From 48c417519f88472d035c3ad6a92edcc2e6039d9b Mon Sep 17 00:00:00 2001
From: Keith Schincke
Date: Mon, 13 Nov 2017 23:15:21 -0500
Subject: [PATCH] Update cephx keys with ACLs for openstack services.
This patch will set file system ACLs on the ceph client keyring.
This will help resolve (1) for OSP Ocata and before
Change-Id: I0c1bc3d2362c6500b1a515d99f641f8c1468754a
Partial-Bug: #1720787
1: https://bugzilla.redhat.com/show_bug.cgi?id=1462657
---
 manifests/profile/base/cinder/volume.pp | 12 ++++++++++++
 manifests/profile/base/glance/api.pp | 14 +++++++++++++-
 manifests/profile/base/gnocchi/api.pp | 15 ++++++++++++++-
 manifests/profile/base/manila/share.pp | 7 +++++++
 .../profile/base/nova/compute_libvirt_shared.pp | 13 ++++++++++++-
 metadata.json | 3 ++-
 .../tripleo_profile_base_cinder_volume_spec.rb | 6 +++++-
 .../tripleo_profile_base_gnocchi_api_spec.rb | 8 ++++++--
 8 files changed, 71 insertions(+), 7 deletions(-)
diff --git a/manifests/profile/base/cinder/volume.pp b/manifests/profile/base/cinder/volume.pp
index 503b3f922..21319a0a6 100644
--- a/manifests/profile/base/cinder/volume.pp
+++ b/manifests/profile/base/cinder/volume.pp
@@ -70,6 +70,10 @@
 # (Optional) List of additional backend stanzas to activate
 # Defaults to hiera('cinder_user_enabled_backends')
 #
+# [*cinder_rbd_client_name*]
+# (Optional) Name of RBD client
+# Defaults to hiera('tripleo::profile::base::cinder::volume::rbd::cinder_rbd_user_name')
+#
 # [*step*]
 # (Optional) The current step in deployment. See tripleo-heat-templates
 # for more details.
@@ -89,6 +93,7 @@ class tripleo::profile::base::cinder::volume (
 $cinder_enable_scaleio_backend = false,
 $cinder_enable_vrts_hs_backend = false,
 $cinder_user_enabled_backends = hiera('cinder_user_enabled_backends', undef),
+ $cinder_rbd_client_name = hiera('tripleo::profile::base::cinder::volume::rbd::cinder_rbd_user_name','openstack'),
 $step = Integer(hiera('step')),
 ) {
 include ::tripleo::profile::base::cinder
@@ -164,6 +169,13 @@ class tripleo::profile::base::cinder::volume (
 include ::tripleo::profile::base::cinder::volume::rbd
 $cinder_rbd_backend_name = hiera('cinder::backend::rbd::volume_backend_name', 'tripleo_ceph')
+ exec{ "exec-setfacl-${cinder_rbd_client_name}-cinder":
+ path => ['/bin', '/usr/bin'],
+ command => "setfacl -m u:cinder:r-- /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring",
+ unless => "getfacl /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring | grep -q user:cinder:r--",
+ }
+ Ceph::Key<| title == "client.${cinder_rbd_client_name}" |> -> Exec["exec-setfacl-${cinder_rbd_client_name}-cinder"]
+
 $cinder_rbd_extra_pools = hiera('tripleo::profile::base::cinder::volume::rbd::cinder_rbd_extra_pools', undef)
 if $cinder_rbd_extra_pools {
 $base_name = $cinder_rbd_backend_name
diff --git a/manifests/profile/base/glance/api.pp b/manifests/profile/base/glance/api.pp
index c7f4cb293..4140752fc 100644
--- a/manifests/profile/base/glance/api.pp
+++ b/manifests/profile/base/glance/api.pp
@@ -79,6 +79,9 @@
 # enable_internal_tls is set.
 # defaults to 9292
 #
+# [*glance_rbd_client_name*]
+# RBD client naem
+# (optional) Defaults to hiera('glance::backend::rbd::rbd_store_user')
 class tripleo::profile::base::glance::api (
 $bootstrap_node = hiera('bootstrap_nodeid', undef),
 $certificates_specs = hiera('apache_certificates_specs', {}),
@@ -92,6 +95,7 @@ class tripleo::profile::base::glance::api (
 $tls_proxy_bind_ip = undef,
 $tls_proxy_fqdn = undef,
 $tls_proxy_port = 9292,
+ $glance_rbd_client_name = hiera('glance::backend::rbd::rbd_store_user','openstack'),
 ) {
 if $::hostname == downcase($bootstrap_node) {
 $sync_db = true
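Review bot: The `unless` guard on the new exec matches only the literal entry `user:cinder:r--`, so it also passes when getfacl prints that entry with an `#effective:---` suffix, i.e. when the ACL mask has been tightened and cinder can no longer actually read the keyring; anchoring the match, `unless => "getfacl /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring | grep -q '^user:cinder:r--$'"`, makes the guard reflect effective access. This matters because a later chmod of the keyring (for example a file resource that enforces a 0600 mode on the same path on every run) rewrites the ACL mask rather than the named entry, so the grant could silently stop working while Puppet reports nothing to do — worth confirming against how Ceph::Key manages the keyring's mode. The exec is also declared unconditionally, so on a node where no Ceph::Key for this client is in the catalog and the keyring file is absent, getfacl fails, setfacl then errors and the whole run stops; an `onlyif => "test -f /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring"` would degrade more gracefully. The same pattern is repeated for glance, gnocchi, nova and manila in the later hunks.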
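Review bot: The parameter doc added just before the class header has a typo, `# RBD client naem`, and is shaped differently from the cinder, gnocchi and nova entries in this change, which put `(Optional)` on the description line, `Defaults to …` on its own line and close the entry with a bare `#` before the next item. Suggest `# (Optional) Name of the RBD client` and `# Defaults to hiera('glance::backend::rbd::rbd_store_user')` followed by a `#` line. The documented default also omits the `'openstack'` fallback that the parameter list in the next hunk actually applies, which holds for all five new parameters.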
@@ -129,7 +133,15 @@ class tripleo::profile::base::glance::api (
 case $glance_backend {
 'swift': { $backend_store = 'swift' }
 'file': { $backend_store = 'file' }
- 'rbd': { $backend_store = 'rbd' }
+ 'rbd': {
+ $backend_store = 'rbd'
+ exec{ "exec-setfacl-${glance_rbd_client_name}-glance":
+ path => ['/bin', '/usr/bin'],
+ command => "setfacl -m u:glance:r-- /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring",
+ unless => "getfacl /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring | grep -q user:glance:r--",
+ }
+ Ceph::Key<| title == "client.${glance_rbd_client_name}" |> -> Exec["exec-setfacl-${glance_rbd_client_name}-glance"]
+ }
 'cinder': { $backend_store = 'cinder' }
 default: { fail('Unrecognized glance_backend parameter.') }
 }
diff --git a/manifests/profile/base/gnocchi/api.pp b/manifests/profile/base/gnocchi/api.pp
index fdd051775..adc3b7462 100644
--- a/manifests/profile/base/gnocchi/api.pp
+++ b/manifests/profile/base/gnocchi/api.pp
@@ -55,6 +55,10 @@
 # (Required) Redis ip address for the coordination url
 # Defaults to hiera('redis_vip')
 #
+# [*gnocchi_rbd_client_name*]
+# (Optional) RBD Client username.
+# Defaults to hiera('gnocchi::storage::ceph::ceph_username')
+#
 # [*step*]
 # (Optional) The current step in deployment. See tripleo-heat-templates
 # for more details.
@@ -68,6 +72,7 @@ class tripleo::profile::base::gnocchi::api (
 $gnocchi_network = hiera('gnocchi_api_network', undef),
 $gnocchi_redis_password = hiera('gnocchi_redis_password'),
 $redis_vip = hiera('redis_vip'),
+ $gnocchi_rbd_client_name = hiera('gnocchi::storage::ceph::ceph_username','openstack'),
 $step = Integer(hiera('step')),
 ) {
 if $::hostname == downcase($bootstrap_node) {
@@ -124,7 +129,15 @@ class tripleo::profile::base::gnocchi::api (
 }
 }
 'file': { include ::gnocchi::storage::file }
- 'rbd': { include ::gnocchi::storage::ceph }
+ 'rbd': {
+ include ::gnocchi::storage::ceph
+ exec{ "exec-setfacl-${gnocchi_rbd_client_name}-gnocchi":
+ path => ['/bin', '/usr/bin'],
+ command => "setfacl -m u:gnocchi:r-- /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring",
+ unless => "getfacl /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring | grep -q user:gnocchi:r--",
+ }
+ Ceph::Key<| title == "client.${gnocchi_rbd_client_name}" |> -> Exec["exec-setfacl-${gnocchi_rbd_client_name}-gnocchi"]
+ }
 default: { fail('Unrecognized gnocchi_backend parameter.') }
 }
 }
diff --git a/manifests/profile/base/manila/share.pp b/manifests/profile/base/manila/share.pp
index 452ff1f50..e40a666bc 100644
--- a/manifests/profile/base/manila/share.pp
+++ b/manifests/profile/base/manila/share.pp
@@ -141,6 +141,13 @@ class tripleo::profile::base::manila::share (
 "client.${cephfs_auth_id}/client mount uid": value => 0;
 "client.${cephfs_auth_id}/client mount gid": value => 0;
 }
+
+ exec{ "exec-setfacl-${cephfs_auth_id}}":
+ path => ['/bin', '/usr/bin' ],
+ command => "setfacl -m u:manila:r-- ${keyring_path}",
+ unless => "getfacl ${keyring_path} | grep -q user:manila:r--",
+ }
+ Ceph::Key<| title == "client.${cephfs_auth_id}" |> -> Exec["exec-setfacl-${cephfs_auth_id}-manila"]
 }
 # manila netapp:
diff --git a/manifests/profile/base/nova/compute_libvirt_shared.pp b/manifests/profile/base/nova/compute_libvirt_shared.pp
index 36235cde9..37fe1bd1e 100644
--- a/manifests/profile/base/nova/compute_libvirt_shared.pp
+++ b/manifests/profile/base/nova/compute_libvirt_shared.pp
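Review bot: In the manila hunk the exec title `"exec-setfacl-${cephfs_auth_id}}"` does not match the reference on the chaining line, `Exec["exec-setfacl-${cephfs_auth_id}-manila"]`: the title carries a stray `}` and lacks the `-manila` suffix, so the relationship points at a resource that is not in the catalog and compilation fails whenever a matching Ceph::Key is collected. Change the declaration to `exec{ "exec-setfacl-${cephfs_auth_id}-manila":`. Unlike the cinder, glance, gnocchi and nova hunks this one reuses `${keyring_path}`, which is assigned outside the hunk (the enclosing block starts before it); that is presumably the better shape, since it follows whatever path the key resource actually writes, and the other four hard-code `/etc/ceph/ceph.client.<name>.keyring` instead. No spec in this change exercises the manila, glance or nova branches, which is how the mismatch slipped through; a `contain_exec` assertion like the one added for cinder would have caught it.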
@@ -18,13 +18,18 @@
 #
 # === Parameters
 #
+# [*nova_rbd_client_name*]
+# (optional) name of RBD client
+# defaults to hiera('nova::compute::rbd::libvirt_rbd_user')
+#
 # [*step*]
 # (Optional) The current step in deployment. See tripleo-heat-templates
 # for more details.
 # Defaults to hiera('step')
 #
 class tripleo::profile::base::nova::compute_libvirt_shared (
- $step = Integer(hiera('step')),
+ $nova_rbd_client_name = hiera('nova::compute::rbd::libvirt_rbd_user','openstack'),
+ $step = Integer(hiera('step')),
 ) {
 if $step >= 4 {
 # Ceph + Libvirt
@@ -32,6 +37,12 @@ class tripleo::profile::base::nova::compute_libvirt_shared (
 $rbd_persistent_storage = hiera('rbd_persistent_storage', false)
 if $rbd_ephemeral_storage or $rbd_persistent_storage {
 include ::nova::compute::rbd
+ exec{ "exec-setfacl-${nova_rbd_client_name}-nova":
+ path => ['/bin', '/usr/bin'],
+ command => "setfacl -m u:nova:r-- /etc/ceph/ceph.client.${nova_rbd_client_name}.keyring",
+ unless => "getfacl /etc/ceph/ceph.client.${nova_rbd_client_name}.keyring | grep -q user:nova:r--",
+ }
+ Ceph::Key<| title == "client.${nova_rbd_client_name}" |> -> Exec["exec-setfacl-${nova_rbd_client_name}-nova"]
 }
 if $rbd_ephemeral_storage {
diff --git a/metadata.json b/metadata.json
index 48fb30352..c0876bd8b 100644
--- a/metadata.json
+++ b/metadata.json
@@ -25,6 +25,7 @@
 "dependencies": [
 { "name": "puppetlabs/stdlib", "version_requirement": ">= 4.12.0 < 5.0.0" },
 { "name": "sensu/sensu" },
- { "name": "yelp/uchiwa" }
+ { "name": "yelp/uchiwa" },
+ { "name": "openstack/ceph"}
 ]
 }
diff --git a/spec/classes/tripleo_profile_base_cinder_volume_spec.rb b/spec/classes/tripleo_profile_base_cinder_volume_spec.rb
index fab47cfa1..371fc9d0d 100644
--- a/spec/classes/tripleo_profile_base_cinder_volume_spec.rb
+++ b/spec/classes/tripleo_profile_base_cinder_volume_spec.rb
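Review bot: The new `{ "name": "openstack/ceph"}` dependency in metadata.json carries no `version_requirement`, unlike the `puppetlabs/stdlib` entry above it, so any release of that module satisfies the constraint even though the `Ceph::Key<| title == "client.…" |>` collectors added in the manifests rely on that type's title scheme and keyring path. Pin the range that was actually tested, e.g. `{ "name": "openstack/ceph", "version_requirement": "<TESTED_RANGE>" }` (placeholder — the page does not state a version). The missing space before the closing brace also differs from the surrounding entries.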
@@ -28,7 +28,9 @@ describe 'tripleo::profile::base::cinder::volume' do
 end
 let(:pre_condition) do
- "class { '::tripleo::profile::base::cinder': step => #{params[:step]}, oslomsg_rpc_hosts => ['127.0.0.1'] }"
+ "
+ class { '::tripleo::profile::base::cinder': step => #{params[:step]}, oslomsg_rpc_hosts => ['127.0.0.1'] }
+ "
 end
 context 'with step less than 4' do
@@ -175,6 +177,7 @@ describe 'tripleo::profile::base::cinder::volume' do
 params.merge!({
 :cinder_enable_rbd_backend => true,
 :cinder_enable_iscsi_backend => false,
+ :cinder_rbd_client_name => 'openstack'
 })
 end
 it 'should configure only ceph' do
@@ -186,6 +189,7 @@ describe 'tripleo::profile::base::cinder::volume' do
 is_expected.to contain_class('cinder::backends').with(
 :enabled_backends => ['tripleo_ceph']
 )
+ is_expected.to contain_exec('exec-setfacl-openstack-cinder')
 end
 context 'additional rbd pools' do
 # The list of additional rbd pools is not an input, but instead comes
diff --git a/spec/classes/tripleo_profile_base_gnocchi_api_spec.rb b/spec/classes/tripleo_profile_base_gnocchi_api_spec.rb
index 60e82b384..4f4c74943 100644
--- a/spec/classes/tripleo_profile_base_gnocchi_api_spec.rb
+++ b/spec/classes/tripleo_profile_base_gnocchi_api_spec.rb
@@ -19,7 +19,9 @@ require 'spec_helper'
 describe 'tripleo::profile::base::gnocchi::api' do
 shared_examples_for 'tripleo::profile::base::gnocchi::api' do
 let(:pre_condition) do
- "class { '::tripleo::profile::base::gnocchi': step => #{params[:step]}, }"
+ "
+ class { '::tripleo::profile::base::gnocchi': step => #{params[:step]}, }
+ "
 end
 context 'with step less than 3' do
@@ -94,7 +96,8 @@ describe 'tripleo::profile::base::gnocchi::api' do
 :step => 4,
 :gnocchi_backend => 'rbd',
 :gnocchi_redis_password => 'gnocchi',
- :redis_vip => '127.0.0.1'
+ :redis_vip => '127.0.0.1',
+ :gnocchi_rbd_client_name => 'openstack'
 }
 }
 it {
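Review bot: `is_expected.to contain_exec('exec-setfacl-openstack-cinder')` in the third cinder spec hunk only asserts that the resource exists, and since the whole point of the change is which ACL lands on the keyring, the command and guard should be pinned so a regression in either is caught: `is_expected.to contain_exec('exec-setfacl-openstack-cinder').with(:command => 'setfacl -m u:cinder:r-- /etc/ceph/ceph.client.openstack.keyring', :unless => 'getfacl /etc/ceph/ceph.client.openstack.keyring | grep -q user:cinder:r--')`. The same applies to the gnocchi assertion in the last hunk. Neither pre_condition declares a ceph::key, so the `Ceph::Key<| |> -> Exec[...]` ordering added in the manifests is not exercised by these specs; a `ceph::key` in the pre_condition plus a `that_requires` expectation would cover it.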
@@ -107,6 +110,7 @@ describe 'tripleo::profile::base::gnocchi::api' do
 :redis_url => 'redis://:gnocchi@127.0.0.1:6379/'
 )
 is_expected.to contain_class('gnocchi::storage::ceph')
+ is_expected.to contain_exec('exec-setfacl-openstack-gnocchi')
 }
 end