Update Jewel Ceph RGW to support Keystone V3

This patch updates ceph::rgw:keystone to support Keystone V3 Usage: The domain, project, user and password are pre-populated in keystone. ceph::rgw::keystone{ 'radosgw.gateway': rgw_keystone_version => 'v3', rgw_keystone_admin_domain => 'default', rgw_keystone_admin_project => 'openstack', rgw_keystone_admin_user => 'rgwuser', rgw_keystone_admin_password => '123456', use_pki => false, } Change-Id: Ifb24615372c962b9e264167888d8da939b46341d Ref: http://docs.ceph.com/docs/master/radosgw/keystone/ Ref: http://docs.ceph.com/docs/master/radosgw/config-ref/#keystone-settings
2016-07-27 13:01:04 -04:00 · 2016-07-27 13:01:04 -04:00 · 26333fd873
commit 26333fd873
parent b72bf9d6b8
5 changed files with 259 additions and 7 deletions
--- a/manifests/profile/params.pp
+++ b/manifests/profile/params.pp
@ -139,6 +139,25 @@
 #   Set to 0 to disable it.
 #   Optional. Default provided by Ceph
 #
+# [*rgw_keystone_version*] The api version for keystone.
+#   Possible values 'v2.0', 'v3'
+#   Optional. Default is 'v2.0'
+#
+# [*rgw_keystone_admin_domain*] The name of OpenStack domain with admin
+#   privilege when using OpenStack Identity API v3
+#   Optional. Default is undef
+#
+# [*rgw_keystone_admin_project*] The name of OpenStack project with admin
+#   privilege when using OpenStack Identity API v3
+#   Optional. Default is undef
+#
+# [*rgw_keystone_admin_user*] The user name of OpenStack tenant with admin
+#   privilege (Service Tenant)
+#   Required if is 'v3'.
+#
+# [*rgw_keystone_admin_password*] The password for OpenStack admin user
+#   Required if is 'v3'.
+

 class ceph::profile::params (
  $fsid = undef,
@ -172,6 +191,12 @@ class ceph::profile::params (
  $osd_recovery_max_single_start = undef,
  $osd_max_scrubs = undef,
  $osd_op_threads = undef,
+  $rgw_keystone_version = 'v2.0',
+  $rgw_keystone_admin_domain = undef,
+  $rgw_keystone_admin_project = undef,
+  $rgw_keystone_admin_user = undef,
+  $rgw_keystone_admin_password = undef,
+
 ) {
  validate_hash($client_keys)

--- a/manifests/rgw/keystone.pp
+++ b/manifests/rgw/keystone.pp
@ -24,12 +24,13 @@
 ### == Parameters
 #
 # [*rgw_keystone_admin_token*] The keystone admin token.
-#   Mandatory.
+#   Required if rgw_keystone_version is v2.0.
 #
 # [*rgw_keystone_url*] The internal or admin url for keystone.
 #   Optional. Default is 'http://127.0.0.1:5000'
 #
 # [*rgw_keystone_version*] The api version for keystone.
+#   Possible values 'v2.0', 'v3'
 #   Optional. Default is 'v2.0'
 #
 # [*rgw_keystone_accepted_roles*] Roles to accept from keystone.
@ -56,8 +57,23 @@
 # [*user*] User running the web frontend.
 #   Optional. Default is 'www-data'.
 #
+# [*rgw_keystone_admin_domain*] The name of OpenStack domain with admin
+#   privilege when using OpenStack Identity API v3
+#   Optional. Default is undef
+#
+# [*rgw_keystone_admin_project*] The name of OpenStack project with admin
+#   privilege when using OpenStack Identity API v3
+#   Optional. Default is 'openstack'
+#
+# [*rgw_keystone_admin_user*] The user name of OpenStack tenant with admin
+#   privilege (Service Tenant)
+#   Required if rgw_keystone_version is 'v3'.
+#
+# [*rgw_keystone_admin_password*] The password for OpenStack admin user
+#   Required if rgw_keystone_version is 'v3'.
+
 define ceph::rgw::keystone (
-  $rgw_keystone_admin_token,
+  $rgw_keystone_admin_token         = undef,
  $rgw_keystone_url                 = 'http://127.0.0.1:5000',
  $rgw_keystone_version             = 'v2.0',
  $rgw_keystone_accepted_roles      = '_member_, Member',
@ -67,6 +83,10 @@ define ceph::rgw::keystone (
  $rgw_keystone_revocation_interval = 600,
  $nss_db_path                      = '/var/lib/ceph/nss',
  $user                             = $::ceph::params::user_radosgw,
+  $rgw_keystone_admin_domain        = $::ceph::profile::params::rgw_keystone_admin_domain,
+  $rgw_keystone_admin_project       = $::ceph::profile::params::rgw_keystone_admin_project,
+  $rgw_keystone_admin_user          = $::ceph::profile::params::rgw_keystone_admin_user,
+  $rgw_keystone_admin_password      = $::ceph::profile::params::rgw_keystone_admin_password,
 ) {

  unless $name =~ /^radosgw\..+/ {
@ -74,13 +94,41 @@ define ceph::rgw::keystone (
  }

  ceph_config {
-    "client.${name}/rgw_keystone_admin_token":         value => $rgw_keystone_admin_token;
    "client.${name}/rgw_keystone_url":                 value => $rgw_keystone_url;
    "client.${name}/rgw_keystone_accepted_roles":      value => join(any2array($rgw_keystone_accepted_roles), ',');
    "client.${name}/rgw_keystone_token_cache_size":    value => $rgw_keystone_token_cache_size;
    "client.${name}/rgw_s3_auth_use_keystone":         value => $rgw_s3_auth_use_keystone;
  }

+  if $rgw_keystone_version == 'v2.0' {
+    if $rgw_keystone_admin_token == undef
+    {
+      fail( 'Missing rgw_keystone_admin_token for Keystone V2 integration')
+    }
+    ceph_config {
+      "client.${name}/rgw_keystone_admin_token": value => $rgw_keystone_admin_token;
+    }
+  } elsif $rgw_keystone_version == 'v3' {
+    if $rgw_keystone_admin_domain == undef
+      or $rgw_keystone_admin_project == undef
+      or $rgw_keystone_admin_user == undef
+      or $rgw_keystone_admin_password == undef
+    {
+      fail( 'Incomplete parameters for Keystone V3 integration')
+    }
+    ceph_config {
+      "client.${name}/rgw_keystone_api_version":    value => 3;
+      "client.${name}/rgw_keystone_admin_domain":   value => $rgw_keystone_admin_domain;
+      "client.${name}/rgw_keystone_admin_project":  value => $rgw_keystone_admin_project;
+      "client.${name}/rgw_keystone_admin_user":     value => $rgw_keystone_admin_user;
+      "client.${name}/rgw_keystone_admin_password": value => $rgw_keystone_admin_password;
+      "client.${name}/rgw_keystone_admin_token":    ensure => absent;
+    }
+
+  } else {
+    fail("Unsupported keystone version: ${rgw_keystone_version}")
+  }
+
  if $use_pki {
    # fetch the keystone signing cert, add to nss db
    $pkg_nsstools = $::ceph::params::pkg_nsstools
@ -100,7 +148,7 @@ define ceph::rgw::keystone (
    exec { "${name}-nssdb-ca":
      command => "/bin/true  # comment to satisfy puppet syntax requirements
 set -ex
-wget --no-check-certificate ${rgw_keystone_url}/${rgw_keystone_version}/certificates/ca -O - |
+wget --no-check-certificate ${rgw_keystone_url}/v2.0/certificates/ca -O - |
  openssl x509 -pubkey | certutil -A -d ${nss_db_path} -n ca -t \"TCu,Cu,Tuw\"
 ",
      unless  => "/bin/true  # comment to satisfy puppet syntax requirements
@ -113,7 +161,7 @@ certutil -d ${nss_db_path} -L | grep ^ca
    exec { "${name}-nssdb-signing":
      command => "/bin/true  # comment to satisfy puppet syntax requirements
 set -ex
-wget --no-check-certificate ${rgw_keystone_url}/${rgw_keystone_version}/certificates/signing -O - |
+wget --no-check-certificate ${rgw_keystone_url}/v2.0/certificates/signing -O - |
  openssl x509 -pubkey | certutil -A -d ${nss_db_path} -n signing_cert -t \"P,P,P\"
 ",
      unless  => "/bin/true  # comment to satisfy puppet syntax requirements
--- a/manifests/rgw/keystone/auth.pp
+++ b/manifests/rgw/keystone/auth.pp
@ -0,0 +1,89 @@
+# == Class: ceph::rgw::keystone::auth
+#
+# Configures RGW user, service and endpoint in Keystone V3.
+#
+# === Parameters
+#
+# [*password*]
+#  Password for the RGW user. Required
+#
+# [*user*]
+#   Username for the RGW user. Optional.
+#   Defaults to 'rgwuser'
+#
+# [*email*]
+#   Email for the RGW user. Optional.
+#   Defaults to 'rgwuser@localhost'
+#
+# [*roles*]
+#   Accepted RGW roles. Optional.
+#   Defaults to ['admin', 'Member']
+#
+# [*public_url*]
+#   The public URL. Optional.
+#   Defaults to 'http://127.0.0.1:8080/swift/v1
+#
+# [*admin_url*]
+#   The admin URL. Optional.
+#   Defaults to 'http://127.0.0.1:8080/swift/v1
+#
+# [*internal_url*]
+#   The internal URL. Optional.
+#   Defaults to 'http://127.0.0.1:8080/swift/v1
+#
+# [*region*]
+#   Region for endpoint. Optional.
+#   Defaults to 'RegionOne'
+#
+# [*tenant*]
+#   Tenant for user. Optional.
+#   Defaults to 'services'
+#
+# [*rgw_service*]
+#   Name of the keystone service used by RGW
+#   Defaults to 'swift::object-store'
+#
+
+class ceph::rgw::keystone::auth (
+  $password,
+  $user         = 'rgwuser',
+  $email        = 'rgwuser@localhost',
+  $roles        = ['admin', 'Member'],
+  $public_url   = 'http://127.0.0.1:8080/swift/v1',
+  $admin_url    = 'http://127.0.0.1:8080/swift/v1',
+  $internal_url = 'http://127.0.0.1:8080/swift/v1',
+  $region       = 'RegionOne',
+  $tenant       = 'services',
+  $rgw_service  = 'swift::object-store',
+) {
+
+  include ::openstacklib::openstackclient
+
+  ensure_resource('keystone_service', 'swift::object-store', {
+    'ensure'      => 'present',
+    'description' => 'Ceph RGW Service',
+  } )
+
+  ensure_resource('keystone_endpoint', "${region}/swift::object-store", {
+    'ensure'       => 'present',
+    'public_url'   => $public_url,
+    'admin_url'    => $admin_url,
+    'internal_url' => $internal_url,
+  } )
+
+  keystone_user { $user:
+    ensure   => present,
+    password => $password,
+    email    => $email,
+  }
+
+  ensure_resource('keystone_role', $roles, {
+    'ensure' => 'present'
+  } )
+
+  keystone_user_role { "${user}@${tenant}":
+    ensure => present,
+    roles  => $roles,
+  }
+}
+
--- a/releasenotes/notes/radosgw-keystone-v3-93b3895e24b5f913.yaml
+++ b/releasenotes/notes/radosgw-keystone-v3-93b3895e24b5f913.yaml
@ -0,0 +1,11 @@
+---
+features:
+  - Updates 'ceph::rgw::keystone' to integrate with keystone V3.
+    Adds new parameters rgw_keystone_admin_domain,
+    rgw_keyston_admin_project, rgw_keystone_admin_user
+    and rgw_keystone_admin_password.
+    Extends rgw_keystone_version to add 'v3' as a valid option
+issues:
+  - At this time radosgw uses pki to verify Keystone revocation
+    lists. 'keystone::enable_pki_setup' must be set to true
+    to provide the needed keystone support
--- a/spec/defines/ceph_rgw_keystone_spec.rb
+++ b/spec/defines/ceph_rgw_keystone_spec.rb
@ -140,7 +140,46 @@ wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/signin
         'user'    => 'www-data',
      ) }

-    end  end
+    end
+
+    describe "create with keystone v3 and no pki params" do
+
+      let :pre_condition do
+        "
+          include ceph::params
+          class { 'ceph': fsid => 'd5252e7d-75bc-4083-85ed-fe51fa83f62b' }
+          class { 'ceph::repo': fastcgi => true, }
+          include ceph
+          ceph::rgw { 'radosgw.gateway': }
+          ceph::rgw::apache_fastcgi { 'radosgw.gateway': }
+        "
+      end
+
+      let :title do
+        'radosgw.gateway'
+      end
+
+      let :params do
+        {
+          :rgw_keystone_url            => 'http://keystone.default:5000',
+          :rgw_keystone_version        => 'v3',
+          :rgw_keystone_admin_domain   => 'default',
+          :rgw_keystone_admin_project  => 'openstack',
+          :rgw_keystone_admin_user     => 'rgwuser',
+          :rgw_keystone_admin_password => '123456',
+        }
+      end
+
+      it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_url').with_value('http://keystone.default:5000') }
+      it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_domain').with_value('default') }
+      it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_project').with_value('openstack') }
+      it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_user').with_value('rgwuser') }
+      it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_password').with_value('123456') }
+      it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_token').with_ensure('absent') }
+
+    end
+
+  end

  describe 'RedHat Family' do

@ -262,7 +301,47 @@ wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/signin
         'user'    => 'apache',
      ) }

-    end  end
+    end  
+
+    describe "create with keystone v3 and no pki params" do
+
+      let :pre_condition do
+        "
+          include ceph::params
+          class { 'ceph': fsid => 'd5252e7d-75bc-4083-85ed-fe51fa83f62b' }
+          class { 'ceph::repo': fastcgi => true, }
+          include ceph
+          ceph::rgw { 'radosgw.gateway': }
+          ceph::rgw::apache_fastcgi { 'radosgw.gateway': }
+        "
+      end
+
+      let :title do
+        'radosgw.gateway'
+      end
+
+      let :params do
+        {
+          :rgw_keystone_url            => 'http://keystone.default:5000',
+          :rgw_keystone_version        => 'v3',
+          :rgw_keystone_admin_domain   => 'default',
+          :rgw_keystone_admin_project  => 'openstack',
+          :rgw_keystone_admin_user     => 'rgwuser',
+          :rgw_keystone_admin_password => '123456',
+        }
+      end
+
+      it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_url').with_value('http://keystone.default:5000') }
+      it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_domain').with_value('default') }
+      it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_project').with_value('openstack') }
+      it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_user').with_value('rgwuser') }
+      it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_password').with_value('123456') }
+      it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_token').with_ensure('absent') }
+
+    end
+
+
+  end
 end

 # Local Variables: