#
# This class can be used to manage keystone's authtoken middleware
# for swift proxy
#
# == Parameters
#
# [*password*]
# (Required) The password for the user
#
# [*delay_auth_decision*]
# (Optional) Do not handle authorization requests within the middleware, but
# delegate the authorization decision to downstream WSGI components. Boolean value
# Defaults to 1
#
# [*cache*]
# The cache backend to use
# Optional. Defaults to 'swift.cache'
#
# [*www_authenticate_uri*]
# (Optional) Complete public Identity API endpoint.
# Defaults to 'http://127.0.0.1:5000'
#
# [*auth_url*]
# (Optional) The URL to use for authentication.
# Defaults to 'http://127.0.0.1:5000'
#
# [*auth_type*]
# (Optional) The plugin for authentication
# Defaults to 'password'
#
# [*username*]
# (Optional) The name of the service user
# Defaults to 'swift'
#
# [*user_domain_id*]
# (Optional) id of domain for $username
# Defaults to 'default'
#
# [*project_name*]
# (Optional) Service project name
# Defaults to 'services'
#
# [*project_domain_id*]
# (Optional) id of domain for $project_name
# Defaults to 'default'
#
# [*system_scope*]
# (Optional) Scope for system operations
# Defaults to $facts['os_service_default']
#
# [*region_name*]
# (Optional) The region in which the identity server can be found.
# Defaults to $facts['os_service_default'].
#
# [*include_service_catalog*]
# (Optional) Indicate whether to set the X-Service-Catalog header. If False,
# middleware will not ask for service catalog on token validation and will
# not set the X-Service-Catalog header. Boolean value.
# Defaults to false
#
# [*service_token_roles*]
# (Optional) A choice of roles that must be present in a service token.
# Service tokens are allowed to request that an expired token
# can be used and so this check should tightly control that
# only actual services should be sending this token. Roles
# here are applied as an ANY check, so at least one role in this
# list must be present. For backwards compatibility reasons this
# currently only affects the allow_expired check. (list value)
# Defaults to $facts['os_service_default'].
#
# [*service_token_roles_required*]
# (Optional) Backwards compatibility switch to ensure that service tokens
# are compared against a list of possible roles for validity.
# true/false
# Defaults to $facts['os_service_default'].
#
# [*service_type*]
# (Optional) The name or type of the service as it appears in the service
# catalog. This is used to validate tokens that have restricted access rules.
# Defaults to $facts['os_service_default'].
#
# [*interface*]
# (Optional) Interface to use for the Identity API endpoint. Valid values are
# "public", "internal" or "admin".
# Defaults to $facts['os_service_default'].
#
# == Authors
#
# Dan Bode dan@puppetlabs.com
#
# == Copyright
#
# Copyright 2012 Puppetlabs Inc, unless otherwise noted.
#
class swift::proxy::authtoken(
  String[1] $password,
  $delay_auth_decision          = 1,
  $cache                        = 'swift.cache',
  $www_authenticate_uri         = 'http://127.0.0.1:5000',
  $auth_url                     = 'http://127.0.0.1:5000',
  $auth_type                    = 'password',
  $username                     = 'swift',
  $user_domain_id               = 'default',
  $project_name                 = 'services',
  $project_domain_id            = 'default',
  $system_scope                 = $facts['os_service_default'],
  $region_name                  = $facts['os_service_default'],
  $include_service_catalog      = false,
  $service_token_roles          = $facts['os_service_default'],
  $service_token_roles_required = $facts['os_service_default'],
  $service_type                 = $facts['os_service_default'],
  $interface                    = $facts['os_service_default'],
) inherits swift::params {

  include swift::deps

  if is_service_default($system_scope) {
    $project_name_real      = $project_name
    $project_domain_id_real = $project_domain_id
  } else {
    $project_name_real      = $facts['os_service_default']
    $project_domain_id_real = $facts['os_service_default']
  }

  swift_proxy_config {
    'filter:authtoken/log_name':                     value => 'swift';
    'filter:authtoken/paste.filter_factory':         value => 'keystonemiddleware.auth_token:filter_factory';
    'filter:authtoken/www_authenticate_uri':         value => $www_authenticate_uri;
    'filter:authtoken/auth_url':                     value => $auth_url;
    'filter:authtoken/auth_type':                    value => $auth_type;
    'filter:authtoken/username':                     value => $username;
    'filter:authtoken/user_domain_id':               value => $user_domain_id;
    'filter:authtoken/password':                     value => $password, secret => true;
    'filter:authtoken/project_name':                 value => $project_name_real;
    'filter:authtoken/project_domain_id':            value => $project_domain_id_real;
    'filter:authtoken/system_scope':                 value => $system_scope;
    'filter:authtoken/region_name':                  value => $region_name;
    'filter:authtoken/delay_auth_decision':          value => $delay_auth_decision;
    'filter:authtoken/cache':                        value => $cache;
    'filter:authtoken/include_service_catalog':      value => $include_service_catalog;
    'filter:authtoken/service_token_roles':          value => join(any2array($service_token_roles), ',');
    'filter:authtoken/service_token_roles_required': value => $service_token_roles_required;
    'filter:authtoken/service_type':                 value => $service_type;
    'filter:authtoken/interface':                    value => $interface,
  }
}
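
An added example, not part of this manifest: a Python audit of the `[filter:authtoken]` keys this class writes, run over two constructed proxy-server.conf samples. The `keystoneauth` filter name, the pipeline contents, the finding labels and the assumption that a key left at `os_service_default` is absent from the rendered file are the example's own.

```python
import configparser

SECTION = "filter:authtoken"
TRUE = {"1", "true", "yes", "on"}

# Constructed sample using the class's default URLs (not from the page).
DEFAULTS_CONF = """\
[pipeline:main]
pipeline = catch_errors cache authtoken proxy-server

[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
www_authenticate_uri = http://127.0.0.1:5000
auth_url = http://127.0.0.1:5000
username = swift
password = constructed-placeholder
delay_auth_decision = 1
"""

# Constructed sample with the findings addressed.
HARDENED_CONF = """\
[pipeline:main]
pipeline = catch_errors cache authtoken keystoneauth proxy-server

[filter:authtoken]
www_authenticate_uri = https://keystone.example.com:5000
auth_url = https://keystone.example.com:5000
delay_auth_decision = 1
service_token_roles = service
service_token_roles_required = true
"""

def audit_authtoken(text, authz_filter="keystoneauth"):
    """Return findings for the keys swift::proxy::authtoken writes."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    if not cp.has_section(SECTION):
        return ["no-authtoken-section"]
    opt = dict(cp.items(SECTION))
    findings = [f"plain-http:{k}" for k in ("www_authenticate_uri", "auth_url")
                if not opt.get(k, "").lower().startswith("https://")]
    # A key left at os_service_default is assumed absent from the file.
    if opt.get("service_token_roles_required", "").lower() not in TRUE:
        findings.append("service-token-roles-not-enforced")
    # With delay_auth_decision on, a later filter must authorize the request.
    if opt.get("delay_auth_decision", "").lower() in TRUE:
        pipe = cp.get("pipeline:main", "pipeline", fallback="").split()
        after = pipe[pipe.index("authtoken") + 1:] if "authtoken" in pipe else []
        if authz_filter not in after:
            findings.append("delayed-auth-without-authz-filter")
    return findings
```
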