Add a switch to disable nss PKI database initialization

The PKI keys are used to decrypt the Keystone revocation list when
PKI tokens are used. When UUID or Fernet token providers are used in
Keystone, PKI certs may not exist, so we now accommodate this scenario
by allowing the operator to disable the PKI tasks.

diff --git a/defaults/main.yml b/defaults/main.yml
index acc3c2653940a761d3556bc32f7fdd07af04d8af..e1216e70921e6db05a1726e46e48d37ed7ad9d28 100644 (file)
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -277,6 +277,7 @@ radosgw_civetweb_bind_ip: "{{ ansible_default_ipv4.address }}"
 radosgw_civetweb_num_threads: 50
 radosgw_keystone: false # activate OpenStack Keystone options full detail here: http://ceph.com/docs/master/radosgw/keystone/
 #radosgw_keystone_url: # url:admin_port ie: http://192.168.0.1:35357
+radosgw_keystone_ssl: true # Can be used to disable PKI revocation checks when other token types are used.
 # for admin_token method, define radosgw_keystone_admin_token
 # for auth_token method, define _user, _password, and _tenant
 radosgw_keystone_auth_method: admin_token

diff --git a/templates/ceph.conf.j2 b/templates/ceph.conf.j2
index be1f385140fad05f8661ef0528947909771a6110..c45dd2b9bb4d0e70715b540d9ec887abc922e27f 100644 (file)
--- a/templates/ceph.conf.j2
+++ b/templates/ceph.conf.j2
@@ -125,9 +125,11 @@ rgw keystone accepted roles = {{ radosgw_keystone_accepted_roles }}
 rgw keystone token cache size = {{ radosgw_keystone_token_cache_size }}
 rgw keystone revocation interval = {{ radosgw_keystone_revocation_internal }}
 rgw s3 auth use keystone = {{ radosgw_s3_auth_use_keystone }}
+{% if radosgw_keystone_ssl | bool %}
 nss db path = {{ radosgw_nss_db_path }}
 {% endif %}
 {% endif %}
+{% endif %}
 {% endfor %}
 {% endif %}