Add support for Rados Gateway configuration with Keystone 267/head
authorSébastien Han <sebastien.han@enovance.com>
Wed, 3 Jun 2015 17:01:23 +0000 (19:01 +0200)
committerSébastien Han <seb@redhat.com>
Wed, 3 Jun 2015 19:42:16 +0000 (21:42 +0200)
Signed-off-by: Sébastien Han <seb@redhat.com>
group_vars/all
roles/ceph-common/defaults/main.yml
roles/ceph-common/templates/ceph.conf.j2
roles/ceph-radosgw/tasks/main.yml
roles/ceph-radosgw/tasks/openstack-keystone.yml [new file with mode: 0644]

index 0a62d7bcbec37bc48a26cb47e39e19b669f21fd2..8746d1ca3ee7414d9363d6eed6f3014aad888fe0 100644 (file)
@@ -112,6 +112,14 @@ dummy:
 #radosgw_dns_name: your.subdomain.tld # subdomains used by radosgw. See http://ceph.com/docs/master/radosgw/config/#enabling-subdomain-s3-calls
 #radosgw_frontend: civetweb # supported options are 'apache' or 'civetweb', also edit roles/ceph-radosgw/defaults/main.yml
 #radosgw_civetweb_port: 80
+#radosgw_keystone: false # activate OpenStack Keystone options full detail here: http://ceph.com/docs/master/radosgw/keystone/
+#radosgw_keystone_url: # url:admin_port ie: http://192.168.0.1:35357
+#radosgw_keystone_admin_token: password
+#radosgw_keystone_accepted_roles: Member, _member_, admin
+#radosgw_keystone_token_cache_size: 10000
+#radosgw_keystone_revocation_internal: 900
+#radosgw_s3_auth_use_keystone: "true"
+#radosgw_nss_db_path: /var/lib/ceph/radosgw/ceph-radosgw.{{ ansible_hostname }}/nss
 
 ## REST API options
 #
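Review bot: The example on the `#radosgw_keystone_url:` line shows a plain `http://` admin endpoint, and the admin token configured two lines below is sent to that endpoint on every token validation, so with this example the shared secret crosses the network in cleartext. I would change the example to `#radosgw_keystone_url: # url:admin_port ie: https://192.168.0.1:35357` and add to the `radosgw_keystone_admin_token` comment that this is a Keystone-wide admin secret that belongs in an Ansible Vault-encrypted vars file, not in a plaintext group_vars. The new variable `radosgw_keystone_revocation_internal` is misspelled (the ceph option it feeds is `rgw keystone revocation interval`); since the name is introduced by this commit, renaming it to `radosgw_keystone_revocation_interval` now avoids carrying the typo into user inventories.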
index 49b0270db114b5af0a522fa72b1fd649db150134..c0f21cf8d484e76341bf7e86dd236b97b4fcf83d 100644 (file)
@@ -127,6 +127,14 @@ radosgw: false # referenced in monitor role too.
 #radosgw_dns_name: your.subdomain.tld # subdomains used by radosgw. See http://ceph.com/docs/master/radosgw/config/#enabling-subdomain-s3-calls\r
 radosgw_frontend: civetweb # supported options are 'apache' or 'civetweb', also edit roles/ceph-radosgw/defaults/main.yml\r
 radosgw_civetweb_port: 80\r
+radosgw_keystone: false # activate OpenStack Keystone options full detail here: http://ceph.com/docs/master/radosgw/keystone/\r
+#radosgw_keystone_url: # url:admin_port ie: http://192.168.0.1:35357\r
+radosgw_keystone_admin_token: password\r
+radosgw_keystone_accepted_roles: Member, _member_, admin\r
+radosgw_keystone_token_cache_size: 10000\r
+radosgw_keystone_revocation_internal: 900\r
+radosgw_s3_auth_use_keystone: "true"\r
+radosgw_nss_db_path: /var/lib/ceph/radosgw/ceph-radosgw.{{ ansible_hostname }}/nss\r
 \r
 ## REST API options\r
 #\r
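Review bot: `radosgw_keystone_admin_token: password` gives the Keystone admin token a real default, so a deployment that sets `radosgw_keystone: true` without overriding it renders a guessable admin token into ceph.conf and the play succeeds silently. `radosgw_keystone_url` on the line above is deliberately left commented out, so rendering fails on an undefined variable until the operator sets it; the token deserves the same treatment: `#radosgw_keystone_admin_token: # no default on purpose; define it in an Ansible Vault-encrypted vars file`. The trailing `\r` on every line shows this file uses CRLF endings; the added lines follow suit, which is consistent, but worth normalizing to LF in a follow-up so future diffs stay readable.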
index 0e0f7f391028bd10e04d79704b81e4738ec7fcce..f576e396885796a846fa4a1c869b0b49d06c2bd6 100644 (file)
   {% if radosgw_frontend  == 'civetweb' %}
   rgw frontends = civetweb port={{ radosgw_civetweb_port }}
   {% endif %}
+  {% if radosgw_keystone %}
+  rgw keystone url = {{ radosgw_keystone_url }}
+  rgw keystone admin token = {{ radosgw_keystone_admin_token }}
+  rgw keystone accepted roles = {{ radosgw_keystone_accepted_roles }}
+  rgw keystone token cache size = {{ radosgw_keystone_token_cache_size }}
+  rgw keystone revocation interval = {{ radosgw_keystone_revocation_internal }}
+  rgw s3 auth use keystone = {{ radosgw_s3_auth_use_keystone }}
+  nss db path = {{ radosgw_nss_db_path }}
+  {% endif %}
 {% endif %}
 {% endfor %}
 {% endif %}
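Review bot: `rgw keystone admin token = {{ radosgw_keystone_admin_token }}` writes the Keystone admin token in cleartext into ceph.conf, and the `{% endfor %}` that follows suggests these `[client.radosgw.*]` sections are generated inside a per-host loop, so the token likely lands in the ceph.conf of every host that receives this template rather than only the RGW nodes; the loop and the enclosing `{% if %}` start outside the hunk, so I cannot confirm that from the hunk alone. Whoever deploys this needs to know that ceph.conf's file mode now protects a secret; a template comment such as `{# the admin token below is a shared Keystone secret: keep ceph.conf mode restrictive and the value vaulted #}` would make that visible at the point it is rendered. `rgw keystone url` is interpolated from a variable the defaults leave undefined, so with `radosgw_keystone` true and no URL the render fails on an undefined variable, which is acceptable as a forced-configuration check but should be stated in the variable's comment.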
index 2de430f1026a5faf2f240da1e8a8f8afeff8e515..eddbe05ac6ef92a592905852f9fec744923e5989 100644 (file)
@@ -21,6 +21,9 @@
     state=present
   when: ansible_os_family == 'RedHat' and not ceph_containerized_deployment
 
+- include: openstack-keystone.yml
+  when: radosgw_keystone
+
 - include: start_radosgw.yml
   when: not ceph_containerized_deployment
 
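Review bot: The new `- include: openstack-keystone.yml` is gated only on `radosgw_keystone`, while the neighbouring tasks in this hunk also check `ceph_containerized_deployment`; the included file runs `openssl` and `certutil` on the host, which a containerized deployment may not provide or need. Consider `when: radosgw_keystone and not ceph_containerized_deployment`, or add a comment explaining why the Keystone NSS setup must run on the host in both deployment modes.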
diff --git a/roles/ceph-radosgw/tasks/openstack-keystone.yml b/roles/ceph-radosgw/tasks/openstack-keystone.yml
new file mode 100644 (file)
index 0000000..09887f2
--- /dev/null
@@ -0,0 +1,14 @@
+---
+- name: create nss directory for Keystone certificates
+  file: >
+    path={{ radosgw_nss_db_path }}
+    state=directory
+    owner=root
+    group=root
+    mode=0644
+
+- name: create nss entries for Keystone certificates
+  shell: "{{ item }}"
+  with_items:
+    - "openssl x509 -in /etc/keystone/ssl/certs/ca.pem -pubkey |certutil -d {{ radosgw_nss_db_path }} -A -n ca -t 'TCu,Cu,Tuw'"
+    - "openssl x509 -in /etc/keystone/ssl/certs/signing_cert.pem -pubkey | certutil -A -d {{ radosgw_nss_db_path }} -n signing_cert -t 'P,P,P'"