Ensure appropriate ACL mask is set on CephX keyrings
Changing group permissions alters the ACL mask, causing the "read"
permission we set explicitly for the openstack users to be ignored.
This change ensures "read" is set in the ACL mask.
Change-Id: I4f94a3f7ab2c55a8c45363b8354be99d52980a7b
Closes-Bug: 1775549
(cherry picked from commit 2a59f98d78)
This commit is contained in:
parent
49d2326eff
commit
2268bd1a71
@ -200,6 +200,11 @@ class tripleo::profile::base::cinder::volume (
|
||||
command => "setfacl -m u:cinder:r-- /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring",
|
||||
unless => "getfacl /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring | grep -q user:cinder:r--",
|
||||
}
|
||||
-> exec{ "exec-setfacl-${cinder_rbd_client_name}-cinder-mask":
|
||||
path => ['/bin', '/usr/bin'],
|
||||
command => "setfacl -m m::r /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring",
|
||||
unless => "getfacl /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring | grep -q mask::r",
|
||||
}
|
||||
Ceph::Key<| title == "client.${cinder_rbd_client_name}" |> -> Exec["exec-setfacl-${cinder_rbd_client_name}-cinder"]
|
||||
|
||||
$cinder_rbd_extra_pools = hiera('tripleo::profile::base::cinder::volume::rbd::cinder_rbd_extra_pools', undef)
|
||||
|
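Review bot: The `unless` guard on the new `-mask` exec, `grep -q mask::r`, is an unanchored substring match, so it is also satisfied by `mask::rw-` or `mask::rwx` and the exec then never narrows the mask to the `r--` its command sets; if any read-bearing mask is acceptable that is fine, but the pattern should at least be anchored, `grep -q '^mask::r'`, and if the mask is meant to equal `r--` it should be `'^mask::r--$'`. The same guard is repeated in the glance, gnocchi, manila and nova hunks of this commit. Separately, the keyring path is built from `${cinder_rbd_client_name}` and placed unquoted in a pipeline that a shell evaluates, so a client name containing whitespace would split the argument; single-quoting the path in both `command` and `unless`, `'/etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring'`, avoids that, and the same applies to the other four hunks. The exec resource and the class these lines belong to begin above the hunk, so the exec provider in use could not be confirmed from here.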
@ -140,6 +140,11 @@ class tripleo::profile::base::glance::api (
|
||||
command => "setfacl -m u:glance:r-- /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring",
|
||||
unless => "getfacl /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring | grep -q user:glance:r--",
|
||||
}
|
||||
-> exec{ "exec-setfacl-${glance_rbd_client_name}-glance-mask":
|
||||
path => ['/bin', '/usr/bin'],
|
||||
command => "setfacl -m m::r /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring",
|
||||
unless => "getfacl /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring | grep -q mask::r",
|
||||
}
|
||||
Ceph::Key<| title == "client.${glance_rbd_client_name}" |> -> Exec["exec-setfacl-${glance_rbd_client_name}-glance"]
|
||||
}
|
||||
'cinder': { $backend_store = 'cinder' }
|
||||
|
@ -151,6 +151,11 @@ class tripleo::profile::base::gnocchi::api (
|
||||
command => "setfacl -m u:gnocchi:r-- /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring",
|
||||
unless => "getfacl /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring | grep -q user:gnocchi:r--",
|
||||
}
|
||||
-> exec{ "exec-setfacl-${gnocchi_rbd_client_name}-gnocchi-mask":
|
||||
path => ['/bin', '/usr/bin'],
|
||||
command => "setfacl -m m::r /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring",
|
||||
unless => "getfacl /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring | grep -q mask::r",
|
||||
}
|
||||
Ceph::Key<| title == "client.${gnocchi_rbd_client_name}" |> -> Exec["exec-setfacl-${gnocchi_rbd_client_name}-gnocchi"]
|
||||
}
|
||||
default: { fail('Unrecognized gnocchi_backend parameter.') }
|
||||
|
@ -147,6 +147,11 @@ class tripleo::profile::base::manila::share (
|
||||
command => "setfacl -m u:manila:r-- ${keyring_path}",
|
||||
unless => "getfacl ${keyring_path} | grep -q user:manila:r--",
|
||||
}
|
||||
-> exec{ "exec-setfacl-${cephfs_auth_id}-mask":
|
||||
path => ['/bin', '/usr/bin' ],
|
||||
command => "setfacl -m m::r ${keyring_path}",
|
||||
unless => "getfacl ${keyring_path} | grep -q mask::r",
|
||||
}
|
||||
Ceph::Key<| title == "client.${cephfs_auth_id}" |> -> Exec["exec-setfacl-${cephfs_auth_id}"]
|
||||
}
|
||||
|
||||
|
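Review bot: `path => ['/bin', '/usr/bin' ]` carries a stray space before the closing bracket that the other four profile hunks in this commit do not have; `path => ['/bin', '/usr/bin'],` keeps the five copies identical. This hunk passes `${keyring_path}` where the others rebuild the keyring path from the client name inline, which is the tidier form and worth adopting in the other profiles when they are next touched. The enclosing exec resource begins above the hunk.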
@ -42,6 +42,11 @@ class tripleo::profile::base::nova::compute_libvirt_shared (
|
||||
command => "setfacl -m u:nova:r-- /etc/ceph/ceph.client.${nova_rbd_client_name}.keyring",
|
||||
unless => "getfacl /etc/ceph/ceph.client.${nova_rbd_client_name}.keyring | grep -q user:nova:r--",
|
||||
}
|
||||
-> exec{ "exec-setfacl-${nova_rbd_client_name}-nova-mask":
|
||||
path => ['/bin', '/usr/bin'],
|
||||
command => "setfacl -m m::r /etc/ceph/ceph.client.${nova_rbd_client_name}.keyring",
|
||||
unless => "getfacl /etc/ceph/ceph.client.${nova_rbd_client_name}.keyring | grep -q mask::r",
|
||||
}
|
||||
Ceph::Key<| title == "client.${nova_rbd_client_name}" |> -> Exec["exec-setfacl-${nova_rbd_client_name}-nova"]
|
||||
}
|
||||
|
||||
|
@ -190,6 +190,7 @@ describe 'tripleo::profile::base::cinder::volume' do
|
||||
:enabled_backends => ['tripleo_ceph']
|
||||
)
|
||||
is_expected.to contain_exec('exec-setfacl-openstack-cinder')
|
||||
is_expected.to contain_exec('exec-setfacl-openstack-cinder-mask')
|
||||
end
|
||||
context 'additional rbd pools' do
|
||||
# The list of additional rbd pools is not an input, but instead comes
|
||||
|
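Review bot: The added expectation only checks that `exec-setfacl-openstack-cinder-mask` is declared, not what it runs, so a regression in its `command` or `unless` string would still pass; pinning the command, `is_expected.to contain_exec('exec-setfacl-openstack-cinder-mask').with_command('setfacl -m m::r /etc/ceph/ceph.client.openstack.keyring')`, would catch that. The gnocchi spec hunk below has the same shape. The glance, manila and nova profiles receive the same exec in this commit but no spec change for them is visible here; if those profiles have specs, the same expectation belongs there. The surrounding `it` block begins above the hunk.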
@ -113,6 +113,7 @@ describe 'tripleo::profile::base::gnocchi::api' do
|
||||
)
|
||||
is_expected.to contain_class('gnocchi::storage::ceph')
|
||||
is_expected.to contain_exec('exec-setfacl-openstack-gnocchi')
|
||||
is_expected.to contain_exec('exec-setfacl-openstack-gnocchi-mask')
|
||||
}
|
||||
end
|
||||
|
||||
|