From 2ad4f6b91ba86a2fefa8a35d34c1d24273f0f61e Mon Sep 17 00:00:00 2001
From: Jeffrey Zhang
Date: Mon, 24 Jul 2017 00:03:43 +0800
Subject: [PATCH] Use a separate user for ceph-rgw rather than keystone admin user

If not, change admin user password will break ceph rgw service.

Change-Id: Ia872f6f1aa2d9917d3f5851e0edcffed61e71355
Closes-Bug: #1705929
(cherry picked from commit 1cf116cd6c9448794d794aad4240807abf2e2314)
---
 ansible/roles/ceph/defaults/main.yml             |  2 ++
 ansible/roles/ceph/tasks/start_rgw_keystone.yml  | 13 +++++++++++++
 ansible/roles/ceph/templates/ceph.conf.j2        |  6 +++---
 etc/kolla/passwords.yml                          |  1 +
 .../ceph-rgw-keystone-user-d084c3ebdc9528c7.yaml |  5 +++++
 5 files changed, 24 insertions(+), 3 deletions(-)
 create mode 100644 releasenotes/notes/ceph-rgw-keystone-user-d084c3ebdc9528c7.yaml

diff --git a/ansible/roles/ceph/defaults/main.yml b/ansible/roles/ceph/defaults/main.yml
index 456cf43560..9c09dab17d 100644
--- a/ansible/roles/ceph/defaults/main.yml
+++ b/ansible/roles/ceph/defaults/main.yml
@@ -29,6 +29,8 @@ swift_admin_endpoint: "{{ admin_protocol }}://{{ kolla_internal_fqdn }}:{{ rgw_p
 swift_internal_endpoint: "{{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ rgw_port }}/swift/v1"
 swift_public_endpoint: "{{ public_protocol }}://{{ kolla_external_fqdn }}:{{ rgw_port }}/swift/v1"
 
+ceph_rgw_keystone_user: "ceph_rgw"
+
 openstack_swift_auth: "{{ openstack_auth }}"
 
 ####################
diff --git a/ansible/roles/ceph/tasks/start_rgw_keystone.yml b/ansible/roles/ceph/tasks/start_rgw_keystone.yml
index 5409644a19..887f9f3779 100644
--- a/ansible/roles/ceph/tasks/start_rgw_keystone.yml
+++ b/ansible/roles/ceph/tasks/start_rgw_keystone.yml
@@ -22,3 +22,16 @@
     - {'interface': 'admin', 'url': '{{ swift_admin_endpoint }}'}
     - {'interface': 'internal', 'url': '{{ swift_internal_endpoint }}'}
     - {'interface': 'public', 'url': '{{ swift_public_endpoint }}'}
+
+- name: Registering keystone ceph_rgw user
+  kolla_toolbox:
+    module_name: kolla_keystone_user
+    module_args:
+      project: "service"
+      user: "{{ ceph_rgw_keystone_user }}"
+      password: "{{ ceph_rgw_keystone_password }}"
+      role: "admin"
+      region_name: "{{ openstack_region_name }}"
+      auth: "{{ '{{ openstack_ceph_rgw_auth }}' }}"
+    module_extra_vars:
+      openstack_ceph_rgw_auth: "{{ openstack_swift_auth }}"
diff --git a/ansible/roles/ceph/templates/ceph.conf.j2 b/ansible/roles/ceph/templates/ceph.conf.j2
index d355f6c09e..6f0371343a 100644
--- a/ansible/roles/ceph/templates/ceph.conf.j2
+++ b/ansible/roles/ceph/templates/ceph.conf.j2
@@ -38,9 +38,9 @@ rgw frontends = civetweb port={{ hostvars[inventory_hostname]['ansible_' + api_i
 {% endif %}
 {% if enable_ceph_rgw_keystone | bool %}
 rgw_keystone_url = {{ admin_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }}
-rgw_keystone_admin_user = {{ openstack_auth.username }}
-rgw_keystone_admin_password = {{ openstack_auth.password }}
-rgw_keystone_admin_project = {{ openstack_auth.project_name }}
+rgw_keystone_admin_user = {{ ceph_rgw_keystone_user }}
+rgw_keystone_admin_password = {{ ceph_rgw_keystone_password }}
+rgw_keystone_admin_project = service
 rgw_keystone_admin_domain = default
 rgw_keystone_api_version = 3
 rgw_keystone_accepted_roles = admin, {{ keystone_default_user_role }}
diff --git a/etc/kolla/passwords.yml b/etc/kolla/passwords.yml
index f6293d563c..df896d20d4 100644
--- a/etc/kolla/passwords.yml
+++ b/etc/kolla/passwords.yml
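Review bot: The new `Registering keystone ceph_rgw user` task passes `ceph_rgw_keystone_password` through `module_args` with no `no_log`, so the credential is echoed in verbose play output and in any configured Ansible log file; add `no_log: true` at task level. The task also carries no `run_once`, so if this file is applied to every host in the ceph-rgw group the registration is repeated per host; whether the preceding task in this file does the same is outside the hunk. `project: "service"` is hard-coded here and again as `rgw_keystone_admin_project = service` in the ceph.conf.j2 hunk, and both must stay identical for the RGW user lookup to work; a single role default next to `ceph_rgw_keystone_user` referenced from both places would keep them from drifting.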
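Review bot: `rgw_keystone_admin_project = service` and `rgw_keystone_admin_domain = default` are now literals while the user and password on the two lines above come from variables, so the template cannot follow a deployment that registers the user elsewhere; render both from role defaults instead (a constructed name such as `ceph_rgw_keystone_project`), and reuse the same variable in the start_rgw_keystone.yml task. The registration task in this commit does not set a user domain, so `default` here only matches if kolla_keystone_user creates the user in the default domain — confirm against the module. The `{% if enable_ceph_rgw_keystone | bool %}` block this hunk sits in closes outside the hunk.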
@@ -5,6 +5,7 @@
 # These options must be UUID4 values in string format
 # XXXXXXXX-XXXX-4XXX-XXXX-XXXXXXXXXXXX
 ceph_cluster_fsid:
+ceph_rgw_keystone_password:
 # for backward compatible consideration, rbd_secret_uuid is only used for nova,
 # cinder_rbd_secret_uuid is used for cinder
 rbd_secret_uuid:
diff --git a/releasenotes/notes/ceph-rgw-keystone-user-d084c3ebdc9528c7.yaml b/releasenotes/notes/ceph-rgw-keystone-user-d084c3ebdc9528c7.yaml
new file mode 100644
index 0000000000..9bc8a2a192
--- /dev/null
+++ b/releasenotes/notes/ceph-rgw-keystone-user-d084c3ebdc9528c7.yaml
@@ -0,0 +1,5 @@
+---
+upgrade:
+  - |
+    ceph_rgw_keystone_password is required in passwords.yml file. And ceph-rgw
+    depends on a separate user rather than keystone admin user now.
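Review bot: `ceph_rgw_keystone_password:` is inserted between `ceph_cluster_fsid:` and `rbd_secret_uuid:`, directly under the comment `# These options must be UUID4 values in string format`, but it is a Keystone service password, not a UUID. An operator filling passwords.yml by hand will read that comment as applying to the new key and supply a UUID4 where a strong password is wanted; move the key out of this block to where the other service passwords live, or put `# Keystone service user password for ceph-rgw (not a UUID)` above it. If the password generator chooses by key name rather than position this is only a documentation defect, but the comment is still wrong for this key.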