From: Logan V
Date: Thu, 14 Jul 2016 19:09:31 +0000 (-0500)
Subject: Add a switch to disable nss PKI database initialization
X-Git-Tag: v2.1.0~1^2~1
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=aa0bfaa89a1303bee53f371c39d11ef9bcddc36e;p=ceph-ansible.git
Add a switch to disable nss PKI database initialization
The PKI keys are used to decrypt the Keystone revocation list when PKI tokens are used. When UUID or Fernet token providers are used in Keystone, PKI certs may not exist, so we now accommodate this scenario by allowing the operator to disable the PKI tasks.
---
diff --git a/group_vars/all.yml.sample b/group_vars/all.yml.sample
index d4e26367a..ba5b37772 100644
--- a/group_vars/all.yml.sample
+++ b/group_vars/all.yml.sample
@@ -285,6 +285,7 @@ dummy:
 #radosgw_civetweb_num_threads: 50
 #radosgw_keystone: false # activate OpenStack Keystone options full detail here: http://ceph.com/docs/master/radosgw/keystone/
 #radosgw_keystone_url: # url:admin_port ie: http://192.168.0.1:35357
+#radosgw_keystone_ssl: true # Can be used to disable PKI revocation checks when other token types are used.
 # for admin_token method, define radosgw_keystone_admin_token
 # for auth_token method, define _user, _password, and _tenant
 #radosgw_keystone_auth_method: admin_token
diff --git a/roles/ceph-common/defaults/main.yml b/roles/ceph-common/defaults/main.yml
index acc3c2653..e1216e709 100644
--- a/roles/ceph-common/defaults/main.yml
+++ b/roles/ceph-common/defaults/main.yml
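Review bot: The comment on the new `#radosgw_keystone_ssl: true` line says what switching it off avoids but not what the flag actually gates, and the name reads as "TLS towards Keystone" when the rest of this diff only uses it to skip the NSS db setup and the `nss db path` line in ceph.conf. The sample file is the one place most operators read before enabling Keystone, so say it plainly: `#radosgw_keystone_ssl: true # Build the NSS db RGW uses to verify Keystone's signed PKI revocation list; set to false only when Keystone issues UUID or Fernet tokens and no PKI certs exist.` A name such as radosgw_keystone_pki would match what the flag does, though renaming is a wider change than this commit.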
@@ -277,6 +277,7 @@ radosgw_civetweb_bind_ip: "{{ ansible_default_ipv4.address }}"
 radosgw_civetweb_num_threads: 50
 radosgw_keystone: false # activate OpenStack Keystone options full detail here: http://ceph.com/docs/master/radosgw/keystone/
 #radosgw_keystone_url: # url:admin_port ie: http://192.168.0.1:35357
+radosgw_keystone_ssl: true # Can be used to disable PKI revocation checks when other token types are used.
 # for admin_token method, define radosgw_keystone_admin_token
 # for auth_token method, define _user, _password, and _tenant
 radosgw_keystone_auth_method: admin_token
diff --git a/roles/ceph-common/templates/ceph.conf.j2 b/roles/ceph-common/templates/ceph.conf.j2
index be1f38514..c45dd2b9b 100644
--- a/roles/ceph-common/templates/ceph.conf.j2
+++ b/roles/ceph-common/templates/ceph.conf.j2
@@ -125,9 +125,11 @@ rgw keystone accepted roles = {{ radosgw_keystone_accepted_roles }}
 rgw keystone token cache size = {{ radosgw_keystone_token_cache_size }}
 rgw keystone revocation interval = {{ radosgw_keystone_revocation_internal }}
 rgw s3 auth use keystone = {{ radosgw_s3_auth_use_keystone }}
+{% if radosgw_keystone_ssl | bool %}
 nss db path = {{ radosgw_nss_db_path }}
 {% endif %}
 {% endif %}
+{% endif %}
 {% endfor %}
 {% endif %}
diff --git a/roles/ceph-rgw/tasks/main.yml b/roles/ceph-rgw/tasks/main.yml
index 5fb5699cd..a89f84167 100644
--- a/roles/ceph-rgw/tasks/main.yml
+++ b/roles/ceph-rgw/tasks/main.yml
@@ -5,7 +5,9 @@
   static: False
 - include: openstack-keystone.yml
-  when: radosgw_keystone
+  when:
+    - radosgw_keystone|bool
+    - radosgw_keystone_ssl|bool
   # Hard code this so we will skip the entire file instead of individual tasks (Default isn't Consistent)
   static: False
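Review bot: `radosgw_keystone_ssl: true` is a security-relevant default, since per the commit message it gates the keys RGW needs to decrypt the Keystone revocation list, yet the inline comment never warns what happens when it is turned off while Keystone still issues PKI tokens. In that configuration RGW presumably cannot verify the revocation list at all, so a revoked token would keep working until it expires; the consequence belongs next to the default rather than only in the commit message. Something like `radosgw_keystone_ssl: true # Only set to false when Keystone uses UUID or Fernet tokens; with PKI tokens RGW then cannot verify the revocation list and revoked tokens stay accepted until expiry.` would do.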
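Review bot: The new `{% if radosgw_keystone_ssl | bool %}` wraps only `nss db path`, while `rgw keystone revocation interval = {{ radosgw_keystone_revocation_internal }}` two lines above is still rendered unconditionally. If RGW keeps polling the revocation list on that interval without an NSS db to decode it, the flag produces a recurring verification error rather than a cleanly disabled check — worth confirming against RGW's behaviour and, if so, moving the interval line inside the same `if` or emitting `rgw keystone revocation interval = 0` in an `{% else %}` branch. The `{% if %}` and `{% for %}` blocks that the added `{% endif %}` closes start above the hunk, so the nesting of the three consecutive `endif`s cannot be checked from here; a short `{# radosgw_keystone_ssl #}` style marker on the new `endif` would make that nesting readable.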
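Review bot: The new `when:` list makes the entire openstack-keystone.yml include depend on a flag whose name says "ssl", and nothing in this file tells the reader that the include is really the NSS/PKI db setup that is only needed for PKI tokens. Add a one-line comment above the include, e.g. `# openstack-keystone.yml only builds the NSS db for PKI revocation checks; skipped when radosgw_keystone_ssl is false (UUID/Fernet tokens)`. Note also that `radosgw_keystone|bool` is a small behaviour change from the old bare `when: radosgw_keystone` (a string like "false" passed with -e was truthy before and is false now); that is an improvement, but it is not mentioned in the commit message.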