From 7ecd756b7c5eff4ef938fced335d75123749b1f3 Mon Sep 17 00:00:00 2001
From: Giulio Fidente
Date: Wed, 9 Oct 2019 23:19:43 +0200
Subject: [PATCH] Permit access to Ceph RGW for 'member' role

From the Rocky release, Keystone is bootstrapped by default [1] with a 'member' role, while previously we used to create at deployment time a role called 'Member'. Role names are case insensitive in Keystone but Ceph RGW expects a whitelist of role names to which access is permitted. This change adds 'member' to the Ceph RGW whitelist, in addition to 'Member'.
1. https://blueprints.launchpad.net/keystone/+spec/basic-default-roles
Change-Id: Ib3c70c136fa4a03b58edc370343a01d657b5b101
Closes-Bug: 1847539
(cherry picked from commit 1357a131c83e0d4c699df5b9230c382a803eb5d7)
---
 deployment/ceph-ansible/ceph-base.yaml | 2 +-
 deployment/ceph-ansible/ceph-rgw.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/deployment/ceph-ansible/ceph-base.yaml b/deployment/ceph-ansible/ceph-base.yaml
index 9130450a7b..adbcb715e6 100644
--- a/deployment/ceph-ansible/ceph-base.yaml
+++ b/deployment/ceph-ansible/ceph-base.yaml
@@ -429,7 +429,7 @@ resources:
 osd_pool_default_pgp_num: {get_param: CephPoolDefaultPgNum}
 rgw_keystone_api_version: 3
 rgw_keystone_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
- rgw_keystone_accepted_roles: 'Member, admin'
+ rgw_keystone_accepted_roles: 'member, Member, admin'
 rgw_keystone_accepted_admin_roles: ResellerAdmin
 rgw_keystone_admin_domain: default
 rgw_keystone_admin_project: service
diff --git a/deployment/ceph-ansible/ceph-rgw.yaml b/deployment/ceph-ansible/ceph-rgw.yaml
index 1b3e1f221b..7ce744da42 100644
--- a/deployment/ceph-ansible/ceph-rgw.yaml
+++ b/deployment/ceph-ansible/ceph-rgw.yaml
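Review bot: The new value `'member, Member, admin'` for `rgw_keystone_accepted_roles` in ceph-base.yaml lists the same role in two spellings with no comment saying why, although this string decides which Keystone roles are granted access to RGW. A comment above the key would stop a later cleanup from dropping one spelling as a duplicate, for example `# RGW matches role names literally; 'Member' is kept for clouds deployed before Rocky`. As far as this hunk shows, the list is a fixed string in the template, so an operator cannot narrow or extend it without patching the file. Exposing it as a template parameter with this string as the default would be backward-compatible. The enclosing resource definition starts and ends outside the hunk.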
@@ -103,7 +103,7 @@ outputs:
 ceph::rgw::keystone::auth::internal_url: {get_param: [EndpointMap, CephRgwInternal, uri]}
 ceph::rgw::keystone::auth::admin_url: {get_param: [EndpointMap, CephRgwAdmin, uri]}
 ceph::rgw::keystone::auth::region: {get_param: KeystoneRegion}
- ceph::rgw::keystone::auth::roles: [ 'admin', 'Member' ]
+ ceph::rgw::keystone::auth::roles: [ 'admin', 'member' ]
 ceph::rgw::keystone::auth::tenant: service
 ceph::rgw::keystone::auth::user: swift
 ceph::rgw::keystone::auth::password: {get_param: SwiftPassword}
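Review bot: In ceph-rgw.yaml the `ceph::rgw::keystone::auth::roles` line replaces `'Member'` with `'member'` rather than listing both, unlike the accepted-roles list in ceph-base.yaml, and the commit message describes only an addition. Judging by the neighbouring `user` and `tenant` keys this looks like the role assignment for the `swift` service user. If so, on a cloud deployed before Rocky that only has `Member`, it depends on Keystone resolving role names case-insensitively. The commit message states that Keystone does this, but the template does not record it; a comment such as `# 'member' also resolves the pre-Rocky 'Member' role (Keystone role names are case-insensitive)` above the line would. It is worth confirming on an upgraded environment that the assignment still applies. The outputs block continues outside the hunk.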