openstack/openstack-helm-infra
Code Issues Proposed changes

Restrict libvirt Ceph access scope to what is needed only.

Browse Source 
Change-Id: I78bffe6764e9cbb16b2a615be766c910ba5d4e48
This commit is contained in:
Jean-Charles Lopez 2018-10-05 15:22:23 -07:00 committed by Chris Wedgwood
parent 4835aa637a
commit 566a489bbe
1 changed files with 4 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
libvirt/templates/bin/_ceph-keyring.sh.tpl
View File

@ -26,12 +26,11 @@ cat > ${KEYRING} <<EOF
key = {{ .Values.conf.ceph.cinder.keyring }}
EOF
{{- else }}
if ! [ "x${CEPH_CINDER_USER}" == "xadmin"]; then
#NOTE(Portdirect): Determine proper privs to assign keyring
if ! [ "x${CEPH_CINDER_USER}" == "xadmin" ]; then
#NOTE(JCL): Restrict access to the cluster to only what is needed. MON Read only and RBD access.
ceph auth get-or-create client.${CEPH_CINDER_USER} \
mon "allow *" \
osd "allow *" \
mgr "allow *" \
mon "profile rbd" \
osd "profile rbd" \
-o ${KEYRING}
rm -f /etc/ceph/ceph.client.admin.keyring