Update CephX client.openstack keyring to use 'profile rbd'

The minimum set of permissions necessary to operate on the Ceph pools changed with Luminous and the 'profile rbd' setting ensures the necessary additional operations are granted. See Luminous [1] vs Jewel [2] settings. Closes-Bug: 1773449 1. http://docs.ceph.com/docs/luminous/rbd/rbd-openstack/#setup-ceph-client-authentication 2. http://docs.ceph.com/docs/jewel/rbd/rbd-openstack/#setup-ceph-client-authentication Change-Id: I9639d606bd538f6776c368a4f34aa6783ab91abb
2018-06-15 17:40:30 +02:00 · 2018-06-15 17:40:30 +02:00 · e65889dff2
parent b7dcbd8da7
commit e65889dff2
1 changed files with 3 additions and 3 deletions
--- a/docker/services/ceph-ansible/ceph-base.yaml
+++ b/docker/services/ceph-ansible/ceph-base.yaml
@ -254,14 +254,14 @@ resources:
            key: {get_param: CephClientKey}
            caps:
              mgr: "allow *"
-              mon: "allow r"
+              mon: "profile rbd"
              osd:
                str_replace:
-                  template: 'allow class-read object_prefix rbd_children, allow rwx pool=CEPH_CLIENT_POOLS'
+                  template: 'profile rbd pool=CEPH_CLIENT_POOLS'
                  params:
                    CEPH_CLIENT_POOLS:
                      list_join:
-                        - ', allow rwx pool='
+                        - ', profile rbd pool='
                        - list_concat_unique:
                          - - {get_param: CinderRbdPoolName}
                            - {get_param: CinderBackupRbdPoolName}