Deprecate keystone v2.0 functionality

This deprecates the rgw_keystone_version and rgw_keystone_admin_token parameters which now has no effect. It makes the following parameter required as it's now only using Keystone V3. * rgw_keystone_admin_domain * rgw_keystone_admin_project * rgw_keystone_admin_user * rgw_keystone_admin_password Also does cleanup on documentation of parameters and the spec testing. Change-Id: Id4c6b564a47e583c4f6af587d9a3c97f419e90a9
2019-02-24 02:15:44 +01:00
parent e39f7d2320
commit 85b9d61c40
3 changed files with 123 additions and 267 deletions
--- a/manifests/rgw/keystone.pp
+++ b/manifests/rgw/keystone.pp
@@ -23,63 +23,76 @@
 #
 ### == Parameters
 #
-# [*rgw_keystone_admin_token*] The keystone admin token.
+# [*rgw_keystone_admin_domain*]
-#   Required if rgw_keystone_version is v2.0.
+#   (Required) The name of OpenStack domain with admin
 #   privilege when using OpenStack Identity API v3.
 #
-# [*rgw_keystone_url*] The internal or admin url for keystone.
+# [*rgw_keystone_admin_project*]
-#   Optional. Default is 'http://127.0.0.1:5000'
+#   (Optional) The name of OpenStack project with admin
 #   privilege when using OpenStack Identity API v3
 #
-# [*rgw_keystone_version*] The api version for keystone.
+# [*rgw_keystone_admin_user*]
-#   Possible values 'v2.0', 'v3'
+#   (Required) The user name of OpenStack tenant with admin
-#   Optional. Default is 'v2.0'
+#   privilege (Service Tenant).
 #
-# [*rgw_keystone_accepted_roles*] Roles to accept from keystone.
+# [*rgw_keystone_admin_password*]
-#   Optional. Default is 'Member'.
+#   (Required) The password for OpenStack admin user.
 #
 # [*rgw_keystone_url*]
 #   (Optional) The internal or admin url for keystone.
 #   Defaults to 'http://127.0.0.1:5000'
 #
 # [*rgw_keystone_accepted_roles*]
 #   (Optional) Roles to accept from keystone.
 #   Comma separated list of roles.
 #   Defaults to 'Member'
 #
-# [*rgw_keystone_token_cache_size*] How many tokens to keep cached.
+# [*rgw_keystone_token_cache_size*]
-#   Optional. Default is 500.
+#   (Optional) How many tokens to keep cached.
 #   Not useful when using PKI as every token is checked.
 #   Defaults to 500
 #
-# [*rgw_s3_auth_use_keystone*] Whether to enable keystone auth for S3.
+# [*rgw_s3_auth_use_keystone*]
-#   Optional. Default to true.
+#   (Optional) Whether to enable keystone auth for S3.
 #   Defaults to true
 #
-# [*use_pki*] Whether to use PKI related configuration.
+# [*use_pki*]
-#   Optional. Default to true.
+#   (Optional) Whether to use PKI related configuration.
 #   Defaults to true
 #
-# [*rgw_keystone_revocation_interval*] Interval to check for expired tokens.
+# [*rgw_keystone_revocation_interval*]
-#   Optional. Default is 600 (seconds).
+#   (Optional) Interval to check for expired tokens.
 #   Not useful if not using PKI tokens (if not, set to high value).
 #   Defaults is 600 (seconds)
 #
-# [*nss_db_path*] Path to NSS < - > keystone tokens db files.
+# [*nss_db_path*]
-#   Optional. Default is undef.
+#   (Optional) Path to NSS < - > keystone tokens db files.
 #   Defaults to undef
 #
-# [*user*] User running the web frontend.
+# [*user*]
-#   Optional. Default is 'www-data'.
+#   (Optional) User running the web frontend.
 #   Defaults to 'www-data'
 #
-# [*rgw_keystone_admin_domain*] The name of OpenStack domain with admin
+# [*rgw_keystone_implicit_tenants*]
-#   privilege when using OpenStack Identity API v3
+#   (Optional) Set 'true' for a private tenant for each user.
-#   Optional. Default is undef
+#   Defaults to true
 #
-# [*rgw_keystone_admin_project*] The name of OpenStack project with admin
+## DEPRECATED PARAMS
 #   privilege when using OpenStack Identity API v3
 #   Optional. Default is 'openstack'
 #
-# [*rgw_keystone_admin_user*] The user name of OpenStack tenant with admin
+# [*rgw_keystone_version*]
-#   privilege (Service Tenant)
+#   (Optional) The api version for keystone.
-#   Required if rgw_keystone_version is 'v3'.
+#   Defaults to undef
 #
-# [*rgw_keystone_admin_password*] The password for OpenStack admin user
+# [*rgw_keystone_admin_token*]
-#   Required if rgw_keystone_version is 'v3'.
+#   (Optional) The keystone admin token.
 #   Defaults to undef
 #
 # [*rgw_keystone_implicit_tenants*] Set 'true' for a private tenant
 #   for each user.
 #   Defaults is true
 define ceph::rgw::keystone (
-  $rgw_keystone_admin_token         = undef,
+  $rgw_keystone_admin_domain,
  $rgw_keystone_admin_project,
  $rgw_keystone_admin_user,
  $rgw_keystone_admin_password,
  $rgw_keystone_url                 = 'http://127.0.0.1:5000',
  $rgw_keystone_version             = 'v2.0',
  $rgw_keystone_accepted_roles      = 'Member',
  $rgw_keystone_token_cache_size    = 500,
  $rgw_s3_auth_use_keystone         = true,
@@ -87,17 +100,23 @@ define ceph::rgw::keystone (
  $rgw_keystone_revocation_interval = 600,
  $nss_db_path                      = '/var/lib/ceph/nss',
  $user                             = $::ceph::params::user_radosgw,
  $rgw_keystone_admin_domain        = $::ceph::profile::params::rgw_keystone_admin_domain,
  $rgw_keystone_admin_project       = $::ceph::profile::params::rgw_keystone_admin_project,
  $rgw_keystone_admin_user          = $::ceph::profile::params::rgw_keystone_admin_user,
  $rgw_keystone_admin_password      = $::ceph::profile::params::rgw_keystone_admin_password,
  $rgw_keystone_implicit_tenants    = true,
  ## DEPRECATED PARAMS
  $rgw_keystone_version             = undef,
  $rgw_keystone_admin_token         = undef,
 ) {
  unless $name =~ /^radosgw\..+/ {
    fail("Define name must be started with 'radosgw.'")
  }
  if $rgw_keystone_version {
    warning('ceph::rgw::keystone::rgw_keystone_version is deprecated')
  }
  if $rgw_keystone_admin_token {
    warning('ceph::rgw::keystone::rgw_keystone_admin_token is deprecated')
  }
  ceph_config {
    "client.${name}/rgw_keystone_url":                 value => $rgw_keystone_url;
    "client.${name}/rgw_keystone_accepted_roles":      value => join(any2array($rgw_keystone_accepted_roles), ',');
@@ -114,22 +133,6 @@ define ceph::rgw::keystone (
    }
  }
  if $rgw_keystone_version == 'v2.0' {
    if $rgw_keystone_admin_token == undef
    {
      fail( 'Missing rgw_keystone_admin_token for Keystone V2 integration')
    }
    ceph_config {
      "client.${name}/rgw_keystone_admin_token": value => $rgw_keystone_admin_token;
    }
  } elsif $rgw_keystone_version == 'v3' {
    if $rgw_keystone_admin_domain == undef
      or $rgw_keystone_admin_project == undef
      or $rgw_keystone_admin_user == undef
      or $rgw_keystone_admin_password == undef
    {
      fail( 'Incomplete parameters for Keystone V3 integration')
    }
  ceph_config {
    "client.${name}/rgw_keystone_api_version":    value => 3;
    "client.${name}/rgw_keystone_admin_domain":   value => $rgw_keystone_admin_domain;
@@ -139,10 +142,6 @@ define ceph::rgw::keystone (
    "client.${name}/rgw_keystone_admin_token":    ensure => absent;
  }
  } else {
    fail("Unsupported keystone version: ${rgw_keystone_version}")
  }
  if $use_pki {
    # fetch the keystone signing cert, add to nss db
    $pkg_nsstools = $::ceph::params::pkg_nsstools
--- a/releasenotes/notes/rgw-keystone-deprecate-14288623c16b4561.yaml
+++ b/releasenotes/notes/rgw-keystone-deprecate-14288623c16b4561.yaml
@@ -0,0 +1,18 @@
 ---
 upgrade:
  - |
    The ceph::rgw::keystone class now defaults to configuration it for Keystone
    V3 API. The v2.0 functionality is removed.
  - |
    The ceph::rgw::keystone class now requires the rgw_keystone_admin_domain,
    rgw_keystone_admin_project, rgw_keystone_admin_user and
    rgw_keystone_admin_password parameters to be configured, these were previously
    only required when configuring Keystone V3, which is now the default and v2.0
    has been removed.
 deprecations:
  - |
    The ceph::rgw::keystone::rgw_keystone_version is deprecated and now has no
    effect.
  - |
    The ceph::rgw::keystone::rgw_keystone_admin_token is deprecated and now has
    no effect.
--- a/spec/defines/ceph_rgw_keystone_spec.rb
+++ b/spec/defines/ceph_rgw_keystone_spec.rb
@@ -19,15 +19,7 @@
 require 'spec_helper'
 describe 'ceph::rgw::keystone' do
-  shared_examples 'ceph::rgw::keystone on Debian' do
+  shared_examples 'ceph::rgw::keystone' do
    before do
      facts.merge!( :lsbdistid              => 'Ubuntu',
                    :lsbdistcodename        => 'trusty',
                    :operatingsystem        => 'Ubuntu',
                    :operatingsystemrelease => '14.04',
                    :lsbdistrelease         => '14.04' )
    end
    context 'create with default params' do
      let :pre_condition do
        "include ceph::params
@@ -43,13 +35,19 @@ describe 'ceph::rgw::keystone' do
      let :params do
        {
-          :rgw_keystone_url         => 'http://keystone.default:5000',
+          :rgw_keystone_admin_domain   => 'default',
-          :rgw_keystone_admin_token => 'defaulttoken',
+          :rgw_keystone_admin_project  => 'openstack',
          :rgw_keystone_admin_user     => 'rgwuser',
          :rgw_keystone_admin_password => '123456',
        }
      end
-      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_url').with_value('http://keystone.default:5000') }
+      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_url').with_value('http://127.0.0.1:5000') }
-      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_token').with_value('defaulttoken') }
+      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_domain').with_value('default') }
      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_project').with_value('openstack') }
      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_user').with_value('rgwuser') }
      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_password').with_value('123456') }
      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_token').with_ensure('absent') }
      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_accepted_roles').with_value('Member') }
      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_token_cache_size').with_value(500) }
      it { should contain_ceph_config('client.radosgw.gateway/rgw_s3_auth_use_keystone').with_value(true) }
@@ -60,18 +58,18 @@ describe 'ceph::rgw::keystone' do
      it { should contain_exec('radosgw.gateway-nssdb-ca').with(
         :command => "/bin/true  # comment to satisfy puppet syntax requirements
 set -ex
-wget --no-check-certificate http://keystone.default:5000/v2.0/certificates/ca -O - |
+wget --no-check-certificate http://127.0.0.1:5000/v2.0/certificates/ca -O - |
  openssl x509 -pubkey | certutil -A -d /var/lib/ceph/nss -n ca -t \"TCu,Cu,Tuw\"
 ",
-         :user    => 'www-data',
+         :user    => platform_params[:user_radosgw],
      ) }
      it { should contain_exec('radosgw.gateway-nssdb-signing').with(
         :command => "/bin/true  # comment to satisfy puppet syntax requirements
 set -ex
-wget --no-check-certificate http://keystone.default:5000/v2.0/certificates/signing -O - |
+wget --no-check-certificate http://127.0.0.1:5000/v2.0/certificates/signing -O - |
  openssl x509 -pubkey | certutil -A -d /var/lib/ceph/nss -n signing_cert -t \"P,P,P\"
 ",
-         :user    => 'www-data',
+         :user    => platform_params[:user_radosgw],
      )}
    end
@@ -89,20 +87,28 @@ wget --no-check-certificate http://keystone.default:5000/v2.0/certificates/signi
      let :params do
        {
          :rgw_keystone_admin_domain        => 'default',
          :rgw_keystone_admin_project       => 'openstack',
          :rgw_keystone_admin_user          => 'rgwuser',
          :rgw_keystone_admin_password      => '123456',
          :rgw_keystone_url                 => 'http://keystone.custom:5000',
          :rgw_keystone_admin_token         => 'mytoken',
          :rgw_keystone_accepted_roles      => '_role1_,role2',
          :rgw_keystone_token_cache_size    => 100,
          :rgw_s3_auth_use_keystone         => false,
          :use_pki                          => false,
          :rgw_keystone_revocation_interval => 0,
          :user                             => 'myuser',
          :nss_db_path                      => '/some/path/to/nss',
          :rgw_keystone_implicit_tenants    => false,
        }
      end
      it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_domain').with_value('default') }
      it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_project').with_value('openstack') }
      it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_user').with_value('rgwuser') }
      it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_password').with_value('123456') }
      it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_token').with_ensure('absent') }
      it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_url').with_value('http://keystone.custom:5000') }
      it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_token').with_value('mytoken') }
      it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_accepted_roles').with_value('_role1_,role2') }
      it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_token_cache_size').with_value(100) }
      it { should contain_ceph_config('client.radosgw.custom/rgw_s3_auth_use_keystone').with_value(false) }
@@ -116,7 +122,7 @@ set -ex
 wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/ca -O - |
  openssl x509 -pubkey | certutil -A -d /some/path/to/nss -n ca -t \"TCu,Cu,Tuw\"
 ",
-         :user    => 'www-data',
+         :user    => 'myuser',
      ) }
      it { should_not contain_exec('radosgw.custom-nssdb-signing').with(
         :command => "/bin/true  # comment to satisfy puppet syntax requirements
@@ -124,186 +130,10 @@ set -ex
 wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/signing -O - |
  openssl x509 -pubkey | certutil -A -d /some/path/to/nss -n signing_cert -t \"P,P,P\"
 ",
-         :user    => 'www-data',
+         :user    => 'myuser',
      )}
    end
    context 'create with keystone v3 and no pki params' do
      let :pre_condition do
        "include ceph::params
         class { 'ceph': fsid => 'd5252e7d-75bc-4083-85ed-fe51fa83f62b' }
         class { 'ceph::repo': }
         include ceph
         ceph::rgw { 'radosgw.gateway': }"
      end
      let :title do
        'radosgw.gateway'
      end
      let :params do
        {
          :rgw_keystone_url            => 'http://keystone.default:5000',
          :rgw_keystone_version        => 'v3',
          :rgw_keystone_admin_domain   => 'default',
          :rgw_keystone_admin_project  => 'openstack',
          :rgw_keystone_admin_user     => 'rgwuser',
          :rgw_keystone_admin_password => '123456',
        }
      end
      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_url').with_value('http://keystone.default:5000') }
      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_domain').with_value('default') }
      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_project').with_value('openstack') }
      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_user').with_value('rgwuser') }
      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_password').with_value('123456') }
      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_token').with_ensure('absent') }
    end
  end
  shared_examples 'ceph::rgw::keystone on RedHat' do
    before do
      facts.merge!( :lsbdistcodename           => 'Maipo',
                    :osfamily                  => 'RedHat',
                    :operatingsystem           => 'RedHat',
                    :operatingsystemrelease    => '7.2',
                    :operatingsystemmajrelease => '7' )
    end
    context 'create with default params' do
      let :pre_condition do
        "include ceph::params
         class { 'ceph': fsid => 'd5252e7d-75bc-4083-85ed-fe51fa83f62b' }
         include ceph
         ceph::rgw { 'radosgw.gateway': }
         ceph::rgw::apache_proxy_fcgi { 'radosgw.gateway': }"
      end
      let :title do
        'radosgw.gateway'
      end
      let :params do
        {
          :rgw_keystone_url         => 'http://keystone.default:5000',
          :rgw_keystone_admin_token => 'defaulttoken',
        }
      end
      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_url').with_value('http://keystone.default:5000') }
      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_token').with_value('defaulttoken') }
      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_accepted_roles').with_value('Member') }
      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_token_cache_size').with_value(500) }
      it { should contain_ceph_config('client.radosgw.gateway/rgw_s3_auth_use_keystone').with_value(true) }
      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_revocation_interval').with_value(600) }
      it { should contain_ceph_config('client.radosgw.gateway/nss_db_path').with_value('/var/lib/ceph/nss') }
      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_implicit_tenants').with_value(true) }
      it { should contain_exec('radosgw.gateway-nssdb-ca').with(
         :command => "/bin/true  # comment to satisfy puppet syntax requirements
 set -ex
 wget --no-check-certificate http://keystone.default:5000/v2.0/certificates/ca -O - |
  openssl x509 -pubkey | certutil -A -d /var/lib/ceph/nss -n ca -t \"TCu,Cu,Tuw\"
 ",
         :user    => 'apache',
      ) }
      it { should contain_exec('radosgw.gateway-nssdb-signing').with(
         :command => "/bin/true  # comment to satisfy puppet syntax requirements
 set -ex
 wget --no-check-certificate http://keystone.default:5000/v2.0/certificates/signing -O - |
  openssl x509 -pubkey | certutil -A -d /var/lib/ceph/nss -n signing_cert -t \"P,P,P\"
 ",
         :user    => 'apache',
      ) }
    end
    context 'create with custom params' do
      let :pre_condition do
        "include ceph::params
         class { 'ceph': fsid => 'd5252e7d-75bc-4083-85ed-fe51fa83f62b' }
         ceph::rgw { 'radosgw.custom': }
         ceph::rgw::apache_proxy_fcgi { 'radosgw.gateway': }"
      end
      let :title do
        'radosgw.custom'
      end
      let :params do
        {
          :rgw_keystone_url                 => 'http://keystone.custom:5000',
          :rgw_keystone_admin_token         => 'mytoken',
          :rgw_keystone_accepted_roles      => '_role1_,role2',
          :rgw_keystone_token_cache_size    => 100,
          :rgw_s3_auth_use_keystone         => false,
          :use_pki                          => false,
          :rgw_keystone_revocation_interval => 0,
          :nss_db_path                      => '/some/path/to/nss',
          :rgw_keystone_implicit_tenants    => false,
        }
      end
      it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_url').with_value('http://keystone.custom:5000') }
      it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_token').with_value('mytoken') }
      it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_accepted_roles').with_value('_role1_,role2') }
      it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_token_cache_size').with_value(100) }
      it { should contain_ceph_config('client.radosgw.custom/rgw_s3_auth_use_keystone').with_value(false) }
      it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_revocation_interval').with_value(0) }
      it { should contain_ceph_config('client.radosgw.custom/nss_db_path').with_ensure('absent') }
      it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_implicit_tenants').with_value(false) }
      it { should_not contain_exec('radosgw.custom-nssdb-ca').with(
         :command => "/bin/true  # comment to satisfy puppet syntax requirements
 set -ex
 wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/ca -O - |
  openssl x509 -pubkey | certutil -A -d /some/path/to/nss -n ca -t \"TCu,Cu,Tuw\"
 ",
         :user    => 'apache',
      )}
      it { should_not contain_exec('radosgw.custom-nssdb-signing').with(
         :command => "/bin/true  # comment to satisfy puppet syntax requirements
 set -ex
 wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/signing -O - |
  openssl x509 -pubkey | certutil -A -d /some/path/to/nss -n signing_cert -t \"P,P,P\"
 ",
         :user    => 'apache',
      )}
    end
    context 'create with keystone v3 and no pki params' do
      let :pre_condition do
        "include ceph::params
         class { 'ceph': fsid => 'd5252e7d-75bc-4083-85ed-fe51fa83f62b' }
         include ceph
         ceph::rgw { 'radosgw.gateway': }
         ceph::rgw::apache_proxy_fcgi { 'radosgw.gateway': }"
      end
      let :title do
        'radosgw.gateway'
      end
      let :params do
        {
          :rgw_keystone_url            => 'http://keystone.default:5000',
          :rgw_keystone_version        => 'v3',
          :rgw_keystone_admin_domain   => 'default',
          :rgw_keystone_admin_project  => 'openstack',
          :rgw_keystone_admin_user     => 'rgwuser',
          :rgw_keystone_admin_password => '123456',
        }
      end
      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_url').with_value('http://keystone.default:5000') }
      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_domain').with_value('default') }
      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_project').with_value('openstack') }
      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_user').with_value('rgwuser') }
      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_password').with_value('123456') }
      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_token').with_ensure('absent') }
    end
  end
  on_supported_os({
@@ -316,7 +146,16 @@ wget --no-check-certificate http://keystone.custom:5000/v2.0/certificates/signin
                                           :hostname       => 'myhost' ))
      end
-      it_behaves_like "ceph::rgw::keystone on #{facts[:osfamily]}"
+      let (:platform_params) do
        if facts[:osfamily] == 'Debian'
          user_radosgw = 'www-data'
        else
          user_radosgw = 'apache'
        end
        { :user_radosgw => user_radosgw }
      end
      it_behaves_like 'ceph::rgw::keystone'
    end
  end
 end