Deprecated Keystone v2.0 and PKI tokens in Keystone RGW

The Keystone v2.0 and PKI params in ceph::rgw::keystone is now deprecated and the functionality is removed since the v2.0 API is now available anymore and PKI tokens is also removed. Change-Id: I152da5f9a83aaca27d52b85a889f9391522e3531
2019-02-24 02:36:08 +01:00 · 2019-02-24 02:36:08 +01:00 · 8df92d51d3
commit 8df92d51d3
parent 85b9d61c40
4 changed files with 74 additions and 147 deletions
--- a/manifests/params.pp
+++ b/manifests/params.pp
@ -54,7 +54,6 @@ class ceph::params (
      $pkg_radosgw         = 'radosgw'
      $user_radosgw        = 'www-data'
      $pkg_fastcgi         = 'libapache2-mod-fastcgi'
-      $pkg_nsstools        = ['libnss3-tools', 'wget']
      $pkg_policycoreutils = 'policycoreutils'
    }

@ -62,7 +61,6 @@ class ceph::params (
      $pkg_radosgw         = 'ceph-radosgw'
      $user_radosgw        = 'apache'
      $pkg_fastcgi         = 'mod_fastcgi'
-      $pkg_nsstools        = ['nss-tools', 'wget']
      $pkg_policycoreutils = 'policycoreutils-python'
    }

--- a/manifests/rgw/keystone.pp
+++ b/manifests/rgw/keystone.pp
@ -49,30 +49,12 @@
 #
 # [*rgw_keystone_token_cache_size*]
 #   (Optional) How many tokens to keep cached.
-#   Not useful when using PKI as every token is checked.
 #   Defaults to 500
 #
 # [*rgw_s3_auth_use_keystone*]
 #   (Optional) Whether to enable keystone auth for S3.
 #   Defaults to true
 #
-# [*use_pki*]
-#   (Optional) Whether to use PKI related configuration.
-#   Defaults to true
-#
-# [*rgw_keystone_revocation_interval*]
-#   (Optional) Interval to check for expired tokens.
-#   Not useful if not using PKI tokens (if not, set to high value).
-#   Defaults is 600 (seconds)
-#
-# [*nss_db_path*]
-#   (Optional) Path to NSS < - > keystone tokens db files.
-#   Defaults to undef
-#
-# [*user*]
-#   (Optional) User running the web frontend.
-#   Defaults to 'www-data'
-#
 # [*rgw_keystone_implicit_tenants*]
 #   (Optional) Set 'true' for a private tenant for each user.
 #   Defaults to true
@ -87,6 +69,23 @@
 #   (Optional) The keystone admin token.
 #   Defaults to undef
 #
+# [*use_pki*]
+#   (Optional) Whether to use PKI related configuration.
+#   Defaults to undef
+#
+# [*rgw_keystone_revocation_interval*]
+#   (Optional) Interval to check for expired tokens.
+#   Not useful if not using PKI tokens (if not, set to high value).
+#   Defaults to undef
+#
+# [*nss_db_path*]
+#   (Optional) Path to NSS < - > keystone tokens db files.
+#   Defaults to undef
+#
+# [*user*]
+#   (Optional) User running the web frontend.
+#   Defaults to undef
+#
 define ceph::rgw::keystone (
  $rgw_keystone_admin_domain,
  $rgw_keystone_admin_project,
@ -96,14 +95,14 @@ define ceph::rgw::keystone (
  $rgw_keystone_accepted_roles      = 'Member',
  $rgw_keystone_token_cache_size    = 500,
  $rgw_s3_auth_use_keystone         = true,
-  $use_pki                          = true,
-  $rgw_keystone_revocation_interval = 600,
-  $nss_db_path                      = '/var/lib/ceph/nss',
-  $user                             = $::ceph::params::user_radosgw,
  $rgw_keystone_implicit_tenants    = true,
  ## DEPRECATED PARAMS
  $rgw_keystone_version             = undef,
  $rgw_keystone_admin_token         = undef,
+  $use_pki                          = undef,
+  $rgw_keystone_revocation_interval = undef,
+  $nss_db_path                      = undef,
+  $user                             = undef,
 ) {

  unless $name =~ /^radosgw\..+/ {
@ -116,13 +115,25 @@ define ceph::rgw::keystone (
  if $rgw_keystone_admin_token {
    warning('ceph::rgw::keystone::rgw_keystone_admin_token is deprecated')
  }
+  if $use_pki {
+    warning('ceph::rgw::keystone::use_pki is deprecated')
+  }
+  if $rgw_keystone_revocation_interval {
+    warning('ceph::rgw::keystone::rgw_keystone_revocation_interval is deprecated')
+  }
+  if $nss_db_path {
+    warning('ceph::rgw::keystone::nss_db_path is deprecated')
+  }
+  if $user {
+    warning('ceph::rgw::keystone::user is deprecated')
+  }

  ceph_config {
-    "client.${name}/rgw_keystone_url":                 value => $rgw_keystone_url;
-    "client.${name}/rgw_keystone_accepted_roles":      value => join(any2array($rgw_keystone_accepted_roles), ',');
-    "client.${name}/rgw_keystone_token_cache_size":    value => $rgw_keystone_token_cache_size;
-    "client.${name}/rgw_s3_auth_use_keystone":         value => $rgw_s3_auth_use_keystone;
-    "client.${name}/rgw_keystone_implicit_tenants":    value => $rgw_keystone_implicit_tenants;
+    "client.${name}/rgw_keystone_url":              value => $rgw_keystone_url;
+    "client.${name}/rgw_keystone_accepted_roles":   value => join(any2array($rgw_keystone_accepted_roles), ',');
+    "client.${name}/rgw_keystone_token_cache_size": value => $rgw_keystone_token_cache_size;
+    "client.${name}/rgw_s3_auth_use_keystone":      value => $rgw_s3_auth_use_keystone;
+    "client.${name}/rgw_keystone_implicit_tenants": value => $rgw_keystone_implicit_tenants;
  }

  # FIXME(ykarel) Cleanup once https://tracker.ceph.com/issues/24228 is fixed for luminous
@ -142,58 +153,8 @@ define ceph::rgw::keystone (
    "client.${name}/rgw_keystone_admin_token":    ensure => absent;
  }

-  if $use_pki {
-    # fetch the keystone signing cert, add to nss db
-    $pkg_nsstools = $::ceph::params::pkg_nsstools
-    ensure_packages($pkg_nsstools, {'ensure' => 'present'})
-
-    file { $nss_db_path:
-      ensure => directory,
-      owner  => $user,
-      group  => 'root',
-    }
-
-    ceph_config {
-      "client.${name}/nss_db_path":                      value => $nss_db_path;
-      "client.${name}/rgw_keystone_revocation_interval": value => $rgw_keystone_revocation_interval;
-    }
-
-    exec { "${name}-nssdb-ca":
-      command => "/bin/true  # comment to satisfy puppet syntax requirements
-set -ex
-wget --no-check-certificate ${rgw_keystone_url}/v2.0/certificates/ca -O - |
-  openssl x509 -pubkey | certutil -A -d ${nss_db_path} -n ca -t \"TCu,Cu,Tuw\"
-",
-      unless  => "/bin/true  # comment to satisfy puppet syntax requirements
-set -ex
-certutil -d ${nss_db_path} -L | grep ^ca
-",
-      user    => $user,
-    }
-
-    exec { "${name}-nssdb-signing":
-      command => "/bin/true  # comment to satisfy puppet syntax requirements
-set -ex
-wget --no-check-certificate ${rgw_keystone_url}/v2.0/certificates/signing -O - |
-  openssl x509 -pubkey | certutil -A -d ${nss_db_path} -n signing_cert -t \"P,P,P\"
-",
-      unless  => "/bin/true  # comment to satisfy puppet syntax requirements
-set -ex
-certutil -d ${nss_db_path} -L | grep ^signing_cert
-",
-      user    => $user,
-    }
-
-    Package[$pkg_nsstools]
-    -> Package[$::ceph::params::packages]
-    -> File[$nss_db_path]
-    -> Exec["${name}-nssdb-ca"]
-    -> Exec["${name}-nssdb-signing"]
-    ~> Service<| tag == 'ceph-radosgw' |>
-  } else {
-    ceph_config {
-      "client.${name}/nss_db_path":                      ensure => absent;
-      "client.${name}/rgw_keystone_revocation_interval": value => $rgw_keystone_revocation_interval;
-    }
+  ceph_config {
+    "client.${name}/nss_db_path":                      ensure => absent;
+    "client.${name}/rgw_keystone_revocation_interval": ensure => absent;
  }
 }
--- a/releasenotes/notes/deprecate-rgw-keystone-pki-d8d5862f18c1e196.yaml
+++ b/releasenotes/notes/deprecate-rgw-keystone-pki-d8d5862f18c1e196.yaml
@ -0,0 +1,16 @@
+---
+upgrade:
+  - |
+    The PKI functionality in the ceph::rgw::keystone class is now deprecated
+    and the functionality is removed since Keystone v2.0 API is not available
+    anymore and PKI tokens is removed.
+deprecations:
+  - |
+    ceph::rgw::keystone::use_pki is deprecated and has no effect.
+  - |
+    ceph::rgw::keystone::rgw_keystone_revocation_interval is deprecated and
+    has no effect.
+  - |
+    ceph::rgw::keystone::nss_db_path is deprecated and has no effect.
+  - |
+    ceph::rgw::keystone::user is deprecated and has no effect.
--- a/spec/defines/ceph_rgw_keystone_spec.rb
+++ b/spec/defines/ceph_rgw_keystone_spec.rb
@ -42,35 +42,19 @@ describe 'ceph::rgw::keystone' do
        }
      end

-      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_url').with_value('http://127.0.0.1:5000') }
+      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_api_version').with_value(3) }
      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_domain').with_value('default') }
      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_project').with_value('openstack') }
      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_user').with_value('rgwuser') }
      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_password').with_value('123456') }
      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_token').with_ensure('absent') }
+      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_url').with_value('http://127.0.0.1:5000') }
      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_accepted_roles').with_value('Member') }
      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_token_cache_size').with_value(500) }
      it { should contain_ceph_config('client.radosgw.gateway/rgw_s3_auth_use_keystone').with_value(true) }
-      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_revocation_interval').with_value(600) }
-      it { should contain_ceph_config('client.radosgw.gateway/nss_db_path').with_value('/var/lib/ceph/nss') }
      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_implicit_tenants').with_value(true) }
-
-      it { should contain_exec('radosgw.gateway-nssdb-ca').with(
-         :command => "/bin/true  # comment to satisfy puppet syntax requirements
-set -ex
-wget --no-check-certificate http://127.0.0.1:5000/v2.0/certificates/ca -O - |
-  openssl x509 -pubkey | certutil -A -d /var/lib/ceph/nss -n ca -t \"TCu,Cu,Tuw\"
-",
-         :user    => platform_params[:user_radosgw],
-      ) }
-      it { should contain_exec('radosgw.gateway-nssdb-signing').with(
-         :command => "/bin/true  # comment to satisfy puppet syntax requirements
-set -ex
-wget --no-check-certificate http://127.0.0.1:5000/v2.0/certificates/signing -O - |
-  openssl x509 -pubkey | certutil -A -d /var/lib/ceph/nss -n signing_cert -t \"P,P,P\"
-",
-         :user    => platform_params[:user_radosgw],
-      )}
+      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_revocation_interval').with_ensure('absent') }
+      it { should contain_ceph_config('client.radosgw.gateway/nss_db_path').with_ensure('absent') }
    end

    context 'create with custom params' do
@ -87,22 +71,19 @@ wget --no-check-certificate http://127.0.0.1:5000/v2.0/certificates/signing -O -

      let :params do
        {
-          :rgw_keystone_admin_domain        => 'default',
-          :rgw_keystone_admin_project       => 'openstack',
-          :rgw_keystone_admin_user          => 'rgwuser',
-          :rgw_keystone_admin_password      => '123456',
-          :rgw_keystone_url                 => 'http://keystone.custom:5000',
-          :rgw_keystone_accepted_roles      => '_role1_,role2',
-          :rgw_keystone_token_cache_size    => 100,
-          :rgw_s3_auth_use_keystone         => false,
-          :use_pki                          => false,
-          :rgw_keystone_revocation_interval => 0,
-          :user                             => 'myuser',
-          :nss_db_path                      => '/some/path/to/nss',
-          :rgw_keystone_implicit_tenants    => false,
+          :rgw_keystone_admin_domain     => 'default',
+          :rgw_keystone_admin_project    => 'openstack',
+          :rgw_keystone_admin_user       => 'rgwuser',
+          :rgw_keystone_admin_password   => '123456',
+          :rgw_keystone_url              => 'http://keystone.custom:5000',
+          :rgw_keystone_accepted_roles   => '_role1_,role2',
+          :rgw_keystone_token_cache_size => 100,
+          :rgw_s3_auth_use_keystone      => false,
+          :rgw_keystone_implicit_tenants => false,
        }
      end

+      it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_api_version').with_value(3) }
      it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_domain').with_value('default') }
      it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_project').with_value('openstack') }
      it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_user').with_value('rgwuser') }
@ -112,27 +93,9 @@ wget --no-check-certificate http://127.0.0.1:5000/v2.0/certificates/signing -O -
      it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_accepted_roles').with_value('_role1_,role2') }
      it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_token_cache_size').with_value(100) }
      it { should contain_ceph_config('client.radosgw.custom/rgw_s3_auth_use_keystone').with_value(false) }
-      it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_revocation_interval').with_value(0) }
-      it { should contain_ceph_config('client.radosgw.custom/nss_db_path').with_ensure('absent') }
      it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_implicit_tenants').with_value(false) }
-
-      it { should_not contain_exec('radosgw.custom-nssdb-ca').with(
-         :command => "/bin/true  # comment to satisfy puppet syntax requirements
-set -ex
-wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/ca -O - |
-  openssl x509 -pubkey | certutil -A -d /some/path/to/nss -n ca -t \"TCu,Cu,Tuw\"
-",
-         :user    => 'myuser',
-      ) }
-      it { should_not contain_exec('radosgw.custom-nssdb-signing').with(
-         :command => "/bin/true  # comment to satisfy puppet syntax requirements
-set -ex
-wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/signing -O - |
-  openssl x509 -pubkey | certutil -A -d /some/path/to/nss -n signing_cert -t \"P,P,P\"
-",
-         :user    => 'myuser',
-      )}
-
+      it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_revocation_interval').with_ensure('absent') }
+      it { should contain_ceph_config('client.radosgw.custom/nss_db_path').with_ensure('absent') }
    end
  end

@ -141,18 +104,7 @@ wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/signin
  }).each do |os,facts|
    context "on #{os}" do
      let (:facts) do
-        facts.merge!(OSDefaults.get_facts( :concat_basedir => '/var/lib/puppet/concat',
-                                           :fqdn           => 'myhost.domain',
-                                           :hostname       => 'myhost' ))
-      end
-
-      let (:platform_params) do
-        if facts[:osfamily] == 'Debian'
-          user_radosgw = 'www-data'
-        else
-          user_radosgw = 'apache'
-        end
-        { :user_radosgw => user_radosgw }
+        facts.merge!(OSDefaults.get_facts())
      end

      it_behaves_like 'ceph::rgw::keystone'