api':
 default_transport_url => os_transport_url({
diff --git a/manifests/ceilometer.pp b/manifests/ceilometer.pp
index b64e79afc..71fe7b987 100644
--- a/manifests/ceilometer.pp
+++ b/manifests/ceilometer.pp
@@ -60,6 +60,7 @@ class openstack_integration::ceilometer (
 amqp_sasl_mechanisms => 'PLAIN',
 }
 class { 'ceilometer::keystone::auth':
+ roles => ['admin', 'service'],
 password => 'a_big_secret',
 }
diff --git a/manifests/cinder.pp b/manifests/cinder.pp
index 491bbe9af..b57823fae 100644
--- a/manifests/cinder.pp
+++ b/manifests/cinder.pp
@@ -51,6 +51,7 @@ class openstack_integration::cinder (
 public_url_v3 => "${::openstack_integration::config::base_url}:8776/v3",
 internal_url_v3 => "${::openstack_integration::config::base_url}:8776/v3",
 admin_url_v3 => "${::openstack_integration::config::base_url}:8776/v3",
+ roles => ['admin', 'service'],
 password => 'a_big_secret',
 }
 class { 'cinder::logging':
@@ -64,6 +65,12 @@ class openstack_integration::cinder (
 barbican_endpoint => "${::openstack_integration::config::base_url}:9311",
 auth_endpoint => "${::openstack_integration::config::keystone_auth_uri}/v3"
 }
+ class { 'cinder::key_manager::barbican::service_user':
+ password => 'a_big_secret',
+ user_domain_name => 'Default',
+ project_domain_name => 'Default',
+ auth_url => $::openstack_integration::config::keystone_admin_uri,
+ }
 }
 class { 'cinder::db':
 database_connection => os_database_connection({
@@ -105,6 +112,13 @@ class openstack_integration::cinder (
 memcached_servers => $::openstack_integration::config::memcached_servers,
 service_token_roles_required => true,
 }
+ class { 'cinder::keystone::service_user':
+ send_service_user_token => true,
+ password => 'a_big_secret',
+ user_domain_name => 'Default',
+ project_domain_name => 'Default',
+ auth_url => $::openstack_integration::config::keystone_admin_uri,
+ }
 class { 'cinder::api':
 default_volume_type => 'BACKEND_1',
 public_endpoint => "${::openstack_integration::config::base_url}:8776",
diff --git a/manifests/designate.pp b/manifests/designate.pp
index afb82519f..50526ca61 100644
--- a/manifests/designate.pp
+++ b/manifests/designate.pp
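Review bot: The new `cinder::key_manager::barbican::service_user` block in the first cinder hunk configures credentials for a barbican service token, but unlike the `cinder::keystone::service_user` block in the second hunk it carries no `send_service_user_token => true`, and the existing `cinder::key_manager::barbican` declaration above it (`barbican_endpoint`/`auth_endpoint`) is left untouched. If the module needs an explicit send flag for the barbican section, as it evidently does for the keystone one, the credentials are written but never used; if declaring the class enables sending by itself, a one-line comment saying so would spare the next reader the same question. The same applies to the `glance::key_manager::barbican::service_user` and `nova::key_manager::barbican::service_user` hunks. The enclosing `if` block of the first hunk starts outside the hunk.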
@@ -57,18 +57,20 @@ class openstack_integration::designate {
 include 'designate::client'
 class { 'designate::keystone::auth':
- password => 'a_big_secret',
 public_url => "${::openstack_integration::config::base_url}:9001",
 internal_url => "${::openstack_integration::config::base_url}:9001",
 admin_url => "${::openstack_integration::config::base_url}:9001",
+ roles => ['admin', 'service'],
+ password => 'a_big_secret',
 }
 class { 'designate::keystone::authtoken':
- password => 'a_big_secret',
- user_domain_name => 'Default',
- project_domain_name => 'Default',
- auth_url => $::openstack_integration::config::keystone_admin_uri,
- www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
- memcached_servers => $::openstack_integration::config::memcached_servers,
+ password => 'a_big_secret',
+ user_domain_name => 'Default',
+ project_domain_name => 'Default',
+ auth_url => $::openstack_integration::config::keystone_admin_uri,
+ www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
+ memcached_servers => $::openstack_integration::config::memcached_servers,
+ service_token_roles_required => true,
 }
 class { 'designate::api':
diff --git a/manifests/ec2api.pp b/manifests/ec2api.pp
index 0f44f7d1e..ea9ceb2ea 100644
--- a/manifests/ec2api.pp
+++ b/manifests/ec2api.pp
@@ -18,6 +18,7 @@ class openstack_integration::ec2api {
 internal_url => "${::openstack_integration::config::base_url}:8788",
 admin_url => "${::openstack_integration::config::base_url}:8788",
 password => 'a_big_secret',
+ roles => ['admin', 'service'],
 }
 class { 'ec2api::db::mysql':
 charset => $::openstack_integration::params::mysql_charset,
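Review bot: In the `ec2api::keystone::auth` hunk the new `roles => ['admin', 'service']` line is placed after `password`, whereas every other manifest in this change inserts it before `password` (designate, heat, murano, trove, watcher and zaqar even move `password` down to keep that layout). Placing the added line directly after `admin_url`, `+ roles => ['admin', 'service'],` followed by the unchanged `password => 'a_big_secret',`, keeps the attribute order uniform across the repository.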
@@ -45,12 +46,13 @@ class openstack_integration::ec2api {
 }
 class { 'ec2api': }
 class { 'ec2api::keystone::authtoken':
- password => 'a_big_secret',
- user_domain_name => 'Default',
- project_domain_name => 'Default',
- auth_url => $::openstack_integration::config::keystone_admin_uri,
- www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
- memcached_servers => $::openstack_integration::config::memcached_servers,
+ password => 'a_big_secret',
+ user_domain_name => 'Default',
+ project_domain_name => 'Default',
+ auth_url => $::openstack_integration::config::keystone_admin_uri,
+ www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
+ memcached_servers => $::openstack_integration::config::memcached_servers,
+ service_token_roles_required => true,
 }
 class { 'ec2api::api':
 my_ip => $::openstack_integration::config::host,
diff --git a/manifests/glance.pp b/manifests/glance.pp
index c9f25d11e..298d46ba3 100644
--- a/manifests/glance.pp
+++ b/manifests/glance.pp
@@ -46,15 +46,17 @@ class openstack_integration::glance (
 public_url => "http://${::openstack_integration::config::ip_for_url}:9292",
 internal_url => "http://${::openstack_integration::config::ip_for_url}:9292",
 admin_url => "http://${::openstack_integration::config::ip_for_url}:9292",
+ roles => ['admin', 'service'],
 password => 'a_big_secret',
 }
 class { 'glance::api::authtoken':
- password => 'a_big_secret',
- user_domain_name => 'Default',
- project_domain_name => 'Default',
- auth_url => $::openstack_integration::config::keystone_admin_uri,
- www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
- memcached_servers => $::openstack_integration::config::memcached_servers,
+ password => 'a_big_secret',
+ user_domain_name => 'Default',
+ project_domain_name => 'Default',
+ auth_url => $::openstack_integration::config::keystone_admin_uri,
+ www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
+ memcached_servers => $::openstack_integration::config::memcached_servers,
+ service_token_roles_required => true,
 }
 case $backend {
 'file': {
@@ -144,5 +146,11 @@ class openstack_integration::glance (
 barbican_endpoint => "${::openstack_integration::config::base_url}:9311",
 auth_endpoint => "${::openstack_integration::config::keystone_auth_uri}/v3"
 }
+ class { 'glance::key_manager::barbican::service_user':
+ password => 'a_big_secret',
+ user_domain_name => 'Default',
+ project_domain_name => 'Default',
+ auth_url => $::openstack_integration::config::keystone_admin_uri,
+ }
 }
 }
diff --git a/manifests/gnocchi.pp b/manifests/gnocchi.pp
index 0d19a109e..c2632e9b2 100644
--- a/manifests/gnocchi.pp
+++ b/manifests/gnocchi.pp
@@ -72,15 +72,17 @@ class openstack_integration::gnocchi (
 public_url => "${::openstack_integration::config::base_url}:8041",
 internal_url => "${::openstack_integration::config::base_url}:8041",
 admin_url => "${::openstack_integration::config::base_url}:8041",
+ roles => ['admin', 'service'],
 password => 'a_big_secret',
 }
 class { 'gnocchi::keystone::authtoken':
- password => 'a_big_secret',
- user_domain_name => 'Default',
- project_domain_name => 'Default',
- auth_url => $::openstack_integration::config::keystone_admin_uri,
- www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
- memcached_servers => $::openstack_integration::config::memcached_servers,
+ password => 'a_big_secret',
+ user_domain_name => 'Default',
+ project_domain_name => 'Default',
+ auth_url => $::openstack_integration::config::keystone_admin_uri,
+ www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
+ memcached_servers => $::openstack_integration::config::memcached_servers,
+ service_token_roles_required => true,
 }
 class { 'gnocchi::api':
 enabled => true,
diff --git a/manifests/heat.pp b/manifests/heat.pp
index c7610a783..022426c60 100644
--- a/manifests/heat.pp
+++ b/manifests/heat.pp
@@ -30,12 +30,13 @@ class openstack_integration::heat (
 }
 class { 'heat::keystone::authtoken':
- password => 'a_big_secret',
- user_domain_name => 'Default',
- project_domain_name => 'Default',
- auth_url => $::openstack_integration::config::keystone_admin_uri,
- www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
- memcached_servers => $::openstack_integration::config::memcached_servers,
+ password => 'a_big_secret',
+ user_domain_name => 'Default',
+ project_domain_name => 'Default',
+ auth_url => $::openstack_integration::config::keystone_admin_uri,
+ www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
+ memcached_servers => $::openstack_integration::config::memcached_servers,
+ service_token_roles_required => true,
 }
 class { 'heat::trustee':
 password => 'a_big_secret',
@@ -83,11 +84,12 @@ class openstack_integration::heat (
 host => $::openstack_integration::config::host,
 }
 class { 'heat::keystone::auth':
- password => 'a_big_secret',
- configure_delegated_roles => true,
 public_url => "${::openstack_integration::config::base_url}:8004/v1/%(tenant_id)s",
 internal_url => "${::openstack_integration::config::base_url}:8004/v1/%(tenant_id)s",
 admin_url => "${::openstack_integration::config::base_url}:8004/v1/%(tenant_id)s",
+ roles => ['admin', 'service'],
+ password => 'a_big_secret',
+ configure_delegated_roles => true,
 }
 class { 'heat::keystone::auth_cfn':
 password => 'a_big_secret',
diff --git a/manifests/ironic.pp b/manifests/ironic.pp
index a92261936..32f4da904 100644
--- a/manifests/ironic.pp
+++ b/manifests/ironic.pp
@@ -50,20 +50,23 @@ class openstack_integration::ironic {
 public_url => "${::openstack_integration::config::base_url}:6385",
 internal_url => "${::openstack_integration::config::base_url}:6385",
 admin_url => "${::openstack_integration::config::base_url}:6385",
+ roles => ['admin', 'service'],
 password => 'a_big_secret',
 }
 class { 'ironic::api::authtoken':
- password => 'a_big_secret',
- user_domain_name => 'Default',
- project_domain_name => 'Default',
- auth_url => $::openstack_integration::config::keystone_admin_uri,
- www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
- memcached_servers => $::openstack_integration::config::memcached_servers,
+ password => 'a_big_secret',
+ user_domain_name => 'Default',
+ project_domain_name => 'Default',
+ auth_url => $::openstack_integration::config::keystone_admin_uri,
+ www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
+ memcached_servers => $::openstack_integration::config::memcached_servers,
+ service_token_roles_required => true,
 }
 class { 'ironic::keystone::auth_inspector':
 public_url => "http://${::openstack_integration::config::ip_for_url}:5050",
 internal_url => "http://${::openstack_integration::config::ip_for_url}:5050",
 admin_url => "http://${::openstack_integration::config::ip_for_url}:5050",
+ roles => ['admin', 'service'],
 password => 'a_big_secret',
 }
 class { 'ironic::client': }
@@ -98,12 +101,13 @@ class openstack_integration::ironic {
 host => $::openstack_integration::config::host,
 }
 class { 'ironic::inspector::authtoken':
- password => 'a_big_secret',
- user_domain_name => 'Default',
- project_domain_name => 'Default',
- auth_url => $::openstack_integration::config::keystone_admin_uri,
- www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
- memcached_servers => $::openstack_integration::config::memcached_servers,
+ password => 'a_big_secret',
+ user_domain_name => 'Default',
+ project_domain_name => 'Default',
+ auth_url => $::openstack_integration::config::keystone_admin_uri,
+ www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
+ memcached_servers => $::openstack_integration::config::memcached_servers,
+ service_token_roles_required => true,
 }
 class { 'ironic::pxe': }
 class { 'ironic::inspector::db':
diff --git a/manifests/magnum.pp b/manifests/magnum.pp
index 0e2288040..eaf3519de 100644
--- a/manifests/magnum.pp
+++ b/manifests/magnum.pp
@@ -35,6 +35,7 @@ class openstack_integration::magnum (
 public_url => "${::openstack_integration::config::base_url}:9511",
 internal_url => "${::openstack_integration::config::base_url}:9511",
 admin_url => "${::openstack_integration::config::base_url}:9511",
+ roles => ['admin', 'service'],
 password => 'a_big_secret',
 }
@@ -46,12 +47,13 @@ class openstack_integration::magnum (
 }
 class { 'magnum::keystone::authtoken':
- password => 'a_big_secret',
- user_domain_name => 'Default',
- project_domain_name => 'Default',
- auth_url => $::openstack_integration::config::keystone_admin_uri,
- www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
- memcached_servers => $::openstack_integration::config::memcached_servers,
+ password => 'a_big_secret',
+ user_domain_name => 'Default',
+ project_domain_name => 'Default',
+ auth_url => $::openstack_integration::config::keystone_admin_uri,
+ www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
+ memcached_servers => $::openstack_integration::config::memcached_servers,
+ service_token_roles_required => true,
 }
 class { 'magnum::db::mysql':
diff --git a/manifests/manila.pp b/manifests/manila.pp
index 71682c73c..f0ada4e73 100644
--- a/manifests/manila.pp
+++ b/manifests/manila.pp
@@ -43,6 +43,7 @@ class openstack_integration::manila (
 public_url_v2 => "${::openstack_integration::config::base_url}:8786/v2",
 internal_url_v2 => "${::openstack_integration::config::base_url}:8786/v2",
 admin_url_v2 => "${::openstack_integration::config::base_url}:8786/v2",
+ roles => ['admin', 'service'],
 password => 'a_big_secret',
 configure_user_v2 => false,
 configure_user_role_v2 => false,
@@ -82,12 +83,13 @@ class openstack_integration::manila (
 amqp_sasl_mechanisms => 'PLAIN',
 }
 class { 'manila::keystone::authtoken':
- password => 'a_big_secret',
- user_domain_name => 'Default',
- project_domain_name => 'Default',
- auth_url => $::openstack_integration::config::keystone_admin_uri,
- www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
- memcached_servers => $::openstack_integration::config::memcached_servers,
+ password => 'a_big_secret',
+ user_domain_name => 'Default',
+ project_domain_name => 'Default',
+ auth_url => $::openstack_integration::config::keystone_admin_uri,
+ www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
+ memcached_servers => $::openstack_integration::config::memcached_servers,
+ service_token_roles_required => true,
 }
 class { 'manila::api':
 service_name => 'httpd',
diff --git a/manifests/mistral.pp b/manifests/mistral.pp
index d17a02b8f..3e66a5c56 100644
--- a/manifests/mistral.pp
+++ b/manifests/mistral.pp
@@ -15,12 +15,13 @@ class openstack_integration::mistral {
 Exec['update-ca-certificates'] ~> Service['httpd']
 }
 class { 'mistral::keystone::authtoken':
- password => 'a_big_secret',
- user_domain_name => 'Default',
- project_domain_name => 'Default',
- auth_url => $::openstack_integration::config::keystone_admin_uri,
- www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
- memcached_servers => $::openstack_integration::config::memcached_servers,
+ password => 'a_big_secret',
+ user_domain_name => 'Default',
+ project_domain_name => 'Default',
+ auth_url => $::openstack_integration::config::keystone_admin_uri,
+ www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
+ memcached_servers => $::openstack_integration::config::memcached_servers,
+ service_token_roles_required => true,
 }
 class { 'mistral::logging':
 debug => true,
@@ -50,6 +51,7 @@ class openstack_integration::mistral {
 public_url => "${::openstack_integration::config::base_url}:8989/v2",
 admin_url => "${::openstack_integration::config::base_url}:8989/v2",
 internal_url => "${::openstack_integration::config::base_url}:8989/v2",
+ roles => ['admin', 'service'],
 password => 'a_big_secret',
 }
 class { 'mistral::db::mysql':
diff --git a/manifests/murano.pp b/manifests/murano.pp
index ab8f5b05e..aed85a3a1 100644
--- a/manifests/murano.pp
+++ b/manifests/murano.pp
@@ -65,12 +65,13 @@ class openstack_integration::murano {
 }),
 }
 class { 'murano::keystone::authtoken':
- password => 'a_big_secret',
- user_domain_name => 'Default',
- project_domain_name => 'Default',
- auth_url => $::openstack_integration::config::keystone_admin_uri,
- www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
- memcached_servers => $::openstack_integration::config::memcached_servers,
+ password => 'a_big_secret',
+ user_domain_name => 'Default',
+ project_domain_name => 'Default',
+ auth_url => $::openstack_integration::config::keystone_admin_uri,
+ www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
+ memcached_servers => $::openstack_integration::config::memcached_servers,
+ service_token_roles_required => true,
 }
 class { 'murano':
 default_transport_url => os_transport_url({
@@ -99,10 +100,11 @@ class openstack_integration::murano {
 class { 'murano::engine': }
 class { 'murano::keystone::auth':
- password => 'a_big_secret',
 public_url => "${::openstack_integration::config::base_url}:8082",
 internal_url => "${::openstack_integration::config::base_url}:8082",
 admin_url => "${::openstack_integration::config::base_url}:8082",
+ roles => ['admin', 'service'],
+ password => 'a_big_secret',
 }
 -> murano_application { 'io.murano':
 package_path => "${application_package_path}/io.murano.zip",
diff --git a/manifests/neutron.pp b/manifests/neutron.pp
index 2b79158d6..e79a2347b 100644
--- a/manifests/neutron.pp
+++ b/manifests/neutron.pp
@@ -157,6 +157,7 @@ class openstack_integration::neutron (
 public_url => "${::openstack_integration::config::base_url}:9696",
 internal_url => "${::openstack_integration::config::base_url}:9696",
 admin_url => "${::openstack_integration::config::base_url}:9696",
+ roles => ['admin', 'service'],
 password => 'a_big_secret',
 }
@@ -240,12 +241,13 @@ class openstack_integration::neutron (
 }
 class { 'neutron::client': }
 class { 'neutron::keystone::authtoken':
- password => 'a_big_secret',
- user_domain_name => 'Default',
- project_domain_name => 'Default',
- auth_url => $::openstack_integration::config::keystone_admin_uri,
- www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
- memcached_servers => $::openstack_integration::config::memcached_servers,
+ password => 'a_big_secret',
+ user_domain_name => 'Default',
+ project_domain_name => 'Default',
+ auth_url => $::openstack_integration::config::keystone_admin_uri,
+ www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
+ memcached_servers => $::openstack_integration::config::memcached_servers,
+ service_token_roles_required => true,
 }
 if $facts['os']['family'] == 'Debian' {
diff --git a/manifests/nova.pp b/manifests/nova.pp
index 7016b46d9..2f6a01a92 100644
--- a/manifests/nova.pp
+++ b/manifests/nova.pp
@@ -105,12 +105,13 @@ class openstack_integration::nova (
 password => 'a_big_secret',
 }
 class { 'nova::keystone::authtoken':
- password => 'a_big_secret',
- user_domain_name => 'Default',
- project_domain_name => 'Default',
- auth_url => $::openstack_integration::config::keystone_admin_uri,
- www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
- memcached_servers => $::openstack_integration::config::memcached_servers,
+ password => 'a_big_secret',
+ user_domain_name => 'Default',
+ project_domain_name => 'Default',
+ auth_url => $::openstack_integration::config::keystone_admin_uri,
+ www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
+ memcached_servers => $::openstack_integration::config::memcached_servers,
+ service_token_roles_required => true,
 }
 class { 'nova::keystone::service_user':
 send_service_user_token => true,
@@ -199,6 +200,12 @@ class openstack_integration::nova (
 auth_endpoint => "${::openstack_integration::config::keystone_auth_uri}/v3",
 barbican_endpoint => "${::openstack_integration::config::base_url}:9311"
 }
+ class { 'nova::key_manager::barbican::service_user':
+ password => 'a_big_secret',
+ user_domain_name => 'Default',
+ project_domain_name => 'Default',
+ auth_url => $::openstack_integration::config::keystone_admin_uri,
+ }
 }
 class { 'nova::compute':
 vnc_enabled => true,
diff --git a/manifests/octavia.pp b/manifests/octavia.pp
index b88214432..84df4180e 100644
--- a/manifests/octavia.pp
+++ b/manifests/octavia.pp
@@ -103,15 +103,17 @@ class openstack_integration::octavia (
 public_url => "${::openstack_integration::config::base_url}:9876",
 internal_url => "${::openstack_integration::config::base_url}:9876",
 admin_url => "${::openstack_integration::config::base_url}:9876",
+ roles => ['admin', 'service'],
 password => 'a_big_secret',
 }
 class { 'octavia::keystone::authtoken':
- password => 'a_big_secret',
- user_domain_name => 'Default',
- project_domain_name => 'Default',
- auth_url => $::openstack_integration::config::keystone_admin_uri,
- www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
- memcached_servers => $::openstack_integration::config::memcached_servers,
+ password => 'a_big_secret',
+ user_domain_name => 'Default',
+ project_domain_name => 'Default',
+ auth_url => $::openstack_integration::config::keystone_admin_uri,
+ www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
+ memcached_servers => $::openstack_integration::config::memcached_servers,
+ service_token_roles_required => true,
 }
 File { '/etc/octavia/certs':
diff --git a/manifests/placement.pp b/manifests/placement.pp
index 613371ff1..0482580f1 100644
--- a/manifests/placement.pp
+++ b/manifests/placement.pp
@@ -27,15 +27,17 @@ class openstack_integration::placement {
 public_url => "${::openstack_integration::config::base_url}:8778",
 internal_url => "${::openstack_integration::config::base_url}:8778",
 admin_url => "${::openstack_integration::config::base_url}:8778",
+ roles => ['admin', 'service'],
 password => 'a_big_secret',
 }
 class { 'placement::keystone::authtoken':
- password => 'a_big_secret',
- user_domain_name => 'Default',
- project_domain_name => 'Default',
- auth_url => $::openstack_integration::config::keystone_admin_uri,
- www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
- memcached_servers => $::openstack_integration::config::memcached_servers,
+ password => 'a_big_secret',
+ user_domain_name => 'Default',
+ project_domain_name => 'Default',
+ auth_url => $::openstack_integration::config::keystone_admin_uri,
+ www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
+ memcached_servers => $::openstack_integration::config::memcached_servers,
+ service_token_roles_required => true,
 }
 class { 'placement::logging':
 debug => true,
diff --git a/manifests/sahara.pp b/manifests/sahara.pp
index eb47317e1..8256f0939 100644
--- a/manifests/sahara.pp
+++ b/manifests/sahara.pp
@@ -35,6 +35,7 @@ class openstack_integration::sahara (
 public_url => "${::openstack_integration::config::base_url}:8386",
 internal_url => "${::openstack_integration::config::base_url}:8386",
 admin_url => "${::openstack_integration::config::base_url}:8386",
+ roles => ['admin', 'service'],
 password => 'a_big_secret',
 }
 class { 'sahara::logging':
@@ -64,12 +65,13 @@ class openstack_integration::sahara (
 amqp_sasl_mechanisms => 'PLAIN',
 }
 class { 'sahara::keystone::authtoken':
- password => 'a_big_secret',
- user_domain_name => 'Default',
- project_domain_name => 'Default',
- auth_url => $::openstack_integration::config::keystone_admin_uri,
- www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
- memcached_servers => $::openstack_integration::config::memcached_servers,
+ password => 'a_big_secret',
+ user_domain_name => 'Default',
+ project_domain_name => 'Default',
+ auth_url => $::openstack_integration::config::keystone_admin_uri,
+ www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
+ memcached_servers => $::openstack_integration::config::memcached_servers,
+ service_token_roles_required => true,
 }
 class { 'sahara::service::api':
 service_name => 'httpd',
diff --git a/manifests/swift.pp b/manifests/swift.pp
index 73ec89209..190eb7807 100644
--- a/manifests/swift.pp
+++ b/manifests/swift.pp
@@ -72,9 +72,10 @@ class openstack_integration::swift {
 include swift::proxy::tempurl
 include swift::proxy::ratelimit
 class { 'swift::proxy::authtoken':
- www_authenticate_uri => "${::openstack_integration::config::keystone_auth_uri}/v3",
- auth_url => "${::openstack_integration::config::keystone_admin_uri}/",
- password => 'a_big_secret',
+ www_authenticate_uri => "${::openstack_integration::config::keystone_auth_uri}/v3",
+ auth_url => "${::openstack_integration::config::keystone_admin_uri}/",
+ password => 'a_big_secret',
+ service_token_roles_required => true,
 }
 class { 'swift::proxy::keystone':
 operator_roles => ['member', 'admin', 'SwiftOperator']
@@ -99,6 +100,7 @@ class openstack_integration::swift {
 public_url_s3 => "http://${::openstack_integration::config::ip_for_url}:8080",
 admin_url_s3 => "http://${::openstack_integration::config::ip_for_url}:8080",
 internal_url_s3 => "http://${::openstack_integration::config::ip_for_url}:8080",
+ roles => ['admin', 'service'],
 password => 'a_big_secret',
 operator_roles => ['admin', 'SwiftOperator', 'ResellerAdmin'],
 }
diff --git a/manifests/trove.pp b/manifests/trove.pp
index 6e2d8ad18..d68182f72 100644
--- a/manifests/trove.pp
+++ b/manifests/trove.pp
@@ -55,18 +55,20 @@ class openstack_integration::trove {
 host => $::openstack_integration::config::host,
 }
 class { 'trove::keystone::auth':
- password => 'a_big_secret',
 public_url => "${::openstack_integration::config::base_url}:8779/v1.0/%(tenant_id)s",
 internal_url => "${::openstack_integration::config::base_url}:8779/v1.0/%(tenant_id)s",
 admin_url => "${::openstack_integration::config::base_url}:8779/v1.0/%(tenant_id)s",
+ roles => ['admin', 'service'],
+ password => 'a_big_secret',
 }
 class { 'trove::keystone::authtoken':
- password => 'a_big_secret',
- user_domain_name => 'Default',
- project_domain_name => 'Default',
- auth_url => $::openstack_integration::config::keystone_admin_uri,
- www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
- memcached_servers => $::openstack_integration::config::memcached_servers,
+ password => 'a_big_secret',
+ user_domain_name => 'Default',
+ project_domain_name => 'Default',
+ auth_url => $::openstack_integration::config::keystone_admin_uri,
+ www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
+ memcached_servers => $::openstack_integration::config::memcached_servers,
+ service_token_roles_required => true,
 }
 class { 'trove::api::service_credentials':
 password => 'a_big_secret',
diff --git a/manifests/vitrage.pp b/manifests/vitrage.pp
index 223fcba38..2b43afdd7 100644
--- a/manifests/vitrage.pp
+++ b/manifests/vitrage.pp
@@ -83,15 +83,17 @@ class openstack_integration::vitrage {
 public_url => "${::openstack_integration::config::base_url}:8999",
 internal_url => "${::openstack_integration::config::base_url}:8999",
 admin_url => "${::openstack_integration::config::base_url}:8999",
+ roles => ['admin', 'service'],
 password => 'a_big_secret',
 }
 class { 'vitrage::keystone::authtoken':
- password => 'a_big_secret',
- user_domain_name => 'Default',
- project_domain_name => 'Default',
- auth_url => $::openstack_integration::config::keystone_admin_uri,
- www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
- memcached_servers => $::openstack_integration::config::memcached_servers,
+ password => 'a_big_secret',
+ user_domain_name => 'Default',
+ project_domain_name => 'Default',
+ auth_url => $::openstack_integration::config::keystone_admin_uri,
+ www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
+ memcached_servers => $::openstack_integration::config::memcached_servers,
+ service_token_roles_required => true,
 }
 class { 'vitrage::api':
 enabled => true,
diff --git a/manifests/watcher.pp b/manifests/watcher.pp
index d2367156d..a30c71544 100644
--- a/manifests/watcher.pp
+++ b/manifests/watcher.pp
@@ -33,19 +33,21 @@ class openstack_integration::watcher {
 }),
 }
 class { 'watcher::keystone::auth':
- password => 'a_big_secret',
 public_url => "${::openstack_integration::config::base_url}:9322",
 admin_url => "${::openstack_integration::config::base_url}:9322",
 internal_url => "${::openstack_integration::config::base_url}:9322",
+ roles => ['admin', 'service'],
+ password => 'a_big_secret',
 }
 class {'watcher::keystone::authtoken':
- password => 'a_big_secret',
- auth_version => 'v3',
- user_domain_name => 'Default',
- project_domain_name => 'Default',
- auth_url => "${::openstack_integration::config::keystone_admin_uri}/v3",
- www_authenticate_uri => "${::openstack_integration::config::keystone_auth_uri}/v3",
- memcached_servers => $::openstack_integration::config::memcached_servers,
+ password => 'a_big_secret',
+ auth_version => 'v3',
+ user_domain_name => 'Default',
+ project_domain_name => 'Default',
+ auth_url => "${::openstack_integration::config::keystone_admin_uri}/v3",
+ www_authenticate_uri => "${::openstack_integration::config::keystone_auth_uri}/v3",
+ memcached_servers => $::openstack_integration::config::memcached_servers,
+ service_token_roles_required => true,
 }
 class { 'watcher::logging':
 debug => true,
diff --git a/manifests/zaqar.pp b/manifests/zaqar.pp
index 3030b5e7d..d274b62dd 100644
--- a/manifests/zaqar.pp
+++ b/manifests/zaqar.pp
@@ -19,11 +19,11 @@ class openstack_integration::zaqar {
 host => $::openstack_integration::config::host,
 }
 class { 'zaqar::keystone::auth':
- password => 'a_big_secret',
- roles => ['admin', 'ResellerAdmin'],
 public_url => "${::openstack_integration::config::base_url}:8888",
 internal_url => "${::openstack_integration::config::base_url}:8888",
 admin_url => "${::openstack_integration::config::base_url}:8888",
+ roles => ['admin', 'service'],
+ password => 'a_big_secret',
 }
 class { 'zaqar::keystone::auth_websocket':
 public_url => "ws://${::openstack_integration::config::ip_for_url}:8888",
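Review bot: The zaqar hunk replaces `roles => ['admin', 'ResellerAdmin']` with `roles => ['admin', 'service']`, so the zaqar service user silently loses ResellerAdmin, which the commit message does not mention. Zaqar's storage is swift in this deployment (`uri => 'swift://zaqar:a_big_secret@/services'` in the following hunk) and the swift proxy lists ResellerAdmin among its `operator_roles` (`['admin', 'SwiftOperator', 'ResellerAdmin']` in the swift hunk), so that role is likely what lets zaqar operate on containers of other projects; if so the line should read `roles => ['admin', 'service', 'ResellerAdmin'],`. If dropping it is intentional, the commit message should say so, since the resulting failure would only surface at runtime in the swift backend.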
@@ -46,12 +46,13 @@ class openstack_integration::zaqar {
 uri => 'swift://zaqar:a_big_secret@/services',
 }
 class {'zaqar::keystone::authtoken':
- password => 'a_big_secret',
- user_domain_name => 'Default',
- project_domain_name => 'Default',
- auth_url => $::openstack_integration::config::keystone_admin_uri,
- www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
- memcached_servers => $::openstack_integration::config::memcached_servers,
+ password => 'a_big_secret',
+ user_domain_name => 'Default',
+ project_domain_name => 'Default',
+ auth_url => $::openstack_integration::config::keystone_admin_uri,
+ www_authenticate_uri => $::openstack_integration::config::keystone_auth_uri,
+ memcached_servers => $::openstack_integration::config::memcached_servers,
+ service_token_roles_required => true,
 }
 class {'zaqar':
 unreliable => true,