From becca2e139d389f579d5241e9dfa499267aeecec Mon Sep 17 00:00:00 2001
From: Emilien Macchi
Date: Mon, 15 Feb 2016 13:16:09 -0500
Subject: [PATCH] disabling the admin_token after bootstrap

The keystone documentation highly recommends disabling the admin_token authentication after the initial bootstrap because it exposes a major attack vector.

A patch in puppet-keystone [1] added the support to remove admin_token_auth keyword from the pipeline lists.

This patch aims to use this new class when deploying Keystone.

[1] https://review.openstack.org/#/c/256248

Change-Id: Ic545005122a0f7b92b8a9d3f1e4978b397bfc9c2
---
 manifests/keystone.pp  | 11 +++++++++++
 manifests/provision.pp |  1 +
 2 files changed, 12 insertions(+)

diff --git a/manifests/keystone.pp b/manifests/keystone.pp
index c7335e29f..9af2123f4 100644
--- a/manifests/keystone.pp
+++ b/manifests/keystone.pp
@@ -43,5 +43,16 @@ class openstack_integration::keystone (
   class { '::keystone::endpoint':
     default_domain => $default_domain,
   }
+  class { '::keystone::disable_admin_token_auth': }
+  if $default_domain {
+    $default_domain_real = $default_domain
+  } else {
+    $default_domain_real = 'default'
+  }
+  class { '::openstack_extras::auth_file':
+    password       => 'a_big_secret',
+    project_domain => $default_domain_real,
+    user_domain    => $default_domain_real,
+  }
 }
diff --git a/manifests/provision.pp b/manifests/provision.pp
index b8484e12d..2d15c3dbc 100644
--- a/manifests/provision.pp
+++ b/manifests/provision.pp
@@ -88,4 +88,5 @@ class openstack_integration::provision {
     # source => '/home/jenkins/cache/files/cirros-0.3.4-x86_64-disk.img',
     source => 'http://download.cirros-cloud.net/0.3.4/cirros-0.3.4-x86_64-disk.img',
   }
+  Keystone_user_role['admin@openstack'] -> Glance_image<||>
 }
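Review bot: The password handed to `::openstack_extras::auth_file` is the literal `'a_big_secret'`, which must match the admin password given to the keystone classes elsewhere in this manifest (not visible in the hunk); once `::keystone::disable_admin_token_auth` removes admin_token_auth from the pipeline, the auth file is the only credential left for the OpenStack providers, so a drift between the two literals would break every later resource rather than just this one. Holding the value in a single place, e.g. `$admin_password = 'a_big_secret'` referenced from both declarations, removes the duplication. The hunk also states no ordering between disabling admin-token auth and the bootstrap resources (users, roles, endpoints) that may still authenticate with the token; if `::keystone::disable_admin_token_auth` does not enforce that itself — I cannot tell from here — an explicit relationship is needed. A comment above the declaration, `# Remove admin_token_auth from the paste pipeline; everything after this authenticates through the auth file`, would record the intent. The enclosing class openstack_integration::keystone starts outside the hunk.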
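Review bot: The new relationship `Keystone_user_role['admin@openstack'] -> Glance_image<||>` carries no comment saying why it exists, and its link to admin-token auth being disabled in keystone.pp is not visible from this file, so a later reader is likely to drop it as redundant. A comment such as `# glance_image authenticates as admin via the auth file once admin_token_auth is disabled, so the admin role must exist before any image is created` would keep the two changes connected. Note that `Glance_image<||>` is a collector and realizes every virtual glance_image resource in the catalog as a side effect of declaring the ordering, and that the title `admin@openstack` is coupled to a resource declared in another manifest. The enclosing class openstack_integration::provision starts outside the hunk.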