Add a switch to disable nss PKI database initialization

The PKI keys are used to decrypt the Keystone revocation list when
PKI tokens are used. When UUID or Fernet token providers are used in
Keystone, PKI certs may not exist, so we now accommodate this scenario
by allowing the operator to disable the PKI tasks.

diff --git a/group_vars/all.yml.sample b/group_vars/all.yml.sample
index d4e26367afb4b38a77c9392a0591ebe1cfe2f950..ba5b37772917e6df551b2ad545fd1d9eaef4c5a3 100644 (file)
--- a/group_vars/all.yml.sample
+++ b/group_vars/all.yml.sample
@@ -285,6 +285,7 @@ dummy:
 #radosgw_civetweb_num_threads: 50
 #radosgw_keystone: false # activate OpenStack Keystone options full detail here: http://ceph.com/docs/master/radosgw/keystone/
 #radosgw_keystone_url: # url:admin_port ie: http://192.168.0.1:35357
+#radosgw_keystone_ssl: true # Can be used to disable PKI revocation checks when other token types are used.
 # for admin_token method, define radosgw_keystone_admin_token
 # for auth_token method, define _user, _password, and _tenant
 #radosgw_keystone_auth_method: admin_token

diff --git a/roles/ceph-common/defaults/main.yml b/roles/ceph-common/defaults/main.yml
index acc3c2653940a761d3556bc32f7fdd07af04d8af..e1216e70921e6db05a1726e46e48d37ed7ad9d28 100644 (file)
--- a/roles/ceph-common/defaults/main.yml
+++ b/roles/ceph-common/defaults/main.yml
@@ -277,6 +277,7 @@ radosgw_civetweb_bind_ip: "{{ ansible_default_ipv4.address }}"
 radosgw_civetweb_num_threads: 50
 radosgw_keystone: false # activate OpenStack Keystone options full detail here: http://ceph.com/docs/master/radosgw/keystone/
 #radosgw_keystone_url: # url:admin_port ie: http://192.168.0.1:35357
+radosgw_keystone_ssl: true # Can be used to disable PKI revocation checks when other token types are used.
 # for admin_token method, define radosgw_keystone_admin_token
 # for auth_token method, define _user, _password, and _tenant
 radosgw_keystone_auth_method: admin_token

diff --git a/roles/ceph-common/templates/ceph.conf.j2 b/roles/ceph-common/templates/ceph.conf.j2
index be1f385140fad05f8661ef0528947909771a6110..c45dd2b9bb4d0e70715b540d9ec887abc922e27f 100644 (file)
--- a/roles/ceph-common/templates/ceph.conf.j2
+++ b/roles/ceph-common/templates/ceph.conf.j2
@@ -125,9 +125,11 @@ rgw keystone accepted roles = {{ radosgw_keystone_accepted_roles }}
 rgw keystone token cache size = {{ radosgw_keystone_token_cache_size }}
 rgw keystone revocation interval = {{ radosgw_keystone_revocation_internal }}
 rgw s3 auth use keystone = {{ radosgw_s3_auth_use_keystone }}
+{% if radosgw_keystone_ssl | bool %}
 nss db path = {{ radosgw_nss_db_path }}
 {% endif %}
 {% endif %}
+{% endif %}
 {% endfor %}
 {% endif %}
 

diff --git a/roles/ceph-rgw/tasks/main.yml b/roles/ceph-rgw/tasks/main.yml
index 5fb5699cd218b13becf0b1e76017f0dc55500a46..a89f8416713914645096dd402a1487c9401e7cc6 100644 (file)
--- a/roles/ceph-rgw/tasks/main.yml
+++ b/roles/ceph-rgw/tasks/main.yml
@@ -5,7 +5,9 @@
   static: False
 
 - include: openstack-keystone.yml
-  when: radosgw_keystone
+  when:
+    - radosgw_keystone|bool
+    - radosgw_keystone_ssl|bool
   # Hard code this so we will skip the entire file instead of individual tasks (Default isn't Consistent)
   static: False