Restrict libvirt Ceph access scope to what is needed only.

Change-Id: I78bffe6764e9cbb16b2a615be766c910ba5d4e48
Jean-Charles Lopez 2018-10-05 15:22:23 -07:00 committed by Chris Wedgwood
parent 4835aa637a
commit 566a489bbe


@ -26,12 +26,11 @@ cat > ${KEYRING} <<EOF
key = {{ .Values.conf.ceph.cinder.keyring }} key = {{ .Values.conf.ceph.cinder.keyring }}
EOF EOF
{{- else }} {{- else }}
if ! [ "x${CEPH_CINDER_USER}" == "xadmin"]; then if ! [ "x${CEPH_CINDER_USER}" == "xadmin" ]; then
#NOTE(Portdirect): Determine proper privs to assign keyring #NOTE(JCL): Restrict access to the cluster to only what is needed. MON Read only and RBD access.
ceph auth get-or-create client.${CEPH_CINDER_USER} \ ceph auth get-or-create client.${CEPH_CINDER_USER} \
mon "allow *" \ mon "profile rbd" \
osd "allow *" \ osd "profile rbd" \
mgr "allow *" \
-o ${KEYRING} -o ${KEYRING}
rm -f /etc/ceph/ceph.client.admin.keyring rm -f /etc/ceph/ceph.client.admin.keyring