diff --git a/group_vars/all b/group_vars/all
index 0a62d7bcb..8746d1ca3 100644
--- a/group_vars/all
+++ b/group_vars/all
@@ -112,6 +112,14 @@ dummy:
 #radosgw_dns_name: your.subdomain.tld # subdomains used by radosgw. See http://ceph.com/docs/master/radosgw/config/#enabling-subdomain-s3-calls
 #radosgw_frontend: civetweb # supported options are 'apache' or 'civetweb', also edit roles/ceph-radosgw/defaults/main.yml
 #radosgw_civetweb_port: 80
+#radosgw_keystone: false # activate OpenStack Keystone options full detail here: http://ceph.com/docs/master/radosgw/keystone/
+#radosgw_keystone_url: # url:admin_port ie: http://192.168.0.1:35357
+#radosgw_keystone_admin_token: password
+#radosgw_keystone_accepted_roles: Member, _member_, admin
+#radosgw_keystone_token_cache_size: 10000
+#radosgw_keystone_revocation_internal: 900
+#radosgw_s3_auth_use_keystone: "true"
+#radosgw_nss_db_path: /var/lib/ceph/radosgw/ceph-radosgw.{{ ansible_hostname }}/nss
 
 ## REST API options
 #
diff --git a/roles/ceph-common/defaults/main.yml b/roles/ceph-common/defaults/main.yml
index 49b0270db..c0f21cf8d 100644
--- a/roles/ceph-common/defaults/main.yml
+++ b/roles/ceph-common/defaults/main.yml
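Review bot: The example `#radosgw_keystone_admin_token: password` is the same value that roles/ceph-common/defaults/main.yml ships as a live default in this commit, so a deployment that only sets `radosgw_keystone: true` ends up with a gateway whose Keystone admin token is the word `password`. Keep the token undefined in the role defaults (as `radosgw_keystone_url` already is) so templating fails on an unset value instead of silently using a known secret, and document it here as `#radosgw_keystone_admin_token: # required when radosgw_keystone is true; set per deployment, never leave a default`. The variable `radosgw_keystone_revocation_internal` (here, in the defaults hunk and in ceph.conf.j2) misspells the `rgw keystone revocation interval` option it feeds; renaming it to `radosgw_keystone_revocation_interval` now avoids carrying the typo into users' group_vars.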
@@ -127,6 +127,14 @@ radosgw: false # referenced in monitor role too.
 #radosgw_dns_name: your.subdomain.tld # subdomains used by radosgw. See http://ceph.com/docs/master/radosgw/config/#enabling-subdomain-s3-calls
 radosgw_frontend: civetweb # supported options are 'apache' or 'civetweb', also edit roles/ceph-radosgw/defaults/main.yml
 radosgw_civetweb_port: 80
+radosgw_keystone: false # activate OpenStack Keystone options full detail here: http://ceph.com/docs/master/radosgw/keystone/
+#radosgw_keystone_url: # url:admin_port ie: http://192.168.0.1:35357
+radosgw_keystone_admin_token: password
+radosgw_keystone_accepted_roles: Member, _member_, admin
+radosgw_keystone_token_cache_size: 10000
+radosgw_keystone_revocation_internal: 900
+radosgw_s3_auth_use_keystone: "true"
+radosgw_nss_db_path: /var/lib/ceph/radosgw/ceph-radosgw.{{ ansible_hostname }}/nss
 
 ## REST API options
 #
diff --git a/roles/ceph-common/templates/ceph.conf.j2 b/roles/ceph-common/templates/ceph.conf.j2
index 0e0f7f391..f576e3968 100644
--- a/roles/ceph-common/templates/ceph.conf.j2
+++ b/roles/ceph-common/templates/ceph.conf.j2
@@ -149,6 +149,15 @@
 {% if radosgw_frontend == 'civetweb' %}
 rgw frontends = civetweb port={{ radosgw_civetweb_port }}
 {% endif %}
+ {% if radosgw_keystone %}
+ rgw keystone url = {{ radosgw_keystone_url }}
+ rgw keystone admin token = {{ radosgw_keystone_admin_token }}
+ rgw keystone accepted roles = {{ radosgw_keystone_accepted_roles }}
+ rgw keystone token cache size = {{ radosgw_keystone_token_cache_size }}
+ rgw keystone revocation interval = {{ radosgw_keystone_revocation_internal }}
+ rgw s3 auth use keystone = {{ radosgw_s3_auth_use_keystone }}
+ nss db path = {{ radosgw_nss_db_path }}
+ {% endif %}
 {% endif %}
 {% endfor %}
 {% endif %}
diff --git a/roles/ceph-radosgw/tasks/main.yml b/roles/ceph-radosgw/tasks/main.yml
index 2de430f10..eddbe05ac 100644
--- a/roles/ceph-radosgw/tasks/main.yml
+++ b/roles/ceph-radosgw/tasks/main.yml
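Review bot: `rgw keystone admin token = {{ radosgw_keystone_admin_token }}` writes a shared Keystone admin secret into ceph.conf, and since this template belongs to ceph-common it is presumably rendered on every node, not only the gateways; the `{% endfor %}` context line suggests the block sits in a per-gateway loop, so each node's copy of ceph.conf would carry the token. If ceph.conf is installed world-readable, as is usual, any local user on a monitor or OSD host can read it. Consider emitting the keystone block only when the rendering host is itself a gateway, add a template comment such as `{# admin token grants full Keystone administration; keep ceph.conf mode tight on hosts that receive it #}`, and where the Ceph release supports the per-service `rgw keystone admin user` / `rgw keystone admin password` options prefer them over the global token. `radosgw_keystone_url` has no default in this commit (it stays commented out in defaults), so enabling `radosgw_keystone` without setting it will presumably stop templating on an undefined variable — reasonable fail-closed behaviour, but worth stating in the defaults comment. The enclosing `{% for %}`/`{% if %}` blocks begin outside the hunk.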
@@ -21,6 +21,9 @@
     state=present
   when: ansible_os_family == 'RedHat' and not ceph_containerized_deployment
 
+- include: openstack-keystone.yml
+  when: radosgw_keystone
+
 - include: start_radosgw.yml
   when: not ceph_containerized_deployment
 
diff --git a/roles/ceph-radosgw/tasks/openstack-keystone.yml b/roles/ceph-radosgw/tasks/openstack-keystone.yml
new file mode 100644
index 000000000..09887f222
--- /dev/null
+++ b/roles/ceph-radosgw/tasks/openstack-keystone.yml
@@ -0,0 +1,14 @@
+---
+- name: create nss directory for Keystone certificates
+  file: >
+    path={{ radosgw_nss_db_path }}
+    state=directory
+    owner=root
+    group=root
+    mode=0644
+
+- name: create nss entries for Keystone certificates
+  shell: "{{ item }}"
+  with_items:
+    - "openssl x509 -in /etc/keystone/ssl/certs/ca.pem -pubkey |certutil -d {{ radosgw_nss_db_path }} -A -n ca -t 'TCu,Cu,Tuw'"
+    - "openssl x509 -in /etc/keystone/ssl/certs/signing_cert.pem -pubkey | certutil -A -d {{ radosgw_nss_db_path }} -n signing_cert -t 'P,P,P'"
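Review bot: The new `- include: openstack-keystone.yml` is gated only on `when: radosgw_keystone`, while the neighbouring tasks (the RedHat package task above it and `start_radosgw.yml` below) also require `not ceph_containerized_deployment`. The included tasks create an NSS directory and run `certutil` on the host filesystem, which a containerized gateway presumably does not read, so `when: radosgw_keystone and not ceph_containerized_deployment` keeps the role's conditions consistent. The task list continues outside the hunk.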
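Review bot: `mode=0644` on a directory omits the execute (search) bit, so only root can traverse `{{ radosgw_nss_db_path }}`; the NSS database here holds public certificates, so `mode=0755` is the correct value, with ownership matching whatever user the gateway process runs as rather than hard-coded `root`. The two `shell` items re-run `certutil -A` on every play and always report changed, and the exit status Ansible sees is `certutil`'s, not `openssl`'s, so a missing `/etc/keystone/ssl/certs/ca.pem` surfaces only indirectly — running the pipeline as `shell: "set -o pipefail && {{ item }}"` with `executable=/bin/bash` makes that failure explicit. Those two certificate paths also assume Keystone's PKI material is present on the gateway host; making them variables alongside `radosgw_nss_db_path` lets deployments where Keystone is not co-located point at copied certificates. A preceding `certutil -L -d {{ radosgw_nss_db_path }} -n ca` check registered into a variable, with `changed_when`/`failed_when` on the import, would make the task idempotent.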