diff --git a/manifests/rgw/keystone.pp b/manifests/rgw/keystone.pp
index 04a9ddb..c3d58af 100644
--- a/manifests/rgw/keystone.pp
+++ b/manifests/rgw/keystone.pp
@@ -1,121 +1,138 @@
#
# Copyright (C) 2014 Catalyst IT Limited.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Author: Ricardo Rocha <ricardo@catalyst.net.nz>
#
# Configures keystone auth/authz for the ceph radosgw.
#
### == Name
# # The RGW id. An alphanumeric string uniquely identifying the RGW.
# ( example: radosgw.gateway )
#
### == Parameters
#
# [*rgw_keystone_admin_token*] The keystone admin token.
# Mandatory.
#
# [*rgw_keystone_url*] The internal or admin url for keystone.
# Optional. Default is 'http://127.0.0.1:5000'
#
# [*rgw_keystone_version*] The api version for keystone.
# Optional. Default is 'v2.0'
#
# [*rgw_keystone_accepted_roles*] Roles to accept from keystone.
# Optional. Default is '_member_, Member'.
# Comma separated list of roles.
#
# [*rgw_keystone_token_cache_size*] How many tokens to keep cached.
# Optional. Default is 500.
# Not useful when using PKI as every token is checked.
#
+# [*rgw_s3_auth_use_keystone*] Whether to enable keystone auth for S3.
+# Optional. Default to true.
+#
+# [*use_pki*] Whether to use PKI related configuration.
+# Optional. Default to true.
+#
# [*rgw_keystone_revocation_interval*] Interval to check for expired tokens.
# Optional. Default is 600 (seconds).
# Not useful if not using PKI tokens (if not, set to high value).
#
# [*nss_db_path*] Path to NSS < - > keystone tokens db files.
# Optional. Default is undef.
#
# [*user*] User running the web frontend.
# Optional. Default is 'www-data'.
#
define ceph::rgw::keystone (
$rgw_keystone_admin_token,
- $rgw_keystone_url = 'http://127.0.0.1:5000',
- $rgw_keystone_version = 'v2.0',
- $rgw_keystone_accepted_roles = '_member_, Member',
- $rgw_keystone_token_cache_size = 500,
+ $rgw_keystone_url = 'http://127.0.0.1:5000',
+ $rgw_keystone_version = 'v2.0',
+ $rgw_keystone_accepted_roles = '_member_, Member',
+ $rgw_keystone_token_cache_size = 500,
+ $rgw_s3_auth_use_keystone = true,
+ $use_pki = true,
$rgw_keystone_revocation_interval = 600,
- $nss_db_path = '/var/lib/ceph/nss',
- $user = $::ceph::params::user_radosgw,
+ $nss_db_path = '/var/lib/ceph/nss',
+ $user = $::ceph::params::user_radosgw,
) {
unless $name =~ /^radosgw\..+/ {
fail("Define name must be started with 'radosgw.'")
}
ceph_config {
"client.${name}/rgw_keystone_admin_token": value => $rgw_keystone_admin_token;
"client.${name}/rgw_keystone_url": value => $rgw_keystone_url;
"client.${name}/rgw_keystone_accepted_roles": value => $rgw_keystone_accepted_roles;
"client.${name}/rgw_keystone_token_cache_size": value => $rgw_keystone_token_cache_size;
- "client.${name}/rgw_keystone_revocation_interval": value => $rgw_keystone_revocation_interval;
- "client.${name}/rgw_s3_auth_use_keystone": value => true;
- "client.${name}/nss_db_path": value => $nss_db_path;
+ "client.${name}/rgw_s3_auth_use_keystone": value => $rgw_s3_auth_use_keystone;
}
- # fetch the keystone signing cert, add to nss db
- $pkg_nsstools = $::ceph::params::pkg_nsstools
- ensure_resource('package', $pkg_nsstools, {'ensure' => 'present'})
+ if $use_pki {
+ # fetch the keystone signing cert, add to nss db
+ $pkg_nsstools = $::ceph::params::pkg_nsstools
+ ensure_resource('package', $pkg_nsstools, {'ensure' => 'present'})
- file { $nss_db_path:
- ensure => directory,
- owner => $user,
- group => 'root',
- }
+ file { $nss_db_path:
+ ensure => directory,
+ owner => $user,
+ group => 'root',
+ }
+
+ ceph_config {
+ "client.${name}/nss_db_path": value => $nss_db_path;
+ "client.${name}/rgw_keystone_revocation_interval": value => $rgw_keystone_revocation_interval;
+ }
- exec { "${name}-nssdb-ca":
- command => "/bin/true # comment to satisfy puppet syntax requirements
+ exec { "${name}-nssdb-ca":
+ command => "/bin/true # comment to satisfy puppet syntax requirements
set -ex
wget --no-check-certificate ${rgw_keystone_url}/${rgw_keystone_version}/certificates/ca -O - |
openssl x509 -pubkey | certutil -A -d ${nss_db_path} -n ca -t \"TCu,Cu,Tuw\"
",
- unless => "/bin/true # comment to satisfy puppet syntax requirements
+ unless => "/bin/true # comment to satisfy puppet syntax requirements
set -ex
certutil -d ${nss_db_path} -L | grep ^ca
",
- user => $user,
- }
+ user => $user,
+ }
- exec { "${name}-nssdb-signing":
- command => "/bin/true # comment to satisfy puppet syntax requirements
+ exec { "${name}-nssdb-signing":
+ command => "/bin/true # comment to satisfy puppet syntax requirements
set -ex
wget --no-check-certificate ${rgw_keystone_url}/${rgw_keystone_version}/certificates/signing -O - |
openssl x509 -pubkey | certutil -A -d ${nss_db_path} -n signing_cert -t \"P,P,P\"
",
- unless => "/bin/true # comment to satisfy puppet syntax requirements
+ unless => "/bin/true # comment to satisfy puppet syntax requirements
set -ex
certutil -d ${nss_db_path} -L | grep ^signing_cert
",
- user => $user,
- }
-
- Package[$pkg_nsstools]
- -> Package[$::ceph::params::packages]
- -> File[$nss_db_path]
- -> Exec["${name}-nssdb-ca"]
- -> Exec["${name}-nssdb-signing"]
- ~> Service["radosgw-${name}"]
+ user => $user,
+ }
+ Package[$pkg_nsstools]
+ -> Package[$::ceph::params::packages]
+ -> File[$nss_db_path]
+ -> Exec["${name}-nssdb-ca"]
+ -> Exec["${name}-nssdb-signing"]
+ ~> Service["radosgw-${name}"]
+ } else {
+ ceph_config {
+ "client.${name}/nss_db_path": ensure => absent;
+ "client.${name}/rgw_keystone_revocation_interval": ensure => absent;
+ }
+ }
}
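Review bot: The parameter documentation for `rgw_keystone_revocation_interval` and `nss_db_path` no longer matches the new behaviour: both settings are now written only inside the `if $use_pki` branch and ensured absent in the `else` branch, so the advice "if not [using PKI], set to high value" is obsolete, and the doc line "Default is undef" for `nss_db_path` disagrees with the `'/var/lib/ceph/nss'` default in the signature. Suggest replacing the revocation-interval note with `# Only applied when use_pki is true; otherwise the setting is removed from ceph.conf.` and correcting the documented `nss_db_path` default to `'/var/lib/ceph/nss'`. Separately, both execs on the new side still fetch the Keystone CA and signing certificates with `wget --no-check-certificate` and import the first as a trusted CA (`-t "TCu,Cu,Tuw"`), so the trust anchor used for token validation is bootstrapped over an unverified connection; since the PKI path is now opt-in, this is the natural place to document that caveat against the `use_pki` parameter or to make the verification flag configurable for deployments whose Keystone certificate is already trusted by the host.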
diff --git a/spec/defines/ceph_rgw_keystone_spec.rb b/spec/defines/ceph_rgw_keystone_spec.rb
index 4962a33..9f91c30 100644
--- a/spec/defines/ceph_rgw_keystone_spec.rb
+++ b/spec/defines/ceph_rgw_keystone_spec.rb
@@ -1,265 +1,273 @@
#
# Copyright (C) 2014 Catalyst IT Limited.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Author: Ricardo Rocha <ricardo@catalyst.net.nz>
#
require 'spec_helper'
describe 'ceph::rgw::keystone' do
describe 'Debian Family' do
let :facts do
{
:concat_basedir => '/var/lib/puppet/concat',
:fqdn => 'myhost.domain',
:hostname => 'myhost',
:lsbdistid => 'Ubuntu',
:lsbdistcodename => 'trusty',
:osfamily => 'Debian',
:operatingsystem => 'Ubuntu',
:operatingsystemrelease => '14.04',
}
end
describe "create with default params" do
let :pre_condition do
"
include ceph::params
class { 'ceph': fsid => 'd5252e7d-75bc-4083-85ed-fe51fa83f62b' }
class { 'ceph::repo': fastcgi => true, }
include ceph
ceph::rgw { 'radosgw.gateway': }
ceph::rgw::apache_fastcgi { 'radosgw.gateway': }
"
end
let :title do
'radosgw.gateway'
end
let :params do
{
:rgw_keystone_url => 'http://keystone.default:5000',
:rgw_keystone_admin_token => 'defaulttoken',
}
end
it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_url').with_value('http://keystone.default:5000') }
it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_token').with_value('defaulttoken') }
it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_accepted_roles').with_value('_member_, Member') }
it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_token_cache_size').with_value(500) }
+ it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_s3_auth_use_keystone').with_value(true) }
it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_revocation_interval').with_value(600) }
it { is_expected.to contain_ceph_config('client.radosgw.gateway/nss_db_path').with_value('/var/lib/ceph/nss') }
it { is_expected.to contain_exec('radosgw.gateway-nssdb-ca').with(
'command' => "/bin/true # comment to satisfy puppet syntax requirements
set -ex
wget --no-check-certificate http://keystone.default:5000/v2.0/certificates/ca -O - |
openssl x509 -pubkey | certutil -A -d /var/lib/ceph/nss -n ca -t \"TCu,Cu,Tuw\"
",
'user' => 'www-data',
) }
it { is_expected.to contain_exec('radosgw.gateway-nssdb-signing').with(
'command' => "/bin/true # comment to satisfy puppet syntax requirements
set -ex
wget --no-check-certificate http://keystone.default:5000/v2.0/certificates/signing -O - |
openssl x509 -pubkey | certutil -A -d /var/lib/ceph/nss -n signing_cert -t \"P,P,P\"
",
'user' => 'www-data',
) }
end
describe "create with custom params" do
let :pre_condition do
"
include ceph::params
class { 'ceph': fsid => 'd5252e7d-75bc-4083-85ed-fe51fa83f62b' }
class { 'ceph::repo': fastcgi => true, }
ceph::rgw { 'radosgw.custom': }
ceph::rgw::apache_fastcgi { 'radosgw.custom': }
"
end
let :title do
'radosgw.custom'
end
let :params do
{
:rgw_keystone_url => 'http://keystone.custom:5000',
:rgw_keystone_admin_token => 'mytoken',
:rgw_keystone_accepted_roles => '_role1_,role2',
:rgw_keystone_token_cache_size => 100,
+ :rgw_s3_auth_use_keystone => false,
+ :use_pki => false,
:rgw_keystone_revocation_interval => 200,
:nss_db_path => '/some/path/to/nss',
}
end
it { is_expected.to contain_ceph_config('client.radosgw.custom/rgw_keystone_url').with_value('http://keystone.custom:5000') }
it { is_expected.to contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_token').with_value('mytoken') }
it { is_expected.to contain_ceph_config('client.radosgw.custom/rgw_keystone_accepted_roles').with_value('_role1_,role2') }
it { is_expected.to contain_ceph_config('client.radosgw.custom/rgw_keystone_token_cache_size').with_value(100) }
- it { is_expected.to contain_ceph_config('client.radosgw.custom/rgw_keystone_revocation_interval').with_value(200) }
- it { is_expected.to contain_ceph_config('client.radosgw.custom/nss_db_path').with_value('/some/path/to/nss') }
+ it { is_expected.to contain_ceph_config('client.radosgw.custom/rgw_s3_auth_use_keystone').with_value(false) }
+ it { is_expected.to contain_ceph_config('client.radosgw.custom/rgw_keystone_revocation_interval').with_ensure('absent') }
+ it { is_expected.to contain_ceph_config('client.radosgw.custom/nss_db_path').with_ensure('absent') }
- it { is_expected.to contain_exec('radosgw.custom-nssdb-ca').with(
+ it { is_expected.to_not contain_exec('radosgw.custom-nssdb-ca').with(
'command' => "/bin/true # comment to satisfy puppet syntax requirements
set -ex
wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/ca -O - |
openssl x509 -pubkey | certutil -A -d /some/path/to/nss -n ca -t \"TCu,Cu,Tuw\"
",
'user' => 'www-data',
) }
- it { is_expected.to contain_exec('radosgw.custom-nssdb-signing').with(
+ it { is_expected.to_not contain_exec('radosgw.custom-nssdb-signing').with(
'command' => "/bin/true # comment to satisfy puppet syntax requirements
set -ex
wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/signing -O - |
openssl x509 -pubkey | certutil -A -d /some/path/to/nss -n signing_cert -t \"P,P,P\"
",
'user' => 'www-data',
) }
end end
describe 'RedHat Family' do
let :facts do
{
:concat_basedir => '/var/lib/puppet/concat',
:fqdn => 'myhost.domain',
:hostname => 'myhost',
:lsbdistcodename => 'Maipo',
:osfamily => 'RedHat',
:operatingsystem => 'RedHat',
:operatingsystemrelease => '7.2',
:operatingsystemmajrelease => '7',
}
end
describe "create with default params" do
let :pre_condition do
"
include ceph::params
class { 'ceph': fsid => 'd5252e7d-75bc-4083-85ed-fe51fa83f62b' }
class { 'ceph::repo': fastcgi => true, }
include ceph
ceph::rgw { 'radosgw.gateway': }
ceph::rgw::apache_fastcgi { 'radosgw.gateway': }
"
end
let :title do
'radosgw.gateway'
end
let :params do
{
:rgw_keystone_url => 'http://keystone.default:5000',
:rgw_keystone_admin_token => 'defaulttoken',
}
end
it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_url').with_value('http://keystone.default:5000') }
it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_token').with_value('defaulttoken') }
it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_accepted_roles').with_value('_member_, Member') }
it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_token_cache_size').with_value(500) }
+ it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_s3_auth_use_keystone').with_value(true) }
it { is_expected.to contain_ceph_config('client.radosgw.gateway/rgw_keystone_revocation_interval').with_value(600) }
it { is_expected.to contain_ceph_config('client.radosgw.gateway/nss_db_path').with_value('/var/lib/ceph/nss') }
it { is_expected.to contain_exec('radosgw.gateway-nssdb-ca').with(
'command' => "/bin/true # comment to satisfy puppet syntax requirements
set -ex
wget --no-check-certificate http://keystone.default:5000/v2.0/certificates/ca -O - |
openssl x509 -pubkey | certutil -A -d /var/lib/ceph/nss -n ca -t \"TCu,Cu,Tuw\"
",
'user' => 'apache',
) }
it { is_expected.to contain_exec('radosgw.gateway-nssdb-signing').with(
'command' => "/bin/true # comment to satisfy puppet syntax requirements
set -ex
wget --no-check-certificate http://keystone.default:5000/v2.0/certificates/signing -O - |
openssl x509 -pubkey | certutil -A -d /var/lib/ceph/nss -n signing_cert -t \"P,P,P\"
",
'user' => 'apache',
) }
end
describe "create with custom params" do
let :pre_condition do
"
include ceph::params
class { 'ceph': fsid => 'd5252e7d-75bc-4083-85ed-fe51fa83f62b' }
class { 'ceph::repo': fastcgi => true, }
ceph::rgw { 'radosgw.custom': }
ceph::rgw::apache_fastcgi { 'radosgw.custom': }
"
end
let :title do
'radosgw.custom'
end
let :params do
{
:rgw_keystone_url => 'http://keystone.custom:5000',
:rgw_keystone_admin_token => 'mytoken',
:rgw_keystone_accepted_roles => '_role1_,role2',
:rgw_keystone_token_cache_size => 100,
+ :rgw_s3_auth_use_keystone => false,
+ :use_pki => false,
:rgw_keystone_revocation_interval => 200,
:nss_db_path => '/some/path/to/nss',
}
end
it { is_expected.to contain_ceph_config('client.radosgw.custom/rgw_keystone_url').with_value('http://keystone.custom:5000') }
it { is_expected.to contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_token').with_value('mytoken') }
it { is_expected.to contain_ceph_config('client.radosgw.custom/rgw_keystone_accepted_roles').with_value('_role1_,role2') }
it { is_expected.to contain_ceph_config('client.radosgw.custom/rgw_keystone_token_cache_size').with_value(100) }
- it { is_expected.to contain_ceph_config('client.radosgw.custom/rgw_keystone_revocation_interval').with_value(200) }
- it { is_expected.to contain_ceph_config('client.radosgw.custom/nss_db_path').with_value('/some/path/to/nss') }
+ it { is_expected.to contain_ceph_config('client.radosgw.custom/rgw_s3_auth_use_keystone').with_value(false) }
+ it { is_expected.to contain_ceph_config('client.radosgw.custom/rgw_keystone_revocation_interval').with_ensure('absent') }
+ it { is_expected.to contain_ceph_config('client.radosgw.custom/nss_db_path').with_ensure('absent') }
- it { is_expected.to contain_exec('radosgw.custom-nssdb-ca').with(
+ it { is_expected.to_not contain_exec('radosgw.custom-nssdb-ca').with(
'command' => "/bin/true # comment to satisfy puppet syntax requirements
set -ex
wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/ca -O - |
openssl x509 -pubkey | certutil -A -d /some/path/to/nss -n ca -t \"TCu,Cu,Tuw\"
",
'user' => 'apache',
) }
- it { is_expected.to contain_exec('radosgw.custom-nssdb-signing').with(
+ it { is_expected.to_not contain_exec('radosgw.custom-nssdb-signing').with(
'command' => "/bin/true # comment to satisfy puppet syntax requirements
set -ex
wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/signing -O - |
openssl x509 -pubkey | certutil -A -d /some/path/to/nss -n signing_cert -t \"P,P,P\"
",
'user' => 'apache',
) }
end end
end
# Local Variables:
# compile-command: "cd ../.. ;
# bundle install ;
# bundle exec rake spec
# "
# End:
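Review bot: The negated expectations at the `is_expected.to_not contain_exec('radosgw.custom-nssdb-ca').with(` and `...-nssdb-signing').with(` lines (in both the Debian and RedHat `create with custom params` groups) do not prove the PKI execs are gone: a `to_not ... .with(...)` matcher is satisfied whenever the resource's attributes differ from the given hash, so an exec that still exists with any other command would pass. Use the bare resource matcher instead, `it { is_expected.to_not contain_exec('radosgw.custom-nssdb-ca') }` and `it { is_expected.to_not contain_exec('radosgw.custom-nssdb-signing') }`. Consider also asserting `it { is_expected.to_not contain_file('/some/path/to/nss') }` so the `use_pki => false` branch is covered for the directory resource as well.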