1 # == Definition: keystone::resource::authtoken
3 # This resource configures Keystone authentication resources for an OpenStack
4 # service. It will manage the [keystone_authtoken] section in the given
5 # config resource. It supports all of the authentication parameters specified
6 # at http://www.jamielennox.net/blog/2015/02/17/loading-authentication-plugins/
7 # with the addition of the default domain for user and project.
9 # The username and project_name parameters may be given in the form
10 # "name::domainname". The authtoken resource will use the domains in
11 # the following order:
12 # 1) The given domain parameter (user_domain_name or project_domain_name)
13 # 2) The domain given as the "::domainname" part of username or project_name
14 # 3) The default_domain_name
16 # For example, instead of doing this::
19 # 'keystone_authtoken/admin_tenant_name': value => $keystone_tenant;
20 # 'keystone_authtoken/admin_user' : value => $keystone_user;
21 # 'keystone_authtoken/admin_password' : value => $keystone_password;
26 # manifests should do this instead::
28 # keystone::resource::authtoken { 'glance_api_config':
29 # username => $keystone_user,
30 # password => $keystone_password,
31 # auth_url => $real_identity_uri,
32 # project_name => $keystone_tenant,
33 # user_domain_name => $keystone_user_domain,
34 # project_domain_name => $keystone_project_domain,
35 # default_domain_name => $keystone_default_domain,
40 # The use of `keystone::resource::authtoken` makes it easy to avoid mistakes,
41 # and makes it easier to support some of the newer authentication types coming
42 # with Keystone Kilo and later, such as Kerberos, Federation, etc.
47 # The name of the resource corresponding to the config file. For example,
48 # keystone::resource::authtoken { 'glance_api_config': ... }
49 # Where 'glance_api_config' is the name of the resource used to manage
50 # the glance api configuration.
54 # The name of the service user;
58 # Password the service user authenticates with;
62 # The URL to use for authentication.
66 # The plugin to use for authentication.
67 # string; optional: default to 'password'
70 # The ID of the service user;
71 # string; optional: default to undef
73 # [*user_domain_name*]
74 # (Optional) Name of domain for $username
78 # (Optional) ID of domain for $username
82 # Service project name;
83 # string; optional: default to undef
87 # string; optional: default to undef
89 # [*project_domain_name*]
90 # (Optional) Name of domain for $project_name
93 # [*project_domain_id*]
94 # (Optional) ID of domain for $project_name
98 # (Optional) Use this for auth to obtain a domain-scoped token.
99 # If using this option, do not specify $project_name or $project_id.
103 # (Optional) Use this for auth to obtain a domain-scoped token.
104 # If using this option, do not specify $project_name or $project_id.
107 # [*default_domain_name*]
108 # (Optional) Name of domain for $username and $project_name
109 # If user_domain_name is not specified, use $default_domain_name
110 # If project_domain_name is not specified, use $default_domain_name
113 # [*default_domain_id*]
114 # (Optional) ID of domain for $user_id and $project_id
115 # If user_domain_id is not specified, use $default_domain_id
116 # If project_domain_id is not specified, use $default_domain_id
120 # (Optional) Trust ID
124 # (Optional) CA certificate file for TLS (https)
128 # (Optional) Certificate file for TLS (https)
132 # (Optional) Key file for TLS (https)
136 # If true, explicitly allow TLS without checking server cert against any
137 # certificate authorities. WARNING: not recommended, because an unverified server can impersonate Keystone and receive the service credentials. Use with caution.
138 # boolean; Defaults to false (which means be secure)
# Defined type: writes each Keystone auth option as a 'keystone_authtoken/<option>'
# entry of the resource type named by $name, using create_resources().
# NOTE(review): this listing is a lossy extraction. The gutter numbers skip
# source lines 141-143, 145, 149, 153 and 156-162 in the parameter list, and
# further lines around most value/absent pairs in the body, so some parameter
# declarations and the if/else/closing-brace lines are not visible here.
140 define keystone::resource::authtoken(
144 $auth_plugin = 'password',
146 $user_domain_name = undef,
147 $user_domain_id = undef,
148 $project_name = undef,
150 $project_domain_name = undef,
151 $project_domain_id = undef,
152 $domain_name = undef,
154 $default_domain_name = undef,
155 $default_domain_id = undef,
# Scope check: at least one of project_name, project_id, domain_name or
# domain_id must be given, otherwise catalog compilation fails.
163 if !$project_name and !$project_id and !$domain_name and !$domain_id {
164 fail('Must specify either a project (project_name or project_id, for a project scoped token) or a domain (domain_name or domain_id, for a domain scoped token)')
# Project scope and domain scope are mutually exclusive.
167 if ($project_name or $project_id) and ($domain_name or $domain_id) {
168 fail('Cannot specify both a project (project_name or project_id) and a domain (domain_name or domain_id)')
# Split "name::domainname". Domain precedence follows the pick() argument
# order: the explicit *_domain_name parameter, then the "::" suffix, then
# $default_domain_name. '__nodomain__' is the sentinel for "no domain resolved".
171 $user_and_domain_array = split($username, '::')
172 $real_username = $user_and_domain_array[0]
173 $real_user_domain_name = pick($user_domain_name, $user_and_domain_array[1], $default_domain_name, '__nodomain__')
# Same split and precedence for the project name.
175 $project_and_domain_array = split($project_name, '::')
176 $real_project_name = $project_and_domain_array[0]
177 $real_project_domain_name = pick($project_domain_name, $project_and_domain_array[1], $default_domain_name, '__nodomain__')
# These four options have no 'absent' counterpart in this listing.
# NOTE(review): no check on the scheme of $auth_url is visible here. The header
# documents it as the URL used for authentication, so the credentials below are
# presumably presented to it; prefer an https URL.
179 create_resources($name, {'keystone_authtoken/auth_plugin' => {'value' => $auth_plugin}})
180 create_resources($name, {'keystone_authtoken/auth_url' => {'value' => $auth_url}})
181 create_resources($name, {'keystone_authtoken/username' => {'value' => $real_username}})
# The password entry is the only one passed with 'secret' => true.
# NOTE(review): presumably this makes the target config type keep the value out
# of Puppet logs and reports - confirm against the type named by $name.
182 create_resources($name, {'keystone_authtoken/password' => {'value' => $password, 'secret' => true}})
# From here on most options come as a value/absent pair: one call sets the
# option, the other removes it with 'ensure' => 'absent'. The guarding
# conditions are only visible for some of the pairs; the others presumably test
# the matching parameter in the same way - TODO confirm against the full file.
184 create_resources($name, {'keystone_authtoken/user_id' => {'value' => $user_id}})
186 create_resources($name, {'keystone_authtoken/user_id' => {'ensure' => 'absent'}})
# Sentinel value: no user domain name was resolved, so the option is removed.
188 if $real_user_domain_name == '__nodomain__' {
189 create_resources($name, {'keystone_authtoken/user_domain_name' => {'ensure' => 'absent'}})
191 create_resources($name, {'keystone_authtoken/user_domain_name' => {'value' => $real_user_domain_name}})
# user_domain_id: written from $user_domain_id, or from $default_domain_id on
# the elsif branch; the last call removes the option.
194 create_resources($name, {'keystone_authtoken/user_domain_id' => {'value' => $user_domain_id}})
195 } elsif $default_domain_id {
196 create_resources($name, {'keystone_authtoken/user_domain_id' => {'value' => $default_domain_id}})
198 create_resources($name, {'keystone_authtoken/user_domain_id' => {'ensure' => 'absent'}})
# project_name is written without its "::domainname" suffix.
201 create_resources($name, {'keystone_authtoken/project_name' => {'value' => $real_project_name}})
203 create_resources($name, {'keystone_authtoken/project_name' => {'ensure' => 'absent'}})
206 create_resources($name, {'keystone_authtoken/project_id' => {'value' => $project_id}})
208 create_resources($name, {'keystone_authtoken/project_id' => {'ensure' => 'absent'}})
# Sentinel value: no project domain name was resolved, so the option is removed.
210 if $real_project_domain_name == '__nodomain__' {
211 create_resources($name, {'keystone_authtoken/project_domain_name' => {'ensure' => 'absent'}})
213 create_resources($name, {'keystone_authtoken/project_domain_name' => {'value' => $real_project_domain_name}})
# project_domain_id: explicit parameter first, then $default_domain_id,
# otherwise the option is removed.
215 if $project_domain_id {
216 create_resources($name, {'keystone_authtoken/project_domain_id' => {'value' => $project_domain_id}})
217 } elsif $default_domain_id {
218 create_resources($name, {'keystone_authtoken/project_domain_id' => {'value' => $default_domain_id}})
220 create_resources($name, {'keystone_authtoken/project_domain_id' => {'ensure' => 'absent'}})
# Domain-scope options (mutually exclusive with the project options, see the
# second fail() above).
223 create_resources($name, {'keystone_authtoken/domain_name' => {'value' => $domain_name}})
225 create_resources($name, {'keystone_authtoken/domain_name' => {'ensure' => 'absent'}})
228 create_resources($name, {'keystone_authtoken/domain_id' => {'value' => $domain_id}})
230 create_resources($name, {'keystone_authtoken/domain_id' => {'ensure' => 'absent'}})
233 create_resources($name, {'keystone_authtoken/trust_id' => {'value' => $trust_id}})
235 create_resources($name, {'keystone_authtoken/trust_id' => {'ensure' => 'absent'}})
# cacert, cert and key are documented in the header as files for TLS.
# NOTE(review): only the values are written here; as far as this listing shows,
# ownership and mode of the key file are not managed by this resource and need
# to be restricted elsewhere.
238 create_resources($name, {'keystone_authtoken/cacert' => {'value' => $cacert}})
240 create_resources($name, {'keystone_authtoken/cacert' => {'ensure' => 'absent'}})
243 create_resources($name, {'keystone_authtoken/cert' => {'value' => $cert}})
245 create_resources($name, {'keystone_authtoken/cert' => {'ensure' => 'absent'}})
248 create_resources($name, {'keystone_authtoken/key' => {'value' => $key}})
250 create_resources($name, {'keystone_authtoken/key' => {'ensure' => 'absent'}})
# insecure has no 'absent' call in this listing. Per the header, true allows
# TLS without checking the server certificate against any CA.
# NOTE(review): with verification off, a host able to intercept the connection
# to auth_url can pose as Keystone, so keep this false outside disposable test
# environments.
252 create_resources($name, {'keystone_authtoken/insecure' => {'value' => $insecure}})