From 24c8bd8d3808fd5037a2e32f8124d8845aa8c972 Mon Sep 17 00:00:00 2001
From: Luigi Toscano
Date: Mon, 21 May 2018 17:59:44 +0200
Subject: [PATCH] rgw/keystone: disable the NSS db integration by default

The integration with keystone through the PKI tokens (which is removed anyway since Ocata) and SSL is now disabled by default, and enabled only if a new variable (CEPH_RGW_KEYSTONE_SSL) is explicitely set to True.

Change-Id: I4884a8e63c04451e83eb7a104ad7eb7d520b0921
---
 devstack/lib/ceph | 27 ++++++++++++++++++++-------
 1 file changed, 20 insertions(+), 7 deletions(-)

diff --git a/devstack/lib/ceph b/devstack/lib/ceph
index c183ae5..8d3ac33 100644
--- a/devstack/lib/ceph
+++ b/devstack/lib/ceph
@@ -107,6 +107,7 @@ CEPH_REPLICAS_SEQ=$(seq ${CEPH_REPLICAS})
 # Rados gateway
 CEPH_RGW_PORT=${CEPH_RGW_PORT:-8080}
 CEPH_RGW_IDENTITY_API_VERSION=${CEPH_RGW_IDENTITY_API_VERSION:-3}
+CEPH_RGW_KEYSTONE_SSL=$(trueorfalse False CEPH_RGW_KEYSTONE_SSL)
 # Ceph REST API (for containerized version only)
 # Default is 5000, but Keystone already listens on 5000
@@ -534,11 +535,21 @@ function _configure_rgw_ceph_section {
 rgw keystone url = http://${SERVICE_HOST}:35357
 rgw s3 auth use keystone = true
- nss db path = ${dest}/nss
 rgw keystone admin user = radosgw
 rgw keystone admin password = $SERVICE_PASSWORD
 rgw keystone accepted roles = Member, _member_, admin, ResellerAdmin
 EOF
+
+ if [ "$CEPH_RGW_KEYSTONE_SSL" = "True" ]; then
+ cat </dev/null
+ nss db path = ${dest}/nss
+EOF
+ else
+ cat </dev/null
+ rgw keystone verify ssl = false
+EOF
+ fi
+
 if [[ $CEPH_RGW_IDENTITY_API_VERSION == '2.0' && \
 ! "$(grep -sq "rgw keystone admin tenant = $SERVICE_PROJECT_NAME" ${CEPH_CONF_FILE} )" ]]; then
 cat </dev/null
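Review bot: The `else` branch of the new `if` in `_configure_rgw_ceph_section` writes `rgw keystone verify ssl = false` into ceph.conf for every deployment where CEPH_RGW_KEYSTONE_SSL is not True, which turns off certificate verification of the Keystone endpoint rather than only skipping the NSS database setup that the commit message describes. With the `rgw keystone url = http://${SERVICE_HOST}:35357` line above it the setting is inert today, but it will silently stay in effect if someone later points that URL at an https endpoint. I would drop the `else` branch, or gate it on its own explicit opt-out and put `# NOTE: disables TLS verification of the keystone endpoint; intended for plain-http devstack only` above the `cat`. As a style point, the new test `[ "$CEPH_RGW_KEYSTONE_SSL" = "True" ]` (here and again in the configure_ceph_embedded_rgw hunk) differs from the `[[ ... ]]` form used by the existing check right below it; `if [[ "$CEPH_RGW_KEYSTONE_SSL" == "True" ]]; then` would match the file. The two `cat </dev/null` lines look like the heredoc and redirection to the config file were lost in this rendering of the patch, so I have not reviewed that part, and the function body continues past the hunk.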
@@ -616,13 +627,15 @@ function configure_ceph_embedded_rgw {
 # Create radosgw service user with admin privileges
 create_service_user "radosgw" "admin"
- # radosgw needs to access keystone's revocation list
- sudo mkdir -p ${dest}/nss
- sudo openssl x509 -in /etc/keystone/ssl/certs/ca.pem -pubkey | \
- sudo certutil -d ${dest}/nss -A -n ca -t "TCu,Cu,Tuw"
+ if [ "$CEPH_RGW_KEYSTONE_SSL" = "True" ]; then
+ # radosgw needs to access keystone's revocation list
+ sudo mkdir -p ${dest}/nss
+ sudo openssl x509 -in /etc/keystone/ssl/certs/ca.pem -pubkey | \
+ sudo certutil -d ${dest}/nss -A -n ca -t "TCu,Cu,Tuw"
- sudo openssl x509 -in /etc/keystone/ssl/certs/signing_cert.pem -pubkey | \
- sudo certutil -A -d ${dest}/nss -n signing_cert -t "P,P,P"
+ sudo openssl x509 -in /etc/keystone/ssl/certs/signing_cert.pem -pubkey | \
+ sudo certutil -A -d ${dest}/nss -n signing_cert -t "P,P,P"
+ fi
 }
 function start_ceph_embedded_rgw {
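Review bot: The guarded block still assumes `/etc/keystone/ssl/certs/ca.pem` and `/etc/keystone/ssl/certs/signing_cert.pem` exist, yet the commit message says the PKI token support that produced them was removed in Ocata, so enabling CEPH_RGW_KEYSTONE_SSL on a current devstack runs `openssl x509 -in` on a missing file, and unless pipefail is set only `certutil`'s exit status is visible, so the failure is easy to miss. A check before the `mkdir`, such as `[[ -r /etc/keystone/ssl/certs/ca.pem && -r /etc/keystone/ssl/certs/signing_cert.pem ]] || die $LINENO "CEPH_RGW_KEYSTONE_SSL=True but the keystone PKI certificates are not present"`, would make that a clear error instead. The rest of the block is the previous code re-indented, including the still-unquoted `${dest}/nss`; the `[ ... ]` test form is the same style point raised on the `_configure_rgw_ceph_section` hunk.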