Allow Swift middleware to be set via a variable

This patch allows the swift-proxy pipeline to be adjusted via a variable
"swift_middleware_list", which can be amended to add additional
middleware as required.

The default remains the same - which is to include the default pipeline
when using keystone.

Additionally the logic around whether "authtoken" or "tempauth" are
enabled was changed to check if these are set in "swift_middleware_list"
without requiring a separate variable. Variable "swift_authtoken_active"
was removed as it is no longer required.

Tempest object storage settings were adjusted to work with the default
list of enabled discoverable_apis for object storage. Container syncing
was also turned into a variable based on the object storage default.

Closes-Bug: #1453276
Co-Authored-By: Julian Montez <julian.montez@gmail.com>
Co-Authored-By: Darren Birkett <darren.birkett@gmail.com>
Change-Id: I70565296242d10327a58b02149f73eb5f31a877d

playbooks/roles/os_swift/defaults/main.yml

@@ -31,9 +31,30 @@ swift_system_comment: swift system user
 swift_system_home_folder: "/var/lib/{{ swift_system_user_name }}"
 
 ## Auth token
-swift_authtoken_active: True
 swift_delay_auth_decision: true
 
+## Swift middleware
+# NB: The order is important!
+swift_middleware_list:
+  - catch_errors
+  - gatekeeper
+  - healthcheck
+  - proxy-logging
+#  - ceilometer
+  - cache
+  - container_sync
+  - bulk
+  - tempurl
+  - ratelimit
+  - authtoken
+  - keystoneauth
+  - container-quotas
+  - account-quotas
+  - slo
+  - dlo
+  - proxy-logging
+  - proxy-server
+
 ## Swift default ports
 swift_proxy_port: "8080"
 swift_object_port: "6000"

playbooks/roles/os_swift/templates/proxy-server.conf.j2

@@ -12,19 +12,8 @@ user = {{ swift_system_user_name }}
 log_facility = LOG_LOCAL1
 
 [pipeline:main]
-{% if swift_authtoken_active %}
-{% if swift_ceilometer_enabled %}
-pipeline = catch_errors gatekeeper healthcheck proxy-logging ceilometer cache container_sync bulk tempurl ratelimit authtoken keystoneauth container-quotas account-quotas slo dlo proxy-server
-{% else %}
-pipeline = catch_errors gatekeeper healthcheck proxy-logging cache container_sync bulk tempurl ratelimit authtoken keystoneauth container-quotas account-quotas slo dlo proxy-logging proxy-server
-{% endif %}
-{% else %}
-{% if swift_ceilometer_enabled %}
-pipeline = catch_errors gatekeeper healthcheck proxy-logging ceilometer cache container_sync bulk tempurl ratelimit tempauth container-quotas account-quotas slo dlo proxy-server
-{% else %}
-pipeline = catch_errors gatekeeper healthcheck proxy-logging cache container_sync bulk tempurl ratelimit tempauth container-quotas account-quotas slo dlo proxy-logging proxy-server
-{% endif %}
-{% endif %}
+pipeline = {{ swift_middleware_list | join(' ') }}
+
 [app:proxy-server]
 use = egg:swift#proxy
 log_facility = LOG_LOCAL1
@@ -43,18 +32,18 @@ write_affinity_node_count = {{ swift_proxy_vars.write_affinity_node_count }}
 {%   endif %}
 {% endif %}
 
+{% if 'tempauth' in swift_middleware_list %}
 [filter:tempauth]
 use = egg:swift#tempauth
-{% if not swift_authtoken_active %}
 user_admin_admin = admin .admin .reseller_admin
 user_test_tester = testing .admin
 user_test2_tester2 = testing2 .admin
 user_test_tester3 = testing3
+{% endif %}
 
-{% elif swift_authtoken_active %}
+{% if 'authtoken' in swift_middleware_list %}
 [filter:authtoken]
 paste.filter_factory = keystonemiddleware.auth_token:filter_factory
-insecure = {{ keystone_service_internaluri_insecure | bool }}
 auth_plugin = {{ swift_keystone_auth_plugin }}
 auth_url = {{ keystone_service_adminuri }}
 auth_uri = {{ keystone_service_internaluri }}
@@ -66,16 +55,17 @@ password = {{ swift_service_password }}
 delay_auth_decision = {{ swift_delay_auth_decision }}
 {% endif %}
 
+{% if 'keystoneauth' in swift_middleware_list %}
 [filter:keystoneauth]
 use = egg:swift#keystoneauth
 {% if swift_allow_all_users is defined and swift_allow_all_users == True %}
-{% if swift_ceilometer_enabled %}
+{% if 'ceilometer' in swift_middleware_list %}
 operator_roles = admin, swiftoperator, _member_, ResellerAdmin
 {% else %}
 operator_roles = admin, swiftoperator, _member_
 {% endif %}
 {% else %}
-{% if swift_ceilometer_enabled %}
+{% if 'ceilometer' in swift_middleware_list %}
 operator_roles = admin, swiftoperator, ResellerAdmin
 {% else %}
 operator_roles = admin, swiftoperator
@@ -83,6 +73,7 @@ operator_roles = admin, swiftoperator
 {% endif %}
 # The reseller admin role has the ability to create and delete accounts
 reseller_admin_role = reseller_admin
+{% endif %}
 
 [filter:healthcheck]
 use = egg:swift#healthcheck
@@ -146,7 +137,7 @@ use = egg:swift#container_sync
 [filter:xprofile]
 use = egg:swift#xprofile
 
-{% if swift_ceilometer_enabled %}
+{% if 'ceilometer' in swift_middleware_list %}
 [filter:ceilometer]
 paste.filter_factory = ceilometermiddleware.swift:filter_factory
 control_exchange = swift

playbooks/roles/os_tempest/defaults/main.yml

@@ -56,7 +56,15 @@ tempest_boto_s3_url: "http://{{ external_lb_vip_address }}:3333"
 tempest_boto_ec2_url: "http://{{ external_lb_vip_address }}:8773/services/Cloud"
 
 tempest_swift_enabled: true
+tempest_swift_container_sync: True
 tempest_swift_object_versioning: True
+tempest_swift_discoverable_apis:
+  - bulk
+  - object
+  - container_quotas
+  - container_sync
+  - slo
+  - tempurl
 
 tempest_volume_backup_enabled: False
 

playbooks/roles/os_tempest/templates/tempest.conf.j2

@@ -172,9 +172,9 @@ reseller_admin_role = reseller_admin
 
 
 [object-storage-feature-enabled]
-container_sync = false
+container_sync = {{ tempest_swift_container_sync }}
 object_versioning = {{ tempest_swift_object_versioning }}
-discoverable_apis = all
+discoverable_apis = {{ tempest_swift_discoverable_apis | join(' ') }}
 
 
 [orchestration]