From 1357a131c83e0d4c699df5b9230c382a803eb5d7 Mon Sep 17 00:00:00 2001
From: Giulio Fidente
Date: Wed, 9 Oct 2019 23:19:43 +0200
Subject: [PATCH] Permit access to Ceph RGW for 'member' role

From the Rocky release, Keystone is bootstrapped by default [1] with a 'member' role, while previously we used to create at deployment time a role called 'Member'. Role names are case insensitive in Keystone but Ceph RGW expects a whitelist of role names to which access is permitted. This change adds 'member' to the Ceph RGW whitelist, in addition to 'Member'.
1. https://blueprints.launchpad.net/keystone/+spec/basic-default-roles
Change-Id: Ib3c70c136fa4a03b58edc370343a01d657b5b101
Closes-Bug: 1847539
---
 deployment/ceph-ansible/ceph-base.yaml | 2 +-
 deployment/ceph-ansible/ceph-rgw.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/deployment/ceph-ansible/ceph-base.yaml b/deployment/ceph-ansible/ceph-base.yaml
index 848ee7b546..fbfd8b3fc7 100644
--- a/deployment/ceph-ansible/ceph-base.yaml
+++ b/deployment/ceph-ansible/ceph-base.yaml
@@ -309,7 +309,7 @@ resources:
 osd_pool_default_pgp_num: {get_param: CephPoolDefaultPgNum}
 rgw_keystone_api_version: 3
 rgw_keystone_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
- rgw_keystone_accepted_roles: 'Member, admin'
+ rgw_keystone_accepted_roles: 'member, Member, admin'
 rgw_keystone_accepted_admin_roles: ResellerAdmin
 rgw_keystone_admin_domain: default
 rgw_keystone_admin_project: service
diff --git a/deployment/ceph-ansible/ceph-rgw.yaml b/deployment/ceph-ansible/ceph-rgw.yaml
index 5804e1897a..ffc999c319 100644
--- a/deployment/ceph-ansible/ceph-rgw.yaml
+++ b/deployment/ceph-ansible/ceph-rgw.yaml
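Review bot: In ceph-base.yaml the widened `rgw_keystone_accepted_roles` value has no comment explaining why two casings of the same role are listed, so a later cleanup could drop one as a duplicate and cut off RGW access for either fresh or upgraded deployments. Per the commit message, Keystone treats role names case-insensitively while RGW checks against this literal list. I would add above the line `# RGW matches role names literally: 'member' is the Keystone default since Rocky, 'Member' is the legacy role created at deploy time; keep both`. The enclosing `resources:` block starts and ends outside the hunk.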
@@ -116,7 +116,7 @@ outputs:
 ceph::rgw::keystone::auth::internal_url: {get_param: [EndpointMap, CephRgwInternal, uri]}
 ceph::rgw::keystone::auth::admin_url: {get_param: [EndpointMap, CephRgwAdmin, uri]}
 ceph::rgw::keystone::auth::region: {get_param: KeystoneRegion}
- ceph::rgw::keystone::auth::roles: [ 'admin', 'Member' ]
+ ceph::rgw::keystone::auth::roles: [ 'admin', 'member' ]
 ceph::rgw::keystone::auth::tenant: service
 ceph::rgw::keystone::auth::user: swift
 ceph::rgw::keystone::auth::password: {get_param: SwiftPassword}
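Review bot: In ceph-rgw.yaml the `ceph::rgw::keystone::auth::roles` entry replaces 'Member' with 'member' instead of adding it, which differs from both the commit message ("in addition to 'Member'") and the ceph-base.yaml hunk. On a cloud upgraded from a pre-Rocky release, where presumably only the 'Member' role exists, the role assignment for the `swift` service user then depends on Keystone resolving 'member' case-insensitively, and the tooling that applies it may compare names literally; this should be confirmed on an upgrade path. If the swap is deliberate, a comment such as `# Keystone resolves role names case-insensitively, so 'member' also matches a legacy 'Member' role` would record that. The `outputs:` block continues outside the hunk.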