Set ACLs on ceph client keyrings

This patch sets file-system ACLs on the ceph client keyring so the OpenStack service users can read it.
This helps resolve (1) for OSP Ocata and earlier.

Change-Id: I353b19a5a3f9a9af110587bd0996f08700335a44
Partial-Bug: #1720787
1: https://bugzilla.redhat.com/show_bug.cgi?id=1462657
Keith Schincke 2017-11-02 11:19:31 -04:00
parent df2d147401
commit a4d12e02a7
7 changed files with 46 additions and 3 deletions


@ -164,6 +164,13 @@ class tripleo::profile::base::cinder::volume (
include ::tripleo::profile::base::cinder::volume::rbd
$cinder_rbd_backend_name = hiera('cinder::backend::rbd::volume_backend_name', 'tripleo_ceph')
exec{ 'exec-setfacl-openstack-cinder':
path => ['/bin', '/usr/bin'],
command => 'setfacl -m u:cinder:r-- /etc/ceph/ceph.client.openstack.keyring',
unless => 'getfacl /etc/ceph/ceph.client.openstack.keyring | grep -q "user:cinder:r--"',
}
Ceph::Key<||> -> Exec['exec-setfacl-openstack-cinder']
$cinder_rbd_extra_pools = hiera('tripleo::profile::base::cinder::volume::rbd::cinder_rbd_extra_pools', undef)
if $cinder_rbd_extra_pools {
$base_name = $cinder_rbd_backend_name
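Review bot: The new `exec-setfacl-openstack-cinder` runs `setfacl -m u:cinder:r--` with no ordering on whatever creates the `cinder` user, so on a fresh node it may run before the cinder package is installed and fail with an unknown-user error; the glance hunk in this same commit handles that with `Class['glance']->Exec[...]`, and `Class['cinder']->Exec['exec-setfacl-openstack-cinder']` would make this hunk consistent with it. The `unless` only skips the exec when the ACL is already present, so on a node where `/etc/ceph/ceph.client.openstack.keyring` is absent (no `Ceph::Key` collected) the exec would fail on every run rather than be skipped; `onlyif => 'test -f /etc/ceph/ceph.client.openstack.keyring'` would make that explicit. Whether such nodes exist depends on hiera data outside this hunk.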


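--- a/manifests/profile/base/glance/api.pp
+++ b/manifests/profile/base/glance/api.pp
@@ -129,7 +129,16 @@ class tripleo::profile::base::glance::api (
 case $glance_backend {
 'swift': { $backend_store = 'swift' }
 'file': { $backend_store = 'file' }
-'rbd': { $backend_store = 'rbd' }
+'rbd': {
+$backend_store = 'rbd'
+exec{ 'exec-setfacl-openstack-glance':
+path => ['/bin', '/usr/bin'],
+command => 'setfacl -m u:glance:r-- /etc/ceph/ceph.client.openstack.keyring',
+unless => 'getfacl /etc/ceph/ceph.client.openstack.keyring | grep -q "user:glance:r--"',
+}
+Class['glance']->Exec['exec-setfacl-openstack-glance']
+Ceph::Key<||> -> Exec['exec-setfacl-openstack-glance']
+}
 'cinder': { $backend_store = 'cinder' }
 default: { fail('Unrecognized glance_backend parameter.') }
 }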


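--- a/manifests/profile/base/gnocchi/api.pp
+++ b/manifests/profile/base/gnocchi/api.pp
@@ -124,7 +124,15 @@ class tripleo::profile::base::gnocchi::api (
 }
 }
 'file': { include ::gnocchi::storage::file }
-'rbd': { include ::gnocchi::storage::ceph }
+'rbd': {
+include ::gnocchi::storage::ceph
+exec{ 'exec-setfacl-openstack-gnocchi':
+path => ['/bin', '/usr/bin'],
+command => 'setfacl -m u:gnocchi:r-- /etc/ceph/ceph.client.openstack.keyring',
+unless => 'getfacl /etc/ceph/ceph.client.openstack.keyring | grep -q "user:gnocchi:r--"',
+}
+Ceph::Key<||> -> Exec['exec-satfacl-openstack-gnocchi']
+}
 default: { fail('Unrecognized gnocchi_backend parameter.') }
 }
 }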
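Review bot: The relationship on the last added line of the `'rbd'` branch refers to `Exec['exec-satfacl-openstack-gnocchi']` (typo: `satfacl`), but the resource declared just above is titled `exec-setfacl-openstack-gnocchi`, so the `->` points at a resource that is never declared and the catalog should fail with a "Could not find resource" error whenever the rbd backend is selected. The fix is `Ceph::Key<||> -> Exec['exec-setfacl-openstack-gnocchi']`. The gnocchi spec added in this commit compiles this class with the rbd backend, so I would expect it to surface this unless rspec-puppet skips relationship validation in this setup. Unlike the glance hunk there is also no `Class['gnocchi']->Exec[...]` ordering, so `setfacl -m u:gnocchi` may run before the `gnocchi` user exists on a fresh node.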


@ -100,7 +100,14 @@ class tripleo::profile::base::manila::share (
$cephfs_auth_id = hiera('manila::backend::cephfsnative::cephfs_auth_id')
$keyring_path = "/etc/ceph/ceph.client.${cephfs_auth_id}.keyring"
manila::backend::cephfsnative { $manila_cephfsnative_backend :
exec{ "exec-setfacl-${cephfs_auth_id}}":
path => ['/bin', '/usr/bin' ],
command => "setfacl -m u:manila:r-- ${keyring_path}",
unless => "getfacl ${keyring_path} | grep -q \"user:manila:r--\"",
}
Ceph::Key<||> -> Exec["exec-satfacl-openstack-${cephfs_auth_id}"]
manila::backend::cephfs { $manila_cephfsnative_backend :
driver_handles_share_servers => hiera('manila::backend::cephfsnative::driver_handles_share_servers', false),
share_backend_name => hiera('manila::backend::cephfsnative::share_backend_name'),
cephfs_conf_path => hiera('manila::backend::cephfsnative::cephfs_conf_path'),
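Review bot: The exec title on the first added line is `"exec-setfacl-${cephfs_auth_id}}"` (note the stray closing brace inside the title), while the relationship three lines below references `Exec["exec-satfacl-openstack-${cephfs_auth_id}"]` — a different prefix, a different spelling and no stray brace — so the relationship targets a resource that is never declared and the catalog should fail to compile when this backend is enabled. Both lines need to agree on one title, e.g. `exec{ "exec-setfacl-openstack-${cephfs_auth_id}":` and `Ceph::Key<||> -> Exec["exec-setfacl-openstack-${cephfs_auth_id}"]`. No spec change covers this class in the commit, which is presumably why neither mismatch was caught. The enclosing class and the `manila::backend::cephfs` declaration continue outside the hunk.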


@ -32,6 +32,12 @@ class tripleo::profile::base::nova::compute_libvirt_shared (
$rbd_persistent_storage = hiera('rbd_persistent_storage', false)
if $rbd_ephemeral_storage or $rbd_persistent_storage {
include ::nova::compute::rbd
exec{ 'exec-setfacl-openstack-nova':
path => ['/bin', '/usr/bin'],
command => 'setfacl -m u:nova:r-- /etc/ceph/ceph.client.openstack.keyring',
unless => 'getfacl /etc/ceph/ceph.client.openstack.keyring | grep -q "user:nova:r--"',
}
Ceph::Key<||> -> Exec['exec-satfacl-openstack-nova']
}
if $rbd_ephemeral_storage {
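Review bot: `Ceph::Key<||> -> Exec['exec-satfacl-openstack-nova']` on the last added line misspells the title declared on the first added line (`exec-setfacl-openstack-nova`), so the relationship refers to a resource that does not exist and the catalog should fail whenever rbd ephemeral or persistent storage is enabled. The fix is `Ceph::Key<||> -> Exec['exec-setfacl-openstack-nova']`. There is also no `Class['nova']` or package ordering, unlike the glance hunk, so `setfacl -m u:nova:r--` may run before the `nova` user exists on a fresh node. No spec change covers this class in the commit.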


@ -186,6 +186,9 @@ describe 'tripleo::profile::base::cinder::volume' do
is_expected.to contain_class('cinder::backends').with(
:enabled_backends => ['tripleo_ceph']
)
is_expected.to contain_exec('exec-setfacl-openstack-cinder').with(
'command' => "setfacl -m u:cinder:r-- /etc/ceph/ceph.client.openstack.keyring"
)
end
context 'additional rbd pools' do
# The list of additional rbd pools is not an input, but instead comes
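Review bot: Only the cinder and gnocchi classes get a spec assertion for the new exec, while the nova, glance and manila hunks in the same commit add equivalent resources with no test; nova and manila in particular chain to resource titles that differ from the ones they declare, which an rspec-puppet compile of those classes would likely catch. Adding `is_expected.to contain_exec('exec-setfacl-openstack-nova')` and the glance/manila equivalents in the corresponding spec files would close that gap. The new assertion also uses a string key `'command'` where the surrounding file uses symbol keys such as `:enabled_backends`; `:command =>` would match the file's style.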


@ -107,6 +107,9 @@ describe 'tripleo::profile::base::gnocchi::api' do
:redis_url => 'redis://:gnocchi@127.0.0.1:6379/'
)
is_expected.to contain_class('gnocchi::storage::ceph')
is_expected.to contain_exec('exec-setfacl-openstack-gnocchi').with(
'command' => 'setfacl -m u:gnocchi:r-- /etc/ceph/ceph.client.openstack.keyring'
)
}
end