2 # Module for managing keystone config.
6 # [package_ensure] Desired ensure state of packages. Optional. Defaults to present.
7 # accepts latest or specific versions.
8 # [bind_host] Host that keystone binds to.
9 # [bind_port] Port that keystone binds to.
13 # [admin_port] Port that can be used for admin tasks.
14 # [admin_token] Admin token that can be used to authenticate as a keystone
16 # [verbose] Whether keystone should log at verbose level. Optional.
18 # [debug] Whether keystone should log at debug level. Optional.
20 # [use_syslog] Use syslog for logging. Optional.
22 # [log_facility] Syslog facility to receive log lines. Optional.
23 # [catalog_type] Type of catalog that keystone uses to store endpoints and services. Optional.
24 # Defaults to sql. (Also accepts template)
25 # [catalog_driver] Catalog driver used by Keystone to store endpoints and services. Optional.
26 # Setting this value will override and ignore catalog_type.
27 # [catalog_template_file] Path to the catalog used if catalog_type equals 'template'.
28 # Defaults to '/etc/keystone/default_catalog.templates'
29 # [token_provider] Format keystone uses for tokens. Optional.
30 # Defaults to 'keystone.token.providers.uuid.Provider'
31 # Supports PKI and UUID.
32 # [token_driver] Driver to use for managing tokens.
33 # Optional. Defaults to 'keystone.token.persistence.backends.sql.Token'
34 # [token_expiration] Amount of time a token should remain valid (seconds).
35 # Optional. Defaults to 3600 (1 hour).
36 # [token_format] Deprecated: Use token_provider instead.
37 # [cache_dir] Directory created when token_provider is pki. Optional.
38 # Defaults to /var/cache/keystone.
41 # List of memcache servers in format of server:port.
42 # Used with token_driver 'keystone.token.backends.memcache.Token'.
43 # Optional. Defaults to false. Example: ['localhost:11211']
46 # Dogpile.cache backend module. It is recommended that Memcache with pooling
47 # (keystone.cache.memcache_pool) or Redis (dogpile.cache.redis) be used in production.
48 # This has no effect unless 'memcache_servers' is set.
49 # Optional. Defaults to 'keystone.common.cache.noop'
51 # [cache_backend_argument]
52 # List of arguments in format of argname:value supplied to the backend module.
53 # Specify this option once per argument to be passed to the dogpile.cache backend.
54 # This has no effect unless 'memcache_servers' is set.
55 # Optional. Default to undef.
57 # [debug_cache_backend]
58 # Extra debugging from the cache backend (cache keys, get/set/delete calls).
59 # This has no effect unless 'memcache_servers' is set.
60 # Optional. Default to false.
63 # Toggle for token system caching. This has no effect unless 'memcache_servers' is set.
64 # Optional. Default to true.
66 # [enabled] If the keystone services should be enabled. Optional. Default to true.
68 # [*database_connection*]
69 # (optional) Url used to connect to database.
70 # Defaults to sqlite:////var/lib/keystone/keystone.db
73 # (optional) Deprecated. Use database_connection instead.
75 # [*database_idle_timeout*]
76 # (optional) Timeout when db connections should be reaped.
80 # (optional) Deprecated. Use database_idle_timeout instead.
82 # [enable_pki_setup] Enable call to pki_setup to generate the cert for signing pki tokens and
83 # revocation lists if it doesn't already exist. This generates a cert and key stored in file
84 # locations based on the signing_certfile and signing_keyfile parameters below. If you are
85 # providing your own signing cert, make this false.
86 # [signing_certfile] Location of the cert file for signing pki tokens and revocation lists.
87 # Optional. Note that if this file already exists (i.e. you are providing your own signing cert),
88 # the file will not be overwritten, even if enable_pki_setup is set to true.
89 # Default: /etc/keystone/ssl/certs/signing_cert.pem
90 # [signing_keyfile] Location of the key file for signing pki tokens and revocation lists. Optional.
91 # Note that if this file already exists (i.e. you are providing your own signing cert), the file
92 # will not be overwritten, even if enable_pki_setup is set to true.
93 # Default: /etc/keystone/ssl/private/signing_key.pem
94 # [signing_ca_certs] Use this CA certs file along with signing_certfile/signing_keyfile for
95 # signing pki tokens and revocation lists. Optional. Default: /etc/keystone/ssl/certs/ca.pem
96 # [signing_ca_key] Use this CA key file along with signing_certfile/signing_keyfile for signing
97 # pki tokens and revocation lists. Optional. Default: /etc/keystone/ssl/private/cakey.pem
99 # [*signing_cert_subject*]
100 # (optional) Certificate subject (auto generated certificate) for token signing.
101 # Defaults to '/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com'
103 # [*signing_key_size*]
104 # (optional) Key size (in bits) for token signing cert (auto generated certificate)
107 # [rabbit_host] Location of rabbitmq installation. Optional. Defaults to localhost.
108 # [rabbit_port] Port for rabbitmq instance. Optional. Defaults to 5672.
109 # [rabbit_hosts] Location of rabbitmq installation. Optional. Defaults to undef.
110 # [rabbit_password] Password used to connect to rabbitmq. Optional. Defaults to guest.
111 # [rabbit_userid] User used to connect to rabbitmq. Optional. Defaults to guest.
112 # [rabbit_virtual_host] The RabbitMQ virtual host. Optional. Defaults to /.
115 # (optional) Connect over SSL for RabbitMQ
118 # [*kombu_ssl_ca_certs*]
119 # (optional) SSL certification authority file (valid only if SSL enabled).
122 # [*kombu_ssl_certfile*]
123 # (optional) SSL cert file (valid only if SSL enabled).
126 # [*kombu_ssl_keyfile*]
127 # (optional) SSL key file (valid only if SSL enabled).
130 # [*kombu_ssl_version*]
131 # (optional) SSL version to use (valid only if SSL enabled).
132 # Valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may be
133 # available on some distributions.
134 # Defaults to 'TLSv1'
136 # [notification_driver] RPC driver. Not enabled by default
137 # [notification_topics] AMQP topics to publish to when using the RPC notification driver.
138 # [control_exchange] AMQP exchange to connect to if using RabbitMQ or Qpid
140 # [*public_bind_host*]
141 # (optional) The IP address of the public network interface to listen on
142 # Deprecates bind_host
143 # Default to '0.0.0.0'.
145 # [*admin_bind_host*]
146 # (optional) The IP address of the public network interface to listen on
147 # Deprecates bind_host
148 # Default to '0.0.0.0'.
151 # (optional) Directory where logs should be stored
152 # If set to boolean false, it will not log to any directory
153 # Defaults to '/var/log/keystone'
156 # (optional) Where to log
159 # [*public_endpoint*]
160 # (optional) The base public endpoint URL for keystone that is
161 # advertised to clients (NOTE: this does NOT affect how
162 # keystone listens for connections) (string value)
163 # If set to false, no public_endpoint will be defined in keystone.conf.
164 # Sample value: 'http://localhost:5000/'
168 # (optional) The base admin endpoint URL for keystone that is
169 # advertised to clients (NOTE: this does NOT affect how keystone listens
170 # for connections) (string value)
171 # If set to false, no admin_endpoint will be defined in keystone.conf.
172 # Sample value: 'http://localhost:35357/'
176 # (optional) Toggle for SSL support on the keystone eventlet servers.
181 # (optional) Path of the certfile for SSL. (string value)
182 # Defaults to '/etc/keystone/ssl/certs/keystone.pem'
185 # (optional) Path of the keyfile for SSL. (string value)
186 # Defaults to '/etc/keystone/ssl/private/keystonekey.pem'
189 # (optional) Path of the ca cert file for SSL. (string value)
190 # Defaults to '/etc/keystone/ssl/certs/ca.pem'
193 # (optional) Path of the CA key file for SSL (string value)
194 # Defaults to '/etc/keystone/ssl/private/cakey.pem'
196 # [*ssl_cert_subject*]
197 # (optional) SSL Certificate Subject (auto generated certificate)
199 # Defaults to '/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost'
202 # (optional) Deprecated. Does nothing.
204 # [*validate_service*]
205 # (optional) Whether to validate keystone connections after
206 # the service is started.
209 # [*validate_insecure*]
210 # (optional) Whether to validate keystone connections
211 # using the --insecure option with keystone client.
214 # [*validate_cacert*]
215 # (optional) Whether to validate keystone connections
216 # using the specified argument with the --os-cacert option
217 # with keystone client.
220 # [*validate_auth_url*]
221 # (optional) The url to validate keystone against
224 # [*service_provider*]
225 # (optional) Provider, that can be used for keystone service.
226 # Default value is defined in keystone::params for the given operating system.
227 # If you use Pacemaker or another Cluster Resource Manager, you can make
228 # custom service provider for changing start/stop/status behavior of service,
232 # (optional) Name of the service that will be providing the
233 # server functionality of keystone. For example, the default
234 # is just 'keystone', which means keystone will be run as a
235 # standalone eventlet service, and will be able to be managed
236 # separately by the operating system's service manager. For
237 # example, you will be able to use
238 # service openstack-keystone restart
239 # to restart the service.
240 # If the value is 'httpd', this means keystone will be a web
241 # service, and you must use another class to configure that
242 # web service. For example, after calling class {'keystone'...}
243 # use class { 'keystone::wsgi::apache'...} to make keystone be
244 # a web app using apache mod_wsgi.
245 # Defaults to 'keystone'
246 # NOTE: validate_service only applies if the value is 'keystone'
253 # class { 'keystone':
254 # log_verbose => 'True',
255 # admin_token => 'my_special_token',
260 # class { 'keystone':
262 # service_name => 'httpd',
265 # class { 'keystone::wsgi::apache':
271 # Dan Bode dan@puppetlabs.com
275 # Copyright 2012 Puppetlabs Inc, unless otherwise noted.
279 $package_ensure = 'present',
281 $public_bind_host = '0.0.0.0',
282 $admin_bind_host = '0.0.0.0',
283 $public_port = '5000',
284 $admin_port = '35357',
285 $compute_port = '8774',
288 $log_dir = '/var/log/keystone',
291 $log_facility = 'LOG_USER',
292 $catalog_type = 'sql',
293 $catalog_driver = false,
294 $catalog_template_file = '/etc/keystone/default_catalog.templates',
295 $token_format = false,
296 $token_provider = 'keystone.token.providers.uuid.Provider',
297 $token_driver = 'keystone.token.persistence.backends.sql.Token',
298 $token_expiration = 3600,
299 $public_endpoint = false,
300 $admin_endpoint = false,
302 $ssl_certfile = '/etc/keystone/ssl/certs/keystone.pem',
303 $ssl_keyfile = '/etc/keystone/ssl/private/keystonekey.pem',
304 $ssl_ca_certs = '/etc/keystone/ssl/certs/ca.pem',
305 $ssl_ca_key = '/etc/keystone/ssl/private/cakey.pem',
306 $ssl_cert_subject = '/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost',
307 $cache_dir = '/var/cache/keystone',
308 $memcache_servers = false,
309 $cache_backend = 'keystone.common.cache.noop',
310 $cache_backend_argument = undef,
311 $debug_cache_backend = false,
312 $token_caching = true,
314 $database_connection = 'sqlite:////var/lib/keystone/keystone.db',
315 $database_idle_timeout = '200',
316 $enable_pki_setup = true,
317 $signing_certfile = '/etc/keystone/ssl/certs/signing_cert.pem',
318 $signing_keyfile = '/etc/keystone/ssl/private/signing_key.pem',
319 $signing_ca_certs = '/etc/keystone/ssl/certs/ca.pem',
320 $signing_ca_key = '/etc/keystone/ssl/private/cakey.pem',
321 $signing_cert_subject = '/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com',
322 $signing_key_size = 2048,
323 $rabbit_host = 'localhost',
324 $rabbit_hosts = false,
325 $rabbit_password = 'guest',
326 $rabbit_port = '5672',
327 $rabbit_userid = 'guest',
328 $rabbit_virtual_host = '/',
329 $rabbit_use_ssl = false,
330 $kombu_ssl_ca_certs = undef,
331 $kombu_ssl_certfile = undef,
332 $kombu_ssl_keyfile = undef,
333 $kombu_ssl_version = 'TLSv1',
334 $notification_driver = false,
335 $notification_topics = false,
336 $control_exchange = false,
337 $validate_service = false,
338 $validate_insecure = false,
339 $validate_auth_url = false,
340 $validate_cacert = undef,
341 $service_provider = $::keystone::params::service_provider,
342 $service_name = 'keystone',
343 # DEPRECATED PARAMETERS
344 $mysql_module = undef,
345 $sql_connection = undef,
346 $idle_timeout = undef,
347 ) inherits keystone::params {
349 if ! $catalog_driver {
350 validate_re($catalog_type, 'template|sql')
354 warning('The mysql_module parameter is deprecated. The latest 2.x mysql module will be used.')
358 warning('The sql_connection parameter is deprecated, use database_connection instead.')
359 $database_connection_real = $sql_connection
361 $database_connection_real = $database_connection
365 warning('The idle_timeout parameter is deprecated, use database_idle_timeout instead.')
366 $database_idle_timeout_real = $idle_timeout
368 $database_idle_timeout_real = $database_idle_timeout
371 if ($admin_endpoint and 'v2.0' in $admin_endpoint) {
372 warning('Version string /v2.0/ should not be included in keystone::admin_endpoint')
375 if ($public_endpoint and 'v2.0' in $public_endpoint) {
376 warning('Version string /v2.0/ should not be included in keystone::public_endpoint')
380 if !$kombu_ssl_ca_certs {
381 fail('The kombu_ssl_ca_certs parameter is required when rabbit_use_ssl is set to true')
383 if !$kombu_ssl_certfile {
384 fail('The kombu_ssl_certfile parameter is required when rabbit_use_ssl is set to true')
386 if !$kombu_ssl_keyfile {
387 fail('The kombu_ssl_keyfile parameter is required when rabbit_use_ssl is set to true')
391 File['/etc/keystone/keystone.conf'] -> Keystone_config<||> ~> Service[$service_name]
392 Keystone_config<||> ~> Exec<| title == 'keystone-manage db_sync'|>
393 Keystone_config<||> ~> Exec<| title == 'keystone-manage pki_setup'|>
394 include ::keystone::params
396 package { 'keystone':
397 ensure => $package_ensure,
398 name => $::keystone::params::package_name,
401 # TODO: Move this to openstacklib::openstackclient in Kilo
402 package { 'python-openstackclient':
410 require => Package['keystone'],
417 require => Package['keystone'],
420 file { ['/etc/keystone', '/var/log/keystone', '/var/lib/keystone']:
425 require => Package['keystone'],
426 notify => Service[$service_name],
429 file { '/etc/keystone/keystone.conf':
434 require => Package['keystone'],
435 notify => Service[$service_name],
439 warning('The bind_host parameter is deprecated, use public_bind_host and admin_bind_host instead.')
440 $public_bind_host_real = $bind_host
441 $admin_bind_host_real = $bind_host
443 $public_bind_host_real = $public_bind_host
444 $admin_bind_host_real = $admin_bind_host
449 'DEFAULT/admin_token': value => $admin_token, secret => true;
450 'DEFAULT/public_bind_host': value => $public_bind_host_real;
451 'DEFAULT/admin_bind_host': value => $admin_bind_host_real;
452 'DEFAULT/public_port': value => $public_port;
453 'DEFAULT/admin_port': value => $admin_port;
454 'DEFAULT/compute_port': value => $compute_port;
455 'DEFAULT/verbose': value => $verbose;
456 'DEFAULT/debug': value => $debug;
459 # Endpoint configuration
460 if $public_endpoint {
462 'DEFAULT/public_endpoint': value => $public_endpoint;
466 'DEFAULT/public_endpoint': ensure => absent;
471 'DEFAULT/admin_endpoint': value => $admin_endpoint;
475 'DEFAULT/admin_endpoint': ensure => absent;
478 # requirements for memcache token driver
479 if ($token_driver =~ /memcache/ ) {
480 package { 'python-memcache':
482 name => $::keystone::params::python_memcache_package_name,
486 # token driver config
488 'token/driver': value => $token_driver;
489 'token/expiration': value => $token_expiration;
495 'ssl/enable': value => true;
496 'ssl/certfile': value => $ssl_certfile;
497 'ssl/keyfile': value => $ssl_keyfile;
498 'ssl/ca_certs': value => $ssl_ca_certs;
499 'ssl/ca_key': value => $ssl_ca_key;
500 'ssl/cert_subject': value => $ssl_cert_subject;
504 'ssl/enable': value => false;
508 if($database_connection_real =~ /mysql:\/\/\S+:\S+@\S+\/\S+/) {
509 require 'mysql::bindings'
510 require 'mysql::bindings::python'
511 } elsif($database_connection_real =~ /postgresql:\/\/\S+:\S+@\S+\/\S+/) {
513 } elsif($database_connection_real =~ /sqlite:\/\//) {
516 fail("Invalid db connection ${database_connection_real}")
519 # memcache connection config
520 if $memcache_servers {
521 validate_array($memcache_servers)
522 Service<| title == 'memcached' |> -> Service['keystone']
524 'cache/enabled': value => true;
525 'cache/backend': value => $cache_backend;
526 'cache/debug_cache_backend': value => $debug_cache_backend;
527 'token/caching': value => $token_caching;
528 'memcache/servers': value => join($memcache_servers, ',');
530 if $cache_backend_argument {
531 validate_array($cache_backend_argument)
533 'cache/backend_argument': value => join($cache_backend_argument, ',');
537 'cache/backend_argument': ensure => absent;
542 'cache/enabled': ensure => absent;
543 'cache/backend': ensure => absent;
544 'cache/backend_argument': ensure => absent;
545 'cache/debug_cache_backend': ensure => absent;
546 'token/caching': ensure => absent;
547 'memcache/servers': ensure => absent;
551 # db connection config
553 'database/connection': value => $database_connection_real, secret => true;
554 'database/idle_timeout': value => $database_idle_timeout_real;
557 # configure based on the catalog backend
559 $catalog_driver_real = $catalog_driver
561 elsif ($catalog_type == 'template') {
562 $catalog_driver_real = 'keystone.catalog.backends.templated.Catalog'
564 elsif ($catalog_type == 'sql') {
565 $catalog_driver_real = 'keystone.catalog.backends.sql.Catalog'
569 'catalog/driver': value => $catalog_driver_real;
570 'catalog/template_file': value => $catalog_template_file;
574 warning('token_format parameter is deprecated. Use token_provider instead.')
577 # remove the old format in case of an upgrade
578 keystone_config { 'signing/token_format': ensure => absent }
580 # Set the signing key/cert configuration values.
582 'signing/certfile': value => $signing_certfile;
583 'signing/keyfile': value => $signing_keyfile;
584 'signing/ca_certs': value => $signing_ca_certs;
585 'signing/ca_key': value => $signing_ca_key;
586 'signing/cert_subject': value => $signing_cert_subject;
587 'signing/key_size': value => $signing_key_size;
590 # Create cache directory used for signing.
595 # Only do pki_setup if we were asked to do so. This is needed
596 # regardless of the token provider since token revocation lists
598 if $enable_pki_setup {
599 exec { 'keystone-manage pki_setup':
603 creates => $signing_keyfile,
604 notify => Service[$service_name],
605 subscribe => Package['keystone'],
606 require => User['keystone'],
610 if ($token_format == false and $token_provider == 'keystone.token.providers.pki.Provider') or $token_format == 'PKI' {
611 keystone_config { 'token/provider': value => 'keystone.token.providers.pki.Provider' }
612 } elsif $token_format == 'UUID' {
613 keystone_config { 'token/provider': value => 'keystone.token.providers.uuid.Provider' }
615 keystone_config { 'token/provider': value => $token_provider }
618 if $notification_driver {
619 keystone_config { 'DEFAULT/notification_driver': value => $notification_driver }
621 keystone_config { 'DEFAULT/notification_driver': ensure => absent }
623 if $notification_topics {
624 keystone_config { 'DEFAULT/notification_topics': value => $notification_topics }
626 keystone_config { 'DEFAULT/notification_topics': ensure => absent }
628 if $control_exchange {
629 keystone_config { 'DEFAULT/control_exchange': value => $control_exchange }
631 keystone_config { 'DEFAULT/control_exchange': ensure => absent }
635 'DEFAULT/rabbit_password': value => $rabbit_password, secret => true;
636 'DEFAULT/rabbit_userid': value => $rabbit_userid;
637 'DEFAULT/rabbit_virtual_host': value => $rabbit_virtual_host;
641 keystone_config { 'DEFAULT/rabbit_hosts': value => join($rabbit_hosts, ',') }
642 keystone_config { 'DEFAULT/rabbit_ha_queues': value => true }
644 keystone_config { 'DEFAULT/rabbit_host': value => $rabbit_host }
645 keystone_config { 'DEFAULT/rabbit_port': value => $rabbit_port }
646 keystone_config { 'DEFAULT/rabbit_hosts': value => "${rabbit_host}:${rabbit_port}" }
647 keystone_config { 'DEFAULT/rabbit_ha_queues': value => false }
650 keystone_config { 'DEFAULT/rabbit_use_ssl': value => $rabbit_use_ssl }
653 'DEFAULT/kombu_ssl_ca_certs': value => $kombu_ssl_ca_certs;
654 'DEFAULT/kombu_ssl_certfile': value => $kombu_ssl_certfile;
655 'DEFAULT/kombu_ssl_keyfile': value => $kombu_ssl_keyfile;
656 'DEFAULT/kombu_ssl_version': value => $kombu_ssl_version;
660 'DEFAULT/kombu_ssl_ca_certs': ensure => absent;
661 'DEFAULT/kombu_ssl_certfile': ensure => absent;
662 'DEFAULT/kombu_ssl_keyfile': ensure => absent;
663 'DEFAULT/kombu_ssl_version': ensure => absent;
668 $service_ensure = 'running'
670 $service_ensure = 'stopped'
673 if $service_name == 'keystone' {
674 if $validate_service {
675 if $validate_auth_url {
676 $v_auth_url = $validate_auth_url
678 $v_auth_url = $admin_endpoint
681 class { 'keystone::service':
682 ensure => $service_ensure,
683 service_name => $::keystone::params::service_name,
687 provider => $service_provider,
689 admin_endpoint => $v_auth_url,
690 admin_token => $admin_token,
691 insecure => $validate_insecure,
692 cacert => $validate_cacert,
695 class { 'keystone::service':
696 ensure => $service_ensure,
697 service_name => $::keystone::params::service_name,
701 provider => $service_provider,
708 include ::keystone::db::sync
709 Class['::keystone::db::sync'] ~> Service[$service_name]
712 # Syslog configuration
715 'DEFAULT/use_syslog': value => true;
716 'DEFAULT/syslog_log_facility': value => $log_facility;
720 'DEFAULT/use_syslog': value => false;
726 'DEFAULT/log_file': value => $log_file;
727 'DEFAULT/log_dir': value => $log_dir;
732 'DEFAULT/log_dir': value => $log_dir;
733 'DEFAULT/log_file': ensure => absent;
737 'DEFAULT/log_dir': ensure => absent;
738 'DEFAULT/log_file': ensure => absent;