diff --git a/manifests/params.pp b/manifests/params.pp
index 6ce1fcac..f27feb03 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -54,7 +54,6 @@ class ceph::params (
 $pkg_radosgw = 'radosgw'
 $user_radosgw = 'www-data'
 $pkg_fastcgi = 'libapache2-mod-fastcgi'
- $pkg_nsstools = ['libnss3-tools', 'wget']
 $pkg_policycoreutils = 'policycoreutils'
 }
 
@@ -62,7 +61,6 @@ class ceph::params (
 $pkg_radosgw = 'ceph-radosgw'
 $user_radosgw = 'apache'
 $pkg_fastcgi = 'mod_fastcgi'
- $pkg_nsstools = ['nss-tools', 'wget']
 $pkg_policycoreutils = 'policycoreutils-python'
 }
 
diff --git a/manifests/rgw/keystone.pp b/manifests/rgw/keystone.pp
index 6edda22f..a93e5f9d 100644
--- a/manifests/rgw/keystone.pp
+++ b/manifests/rgw/keystone.pp
@@ -49,30 +49,12 @@
 #
 # [*rgw_keystone_token_cache_size*]
 # (Optional) How many tokens to keep cached.
-# Not useful when using PKI as every token is checked.
 # Defaults to 500
 #
 # [*rgw_s3_auth_use_keystone*]
 # (Optional) Whether to enable keystone auth for S3.
 # Defaults to true
 #
-# [*use_pki*]
-# (Optional) Whether to use PKI related configuration.
-# Defaults to true
-#
-# [*rgw_keystone_revocation_interval*]
-# (Optional) Interval to check for expired tokens.
-# Not useful if not using PKI tokens (if not, set to high value).
-# Defaults is 600 (seconds)
-#
-# [*nss_db_path*]
-# (Optional) Path to NSS < - > keystone tokens db files.
-# Defaults to undef
-#
-# [*user*]
-# (Optional) User running the web frontend.
-# Defaults to 'www-data'
-#
 # [*rgw_keystone_implicit_tenants*]
 # (Optional) Set 'true' for a private tenant for each user.
 # Defaults to true
@@ -87,6 +69,23 @@
 # (Optional) The keystone admin token.
 # Defaults to undef
 #
+# [*use_pki*]
+# (Optional) Whether to use PKI related configuration.
+# Defaults to undef
+#
+# [*rgw_keystone_revocation_interval*]
+# (Optional) Interval to check for expired tokens.
+# Not useful if not using PKI tokens (if not, set to high value).
+# Defaults to undef
+#
+# [*nss_db_path*]
+# (Optional) Path to NSS < - > keystone tokens db files.
+# Defaults to undef
+#
+# [*user*]
+# (Optional) User running the web frontend.
+# Defaults to undef
+#
 define ceph::rgw::keystone (
 $rgw_keystone_admin_domain,
 $rgw_keystone_admin_project,
@@ -96,14 +95,14 @@ define ceph::rgw::keystone (
 $rgw_keystone_accepted_roles = 'Member',
 $rgw_keystone_token_cache_size = 500,
 $rgw_s3_auth_use_keystone = true,
- $use_pki = true,
- $rgw_keystone_revocation_interval = 600,
- $nss_db_path = '/var/lib/ceph/nss',
- $user = $::ceph::params::user_radosgw,
 $rgw_keystone_implicit_tenants = true,
 ## DEPRECATED PARAMS
 $rgw_keystone_version = undef,
 $rgw_keystone_admin_token = undef,
+ $use_pki = undef,
+ $rgw_keystone_revocation_interval = undef,
+ $nss_db_path = undef,
+ $user = undef,
 ) {
 
 unless $name =~ /^radosgw\..+/ {
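Review bot: The four new doc entries still read like live options — `# (Optional) Whether to use PKI related configuration.` followed by `# Defaults to undef` — although the same commit moves the parameters under `## DEPRECATED PARAMS` and its release note says they have no effect. An operator reading only this header would keep setting `use_pki` or `nss_db_path` and expect the NSS database to be managed. Each entry should state that, e.g. `# (Optional) DEPRECATED. Has no effect; PKI token support has been removed.`, and the `rgw_keystone_revocation_interval` entry should drop the "set to high value" advice that no longer applies. The `define` header opened in the next hunk continues outside this one.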
@@ -116,13 +115,25 @@ define ceph::rgw::keystone (
 if $rgw_keystone_admin_token {
 warning('ceph::rgw::keystone::rgw_keystone_admin_token is deprecated')
 }
+ if $use_pki {
+ warning('ceph::rgw::keystone::use_pki is deprecated')
+ }
+ if $rgw_keystone_revocation_interval {
+ warning('ceph::rgw::keystone::rgw_keystone_revocation_interval is deprecated')
+ }
+ if $nss_db_path {
+ warning('ceph::rgw::keystone::nss_db_path is deprecated')
+ }
+ if $user {
+ warning('ceph::rgw::keystone::user is deprecated')
+ }
 
 ceph_config {
- "client.${name}/rgw_keystone_url": value => $rgw_keystone_url;
- "client.${name}/rgw_keystone_accepted_roles": value => join(any2array($rgw_keystone_accepted_roles), ',');
- "client.${name}/rgw_keystone_token_cache_size": value => $rgw_keystone_token_cache_size;
- "client.${name}/rgw_s3_auth_use_keystone": value => $rgw_s3_auth_use_keystone;
- "client.${name}/rgw_keystone_implicit_tenants": value => $rgw_keystone_implicit_tenants;
+ "client.${name}/rgw_keystone_url": value => $rgw_keystone_url;
+ "client.${name}/rgw_keystone_accepted_roles": value => join(any2array($rgw_keystone_accepted_roles), ',');
+ "client.${name}/rgw_keystone_token_cache_size": value => $rgw_keystone_token_cache_size;
+ "client.${name}/rgw_s3_auth_use_keystone": value => $rgw_s3_auth_use_keystone;
+ "client.${name}/rgw_keystone_implicit_tenants": value => $rgw_keystone_implicit_tenants;
 }
 
 # FIXME(ykarel) Cleanup once https://tracker.ceph.com/issues/24228 is fixed for luminous
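Review bot: The new `if $use_pki {` deprecation check fires only on a truthy value, so a manifest that explicitly passes `use_pki => false` — exactly what the old custom-params spec did — compiles silently even though the parameter is now ignored, and the operator never learns it should be removed. For a boolean the check should be against the default, `if $use_pki != undef {`, so both `true` and `false` warn; the truthiness test is fine for the string and integer parameters since `undef` is the only default. The realigned `ceph_config` lines below are whitespace-only. The enclosing `define` continues outside the hunk.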
@@ -142,58 +153,8 @@ define ceph::rgw::keystone ( "client.${name}/rgw_keystone_admin_token": ensure => absent; } - if $use_pki { - # fetch the keystone signing cert, add to nss db - $pkg_nsstools = $::ceph::params::pkg_nsstools - ensure_packages($pkg_nsstools, {'ensure' => 'present'}) - - file { $nss_db_path: - ensure => directory, - owner => $user, - group => 'root', - } - - ceph_config { - "client.${name}/nss_db_path": value => $nss_db_path; - "client.${name}/rgw_keystone_revocation_interval": value => $rgw_keystone_revocation_interval; - } - - exec { "${name}-nssdb-ca": - command => "/bin/true # comment to satisfy puppet syntax requirements -set -ex -wget --no-check-certificate ${rgw_keystone_url}/v2.0/certificates/ca -O - | - openssl x509 -pubkey | certutil -A -d ${nss_db_path} -n ca -t \"TCu,Cu,Tuw\" -", - unless => "/bin/true # comment to satisfy puppet syntax requirements -set -ex -certutil -d ${nss_db_path} -L | grep ^ca -", - user => $user, - } - - exec { "${name}-nssdb-signing": - command => "/bin/true # comment to satisfy puppet syntax requirements -set -ex -wget --no-check-certificate ${rgw_keystone_url}/v2.0/certificates/signing -O - | - openssl x509 -pubkey | certutil -A -d ${nss_db_path} -n signing_cert -t \"P,P,P\" -", - unless => "/bin/true # comment to satisfy puppet syntax requirements -set -ex -certutil -d ${nss_db_path} -L | grep ^signing_cert -", - user => $user, - } - - Package[$pkg_nsstools] - -> Package[$::ceph::params::packages] - -> File[$nss_db_path] - -> Exec["${name}-nssdb-ca"] - -> Exec["${name}-nssdb-signing"] - ~> Service<| tag == 'ceph-radosgw' |> - } else { - ceph_config { - "client.${name}/nss_db_path": ensure => absent; - "client.${name}/rgw_keystone_revocation_interval": value => $rgw_keystone_revocation_interval; - } + ceph_config { + "client.${name}/nss_db_path": ensure => absent; + "client.${name}/rgw_keystone_revocation_interval": ensure => absent; } } 
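Review bot: Deleting the PKI branch stops managing the NSS database but nothing in the new side cleans up what earlier runs left behind: the ceph.conf keys are set to `ensure => absent`, while the directory at the former `nss_db_path` default with its imported CA and signing certificates, and the nss-tools package, stay on upgraded nodes as stale trust material that is no longer refreshed. Since the define still accepts `$nss_db_path`, it could remove the database when an operator supplies it, `if $nss_db_path { file { $nss_db_path: ensure => absent, force => true } }`, or, if deleting operator-named paths is undesirable, the release note should tell operators to remove the old NSS database by hand. The two closing braces at the end of the hunk appear to close the `define`.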
diff --git a/releasenotes/notes/deprecate-rgw-keystone-pki-d8d5862f18c1e196.yaml b/releasenotes/notes/deprecate-rgw-keystone-pki-d8d5862f18c1e196.yaml
new file mode 100644
index 00000000..aa8df488
--- /dev/null
+++ b/releasenotes/notes/deprecate-rgw-keystone-pki-d8d5862f18c1e196.yaml
@@ -0,0 +1,16 @@
+---
+upgrade:
+ - |
+ The PKI functionality in the ceph::rgw::keystone class is now deprecated
+ and the functionality is removed since Keystone v2.0 API is not available
+ anymore and PKI tokens is removed.
+deprecations:
+ - |
+ ceph::rgw::keystone::use_pki is deprecated and has no effect.
+ - |
+ ceph::rgw::keystone::rgw_keystone_revocation_interval is deprecated and
+ has no effect.
+ - |
+ ceph::rgw::keystone::nss_db_path is deprecated and has no effect.
+ - |
+ ceph::rgw::keystone::user is deprecated and has no effect.
diff --git a/spec/defines/ceph_rgw_keystone_spec.rb b/spec/defines/ceph_rgw_keystone_spec.rb
index e1af09d2..a8291a91 100644
--- a/spec/defines/ceph_rgw_keystone_spec.rb
+++ b/spec/defines/ceph_rgw_keystone_spec.rb
@@ -42,35 +42,19 @@ describe 'ceph::rgw::keystone' do } end - it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_url').with_value('http://127.0.0.1:5000') } + it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_api_version').with_value(3) } it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_domain').with_value('default') } it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_project').with_value('openstack') } it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_user').with_value('rgwuser') } it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_password').with_value('123456') } it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_token').with_ensure('absent') } + it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_url').with_value('http://127.0.0.1:5000') } it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_accepted_roles').with_value('Member') } it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_token_cache_size').with_value(500) } it { should contain_ceph_config('client.radosgw.gateway/rgw_s3_auth_use_keystone').with_value(true) } - it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_revocation_interval').with_value(600) } - it { should contain_ceph_config('client.radosgw.gateway/nss_db_path').with_value('/var/lib/ceph/nss') } it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_implicit_tenants').with_value(true) } - - it { should contain_exec('radosgw.gateway-nssdb-ca').with( - :command => "/bin/true # comment to satisfy puppet syntax requirements -set -ex -wget --no-check-certificate http://127.0.0.1:5000/v2.0/certificates/ca -O - | - openssl x509 -pubkey | certutil -A -d /var/lib/ceph/nss -n ca -t \"TCu,Cu,Tuw\" -", - :user => platform_params[:user_radosgw], - ) } - it { should contain_exec('radosgw.gateway-nssdb-signing').with( - 
:command => "/bin/true # comment to satisfy puppet syntax requirements -set -ex -wget --no-check-certificate http://127.0.0.1:5000/v2.0/certificates/signing -O - | - openssl x509 -pubkey | certutil -A -d /var/lib/ceph/nss -n signing_cert -t \"P,P,P\" -", - :user => platform_params[:user_radosgw], - )} + it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_revocation_interval').with_ensure('absent') } + it { should contain_ceph_config('client.radosgw.gateway/nss_db_path').with_ensure('absent') } end context 'create with custom params' do 
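Review bot: The default-params context drops the `contain_exec('radosgw.gateway-nssdb-ca')` and `-nssdb-signing` expectations outright instead of inverting them, so after this commit no example fails if the certificate-fetching execs or the NSS directory were ever reintroduced. Keep a negative guard next to the two new `with_ensure('absent')` lines: `it { should_not contain_exec('radosgw.gateway-nssdb-ca') }`, `it { should_not contain_exec('radosgw.gateway-nssdb-signing') }` and `it { should_not contain_file('/var/lib/ceph/nss') }`. The added `rgw_keystone_api_version` expectation refers to a key that is not set anywhere in the manifest hunks shown, so it presumably relies on code outside this diff. The shared example group continues outside the hunk.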
@@ -87,22 +71,19 @@ wget --no-check-certificate http://127.0.0.1:5000/v2.0/certificates/signing -O -
 
 let :params do
 {
- :rgw_keystone_admin_domain => 'default',
- :rgw_keystone_admin_project => 'openstack',
- :rgw_keystone_admin_user => 'rgwuser',
- :rgw_keystone_admin_password => '123456',
- :rgw_keystone_url => 'http://keystone.custom:5000',
- :rgw_keystone_accepted_roles => '_role1_,role2',
- :rgw_keystone_token_cache_size => 100,
- :rgw_s3_auth_use_keystone => false,
- :use_pki => false,
- :rgw_keystone_revocation_interval => 0,
- :user => 'myuser',
- :nss_db_path => '/some/path/to/nss',
- :rgw_keystone_implicit_tenants => false,
+ :rgw_keystone_admin_domain => 'default',
+ :rgw_keystone_admin_project => 'openstack',
+ :rgw_keystone_admin_user => 'rgwuser',
+ :rgw_keystone_admin_password => '123456',
+ :rgw_keystone_url => 'http://keystone.custom:5000',
+ :rgw_keystone_accepted_roles => '_role1_,role2',
+ :rgw_keystone_token_cache_size => 100,
+ :rgw_s3_auth_use_keystone => false,
+ :rgw_keystone_implicit_tenants => false,
 }
 end
 
+ it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_api_version').with_value(3) }
 it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_domain').with_value('default') }
 it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_project').with_value('openstack') }
 it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_user').with_value('rgwuser') }
@@ -112,27 +93,9 @@ wget --no-check-certificate http://127.0.0.1:5000/v2.0/certificates/signing -O - it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_accepted_roles').with_value('_role1_,role2') } it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_token_cache_size').with_value(100) } it { should contain_ceph_config('client.radosgw.custom/rgw_s3_auth_use_keystone').with_value(false) } - it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_revocation_interval').with_value(0) } - it { should contain_ceph_config('client.radosgw.custom/nss_db_path').with_ensure('absent') } it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_implicit_tenants').with_value(false) } - - it { should_not contain_exec('radosgw.custom-nssdb-ca').with( - :command => "/bin/true # comment to satisfy puppet syntax requirements -set -ex -wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/ca -O - | - openssl x509 -pubkey | certutil -A -d /some/path/to/nss -n ca -t \"TCu,Cu,Tuw\" -", - :user => 'myuser', - ) } - it { should_not contain_exec('radosgw.custom-nssdb-signing').with( - :command => "/bin/true # comment to satisfy puppet syntax requirements -set -ex -wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/signing -O - | - openssl x509 -pubkey | certutil -A -d /some/path/to/nss -n signing_cert -t \"P,P,P\" -", - :user => 'myuser', - )} - + it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_revocation_interval').with_ensure('absent') } + it { should contain_ceph_config('client.radosgw.custom/nss_db_path').with_ensure('absent') } end end 
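Review bot: Neither remaining context passes any of the four parameters the commit keeps accepting under DEPRECATED PARAMS, so nothing verifies that supplying `use_pki`, `nss_db_path` or `user` now produces only a warning and no `file`/`exec` resources — the old custom context covered exactly that path and its assertions are deleted here rather than adapted. A third context that reuses the custom parameter set (and whatever title that context uses), adds the deprecated keys, and asserts the config keys are absent and no NSS resources are declared would close the gap. The `describe` block continues outside the hunk.
```ruby
context 'create with deprecated pki params' do
  let :params do
    {
      :rgw_keystone_admin_domain   => 'default',
      :rgw_keystone_admin_project  => 'openstack',
      :rgw_keystone_admin_user     => 'rgwuser',
      :rgw_keystone_admin_password => '123456',
      :rgw_keystone_url            => 'http://keystone.custom:5000',
      :use_pki                     => true,
      :rgw_keystone_revocation_interval => 600,
      :nss_db_path                 => '/some/path/to/nss',
      :user                        => 'myuser',
    }
  end

  it { should contain_ceph_config('client.radosgw.custom/nss_db_path').with_ensure('absent') }
  it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_revocation_interval').with_ensure('absent') }
  it { should_not contain_file('/some/path/to/nss') }
  it { should_not contain_exec('radosgw.custom-nssdb-ca') }
  it { should_not contain_exec('radosgw.custom-nssdb-signing') }
end
```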
@@ -141,18 +104,7 @@ wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/signin
 }).each do |os,facts|
 context "on #{os}" do
 let (:facts) do
- facts.merge!(OSDefaults.get_facts( :concat_basedir => '/var/lib/puppet/concat',
- :fqdn => 'myhost.domain',
- :hostname => 'myhost' ))
- end
-
- let (:platform_params) do
- if facts[:osfamily] == 'Debian'
- user_radosgw = 'www-data'
- else
- user_radosgw = 'apache'
- end
- { :user_radosgw => user_radosgw }
+ facts.merge!(OSDefaults.get_facts())
 end
 
 it_behaves_like 'ceph::rgw::keystone'
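Review bot: `facts.merge!(OSDefaults.get_facts())` keeps empty parentheses on a no-argument call, which the style guide omits; the idiomatic line is `facts.merge!(OSDefaults.get_facts)`. Removing `platform_params` is consistent with the spec no longer referencing `user_radosgw`, and dropping the `:concat_basedir`/`:fqdn`/`:hostname` facts looks safe as far as this diff shows, provided nothing in the shared examples still keys on them — the `on_supported_os` loop these lines belong to starts outside the hunk.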