openstack/tripleo-heat-templates
Code Issues Proposed changes
8e88083bbc
tripleo-heat-templates/deployment/ceph-ansible/ceph-rgw.yaml
Giulio Fidente 1357a131c8 Permit access to Ceph RGW for 'member' role 
From the Rocky release, Keystone is bootstrapped by default [1]
with a 'member' role, while previously we used to create at
deployment time a role called 'Member'.

Role names are case insensitive in Keystone but Ceph RGW expects
a whitelist of role names to which access is permitted. This change
adds 'member' to the Ceph RGW whitelist, in addition to 'Member'.

1. https://blueprints.launchpad.net/keystone/+spec/basic-default-roles

Change-Id: Ib3c70c136fa4a03b58edc370343a01d657b5b101
Closes-Bug: 1847539
2019-10-09 23:23:51 +02:00

123 lines
4.1 KiB
YAML
Raw Blame History

heat_template_version: rocky
description: >
Ceph RadosGW service.
parameters:
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
SwiftPassword:
description: The password for the swift service account
type: string
hidden: true
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
CephEnableDashboard:
type: boolean
default: false
description: Parameter used to trigger the dashboard deployment.
conditions:
dashboard_enabled: {equals: [{get_param: CephEnableDashboard}, true]}
resources:
CephBase:
type: ./ceph-base.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
CephRgwAnsibleVars:
type: OS::Heat::Value
properties:
type: json
value:
vars:
radosgw_keystone: true
radosgw_keystone_ssl: false
radosgw_address_block:
list_join:
- ','
- get_param: [ServiceData, net_cidr_map, {get_param: [ServiceNetMap, CephRgwNetwork]}]
radosgw_frontend_port: {get_param: [EndpointMap, CephRgwInternal, port]}
outputs:
role_data:
description: Role data for the Ceph RadosGW service.
value:
service_name: ceph_rgw
upgrade_tasks: []
puppet_config:
config_image: ''
config_volume: ''
step_config: ''
docker_config: {}
external_deploy_tasks:
list_concat:
- {get_attr: [CephBase, role_data, external_deploy_tasks]}
- - name: ceph_rgw_external_deploy_init
when: step|int == 1
tags: ceph
block:
- name: set ceph-ansible group vars rgws
set_fact:
ceph_ansible_group_vars_rgws: {get_attr: [CephRgwAnsibleVars, value, vars]}
- name: generate ceph-ansible group vars rgws
copy:
dest: "{{playbook_dir}}/ceph-ansible/group_vars/rgws.yml"
content: "{{ceph_ansible_group_vars_rgws|to_nice_yaml}}"
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
config_settings:
map_merge:
- tripleo::ceph_rgw::firewall_rules:
'122 ceph rgw':
dport:
list_concat:
- - {get_param: [EndpointMap, CephRgwInternal, port]}
- if:
- dashboard_enabled
- - '9100'
- []
- {}
service_config_settings:
keystone:
ceph::rgw::keystone::auth::public_url: {get_param: [EndpointMap, CephRgwPublic, uri]}
ceph::rgw::keystone::auth::internal_url: {get_param: [EndpointMap, CephRgwInternal, uri]}
ceph::rgw::keystone::auth::admin_url: {get_param: [EndpointMap, CephRgwAdmin, uri]}
ceph::rgw::keystone::auth::region: {get_param: KeystoneRegion}
ceph::rgw::keystone::auth::roles: [ 'admin', 'member' ]
ceph::rgw::keystone::auth::tenant: service
ceph::rgw::keystone::auth::user: swift
ceph::rgw::keystone::auth::password: {get_param: SwiftPassword}
View Git Blame Copy Permalink