Update Jewel Ceph RGW to support Keystone V3
This patch updates ceph::rgw::keystone to support Keystone V3.

Usage: The domain, project, user and password are pre-populated in keystone.

ceph::rgw::keystone{ 'radosgw.gateway': rgw_keystone_version => 'v3', rgw_keystone_admin_domain => 'default', rgw_keystone_admin_project => 'openstack', rgw_keystone_admin_user => 'rgwuser', rgw_keystone_admin_password => '123456', use_pki => false, }

Change-Id: Ifb24615372c962b9e264167888d8da939b46341d
Ref: http://docs.ceph.com/docs/master/radosgw/keystone/
Ref: http://docs.ceph.com/docs/master/radosgw/config-ref/#keystone-settings
This commit is contained in:
parent
b72bf9d6b8
commit
26333fd873
@ -139,6 +139,25 @@
|
||||||
# Set to 0 to disable it.
|
# Set to 0 to disable it.
|
||||||
# Optional. Default provided by Ceph
|
# Optional. Default provided by Ceph
|
||||||
#
|
#
|
||||||
|
# [*rgw_keystone_version*] The api version for keystone.
|
||||||
|
# Possible values 'v2.0', 'v3'
|
||||||
|
# Optional. Default is 'v2.0'
|
||||||
|
#
|
||||||
|
# [*rgw_keystone_admin_domain*] The name of OpenStack domain with admin
|
||||||
|
# privilege when using OpenStack Identity API v3
|
||||||
|
# Optional. Default is undef
|
||||||
|
#
|
||||||
|
# [*rgw_keystone_admin_project*] The name of OpenStack project with admin
|
||||||
|
# privilege when using OpenStack Identity API v3
|
||||||
|
# Optional. Default is undef
|
||||||
|
#
|
||||||
|
# [*rgw_keystone_admin_user*] The user name of OpenStack tenant with admin
|
||||||
|
# privilege (Service Tenant)
|
||||||
|
# Required if is 'v3'.
|
||||||
|
#
|
||||||
|
# [*rgw_keystone_admin_password*] The password for OpenStack admin user
|
||||||
|
# Required if is 'v3'.
|
||||||
|
|
||||||
|
|
||||||
class ceph::profile::params (
|
class ceph::profile::params (
|
||||||
$fsid = undef,
|
$fsid = undef,
|
||||||
|
@ -172,6 +191,12 @@ class ceph::profile::params (
|
||||||
$osd_recovery_max_single_start = undef,
|
$osd_recovery_max_single_start = undef,
|
||||||
$osd_max_scrubs = undef,
|
$osd_max_scrubs = undef,
|
||||||
$osd_op_threads = undef,
|
$osd_op_threads = undef,
|
||||||
|
$rgw_keystone_version = 'v2.0',
|
||||||
|
$rgw_keystone_admin_domain = undef,
|
||||||
|
$rgw_keystone_admin_project = undef,
|
||||||
|
$rgw_keystone_admin_user = undef,
|
||||||
|
$rgw_keystone_admin_password = undef,
|
||||||
|
|
||||||
) {
|
) {
|
||||||
validate_hash($client_keys)
|
validate_hash($client_keys)
|
||||||
|
|
||||||
|
|
|
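Review bot: The parameter docs added in the @ -139 hunk for rgw_keystone_admin_user and rgw_keystone_admin_password read `# Required if is 'v3'.`, which drops the subject; the sibling docs in ceph::rgw::keystone say `# Required if rgw_keystone_version is 'v3'.` and the two files should match. rgw_keystone_admin_password is documented only as "the password for OpenStack admin user", yet ceph::rgw::keystone hands it to ceph_config, which presumably writes it in clear text into the gateway's ceph.conf; a line such as `# Written in clear text to the gateway's ceph.conf; restrict read access to that file.` would tell operators what they are committing to. The parameter list changed in the @ -172 hunk belongs to class ceph::profile::params, whose body continues outside the hunk.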
@ -24,12 +24,13 @@
|
||||||
### == Parameters
|
### == Parameters
|
||||||
#
|
#
|
||||||
# [*rgw_keystone_admin_token*] The keystone admin token.
|
# [*rgw_keystone_admin_token*] The keystone admin token.
|
||||||
# Mandatory.
|
# Required if rgw_keystone_version is v2.0.
|
||||||
#
|
#
|
||||||
# [*rgw_keystone_url*] The internal or admin url for keystone.
|
# [*rgw_keystone_url*] The internal or admin url for keystone.
|
||||||
# Optional. Default is 'http://127.0.0.1:5000'
|
# Optional. Default is 'http://127.0.0.1:5000'
|
||||||
#
|
#
|
||||||
# [*rgw_keystone_version*] The api version for keystone.
|
# [*rgw_keystone_version*] The api version for keystone.
|
||||||
|
# Possible values 'v2.0', 'v3'
|
||||||
# Optional. Default is 'v2.0'
|
# Optional. Default is 'v2.0'
|
||||||
#
|
#
|
||||||
# [*rgw_keystone_accepted_roles*] Roles to accept from keystone.
|
# [*rgw_keystone_accepted_roles*] Roles to accept from keystone.
|
||||||
|
@ -56,8 +57,23 @@
|
||||||
# [*user*] User running the web frontend.
|
# [*user*] User running the web frontend.
|
||||||
# Optional. Default is 'www-data'.
|
# Optional. Default is 'www-data'.
|
||||||
#
|
#
|
||||||
|
# [*rgw_keystone_admin_domain*] The name of OpenStack domain with admin
|
||||||
|
# privilege when using OpenStack Identity API v3
|
||||||
|
# Optional. Default is undef
|
||||||
|
#
|
||||||
|
# [*rgw_keystone_admin_project*] The name of OpenStack project with admin
|
||||||
|
# privilege when using OpenStack Identity API v3
|
||||||
|
# Optional. Default is 'openstack'
|
||||||
|
#
|
||||||
|
# [*rgw_keystone_admin_user*] The user name of OpenStack tenant with admin
|
||||||
|
# privilege (Service Tenant)
|
||||||
|
# Required if rgw_keystone_version is 'v3'.
|
||||||
|
#
|
||||||
|
# [*rgw_keystone_admin_password*] The password for OpenStack admin user
|
||||||
|
# Required if rgw_keystone_version is 'v3'.
|
||||||
|
|
||||||
define ceph::rgw::keystone (
|
define ceph::rgw::keystone (
|
||||||
$rgw_keystone_admin_token,
|
$rgw_keystone_admin_token = undef,
|
||||||
$rgw_keystone_url = 'http://127.0.0.1:5000',
|
$rgw_keystone_url = 'http://127.0.0.1:5000',
|
||||||
$rgw_keystone_version = 'v2.0',
|
$rgw_keystone_version = 'v2.0',
|
||||||
$rgw_keystone_accepted_roles = '_member_, Member',
|
$rgw_keystone_accepted_roles = '_member_, Member',
|
||||||
|
@ -67,6 +83,10 @@ define ceph::rgw::keystone (
|
||||||
$rgw_keystone_revocation_interval = 600,
|
$rgw_keystone_revocation_interval = 600,
|
||||||
$nss_db_path = '/var/lib/ceph/nss',
|
$nss_db_path = '/var/lib/ceph/nss',
|
||||||
$user = $::ceph::params::user_radosgw,
|
$user = $::ceph::params::user_radosgw,
|
||||||
|
$rgw_keystone_admin_domain = $::ceph::profile::params::rgw_keystone_admin_domain,
|
||||||
|
$rgw_keystone_admin_project = $::ceph::profile::params::rgw_keystone_admin_project,
|
||||||
|
$rgw_keystone_admin_user = $::ceph::profile::params::rgw_keystone_admin_user,
|
||||||
|
$rgw_keystone_admin_password = $::ceph::profile::params::rgw_keystone_admin_password,
|
||||||
) {
|
) {
|
||||||
|
|
||||||
unless $name =~ /^radosgw\..+/ {
|
unless $name =~ /^radosgw\..+/ {
|
||||||
|
@ -74,13 +94,41 @@ define ceph::rgw::keystone (
|
||||||
}
|
}
|
||||||
|
|
||||||
ceph_config {
|
ceph_config {
|
||||||
"client.${name}/rgw_keystone_admin_token": value => $rgw_keystone_admin_token;
|
|
||||||
"client.${name}/rgw_keystone_url": value => $rgw_keystone_url;
|
"client.${name}/rgw_keystone_url": value => $rgw_keystone_url;
|
||||||
"client.${name}/rgw_keystone_accepted_roles": value => join(any2array($rgw_keystone_accepted_roles), ',');
|
"client.${name}/rgw_keystone_accepted_roles": value => join(any2array($rgw_keystone_accepted_roles), ',');
|
||||||
"client.${name}/rgw_keystone_token_cache_size": value => $rgw_keystone_token_cache_size;
|
"client.${name}/rgw_keystone_token_cache_size": value => $rgw_keystone_token_cache_size;
|
||||||
"client.${name}/rgw_s3_auth_use_keystone": value => $rgw_s3_auth_use_keystone;
|
"client.${name}/rgw_s3_auth_use_keystone": value => $rgw_s3_auth_use_keystone;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if $rgw_keystone_version == 'v2.0' {
|
||||||
|
if $rgw_keystone_admin_token == undef
|
||||||
|
{
|
||||||
|
fail( 'Missing rgw_keystone_admin_token for Keystone V2 integration')
|
||||||
|
}
|
||||||
|
ceph_config {
|
||||||
|
"client.${name}/rgw_keystone_admin_token": value => $rgw_keystone_admin_token;
|
||||||
|
}
|
||||||
|
} elsif $rgw_keystone_version == 'v3' {
|
||||||
|
if $rgw_keystone_admin_domain == undef
|
||||||
|
or $rgw_keystone_admin_project == undef
|
||||||
|
or $rgw_keystone_admin_user == undef
|
||||||
|
or $rgw_keystone_admin_password == undef
|
||||||
|
{
|
||||||
|
fail( 'Incomplete parameters for Keystone V3 integration')
|
||||||
|
}
|
||||||
|
ceph_config {
|
||||||
|
"client.${name}/rgw_keystone_api_version": value => 3;
|
||||||
|
"client.${name}/rgw_keystone_admin_domain": value => $rgw_keystone_admin_domain;
|
||||||
|
"client.${name}/rgw_keystone_admin_project": value => $rgw_keystone_admin_project;
|
||||||
|
"client.${name}/rgw_keystone_admin_user": value => $rgw_keystone_admin_user;
|
||||||
|
"client.${name}/rgw_keystone_admin_password": value => $rgw_keystone_admin_password;
|
||||||
|
"client.${name}/rgw_keystone_admin_token": ensure => absent;
|
||||||
|
}
|
||||||
|
|
||||||
|
} else {
|
||||||
|
fail("Unsupported keystone version: ${rgw_keystone_version}")
|
||||||
|
}
|
||||||
|
|
||||||
if $use_pki {
|
if $use_pki {
|
||||||
# fetch the keystone signing cert, add to nss db
|
# fetch the keystone signing cert, add to nss db
|
||||||
$pkg_nsstools = $::ceph::params::pkg_nsstools
|
$pkg_nsstools = $::ceph::params::pkg_nsstools
|
||||||
|
@ -100,7 +148,7 @@ define ceph::rgw::keystone (
|
||||||
exec { "${name}-nssdb-ca":
|
exec { "${name}-nssdb-ca":
|
||||||
command => "/bin/true # comment to satisfy puppet syntax requirements
|
command => "/bin/true # comment to satisfy puppet syntax requirements
|
||||||
set -ex
|
set -ex
|
||||||
wget --no-check-certificate ${rgw_keystone_url}/${rgw_keystone_version}/certificates/ca -O - |
|
wget --no-check-certificate ${rgw_keystone_url}/v2.0/certificates/ca -O - |
|
||||||
openssl x509 -pubkey | certutil -A -d ${nss_db_path} -n ca -t \"TCu,Cu,Tuw\"
|
openssl x509 -pubkey | certutil -A -d ${nss_db_path} -n ca -t \"TCu,Cu,Tuw\"
|
||||||
",
|
",
|
||||||
unless => "/bin/true # comment to satisfy puppet syntax requirements
|
unless => "/bin/true # comment to satisfy puppet syntax requirements
|
||||||
|
@ -113,7 +161,7 @@ certutil -d ${nss_db_path} -L | grep ^ca
|
||||||
exec { "${name}-nssdb-signing":
|
exec { "${name}-nssdb-signing":
|
||||||
command => "/bin/true # comment to satisfy puppet syntax requirements
|
command => "/bin/true # comment to satisfy puppet syntax requirements
|
||||||
set -ex
|
set -ex
|
||||||
wget --no-check-certificate ${rgw_keystone_url}/${rgw_keystone_version}/certificates/signing -O - |
|
wget --no-check-certificate ${rgw_keystone_url}/v2.0/certificates/signing -O - |
|
||||||
openssl x509 -pubkey | certutil -A -d ${nss_db_path} -n signing_cert -t \"P,P,P\"
|
openssl x509 -pubkey | certutil -A -d ${nss_db_path} -n signing_cert -t \"P,P,P\"
|
||||||
",
|
",
|
||||||
unless => "/bin/true # comment to satisfy puppet syntax requirements
|
unless => "/bin/true # comment to satisfy puppet syntax requirements
|
||||||
|
|
|
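Review bot: In the @ -74 hunk the v3 branch sets `"client.${name}/rgw_keystone_admin_token": ensure => absent;`, but the v2.0 branch does not remove rgw_keystone_api_version or the four rgw_keystone_admin_* keys, so a gateway switched from v3 back to v2.0 keeps `rgw_keystone_api_version = 3` and the admin password in its rendered config next to the newly written token; the v2.0 ceph_config block should ensure the v3 keys absent, as below. The doc added in the @ -56 hunk, `# Optional. Default is 'openstack'` for rgw_keystone_admin_project, does not match the value actually used (`$::ceph::profile::params::rgw_keystone_admin_project`, whose default is undef in the profile) and should read `# Optional. Default is undef`. In the @ -100 and @ -113 hunks the certificate fetch becomes `${rgw_keystone_url}/${rgw_keystone_version}/certificates/ca` and `.../signing`; as far as I know the Keystone v3 API does not serve those paths (its equivalent lives under OS-SIMPLE-CERT), and no spec exercises use_pki together with v3, so either confirm the path or fail() when use_pki is combined with v3. The define's body continues outside each of these hunks.
```puppet
  if $rgw_keystone_version == 'v2.0' {
    # … unchanged: admin_token presence check …
    ceph_config {
      "client.${name}/rgw_keystone_admin_token":    value => $rgw_keystone_admin_token;
      "client.${name}/rgw_keystone_api_version":    ensure => absent;
      "client.${name}/rgw_keystone_admin_domain":   ensure => absent;
      "client.${name}/rgw_keystone_admin_project":  ensure => absent;
      "client.${name}/rgw_keystone_admin_user":     ensure => absent;
      "client.${name}/rgw_keystone_admin_password": ensure => absent;
    }
  } elsif $rgw_keystone_version == 'v3' {
    # … unchanged: v3 parameter check and ceph_config block …
```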
@ -0,0 +1,89 @@
|
||||||
|
# == Class: ceph::rgw::keystone::auth
|
||||||
|
#
|
||||||
|
# Configures RGW user, service and endpoint in Keystone V3.
|
||||||
|
#
|
||||||
|
# === Parameters
|
||||||
|
#
|
||||||
|
# [*password*]
|
||||||
|
# Password for the RGW user. Required
|
||||||
|
#
|
||||||
|
# [*user*]
|
||||||
|
# Username for the RGW user. Optional.
|
||||||
|
# Defaults to 'rgwuser'
|
||||||
|
#
|
||||||
|
# [*email*]
|
||||||
|
# Email for the RGW user. Optional.
|
||||||
|
# Defaults to 'rgwuser@localhost'
|
||||||
|
#
|
||||||
|
# [*roles*]
|
||||||
|
# Accepted RGW roles. Optional.
|
||||||
|
# Defaults to ['admin', 'Member']
|
||||||
|
#
|
||||||
|
# [*public_url*]
|
||||||
|
# The public URL. Optional.
|
||||||
|
# Defaults to 'http://127.0.0.1:8080/swift/v1
|
||||||
|
#
|
||||||
|
# [*admin_url*]
|
||||||
|
# The admin URL. Optional.
|
||||||
|
# Defaults to 'http://127.0.0.1:8080/swift/v1
|
||||||
|
#
|
||||||
|
# [*internal_url*]
|
||||||
|
# The internal URL. Optional.
|
||||||
|
# Defaults to 'http://127.0.0.1:8080/swift/v1
|
||||||
|
#
|
||||||
|
# [*region*]
|
||||||
|
# Region for endpoint. Optional.
|
||||||
|
# Defaults to 'RegionOne'
|
||||||
|
#
|
||||||
|
# [*tenant*]
|
||||||
|
# Tenant for user. Optional.
|
||||||
|
# Defaults to 'services'
|
||||||
|
#
|
||||||
|
# [*rgw_service*]
|
||||||
|
# Name of the keystone service used by RGW
|
||||||
|
# Defaults to 'swift::object-store'
|
||||||
|
#
|
||||||
|
|
||||||
|
class ceph::rgw::keystone::auth (
|
||||||
|
$password,
|
||||||
|
$user = 'rgwuser',
|
||||||
|
$email = 'rgwuser@localhost',
|
||||||
|
$roles = ['admin', 'Member'],
|
||||||
|
$public_url = 'http://127.0.0.1:8080/swift/v1',
|
||||||
|
$admin_url = 'http://127.0.0.1:8080/swift/v1',
|
||||||
|
$internal_url = 'http://127.0.0.1:8080/swift/v1',
|
||||||
|
$region = 'RegionOne',
|
||||||
|
$tenant = 'services',
|
||||||
|
$rgw_service = 'swift::object-store',
|
||||||
|
) {
|
||||||
|
|
||||||
|
include ::openstacklib::openstackclient
|
||||||
|
|
||||||
|
ensure_resource('keystone_service', 'swift::object-store', {
|
||||||
|
'ensure' => 'present',
|
||||||
|
'description' => 'Ceph RGW Service',
|
||||||
|
} )
|
||||||
|
|
||||||
|
ensure_resource('keystone_endpoint', "${region}/swift::object-store", {
|
||||||
|
'ensure' => 'present',
|
||||||
|
'public_url' => $public_url,
|
||||||
|
'admin_url' => $admin_url,
|
||||||
|
'internal_url' => $internal_url,
|
||||||
|
} )
|
||||||
|
|
||||||
|
keystone_user { $user:
|
||||||
|
ensure => present,
|
||||||
|
password => $password,
|
||||||
|
email => $email,
|
||||||
|
}
|
||||||
|
|
||||||
|
ensure_resource('keystone_role', $roles, {
|
||||||
|
'ensure' => 'present'
|
||||||
|
} )
|
||||||
|
|
||||||
|
keystone_user_role { "${user}@${tenant}":
|
||||||
|
ensure => present,
|
||||||
|
roles => $roles,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
|
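Review bot: `$rgw_service` is declared and documented in the new class but never used; the service title in `ensure_resource('keystone_service', 'swift::object-store', {` and the endpoint title `"${region}/swift::object-store"` hard-code the name, so passing a different rgw_service silently has no effect. Those two lines should read `ensure_resource('keystone_service', $rgw_service, {` and `ensure_resource('keystone_endpoint', "${region}/${rgw_service}", {`. The `[*roles*]` doc says "Accepted RGW roles", but the list is granted to `$user` through keystone_user_role (the roles RGW accepts are set by rgw_keystone_accepted_roles in the define), and the default grants admin; `# Roles granted to the RGW user in $tenant (not the roles RGW accepts — see rgw_keystone_accepted_roles). Defaults to ['admin', 'Member']` would make that explicit. The three `# Defaults to 'http://127.0.0.1:8080/swift/v1` lines are missing the closing quote.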
@ -0,0 +1,11 @@
|
||||||
|
---
|
||||||
|
features:
|
||||||
|
- Updates 'ceph::rgw::keystone' to integrate with keystone V3.
|
||||||
|
Adds new parameters rgw_keystone_admin_domain,
|
||||||
|
rgw_keyston_admin_project, rgw_keystone_admin_user
|
||||||
|
and rgw_keystone_admin_password.
|
||||||
|
Extends rgw_keystone_version to add 'v3' as a valid option
|
||||||
|
issues:
|
||||||
|
- At this time radosgw uses pki to verify Keystone revocation
|
||||||
|
lists. 'keystone::enable_pki_setup' must be set to true
|
||||||
|
to provide the needed keystone support
|
|
@ -140,7 +140,46 @@ wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/signin
|
||||||
'user' => 'www-data',
|
'user' => 'www-data',
|
||||||
) }
|
) }
|
||||||
|
|
||||||
end end
|
end
|
||||||
|
|
||||||
|
describe "create with keystone v3 and no pki params" do
|
||||||
|
|
||||||
|
let :pre_condition do
|
||||||
|
"
|
||||||
|
include ceph::params
|
||||||
|
class { 'ceph': fsid => 'd5252e7d-75bc-4083-85ed-fe51fa83f62b' }
|
||||||
|
class { 'ceph::repo': fastcgi => true, }
|
||||||
|
include ceph
|
||||||
|
ceph::rgw { 'radosgw.gateway': }
|
||||||
|
ceph::rgw::apache_fastcgi { 'radosgw.gateway': }
|
||||||
|
"
|
||||||
|
end
|
||||||
|
|
||||||
|
let :title do
|
||||||
|
'radosgw.gateway'
|
||||||
|
end
|
||||||
|
|
||||||
|
let :params do
|
||||||
|
{
|
||||||
|
:rgw_keystone_url => 'http://keystone.default:5000',
|
||||||
|
:rgw_keystone_version => 'v3',
|
||||||
|
:rgw_keystone_admin_domain => 'default',
|
||||||
|
:rgw_keystone_admin_project => 'openstack',
|
||||||
|
:rgw_keystone_admin_user => 'rgwuser',
|
||||||
|
:rgw_keystone_admin_password => '123456',
|
||||||
|
}
|
||||||
|
end
|
||||||
|
|
||||||
|
it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_url').with_value('http://keystone.default:5000') }
|
||||||
|
it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_domain').with_value('default') }
|
||||||
|
it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_project').with_value('openstack') }
|
||||||
|
it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_user').with_value('rgwuser') }
|
||||||
|
it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_password').with_value('123456') }
|
||||||
|
it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_token').with_ensure('absent') }
|
||||||
|
|
||||||
|
end
|
||||||
|
|
||||||
|
end
|
||||||
|
|
||||||
describe 'RedHat Family' do
|
describe 'RedHat Family' do
|
||||||
|
|
||||||
|
@ -262,7 +301,47 @@ wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/signin
|
||||||
'user' => 'apache',
|
'user' => 'apache',
|
||||||
) }
|
) }
|
||||||
|
|
||||||
end end
|
end
|
||||||
|
|
||||||
|
describe "create with keystone v3 and no pki params" do
|
||||||
|
|
||||||
|
let :pre_condition do
|
||||||
|
"
|
||||||
|
include ceph::params
|
||||||
|
class { 'ceph': fsid => 'd5252e7d-75bc-4083-85ed-fe51fa83f62b' }
|
||||||
|
class { 'ceph::repo': fastcgi => true, }
|
||||||
|
include ceph
|
||||||
|
ceph::rgw { 'radosgw.gateway': }
|
||||||
|
ceph::rgw::apache_fastcgi { 'radosgw.gateway': }
|
||||||
|
"
|
||||||
|
end
|
||||||
|
|
||||||
|
let :title do
|
||||||
|
'radosgw.gateway'
|
||||||
|
end
|
||||||
|
|
||||||
|
let :params do
|
||||||
|
{
|
||||||
|
:rgw_keystone_url => 'http://keystone.default:5000',
|
||||||
|
:rgw_keystone_version => 'v3',
|
||||||
|
:rgw_keystone_admin_domain => 'default',
|
||||||
|
:rgw_keystone_admin_project => 'openstack',
|
||||||
|
:rgw_keystone_admin_user => 'rgwuser',
|
||||||
|
:rgw_keystone_admin_password => '123456',
|
||||||
|
}
|
||||||
|
end
|
||||||
|
|
||||||
|
it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_url').with_value('http://keystone.default:5000') }
|
||||||
|
it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_domain').with_value('default') }
|
||||||
|
it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_project').with_value('openstack') }
|
||||||
|
it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_user').with_value('rgwuser') }
|
||||||
|
it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_password').with_value('123456') }
|
||||||
|
it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_token').with_ensure('absent') }
|
||||||
|
|
||||||
|
end
|
||||||
|
|
||||||
|
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
# Local Variables:
|
# Local Variables:
|
||||||
|
|
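Review bot: The new "create with keystone v3 and no pki params" examples cover only the happy path; none of the fail() branches added to ceph::rgw::keystone (missing admin token for v2.0, incomplete v3 parameters, unsupported version) has an example, and nothing asserts that the v2.0 path leaves the v3 keys out of ceph_config. A failing-compile example in the shape below, with one parameter omitted, would pin the v3 validation; the same can be done for the v2.0 case with rgw_keystone_admin_token left unset. The block is also duplicated verbatim between the Debian and RedHat describe groups (@ -140 and @ -262); a `shared_examples` group parameterised on the web user would keep the two from drifting. Both hunks sit inside describe groups that start outside the hunk.
```ruby
describe "fails with keystone v3 and incomplete admin params" do
  # … unchanged: pre_condition and title as in the example above …
  let :params do
    {
      :rgw_keystone_url        => 'http://keystone.default:5000',
      :rgw_keystone_version    => 'v3',
      :rgw_keystone_admin_user => 'rgwuser',
    }
  end

  it { expect { catalogue }.to raise_error(Puppet::Error, /Incomplete parameters for Keystone V3 integration/) }
end
```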