From 12f8b5c38ef11ea229f9a659d0a705bf983ff666 Mon Sep 17 00:00:00 2001
From: Logan V
Date: Mon, 11 Jul 2016 07:52:11 -0500
Subject: [PATCH] Add support for Keystone user authentication with RGW

Jewel added support for user/pass authentication with Keystone, allowing deployers to disable Keystone admin token as required for production deployments. This implements configuration for the new RGW Keystone user/pass authentication feature added in Jewel. See docs here: http://docs.ceph.com/docs/master/radosgw/keystone/
---
 group_vars/all.yml.sample | 6 ++++++
 roles/ceph-common/defaults/main.yml | 6 ++++++
 roles/ceph-common/templates/ceph.conf.j2 | 6 ++++++
 3 files changed, 18 insertions(+)

diff --git a/group_vars/all.yml.sample b/group_vars/all.yml.sample
index 9c965e44a..d4e26367a 100644
--- a/group_vars/all.yml.sample
+++ b/group_vars/all.yml.sample
@@ -285,7 +285,13 @@ dummy:
 #radosgw_civetweb_num_threads: 50
 #radosgw_keystone: false # activate OpenStack Keystone options full detail here: http://ceph.com/docs/master/radosgw/keystone/
 #radosgw_keystone_url: # url:admin_port ie: http://192.168.0.1:35357
+# for admin_token method, define radosgw_keystone_admin_token
+# for auth_token method, define _user, _password, and _tenant
+#radosgw_keystone_auth_method: admin_token
 #radosgw_keystone_admin_token: password
+#radosgw_keystone_admin_user: username
+#radosgw_keystone_admin_password: password
+#radosgw_keystone_admin_tenant: tenant
 #radosgw_keystone_accepted_roles: Member, _member_, admin
 #radosgw_keystone_token_cache_size: 10000
 #radosgw_keystone_revocation_internal: 900
diff --git a/roles/ceph-common/defaults/main.yml b/roles/ceph-common/defaults/main.yml
index a27050f0c..acc3c2653 100644
--- a/roles/ceph-common/defaults/main.yml
+++ b/roles/ceph-common/defaults/main.yml
@@ -277,7 +277,13 @@ radosgw_civetweb_bind_ip: "{{ ansible_default_ipv4.address }}"
 radosgw_civetweb_num_threads: 50
 radosgw_keystone: false # activate OpenStack Keystone options full detail here: http://ceph.com/docs/master/radosgw/keystone/
 #radosgw_keystone_url: # url:admin_port ie: http://192.168.0.1:35357
+# for admin_token method, define radosgw_keystone_admin_token
+# for auth_token method, define _user, _password, and _tenant
+radosgw_keystone_auth_method: admin_token
 radosgw_keystone_admin_token: password
+radosgw_keystone_admin_user: username
+radosgw_keystone_admin_password: password
+radosgw_keystone_admin_tenant: tenant
 radosgw_keystone_accepted_roles: Member, _member_, admin
 radosgw_keystone_token_cache_size: 10000
 radosgw_keystone_revocation_internal: 900
diff --git a/roles/ceph-common/templates/ceph.conf.j2 b/roles/ceph-common/templates/ceph.conf.j2
index 19092662a..be1f38514 100644
--- a/roles/ceph-common/templates/ceph.conf.j2
+++ b/roles/ceph-common/templates/ceph.conf.j2
@@ -114,7 +114,13 @@ rgw data = /var/lib/ceph/radosgw/{{ cluster }}-rgw.{{ hostvars[host]['ansible_ho
 rgw frontends = civetweb port={{ radosgw_civetweb_bind_ip }}:{{ radosgw_civetweb_port }} num_threads={{ radosgw_civetweb_num_threads }}
 {% if radosgw_keystone %}
 rgw keystone url = {{ radosgw_keystone_url }}
+{% if radosgw_keystone_auth_method == 'admin_token' %}
 rgw keystone admin token = {{ radosgw_keystone_admin_token }}
+{% elif radosgw_keystone_auth_method == 'auth_token' %}
+rgw keystone admin user = {{ radosgw_keystone_admin_user }}
+rgw keystone admin password = {{ radosgw_keystone_admin_password }}
+rgw keystone admin tenant = {{ radosgw_keystone_admin_tenant }}
+{% endif %}
 rgw keystone accepted roles = {{ radosgw_keystone_accepted_roles }}
 rgw keystone token cache size = {{ radosgw_keystone_token_cache_size }}
 rgw keystone revocation interval = {{ radosgw_keystone_revocation_internal }}
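Review bot: In roles/ceph-common/defaults/main.yml the new `radosgw_keystone_admin_password: password` (with `username` and `tenant` beside it) ships a guessable value as a live default rather than as a commented placeholder. A deployer who switches `radosgw_keystone_auth_method` to `auth_token` and misses one override gets a rendered ceph.conf carrying that literal credential instead of an error. I would leave the three variables commented out, as `#radosgw_keystone_url:` already is two lines above, e.g. `#radosgw_keystone_admin_password: password`, so an unset value is caught when the template is rendered (assuming undefined variables are left as errors, which is Ansible's default). The default method also stays `admin_token`, which the commit message describes as something production deployments must disable; a comment next to `radosgw_keystone_auth_method` saying so would help.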
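Review bot: The new `{% if %}`/`{% elif %}` in roles/ceph-common/templates/ceph.conf.j2 has no `{% else %}`, so any other value of `radosgw_keystone_auth_method` (a typo, different case) renders the Keystone section with no credentials at all and raises no error. Validate the value before the template runs, for example with an `assert` task using `that: radosgw_keystone_auth_method in ['admin_token', 'auth_token']`. The `auth_token` branch also writes `rgw keystone admin password` into ceph.conf in clear text; the mode and owner of the rendered file are not visible in this hunk and should be confirmed to keep it away from unprivileged local users. The enclosing `{% if radosgw_keystone %}` block closes outside the hunk.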