Fix keystone part for non-pki tokens

* Give possibility to deploy w/o errors when non-PKI tokens are used on keystone * Provide new parameters rgw_s3_auth_use_keystone and use_pki Change-Id: I74b258710063ed767a8db08d3bc7ef697bade864
2016-05-30 15:47:42 +03:00 · 2016-05-30 15:47:42 +03:00 · 4b8fbc5e7a
commit 4b8fbc5e7a
parent a783f01eec
2 changed files with 67 additions and 42 deletions
--- a/manifests/rgw/keystone.pp
+++ b/manifests/rgw/keystone.pp
@ -40,6 +40,12 @@
 #   Optional. Default is 500.
 #   Not useful when using PKI as every token is checked.
 #
+# [*rgw_s3_auth_use_keystone*] Whether to enable keystone auth for S3.
+#   Optional. Default to true.
+#
+# [*use_pki*] Whether to use PKI related configuration.
+#   Optional. Default to true.
+#
 # [*rgw_keystone_revocation_interval*] Interval to check for expired tokens.
 #   Optional. Default is 600 (seconds).
 #   Not useful if not using PKI tokens (if not, set to high value).
@ -52,13 +58,15 @@
 #
 define ceph::rgw::keystone (
  $rgw_keystone_admin_token,
-  $rgw_keystone_url = 'http://127.0.0.1:5000',
-  $rgw_keystone_version = 'v2.0',
-  $rgw_keystone_accepted_roles = '_member_, Member',
-  $rgw_keystone_token_cache_size = 500,
+  $rgw_keystone_url                 = 'http://127.0.0.1:5000',
+  $rgw_keystone_version             = 'v2.0',
+  $rgw_keystone_accepted_roles      = '_member_, Member',
+  $rgw_keystone_token_cache_size    = 500,
+  $rgw_s3_auth_use_keystone         = true,
+  $use_pki                          = true,
  $rgw_keystone_revocation_interval = 600,
-  $nss_db_path = '/var/lib/ceph/nss',
-  $user = $::ceph::params::user_radosgw,
+  $nss_db_path                      = '/var/lib/ceph/nss',
+  $user                             = $::ceph::params::user_radosgw,
 ) {

  unless $name =~ /^radosgw\..+/ {
@ -70,52 +78,61 @@ define ceph::rgw::keystone (
    "client.${name}/rgw_keystone_url":                 value => $rgw_keystone_url;
    "client.${name}/rgw_keystone_accepted_roles":      value => $rgw_keystone_accepted_roles;
    "client.${name}/rgw_keystone_token_cache_size":    value => $rgw_keystone_token_cache_size;
-    "client.${name}/rgw_keystone_revocation_interval": value => $rgw_keystone_revocation_interval;
-    "client.${name}/rgw_s3_auth_use_keystone":         value => true;
-    "client.${name}/nss_db_path":                      value => $nss_db_path;
+    "client.${name}/rgw_s3_auth_use_keystone":         value => $rgw_s3_auth_use_keystone;
  }

-  # fetch the keystone signing cert, add to nss db
-  $pkg_nsstools = $::ceph::params::pkg_nsstools
-  ensure_resource('package', $pkg_nsstools, {'ensure' => 'present'})
+  if $use_pki {
+    # fetch the keystone signing cert, add to nss db
+    $pkg_nsstools = $::ceph::params::pkg_nsstools
+    ensure_resource('package', $pkg_nsstools, {'ensure' => 'present'})

-  file { $nss_db_path:
-    ensure => directory,
-    owner  => $user,
-    group  => 'root',
-  }
+    file { $nss_db_path:
+      ensure => directory,
+      owner  => $user,
+      group  => 'root',
+    }

-  exec { "${name}-nssdb-ca":
-    command => "/bin/true  # comment to satisfy puppet syntax requirements
+    ceph_config {
+      "client.${name}/nss_db_path":                      value => $nss_db_path;
+      "client.${name}/rgw_keystone_revocation_interval": value => $rgw_keystone_revocation_interval;
+    }
+
+    exec { "${name}-nssdb-ca":
+      command => "/bin/true  # comment to satisfy puppet syntax requirements
 set -ex
 wget --no-check-certificate ${rgw_keystone_url}/${rgw_keystone_version}/certificates/ca -O - |
  openssl x509 -pubkey | certutil -A -d ${nss_db_path} -n ca -t \"TCu,Cu,Tuw\"
 ",
-    unless  => "/bin/true  # comment to satisfy puppet syntax requirements
+      unless  => "/bin/true  # comment to satisfy puppet syntax requirements
 set -ex
 certutil -d ${nss_db_path} -L | grep ^ca
 ",
-    user    => $user,
-  }
+      user    => $user,
+    }

-  exec { "${name}-nssdb-signing":
-    command => "/bin/true  # comment to satisfy puppet syntax requirements
+    exec { "${name}-nssdb-signing":
+      command => "/bin/true  # comment to satisfy puppet syntax requirements
 set -ex
 wget --no-check-certificate ${rgw_keystone_url}/${rgw_keystone_version}/certificates/signing -O - |
  openssl x509 -pubkey | certutil -A -d ${nss_db_path} -n signing_cert -t \"P,P,P\"
 ",
-    unless  => "/bin/true  # comment to satisfy puppet syntax requirements
+      unless  => "/bin/true  # comment to satisfy puppet syntax requirements
 set -ex
 certutil -d ${nss_db_path} -L | grep ^signing_cert
 ",
-    user    => $user,
+      user    => $user,
+    }
+
+    Package[$pkg_nsstools]
+    -> Package[$::ceph::params::packages]
+    -> File[$nss_db_path]
+    -> Exec["${name}-nssdb-ca"]
+    -> Exec["${name}-nssdb-signing"]
+    ~> Service["radosgw-${name}"]
+  } else {
+    ceph_config {
+      "client.${name}/nss_db_path":                      ensure => absent;
+      "client.${name}/rgw_keystone_revocation_interval": ensure => absent;
+    }
  }
-
-  Package[$pkg_nsstools]
-  -> Package[$::ceph::params::packages]
-  -> File[$nss_db_path]
-  -> Exec["${name}-nssdb-ca"]
-  -> Exec["${name}-nssdb-signing"]
-  ~> Service["radosgw-${name}"]
-
 }
--- a/spec/defines/ceph_rgw_keystone_spec.rb
+++ b/spec/defines/ceph_rgw_keystone_spec.rb
@ -63,6 +63,7 @@ describe 'ceph::rgw::keystone' do
      it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_token').with_value('defaulttoken') }
      it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_accepted_roles').with_value('_member_, Member') }
      it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_token_cache_size').with_value(500) }
+      it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_s3_auth_use_keystone').with_value(true) }
      it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_revocation_interval').with_value(600) }
      it { is_expected.to contain_ceph_config('client.radosgw.gateway/nss_db_path').with_value('/var/lib/ceph/nss') }

@ -107,6 +108,8 @@ wget --no-check-certificate http://keystone.default:5000/v2.0/certificates/signi
          :rgw_keystone_admin_token         => 'mytoken',
          :rgw_keystone_accepted_roles      => '_role1_,role2',
          :rgw_keystone_token_cache_size    => 100,
+          :rgw_s3_auth_use_keystone         => false,
+          :use_pki                          => false,
          :rgw_keystone_revocation_interval => 200,
          :nss_db_path                      => '/some/path/to/nss',
        }
@ -116,10 +119,11 @@ wget --no-check-certificate http://keystone.default:5000/v2.0/certificates/signi
      it { is_expected.to contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_token').with_value('mytoken') }
      it { is_expected.to contain_ceph_config('client.radosgw.custom/rgw_keystone_accepted_roles').with_value('_role1_,role2') }
      it { is_expected.to contain_ceph_config('client.radosgw.custom/rgw_keystone_token_cache_size').with_value(100) }
-      it { is_expected.to contain_ceph_config('client.radosgw.custom/rgw_keystone_revocation_interval').with_value(200) }
-      it { is_expected.to contain_ceph_config('client.radosgw.custom/nss_db_path').with_value('/some/path/to/nss') }
+      it { is_expected.to contain_ceph_config('client.radosgw.custom/rgw_s3_auth_use_keystone').with_value(false) }
+      it { is_expected.to contain_ceph_config('client.radosgw.custom/rgw_keystone_revocation_interval').with_ensure('absent') }
+      it { is_expected.to contain_ceph_config('client.radosgw.custom/nss_db_path').with_ensure('absent') }

-      it { is_expected.to contain_exec('radosgw.custom-nssdb-ca').with(
+      it { is_expected.to_not contain_exec('radosgw.custom-nssdb-ca').with(
         'command' => "/bin/true  # comment to satisfy puppet syntax requirements
 set -ex
 wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/ca -O - |
@ -127,7 +131,7 @@ wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/ca -O
 ",
         'user'    => 'www-data',
      ) }
-      it { is_expected.to contain_exec('radosgw.custom-nssdb-signing').with(
+      it { is_expected.to_not contain_exec('radosgw.custom-nssdb-signing').with(
         'command' => "/bin/true  # comment to satisfy puppet syntax requirements
 set -ex
 wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/signing -O - |
@ -181,6 +185,7 @@ wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/signin
      it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_token').with_value('defaulttoken') }
      it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_accepted_roles').with_value('_member_, Member') }
      it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_token_cache_size').with_value(500) }
+      it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_s3_auth_use_keystone').with_value(true) }
      it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_revocation_interval').with_value(600) }
      it { is_expected.to contain_ceph_config('client.radosgw.gateway/nss_db_path').with_value('/var/lib/ceph/nss') }

@ -225,6 +230,8 @@ wget --no-check-certificate http://keystone.default:5000/v2.0/certificates/signi
          :rgw_keystone_admin_token         => 'mytoken',
          :rgw_keystone_accepted_roles      => '_role1_,role2',
          :rgw_keystone_token_cache_size    => 100,
+          :rgw_s3_auth_use_keystone         => false,
+          :use_pki                          => false,
          :rgw_keystone_revocation_interval => 200,
          :nss_db_path                      => '/some/path/to/nss',
        }
@ -234,10 +241,11 @@ wget --no-check-certificate http://keystone.default:5000/v2.0/certificates/signi
      it { is_expected.to contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_token').with_value('mytoken') }
      it { is_expected.to contain_ceph_config('client.radosgw.custom/rgw_keystone_accepted_roles').with_value('_role1_,role2') }
      it { is_expected.to contain_ceph_config('client.radosgw.custom/rgw_keystone_token_cache_size').with_value(100) }
-      it { is_expected.to contain_ceph_config('client.radosgw.custom/rgw_keystone_revocation_interval').with_value(200) }
-      it { is_expected.to contain_ceph_config('client.radosgw.custom/nss_db_path').with_value('/some/path/to/nss') }
+      it { is_expected.to contain_ceph_config('client.radosgw.custom/rgw_s3_auth_use_keystone').with_value(false) }
+      it { is_expected.to contain_ceph_config('client.radosgw.custom/rgw_keystone_revocation_interval').with_ensure('absent') }
+      it { is_expected.to contain_ceph_config('client.radosgw.custom/nss_db_path').with_ensure('absent') }

-      it { is_expected.to contain_exec('radosgw.custom-nssdb-ca').with(
+      it { is_expected.to_not contain_exec('radosgw.custom-nssdb-ca').with(
         'command' => "/bin/true  # comment to satisfy puppet syntax requirements
 set -ex
 wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/ca -O - |
@ -245,7 +253,7 @@ wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/ca -O
 ",
         'user'    => 'apache',
      ) }
-      it { is_expected.to contain_exec('radosgw.custom-nssdb-signing').with(
+      it { is_expected.to_not contain_exec('radosgw.custom-nssdb-signing').with(
         'command' => "/bin/true  # comment to satisfy puppet syntax requirements
 set -ex
 wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/signing -O - |