Andrew Bogott has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/191471

Change subject: Roughed in designate class
......................................................................

Roughed in designate class

Very much a WIP, definitely will not work!

Change-Id: Ic06414d1a942ad0ef9f1fd4be5f5bd002cd07cda
---
A modules/openstack/files/icehouse/designate/policy.json
A modules/openstack/files/icehouse/designate/rootwrap.conf
A modules/openstack/manifests/designate/init.pp
A modules/openstack/templates/icehouse/designate/api-paste.ini.erb
A modules/openstack/templates/icehouse/designate/designate.conf
5 files changed, 467 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/71/191471/1

diff --git a/modules/openstack/files/icehouse/designate/policy.json 
b/modules/openstack/files/icehouse/designate/policy.json
new file mode 100644
index 0000000..9d96379
--- /dev/null
+++ b/modules/openstack/files/icehouse/designate/policy.json
@@ -0,0 +1,94 @@
+{
+    "admin": "role:admin or is_admin:True",
+    "owner": "tenant:%(tenant_id)s",
+    "admin_or_owner": "rule:admin or rule:owner",
+    "target": "tenant:%(target_tenant_id)s",
+    "owner_or_target":"rule:target or rule:owner",
+    "admin_or_owner_or_target":"rule:owner_or_target or rule:admin",
+    "admin_or_target":"rule:admin or rule:target",
+
+    "default": "rule:admin_or_owner",
+
+    "all_tenants": "rule:admin",
+
+    "use_low_ttl": "rule:admin",
+
+    "get_quotas": "rule:admin_or_owner",
+    "get_quota": "rule:admin_or_owner",
+    "set_quota": "rule:admin",
+    "reset_quotas": "rule:admin",
+
+    "create_tld": "rule:admin",
+    "find_tlds": "rule:admin",
+    "get_tld": "rule:admin",
+    "update_tld": "rule:admin",
+    "delete_tld": "rule:admin",
+
+    "create_tsigkey": "rule:admin",
+    "find_tsigkeys": "rule:admin",
+    "get_tsigkey": "rule:admin",
+    "update_tsigkey": "rule:admin",
+    "delete_tsigkey": "rule:admin",
+
+    "find_tenants": "rule:admin",
+    "get_tenant": "rule:admin",
+    "count_tenants": "rule:admin",
+
+    "create_domain": "rule:admin_or_owner",
+    "get_domains": "rule:admin_or_owner",
+    "get_domain": "rule:admin_or_owner",
+    "get_domain_servers": "rule:admin_or_owner",
+    "find_domains": "rule:admin_or_owner",
+    "find_domain": "rule:admin_or_owner",
+    "update_domain": "rule:admin_or_owner",
+    "delete_domain": "rule:admin_or_owner",
+    "abandon_domain": "rule:admin",
+    "count_domains": "rule:admin_or_owner",
+    "touch_domain": "rule:admin_or_owner",
+
+    "create_record": "rule:admin_or_owner",
+    "get_records": "rule:admin_or_owner",
+    "get_record": "rule:admin_or_owner",
+    "find_records": "rule:admin_or_owner",
+    "find_record": "rule:admin_or_owner",
+    "update_record": "rule:admin_or_owner",
+    "delete_record": "rule:admin_or_owner",
+    "count_records": "rule:admin_or_owner",
+
+    "use_sudo": "rule:admin",
+
+    "create_blacklist": "rule:admin",
+    "find_blacklist": "rule:admin",
+    "find_blacklists": "rule:admin",
+    "get_blacklist": "rule:admin",
+    "update_blacklist": "rule:admin",
+    "delete_blacklist": "rule:admin",
+    "use_blacklisted_domain": "rule:admin",
+
+    "create_pool": "rule:admin",
+    "find_pools": "rule:admin",
+    "find_pool": "rule:admin",
+    "get_pool": "rule:admin",
+    "update_pool": "rule:admin",
+    "delete_pool": "rule:admin",
+
+    "diagnostics_ping": "rule:admin",
+    "diagnostics_sync_domains": "rule:admin",
+    "diagnostics_sync_domain": "rule:admin",
+    "diagnostics_sync_record": "rule:admin",
+
+    "create_zone_transfer_request": "rule:admin_or_owner",
+    "get_zone_transfer_request": "rule:admin_or_owner or 
tenant:%(target_tenant_id)s or None:%(target_tenant_id)s",
+    "get_zone_transfer_request_detailed": "rule:admin_or_owner",
+    "find_zone_transfer_requests": "@",
+    "find_zone_transfer_request": "@",
+    "update_zone_transfer_request": "rule:admin_or_owner",
+    "delete_zone_transfer_request": "rule:admin_or_owner",
+
+    "create_zone_transfer_accept": "rule:admin_or_owner or 
tenant:%(target_tenant_id)s or None:%(target_tenant_id)s",
+    "get_zone_transfer_accept": "rule:admin_or_owner",
+    "find_zone_transfer_accepts": "rule:admin",
+    "find_zone_transfer_accept": "rule:admin",
+    "update_zone_transfer_accept": "rule:admin",
+    "delete_zone_transfer_accept": "rule:admin"
+}
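Review bot: `find_zone_transfer_requests` and `find_zone_transfer_request` use the bare `"@"` rule, which in oslo.policy syntax grants the action to every caller; unless central scopes the result set by tenant itself, this lets any tenant list transfer requests it does not own, so it deserves either an explanatory comment in the commit message or a tighter rule such as `"find_zone_transfer_requests": "rule:admin_or_owner_or_target"`. The values of `get_zone_transfer_request` and `create_zone_transfer_accept` appear split across two lines in this mail; if the committed file really contains that line break inside the string it is invalid JSON (raw control character in a string) and the policy file will not load. The file also defines pool and zone-transfer actions that, as far as I know, postdate the Icehouse designate release, so the `icehouse/` path may not match the package version that will consume it — worth confirming against the target package.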
diff --git a/modules/openstack/files/icehouse/designate/rootwrap.conf 
b/modules/openstack/files/icehouse/designate/rootwrap.conf
new file mode 100644
index 0000000..79bfb40
--- /dev/null
+++ b/modules/openstack/files/icehouse/designate/rootwrap.conf
@@ -0,0 +1,27 @@
+# Configuration for designate-rootwrap
+# This file should be owned by (and only-writeable by) the root user
+
+[DEFAULT]
+# List of directories to load filter definitions from (separated by ',').
+# These directories MUST all be only writeable by root !
+filters_path=/etc/designate/rootwrap.d,/usr/share/designate/rootwrap
+
+# List of directories to search executables in, in case filters do not
+# explicitely specify a full path (separated by ',')
+# If not specified, defaults to system PATH environment variable.
+# These directories MUST all be only writeable by root !
+exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
+
+# Enable logging to syslog
+# Default value is False
+use_syslog=False
+
+# Which syslog facility to use.
+# Valid values include auth, authpriv, syslog, user0, user1...
+# Default value is 'syslog'
+syslog_log_facility=syslog
+
+# Which messages to log.
+# INFO means log all usage
+# ERROR means only log unsuccessful attempts
+syslog_log_level=ERROR
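Review bot: With `use_syslog=False` and `syslog_log_level=ERROR` no successful rootwrap invocation is recorded anywhere, so there is no audit trail for the privileged commands designate runs through it; consider `use_syslog=True` and `syslog_log_level=INFO` (the file's own comment says INFO logs all usage). The `filters_path` entry `/etc/designate/rootwrap.d` must exist and be writable only by root per the comment above it, but nothing in this change creates or manages it — init.pp only carries a `# include rootwrap.d entries` placeholder.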
diff --git a/modules/openstack/manifests/designate/init.pp 
b/modules/openstack/manifests/designate/init.pp
new file mode 100644
index 0000000..85c97d8
--- /dev/null
+++ b/modules/openstack/manifests/designate/init.pp
@@ -0,0 +1,38 @@
+class openstack::designate ($openstack_version=$::openstack::version, 
$designateconfig) {
+    package { [ ]:
+        ensure => present;
+    }
+
+    file {
+        "/etc/designate/designate.conf":
+            content => 
template("openstack/${openstack_version}/designate/designate.conf.erb"),
+            owner   => designate,
+            group   => designate,
+            notify  => Service["designate"],
+            require => Package["designate"],
+            mode    => '0440';
+        "/etc/designate/api-paste.ini":
+            content => 
template("openstack/${$openstack_version}/designate/api-paste.ini.erb"),
+            owner   => 'designate',
+            group   => 'designate',
+            notify  => Service["designate-api"],
+            require => Package["designate"],
+            mode    => '0440';
+        "/etc/designate/policy.json":
+            content => file("${$openstack_version}/designate/policy.json"),
+            owner   => 'designate',
+            group   => 'designate',
+            require => Package["designate"],
+            mode    => '0440';
+        "/etc/designate/rootwrap.conf":
+            content => file("${$openstack_version}/designate/rootwrap.conf"),
+            owner   => 'root',
+            group   => 'root',
+            require => Package["designate"],
+            mode    => '0440';
+    }
+
+    # include rootwrap.d entries
+}
+
+
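Review bot: Every file resource has `require => Package["designate"]`, but the only package resource declared is the empty `package { [ ]: ... }`, so catalog compilation will fail on the unresolved dependency; likewise `Service["designate"]` and `Service["designate-api"]` are notified but never declared. The template path in the `/etc/designate/designate.conf` resource is `designate/designate.conf.erb`, while the file added in this change is `templates/icehouse/designate/designate.conf` without the `.erb` suffix, so `template()` will not find it. The interpolation is also inconsistent — `${openstack_version}` in the first resource versus `${$openstack_version}` in the other three — and the two `file()` calls take a path with no `openstack/` module prefix whereas the `template()` calls include it; `$designateconfig` is a required parameter that nothing reads. Minor style: `owner => designate` and `group => designate` are unquoted in the first resource and quoted in the rest.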
diff --git a/modules/openstack/templates/icehouse/designate/api-paste.ini.erb 
b/modules/openstack/templates/icehouse/designate/api-paste.ini.erb
new file mode 100644
index 0000000..159d1f5
--- /dev/null
+++ b/modules/openstack/templates/icehouse/designate/api-paste.ini.erb
@@ -0,0 +1,45 @@
+[composite:osapi_dns]
+use = egg:Paste#urlmap
+/: osapi_dns_app_versions
+/v1: osapi_dns_v1
+/v2: osapi_dns_v2
+
+[app:osapi_dns_app_versions]
+paste.app_factory = designate.api.versions:factory
+
+[composite:osapi_dns_v1]
+use = call:designate.api.middleware:auth_pipeline_factory
+noauth = request_id noauthcontext maintenance faultwrapper normalizeuri 
osapi_dns_app_v1
+keystone = request_id authtoken keystonecontext maintenance faultwrapper 
normalizeuri osapi_dns_app_v1
+
+[app:osapi_dns_app_v1]
+paste.app_factory = designate.api.v1:factory
+
+[composite:osapi_dns_v2]
+use = call:designate.api.middleware:auth_pipeline_factory
+noauth = request_id faultwrapper noauthcontext maintenance normalizeuri 
osapi_dns_app_v2
+keystone = request_id faultwrapper authtoken keystonecontext maintenance 
normalizeuri osapi_dns_app_v2
+
+[app:osapi_dns_app_v2]
+paste.app_factory = designate.api.v2:factory
+
+[filter:request_id]
+paste.filter_factory = oslo_middleware:RequestId.factory
+
+[filter:noauthcontext]
+paste.filter_factory = designate.api.middleware:NoAuthContextMiddleware.factory
+
+[filter:authtoken]
+paste.filter_factory = keystonemiddleware.auth_token:filter_factory
+
+[filter:keystonecontext]
+paste.filter_factory = 
designate.api.middleware:KeystoneContextMiddleware.factory
+
+[filter:maintenance]
+paste.filter_factory = designate.api.middleware:MaintenanceMiddleware.factory
+
+[filter:normalizeuri]
+paste.filter_factory = designate.api.middleware:NormalizeURIMiddleware.factory
+
+[filter:faultwrapper]
+paste.filter_factory = designate.api.middleware:FaultWrapperMiddleware.factory
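Review bot: The template contains no ERB expressions, so nothing in it varies per host; either add the intended substitutions or ship it through `file()` like `policy.json`, so the two delivery mechanisms in init.pp are used consistently. The `noauth` pipelines in `osapi_dns_v1` and `osapi_dns_v2` remain selectable through `auth_strategy`, which designate.conf leaves at its commented default; a one-line comment such as `# keystone is the expected pipeline in production; noauth is for local testing only` would make the intent clear to the next reader. The `noauth =` and `keystone =` values appear wrapped onto two lines in this mail; if that wrap is in the committed file, the continuation line lacks the leading whitespace an INI parser needs and the pipeline will be read truncated.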
diff --git a/modules/openstack/templates/icehouse/designate/designate.conf 
b/modules/openstack/templates/icehouse/designate/designate.conf
new file mode 100644
index 0000000..74d5c78
--- /dev/null
+++ b/modules/openstack/templates/icehouse/designate/designate.conf
@@ -0,0 +1,263 @@
+[DEFAULT]
+# Where an option is commented out, but filled in this shows the default
+# value of that option
+
+########################
+## General Configuration
+########################
+# Show more verbose log output (sets INFO log level output)
+verbose = True
+
+# Show debugging output in logs (sets DEBUG log level output)
+debug = False
+
+# Top-level directory for maintaining designate's state
+#state_path = /var/lib/designate
+
+# Log Configuration
+#log_config = None
+
+# Log directory
+#logdir = /var/log/designate
+
+# Driver used for issuing notifications
+#notification_driver = messaging
+
+# Notification Topics
+#notification_topics = notifications
+
+# Use "sudo designate-rootwrap /etc/designate/rootwrap.conf" to use the real
+# root filter facility.
+# Change to "sudo" to skip the filtering and just run the comand directly
+#root_helper = sudo designate-rootwrap /etc/designate/rootwrap.conf
+
+# Which networking API to use, Defaults to neutron
+#network_api = neutron
+
+# RabbitMQ Config
+#rabbit_userid = guest
+#rabbit_password = guest
+#rabbit_virtual_host = /
+#rabbit_use_ssl = False
+#rabbit_hosts = 127.0.0.1:5672
+
+########################
+## Service Configuration
+########################
+#-----------------------
+# Central Service
+#-----------------------
+[service:central]
+# Maximum domain name length
+#max_domain_name_len = 255
+
+# Maximum record name length
+#max_record_name_len = 255
+
+# Minimum TTL
+#min_ttl = None
+
+## Managed resources settings
+
+# Email to use for managed resources like domains created by the FloatingIP API
+#managed_resource_email = [email protected].
+
+# Tenant ID to own all managed resources - like auto-created records etc.
+#managed_resource_tenant_id = 123456
+
+#-----------------------
+# API Service
+#-----------------------
+[service:api]
+# Address to bind the API server
+#api_host = 0.0.0.0
+
+# Port the bind the API server to
+#api_port = 9001
+
+# Authentication strategy to use - can be either "noauth" or "keystone"
+#auth_strategy = keystone
+
+# Enable Version 1 API
+#enable_api_v1 = True
+
+# Enable Version 2 API (experimental)
+#enable_api_v2 = False
+
+# Show the pecan HTML based debug interface (v2 only)
+# This is only useful for development, and WILL break python-designateclient
+# if an error occurs
+#pecan_debug = False
+
+# Enabled API Version 1 extensions
+# Can be one or more of : diagnostics, quotas, reports, sync, touch
+#enabled_extensions_v1 =
+
+# Enabled API Version 2 extensions
+# Can be one or more of : reports, quotas
+#enabled_extensions_v2 =
+
+#-----------------------
+# Keystone Middleware
+#-----------------------
+[keystone_authtoken]
+#auth_host = 127.0.0.1
+#auth_port = 35357
+#auth_protocol = http
+#admin_tenant_name = service
+#admin_user = designate
+#admin_password = designate
+
+#-----------------------
+# Sink Service
+#-----------------------
+[service:sink]
+# List of notification handlers to enable, configuration of these needs to
+# correspond to a [handler:my_driver] section below or else in the config
+# Can be one or more of : nova_fixed, neutron_floatingip
+#enabled_notification_handlers =
+
+#-----------------------
+# mDNS Service
+#-----------------------
+[service:mdns]
+#workers = None
+#host = 0.0.0.0
+#port = 5354
+#tcp_backlog = 100
+
+#-----------------------
+# Agent Service
+#-----------------------
+[service:agent]
+#workers = None
+#host = 0.0.0.0
+#port = 5358
+#tcp_backlog = 100
+#allow_notify = 127.0.0.1
+#masters = 127.0.0.1:5354
+#backend_driver = fake
+
+
+#-----------------------
+# Pool Manager Service
+#-----------------------
+[service:pool_manager]
+#backends = bind9
+#workers = None
+#pool_id = 794ccc2c-d751-44fe-b57f-8894c9f5c842
+#threshold_percentage = 100
+#poll_timeout = 30
+#poll_retry_interval = 2
+#poll_max_retries = 3
+#poll_delay = 1
+#periodic_recovery_interval = 120
+#periodic_sync_interval = 300
+#periodic_sync_seconds = None
+#cache_driver = sqlalchemy
+
+##############
+## Network API
+##############
+[network_api:neutron]
+# Comma separated list of values, formatted "<name>|<neutron_uri>"
+#endpoints = RegionOne|http://localhost:9696
+#endpoint_type = publicURL
+#timeout = 30
+#admin_username = designate
+#admin_password = designate
+#admin_tenant_name = designate
+#auth_url = http://localhost:35357/v2.0
+#insecure = False
+#auth_strategy = keystone
+#ca_certificates_file =
+
+########################
+## Storage Configuration
+########################
+#-----------------------
+# SQLAlchemy Storage
+#-----------------------
+[storage:sqlalchemy]
+# Database connection string - to configure options for a given implementation
+# like sqlalchemy or other see below
+#connection = sqlite:///$state_path/designate.sqlite
+#connection_debug = 0
+#connection_trace = False
+#sqlite_synchronous = True
+#idle_timeout = 3600
+#max_retries = 10
+#retry_interval = 10
+
+########################
+## Handler Configuration
+########################
+#-----------------------
+# Nova Fixed Handler
+#-----------------------
+[handler:nova_fixed]
+# Domain ID of domain to create records in. Should be pre-created
+#domain_id =
+#notification_topics = notifications
+#control_exchange = 'nova'
+#format = '%(octet0)s-%(octet1)s-%(octet2)s-%(octet3)s.%(domain)s'
+
+#------------------------
+# Neutron Floating Handler
+#------------------------
+[handler:neutron_floatingip]
+# Domain ID of domain to create records in. Should be pre-created
+#domain_id =
+#notification_topics = notifications
+#control_exchange = 'neutron'
+#format = '%(octet0)s-%(octet1)s-%(octet2)s-%(octet3)s.%(domain)s'
+
+###################################
+## Pool Manager Cache Configuration
+###################################
+#-----------------------
+# SQLAlchemy Pool Manager Cache
+#-----------------------
+[pool_manager_cache:sqlalchemy]
+#connection = sqlite:///$state_path/designate_pool_manager.sqlite
+#connection_debug = 100
+#connection_trace = False
+#sqlite_synchronous = True
+#idle_timeout = 3600
+#max_retries = 10
+#retry_interval = 10
+
+#############################
+## Pool Backend Configuration
+#############################
+
+# This section does not have the defaults filled in but demonstrates an
+# example pool / server set up. Different backends will have different options.
+
+#-----------------------
+# Global Bind9 Pool Backend
+#-----------------------
+[backend:bind9]
+#server_ids = 6a5032b6-2d96-43ee-b25b-7d784e2bf3b2
+#masters = 127.0.0.1:5354
+#rndc_host = 127.0.0.1
+#rndc_port = 953
+#rndc_config_file = /etc/rndc.conf
+#rndc_key_file = /etc/rndc.key
+
+#-----------------------
+# Server Specific Bind9 Pool Backend
+#-----------------------
+[backend:bind9:6a5032b6-2d96-43ee-b25b-7d784e2bf3b2]
+# host = 127.0.0.1
+# port = 53
+
+#############################
+## Agent Backend Configuration
+#############################
+[backend:agent:bind9]
+#rndc_host = 127.0.0.1
+#rndc_port = 953
+#rndc_config_file = /etc/rndc.conf
+#rndc_key_file = /etc/rndc.key
+#zone_file_path = $state_path/zones
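Review bot: The `[keystone_authtoken]` section is entirely commented out, so with the default `auth_strategy = keystone` the authtoken filter wired in api-paste.ini.erb would run with the commented values the file header describes as defaults (`127.0.0.1:35357`, `admin_password = designate`), which is unlikely to be right for this deployment; these values, along with `rabbit_password` and the `[network_api:neutron]` `admin_password`, are what the unused `$designateconfig` parameter should supply as template expressions rather than literals committed to the repository. The file is placed under `templates/` and referenced by init.pp as `designate.conf.erb`, but it neither carries the `.erb` suffix nor contains any ERB, so the template lookup will fail. `rabbit_use_ssl = False` is left at the commented default; if the broker is reached over a shared network, the uncommented value should be set explicitly so the choice is visible in review.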

-- 
To view, visit https://gerrit.wikimedia.org/r/191471

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ic06414d1a942ad0ef9f1fd4be5f5bd002cd07cda
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Andrew Bogott <[email protected]>
