openstack
/
puppet-ceph
Code Issues Proposed changes

Deprecate keystone v2.0 functionality 

This deprecates the rgw_keystone_version and
rgw_keystone_admin_token parameters which now
has no effect.

It makes the following parameter required as
it's now only using Keystone V3.

* rgw_keystone_admin_domain
* rgw_keystone_admin_project
* rgw_keystone_admin_user
* rgw_keystone_admin_password

Also does cleanup on documentation of parameters and
the spec testing.

Change-Id: Id4c6b564a47e583c4f6af587d9a3c97f419e90a9
This commit is contained in:
Tobias Urdin 2019-02-24 02:15:44 +01:00
parent e39f7d2320
commit 85b9d61c40
3 changed files with 123 additions and 267 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

137
manifests/rgw/keystone.pp
View File

@ -23,63 +23,76 @@
#
### == Parameters
#
# [*rgw_keystone_admin_token*] The keystone admin token.
# Required if rgw_keystone_version is v2.0.
# [*rgw_keystone_admin_domain*]
# (Required) The name of OpenStack domain with admin
# privilege when using OpenStack Identity API v3.
#
# [*rgw_keystone_url*] The internal or admin url for keystone.
# Optional. Default is 'http://127.0.0.1:5000'
# [*rgw_keystone_admin_project*]
# (Optional) The name of OpenStack project with admin
# privilege when using OpenStack Identity API v3
#
# [*rgw_keystone_version*] The api version for keystone.
# Possible values 'v2.0', 'v3'
# Optional. Default is 'v2.0'
# [*rgw_keystone_admin_user*]
# (Required) The user name of OpenStack tenant with admin
# privilege (Service Tenant).
#
# [*rgw_keystone_accepted_roles*] Roles to accept from keystone.
# Optional. Default is 'Member'.
# [*rgw_keystone_admin_password*]
# (Required) The password for OpenStack admin user.
#
# [*rgw_keystone_url*]
# (Optional) The internal or admin url for keystone.
# Defaults to 'http://127.0.0.1:5000'
#
# [*rgw_keystone_accepted_roles*]
# (Optional) Roles to accept from keystone.
# Comma separated list of roles.
# Defaults to 'Member'
#
# [*rgw_keystone_token_cache_size*] How many tokens to keep cached.
# Optional. Default is 500.
# [*rgw_keystone_token_cache_size*]
# (Optional) How many tokens to keep cached.
# Not useful when using PKI as every token is checked.
# Defaults to 500
#
# [*rgw_s3_auth_use_keystone*] Whether to enable keystone auth for S3.
# Optional. Default to true.
# [*rgw_s3_auth_use_keystone*]
# (Optional) Whether to enable keystone auth for S3.
# Defaults to true
#
# [*use_pki*] Whether to use PKI related configuration.
# Optional. Default to true.
# [*use_pki*]
# (Optional) Whether to use PKI related configuration.
# Defaults to true
#
# [*rgw_keystone_revocation_interval*] Interval to check for expired tokens.
# Optional. Default is 600 (seconds).
# [*rgw_keystone_revocation_interval*]
# (Optional) Interval to check for expired tokens.
# Not useful if not using PKI tokens (if not, set to high value).
# Defaults is 600 (seconds)
#
# [*nss_db_path*] Path to NSS < - > keystone tokens db files.
# Optional. Default is undef.
# [*nss_db_path*]
# (Optional) Path to NSS < - > keystone tokens db files.
# Defaults to undef
#
# [*user*] User running the web frontend.
# Optional. Default is 'www-data'.
# [*user*]
# (Optional) User running the web frontend.
# Defaults to 'www-data'
#
# [*rgw_keystone_admin_domain*] The name of OpenStack domain with admin
# privilege when using OpenStack Identity API v3
# Optional. Default is undef
# [*rgw_keystone_implicit_tenants*]
# (Optional) Set 'true' for a private tenant for each user.
# Defaults to true
#
# [*rgw_keystone_admin_project*] The name of OpenStack project with admin
# privilege when using OpenStack Identity API v3
# Optional. Default is 'openstack'
## DEPRECATED PARAMS
#
# [*rgw_keystone_admin_user*] The user name of OpenStack tenant with admin
# privilege (Service Tenant)
# Required if rgw_keystone_version is 'v3'.
# [*rgw_keystone_version*]
# (Optional) The api version for keystone.
# Defaults to undef
#
# [*rgw_keystone_admin_password*] The password for OpenStack admin user
# Required if rgw_keystone_version is 'v3'.
# [*rgw_keystone_admin_token*]
# (Optional) The keystone admin token.
# Defaults to undef
#
# [*rgw_keystone_implicit_tenants*] Set 'true' for a private tenant
# for each user.
# Defaults is true
define ceph::rgw::keystone (
$rgw_keystone_admin_token = undef,
$rgw_keystone_admin_domain,
$rgw_keystone_admin_project,
$rgw_keystone_admin_user,
$rgw_keystone_admin_password,
$rgw_keystone_url = 'http://127.0.0.1:5000',
$rgw_keystone_version = 'v2.0',
$rgw_keystone_accepted_roles = 'Member',
$rgw_keystone_token_cache_size = 500,
$rgw_s3_auth_use_keystone = true,
@ -87,17 +100,23 @@ define ceph::rgw::keystone (
$rgw_keystone_revocation_interval = 600,
$nss_db_path = '/var/lib/ceph/nss',
$user = $::ceph::params::user_radosgw,
$rgw_keystone_admin_domain = $::ceph::profile::params::rgw_keystone_admin_domain,
$rgw_keystone_admin_project = $::ceph::profile::params::rgw_keystone_admin_project,
$rgw_keystone_admin_user = $::ceph::profile::params::rgw_keystone_admin_user,
$rgw_keystone_admin_password = $::ceph::profile::params::rgw_keystone_admin_password,
$rgw_keystone_implicit_tenants = true,
## DEPRECATED PARAMS
$rgw_keystone_version = undef,
$rgw_keystone_admin_token = undef,
) {
unless $name =~ /^radosgw\..+/ {
fail("Define name must be started with 'radosgw.'")
}
if $rgw_keystone_version {
warning('ceph::rgw::keystone::rgw_keystone_version is deprecated')
}
if $rgw_keystone_admin_token {
warning('ceph::rgw::keystone::rgw_keystone_admin_token is deprecated')
}
ceph_config {
"client.${name}/rgw_keystone_url": value => $rgw_keystone_url;
"client.${name}/rgw_keystone_accepted_roles": value => join(any2array($rgw_keystone_accepted_roles), ',');
@ -114,33 +133,13 @@ define ceph::rgw::keystone (
}
}
if $rgw_keystone_version == 'v2.0' {
if $rgw_keystone_admin_token == undef
{
fail( 'Missing rgw_keystone_admin_token for Keystone V2 integration')
}
ceph_config {
"client.${name}/rgw_keystone_admin_token": value => $rgw_keystone_admin_token;
}
} elsif $rgw_keystone_version == 'v3' {
if $rgw_keystone_admin_domain == undef
or $rgw_keystone_admin_project == undef
or $rgw_keystone_admin_user == undef
or $rgw_keystone_admin_password == undef
{
fail( 'Incomplete parameters for Keystone V3 integration')
}
ceph_config {
"client.${name}/rgw_keystone_api_version": value => 3;
"client.${name}/rgw_keystone_admin_domain": value => $rgw_keystone_admin_domain;
"client.${name}/rgw_keystone_admin_project": value => $rgw_keystone_admin_project;
"client.${name}/rgw_keystone_admin_user": value => $rgw_keystone_admin_user;
"client.${name}/rgw_keystone_admin_password": value => $rgw_keystone_admin_password;
"client.${name}/rgw_keystone_admin_token": ensure => absent;
}
} else {
fail("Unsupported keystone version: ${rgw_keystone_version}")
ceph_config {
"client.${name}/rgw_keystone_api_version": value => 3;
"client.${name}/rgw_keystone_admin_domain": value => $rgw_keystone_admin_domain;
"client.${name}/rgw_keystone_admin_project": value => $rgw_keystone_admin_project;
"client.${name}/rgw_keystone_admin_user": value => $rgw_keystone_admin_user;
"client.${name}/rgw_keystone_admin_password": value => $rgw_keystone_admin_password;
"client.${name}/rgw_keystone_admin_token": ensure => absent;
}
if $use_pki {

18
releasenotes/notes/rgw-keystone-deprecate-14288623c16b4561.yaml Normal file
View File

@ -0,0 +1,18 @@
---
upgrade:
- |
The ceph::rgw::keystone class now defaults to configuration it for Keystone
V3 API. The v2.0 functionality is removed.
- |
The ceph::rgw::keystone class now requires the rgw_keystone_admin_domain,
rgw_keystone_admin_project, rgw_keystone_admin_user and
rgw_keystone_admin_password parameters to be configured, these were previously
only required when configuring Keystone V3, which is now the default and v2.0
has been removed.
deprecations:
- |
The ceph::rgw::keystone::rgw_keystone_version is deprecated and now has no
effect.
- |
The ceph::rgw::keystone::rgw_keystone_admin_token is deprecated and now has
no effect.

235
spec/defines/ceph_rgw_keystone_spec.rb
View File

@ -19,15 +19,7 @@
require 'spec_helper'
describe 'ceph::rgw::keystone' do
shared_examples 'ceph::rgw::keystone on Debian' do
before do
facts.merge!( :lsbdistid => 'Ubuntu',
:lsbdistcodename => 'trusty',
:operatingsystem => 'Ubuntu',
:operatingsystemrelease => '14.04',
:lsbdistrelease => '14.04' )
end
shared_examples 'ceph::rgw::keystone' do
context 'create with default params' do
let :pre_condition do
"include ceph::params
@ -43,13 +35,19 @@ describe 'ceph::rgw::keystone' do
let :params do
{
:rgw_keystone_url => 'http://keystone.default:5000',
:rgw_keystone_admin_token => 'defaulttoken',
:rgw_keystone_admin_domain => 'default',
:rgw_keystone_admin_project => 'openstack',
:rgw_keystone_admin_user => 'rgwuser',
:rgw_keystone_admin_password => '123456',
}
end
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_url').with_value('http://keystone.default:5000') }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_token').with_value('defaulttoken') }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_url').with_value('http://127.0.0.1:5000') }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_domain').with_value('default') }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_project').with_value('openstack') }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_user').with_value('rgwuser') }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_password').with_value('123456') }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_token').with_ensure('absent') }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_accepted_roles').with_value('Member') }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_token_cache_size').with_value(500) }
it { should contain_ceph_config('client.radosgw.gateway/rgw_s3_auth_use_keystone').with_value(true) }
@ -60,18 +58,18 @@ describe 'ceph::rgw::keystone' do
it { should contain_exec('radosgw.gateway-nssdb-ca').with(
:command => "/bin/true # comment to satisfy puppet syntax requirements
set -ex
wget --no-check-certificate http://keystone.default:5000/v2.0/certificates/ca -O - |
wget --no-check-certificate http://127.0.0.1:5000/v2.0/certificates/ca -O - |
openssl x509 -pubkey | certutil -A -d /var/lib/ceph/nss -n ca -t \"TCu,Cu,Tuw\"
",
:user => 'www-data',
:user => platform_params[:user_radosgw],
) }
it { should contain_exec('radosgw.gateway-nssdb-signing').with(
:command => "/bin/true # comment to satisfy puppet syntax requirements
set -ex
wget --no-check-certificate http://keystone.default:5000/v2.0/certificates/signing -O - |
wget --no-check-certificate http://127.0.0.1:5000/v2.0/certificates/signing -O - |
openssl x509 -pubkey | certutil -A -d /var/lib/ceph/nss -n signing_cert -t \"P,P,P\"
",
:user => 'www-data',
:user => platform_params[:user_radosgw],
)}
end
@ -89,20 +87,28 @@ wget --no-check-certificate http://keystone.default:5000/v2.0/certificates/signi
let :params do
{
:rgw_keystone_admin_domain => 'default',
:rgw_keystone_admin_project => 'openstack',
:rgw_keystone_admin_user => 'rgwuser',
:rgw_keystone_admin_password => '123456',
:rgw_keystone_url => 'http://keystone.custom:5000',
:rgw_keystone_admin_token => 'mytoken',
:rgw_keystone_accepted_roles => '_role1_,role2',
:rgw_keystone_token_cache_size => 100,
:rgw_s3_auth_use_keystone => false,
:use_pki => false,
:rgw_keystone_revocation_interval => 0,
:user => 'myuser',
:nss_db_path => '/some/path/to/nss',
:rgw_keystone_implicit_tenants => false,
}
end
it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_domain').with_value('default') }
it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_project').with_value('openstack') }
it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_user').with_value('rgwuser') }
it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_password').with_value('123456') }
it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_token').with_ensure('absent') }
it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_url').with_value('http://keystone.custom:5000') }
it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_token').with_value('mytoken') }
it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_accepted_roles').with_value('_role1_,role2') }
it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_token_cache_size').with_value(100) }
it { should contain_ceph_config('client.radosgw.custom/rgw_s3_auth_use_keystone').with_value(false) }
@ -116,7 +122,7 @@ set -ex
wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/ca -O - |
openssl x509 -pubkey | certutil -A -d /some/path/to/nss -n ca -t \"TCu,Cu,Tuw\"
",
:user => 'www-data',
:user => 'myuser',
) }
it { should_not contain_exec('radosgw.custom-nssdb-signing').with(
:command => "/bin/true # comment to satisfy puppet syntax requirements
@ -124,186 +130,10 @@ set -ex
wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/signing -O - |
openssl x509 -pubkey | certutil -A -d /some/path/to/nss -n signing_cert -t \"P,P,P\"
",
:user => 'www-data',
:user => 'myuser',
)}
end
context 'create with keystone v3 and no pki params' do
let :pre_condition do
"include ceph::params
class { 'ceph': fsid => 'd5252e7d-75bc-4083-85ed-fe51fa83f62b' }
class { 'ceph::repo': }
include ceph
ceph::rgw { 'radosgw.gateway': }"
end
let :title do
'radosgw.gateway'
end
let :params do
{
:rgw_keystone_url => 'http://keystone.default:5000',
:rgw_keystone_version => 'v3',
:rgw_keystone_admin_domain => 'default',
:rgw_keystone_admin_project => 'openstack',
:rgw_keystone_admin_user => 'rgwuser',
:rgw_keystone_admin_password => '123456',
}
end
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_url').with_value('http://keystone.default:5000') }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_domain').with_value('default') }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_project').with_value('openstack') }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_user').with_value('rgwuser') }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_password').with_value('123456') }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_token').with_ensure('absent') }
end
end
shared_examples 'ceph::rgw::keystone on RedHat' do
before do
facts.merge!( :lsbdistcodename => 'Maipo',
:osfamily => 'RedHat',
:operatingsystem => 'RedHat',
:operatingsystemrelease => '7.2',
:operatingsystemmajrelease => '7' )
end
context 'create with default params' do
let :pre_condition do
"include ceph::params
class { 'ceph': fsid => 'd5252e7d-75bc-4083-85ed-fe51fa83f62b' }
include ceph
ceph::rgw { 'radosgw.gateway': }
ceph::rgw::apache_proxy_fcgi { 'radosgw.gateway': }"
end
let :title do
'radosgw.gateway'
end
let :params do
{
:rgw_keystone_url => 'http://keystone.default:5000',
:rgw_keystone_admin_token => 'defaulttoken',
}
end
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_url').with_value('http://keystone.default:5000') }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_token').with_value('defaulttoken') }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_accepted_roles').with_value('Member') }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_token_cache_size').with_value(500) }
it { should contain_ceph_config('client.radosgw.gateway/rgw_s3_auth_use_keystone').with_value(true) }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_revocation_interval').with_value(600) }
it { should contain_ceph_config('client.radosgw.gateway/nss_db_path').with_value('/var/lib/ceph/nss') }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_implicit_tenants').with_value(true) }
it { should contain_exec('radosgw.gateway-nssdb-ca').with(
:command => "/bin/true # comment to satisfy puppet syntax requirements
set -ex
wget --no-check-certificate http://keystone.default:5000/v2.0/certificates/ca -O - |
openssl x509 -pubkey | certutil -A -d /var/lib/ceph/nss -n ca -t \"TCu,Cu,Tuw\"
",
:user => 'apache',
) }
it { should contain_exec('radosgw.gateway-nssdb-signing').with(
:command => "/bin/true # comment to satisfy puppet syntax requirements
set -ex
wget --no-check-certificate http://keystone.default:5000/v2.0/certificates/signing -O - |
openssl x509 -pubkey | certutil -A -d /var/lib/ceph/nss -n signing_cert -t \"P,P,P\"
",
:user => 'apache',
) }
end
context 'create with custom params' do
let :pre_condition do
"include ceph::params
class { 'ceph': fsid => 'd5252e7d-75bc-4083-85ed-fe51fa83f62b' }
ceph::rgw { 'radosgw.custom': }
ceph::rgw::apache_proxy_fcgi { 'radosgw.gateway': }"
end
let :title do
'radosgw.custom'
end
let :params do
{
:rgw_keystone_url => 'http://keystone.custom:5000',
:rgw_keystone_admin_token => 'mytoken',
:rgw_keystone_accepted_roles => '_role1_,role2',
:rgw_keystone_token_cache_size => 100,
:rgw_s3_auth_use_keystone => false,
:use_pki => false,
:rgw_keystone_revocation_interval => 0,
:nss_db_path => '/some/path/to/nss',
:rgw_keystone_implicit_tenants => false,
}
end
it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_url').with_value('http://keystone.custom:5000') }
it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_token').with_value('mytoken') }
it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_accepted_roles').with_value('_role1_,role2') }
it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_token_cache_size').with_value(100) }
it { should contain_ceph_config('client.radosgw.custom/rgw_s3_auth_use_keystone').with_value(false) }
it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_revocation_interval').with_value(0) }
it { should contain_ceph_config('client.radosgw.custom/nss_db_path').with_ensure('absent') }
it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_implicit_tenants').with_value(false) }
it { should_not contain_exec('radosgw.custom-nssdb-ca').with(
:command => "/bin/true # comment to satisfy puppet syntax requirements
set -ex
wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/ca -O - |
openssl x509 -pubkey | certutil -A -d /some/path/to/nss -n ca -t \"TCu,Cu,Tuw\"
",
:user => 'apache',
)}
it { should_not contain_exec('radosgw.custom-nssdb-signing').with(
:command => "/bin/true # comment to satisfy puppet syntax requirements
set -ex
wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/signing -O - |
openssl x509 -pubkey | certutil -A -d /some/path/to/nss -n signing_cert -t \"P,P,P\"
",
:user => 'apache',
)}
end
context 'create with keystone v3 and no pki params' do
let :pre_condition do
"include ceph::params
class { 'ceph': fsid => 'd5252e7d-75bc-4083-85ed-fe51fa83f62b' }
include ceph
ceph::rgw { 'radosgw.gateway': }
ceph::rgw::apache_proxy_fcgi { 'radosgw.gateway': }"
end
let :title do
'radosgw.gateway'
end
let :params do
{
:rgw_keystone_url => 'http://keystone.default:5000',
:rgw_keystone_version => 'v3',
:rgw_keystone_admin_domain => 'default',
:rgw_keystone_admin_project => 'openstack',
:rgw_keystone_admin_user => 'rgwuser',
:rgw_keystone_admin_password => '123456',
}
end
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_url').with_value('http://keystone.default:5000') }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_domain').with_value('default') }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_project').with_value('openstack') }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_user').with_value('rgwuser') }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_password').with_value('123456') }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_token').with_ensure('absent') }
end
end
on_supported_os({
@ -316,7 +146,16 @@ wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/signin
:hostname => 'myhost' ))
end
it_behaves_like "ceph::rgw::keystone on #{facts[:osfamily]}"
let (:platform_params) do
if facts[:osfamily] == 'Debian'
user_radosgw = 'www-data'
else
user_radosgw = 'apache'
end
{ :user_radosgw => user_radosgw }
end
it_behaves_like 'ceph::rgw::keystone'
end
end
end