From 08ab3d8e739fc5b499a4cb565cdbcccd6e1c97a1 Mon Sep 17 00:00:00 2001 From: Bertrand Lallau Date: Thu, 1 Jun 2017 18:16:29 +0200 Subject: [PATCH] Fix outdated barbican-api-paste.ini file Kolla-ansible actually bring it's own barbican-api-paste.ini file to enable Keystone authentication, in order to fix this https://bugs.launchpad.net/kolla/+bug/1625337 auth_token middleware is actually managed by Barbican. Furthermore barbican-api-paste.ini brings by Kolla-ansible is outdated: * http_proxy_to_wsgi middleware is missing Hence this file should not be managed statically by kolla-ansible. This patch keep custom paste file feature. Just put the file to /etc/kolla/config/barbican/barbican-api.ini path. Change-Id: Ia50237f7df7f89526a976575b017145c71b11ec0 Closes-bug: #1695026 --- ansible/roles/barbican/tasks/config.yml | 17 ++++-- .../templates/barbican-api-paste.ini.j2 | 60 ------------------- .../barbican/templates/barbican-api.json.j2 | 3 +- 3 files changed, 14 insertions(+), 66 deletions(-) delete mode 100644 ansible/roles/barbican/templates/barbican-api-paste.ini.j2 diff --git a/ansible/roles/barbican/tasks/config.yml b/ansible/roles/barbican/tasks/config.yml index ee7f8ec061..b4bbc86e35 100644 --- a/ansible/roles/barbican/tasks/config.yml +++ b/ansible/roles/barbican/tasks/config.yml @@ -37,18 +37,25 @@ notify: - Restart barbican-api container +- name: Checking whether barbican-api-paste.ini file exists + vars: + barbican-api: "{{ barbican_services['barbican-api'] }}" + local_action: stat path="{{ node_custom_config }}/barbican/barbican-api-paste.ini" + run_once: True + register: check_barbican_api_paste_ini + when: + - barbican-api.enabled | bool + - name: Copying over barbican-api-paste.ini vars: service: "{{ barbican_services['barbican-api'] }}" - merge_configs: - sources: - - "{{ role_path }}/templates/barbican-api-paste.ini.j2" - - "{{ node_custom_config }}/barbican-api/barbican-api-paste.ini" - - "{{ node_custom_config }}/barbican-api/{{ inventory_hostname }}/barbican-api-paste.ini" + template: + src: "{{ node_custom_config }}/barbican/barbican-api-paste.ini" dest: "{{ node_config_directory }}/barbican-api/barbican-api-paste.ini" when: - inventory_hostname in groups['barbican-api'] - service.enabled | bool + - check_barbican_api_paste_ini.stat.exists register: barbican_api_paste notify: - Restart barbican-api container diff --git a/ansible/roles/barbican/templates/barbican-api-paste.ini.j2 b/ansible/roles/barbican/templates/barbican-api-paste.ini.j2 deleted file mode 100644 index a1030a9f65..0000000000 --- a/ansible/roles/barbican/templates/barbican-api-paste.ini.j2 +++ /dev/null @@ -1,60 +0,0 @@ -[composite:main] -use = egg:Paste#urlmap -/: barbican_version -/v1: barbican-api-keystone - -# Use this pipeline for Barbican API - versions no authentication -[pipeline:barbican_version] -pipeline = cors versionapp - -# Use this pipeline for Barbican API - DEFAULT no authentication -[pipeline:barbican_api] -pipeline = cors unauthenticated-context apiapp - -#Use this pipeline to activate a repoze.profile middleware and HTTP port, -# to provide profiling information for the REST API processing. -[pipeline:barbican-profile] -pipeline = cors unauthenticated-context egg:Paste#cgitb egg:Paste#httpexceptions profile apiapp - -#Use this pipeline for keystone auth -[pipeline:barbican-api-keystone] -pipeline = cors authtoken context apiapp - -#Use this pipeline for keystone auth with audit feature -[pipeline:barbican-api-keystone-audit] -pipeline = authtoken context audit apiapp - -[app:apiapp] -paste.app_factory = barbican.api.app:create_main_app - -[app:versionapp] -paste.app_factory = barbican.api.app:create_version_app - -[filter:simple] -paste.filter_factory = barbican.api.middleware.simple:SimpleFilter.factory - -[filter:unauthenticated-context] -paste.filter_factory = barbican.api.middleware.context:UnauthenticatedContextMiddleware.factory - -[filter:context] -paste.filter_factory = barbican.api.middleware.context:ContextMiddleware.factory - -[filter:audit] -paste.filter_factory = keystonemiddleware.audit:filter_factory -audit_map_file = /etc/barbican/api_audit_map.conf - -[filter:authtoken] -paste.filter_factory = keystonemiddleware.auth_token:filter_factory - -[filter:profile] -use = egg:repoze.profile -log_filename = myapp.profile -cachegrind_filename = cachegrind.out.myapp -discard_first_request = true -path = /__profile__ -flush_at_shutdown = true -unwind = false - -[filter:cors] -paste.filter_factory = oslo_middleware.cors:filter_factory -oslo_config_project = barbican diff --git a/ansible/roles/barbican/templates/barbican-api.json.j2 b/ansible/roles/barbican/templates/barbican-api.json.j2 index 411d28c119..40c16d19f7 100644 --- a/ansible/roles/barbican/templates/barbican-api.json.j2 +++ b/ansible/roles/barbican/templates/barbican-api.json.j2 @@ -17,7 +17,8 @@ "source": "{{ container_config_directory }}/barbican-api-paste.ini", "dest": "/etc/barbican/barbican-api-paste.ini", "owner": "barbican", - "perm": "0600" + "perm": "0600", + "optional": true }, { "source": "{{ container_config_directory }}/policy.json",