Allow ceph client keyring files to have custom owner/group/mode
This is required for a future patch enabling the ceph immutable object cache. Change-Id: Ifd78224acf389200a79aea25461b499a7c0da5d1
parent
3502645d5a
commit
fdd2aaa00b
|
@ -21,7 +21,7 @@
|
||||||
{% set _keys = {} %}
|
{% set _keys = {} %}
|
||||||
{% for client in ceph_client_filtered_clients %}
|
{% for client in ceph_client_filtered_clients %}
|
||||||
{% set _ = _keys.update({
|
{% set _ = _keys.update({
|
||||||
client: lookup('file', ceph_keyrings_dir ~ '/' ~ client ~ '.keyring')
|
client: lookup('file', ceph_keyrings_dir ~ '/' ~ client['name'] ~ '.keyring')
|
||||||
})
|
})
|
||||||
%}
|
%}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
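Review bot: The key of the mapping handed to `_keys.update` is still the bare loop variable `client`, while the value on the same line now indexes `client['name']`; if the entries of `ceph_client_filtered_clients` are the mappings that the task files in this change read with `item['name']`, that key is a dict, which the Jinja dict literal cannot hash, and even if it rendered the later lookup `ceph_client_keys[item['name']]` is by name and would miss. The line should read `client['name']: lookup('file', ceph_keyrings_dir ~ '/' ~ client['name'] ~ '.keyring')`. The `{% for %}` block is complete inside the hunk, but the expression that wraps it is not visible here.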
@ -35,16 +35,17 @@
|
||||||
|
|
||||||
- name: From files | Provision ceph client keyrings
|
- name: From files | Provision ceph client keyrings
|
||||||
copy:
|
copy:
|
||||||
dest: "/etc/ceph/{{ ceph_cluster_name }}.client.{{ item }}.keyring"
|
dest: "/etc/ceph/{{ ceph_cluster_name }}.client.{{ item['name'] }}.keyring"
|
||||||
content: "{{ ceph_client_keys[item] }}\n" # noqa 206
|
content: "{{ ceph_client_keys[item['name']] }}\n" # noqa 206
|
||||||
group: "{{ cephkeys_access_group }}"
|
owner: "{{ client['owner'] | default('root') }}"
|
||||||
|
group: "{{ client['group'] | default(cephkeys_access_group) }}"
|
||||||
# ideally the permission will be: 0600 and the owner/group will be either
|
# ideally the permission will be: 0600 and the owner/group will be either
|
||||||
# glance , nova or cinder. For keys that require access by different users
|
# glance , nova or cinder. For keys that require access by different users
|
||||||
# (the cinder one) we should probably create a group 'cephkeys' and add
|
# (the cinder one) we should probably create a group 'cephkeys' and add
|
||||||
# nova/cinder to it.
|
# nova/cinder to it.
|
||||||
# If I'm correct, the use case for multiple users is on the computre nodes,
|
# If I'm correct, the use case for multiple users is on the computre nodes,
|
||||||
# access needed by users libvirt-qemu and nova
|
# access needed by users libvirt-qemu and nova
|
||||||
mode: 0640
|
mode: "{{ client['mode'] | default ('0640') }}"
|
||||||
with_items: "{{ ceph_client_filtered_clients }}"
|
with_items: "{{ ceph_client_filtered_clients }}"
|
||||||
notify:
|
notify:
|
||||||
- Restart os services
|
- Restart os services
|
||||||
|
|
|
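Review bot: The new `owner`, `group` and `mode` lines reference `client[...]`, but this task loops with `with_items` and its `dest`/`content` lines read the loop variable as `item['name']`; unless a `client` variable is defined elsewhere in the play, the lookup is undefined and `default()` silently yields `root`, `cephkeys_access_group` and `0640`, so the per-client values this commit introduces are never applied on the from-files path. The three lines should be `owner: "{{ item['owner'] | default('root') }}"`, `group: "{{ item['group'] | default(cephkeys_access_group) }}"` and `mode: "{{ item['mode'] | default('0640') }}"` (also dropping the stray space in `default ('0640')`). Keeping `mode` a quoted string is right; a comment such as `# mode must be an octal string, e.g. '0640'` above it would keep operators from supplying an unquoted number.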
@ -20,7 +20,7 @@
|
||||||
# the first get makes sure the client exists, so the second only runs when it
|
# the first get makes sure the client exists, so the second only runs when it
|
||||||
# exists, the trick is the different output of both, the second has the right
|
# exists, the trick is the different output of both, the second has the right
|
||||||
# output to put in a keyring; ceph admin should have already created the user
|
# output to put in a keyring; ceph admin should have already created the user
|
||||||
shell: "ceph auth get client.{{ item }} --cluster {{ ceph_cluster_name }} >/dev/null && ceph auth get-or-create client.{{ item }} --cluster {{ ceph_cluster_name }}"
|
shell: "ceph auth get client.{{ item['name'] }} --cluster {{ ceph_cluster_name }} >/dev/null && ceph auth get-or-create client.{{ item['name'] }} --cluster {{ ceph_cluster_name }}"
|
||||||
with_items: "{{ ceph_client_filtered_clients }}"
|
with_items: "{{ ceph_client_filtered_clients }}"
|
||||||
changed_when: false
|
changed_when: false
|
||||||
delegate_to: '{{ ceph_mon_host }}'
|
delegate_to: '{{ ceph_mon_host }}'
|
||||||
|
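Review bot: `item['name']` is still interpolated unquoted into the shell command string on the changed line; now that the client record is a mapping built from component defaults, wrapping both occurrences as `client.{{ item['name'] | quote }}` costs nothing and keeps an unexpected character in a client name from being interpreted by the shell. The task header is above the hunk, so whether `no_log` is set cannot be seen; the `get-or-create` output is the key material the later template consumes, so if `no_log: true` is absent it is worth adding.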
@ -36,18 +36,18 @@
|
||||||
# ceph get-or-create ... ... -o file?
|
# ceph get-or-create ... ... -o file?
|
||||||
template:
|
template:
|
||||||
src: ceph.client.keyring.j2
|
src: ceph.client.keyring.j2
|
||||||
dest: "/etc/ceph/{{ ceph_cluster_name }}.client.{{ item.item }}.keyring"
|
dest: "/etc/ceph/{{ ceph_cluster_name }}.client.{{ item.item['name'] }}.keyring"
|
||||||
backup: true
|
backup: true
|
||||||
owner: root
|
owner: "{{ item.item.owner | default('root') }}"
|
||||||
# TODO
|
# TODO
|
||||||
group: "{{ cephkeys_access_group }}"
|
group: "{{ item.item.group | default(cephkeys_access_group) }}"
|
||||||
# ideally the permission will be: 0600 and the owner/group will be either
|
# ideally the permission will be: 0600 and the owner/group will be either
|
||||||
# glance , nova or cinder. For keys that require access by different users
|
# glance , nova or cinder. For keys that require access by different users
|
||||||
# (the cinder one) we should probably create a group 'cephkeys' and add
|
# (the cinder one) we should probably create a group 'cephkeys' and add
|
||||||
# nova/cinder to it.
|
# nova/cinder to it.
|
||||||
# If I'm correct, the use case for multiple users is on the computre nodes,
|
# If I'm correct, the use case for multiple users is on the computre nodes,
|
||||||
# access needed by users libvirt-qemu and nova
|
# access needed by users libvirt-qemu and nova
|
||||||
mode: 0640
|
mode: "{{ item.item.mode | default('0640') }}"
|
||||||
with_items: "{{ ceph_client_keyrings.results }}"
|
with_items: "{{ ceph_client_keyrings.results }}"
|
||||||
when:
|
when:
|
||||||
- not item is skipped
|
- not item is skipped
|
||||||
|
|
|
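Review bot: The three new lookups use dot access (`item.item.owner`, `item.item.group`, `item.item.mode`) while the `dest` line in the same hunk uses `item.item['name']` and the from-files task in this change uses bracket access; pick one form, and bracket access is the safer choice in Ansible because dot access can collide with dict method names. The `# TODO` comment now stranded between `owner` and `group` no longer says what is pending once owner is configurable; either remove it or state the intent. The task's `- name:` line is above the hunk.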
@ -20,27 +20,27 @@ ceph_components:
|
||||||
- component: glance_api
|
- component: glance_api
|
||||||
package: "{{ python_ceph_packages }}"
|
package: "{{ python_ceph_packages }}"
|
||||||
client:
|
client:
|
||||||
- '{{ glance_ceph_client }}'
|
- name: '{{ glance_ceph_client }}'
|
||||||
service: '{{ ceph_glance_service_names }}'
|
service: '{{ ceph_glance_service_names }}'
|
||||||
- component: cinder_volume
|
- component: cinder_volume
|
||||||
package: "{{ [ 'ceph-common' ] + python_ceph_packages }}"
|
package: "{{ [ 'ceph-common' ] + python_ceph_packages }}"
|
||||||
client:
|
client:
|
||||||
- '{{ cinder_ceph_client }}'
|
- name: '{{ cinder_ceph_client }}'
|
||||||
service: '{{ ceph_cinder_service_names }}'
|
service: '{{ ceph_cinder_service_names }}'
|
||||||
- component: cinder_backup
|
- component: cinder_backup
|
||||||
package: "{{ [ 'ceph-common' ] + python_ceph_packages }}"
|
package: "{{ [ 'ceph-common' ] + python_ceph_packages }}"
|
||||||
client:
|
client:
|
||||||
- '{{ cinder_backup_ceph_client }}'
|
- name: '{{ cinder_backup_ceph_client }}'
|
||||||
service: '{{ ceph_cinder_service_names }}'
|
service: '{{ ceph_cinder_service_names }}'
|
||||||
- component: nova_compute
|
- component: nova_compute
|
||||||
package: "{{ libvirt_packages + [ 'ceph-common' ] + python_ceph_packages }}"
|
package: "{{ libvirt_packages + [ 'ceph-common' ] + python_ceph_packages }}"
|
||||||
client:
|
client:
|
||||||
- '{{ nova_ceph_client }}'
|
- name: "{{ nova_ceph_client }}"
|
||||||
service: '{{ ceph_nova_service_names }}'
|
service: '{{ ceph_nova_service_names }}'
|
||||||
- component: manila_share
|
- component: manila_share
|
||||||
package: "{{ ['ceph-common'] + python_ceph_packages }}"
|
package: "{{ ['ceph-common'] + python_ceph_packages }}"
|
||||||
client:
|
client:
|
||||||
- "{{ manila_ceph_client }}"
|
- name: "{{ manila_ceph_client }}"
|
||||||
service: "{{ ceph_manila_service_names }}"
|
service: "{{ ceph_manila_service_names }}"
|
||||||
|
|
||||||
ceph_extra_components: []
|
ceph_extra_components: []
|
||||||
|
|
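Review bot: The `client` entries change from a plain string to a mapping, but nothing in the defaults documents which keys the mapping accepts; a comment above the first component such as `# client entries are mappings: name (required), optional owner, group and mode (octal string, e.g. '0640')` would tell operators what `ceph_extra_components` must now look like. Existing `ceph_extra_components` overrides that still list a bare string will fail at `item['name']` in the tasks, so the change also deserves a release note. The `nova_ceph_client` entry switches to double quotes while its siblings keep single quotes; keep the quoting consistent. The `ceph_components:` key itself is above the hunk.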