+++ /dev/null
-# == Definition: keystone::resource::authtoken
-#
-# This resource configures Keystone authentication resources for an OpenStack
-# service. It will manage the [keystone_authtoken] section in the given
-# config resource. It supports all of the authentication parameters specified
-# at http://www.jamielennox.net/blog/2015/02/17/loading-authentication-plugins/
-# with the addition of the default domain for user and project.
-#
-# The username and project_name parameters may be given in the form
-# "name::domainname". The authtoken resource will use the domains in
-# the following order:
-# 1) The given domain parameter (user_domain_name or project_domain_name)
-# 2) The domain given as the "::domainname" part of username or project_name
-# 3) The default_domain_name
-#
-# For example, instead of doing this::
-#
-# glance_api_config {
-# 'keystone_authtoken/admin_tenant_name': value => $keystone_tenant;
-# 'keystone_authtoken/admin_user' : value => $keystone_user;
-# 'keystone_authtoken/admin_password' : value => $keystone_password;
-# secret => true;
-# ...
-# }
-#
-# manifests should do this instead::
-#
-# keystone::resource::authtoken { 'glance_api_config':
-# username => $keystone_user,
-# password => $keystone_password,
-# auth_url => $real_identity_uri,
-# project_name => $keystone_tenant,
-# user_domain_name => $keystone_user_domain,
-# project_domain_name => $keystone_project_domain,
-# default_domain_name => $keystone_default_domain,
-# cacert => $ca_file,
-# ...
-# }
-#
-# The use of `keystone::resource::authtoken` makes it easy to avoid mistakes,
-# and makes it easier to support some of the newer authentication types coming
-# with Keystone Kilo and later, such as Kerberos, Federation, etc.
-#
-# == Parameters:
-#
-# [*name*]
-# The name of the resource corresponding to the config file. For example,
-# keystone::resource::authtoken { 'glance_api_config': ... }
-# Where 'glance_api_config' is the name of the resource used to manage
-# the glance api configuration.
-# string; required
-#
-# [*username*]
-# The name of the service user;
-# string; required
-#
-# [*password*]
-# Password to create for the service user;
-# string; required
-#
-# [*auth_url*]
-# The URL to use for authentication.
-# string; required
-#
-# [*auth_plugin*]
-# The plugin to use for authentication.
-# string; optional: default to 'password'
-#
-# [*user_id*]
-# The ID of the service user;
-# string; optional: default to undef
-#
-# [*user_domain_name*]
-# (Optional) Name of domain for $username
-# Defaults to undef
-#
-# [*user_domain_id*]
-# (Optional) ID of domain for $username
-# Defaults to undef
-#
-# [*project_name*]
-# Service project name;
-# string; optional: default to undef
-#
-# [*project_id*]
-# Service project ID;
-# string; optional: default to undef
-#
-# [*project_domain_name*]
-# (Optional) Name of domain for $project_name
-# Defaults to undef
-#
-# [*project_domain_id*]
-# (Optional) ID of domain for $project_name
-# Defaults to undef
-#
-# [*domain_name*]
-# (Optional) Use this for auth to obtain a domain-scoped token.
-# If using this option, do not specify $project_name or $project_id.
-# Defaults to undef
-#
-# [*domain_id*]
-# (Optional) Use this for auth to obtain a domain-scoped token.
-# If using this option, do not specify $project_name or $project_id.
-# Defaults to undef
-#
-# [*default_domain_name*]
-# (Optional) Name of domain for $username and $project_name
-# If user_domain_name is not specified, use $default_domain_name
-# If project_domain_name is not specified, use $default_domain_name
-# Defaults to undef
-#
-# [*default_domain_id*]
-# (Optional) ID of domain for $user_id and $project_id
-# If user_domain_id is not specified, use $default_domain_id
-# If project_domain_id is not specified, use $default_domain_id
-# Defaults to undef
-#
-# [*trust_id*]
-# (Optional) Trust ID
-# Defaults to undef
-#
-# [*cacert*]
-# (Optional) CA certificate file for TLS (https)
-# Defaults to undef
-#
-# [*cert*]
-# (Optional) Certificate file for TLS (https)
-# Defaults to undef
-#
-# [*key*]
-# (Optional) Key file for TLS (https)
-# Defaults to undef
-#
-# [*insecure*]
-# If true, explicitly allow TLS without checking server cert against any
-# certificate authorities. WARNING: not recommended. Use with caution.
-# boolean; Defaults to false (which means be secure)
-#
-define keystone::resource::authtoken(
- $username,
- $password,
- $auth_url,
- $auth_plugin = 'password',
- $user_id = undef,
- $user_domain_name = undef,
- $user_domain_id = undef,
- $project_name = undef,
- $project_id = undef,
- $project_domain_name = undef,
- $project_domain_id = undef,
- $domain_name = undef,
- $domain_id = undef,
- $default_domain_name = undef,
- $default_domain_id = undef,
- $trust_id = undef,
- $cacert = undef,
- $cert = undef,
- $key = undef,
- $insecure = false,
-) {
-
- if !$project_name and !$project_id and !$domain_name and !$domain_id {
- fail('Must specify either a project (project_name or project_id, for a project scoped token) or a domain (domain_name or domain_id, for a domain scoped token)')
- }
-
- if ($project_name or $project_id) and ($domain_name or $domain_id) {
- fail('Cannot specify both a project (project_name or project_id) and a domain (domain_name or domain_id)')
- }
-
- $user_and_domain_array = split($username, '::')
- $real_username = $user_and_domain_array[0]
- $real_user_domain_name = pick($user_domain_name, $user_and_domain_array[1], $default_domain_name, '__nodomain__')
-
- $project_and_domain_array = split($project_name, '::')
- $real_project_name = $project_and_domain_array[0]
- $real_project_domain_name = pick($project_domain_name, $project_and_domain_array[1], $default_domain_name, '__nodomain__')
-
- create_resources($name, {'keystone_authtoken/auth_plugin' => {'value' => $auth_plugin}})
- create_resources($name, {'keystone_authtoken/auth_url' => {'value' => $auth_url}})
- create_resources($name, {'keystone_authtoken/username' => {'value' => $real_username}})
- create_resources($name, {'keystone_authtoken/password' => {'value' => $password, 'secret' => true}})
- if $user_id {
- create_resources($name, {'keystone_authtoken/user_id' => {'value' => $user_id}})
- } else {
- create_resources($name, {'keystone_authtoken/user_id' => {'ensure' => 'absent'}})
- }
- if $real_user_domain_name == '__nodomain__' {
- create_resources($name, {'keystone_authtoken/user_domain_name' => {'ensure' => 'absent'}})
- } else {
- create_resources($name, {'keystone_authtoken/user_domain_name' => {'value' => $real_user_domain_name}})
- }
- if $user_domain_id {
- create_resources($name, {'keystone_authtoken/user_domain_id' => {'value' => $user_domain_id}})
- } elsif $default_domain_id {
- create_resources($name, {'keystone_authtoken/user_domain_id' => {'value' => $default_domain_id}})
- } else {
- create_resources($name, {'keystone_authtoken/user_domain_id' => {'ensure' => 'absent'}})
- }
- if $project_name {
- create_resources($name, {'keystone_authtoken/project_name' => {'value' => $real_project_name}})
- } else {
- create_resources($name, {'keystone_authtoken/project_name' => {'ensure' => 'absent'}})
- }
- if $project_id {
- create_resources($name, {'keystone_authtoken/project_id' => {'value' => $project_id}})
- } else {
- create_resources($name, {'keystone_authtoken/project_id' => {'ensure' => 'absent'}})
- }
- if $real_project_domain_name == '__nodomain__' {
- create_resources($name, {'keystone_authtoken/project_domain_name' => {'ensure' => 'absent'}})
- } else {
- create_resources($name, {'keystone_authtoken/project_domain_name' => {'value' => $real_project_domain_name}})
- }
- if $project_domain_id {
- create_resources($name, {'keystone_authtoken/project_domain_id' => {'value' => $project_domain_id}})
- } elsif $default_domain_id {
- create_resources($name, {'keystone_authtoken/project_domain_id' => {'value' => $default_domain_id}})
- } else {
- create_resources($name, {'keystone_authtoken/project_domain_id' => {'ensure' => 'absent'}})
- }
- if $domain_name {
- create_resources($name, {'keystone_authtoken/domain_name' => {'value' => $domain_name}})
- } else {
- create_resources($name, {'keystone_authtoken/domain_name' => {'ensure' => 'absent'}})
- }
- if $domain_id {
- create_resources($name, {'keystone_authtoken/domain_id' => {'value' => $domain_id}})
- } else {
- create_resources($name, {'keystone_authtoken/domain_id' => {'ensure' => 'absent'}})
- }
- if $trust_id {
- create_resources($name, {'keystone_authtoken/trust_id' => {'value' => $trust_id}})
- } else {
- create_resources($name, {'keystone_authtoken/trust_id' => {'ensure' => 'absent'}})
- }
- if $cacert {
- create_resources($name, {'keystone_authtoken/cacert' => {'value' => $cacert}})
- } else {
- create_resources($name, {'keystone_authtoken/cacert' => {'ensure' => 'absent'}})
- }
- if $cert {
- create_resources($name, {'keystone_authtoken/cert' => {'value' => $cert}})
- } else {
- create_resources($name, {'keystone_authtoken/cert' => {'ensure' => 'absent'}})
- }
- if $key {
- create_resources($name, {'keystone_authtoken/key' => {'value' => $key}})
- } else {
- create_resources($name, {'keystone_authtoken/key' => {'ensure' => 'absent'}})
- }
- create_resources($name, {'keystone_authtoken/insecure' => {'value' => $insecure}})
-}