Add support for Keystone user authentication with RGW

Jewel added support for user/pass authentication with Keystone,
allowing deployers to disable Keystone admin token as required
for production deployments.

This implements configuration for the new RGW Keystone user/pass
authentication feature added in Jewel.

See docs here: http://docs.ceph.com/docs/master/radosgw/keystone/

group_vars/all.yml.sample

@@ -285,7 +285,13 @@ dummy:
 #radosgw_civetweb_num_threads: 50
 #radosgw_keystone: false # activate OpenStack Keystone options full detail here: http://ceph.com/docs/master/radosgw/keystone/
 #radosgw_keystone_url: # url:admin_port ie: http://192.168.0.1:35357
+# for admin_token method, define radosgw_keystone_admin_token
+# for auth_token method, define _user, _password, and _tenant
+#radosgw_keystone_auth_method: admin_token
 #radosgw_keystone_admin_token: password
+#radosgw_keystone_admin_user: username
+#radosgw_keystone_admin_password: password
+#radosgw_keystone_admin_tenant: tenant
 #radosgw_keystone_accepted_roles: Member, _member_, admin
 #radosgw_keystone_token_cache_size: 10000
 #radosgw_keystone_revocation_internal: 900

roles/ceph-common/defaults/main.yml

@@ -277,7 +277,13 @@ radosgw_civetweb_bind_ip: "{{ ansible_default_ipv4.address }}"
 radosgw_civetweb_num_threads: 50
 radosgw_keystone: false # activate OpenStack Keystone options full detail here: http://ceph.com/docs/master/radosgw/keystone/
 #radosgw_keystone_url: # url:admin_port ie: http://192.168.0.1:35357
+# for admin_token method, define radosgw_keystone_admin_token
+# for auth_token method, define _user, _password, and _tenant
+radosgw_keystone_auth_method: admin_token
 radosgw_keystone_admin_token: password
+radosgw_keystone_admin_user: username
+radosgw_keystone_admin_password: password
+radosgw_keystone_admin_tenant: tenant
 radosgw_keystone_accepted_roles: Member, _member_, admin
 radosgw_keystone_token_cache_size: 10000
 radosgw_keystone_revocation_internal: 900

roles/ceph-common/templates/ceph.conf.j2

@@ -114,7 +114,13 @@ rgw data = /var/lib/ceph/radosgw/{{ cluster }}-rgw.{{ hostvars[host]['ansible_ho
 rgw frontends = civetweb port={{ radosgw_civetweb_bind_ip }}:{{ radosgw_civetweb_port }} num_threads={{ radosgw_civetweb_num_threads }}
 {% if radosgw_keystone %}
 rgw keystone url = {{ radosgw_keystone_url }}
+{% if radosgw_keystone_auth_method == 'admin_token' %}
 rgw keystone admin token = {{ radosgw_keystone_admin_token }}
+{% elif radosgw_keystone_auth_method == 'auth_token' %}
+rgw keystone admin user = {{ radosgw_keystone_admin_user }}
+rgw keystone admin password = {{ radosgw_keystone_admin_password }}
+rgw keystone admin tenant = {{ radosgw_keystone_admin_tenant }}
+{% endif %}
 rgw keystone accepted roles = {{ radosgw_keystone_accepted_roles }}
 rgw keystone token cache size = {{ radosgw_keystone_token_cache_size }}
 rgw keystone revocation interval = {{ radosgw_keystone_revocation_internal }}