2 # Module for managing keystone config.
7 # (optional) Desired ensure state of packages.
8 # accepts latest or specific versions.
11 # [*client_package_ensure*]
12 # (optional) Desired ensure state of the client package.
13 # accepts latest or specific versions.
14 # Defaults to present.
17 # (optional) Port that keystone binds to.
21 # (optional) DEPRECATED The port for the compute service.
25 # (optional) Port that can be used for admin tasks.
29 # Admin token that can be used to authenticate as a keystone
33 # (optional) Whether keystone should log at verbose level.
37 # (optional) Whether keystone should log at debug level.
41 # (optional) Use syslog for logging.
45 # (optional) Syslog facility to receive log lines.
46 # Defaults to 'LOG_USER'.
49 # (optional) Type of catalog that keystone uses to store endpoints and services.
50 # Defaults to sql. (Also accepts template)
53 # (optional) Catalog driver used by Keystone to store endpoints and services.
54 # Setting this value will override and ignore catalog_type.
57 # [*catalog_template_file*]
58 # (optional) Path to the catalog used if catalog_type equals 'template'.
59 # Defaults to '/etc/keystone/default_catalog.templates'
62 # (optional) Format keystone uses for tokens.
63 # Defaults to 'keystone.token.providers.uuid.Provider'
64 # Supports PKI, PKIZ, Fernet, and UUID.
67 # (optional) Driver to use for managing tokens.
68 # Defaults to 'keystone.token.persistence.backends.sql.Token'
70 # [*token_expiration*]
71 # (optional) Amount of time a token should remain valid (seconds).
72 # Defaults to 3600 (1 hour).
75 # (optional) Driver for token revocation.
76 # Defaults to 'keystone.contrib.revoke.backends.sql.Revoke'
79 # (optional) Directory created when token_provider is pki.
80 # Defaults to /var/cache/keystone.
82 # [*memcache_servers*]
83 # (optional) List of memcache servers in format of server:port.
84 # Used with token_driver 'keystone.token.backends.memcache.Token'.
85 # Defaults to false. Example: ['localhost:11211']
88 # (optional) Dogpile.cache backend module. It is recommended that Memcache with pooling
89 # (keystone.cache.memcache_pool) or Redis (dogpile.cache.redis) be used in production.
90 # This has no effects unless 'memcache_servers' is set.
91 # Defaults to 'keystone.common.cache.noop'
93 # [*cache_backend_argument*]
94 # (optional) List of arguments in format of argname:value supplied to the backend module.
95 # Specify this option once per argument to be passed to the dogpile.cache backend.
96 # This has no effects unless 'memcache_servers' is set.
99 # [*debug_cache_backend*]
100 # (optional) Extra debugging from the cache backend (cache keys, get/set/delete calls).
101 # This has no effects unless 'memcache_servers' is set.
105 # (optional) Toggle for token system caching. This has no effects unless 'memcache_servers' is set.
109 # (Optional) If Puppet should manage service startup / shutdown.
113 # (optional) If the keystone services should be enabled.
116 # [*database_connection*]
117 # (optional) Url used to connect to database.
118 # Defaults to sqlite:////var/lib/keystone/keystone.db
120 # [*database_idle_timeout*]
121 # (optional) Timeout when db connections should be reaped.
124 # [*enable_pki_setup*]
125 # (optional) Enable call to pki_setup to generate the cert for signing pki tokens and
126 # revocation lists if it doesn't already exist. This generates a cert and key stored in file
127 # locations based on the signing_certfile and signing_keyfile parameters below. If you are
128 # providing your own signing cert, make this false.
131 # [*signing_certfile*]
132 # (optional) Location of the cert file for signing pki tokens and revocation lists.
133 # Note that if this file already exists (i.e. you are providing your own signing cert),
134 # the file will not be overwritten, even if enable_pki_setup is set to true.
135 # Default: /etc/keystone/ssl/certs/signing_cert.pem
137 # [*signing_keyfile*]
138 # (optional) Location of the key file for signing pki tokens and revocation lists.
139 # Note that if this file already exists (i.e. you are providing your own signing cert), the file
140 # will not be overwritten, even if enable_pki_setup is set to true.
141 # Default: /etc/keystone/ssl/private/signing_key.pem
143 # [*signing_ca_certs*]
144 # (optional) Use this CA certs file along with signing_certfile/signing_keyfile for
145 # signing pki tokens and revocation lists.
146 # Default: /etc/keystone/ssl/certs/ca.pem
149 # (optional) Use this CA key file along with signing_certfile/signing_keyfile for signing
150 # pki tokens and revocation lists.
151 # Default: /etc/keystone/ssl/private/cakey.pem
153 # [*signing_cert_subject*]
154 # (optional) Certificate subject (auto generated certificate) for token signing.
155 # Defaults to '/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com'
157 # [*signing_key_size*]
158 # (optional) Key size (in bits) for token signing cert (auto generated certificate)
162 # (optional) Location of rabbitmq installation.
163 # Defaults to localhost.
166 # (optional) Port for rabbitmq instance.
170 # (optional) Location of rabbitmq installation.
173 # [*rabbit_password*]
174 # (optional) Password used to connect to rabbitmq.
178 # (optional) User used to connect to rabbitmq.
181 # [*rabbit_virtual_host*]
182 # (optional) The RabbitMQ virtual host.
186 # (optional) Connect over SSL for RabbitMQ
189 # [*kombu_ssl_ca_certs*]
190 # (optional) SSL certificate authority file (valid only if SSL enabled).
193 # [*kombu_ssl_certfile*]
194 # (optional) SSL cert file (valid only if SSL enabled).
197 # [*kombu_ssl_keyfile*]
198 # (optional) SSL key file (valid only if SSL enabled).
201 # [*kombu_ssl_version*]
202 # (optional) SSL version to use (valid only if SSL enabled).
203 # Valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may be
204 # available on some distributions; note that SSLv2 and SSLv3 are obsolete and widely considered insecure.
205 # Defaults to 'TLSv1'
207 # [*notification_driver*]
208 # RPC driver. Not enabled by default
210 # [*notification_topics*]
211 # (optional) AMQP topics to publish to when using the RPC notification driver.
214 # [*notification_format*]
215 # Format for the notifications. Valid values are 'basic' and 'cadf'.
218 # [*control_exchange*]
219 # (optional) AMQP exchange to connect to if using RabbitMQ or Qpid
222 # [*public_bind_host*]
223 # (optional) The IP address of the public network interface to listen on
224 # Defaults to '0.0.0.0'.
226 # [*admin_bind_host*]
227 # (optional) The IP address of the public network interface to listen on
228 # Defaults to '0.0.0.0'.
231 # (optional) Directory where logs should be stored
232 # If set to boolean false, it will not log to any directory
233 # Defaults to '/var/log/keystone'
236 # (optional) Where to log
239 # [*public_endpoint*]
240 # (optional) The base public endpoint URL for keystone that is
241 # advertised to clients (NOTE: this does NOT affect how
242 # keystone listens for connections) (string value)
243 # If set to false, no public_endpoint will be defined in keystone.conf.
244 # Sample value: 'http://localhost:5000/'
248 # (optional) The base admin endpoint URL for keystone that is
249 # advertised to clients (NOTE: this does NOT affect how keystone listens
250 # for connections) (string value)
251 # If set to false, no admin_endpoint will be defined in keystone.conf.
252 # Sample value: 'http://localhost:35357/'
256 # (optional) Toggle for SSL support on the keystone eventlet servers.
261 # (optional) Path of the certfile for SSL. (string value)
262 # Defaults to '/etc/keystone/ssl/certs/keystone.pem'
265 # (optional) Path of the keyfile for SSL. (string value)
266 # Defaults to '/etc/keystone/ssl/private/keystonekey.pem'
269 # (optional) Path of the ca cert file for SSL. (string value)
270 # Defaults to '/etc/keystone/ssl/certs/ca.pem'
273 # (optional) Path of the CA key file for SSL (string value)
274 # Defaults to '/etc/keystone/ssl/private/cakey.pem'
276 # [*ssl_cert_subject*]
277 # (optional) SSL Certificate Subject (auto generated certificate)
279 # Defaults to '/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost'
282 # (optional) Deprecated. Does nothing.
284 # [*validate_service*]
285 # (optional) Whether to validate keystone connections after
286 # the service is started.
289 # [*validate_insecure*]
290 # (optional) Whether to validate keystone connections
291 # using the --insecure option with keystone client (this skips TLS certificate verification).
294 # [*validate_cacert*]
295 # (optional) Whether to validate keystone connections
296 # using the specified argument with the --os-cacert option
297 # with keystone client.
300 # [*validate_auth_url*]
301 # (optional) The url to validate keystone against
304 # [*service_provider*]
305 # (optional) Provider, that can be used for keystone service.
306 # Default value defined in keystone::params for given operation system.
307 # If you use Pacemaker or another Cluster Resource Manager, you can make
308 # custom service provider for changing start/stop/status behavior of service,
312 # (optional) Name of the service that will be providing the
313 # server functionality of keystone. For example, the default
314 # is just 'keystone', which means keystone will be run as a
315 # standalone eventlet service, and will be able to be managed
316 # separately by the operating system's service manager. For
317 # example, you will be able to use
318 # service openstack-keystone restart
319 # to restart the service.
320 # If the value is 'httpd', this means keystone will be a web
321 # service, and you must use another class to configure that
322 # web service. For example, after calling class {'keystone'...}
323 # use class { 'keystone::wsgi::apache'...} to make keystone be
324 # a web app using apache mod_wsgi.
325 # Defaults to '$::keystone::params::service_name'
326 # NOTE: validate_service only applies if the default value is used.
329 # (optional) Name of the paste configuration file that defines the
330 # available pipelines. (string value)
331 # Defaults to '/usr/share/keystone/keystone-dist-paste.ini' on RedHat and
332 # undef on other platforms.
335 # (optional) maximum allowable Keystone token size
339 # (optional) The number of worker processes to serve the admin WSGI application.
340 # Defaults to max($::processorcount, 2)
343 # (optional) The number of worker processes to serve the public WSGI application.
344 # Defaults to max($::processorcount, 2)
347 # (Optional) Run db sync on the node.
350 # [*enable_fernet_setup*]
351 # (Optional) Setup keystone for fernet tokens. This is typically only
352 # run on a single node, then the keys are replicated to the other nodes
353 # in a cluster. You would typically also pair this with a fernet token
357 # [*fernet_key_repository*]
358 # (Optional) Location for the fernet key repository. This value must
359 # be set if enable_fernet_setup is set to true.
360 # Defaults to '/etc/keystone/fernet-keys'
362 # [*fernet_max_active_keys*]
363 # (Optional) Number of maximum active Fernet keys. Integer > 0.
367 # (optional) When Keystone v3 support is enabled, v2 clients will need
368 # to have a domain assigned for certain operations. For example,
369 # doing a user create operation must have a domain associated with it.
370 # This is the domain which will be used if a domain is needed and not
371 # explicitly set in the request.
372 # Defaults to undef (will use built-in Keystone default)
379 # class { 'keystone':
380 # log_verbose => 'True',
381 # admin_token => 'my_special_token',
386 # class { 'keystone':
388 # service_name => 'httpd',
391 # class { 'keystone::wsgi::apache':
397 # Dan Bode dan@puppetlabs.com
401 # Copyright 2012 Puppetlabs Inc, unless otherwise noted.
405 $package_ensure = 'present',
406 $client_package_ensure = 'present',
407 $public_bind_host = '0.0.0.0',
408 $admin_bind_host = '0.0.0.0',
409 $public_port = '5000',
410 $admin_port = '35357',
413 $log_dir = '/var/log/keystone',
416 $log_facility = 'LOG_USER',
417 $catalog_type = 'sql',
418 $catalog_driver = false,
419 $catalog_template_file = '/etc/keystone/default_catalog.templates',
420 $token_provider = 'keystone.token.providers.uuid.Provider',
421 $token_driver = 'keystone.token.persistence.backends.sql.Token',
422 $token_expiration = 3600,
423 $revoke_driver = 'keystone.contrib.revoke.backends.sql.Revoke',
424 $public_endpoint = false,
425 $admin_endpoint = false,
427 $ssl_certfile = '/etc/keystone/ssl/certs/keystone.pem',
428 $ssl_keyfile = '/etc/keystone/ssl/private/keystonekey.pem',
429 $ssl_ca_certs = '/etc/keystone/ssl/certs/ca.pem',
430 $ssl_ca_key = '/etc/keystone/ssl/private/cakey.pem',
431 $ssl_cert_subject = '/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost',
432 $cache_dir = '/var/cache/keystone',
433 $memcache_servers = false,
434 $manage_service = true,
435 $cache_backend = 'keystone.common.cache.noop',
436 $cache_backend_argument = undef,
437 $debug_cache_backend = false,
438 $token_caching = true,
440 $database_connection = 'sqlite:////var/lib/keystone/keystone.db',
441 $database_idle_timeout = '200',
442 $enable_pki_setup = true,
443 $signing_certfile = '/etc/keystone/ssl/certs/signing_cert.pem',
444 $signing_keyfile = '/etc/keystone/ssl/private/signing_key.pem',
445 $signing_ca_certs = '/etc/keystone/ssl/certs/ca.pem',
446 $signing_ca_key = '/etc/keystone/ssl/private/cakey.pem',
447 $signing_cert_subject = '/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com',
448 $signing_key_size = 2048,
449 $rabbit_host = 'localhost',
450 $rabbit_hosts = false,
451 $rabbit_password = 'guest',
452 $rabbit_port = '5672',
453 $rabbit_userid = 'guest',
454 $rabbit_virtual_host = '/',
455 $rabbit_use_ssl = false,
456 $kombu_ssl_ca_certs = undef,
457 $kombu_ssl_certfile = undef,
458 $kombu_ssl_keyfile = undef,
459 $kombu_ssl_version = 'TLSv1',
460 $notification_driver = false,
461 $notification_topics = false,
462 $notification_format = undef,
463 $control_exchange = false,
464 $validate_service = false,
465 $validate_insecure = false,
466 $validate_auth_url = false,
467 $validate_cacert = undef,
468 $paste_config = $::keystone::params::paste_config,
469 $service_provider = $::keystone::params::service_provider,
470 $service_name = $::keystone::params::service_name,
471 $max_token_size = undef,
472 $admin_workers = max($::processorcount, 2),
473 $public_workers = max($::processorcount, 2),
475 $enable_fernet_setup = false,
476 $fernet_key_repository = '/etc/keystone/fernet-keys',
477 $fernet_max_active_keys = undef,
478 $default_domain = undef,
479 # DEPRECATED PARAMETERS
480 $mysql_module = undef,
481 $compute_port = undef,
482 ) inherits keystone::params {
484 if ! $catalog_driver {
485 validate_re($catalog_type, 'template|sql')
489 warning('The mysql_module parameter is deprecated. The latest 2.x mysql module will be used.')
492 if ($admin_endpoint and 'v2.0' in $admin_endpoint) {
493 warning('Version string /v2.0/ should not be included in keystone::admin_endpoint')
496 if ($public_endpoint and 'v2.0' in $public_endpoint) {
497 warning('Version string /v2.0/ should not be included in keystone::public_endpoint')
501 if !$kombu_ssl_ca_certs {
502 fail('The kombu_ssl_ca_certs parameter is required when rabbit_use_ssl is set to true')
504 if !$kombu_ssl_certfile {
505 fail('The kombu_ssl_certfile parameter is required when rabbit_use_ssl is set to true')
507 if !$kombu_ssl_keyfile {
508 fail('The kombu_ssl_keyfile parameter is required when rabbit_use_ssl is set to true')
512 File['/etc/keystone/keystone.conf'] -> Keystone_config<||> ~> Service[$service_name]
513 Keystone_config<||> ~> Exec<| title == 'keystone-manage db_sync'|>
514 Keystone_config<||> ~> Exec<| title == 'keystone-manage pki_setup'|>
515 Keystone_config<||> ~> Exec<| title == 'keystone-manage fernet_setup'|>
517 include ::keystone::params
519 package { 'keystone':
520 ensure => $package_ensure,
521 name => $::keystone::params::package_name,
524 if $client_package_ensure == 'present' {
525 include '::openstacklib::openstackclient'
527 class { '::openstacklib::openstackclient':
528 package_ensure => $client_package_ensure,
535 require => Package['keystone'],
542 require => Package['keystone'],
545 file { ['/etc/keystone', '/var/log/keystone', '/var/lib/keystone']:
550 require => Package['keystone'],
551 notify => Service[$service_name],
554 file { '/etc/keystone/keystone.conf':
559 require => Package['keystone'],
560 notify => Service[$service_name],
564 'DEFAULT/admin_token': value => $admin_token, secret => true;
565 'DEFAULT/public_bind_host': value => $public_bind_host;
566 'DEFAULT/admin_bind_host': value => $admin_bind_host;
567 'DEFAULT/public_port': value => $public_port;
568 'DEFAULT/admin_port': value => $admin_port;
569 'DEFAULT/verbose': value => $verbose;
570 'DEFAULT/debug': value => $debug;
574 warning('The compute_port parameter is deprecated and will be removed in L')
576 'DEFAULT/compute_port': value => $compute_port;
580 'DEFAULT/compute_port': ensure => absent;
584 # Endpoint configuration
585 if $public_endpoint {
587 'DEFAULT/public_endpoint': value => $public_endpoint;
591 'DEFAULT/public_endpoint': ensure => absent;
596 'DEFAULT/admin_endpoint': value => $admin_endpoint;
600 'DEFAULT/admin_endpoint': ensure => absent;
603 # requirements for memcache token driver
604 if ($token_driver =~ /memcache/ ) {
605 package { 'python-memcache':
607 name => $::keystone::params::python_memcache_package_name,
611 # token driver config
613 'token/driver': value => $token_driver;
614 'token/expiration': value => $token_expiration;
619 'revoke/driver': value => $revoke_driver;
623 'revoke/driver': ensure => absent;
630 'ssl/enable': value => true;
631 'ssl/certfile': value => $ssl_certfile;
632 'ssl/keyfile': value => $ssl_keyfile;
633 'ssl/ca_certs': value => $ssl_ca_certs;
634 'ssl/ca_key': value => $ssl_ca_key;
635 'ssl/cert_subject': value => $ssl_cert_subject;
639 'ssl/enable': value => false;
643 if($database_connection =~ /mysql:\/\/\S+:\S+@\S+\/\S+/) {
644 require 'mysql::bindings'
645 require 'mysql::bindings::python'
646 } elsif($database_connection =~ /postgresql:\/\/\S+:\S+@\S+\/\S+/) {
648 } elsif($database_connection =~ /sqlite:\/\//) {
651 fail("Invalid db connection ${database_connection}")
654 # memcache connection config
655 if $memcache_servers {
656 validate_array($memcache_servers)
657 Service<| title == 'memcached' |> -> Service['keystone']
659 'cache/enabled': value => true;
660 'cache/backend': value => $cache_backend;
661 'cache/debug_cache_backend': value => $debug_cache_backend;
662 'token/caching': value => $token_caching;
663 'memcache/servers': value => join($memcache_servers, ',');
665 if $cache_backend_argument {
666 validate_array($cache_backend_argument)
668 'cache/backend_argument': value => join($cache_backend_argument, ',');
672 'cache/backend_argument': ensure => absent;
677 'cache/enabled': ensure => absent;
678 'cache/backend': ensure => absent;
679 'cache/backend_argument': ensure => absent;
680 'cache/debug_cache_backend': ensure => absent;
681 'token/caching': ensure => absent;
682 'memcache/servers': ensure => absent;
686 # db connection config
688 'database/connection': value => $database_connection, secret => true;
689 'database/idle_timeout': value => $database_idle_timeout;
692 # configure based on the catalog backend
694 $catalog_driver_real = $catalog_driver
696 elsif ($catalog_type == 'template') {
697 $catalog_driver_real = 'keystone.catalog.backends.templated.Catalog'
699 elsif ($catalog_type == 'sql') {
700 $catalog_driver_real = 'keystone.catalog.backends.sql.Catalog'
704 'catalog/driver': value => $catalog_driver_real;
705 'catalog/template_file': value => $catalog_template_file;
708 # Set the signing key/cert configuration values.
710 'signing/certfile': value => $signing_certfile;
711 'signing/keyfile': value => $signing_keyfile;
712 'signing/ca_certs': value => $signing_ca_certs;
713 'signing/ca_key': value => $signing_ca_key;
714 'signing/cert_subject': value => $signing_cert_subject;
715 'signing/key_size': value => $signing_key_size;
718 # Create cache directory used for signing.
723 # Only do pki_setup if we were asked to do so. This is needed
724 # regardless of the token provider since token revocation lists
726 if $enable_pki_setup {
727 exec { 'keystone-manage pki_setup':
731 creates => $signing_keyfile,
732 notify => Service[$service_name],
733 subscribe => Package['keystone'],
734 require => User['keystone'],
738 keystone_config { 'token/provider': value => $token_provider }
741 keystone_config { 'DEFAULT/max_token_size': value => $max_token_size }
743 keystone_config { 'DEFAULT/max_token_size': ensure => absent }
746 if $notification_driver {
747 keystone_config { 'DEFAULT/notification_driver': value => $notification_driver }
749 keystone_config { 'DEFAULT/notification_driver': ensure => absent }
751 if $notification_topics {
752 keystone_config { 'DEFAULT/notification_topics': value => $notification_topics }
754 keystone_config { 'DEFAULT/notification_topics': ensure => absent }
756 if $notification_format {
757 keystone_config { 'DEFAULT/notification_format': value => $notification_format }
759 keystone_config { 'DEFAULT/notification_format': ensure => absent }
761 if $control_exchange {
762 keystone_config { 'DEFAULT/control_exchange': value => $control_exchange }
764 keystone_config { 'DEFAULT/control_exchange': ensure => absent }
768 'DEFAULT/rabbit_password': value => $rabbit_password, secret => true;
769 'DEFAULT/rabbit_userid': value => $rabbit_userid;
770 'DEFAULT/rabbit_virtual_host': value => $rabbit_virtual_host;
774 keystone_config { 'DEFAULT/rabbit_hosts': value => join($rabbit_hosts, ',') }
775 keystone_config { 'DEFAULT/rabbit_ha_queues': value => true }
777 keystone_config { 'DEFAULT/rabbit_host': value => $rabbit_host }
778 keystone_config { 'DEFAULT/rabbit_port': value => $rabbit_port }
779 keystone_config { 'DEFAULT/rabbit_hosts': value => "${rabbit_host}:${rabbit_port}" }
780 keystone_config { 'DEFAULT/rabbit_ha_queues': value => false }
783 keystone_config { 'DEFAULT/rabbit_use_ssl': value => $rabbit_use_ssl }
786 'DEFAULT/kombu_ssl_ca_certs': value => $kombu_ssl_ca_certs;
787 'DEFAULT/kombu_ssl_certfile': value => $kombu_ssl_certfile;
788 'DEFAULT/kombu_ssl_keyfile': value => $kombu_ssl_keyfile;
789 'DEFAULT/kombu_ssl_version': value => $kombu_ssl_version;
793 'DEFAULT/kombu_ssl_ca_certs': ensure => absent;
794 'DEFAULT/kombu_ssl_certfile': ensure => absent;
795 'DEFAULT/kombu_ssl_keyfile': ensure => absent;
796 'DEFAULT/kombu_ssl_version': ensure => absent;
801 'DEFAULT/admin_workers': value => $admin_workers;
802 'DEFAULT/public_workers': value => $public_workers;
807 $service_ensure = 'running'
809 $service_ensure = 'stopped'
812 warning('Execution of db_sync does not depend on $enabled anymore. Please use sync_db instead.')
815 if $service_name == $::keystone::params::service_name {
816 if $validate_service {
817 if $validate_auth_url {
818 $v_auth_url = $validate_auth_url
820 $v_auth_url = $admin_endpoint
823 class { '::keystone::service':
824 ensure => $service_ensure,
825 service_name => $service_name,
829 provider => $service_provider,
831 admin_endpoint => $v_auth_url,
832 admin_token => $admin_token,
833 insecure => $validate_insecure,
834 cacert => $validate_cacert,
837 class { '::keystone::service':
838 ensure => $service_ensure,
839 service_name => $service_name,
843 provider => $service_provider,
847 } elsif $service_name == 'httpd' {
848 class { '::keystone::service':
850 service_name => $::keystone::params::service_name,
852 provider => $service_provider,
856 fail('Invalid service_name. Either keystone/openstack-keystone for running as a standalone service, or httpd for being run by a httpd server')
860 include ::keystone::db::sync
861 Class['::keystone::db::sync'] ~> Service[$service_name]
864 # Syslog configuration
867 'DEFAULT/use_syslog': value => true;
868 'DEFAULT/syslog_log_facility': value => $log_facility;
872 'DEFAULT/use_syslog': value => false;
878 'DEFAULT/log_file': value => $log_file;
879 'DEFAULT/log_dir': value => $log_dir;
884 'DEFAULT/log_dir': value => $log_dir;
885 'DEFAULT/log_file': ensure => absent;
889 'DEFAULT/log_dir': ensure => absent;
890 'DEFAULT/log_file': ensure => absent;
897 'paste_deploy/config_file': value => $paste_config;
901 'paste_deploy/config_file': ensure => absent;
905 # Fernet tokens support
906 if $enable_fernet_setup {
907 validate_string($fernet_key_repository)
909 exec { 'keystone-manage fernet_setup':
913 creates => "${fernet_key_repository}/0",
914 notify => Service[$service_name],
915 subscribe => [Package['keystone'], Keystone_config['fernet_tokens/key_repository']],
919 if $fernet_key_repository {
921 'fernet_tokens/key_repository': value => $fernet_key_repository;
925 'fernet_tokens/key_repository': ensure => absent;
929 if $fernet_max_active_keys {
931 'fernet_tokens/max_active_keys': value => $fernet_max_active_keys;
935 'fernet_tokens/max_active_keys': ensure => absent;
940 keystone_domain { $default_domain:
944 require => File['/etc/keystone/keystone.conf'],
945 notify => Exec['restart_keystone'],
947 # Update this code when https://bugs.launchpad.net/keystone/+bug/1472285 is addressed.
948 # 1/ Keystone needs to be started before creating the default domain
949 # 2/ Once the default domain is created, we can query Keystone to get the default domain ID
950 # 3/ The Keystone_domain provider has in charge of doing the query and configure keystone.conf
951 # 4/ After such a change, we need to restart Keystone service.
952 # restart_keystone exec is doing 4/, it restart Keystone if we have a new default domain setted
953 # and if we manage the service to be enabled.
954 if $manage_service and $enabled {
955 exec { 'restart_keystone':
956 path => ['/usr/sbin', '/usr/bin', '/sbin', '/bin/'],
957 command => "service ${service_name} restart",