Set restrictive file permissions on Ceph keyrings for non-containerized deployment

Pass mode parameter 0600 and user and group ownership to puppet-ceph for
Ceph openstack client keyrings during non-containerized deployment.

Author:    Keith Schincke <kschinck@redhat.com>
Co-Author:    John Fulton <fulton@redhat.com>
Change-Id: Iccb24f5c2ee639ad2bc0869a37cec305f32b9fd1
Depends-On: I0c1bc3d2362c6500b1a515d99f641f8c1468754a
Partial-Bug: #1720787
(cherry picked from commit bdf1ade1b9)
John Fulton 2017-10-03 00:21:57 +00:00 committed by Giulio Fidente
parent 3d3ae25757
commit 1e52acae86
1 changed files with 6 additions and 2 deletions


@ -129,7 +129,9 @@ outputs:
cap_mon: 'allow profile bootstrap-osd'
CEPH_CLIENT_KEY:
secret: {get_param: CephClientKey}
mode: '0644'
mode: '0640'
user: 'ceph'
group: 'ceph'
cap_mon: 'allow r'
cap_osd:
str_replace:
@ -141,7 +143,9 @@ outputs:
GLANCE_POOL: {get_param: GlanceRbdPoolName}
GNOCCHI_POOL: {get_param: GnocchiRbdPoolName}
MANILA_CLIENT_KEY:
mode: '0644'
mode: '0640'
user: 'ceph'
group: 'ceph'
secret: {get_param: CephManilaClientKey}
cap_mon: 'allow r, allow command \"auth del\", allow command \"auth caps\", allow command \"auth get\", allow command \"auth get-or-create\"'
cap_mds: 'allow *'
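Review bot: The commit message says mode 0600 is passed to puppet-ceph, but both changed entries (CEPH_CLIENT_KEY and MANILA_CLIENT_KEY) set `mode: '0640'`, so every member of group `ceph` can still read the client keyring secrets. If group read is intentional because the consuming services reach the keyring through that group, record it next to the value, e.g. `# 0640: services in group ceph must read this keyring`, and correct the description; otherwise use `mode: '0600'`. The enclosing `outputs:` mapping starts and ends outside both hunks, so whether any other keyring entry still carries `0644` cannot be confirmed from this page.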