From 85b9d61c40430de32d311cea201a2a33ec91a6b8 Mon Sep 17 00:00:00 2001
From: Tobias Urdin
Date: Sun, 24 Feb 2019 02:15:44 +0100
Subject: [PATCH] Deprecate keystone v2.0 functionality

This deprecates the rgw_keystone_version and rgw_keystone_admin_token parameters which now has no effect.

It makes the following parameter required as it's now only using Keystone V3.

* rgw_keystone_admin_domain
* rgw_keystone_admin_project
* rgw_keystone_admin_user
* rgw_keystone_admin_password

Also does cleanup on documentation of parameters and the spec testing.

Change-Id: Id4c6b564a47e583c4f6af587d9a3c97f419e90a9
---
 manifests/rgw/keystone.pp | 137 +++++-----
 ...w-keystone-deprecate-14288623c16b4561.yaml | 18 ++
 spec/defines/ceph_rgw_keystone_spec.rb | 235 +++--------------
 3 files changed, 123 insertions(+), 267 deletions(-)
 create mode 100644 releasenotes/notes/rgw-keystone-deprecate-14288623c16b4561.yaml

diff --git a/manifests/rgw/keystone.pp b/manifests/rgw/keystone.pp
index 2c77babd..6edda22f 100644
--- a/manifests/rgw/keystone.pp
+++ b/manifests/rgw/keystone.pp
@@ -23,63 +23,76 @@
 #
 ### == Parameters
 #
-# [*rgw_keystone_admin_token*] The keystone admin token.
-# Required if rgw_keystone_version is v2.0.
+# [*rgw_keystone_admin_domain*]
+# (Required) The name of OpenStack domain with admin
+# privilege when using OpenStack Identity API v3.
 #
-# [*rgw_keystone_url*] The internal or admin url for keystone.
-# Optional. Default is 'http://127.0.0.1:5000'
+# [*rgw_keystone_admin_project*]
+# (Optional) The name of OpenStack project with admin
+# privilege when using OpenStack Identity API v3
 #
-# [*rgw_keystone_version*] The api version for keystone.
-# Possible values 'v2.0', 'v3'
-# Optional. Default is 'v2.0'
+# [*rgw_keystone_admin_user*]
+# (Required) The user name of OpenStack tenant with admin
+# privilege (Service Tenant).
 #
-# [*rgw_keystone_accepted_roles*] Roles to accept from keystone.
-# Optional. Default is 'Member'.
+# [*rgw_keystone_admin_password*]
+# (Required) The password for OpenStack admin user.
+#
+# [*rgw_keystone_url*]
+# (Optional) The internal or admin url for keystone.
+# Defaults to 'http://127.0.0.1:5000'
+#
+# [*rgw_keystone_accepted_roles*]
+# (Optional) Roles to accept from keystone.
 # Comma separated list of roles.
+# Defaults to 'Member'
 #
-# [*rgw_keystone_token_cache_size*] How many tokens to keep cached.
-# Optional. Default is 500.
+# [*rgw_keystone_token_cache_size*]
+# (Optional) How many tokens to keep cached.
 # Not useful when using PKI as every token is checked.
+# Defaults to 500
 #
-# [*rgw_s3_auth_use_keystone*] Whether to enable keystone auth for S3.
-# Optional. Default to true.
+# [*rgw_s3_auth_use_keystone*]
+# (Optional) Whether to enable keystone auth for S3.
+# Defaults to true
 #
-# [*use_pki*] Whether to use PKI related configuration.
-# Optional. Default to true.
+# [*use_pki*]
+# (Optional) Whether to use PKI related configuration.
+# Defaults to true
 #
-# [*rgw_keystone_revocation_interval*] Interval to check for expired tokens.
-# Optional. Default is 600 (seconds).
+# [*rgw_keystone_revocation_interval*]
+# (Optional) Interval to check for expired tokens.
 # Not useful if not using PKI tokens (if not, set to high value).
+# Defaults is 600 (seconds)
 #
-# [*nss_db_path*] Path to NSS < - > keystone tokens db files.
-# Optional. Default is undef.
+# [*nss_db_path*]
+# (Optional) Path to NSS < - > keystone tokens db files.
+# Defaults to undef
 #
-# [*user*] User running the web frontend.
-# Optional. Default is 'www-data'.
+# [*user*]
+# (Optional) User running the web frontend.
+# Defaults to 'www-data'
 #
-# [*rgw_keystone_admin_domain*] The name of OpenStack domain with admin
-# privilege when using OpenStack Identity API v3
-# Optional. Default is undef
+# [*rgw_keystone_implicit_tenants*]
+# (Optional) Set 'true' for a private tenant for each user.
+# Defaults to true
 #
-# [*rgw_keystone_admin_project*] The name of OpenStack project with admin
-# privilege when using OpenStack Identity API v3
-# Optional. Default is 'openstack'
+## DEPRECATED PARAMS
 #
-# [*rgw_keystone_admin_user*] The user name of OpenStack tenant with admin
-# privilege (Service Tenant)
-# Required if rgw_keystone_version is 'v3'.
+# [*rgw_keystone_version*]
+# (Optional) The api version for keystone.
+# Defaults to undef
 #
-# [*rgw_keystone_admin_password*] The password for OpenStack admin user
-# Required if rgw_keystone_version is 'v3'.
+# [*rgw_keystone_admin_token*]
+# (Optional) The keystone admin token.
+# Defaults to undef
 #
-# [*rgw_keystone_implicit_tenants*] Set 'true' for a private tenant
-# for each user.
-# Defaults is true
-
 define ceph::rgw::keystone (
- $rgw_keystone_admin_token = undef,
+ $rgw_keystone_admin_domain,
+ $rgw_keystone_admin_project,
+ $rgw_keystone_admin_user,
+ $rgw_keystone_admin_password,
 $rgw_keystone_url = 'http://127.0.0.1:5000',
- $rgw_keystone_version = 'v2.0',
 $rgw_keystone_accepted_roles = 'Member',
 $rgw_keystone_token_cache_size = 500,
 $rgw_s3_auth_use_keystone = true,
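Review bot: The new header for rgw_keystone_admin_project says `(Optional)` while the signature at the bottom of this hunk lists `$rgw_keystone_admin_project,` with no default, so the documentation contradicts the interface; change that line to `#   (Required) The name of OpenStack project with admin`. In the same block `#   Defaults is 600 (seconds)` should read `#   Defaults to 600 (seconds)`. rgw_keystone_admin_password is a credential that the define writes out through ceph_config, so its entry would benefit from one sentence saying it lands in the radosgw client configuration and should be supplied from a secret store rather than typed into a manifest. The parameter list continues in the next hunk.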
@@ -87,17 +100,23 @@ define ceph::rgw::keystone (
 $rgw_keystone_revocation_interval = 600,
 $nss_db_path = '/var/lib/ceph/nss',
 $user = $::ceph::params::user_radosgw,
- $rgw_keystone_admin_domain = $::ceph::profile::params::rgw_keystone_admin_domain,
- $rgw_keystone_admin_project = $::ceph::profile::params::rgw_keystone_admin_project,
- $rgw_keystone_admin_user = $::ceph::profile::params::rgw_keystone_admin_user,
- $rgw_keystone_admin_password = $::ceph::profile::params::rgw_keystone_admin_password,
 $rgw_keystone_implicit_tenants = true,
+ ## DEPRECATED PARAMS
+ $rgw_keystone_version = undef,
+ $rgw_keystone_admin_token = undef,
 ) {
 
 unless $name =~ /^radosgw\..+/ {
 fail("Define name must be started with 'radosgw.'")
 }
 
+ if $rgw_keystone_version {
+ warning('ceph::rgw::keystone::rgw_keystone_version is deprecated')
+ }
+ if $rgw_keystone_admin_token {
+ warning('ceph::rgw::keystone::rgw_keystone_admin_token is deprecated')
+ }
+
 ceph_config {
 "client.${name}/rgw_keystone_url": value => $rgw_keystone_url;
 "client.${name}/rgw_keystone_accepted_roles": value => join(any2array($rgw_keystone_accepted_roles), ',');
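Review bot: The deprecation check for rgw_keystone_version only warns, so a catalog that still passes `rgw_keystone_version => 'v2.0'` compiles and silently configures `rgw_keystone_api_version = 3` in the following hunk instead of telling the operator that the v2.0 path was removed. Reject that value explicitly ahead of the warning: `if $rgw_keystone_version == 'v2.0' { fail('ceph::rgw::keystone no longer supports Keystone v2.0; use the v3 parameters') }`. The warning strings could also say what replaces the parameter, e.g. `'ceph::rgw::keystone::rgw_keystone_admin_token is deprecated and ignored, Keystone v3 credentials are always used'`. The define's body continues past this hunk.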
@@ -114,33 +133,13 @@ define ceph::rgw::keystone (
 }
 }
 
- if $rgw_keystone_version == 'v2.0' {
- if $rgw_keystone_admin_token == undef
- {
- fail( 'Missing rgw_keystone_admin_token for Keystone V2 integration')
- }
- ceph_config {
- "client.${name}/rgw_keystone_admin_token": value => $rgw_keystone_admin_token;
- }
- } elsif $rgw_keystone_version == 'v3' {
- if $rgw_keystone_admin_domain == undef
- or $rgw_keystone_admin_project == undef
- or $rgw_keystone_admin_user == undef
- or $rgw_keystone_admin_password == undef
- {
- fail( 'Incomplete parameters for Keystone V3 integration')
- }
- ceph_config {
- "client.${name}/rgw_keystone_api_version": value => 3;
- "client.${name}/rgw_keystone_admin_domain": value => $rgw_keystone_admin_domain;
- "client.${name}/rgw_keystone_admin_project": value => $rgw_keystone_admin_project;
- "client.${name}/rgw_keystone_admin_user": value => $rgw_keystone_admin_user;
- "client.${name}/rgw_keystone_admin_password": value => $rgw_keystone_admin_password;
- "client.${name}/rgw_keystone_admin_token": ensure => absent;
- }
-
- } else {
- fail("Unsupported keystone version: ${rgw_keystone_version}")
+ ceph_config {
+ "client.${name}/rgw_keystone_api_version": value => 3;
+ "client.${name}/rgw_keystone_admin_domain": value => $rgw_keystone_admin_domain;
+ "client.${name}/rgw_keystone_admin_project": value => $rgw_keystone_admin_project;
+ "client.${name}/rgw_keystone_admin_user": value => $rgw_keystone_admin_user;
+ "client.${name}/rgw_keystone_admin_password": value => $rgw_keystone_admin_password;
+ "client.${name}/rgw_keystone_admin_token": ensure => absent;
 }
 
 if $use_pki {
diff --git a/releasenotes/notes/rgw-keystone-deprecate-14288623c16b4561.yaml b/releasenotes/notes/rgw-keystone-deprecate-14288623c16b4561.yaml
new file mode 100644
index 00000000..e6325400
--- /dev/null
+++ b/releasenotes/notes/rgw-keystone-deprecate-14288623c16b4561.yaml
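Review bot: The removed branch failed the catalog when a v3 credential was unset; with the parameters now required Puppet enforces presence, but nothing guards against an empty value, so `rgw_keystone_admin_password => ''` is accepted and written as the radosgw admin password. Because the module already relies on stdlib (`any2array` in the previous hunk), a one-line guard before this ceph_config block keeps the old fail-fast behaviour: `if empty($rgw_keystone_admin_password) { fail('rgw_keystone_admin_password must not be empty') }`; on Puppet 4 or later a `String[1]` type on the parameter would do the same. Setting `rgw_keystone_admin_token` to `ensure => absent` is the right move, as it scrubs a leftover v2 admin token from the config once the v3 credentials are in place. The define continues after this hunk with the PKI block.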
@@ -0,0 +1,18 @@
+---
+upgrade:
+ - |
+ The ceph::rgw::keystone class now defaults to configuration it for Keystone
+ V3 API. The v2.0 functionality is removed.
+ - |
+ The ceph::rgw::keystone class now requires the rgw_keystone_admin_domain,
+ rgw_keystone_admin_project, rgw_keystone_admin_user and
+ rgw_keystone_admin_password parameters to be configured, these were previously
+ only required when configuring Keystone V3, which is now the default and v2.0
+ has been removed.
+deprecations:
+ - |
+ The ceph::rgw::keystone::rgw_keystone_version is deprecated and now has no
+ effect.
+ - |
+ The ceph::rgw::keystone::rgw_keystone_admin_token is deprecated and now has
+ no effect.
diff --git a/spec/defines/ceph_rgw_keystone_spec.rb b/spec/defines/ceph_rgw_keystone_spec.rb
index cd6bfa62..e1af09d2 100644
--- a/spec/defines/ceph_rgw_keystone_spec.rb
+++ b/spec/defines/ceph_rgw_keystone_spec.rb
@@ -19,15 +19,7 @@ require 'spec_helper'
 
 describe 'ceph::rgw::keystone' do
 
- shared_examples 'ceph::rgw::keystone on Debian' do
- before do
- facts.merge!( :lsbdistid => 'Ubuntu',
- :lsbdistcodename => 'trusty',
- :operatingsystem => 'Ubuntu',
- :operatingsystemrelease => '14.04',
- :lsbdistrelease => '14.04' )
- end
-
+ shared_examples 'ceph::rgw::keystone' do
 context 'create with default params' do
 let :pre_condition do
 "include ceph::params
@@ -43,13 +35,19 @@ describe 'ceph::rgw::keystone' do
 
 let :params do
 {
- :rgw_keystone_url => 'http://keystone.default:5000',
- :rgw_keystone_admin_token => 'defaulttoken',
+ :rgw_keystone_admin_domain => 'default',
+ :rgw_keystone_admin_project => 'openstack',
+ :rgw_keystone_admin_user => 'rgwuser',
+ :rgw_keystone_admin_password => '123456',
 }
 end
 
- it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_url').with_value('http://keystone.default:5000') }
- it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_token').with_value('defaulttoken') }
+ it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_url').with_value('http://127.0.0.1:5000') }
+ it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_domain').with_value('default') }
+ it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_project').with_value('openstack') }
+ it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_user').with_value('rgwuser') }
+ it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_password').with_value('123456') }
+ it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_token').with_ensure('absent') }
 it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_accepted_roles').with_value('Member') }
 it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_token_cache_size').with_value(500) }
 it { should contain_ceph_config('client.radosgw.gateway/rgw_s3_auth_use_keystone').with_value(true) }
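Review bot: The assertions on rgw_keystone_admin_token removed here were the only ones exercising the token parameter, and no remaining example passes either deprecated parameter, so the warning path added to the manifest for `rgw_keystone_version` and `rgw_keystone_admin_token` is untested and a regression that started writing the token again would go unnoticed. A context such as the one below, reusing the `pre_condition` and `title` of 'create with default params', pins that a supplied token never reaches the config and that the API version stays at 3. The enclosing context starts before this hunk.
```ruby
    context 'create with deprecated params' do
      # … pre_condition and title as in 'create with default params' …
      let :params do
        {
          :rgw_keystone_admin_domain   => 'default',
          :rgw_keystone_admin_project  => 'openstack',
          :rgw_keystone_admin_user     => 'rgwuser',
          :rgw_keystone_admin_password => '123456',
          :rgw_keystone_version        => 'v3',
          :rgw_keystone_admin_token    => 'defaulttoken',
        }
      end

      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_api_version').with_value(3) }
      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_token').with_ensure('absent') }
    end
```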
@@ -60,18 +58,18 @@ describe 'ceph::rgw::keystone' do
 it { should contain_exec('radosgw.gateway-nssdb-ca').with(
 :command => "/bin/true # comment to satisfy puppet syntax requirements
 set -ex
-wget --no-check-certificate http://keystone.default:5000/v2.0/certificates/ca -O - |
+wget --no-check-certificate http://127.0.0.1:5000/v2.0/certificates/ca -O - |
 openssl x509 -pubkey | certutil -A -d /var/lib/ceph/nss -n ca -t \"TCu,Cu,Tuw\"
 ",
- :user => 'www-data',
+ :user => platform_params[:user_radosgw],
 ) }
 it { should contain_exec('radosgw.gateway-nssdb-signing').with(
 :command => "/bin/true # comment to satisfy puppet syntax requirements
 set -ex
-wget --no-check-certificate http://keystone.default:5000/v2.0/certificates/signing -O - |
+wget --no-check-certificate http://127.0.0.1:5000/v2.0/certificates/signing -O - |
 openssl x509 -pubkey | certutil -A -d /var/lib/ceph/nss -n signing_cert -t \"P,P,P\"
 ",
- :user => 'www-data',
+ :user => platform_params[:user_radosgw],
 )}
 end
 
@@ -89,20 +87,28 @@ wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/signi
 
 let :params do
 {
+ :rgw_keystone_admin_domain => 'default',
+ :rgw_keystone_admin_project => 'openstack',
+ :rgw_keystone_admin_user => 'rgwuser',
+ :rgw_keystone_admin_password => '123456',
 :rgw_keystone_url => 'http://keystone.custom:5000',
- :rgw_keystone_admin_token => 'mytoken',
 :rgw_keystone_accepted_roles => '_role1_,role2',
 :rgw_keystone_token_cache_size => 100,
 :rgw_s3_auth_use_keystone => false,
 :use_pki => false,
 :rgw_keystone_revocation_interval => 0,
+ :user => 'myuser',
 :nss_db_path => '/some/path/to/nss',
 :rgw_keystone_implicit_tenants => false,
 }
 end
 
+ it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_domain').with_value('default') }
+ it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_project').with_value('openstack') }
+ it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_user').with_value('rgwuser') }
+ it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_password').with_value('123456') }
+ it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_token').with_ensure('absent') }
 it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_url').with_value('http://keystone.custom:5000') }
- it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_token').with_value('mytoken') }
 it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_accepted_roles').with_value('_role1_,role2') }
 it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_token_cache_size').with_value(100) }
 it { should contain_ceph_config('client.radosgw.custom/rgw_s3_auth_use_keystone').with_value(false) }
@@ -116,7 +122,7 @@ set -ex
 wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/ca -O - |
 openssl x509 -pubkey | certutil -A -d /some/path/to/nss -n ca -t \"TCu,Cu,Tuw\"
 ",
- :user => 'www-data',
+ :user => 'myuser',
 ) }
 it { should_not contain_exec('radosgw.custom-nssdb-signing').with(
 :command => "/bin/true # comment to satisfy puppet syntax requirements
@@ -124,186 +130,10 @@ set -ex
 wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/signing -O - |
 openssl x509 -pubkey | certutil -A -d /some/path/to/nss -n signing_cert -t \"P,P,P\"
 ",
- :user => 'www-data',
+ :user => 'myuser',
 )}
 end
 
-
- context 'create with keystone v3 and no pki params' do
- let :pre_condition do
- "include ceph::params
- class { 'ceph': fsid => 'd5252e7d-75bc-4083-85ed-fe51fa83f62b' }
- class { 'ceph::repo': }
- include ceph
- ceph::rgw { 'radosgw.gateway': }"
- end
-
- let :title do
- 'radosgw.gateway'
- end
-
- let :params do
- {
- :rgw_keystone_url => 'http://keystone.default:5000',
- :rgw_keystone_version => 'v3',
- :rgw_keystone_admin_domain => 'default',
- :rgw_keystone_admin_project => 'openstack',
- :rgw_keystone_admin_user => 'rgwuser',
- :rgw_keystone_admin_password => '123456',
- }
- end
-
- it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_url').with_value('http://keystone.default:5000') }
- it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_domain').with_value('default') }
- it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_project').with_value('openstack') }
- it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_user').with_value('rgwuser') }
- it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_password').with_value('123456') }
- it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_token').with_ensure('absent') }
- end
- end
-
- shared_examples 'ceph::rgw::keystone on RedHat' do
- before do
- facts.merge!( :lsbdistcodename => 'Maipo',
- :osfamily => 'RedHat',
- :operatingsystem => 'RedHat',
- :operatingsystemrelease => '7.2',
- :operatingsystemmajrelease => '7' )
- end
-
- context 'create with default params' do
- let :pre_condition do
- "include ceph::params
- class { 'ceph': fsid => 'd5252e7d-75bc-4083-85ed-fe51fa83f62b' }
- include ceph
- ceph::rgw { 'radosgw.gateway': }
- ceph::rgw::apache_proxy_fcgi { 'radosgw.gateway': }"
- end
-
- let :title do
- 'radosgw.gateway'
- end
-
- let :params do
- {
- :rgw_keystone_url => 'http://keystone.default:5000',
- :rgw_keystone_admin_token => 'defaulttoken',
- }
- end
-
- it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_url').with_value('http://keystone.default:5000') }
- it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_token').with_value('defaulttoken') }
- it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_accepted_roles').with_value('Member') }
- it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_token_cache_size').with_value(500) }
- it { should contain_ceph_config('client.radosgw.gateway/rgw_s3_auth_use_keystone').with_value(true) }
- it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_revocation_interval').with_value(600) }
- it { should contain_ceph_config('client.radosgw.gateway/nss_db_path').with_value('/var/lib/ceph/nss') }
- it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_implicit_tenants').with_value(true) }
-
- it { should contain_exec('radosgw.gateway-nssdb-ca').with(
- :command => "/bin/true # comment to satisfy puppet syntax requirements
-set -ex
-wget --no-check-certificate http://keystone.default:5000/v2.0/certificates/ca -O - |
- openssl x509 -pubkey | certutil -A -d /var/lib/ceph/nss -n ca -t \"TCu,Cu,Tuw\"
-",
- :user => 'apache',
- ) }
- it { should contain_exec('radosgw.gateway-nssdb-signing').with(
- :command => "/bin/true # comment to satisfy puppet syntax requirements
-set -ex
-wget --no-check-certificate http://keystone.default:5000/v2.0/certificates/signing -O - |
- openssl x509 -pubkey | certutil -A -d /var/lib/ceph/nss -n signing_cert -t \"P,P,P\"
-",
- :user => 'apache',
- ) }
-
- end
-
- context 'create with custom params' do
- let :pre_condition do
- "include ceph::params
- class { 'ceph': fsid => 'd5252e7d-75bc-4083-85ed-fe51fa83f62b' }
- ceph::rgw { 'radosgw.custom': }
- ceph::rgw::apache_proxy_fcgi { 'radosgw.gateway': }"
- end
-
- let :title do
- 'radosgw.custom'
- end
-
- let :params do
- {
- :rgw_keystone_url => 'http://keystone.custom:5000',
- :rgw_keystone_admin_token => 'mytoken',
- :rgw_keystone_accepted_roles => '_role1_,role2',
- :rgw_keystone_token_cache_size => 100,
- :rgw_s3_auth_use_keystone => false,
- :use_pki => false,
- :rgw_keystone_revocation_interval => 0,
- :nss_db_path => '/some/path/to/nss',
- :rgw_keystone_implicit_tenants => false,
- }
- end
-
- it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_url').with_value('http://keystone.custom:5000') }
- it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_token').with_value('mytoken') }
- it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_accepted_roles').with_value('_role1_,role2') }
- it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_token_cache_size').with_value(100) }
- it { should contain_ceph_config('client.radosgw.custom/rgw_s3_auth_use_keystone').with_value(false) }
- it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_revocation_interval').with_value(0) }
- it { should contain_ceph_config('client.radosgw.custom/nss_db_path').with_ensure('absent') }
- it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_implicit_tenants').with_value(false) }
-
- it { should_not contain_exec('radosgw.custom-nssdb-ca').with(
- :command => "/bin/true # comment to satisfy puppet syntax requirements
-set -ex
-wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/ca -O - |
- openssl x509 -pubkey | certutil -A -d /some/path/to/nss -n ca -t \"TCu,Cu,Tuw\"
-",
- :user => 'apache',
- )}
-
- it { should_not contain_exec('radosgw.custom-nssdb-signing').with(
- :command => "/bin/true # comment to satisfy puppet syntax requirements
-set -ex
-wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/signing -O - |
- openssl x509 -pubkey | certutil -A -d /some/path/to/nss -n signing_cert -t \"P,P,P\"
-",
- :user => 'apache',
- )}
- end
-
- context 'create with keystone v3 and no pki params' do
- let :pre_condition do
- "include ceph::params
- class { 'ceph': fsid => 'd5252e7d-75bc-4083-85ed-fe51fa83f62b' }
- include ceph
- ceph::rgw { 'radosgw.gateway': }
- ceph::rgw::apache_proxy_fcgi { 'radosgw.gateway': }"
- end
-
- let :title do
- 'radosgw.gateway'
- end
-
- let :params do
- {
- :rgw_keystone_url => 'http://keystone.default:5000',
- :rgw_keystone_version => 'v3',
- :rgw_keystone_admin_domain => 'default',
- :rgw_keystone_admin_project => 'openstack',
- :rgw_keystone_admin_user => 'rgwuser',
- :rgw_keystone_admin_password => '123456',
- }
- end
-
- it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_url').with_value('http://keystone.default:5000') }
- it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_domain').with_value('default') }
- it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_project').with_value('openstack') }
- it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_user').with_value('rgwuser') }
- it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_password').with_value('123456') }
- it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_token').with_ensure('absent') }
- end
 end
 
 on_supported_os({
@@ -316,7 +146,16 @@ wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/signin
 :hostname => 'myhost' ))
 end
 
- it_behaves_like "ceph::rgw::keystone on #{facts[:osfamily]}"
+ let (:platform_params) do
+ if facts[:osfamily] == 'Debian'
+ user_radosgw = 'www-data'
+ else
+ user_radosgw = 'apache'
+ end
+ { :user_radosgw => user_radosgw }
+ end
+
+ it_behaves_like 'ceph::rgw::keystone'
 end
 end
 end
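Review bot: `let (:platform_params)` in the last hunk builds the radosgw user with an if/else and a throwaway local, which duplicates the mapping ceph::params already provides through `user_radosgw` (the manifest's `$user` default); a literal expresses the same in one line: `{ :user_radosgw => facts[:osfamily] == 'Debian' ? 'www-data' : 'apache' }`. A short comment above it, `# must match ceph::params::user_radosgw`, would stop the two mappings from drifting apart. The earlier hunk on this line is a straight deletion of the per-OS shared examples plus the `:user => 'myuser'` expectation and needs no change.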