Deprecated Keystone v2.0 and PKI tokens in Keystone RGW

The Keystone v2.0 and PKI params in ceph::rgw::keystone
is now deprecated and the functionality is removed since
the v2.0 API is now available anymore and PKI tokens is
also removed.

Change-Id: I152da5f9a83aaca27d52b85a889f9391522e3531
This commit is contained in:
Tobias Urdin 2019-02-24 02:36:08 +01:00
parent 85b9d61c40
commit 8df92d51d3
4 changed files with 74 additions and 147 deletions

View File

@ -54,7 +54,6 @@ class ceph::params (
$pkg_radosgw = 'radosgw'
$user_radosgw = 'www-data'
$pkg_fastcgi = 'libapache2-mod-fastcgi'
$pkg_nsstools = ['libnss3-tools', 'wget']
$pkg_policycoreutils = 'policycoreutils'
}
@ -62,7 +61,6 @@ class ceph::params (
$pkg_radosgw = 'ceph-radosgw'
$user_radosgw = 'apache'
$pkg_fastcgi = 'mod_fastcgi'
$pkg_nsstools = ['nss-tools', 'wget']
$pkg_policycoreutils = 'policycoreutils-python'
}

View File

@ -49,30 +49,12 @@
#
# [*rgw_keystone_token_cache_size*]
# (Optional) How many tokens to keep cached.
# Not useful when using PKI as every token is checked.
# Defaults to 500
#
# [*rgw_s3_auth_use_keystone*]
# (Optional) Whether to enable keystone auth for S3.
# Defaults to true
#
# [*use_pki*]
# (Optional) Whether to use PKI related configuration.
# Defaults to true
#
# [*rgw_keystone_revocation_interval*]
# (Optional) Interval to check for expired tokens.
# Not useful if not using PKI tokens (if not, set to high value).
# Defaults is 600 (seconds)
#
# [*nss_db_path*]
# (Optional) Path to NSS < - > keystone tokens db files.
# Defaults to undef
#
# [*user*]
# (Optional) User running the web frontend.
# Defaults to 'www-data'
#
# [*rgw_keystone_implicit_tenants*]
# (Optional) Set 'true' for a private tenant for each user.
# Defaults to true
@ -87,6 +69,23 @@
# (Optional) The keystone admin token.
# Defaults to undef
#
# [*use_pki*]
# (Optional) Whether to use PKI related configuration.
# Defaults to undef
#
# [*rgw_keystone_revocation_interval*]
# (Optional) Interval to check for expired tokens.
# Not useful if not using PKI tokens (if not, set to high value).
# Defaults to undef
#
# [*nss_db_path*]
# (Optional) Path to NSS < - > keystone tokens db files.
# Defaults to undef
#
# [*user*]
# (Optional) User running the web frontend.
# Defaults to undef
#
define ceph::rgw::keystone (
$rgw_keystone_admin_domain,
$rgw_keystone_admin_project,
@ -96,14 +95,14 @@ define ceph::rgw::keystone (
$rgw_keystone_accepted_roles = 'Member',
$rgw_keystone_token_cache_size = 500,
$rgw_s3_auth_use_keystone = true,
$use_pki = true,
$rgw_keystone_revocation_interval = 600,
$nss_db_path = '/var/lib/ceph/nss',
$user = $::ceph::params::user_radosgw,
$rgw_keystone_implicit_tenants = true,
## DEPRECATED PARAMS
$rgw_keystone_version = undef,
$rgw_keystone_admin_token = undef,
$use_pki = undef,
$rgw_keystone_revocation_interval = undef,
$nss_db_path = undef,
$user = undef,
) {
unless $name =~ /^radosgw\..+/ {
@ -116,13 +115,25 @@ define ceph::rgw::keystone (
if $rgw_keystone_admin_token {
warning('ceph::rgw::keystone::rgw_keystone_admin_token is deprecated')
}
if $use_pki {
warning('ceph::rgw::keystone::use_pki is deprecated')
}
if $rgw_keystone_revocation_interval {
warning('ceph::rgw::keystone::rgw_keystone_revocation_interval is deprecated')
}
if $nss_db_path {
warning('ceph::rgw::keystone::nss_db_path is deprecated')
}
if $user {
warning('ceph::rgw::keystone::user is deprecated')
}
ceph_config {
"client.${name}/rgw_keystone_url": value => $rgw_keystone_url;
"client.${name}/rgw_keystone_accepted_roles": value => join(any2array($rgw_keystone_accepted_roles), ',');
"client.${name}/rgw_keystone_token_cache_size": value => $rgw_keystone_token_cache_size;
"client.${name}/rgw_s3_auth_use_keystone": value => $rgw_s3_auth_use_keystone;
"client.${name}/rgw_keystone_implicit_tenants": value => $rgw_keystone_implicit_tenants;
"client.${name}/rgw_keystone_url": value => $rgw_keystone_url;
"client.${name}/rgw_keystone_accepted_roles": value => join(any2array($rgw_keystone_accepted_roles), ',');
"client.${name}/rgw_keystone_token_cache_size": value => $rgw_keystone_token_cache_size;
"client.${name}/rgw_s3_auth_use_keystone": value => $rgw_s3_auth_use_keystone;
"client.${name}/rgw_keystone_implicit_tenants": value => $rgw_keystone_implicit_tenants;
}
# FIXME(ykarel) Cleanup once https://tracker.ceph.com/issues/24228 is fixed for luminous
@ -142,58 +153,8 @@ define ceph::rgw::keystone (
"client.${name}/rgw_keystone_admin_token": ensure => absent;
}
if $use_pki {
# fetch the keystone signing cert, add to nss db
$pkg_nsstools = $::ceph::params::pkg_nsstools
ensure_packages($pkg_nsstools, {'ensure' => 'present'})
file { $nss_db_path:
ensure => directory,
owner => $user,
group => 'root',
}
ceph_config {
"client.${name}/nss_db_path": value => $nss_db_path;
"client.${name}/rgw_keystone_revocation_interval": value => $rgw_keystone_revocation_interval;
}
exec { "${name}-nssdb-ca":
command => "/bin/true # comment to satisfy puppet syntax requirements
set -ex
wget --no-check-certificate ${rgw_keystone_url}/v2.0/certificates/ca -O - |
openssl x509 -pubkey | certutil -A -d ${nss_db_path} -n ca -t \"TCu,Cu,Tuw\"
",
unless => "/bin/true # comment to satisfy puppet syntax requirements
set -ex
certutil -d ${nss_db_path} -L | grep ^ca
",
user => $user,
}
exec { "${name}-nssdb-signing":
command => "/bin/true # comment to satisfy puppet syntax requirements
set -ex
wget --no-check-certificate ${rgw_keystone_url}/v2.0/certificates/signing -O - |
openssl x509 -pubkey | certutil -A -d ${nss_db_path} -n signing_cert -t \"P,P,P\"
",
unless => "/bin/true # comment to satisfy puppet syntax requirements
set -ex
certutil -d ${nss_db_path} -L | grep ^signing_cert
",
user => $user,
}
Package[$pkg_nsstools]
-> Package[$::ceph::params::packages]
-> File[$nss_db_path]
-> Exec["${name}-nssdb-ca"]
-> Exec["${name}-nssdb-signing"]
~> Service<| tag == 'ceph-radosgw' |>
} else {
ceph_config {
"client.${name}/nss_db_path": ensure => absent;
"client.${name}/rgw_keystone_revocation_interval": value => $rgw_keystone_revocation_interval;
}
ceph_config {
"client.${name}/nss_db_path": ensure => absent;
"client.${name}/rgw_keystone_revocation_interval": ensure => absent;
}
}

View File

@ -0,0 +1,16 @@
---
upgrade:
- |
The PKI functionality in the ceph::rgw::keystone class is now deprecated
and the functionality is removed since Keystone v2.0 API is not available
anymore and PKI tokens is removed.
deprecations:
- |
ceph::rgw::keystone::use_pki is deprecated and has no effect.
- |
ceph::rgw::keystone::rgw_keystone_revocation_interval is deprecated and
has no effect.
- |
ceph::rgw::keystone::nss_db_path is deprecated and has no effect.
- |
ceph::rgw::keystone::user is deprecated and has no effect.

View File

@ -42,35 +42,19 @@ describe 'ceph::rgw::keystone' do
}
end
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_url').with_value('http://127.0.0.1:5000') }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_api_version').with_value(3) }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_domain').with_value('default') }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_project').with_value('openstack') }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_user').with_value('rgwuser') }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_password').with_value('123456') }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_token').with_ensure('absent') }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_url').with_value('http://127.0.0.1:5000') }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_accepted_roles').with_value('Member') }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_token_cache_size').with_value(500) }
it { should contain_ceph_config('client.radosgw.gateway/rgw_s3_auth_use_keystone').with_value(true) }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_revocation_interval').with_value(600) }
it { should contain_ceph_config('client.radosgw.gateway/nss_db_path').with_value('/var/lib/ceph/nss') }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_implicit_tenants').with_value(true) }
it { should contain_exec('radosgw.gateway-nssdb-ca').with(
:command => "/bin/true # comment to satisfy puppet syntax requirements
set -ex
wget --no-check-certificate http://127.0.0.1:5000/v2.0/certificates/ca -O - |
openssl x509 -pubkey | certutil -A -d /var/lib/ceph/nss -n ca -t \"TCu,Cu,Tuw\"
",
:user => platform_params[:user_radosgw],
) }
it { should contain_exec('radosgw.gateway-nssdb-signing').with(
:command => "/bin/true # comment to satisfy puppet syntax requirements
set -ex
wget --no-check-certificate http://127.0.0.1:5000/v2.0/certificates/signing -O - |
openssl x509 -pubkey | certutil -A -d /var/lib/ceph/nss -n signing_cert -t \"P,P,P\"
",
:user => platform_params[:user_radosgw],
)}
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_revocation_interval').with_ensure('absent') }
it { should contain_ceph_config('client.radosgw.gateway/nss_db_path').with_ensure('absent') }
end
context 'create with custom params' do
@ -87,22 +71,19 @@ wget --no-check-certificate http://127.0.0.1:5000/v2.0/certificates/signing -O -
let :params do
{
:rgw_keystone_admin_domain => 'default',
:rgw_keystone_admin_project => 'openstack',
:rgw_keystone_admin_user => 'rgwuser',
:rgw_keystone_admin_password => '123456',
:rgw_keystone_url => 'http://keystone.custom:5000',
:rgw_keystone_accepted_roles => '_role1_,role2',
:rgw_keystone_token_cache_size => 100,
:rgw_s3_auth_use_keystone => false,
:use_pki => false,
:rgw_keystone_revocation_interval => 0,
:user => 'myuser',
:nss_db_path => '/some/path/to/nss',
:rgw_keystone_implicit_tenants => false,
:rgw_keystone_admin_domain => 'default',
:rgw_keystone_admin_project => 'openstack',
:rgw_keystone_admin_user => 'rgwuser',
:rgw_keystone_admin_password => '123456',
:rgw_keystone_url => 'http://keystone.custom:5000',
:rgw_keystone_accepted_roles => '_role1_,role2',
:rgw_keystone_token_cache_size => 100,
:rgw_s3_auth_use_keystone => false,
:rgw_keystone_implicit_tenants => false,
}
end
it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_api_version').with_value(3) }
it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_domain').with_value('default') }
it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_project').with_value('openstack') }
it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_user').with_value('rgwuser') }
@ -112,27 +93,9 @@ wget --no-check-certificate http://127.0.0.1:5000/v2.0/certificates/signing -O -
it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_accepted_roles').with_value('_role1_,role2') }
it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_token_cache_size').with_value(100) }
it { should contain_ceph_config('client.radosgw.custom/rgw_s3_auth_use_keystone').with_value(false) }
it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_revocation_interval').with_value(0) }
it { should contain_ceph_config('client.radosgw.custom/nss_db_path').with_ensure('absent') }
it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_implicit_tenants').with_value(false) }
it { should_not contain_exec('radosgw.custom-nssdb-ca').with(
:command => "/bin/true # comment to satisfy puppet syntax requirements
set -ex
wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/ca -O - |
openssl x509 -pubkey | certutil -A -d /some/path/to/nss -n ca -t \"TCu,Cu,Tuw\"
",
:user => 'myuser',
) }
it { should_not contain_exec('radosgw.custom-nssdb-signing').with(
:command => "/bin/true # comment to satisfy puppet syntax requirements
set -ex
wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/signing -O - |
openssl x509 -pubkey | certutil -A -d /some/path/to/nss -n signing_cert -t \"P,P,P\"
",
:user => 'myuser',
)}
it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_revocation_interval').with_ensure('absent') }
it { should contain_ceph_config('client.radosgw.custom/nss_db_path').with_ensure('absent') }
end
end
@ -141,18 +104,7 @@ wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/signin
}).each do |os,facts|
context "on #{os}" do
let (:facts) do
facts.merge!(OSDefaults.get_facts( :concat_basedir => '/var/lib/puppet/concat',
:fqdn => 'myhost.domain',
:hostname => 'myhost' ))
end
let (:platform_params) do
if facts[:osfamily] == 'Debian'
user_radosgw = 'www-data'
else
user_radosgw = 'apache'
end
{ :user_radosgw => user_radosgw }
facts.merge!(OSDefaults.get_facts())
end
it_behaves_like 'ceph::rgw::keystone'