X-Git-Url: https://gerrit.o-ran-sc.org/r/gitweb?a=blobdiff_plain;f=meta-stx%2Frecipes-support%2Fpuppet%2Ffiles%2Fpuppet-keystone%2F0001-pike-rebase-squash-titanium-patches.patch;fp=meta-stx%2Frecipes-support%2Fpuppet%2Ffiles%2Fpuppet-keystone%2F0001-pike-rebase-squash-titanium-patches.patch;h=69858acc8a4383b025192c53e8222e9b41ec9f0c;hb=57fdea704bd62af847872c40508f00aa1d7cac60;hp=0000000000000000000000000000000000000000;hpb=f23f21bccfb750b9e30141fd9676515215ffbc4e;p=pti%2Frtp.git diff --git a/meta-stx/recipes-support/puppet/files/puppet-keystone/0001-pike-rebase-squash-titanium-patches.patch b/meta-stx/recipes-support/puppet/files/puppet-keystone/0001-pike-rebase-squash-titanium-patches.patch new file mode 100644 index 0000000..69858ac --- /dev/null +++ b/meta-stx/recipes-support/puppet/files/puppet-keystone/0001-pike-rebase-squash-titanium-patches.patch @@ -0,0 +1,440 @@ +From 2c51d6f4ccf4a473089c08857262e769f7a8fc3a Mon Sep 17 00:00:00 2001 +From: Al Bailey +Date: Thu, 7 Mar 2019 13:43:40 -0600 +Subject: [PATCH 1/4] WRS: Patch1: + 0001-pike-rebase-squash-titanium-patches.patch + +--- + lib/puppet/provider/keystone.rb | 79 ++++++++++++++++++++++- + manifests/db/sync.pp | 3 + + manifests/init.pp | 76 +++++++++++++++++----- + manifests/ldap.pp | 7 ++ + manifests/logging.pp | 2 +- + manifests/resource/service_identity.pp | 7 ++ + manifests/security_compliance.pp | 45 +++++++++++++ + spec/classes/keystone_security_compliance_spec.rb | 19 ++++++ + 8 files changed, 220 insertions(+), 18 deletions(-) + create mode 100644 manifests/security_compliance.pp + create mode 100644 spec/classes/keystone_security_compliance_spec.rb + +diff --git a/lib/puppet/provider/keystone.rb b/lib/puppet/provider/keystone.rb +index 3841418..0857ac1 100644 +--- a/lib/puppet/provider/keystone.rb ++++ b/lib/puppet/provider/keystone.rb +@@ -3,6 +3,7 @@ require 'puppet/provider/openstack' + require 'puppet/provider/openstack/auth' + require 'puppet/provider/openstack/credentials' + require File.join(File.dirname(__FILE__), '..','..', 'puppet/provider/keystone/util') ++require 'hiera_puppet' + + class Puppet::Provider::Keystone < Puppet::Provider::Openstack + +@@ -230,12 +231,88 @@ class Puppet::Provider::Keystone < Puppet::Provider::Openstack + end + end + ++ ### WRS Modifications (Start) ### ++ ++ def self.hiera_lookup(key) ++ HieraPuppet.lookup(key, :undef, self, nil, :priority) ++ end ++ ++ def self.initial_config_primary? ++ return true if ENV['INITIAL_CONFIG_PRIMARY'] == "true" ++ end ++ ++ ++ def self.upgrading? ++ return true if hiera_lookup('platform::params::controller_upgrade') == true ++ end ++ + def self.request(service, action, properties=nil, options={}) + super + rescue Puppet::Error::OpenstackAuthInputError, Puppet::Error::OpenstackUnauthorizedError => error +- request_by_service_token(service, action, error, properties, options=options) ++ if initial_config_primary? ++ # admin user account might not have been created ++ request_by_service_token(service, action, error, properties) ++ else ++ if upgrading? ++ # when running the Keystone manifest during an upgrade ++ # (on controller-1), we need to use an AUTH token and ++ # a bypass URL since using the default AUTL URL will ++ # send the Request to the service catalog URL (internalURL), ++ # running on the non-upgraded controller-0 which cannot ++ # service this request ++ request_by_upgrading_token(service, action, error, properties) ++ else ++ request_by_admin_credential(service, action, error, properties) ++ end ++ end + end + ++ def self.request_by_admin_credential(service, action, error, properties=nil) ++ properties ||= [] ++ @credentials.username = hiera_lookup('platform::client::params::admin_username') ++ @credentials.password = hiera_lookup('keystone::admin_password') ++ @credentials.project_name = 'admin' ++ @credentials.auth_url = service_url ++ @credentials.identity_api_version = @credentials.version ++ if @credentials.version == '3' ++ @credentials.user_domain_name = hiera_lookup('platform::client::params::admin_user_domain') ++ @credentials.project_domain_name = hiera_lookup('platform::client::params::admin_project_domain') ++ end ++ raise error unless @credentials.set? ++ Puppet::Provider::Openstack.request(service, action, properties, @credentials) ++ end ++ ++ def self.get_upgrade_token ++ upgrade_token_file = hiera_lookup('openstack::keystone::upgrade::upgrade_token_file') ++ # the upgrade token file may get refreshed by the same Puppet event ++ # that triggered this call, and therefore may not be available ++ # immediately. Try for timeout before quitting with error ++ timeout = 10 # 10 seconds ++ 1.upto(timeout) do |iter| ++ if File.exists?(upgrade_token_file) ++ upgrade_token = File.read(upgrade_token_file).strip ++ notice("Found #{upgrade_token_file} token file and upgrade token #{upgrade_token}.") ++ return upgrade_token ++ else ++ Puppet.debug("#{upgrade_token_file} not found. Retrying for #{iter} more seconds.") ++ sleep(1) ++ end ++ end ++ raise(Puppet::ExecutionFailure, "Can't retrieve #{upgrade_token_file} in #{timeout}s retry attempts.") ++ end ++ ++ ++ def self.request_by_upgrading_token(service, action, error, properties=nil, options={}) ++ properties ||= [] ++ @credentials.token = get_upgrade_token ++ @credentials.url = hiera_lookup('openstack::keystone::upgrade::url') ++ raise error unless @credentials.service_token_set? ++ Puppet::Provider::Openstack.request(service, action, properties, @credentials, options) ++ end ++ ++ ### WRS Additions (End) ### ++ ++ + def self.request_by_service_token(service, action, error, properties=nil, options={}) + properties ||= [] + @credentials.token = admin_token +diff --git a/manifests/db/sync.pp b/manifests/db/sync.pp +index cee869b..cea217c 100644 +--- a/manifests/db/sync.pp ++++ b/manifests/db/sync.pp +@@ -36,5 +36,8 @@ class keystone::db::sync( + ], + notify => Anchor['keystone::dbsync::end'], + tag => 'keystone-exec', ++ # Only do the db sync if both controllers are running the same software ++ # version. Avoids impacting mate controller during an upgrade. ++ onlyif => "test $::controller_sw_versions_match = true", + } + } +diff --git a/manifests/init.pp b/manifests/init.pp +index 2adc685..4d79d30 100644 +--- a/manifests/init.pp ++++ b/manifests/init.pp +@@ -28,6 +28,15 @@ + # The admin_token has been deprecated by the Keystone service and this + # will be deprecated in a future changeset. Required. + # ++# [*upgrade_token_cmd*] ++# (optional) WRS - if we are in an upgrade scenario, an upgrade token ++# will be required to bypass authentication. ++# Defaults to undef ++# ++# [*upgrade_token_file*] ++# (optional) WRS - the file where the upgrade token will be stowed ++# Defaults to undef ++# + # [*admin_password*] + # Keystone password for the admin user. This is not the admin_token. + # This is the password that the admin user signs into keystone with. +@@ -663,6 +672,8 @@ + # + class keystone( + $admin_token, ++ $upgrade_token_cmd = undef, ++ $upgrade_token_file = undef, + $admin_password = undef, + $package_ensure = 'present', + $client_package_ensure = 'present', +@@ -857,10 +868,13 @@ admin_token will be removed in a later release") + + keystone_config { + 'DEFAULT/admin_token': value => $admin_token, secret => true; ++ # WRS: the following options are deprecated for removal ++ # however public_bind_host and admin_bind_host are still required as long as ++ # keystone is running under eventlet + 'DEFAULT/public_bind_host': value => $public_bind_host; + 'DEFAULT/admin_bind_host': value => $admin_bind_host; +- 'DEFAULT/public_port': value => $public_port; +- 'DEFAULT/admin_port': value => $admin_port; ++ #'DEFAULT/public_port': value => $public_port; ++ #'DEFAULT/admin_port': value => $admin_port; + 'DEFAULT/member_role_id': value => $member_role_id; + 'DEFAULT/member_role_name': value => $member_role_name; + 'paste_deploy/config_file': value => $paste_config; +@@ -897,18 +911,21 @@ admin_token will be removed in a later release") + # ssl config + if ($enable_ssl) { + keystone_config { +- 'ssl/enable': value => true; ++ # WRS ssl/enable is deprecated for removal ++ #'ssl/enable': value => true; + 'ssl/certfile': value => $ssl_certfile; + 'ssl/keyfile': value => $ssl_keyfile; + 'ssl/ca_certs': value => $ssl_ca_certs; + 'ssl/ca_key': value => $ssl_ca_key; + 'ssl/cert_subject': value => $ssl_cert_subject; + } +- } else { +- keystone_config { +- 'ssl/enable': value => false; +- } + } ++ # WRS ssl/enable is deprecated for removal ++ # else { ++ # keystone_config { ++ # 'ssl/enable': value => false; ++ # } ++ #} + + if !is_service_default($memcache_servers) or !is_service_default($cache_memcache_servers) { + Service<| title == 'memcached' |> -> Anchor['keystone::service::begin'] +@@ -1016,14 +1033,15 @@ Fernet or UUID tokens are recommended.") + Fernet or UUID tokens are recommended.") + } + +- keystone_config { +- 'signing/certfile': value => $signing_certfile; +- 'signing/keyfile': value => $signing_keyfile; +- 'signing/ca_certs': value => $signing_ca_certs; +- 'signing/ca_key': value => $signing_ca_key; +- 'signing/cert_subject': value => $signing_cert_subject; +- 'signing/key_size': value => $signing_key_size; +- } ++ # WRS: the following signing options are deprecated for removal ++ #keystone_config { ++ # 'signing/certfile': value => $signing_certfile; ++ # 'signing/keyfile': value => $signing_keyfile; ++ # 'signing/ca_certs': value => $signing_ca_certs; ++ # 'signing/ca_key': value => $signing_ca_key; ++ # 'signing/cert_subject': value => $signing_cert_subject; ++ # 'signing/key_size': value => $signing_key_size; ++ #} + + # Only do pki_setup if we were asked to do so. This is needed + # regardless of the token provider since token revocation lists +@@ -1089,6 +1107,9 @@ Fernet or UUID tokens are recommended.") + heartbeat_rate => $rabbit_heartbeat_rate, + } + ++ # WRS: The following options are deprecated for removal ++ # however they are still required as long as keystone ++ # is running under eventlet + keystone_config { + 'eventlet_server/admin_workers': value => $admin_workers; + 'eventlet_server/public_workers': value => $public_workers; +@@ -1135,7 +1156,8 @@ Fernet or UUID tokens are recommended.") + validate => false, + } + } +- warning("Keystone under Eventlet has been deprecated during the Kilo cycle. \ ++ # Drop this to info. ++ info("Keystone under Eventlet has been deprecated during the Kilo cycle. \ + Support for deploying under eventlet will be dropped as of the M-release of OpenStack.") + } elsif $service_name == 'httpd' { + include ::apache::params +@@ -1280,6 +1302,27 @@ running as a standalone service, or httpd for being run by a httpd server") + } + } + ++ # WRS: Now that the keystone service has started, ++ # check if we are in an Upgrade scenario, and generate ++ # an upgrade token which will be used to bypass Keystone ++ # authentication (specifically the service catalog) for ++ # all operations during upgrades. ++ # This operation is similar to the keystone bootstrap ++ # operation (above) which would generate an admin ++ # token, and therefore also requires the database to ++ # be up and running and configured and is only run once, ++ # so we don't need to notify the service ++ if $upgrade_token_cmd and $upgrade_token_file { ++ exec { 'upgrade token issue': ++ command => "${upgrade_token_cmd} > ${upgrade_token_file}", ++ path => '/usr/bin', ++ creates => $upgrade_token_file, ++ subscribe => Service[$service_name], ++ notify => Anchor['keystone::service::end'], ++ tag => 'keystone-exec', ++ } ++ } ++ + if $using_domain_config { + validate_absolute_path($domain_config_directory) + # Better than ensure resource. We don't want to conflict with any +@@ -1311,4 +1354,5 @@ running as a standalone service, or httpd for being run by a httpd server") + {'value' => $domain_config_directory} + ) + } ++ + } +diff --git a/manifests/ldap.pp b/manifests/ldap.pp +index 11620bf..728ca40 100644 +--- a/manifests/ldap.pp ++++ b/manifests/ldap.pp +@@ -4,6 +4,11 @@ + # + # === parameters: + # ++# [*debug_level*] ++# LDAP debugging level for LDAP calls; a value of zero("0") disables ++# debugging. (integer value) ++# Defaults to 'undef' ++# + # [*url*] + # URL for connecting to the LDAP server. (string value) + # Defaults to 'undef' +@@ -384,6 +389,7 @@ + # Copyright 2012 Puppetlabs Inc, unless otherwise noted. + # + class keystone::ldap( ++ $debug_level = undef, + $url = undef, + $user = undef, + $password = undef, +@@ -494,6 +500,7 @@ class keystone::ldap( + } + + keystone_config { ++ 'ldap/debug_level': value => $debug_level; + 'ldap/url': value => $url; + 'ldap/user': value => $user; + 'ldap/password': value => $password, secret => true; +diff --git a/manifests/logging.pp b/manifests/logging.pp +index e737c4f..3d8df63 100644 +--- a/manifests/logging.pp ++++ b/manifests/logging.pp +@@ -110,7 +110,7 @@ class keystone::logging( + $log_file = $::os_service_default, + $debug = $::os_service_default, + $logging_context_format_string = $::os_service_default, +- $logging_default_format_string = $::os_service_default, ++ $logging_default_format_string = 'keystone:log %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s', + $logging_debug_format_suffix = $::os_service_default, + $logging_exception_prefix = $::os_service_default, + $logging_user_identity_format = $::os_service_default, +diff --git a/manifests/resource/service_identity.pp b/manifests/resource/service_identity.pp +index 09e7d94..243c9ec 100644 +--- a/manifests/resource/service_identity.pp ++++ b/manifests/resource/service_identity.pp +@@ -187,6 +187,8 @@ define keystone::resource::service_identity( + if $service_type { + ensure_resource('keystone_service', "${service_name_real}::${service_type}", { + 'ensure' => $ensure, ++ 'name' => $service_name_real, ++ 'type' => $service_type, + 'description' => $service_description, + }) + } else { +@@ -199,6 +201,9 @@ define keystone::resource::service_identity( + if $public_url and $admin_url and $internal_url { + ensure_resource('keystone_endpoint', "${region}/${service_name_real}::${service_type}", { + 'ensure' => $ensure, ++ 'name' => $service_name_real, ++ 'type' => $service_type, ++ 'region' => $region, + 'public_url' => $public_url, + 'admin_url' => $admin_url, + 'internal_url' => $internal_url, +@@ -210,6 +215,8 @@ define keystone::resource::service_identity( + if $public_url and $admin_url and $internal_url { + ensure_resource('keystone_endpoint', "${region}/${service_name_real}", { + 'ensure' => $ensure, ++ 'name' => $service_name_real, ++ 'region' => $region, + 'public_url' => $public_url, + 'admin_url' => $admin_url, + 'internal_url' => $internal_url, +diff --git a/manifests/security_compliance.pp b/manifests/security_compliance.pp +new file mode 100644 +index 0000000..64830ec +--- /dev/null ++++ b/manifests/security_compliance.pp +@@ -0,0 +1,45 @@ ++# == class: keystone::security_compliance ++# ++# Implements security compliance configuration for keystone. ++# ++# === parameters: ++# ++# [*unique_last_password_count*] ++# This controls the number of previous user password iterations ++# to keep in history, in order to enforce that newly created passwords ++# are unique. Setting the value to 1 (the default) disables this feature. ++# (integer value) ++# Defaults to 'undef' ++# ++# [*password_regex*] ++# The regular expression used to validate password strength ++# requirements. By default, the regular expression will match ++# any password. (string value) ++# Defaults to 'undef' ++# ++# [*password_regex_description*] ++# If a password fails to match the regular expression (*password_regex*), ++# the contents of this configuration will be returned to users to explain ++# why their requested password was insufficient. (string value) ++# Defaults to 'undef' ++# ++# === DEPRECATED group/name ++# ++# == Copyright ++# ++# Copyright 2017 Wind River Systems, unless otherwise noted. ++# ++class keystone::security_compliance( ++ $unique_last_password_count = undef, ++ $password_regex = undef, ++ $password_regex_description = undef, ++) { ++ ++ include ::keystone::deps ++ ++ keystone_config { ++ 'security_compliance/unique_last_password_count': value => $unique_last_password_count; ++ 'security_compliance/password_regex': value => $password_regex; ++ 'security_compliance/password_regex_description': value => $password_regex_description; ++ } ++} +diff --git a/spec/classes/keystone_security_compliance_spec.rb b/spec/classes/keystone_security_compliance_spec.rb +new file mode 100644 +index 0000000..d0d4724 +--- /dev/null ++++ b/spec/classes/keystone_security_compliance_spec.rb +@@ -0,0 +1,19 @@ ++require 'spec_helper' ++ ++describe 'keystone::security_compliance' do ++ describe 'with basic params' do ++ let :params do ++ { ++ :unique_last_password_count => 2, ++ :password_regex => '^(?=.*\d)(?=.*[a-zA-Z]).{7,}$', ++ :password_regex_description => 'password must be at least 7 characters long and contain 1 digit', ++ } ++ end ++ it 'should have basic params' do ++ # basic params ++ is_expected.to contain_keystone_config('security_compliance/unique_last_password_count').with_value('2') ++ is_expected.to contain_keystone_config('security_compliance/password_regex').with_value('^(?=.*\d)(?=.*[a-zA-Z]).{7,}$') ++ is_expected.to contain_keystone_config('security_compliance/password_regex_description').with_value('password must be at least 7 characters long and contain 1 digit') ++ end ++ end ++end +-- +1.8.3.1 +