Use a separate user for ceph-rgw rather than keystone admin user

If not, change admin user password will break ceph rgw service. Change-Id: Ia872f6f1aa2d9917d3f5851e0edcffed61e71355 Closes-Bug: #1705929
2017-07-24 00:03:43 +08:00 · 2017-07-24 00:03:43 +08:00 · 1cf116cd6c
parent ffc4fb3793
commit 1cf116cd6c
5 changed files with 24 additions and 3 deletions
--- a/ansible/roles/ceph/defaults/main.yml
+++ b/ansible/roles/ceph/defaults/main.yml
@ -35,6 +35,8 @@ swift_admin_endpoint: "{{ admin_protocol }}://{{ kolla_internal_fqdn }}:{{ rgw_p
 swift_internal_endpoint: "{{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ rgw_port }}/swift/v1"
 swift_public_endpoint: "{{ public_protocol }}://{{ kolla_external_fqdn }}:{{ rgw_port }}/swift/v1"

+ceph_rgw_keystone_user: "ceph_rgw"
+
 openstack_swift_auth: "{{ openstack_auth }}"

 ####################
--- a/ansible/roles/ceph/tasks/start_rgw_keystone.yml
+++ b/ansible/roles/ceph/tasks/start_rgw_keystone.yml
@ -23,3 +23,16 @@
    - {'interface': 'admin', 'url': '{{ swift_admin_endpoint }}'}
    - {'interface': 'internal', 'url': '{{ swift_internal_endpoint }}'}
    - {'interface': 'public', 'url': '{{ swift_public_endpoint }}'}
+
+- name: Registering keystone ceph_rgw user
+  kolla_toolbox:
+    module_name: kolla_keystone_user
+    module_args:
+      project: "service"
+      user: "{{ ceph_rgw_keystone_user }}"
+      password: "{{ ceph_rgw_keystone_password }}"
+      role: "admin"
+      region_name: "{{ openstack_region_name }}"
+      auth: "{{ '{{ openstack_ceph_rgw_auth }}' }}"
+    module_extra_vars:
+      openstack_ceph_rgw_auth: "{{ openstack_swift_auth }}"
--- a/ansible/roles/ceph/templates/ceph.conf.j2
+++ b/ansible/roles/ceph/templates/ceph.conf.j2
@ -34,9 +34,9 @@ host = {{ hostvars[inventory_hostname]['ansible_' + storage_interface]['ipv4']['
 rgw frontends = civetweb port={{ api_interface_address }}:{{ rgw_port }}
 {% if enable_ceph_rgw_keystone | bool %}
 rgw_keystone_url = {{ admin_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }}
-rgw_keystone_admin_user = {{ openstack_auth.username }}
-rgw_keystone_admin_password = {{ openstack_auth.password }}
-rgw_keystone_admin_project = {{ openstack_auth.project_name }}
+rgw_keystone_admin_user = {{ ceph_rgw_keystone_user }}
+rgw_keystone_admin_password = {{ ceph_rgw_keystone_password }}
+rgw_keystone_admin_project = service
 rgw_keystone_admin_domain = default
 rgw_keystone_api_version = 3
 rgw_keystone_accepted_roles = admin, {{ keystone_default_user_role }}
--- a/etc/kolla/passwords.yml
+++ b/etc/kolla/passwords.yml
@ -5,6 +5,7 @@
 # These options must be UUID4 values in string format
 # XXXXXXXX-XXXX-4XXX-XXXX-XXXXXXXXXXXX
 ceph_cluster_fsid:
+ceph_rgw_keystone_password:
 # for backward compatible consideration, rbd_secret_uuid is only used for nova,
 # cinder_rbd_secret_uuid is used for cinder
 rbd_secret_uuid:
--- a/releasenotes/notes/ceph-rgw-keystone-user-d084c3ebdc9528c7.yaml
+++ b/releasenotes/notes/ceph-rgw-keystone-user-d084c3ebdc9528c7.yaml
@ -0,0 +1,5 @@
+---
+upgrade:
+  - |
+    ceph_rgw_keystone_password is required in passwords.yml file. And ceph-rgw
+    depends on a separate user rather than keystone admin user now.