From fdf3729f83770464a093e8d6f624565abc7b6347 Mon Sep 17 00:00:00 2001
From: Michal Nasiadka <mnasiadka@gmail.com>
Date: Tue, 10 Dec 2019 18:28:50 +0100
Subject: [PATCH] External Ceph: add ceph_*_user variables

To make the configuration easier for the user, and to allow non-standard
ceph authentication ids - introduce ceph_*_user variables.

Change-Id: I24e01c43c826b62b6748d93a498f4b7d8ce9e309
---
 ansible/group_vars/all.yml                    |   7 ++
 ansible/roles/cinder/templates/cinder.conf.j2 |   4 +-
 .../roles/glance/templates/glance-api.conf.j2 |   2 +-
 .../roles/gnocchi/templates/gnocchi.conf.j2   |   4 +-
 .../manila/templates/manila-share.conf.j2     |   4 +-
 .../templates/nova.conf.d/libvirt.conf.j2     |   4 +-
 .../reference/storage/external-ceph-guide.rst | 101 ++++--------------
 .../external-ceph-users-2715eebf8a8df1af.yaml |  12 +++
 tests/templates/globals-default.j2            |   1 +
 9 files changed, 50 insertions(+), 89 deletions(-)
 create mode 100644 releasenotes/notes/external-ceph-users-2715eebf8a8df1af.yaml

diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index 4e53d496a6..cfd08a40d4 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -1007,6 +1007,13 @@ ceph_glance_pool_name: "images"
 ceph_gnocchi_pool_name: "gnocchi"
 ceph_nova_pool_name: "vms"
 
+ceph_cinder_backup_user: "cinder-backup"
+ceph_cinder_volume_user: "cinder"
+ceph_glance_user: "glance"
+ceph_gnocchi_user: "gnocchi"
+ceph_manila_user: "manila"
+ceph_nova_user: "nova"
+
 ceph_erasure_profile: "k=4 m=2 ruleset-failure-domain=host"
 ceph_rule: "default host {{ 'indep' if ceph_pool_type == 'erasure' else 'firstn' }}"
 ceph_cache_rule: "cache host firstn"
diff --git a/ansible/roles/cinder/templates/cinder.conf.j2 b/ansible/roles/cinder/templates/cinder.conf.j2
index 751ec806d6..4881d8c25c 100644
--- a/ansible/roles/cinder/templates/cinder.conf.j2
+++ b/ansible/roles/cinder/templates/cinder.conf.j2
@@ -28,7 +28,7 @@ enabled_backends = {{ cinder_enabled_backends|map(attribute='name')|join(',') }}
 {% if cinder_backup_driver == "ceph" %}
 backup_driver = cinder.backup.drivers.ceph.CephBackupDriver
 backup_ceph_conf = /etc/ceph/ceph.conf
-backup_ceph_user = cinder-backup
+backup_ceph_user = {{ ceph_cinder_backup_user }}
 backup_ceph_chunk_size = 134217728
 backup_ceph_pool = {{ ceph_cinder_backup_pool_name }}
 backup_ceph_stripe_unit = 0
@@ -131,7 +131,7 @@ rbd_flatten_volume_from_snapshot = false
 rbd_max_clone_depth = 5
 rbd_store_chunk_size = 4
 rados_connect_timeout = 5
-rbd_user = cinder
+rbd_user = {{ ceph_cinder_volume_user }}
 rbd_secret_uuid = {{ cinder_rbd_secret_uuid }}
 report_discard_supported = True
 image_upload_use_cinder_backend = True
diff --git a/ansible/roles/glance/templates/glance-api.conf.j2 b/ansible/roles/glance/templates/glance-api.conf.j2
index ba7ea07178..29e7ff4e07 100644
--- a/ansible/roles/glance/templates/glance-api.conf.j2
+++ b/ansible/roles/glance/templates/glance-api.conf.j2
@@ -61,7 +61,7 @@ stores = {{ glance_store_backends|map(attribute='name')|join(',') }}
 {% endif %}
 
 {% if glance_backend_ceph | bool %}
-rbd_store_user = glance
+rbd_store_user = {{ ceph_glance_user }}
 rbd_store_pool = {{ ceph_glance_pool_name }}
 rbd_store_chunk_size = 8
 {% endif %}
diff --git a/ansible/roles/gnocchi/templates/gnocchi.conf.j2 b/ansible/roles/gnocchi/templates/gnocchi.conf.j2
index 76906f8de1..4856185752 100644
--- a/ansible/roles/gnocchi/templates/gnocchi.conf.j2
+++ b/ansible/roles/gnocchi/templates/gnocchi.conf.j2
@@ -74,8 +74,8 @@ file_basepath = /var/lib/gnocchi
 {% elif gnocchi_backend_storage == 'ceph' %}
 driver = ceph
 ceph_pool = {{ gnocchi_pool_name }}
-ceph_username = gnocchi
-ceph_keyring = /etc/ceph/ceph.client.gnocchi.keyring
+ceph_username = {{ ceph_gnocchi_user }}
+ceph_keyring = {{ ceph_gnocchi_keyring }}
 ceph_conffile = /etc/ceph/ceph.conf
 {% elif gnocchi_backend_storage == 'swift' %}
 driver = swift
diff --git a/ansible/roles/manila/templates/manila-share.conf.j2 b/ansible/roles/manila/templates/manila-share.conf.j2
index 9a837d5b99..9c4c51d5e9 100644
--- a/ansible/roles/manila/templates/manila-share.conf.j2
+++ b/ansible/roles/manila/templates/manila-share.conf.j2
@@ -99,7 +99,7 @@ driver_handles_share_servers = False
 share_backend_name = CEPHFS1
 share_driver = manila.share.drivers.cephfs.driver.CephFSDriver
 cephfs_conf_path = /etc/ceph/ceph.conf
-cephfs_auth_id = manila
+cephfs_auth_id = {{ ceph_manila_user }}
 cephfs_cluster_name = ceph
 cephfs_enable_snapshots = False
 {% endif %}
@@ -111,7 +111,7 @@ share_backend_name = CEPHFSNFS1
 share_driver = manila.share.drivers.cephfs.driver.CephFSDriver
 cephfs_protocol_helper_type = NFS
 cephfs_conf_path = /etc/ceph/ceph.conf
-cephfs_auth_id = manila
+cephfs_auth_id = {{ ceph_manila_user }}
 cephfs_cluster_name = ceph
 cephfs_enable_snapshots = False
 cephfs_ganesha_server_is_remote= False
diff --git a/ansible/roles/nova-cell/templates/nova.conf.d/libvirt.conf.j2 b/ansible/roles/nova-cell/templates/nova.conf.d/libvirt.conf.j2
index 1f75a00ba0..e72ceb2745 100644
--- a/ansible/roles/nova-cell/templates/nova.conf.d/libvirt.conf.j2
+++ b/ansible/roles/nova-cell/templates/nova.conf.d/libvirt.conf.j2
@@ -5,11 +5,11 @@ live_migration_uri = "qemu+tls://%s/system"
 {% else %}
 connection_uri = "qemu+tcp://{{ migration_interface_address | put_address_in_context('url') }}/system"
 {% endif %}
-{% if enable_ceph | bool and nova_backend == "rbd" %}
+{% if nova_backend == "rbd" %}
 images_type = rbd
 images_rbd_pool = {{ ceph_nova_pool_name }}
 images_rbd_ceph_conf = /etc/ceph/ceph.conf
-rbd_user = nova
+rbd_user = {{ ceph_nova_user }}
 disk_cachemodes="network=writeback"
 {% if nova_hw_disk_discard != '' %}
 hw_disk_discard = {{ nova_hw_disk_discard }}
diff --git a/doc/source/reference/storage/external-ceph-guide.rst b/doc/source/reference/storage/external-ceph-guide.rst
index 6cbb1fedef..8993d9b4d7 100644
--- a/doc/source/reference/storage/external-ceph-guide.rst
+++ b/doc/source/reference/storage/external-ceph-guide.rst
@@ -66,17 +66,11 @@ Glance
 
 Configuring Glance for Ceph includes the following steps:
 
-#. Configure RBD back end in ``glance-api.conf``
+#. Configure Ceph authentication details in ``/etc/kolla/globals.yml``:
 
-   .. path /etc/kolla/config/glance/glance-api.conf
-   .. code-block:: ini
-
-      [glance_store]
-      stores = rbd
-      default_store = rbd
-      rbd_store_pool = images
-      rbd_store_user = glance
-      rbd_store_ceph_conf = /etc/ceph/ceph.conf
+   * ``ceph_glance_keyring`` (default: ``ceph.client.glance.keyring``)
+   * ``ceph_glance_user`` (default: ``glance``)
+   * ``ceph_glance_pool_name`` (default: ``images``)
 
 #. Copy Ceph configuration file to ``/etc/kolla/config/glance/ceph.conf``
 
@@ -91,10 +85,6 @@ Configuring Glance for Ceph includes the following steps:
       auth_service_required = cephx
       auth_client_required = cephx
 
-#. Configure Ceph authentication details in ``/etc/kolla/globals.yml``:
-
-   * ``ceph_glance_keyring`` (default: ``ceph.client.glance.keyring``)
-
 #. Copy Ceph keyring to ``/etc/kolla/config/glance/<ceph_glance_keyring>``
 
 Cinder
@@ -102,43 +92,14 @@ Cinder
 
 Configuring Cinder for Ceph includes following steps:
 
-#. Configure RBD backend in ``cinder-volume.conf`` and ``cinder-backup.conf``
-
-   .. path /etc/kolla/config/cinder/cinder-volume.conf
-   .. code-block:: ini
-
-      [DEFAULT]
-      enabled_backends=rbd-1
-
-      [rbd-1]
-      rbd_ceph_conf=/etc/ceph/ceph.conf
-      rbd_user=cinder
-      backend_host=rbd:volumes
-      rbd_pool=volumes
-      volume_backend_name=rbd-1
-      volume_driver=cinder.volume.drivers.rbd.RBDDriver
-      rbd_secret_uuid = {{ cinder_rbd_secret_uuid }}
-
-   .. note::
-
-      ``cinder_rbd_secret_uuid`` can be found in ``/etc/kolla/passwords.yml``.
-
-   .. path /etc/kolla/config/cinder/cinder-backup.conf
-   .. code-block:: ini
-
-      [DEFAULT]
-      backup_ceph_conf=/etc/ceph/ceph.conf
-      backup_ceph_user=cinder-backup
-      backup_ceph_chunk_size = 134217728
-      backup_ceph_pool=backups
-      backup_driver = cinder.backup.drivers.ceph.CephBackupDriver
-      backup_ceph_stripe_unit = 0
-      backup_ceph_stripe_count = 0
-      restore_discard_excess_bytes = true
-
-   For more information about the Cinder backup configuration, see
-   :cinder-doc:`Ceph backup driver
-   <configuration/block-storage/backup/ceph-backup-driver.html>`.
+#. Configure Ceph authentication details in ``/etc/kolla/globals.yml``:
+   * ``ceph_cinder_keyring`` (default: ``ceph.client.cinder.keyring``)
+   * ``ceph_cinder_user`` (default: ``cinder``)
+   * ``ceph_cinder_pool_name`` (default: ``volumes``)
+   * ``ceph_cinder_backup_keyring``
+   (default: ``ceph.client.cinder-backup.keyring``)
+   * ``ceph_cinder_backup_user`` (default: ``cinder-backup``)
+   * ``ceph_cinder_backup_pool_name`` (default: ``backups``)
 
 #. Copy Ceph configuration file to ``/etc/kolla/config/cinder/ceph.conf``
 
@@ -148,11 +109,6 @@ Configuring Cinder for Ceph includes following steps:
    ``/etc/kolla/config/cinder/cinder-backup`` respectively. They
    will be merged with ``/etc/kolla/config/cinder/ceph.conf``.
 
-#. Configure Ceph authentication details in ``/etc/kolla/globals.yml``:
-   * ``ceph_cinder_keyring`` (default: ``ceph.client.cinder.keyring``)
-   * ``ceph_cinder_backup_keyring``
-   (default: ``ceph.client.cinder-backup.keyring``)
-
 #. Copy Ceph keyring files to:
    * ``/etc/kolla/config/cinder/cinder-volume/<ceph_cinder_keyring>``
    * ``/etc/kolla/config/cinder/cinder-backup/<ceph_cinder_keyring>``
@@ -168,12 +124,14 @@ Nova
 
 Configuring Nova for Ceph includes following steps:
 
-#. Copy Ceph configuration file to ``/etc/kolla/config/nova/ceph.conf``
 #. Configure Ceph authentication details in ``/etc/kolla/globals.yml``:
 
    * ``ceph_cinder_keyring`` (default: ``ceph.client.cinder.keyring``)
    * ``ceph_nova_keyring`` (by default it's the same as ceph_cinder_keyring)
+   * ``ceph_nova_user`` (default: ``nova``)
+   * ``ceph_nova_pool_name`` (default: ``vms``)
 
+#. Copy Ceph configuration file to ``/etc/kolla/config/nova/ceph.conf``
 #. Copy Ceph keyring file(s) to:
 
    * ``/etc/kolla/config/nova/<ceph_cinder_keyring>``
@@ -183,41 +141,23 @@ Configuring Nova for Ceph includes following steps:
    .. warning::
 
       If you are using ceph-ansible or another deployment tool that doesn't
-      create separate key for Nova just copy the Cinder key.
-
-#. Configure nova-compute to use Ceph as the ephemeral back end by creating
-   ``/etc/kolla/config/nova/nova-compute.conf`` and adding the following
-   configurations:
-
-   .. code-block:: ini
-
-      [libvirt]
-      images_rbd_pool=vms
-      images_type=rbd
-      images_rbd_ceph_conf=/etc/ceph/ceph.conf
+      create separate key for Nova just copy the Cinder key and configure
+      ``ceph_nova_user`` to the same value as ``ceph_cinder_user``.
 
 Gnocchi
 -------
 
 Configuring Gnocchi for Ceph includes following steps:
 
-#. Copy Ceph configuration file to ``/etc/kolla/config/gnocchi/ceph.conf``
 #. Configure Ceph authentication details in ``/etc/kolla/globals.yml``:
 
    * ``ceph_gnocchi_keyring``
      (default: ``ceph.client.gnocchi.keyring``)
+   * ``ceph_gnocchi_user`` (default: ``gnocchi``)
+   * ``ceph_gnocchi_pool_name`` (default: ``gnocchi``)
 
+#. Copy Ceph configuration file to ``/etc/kolla/config/gnocchi/ceph.conf``
 #. Copy Ceph keyring to ``/etc/kolla/config/gnocchi/<ceph_gnocchi_keyring>``
-#. Modify ``/etc/kolla/config/gnocchi.conf`` file according to the following
-   configuration:
-
-   .. code-block:: ini
-
-      [storage]
-      driver = ceph
-      ceph_username = gnocchi
-      ceph_keyring = /etc/ceph/ceph.client.gnocchi.keyring
-      ceph_conffile = /etc/ceph/ceph.conf
 
 Manila
 ------
@@ -229,6 +169,7 @@ Configuring Manila for Ceph includes following steps:
 #. Configure Ceph authentication details in ``/etc/kolla/globals.yml``:
 
    * ``ceph_manila_keyring`` (default: ``ceph.client.manila.keyring``)
+   * ``ceph_manila_user`` (default: ``manila``)
 
 #. Copy Ceph configuration file to ``/etc/kolla/config/manila/ceph.conf``
 #. Copy Ceph keyring to ``/etc/kolla/config/manila/<ceph_manila_keyring>``
diff --git a/releasenotes/notes/external-ceph-users-2715eebf8a8df1af.yaml b/releasenotes/notes/external-ceph-users-2715eebf8a8df1af.yaml
new file mode 100644
index 0000000000..23d102e486
--- /dev/null
+++ b/releasenotes/notes/external-ceph-users-2715eebf8a8df1af.yaml
@@ -0,0 +1,12 @@
+---
+features:
+  - |
+    Introduce External Ceph user ids as variables to allow non-standard ceph
+    authentication ids in OpenStack services configuration without the need to
+    override configuration files.
+upgrade:
+  - |
+    Now the rbd part of ``nova.conf`` in ``nova-compute`` is being generated
+    when ``nova_backend`` is set to ``"rbd"`` (previously it was generated when
+    both ``enable_ceph`` was ``"yes"`` and ``nova_backend`` was set to
+    ``"rbd"``).
diff --git a/tests/templates/globals-default.j2 b/tests/templates/globals-default.j2
index 4988397a7c..78cde87e1d 100644
--- a/tests/templates/globals-default.j2
+++ b/tests/templates/globals-default.j2
@@ -133,4 +133,5 @@ enable_cinder: "yes"
 glance_backend_ceph: "yes"
 cinder_backend_ceph: "yes"
 nova_backend_ceph: "yes"
+ceph_nova_user: "cinder"
 {% endif %}