diff --git a/manifests/profile/params.pp b/manifests/profile/params.pp
index f2486549..3613a176 100644
--- a/manifests/profile/params.pp
+++ b/manifests/profile/params.pp
@@ -139,6 +139,25 @@
 # Set to 0 to disable it.
 # Optional. Default provided by Ceph
 #
+# [*rgw_keystone_version*] The api version for keystone.
+# Possible values 'v2.0', 'v3'
+# Optional. Default is 'v2.0'
+#
+# [*rgw_keystone_admin_domain*] The name of OpenStack domain with admin
+# privilege when using OpenStack Identity API v3
+# Optional. Default is undef
+#
+# [*rgw_keystone_admin_project*] The name of OpenStack project with admin
+# privilege when using OpenStack Identity API v3
+# Optional. Default is undef
+#
+# [*rgw_keystone_admin_user*] The user name of OpenStack tenant with admin
+# privilege (Service Tenant)
+# Required if is 'v3'.
+#
+# [*rgw_keystone_admin_password*] The password for OpenStack admin user
+# Required if is 'v3'.
+
 
 class ceph::profile::params (
 $fsid = undef,
@@ -172,6 +191,12 @@ class ceph::profile::params (
 $osd_recovery_max_single_start = undef,
 $osd_max_scrubs = undef,
 $osd_op_threads = undef,
+ $rgw_keystone_version = 'v2.0',
+ $rgw_keystone_admin_domain = undef,
+ $rgw_keystone_admin_project = undef,
+ $rgw_keystone_admin_user = undef,
+ $rgw_keystone_admin_password = undef,
+
 ) {
 
 validate_hash($client_keys)
diff --git a/manifests/rgw/keystone.pp b/manifests/rgw/keystone.pp
index 4a726fa2..ccd6c273 100644
--- a/manifests/rgw/keystone.pp
+++ b/manifests/rgw/keystone.pp
@@ -24,12 +24,13 @@
 ### == Parameters
 #
 # [*rgw_keystone_admin_token*] The keystone admin token.
-# Mandatory.
+# Required if rgw_keystone_version is v2.0.
 #
 # [*rgw_keystone_url*] The internal or admin url for keystone.
 # Optional. Default is 'http://127.0.0.1:5000'
 #
 # [*rgw_keystone_version*] The api version for keystone.
+# Possible values 'v2.0', 'v3'
 # Optional. Default is 'v2.0'
 #
 # [*rgw_keystone_accepted_roles*] Roles to accept from keystone.
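Review bot: The two added lines `+# Required if is 'v3'.` under rgw_keystone_admin_user and rgw_keystone_admin_password have lost their subject; the matching entries this commit adds to manifests/rgw/keystone.pp read `Required if rgw_keystone_version is 'v3'.`, and the profile docs should say the same. rgw_keystone_admin_domain and rgw_keystone_admin_project are documented here as `Optional. Default is undef`, yet the define's v3 branch calls fail() when either is undef, so under v3 they are required too and the wording should match. Since this profile class is where a plaintext `rgw_keystone_admin_password` enters Hiera and the catalogue, a one-line pointer that the define writes the value out through ceph_config (presumably into ceph.conf — confirm) would help operators decide where to store it.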
@@ -56,8 +57,23 @@
 # [*user*] User running the web frontend.
 # Optional. Default is 'www-data'.
 #
+# [*rgw_keystone_admin_domain*] The name of OpenStack domain with admin
+# privilege when using OpenStack Identity API v3
+# Optional. Default is undef
+#
+# [*rgw_keystone_admin_project*] The name of OpenStack project with admin
+# privilege when using OpenStack Identity API v3
+# Optional. Default is 'openstack'
+#
+# [*rgw_keystone_admin_user*] The user name of OpenStack tenant with admin
+# privilege (Service Tenant)
+# Required if rgw_keystone_version is 'v3'.
+#
+# [*rgw_keystone_admin_password*] The password for OpenStack admin user
+# Required if rgw_keystone_version is 'v3'.
+
 define ceph::rgw::keystone (
- $rgw_keystone_admin_token,
+ $rgw_keystone_admin_token = undef,
 $rgw_keystone_url = 'http://127.0.0.1:5000',
 $rgw_keystone_version = 'v2.0',
 $rgw_keystone_accepted_roles = '_member_, Member',
@@ -67,6 +83,10 @@ define ceph::rgw::keystone (
 $rgw_keystone_revocation_interval = 600,
 $nss_db_path = '/var/lib/ceph/nss',
 $user = $::ceph::params::user_radosgw,
+ $rgw_keystone_admin_domain = $::ceph::profile::params::rgw_keystone_admin_domain,
+ $rgw_keystone_admin_project = $::ceph::profile::params::rgw_keystone_admin_project,
+ $rgw_keystone_admin_user = $::ceph::profile::params::rgw_keystone_admin_user,
+ $rgw_keystone_admin_password = $::ceph::profile::params::rgw_keystone_admin_password,
 ) {
 
 unless $name =~ /^radosgw\..+/ {
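Review bot: The new doc line `+# Optional. Default is 'openstack'` for rgw_keystone_admin_project contradicts the code: the parameter defaults to `$::ceph::profile::params::rgw_keystone_admin_project`, which this commit's profile hunk sets to undef, and the v3 branch later in this file calls fail() when it is undef, so under v3 it is required and there is no 'openstack' default. rgw_keystone_admin_domain carries the same 'Optional' wording with the same problem. Suggest `# Required if rgw_keystone_version is 'v3'.` on both entries, matching the user and password entries, and dropping the stale default. Defaulting `$rgw_keystone_admin_token` to undef is fine because the v2.0 branch validates it, but that check lives in a later hunk, so a short pointer in the token's doc block (`# Validated when rgw_keystone_version is 'v2.0'.`) would save the reader a search.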
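Review bot: The four added defaults read `$::ceph::profile::params::rgw_keystone_admin_*`, but nothing in this define includes `ceph::profile::params`, so a caller that does not use the profile layer and leaves a parameter unset triggers a lookup against an unevaluated class — at least an unknown-variable warning on modern Puppet and, with strict_variables enabled, a compile failure. The existing `$user = $::ceph::params::user_radosgw` line follows the same shape, but against `ceph::params`, which the specs do include. Parameter defaults are only evaluated when the caller omits the parameter, so the new v3 spec examples (which pass all four) will not surface this; the pre-existing v2.0 examples outside this hunk presumably omit them and are worth checking for warnings. A safer shape is to default all four to `undef` in the define and have `ceph::profile::params` pass them explicitly, which also keeps the admin password out of a second global lookup path.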
@@ -74,13 +94,41 @@ define ceph::rgw::keystone (
 }
 
 ceph_config {
- "client.${name}/rgw_keystone_admin_token": value => $rgw_keystone_admin_token;
 "client.${name}/rgw_keystone_url": value => $rgw_keystone_url;
 "client.${name}/rgw_keystone_accepted_roles": value => join(any2array($rgw_keystone_accepted_roles), ',');
 "client.${name}/rgw_keystone_token_cache_size": value => $rgw_keystone_token_cache_size;
 "client.${name}/rgw_s3_auth_use_keystone": value => $rgw_s3_auth_use_keystone;
 }
 
+ if $rgw_keystone_version == 'v2.0' {
+ if $rgw_keystone_admin_token == undef
+ {
+ fail( 'Missing rgw_keystone_admin_token for Keystone V2 integration')
+ }
+ ceph_config {
+ "client.${name}/rgw_keystone_admin_token": value => $rgw_keystone_admin_token;
+ }
+ } elsif $rgw_keystone_version == 'v3' {
+ if $rgw_keystone_admin_domain == undef
+ or $rgw_keystone_admin_project == undef
+ or $rgw_keystone_admin_user == undef
+ or $rgw_keystone_admin_password == undef
+ {
+ fail( 'Incomplete parameters for Keystone V3 integration')
+ }
+ ceph_config {
+ "client.${name}/rgw_keystone_api_version": value => 3;
+ "client.${name}/rgw_keystone_admin_domain": value => $rgw_keystone_admin_domain;
+ "client.${name}/rgw_keystone_admin_project": value => $rgw_keystone_admin_project;
+ "client.${name}/rgw_keystone_admin_user": value => $rgw_keystone_admin_user;
+ "client.${name}/rgw_keystone_admin_password": value => $rgw_keystone_admin_password;
+ "client.${name}/rgw_keystone_admin_token": ensure => absent;
+ }
+
+ } else {
+ fail("Unsupported keystone version: ${rgw_keystone_version}")
+ }
+
 if $use_pki {
 # fetch the keystone signing cert, add to nss db
 $pkg_nsstools = $::ceph::params::pkg_nsstools
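Review bot: The `v2.0` branch writes only `rgw_keystone_admin_token`, while the `v3` branch writes its five keys and sets the token to `ensure => absent`; nothing symmetric happens on the way back, so a node switched from `v3` to `v2.0` keeps `rgw_keystone_api_version = 3` and, more importantly, the plaintext `rgw_keystone_admin_password` in its config. The v2.0 branch should ensure the v3 keys absent so the written config reflects exactly one integration mode and a stale credential does not linger. The `== undef` guards also let an empty string through, so `rgw_keystone_admin_password = ''` passes the v3 check and is written out; stdlib's `empty()`, which this module already depends on for `any2array`/`join`, catches both undef and ''. The enclosing define continues outside the hunk.
```puppet
  if $rgw_keystone_version == 'v2.0' {
    # … unchanged: admin token check and rgw_keystone_admin_token ceph_config …
    # Remove any v3 keys left by a previous run so only one mode is configured
    # and the plaintext admin password does not persist after switching back.
    ceph_config {
      "client.${name}/rgw_keystone_api_version":    ensure => absent;
      "client.${name}/rgw_keystone_admin_domain":   ensure => absent;
      "client.${name}/rgw_keystone_admin_project":  ensure => absent;
      "client.${name}/rgw_keystone_admin_user":     ensure => absent;
      "client.${name}/rgw_keystone_admin_password": ensure => absent;
    }
  } elsif $rgw_keystone_version == 'v3' {
    # … unchanged: v3 parameter check and ceph_config …
```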
@@ -100,7 +148,7 @@ define ceph::rgw::keystone (
 exec { "${name}-nssdb-ca":
 command => "/bin/true # comment to satisfy puppet syntax requirements
 set -ex
-wget --no-check-certificate ${rgw_keystone_url}/${rgw_keystone_version}/certificates/ca -O - |
+wget --no-check-certificate ${rgw_keystone_url}/v2.0/certificates/ca -O - |
 openssl x509 -pubkey | certutil -A -d ${nss_db_path} -n ca -t \"TCu,Cu,Tuw\"
 ",
 unless => "/bin/true # comment to satisfy puppet syntax requirements
@@ -113,7 +161,7 @@ certutil -d ${nss_db_path} -L | grep ^ca
 exec { "${name}-nssdb-signing":
 command => "/bin/true # comment to satisfy puppet syntax requirements
 set -ex
-wget --no-check-certificate ${rgw_keystone_url}/${rgw_keystone_version}/certificates/signing -O - |
+wget --no-check-certificate ${rgw_keystone_url}/v2.0/certificates/signing -O - |
 openssl x509 -pubkey | certutil -A -d ${nss_db_path} -n signing_cert -t \"P,P,P\"
 ",
 unless => "/bin/true # comment to satisfy puppet syntax requirements
diff --git a/manifests/rgw/keystone/auth.pp b/manifests/rgw/keystone/auth.pp
new file mode 100644
index 00000000..d978131f
--- /dev/null
+++ b/manifests/rgw/keystone/auth.pp
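Review bot: Replacing `${rgw_keystone_version}` with a literal `v2.0` in the wget line leaves no explanation in the code, and the same substitution is made in the `${name}-nssdb-signing` exec in the following hunk, so a reader will take it for a leftover. Add a comment above the exec such as `# Certificates are always fetched from the v2.0 path, independent of rgw_keystone_version` — presumably because Keystone only serves the PKI certificate endpoints there; confirm and say so. Separately, both execs install the CA and signing certificates that radosgw uses to verify Keystone's PKI material into the NSS database after fetching them with `wget --no-check-certificate`, i.e. the trust anchor is retrieved without verifying the TLS peer; that is pre-existing, but since this commit touches the line it is the moment to record the risk in a comment or gate the flag on a parameter. The exec bodies begin and end outside the hunk.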
@@ -0,0 +1,89 @@
+# == Class: ceph::rgw::keystone::auth
+#
+# Configures RGW user, service and endpoint in Keystone V3.
+#
+# === Parameters
+#
+# [*password*]
+# Password for the RGW user. Required
+#
+# [*user*]
+# Username for the RGW user. Optional.
+# Defaults to 'rgwuser'
+#
+# [*email*]
+# Email for the RGW user. Optional.
+# Defaults to 'rgwuser@localhost'
+#
+# [*roles*]
+# Accepted RGW roles. Optional.
+# Defaults to ['admin', 'Member']
+#
+# [*public_url*]
+# The public URL. Optional.
+# Defaults to 'http://127.0.0.1:8080/swift/v1
+#
+# [*admin_url*]
+# The admin URL. Optional.
+# Defaults to 'http://127.0.0.1:8080/swift/v1
+#
+# [*internal_url*]
+# The internal URL. Optional.
+# Defaults to 'http://127.0.0.1:8080/swift/v1
+#
+# [*region*]
+# Region for endpoint. Optional.
+# Defaults to 'RegionOne'
+#
+# [*tenant*]
+# Tenant for user. Optional.
+# Defaults to 'services'
+#
+# [*rgw_service*]
+# Name of the keystone service used by RGW
+# Defaults to 'swift::object-store'
+#
+
+class ceph::rgw::keystone::auth (
+ $password,
+ $user = 'rgwuser',
+ $email = 'rgwuser@localhost',
+ $roles = ['admin', 'Member'],
+ $public_url = 'http://127.0.0.1:8080/swift/v1',
+ $admin_url = 'http://127.0.0.1:8080/swift/v1',
+ $internal_url = 'http://127.0.0.1:8080/swift/v1',
+ $region = 'RegionOne',
+ $tenant = 'services',
+ $rgw_service = 'swift::object-store',
+) {
+
+ include ::openstacklib::openstackclient
+
+ ensure_resource('keystone_service', 'swift::object-store', {
+ 'ensure' => 'present',
+ 'description' => 'Ceph RGW Service',
+ } )
+
+ ensure_resource('keystone_endpoint', "${region}/swift::object-store", {
+ 'ensure' => 'present',
+ 'public_url' => $public_url,
+ 'admin_url' => $admin_url,
+ 'internal_url' => $internal_url,
+ } )
+
+ keystone_user { $user:
+ ensure => present,
+ password => $password,
+ email => $email,
+ }
+
+ ensure_resource('keystone_role', $roles, {
+ 'ensure' => 'present'
+ } )
+
+ keystone_user_role { "${user}@${tenant}":
+ ensure => present,
+ roles => $roles,
+ }
+}
+
diff --git a/releasenotes/notes/radosgw-keystone-v3-93b3895e24b5f913.yaml b/releasenotes/notes/radosgw-keystone-v3-93b3895e24b5f913.yaml
new file mode 100644
index 00000000..8b1c6a47
--- /dev/null
+++ b/releasenotes/notes/radosgw-keystone-v3-93b3895e24b5f913.yaml
@@ -0,0 +1,11 @@
+---
+features:
+ - Updates 'ceph::rgw::keystone' to integrate with keystone V3.
+ Adds new parameters rgw_keystone_admin_domain,
+ rgw_keyston_admin_project, rgw_keystone_admin_user
+ and rgw_keystone_admin_password.
+ Extends rgw_keystone_version to add 'v3' as a valid option
+issues:
+ - At this time radosgw uses pki to verify Keystone revocation
+ lists. 'keystone::enable_pki_setup' must be set to true
+ to provide the needed keystone support
diff --git a/spec/defines/ceph_rgw_keystone_spec.rb b/spec/defines/ceph_rgw_keystone_spec.rb
index 9f91c304..ad5ab4b0 100644
--- a/spec/defines/ceph_rgw_keystone_spec.rb
+++ b/spec/defines/ceph_rgw_keystone_spec.rb
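Review bot: `$rgw_service` is declared and documented (default 'swift::object-store') but never used: the keystone_service title and the keystone_endpoint title both hard-code `'swift::object-store'`, so passing a different service name silently has no effect. The two titles should be `$rgw_service` and `"${region}/${rgw_service}"`. Three doc lines (`Defaults to 'http://127.0.0.1:8080/swift/v1`) are missing their closing quote, and the [*password*] entry could state that this is the credential created in Keystone for the RGW service user. The default `roles => ['admin', 'Member']` grants that service user the admin role in `$tenant`; if admin is needed for token validation, a one-line comment saying so would justify it, otherwise a narrower default is preferable.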
@@ -140,7 +140,46 @@ wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/signin
 'user' => 'www-data',
 )
 }
- end
 end
+ end
+
+ describe "create with keystone v3 and no pki params" do
+
+ let :pre_condition do
+ "
+ include ceph::params
+ class { 'ceph': fsid => 'd5252e7d-75bc-4083-85ed-fe51fa83f62b' }
+ class { 'ceph::repo': fastcgi => true, }
+ include ceph
+ ceph::rgw { 'radosgw.gateway': }
+ ceph::rgw::apache_fastcgi { 'radosgw.gateway': }
+ "
+ end
+
+ let :title do
+ 'radosgw.gateway'
+ end
+
+ let :params do
+ {
+ :rgw_keystone_url => 'http://keystone.default:5000',
+ :rgw_keystone_version => 'v3',
+ :rgw_keystone_admin_domain => 'default',
+ :rgw_keystone_admin_project => 'openstack',
+ :rgw_keystone_admin_user => 'rgwuser',
+ :rgw_keystone_admin_password => '123456',
+ }
+ end
+
+ it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_url').with_value('http://keystone.default:5000') }
+ it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_domain').with_value('default') }
+ it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_project').with_value('openstack') }
+ it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_user').with_value('rgwuser') }
+ it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_password').with_value('123456') }
+ it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_token').with_ensure('absent') }
+
+ end
+
+ end
 
 describe 'RedHat Family' do
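Review bot: The new v3 example asserts the four admin keys and the absent token but not `rgw_keystone_api_version`, which the v3 branch also writes; add `it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_api_version').with_value(3) }` (or its string form, depending on how ceph_config munges the value). None of the three new fail() paths — missing v2.0 token, incomplete v3 parameters, unsupported version — is exercised; an example with one admin parameter omitted and `is_expected.to raise_error(Puppet::Error, /Incomplete parameters for Keystone V3 integration/)` would pin the guard that keeps a half-configured v3 setup from being written. The duplicated RedHat example in the next hunk has the same gaps. Both describe blocks sit inside a context that opens outside the hunk.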
@@ -262,7 +301,47 @@ wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/signin
 'user' => 'apache',
 )
 }
- end
 end
+ end
+
+ describe "create with keystone v3 and no pki params" do
+
+ let :pre_condition do
+ "
+ include ceph::params
+ class { 'ceph': fsid => 'd5252e7d-75bc-4083-85ed-fe51fa83f62b' }
+ class { 'ceph::repo': fastcgi => true, }
+ include ceph
+ ceph::rgw { 'radosgw.gateway': }
+ ceph::rgw::apache_fastcgi { 'radosgw.gateway': }
+ "
+ end
+
+ let :title do
+ 'radosgw.gateway'
+ end
+
+ let :params do
+ {
+ :rgw_keystone_url => 'http://keystone.default:5000',
+ :rgw_keystone_version => 'v3',
+ :rgw_keystone_admin_domain => 'default',
+ :rgw_keystone_admin_project => 'openstack',
+ :rgw_keystone_admin_user => 'rgwuser',
+ :rgw_keystone_admin_password => '123456',
+ }
+ end
+
+ it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_url').with_value('http://keystone.default:5000') }
+ it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_domain').with_value('default') }
+ it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_project').with_value('openstack') }
+ it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_user').with_value('rgwuser') }
+ it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_password').with_value('123456') }
+ it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_token').with_ensure('absent') }
+
+ end
+
+
+ end
 end
 # Local Variables: