Add support for Keystone user authentication with RGW
authorLogan V <logan2211@gmail.com>
Mon, 11 Jul 2016 12:52:11 +0000 (07:52 -0500)
committerLogan V <logan2211@gmail.com>
Thu, 15 Dec 2016 23:17:37 +0000 (17:17 -0600)
Jewel added support for user/pass authentication with Keystone,
allowing deployers to disable Keystone admin token as required
for production deployments.

This implements configuration for the new RGW Keystone user/pass
authentication feature added in Jewel.

See docs here: http://docs.ceph.com/docs/master/radosgw/keystone/

group_vars/all.yml.sample
roles/ceph-common/defaults/main.yml
roles/ceph-common/templates/ceph.conf.j2

index 9c965e44a7a52e8fbc20215e4be798ad24339bfb..d4e26367afb4b38a77c9392a0591ebe1cfe2f950 100644 (file)
@@ -285,7 +285,13 @@ dummy:
 #radosgw_civetweb_num_threads: 50
 #radosgw_keystone: false # activate OpenStack Keystone options full detail here: http://ceph.com/docs/master/radosgw/keystone/
 #radosgw_keystone_url: # url:admin_port ie: http://192.168.0.1:35357
+# for admin_token method, define radosgw_keystone_admin_token
+# for auth_token method, define _user, _password, and _tenant
+#radosgw_keystone_auth_method: admin_token
 #radosgw_keystone_admin_token: password
+#radosgw_keystone_admin_user: username
+#radosgw_keystone_admin_password: password
+#radosgw_keystone_admin_tenant: tenant
 #radosgw_keystone_accepted_roles: Member, _member_, admin
 #radosgw_keystone_token_cache_size: 10000
 #radosgw_keystone_revocation_internal: 900
index a27050f0c9fcaf642110bf71c52e5f70e276f94f..acc3c2653940a761d3556bc32f7fdd07af04d8af 100644 (file)
@@ -277,7 +277,13 @@ radosgw_civetweb_bind_ip: "{{ ansible_default_ipv4.address }}"
 radosgw_civetweb_num_threads: 50
 radosgw_keystone: false # activate OpenStack Keystone options full detail here: http://ceph.com/docs/master/radosgw/keystone/
 #radosgw_keystone_url: # url:admin_port ie: http://192.168.0.1:35357
+# for admin_token method, define radosgw_keystone_admin_token
+# for auth_token method, define _user, _password, and _tenant
+radosgw_keystone_auth_method: admin_token
 radosgw_keystone_admin_token: password
+radosgw_keystone_admin_user: username
+radosgw_keystone_admin_password: password
+radosgw_keystone_admin_tenant: tenant
 radosgw_keystone_accepted_roles: Member, _member_, admin
 radosgw_keystone_token_cache_size: 10000
 radosgw_keystone_revocation_internal: 900
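Review bot: `radosgw_keystone_admin_password: password`, together with `radosgw_keystone_admin_user: username` and `radosgw_keystone_admin_tenant: tenant`, is added as an active default rather than a commented example. A deployer who switches `radosgw_keystone_auth_method` to `auth_token` and misses one override therefore gets the placeholder rendered into ceph.conf as a real credential. Leaving the three values undefined, e.g. `#radosgw_keystone_admin_password: password`, should make the template fail on the undefined variable under Ansible's default settings instead of deploying a guessable value. The context line `radosgw_keystone_admin_token: password` already has the same shape, so this follows an existing pattern, but the new lines need not extend it. The comment would also read better with the full variable names instead of `_user, _password, and _tenant`.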
index 19092662a1f03dba0cb37d8d3076006f6b6fe8ef..be1f385140fad05f8661ef0528947909771a6110 100644 (file)
@@ -114,7 +114,13 @@ rgw data = /var/lib/ceph/radosgw/{{ cluster }}-rgw.{{ hostvars[host]['ansible_ho
 rgw frontends = civetweb port={{ radosgw_civetweb_bind_ip }}:{{ radosgw_civetweb_port }} num_threads={{ radosgw_civetweb_num_threads }}
 {% if radosgw_keystone %}
 rgw keystone url = {{ radosgw_keystone_url }}
+{% if radosgw_keystone_auth_method == 'admin_token' %}
 rgw keystone admin token = {{ radosgw_keystone_admin_token }}
+{% elif radosgw_keystone_auth_method == 'auth_token' %}
+rgw keystone admin user = {{ radosgw_keystone_admin_user }}
+rgw keystone admin password = {{ radosgw_keystone_admin_password }}
+rgw keystone admin tenant = {{ radosgw_keystone_admin_tenant }}
+{% endif %}
 rgw keystone accepted roles = {{ radosgw_keystone_accepted_roles }}
 rgw keystone token cache size = {{ radosgw_keystone_token_cache_size }}
 rgw keystone revocation interval = {{ radosgw_keystone_revocation_internal }}
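Review bot: The `{% if %}`/`{% elif %}` on `radosgw_keystone_auth_method` has no `{% else %}`, so any value other than `admin_token` or `auth_token` (a misspelling, an empty string) renders `rgw keystone url` with no admin credentials at all and the play still succeeds. A validation step before the template is rendered would catch this, for example an `assert` task with `that: radosgw_keystone_auth_method in ['admin_token', 'auth_token']`; that task would live outside this hunk. The new branch also writes `rgw keystone admin password` in cleartext into the rendered ceph.conf, and the file's owner and mode are set elsewhere, so it is worth confirming the file is not world-readable on RGW hosts. The enclosing `{% if radosgw_keystone %}` block closes outside the hunk.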