From bbf13fe1d5dd242ce370afbdb7bb13db77d53d7f Mon Sep 17 00:00:00 2001
From: Keith Schincke <keith.schincke@gmail.com>
Date: Thu, 1 Dec 2016 13:37:12 -0500
Subject: Add support for not using admin_token in Ceph/RGW

This patch add the option for using Keyston V3 authention with
the Ceph/RGW service instead of using the admin_token

Change-Id: I42861afcac221478dcb68be13b6dbc2533a7f158
---
 manifests/profile/base/ceph/rgw.pp                 | 37 ++++++++++++++++------
 .../notes/rgw-keystone-v3-43ef17dd10f825be.yaml    |  5 +++
 spec/classes/tripleo_profile_base_ceph_rgw_spec.rb | 11 +++++++
 spec/fixtures/hieradata/default.yaml               |  7 ++++
 4 files changed, 51 insertions(+), 9 deletions(-)
 create mode 100644 releasenotes/notes/rgw-keystone-v3-43ef17dd10f825be.yaml

diff --git a/manifests/profile/base/ceph/rgw.pp b/manifests/profile/base/ceph/rgw.pp
index 2ecca52..8443de0 100644
--- a/manifests/profile/base/ceph/rgw.pp
+++ b/manifests/profile/base/ceph/rgw.pp
@@ -29,6 +29,10 @@
 # [*keystone_admin_token*]
 #   The keystone admin token
 #
+# [*rgw_keystone_version*] The api version for keystone.
+#   Possible values 'v2.0', 'v3'
+#   Optional. Default is 'v2.0'
+#
 # [*keystone_url*]
 #   The internal or admin url for keystone
 #
@@ -44,9 +48,10 @@ class tripleo::profile::base::ceph::rgw (
   $keystone_admin_token,
   $keystone_url,
   $rgw_key,
-  $civetweb_bind_ip   = '127.0.0.1',
-  $civetweb_bind_port = '8080',
-  $step               = hiera('step'),
+  $civetweb_bind_ip            = '127.0.0.1',
+  $civetweb_bind_port          = '8080',
+  $rgw_keystone_version        = 'v2.0',
+  $step                        = hiera('step'),
 ) {
 
   include ::tripleo::profile::base::ceph
@@ -58,7 +63,8 @@ class tripleo::profile::base::ceph::rgw (
     include ::ceph::profile::base
     ceph::rgw { $rgw_name:
       frontend_type => 'civetweb',
-      rgw_frontends => "civetweb port=${civetweb_bind_ip_real}:${civetweb_bind_port}"
+      rgw_frontends => "civetweb port=${civetweb_bind_ip_real}:${civetweb_bind_port}",
+      user          => 'ceph',
     }
     ceph::key { "client.${rgw_name}":
       secret  => $rgw_key,
@@ -69,11 +75,24 @@ class tripleo::profile::base::ceph::rgw (
   }
 
   if $step >= 4 {
-    ceph::rgw::keystone { $rgw_name:
-      rgw_keystone_accepted_roles => ['admin', '_member_', 'Member'],
-      use_pki                     => false,
-      rgw_keystone_admin_token    => $keystone_admin_token,
-      rgw_keystone_url            => $keystone_url,
+    if $rgw_keystone_version == 'v2.0' {
+      ceph::rgw::keystone { $rgw_name:
+        rgw_keystone_accepted_roles => ['admin', '_member_', 'Member'],
+        use_pki                     => false,
+        rgw_keystone_admin_token    => $keystone_admin_token,
+        rgw_keystone_url            => $keystone_url,
+        user                        => 'ceph',
+      }
+    }
+    else
+    {
+      ceph::rgw::keystone { $rgw_name:
+        rgw_keystone_accepted_roles => ['admin', '_member_', 'Member'],
+        use_pki                     => false,
+        rgw_keystone_url            => $keystone_url,
+        rgw_keystone_version        => $rgw_keystone_version,
+        user                        => 'ceph',
+      }
     }
   }
 }
diff --git a/releasenotes/notes/rgw-keystone-v3-43ef17dd10f825be.yaml b/releasenotes/notes/rgw-keystone-v3-43ef17dd10f825be.yaml
new file mode 100644
index 0000000..6159415
--- /dev/null
+++ b/releasenotes/notes/rgw-keystone-v3-43ef17dd10f825be.yaml
@@ -0,0 +1,5 @@
+---
+features:
+  - Add support for configuring Ceph RGW to use
+    keystone V3 service authentication instead
+    of admin token authentication
diff --git a/spec/classes/tripleo_profile_base_ceph_rgw_spec.rb b/spec/classes/tripleo_profile_base_ceph_rgw_spec.rb
index 88f971b..4ebf521 100644
--- a/spec/classes/tripleo_profile_base_ceph_rgw_spec.rb
+++ b/spec/classes/tripleo_profile_base_ceph_rgw_spec.rb
@@ -85,6 +85,17 @@ describe 'tripleo::profile::base::ceph::rgw' do
         )
       end
     end
+
+    context 'with step 4 and keystone v3' do
+      let(:params) { default_params.merge({ :step => 4, :rgw_keystone_version => 'v3' }) }
+      it 'should include rgw configuration' do
+        is_expected.to contain_ceph__rgw__keystone('radosgw.gateway').with(
+          :rgw_keystone_accepted_roles => ["admin", "_member_", "Member"],
+          :use_pki                     => false,
+          :rgw_keystone_url            => 'url'
+        )
+      end
+    end
   end
 
   on_supported_os.each do |os, facts|
diff --git a/spec/fixtures/hieradata/default.yaml b/spec/fixtures/hieradata/default.yaml
index d63fc76..b09e914 100644
--- a/spec/fixtures/hieradata/default.yaml
+++ b/spec/fixtures/hieradata/default.yaml
@@ -14,6 +14,13 @@ barbican::keystone::authtoken::password: 'password'
 ceilometer::keystone::authtoken::password: 'password'
 # ceph related items
 ceph::profile::params::mon_key: 'password'
+# NOTE(gfidente): we want to use keystone v3 API for RGW so the following are
+# needed to comply with the if condition:
+# https://github.com/openstack/puppet-ceph/blob/master/manifests/rgw/keystone.pp#L111
+ceph::profile::params::rgw_keystone_admin_domain: 'keystone_domain'
+ceph::profile::params::rgw_keystone_admin_project: 'keystone_project'
+ceph::profile::params::rgw_keystone_admin_user: 'keystone_admin_user'
+ceph::profile::params::rgw_keystone_admin_password: 'keystone_admin_password'
 # cinder related items
 cinder::rabbit_password: 'password'
 cinder::keystone::authtoken::password: 'password'
-- 
cgit 1.2.3-korg