Ensure appropriate ACL mask is set on CephX keyrings

Changing group permissions alters the ACL mask, causing the "read" permission we set explicitly for the openstack users to be ignored. This change ensures "read" is set for the ACLs mask. Change-Id: I4f94a3f7ab2c55a8c45363b8354be99d52980a7b Closes-Bug: 1775549
2018-06-07 11:08:59 +02:00 · 2018-06-07 11:08:59 +02:00 · 2a59f98d78
commit 2a59f98d78
parent aa9d35e867
7 changed files with 27 additions and 0 deletions
--- a/manifests/profile/base/cinder/volume.pp
+++ b/manifests/profile/base/cinder/volume.pp
@ -205,6 +205,11 @@ class tripleo::profile::base::cinder::volume (
        command => "setfacl -m u:cinder:r-- /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring",
        unless  => "getfacl /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring | grep -q user:cinder:r--",
      }
+      -> exec{ "exec-setfacl-${cinder_rbd_client_name}-cinder-mask":
+        path    => ['/bin', '/usr/bin'],
+        command => "setfacl -m m::r /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring",
+        unless  => "getfacl /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring | grep -q mask::r",
+      }

      $cinder_rbd_extra_pools = hiera('tripleo::profile::base::cinder::volume::rbd::cinder_rbd_extra_pools', undef)
      if $cinder_rbd_extra_pools {
--- a/manifests/profile/base/glance/api.pp
+++ b/manifests/profile/base/glance/api.pp
@ -190,6 +190,11 @@ class tripleo::profile::base::glance::api (
            command => "setfacl -m u:glance:r-- /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring",
            unless  => "getfacl /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring | grep -q user:glance:r--",
          }
+          -> exec{ "exec-setfacl-${glance_rbd_client_name}-glance-mask":
+            path    => ['/bin', '/usr/bin'],
+            command => "setfacl -m m::r /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring",
+            unless  => "getfacl /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring | grep -q mask::r",
+          }
        }
        'cinder': { $backend_store = 'cinder' }
        default: { fail('Unrecognized glance_backend parameter.') }
--- a/manifests/profile/base/gnocchi/api.pp
+++ b/manifests/profile/base/gnocchi/api.pp
@ -151,6 +151,11 @@ class tripleo::profile::base::gnocchi::api (
          command => "setfacl -m u:gnocchi:r-- /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring",
          unless  => "getfacl /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring | grep -q user:gnocchi:r--",
        }
+        -> exec{ "exec-setfacl-${gnocchi_rbd_client_name}-gnocchi-mask":
+          path    => ['/bin', '/usr/bin'],
+          command => "setfacl -m m::r /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring",
+          unless  => "getfacl /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring | grep -q mask::r",
+        }
      }
      default: { fail('Unrecognized gnocchi_backend parameter.') }
    }
--- a/manifests/profile/base/manila/share.pp
+++ b/manifests/profile/base/manila/share.pp
@ -147,6 +147,11 @@ class tripleo::profile::base::manila::share (
        command => "setfacl -m u:manila:r-- ${keyring_path}",
        unless  => "getfacl ${keyring_path} | grep -q user:manila:r--",
      }
+      -> exec{ "exec-setfacl-${cephfs_auth_id}-mask":
+        path    => ['/bin', '/usr/bin' ],
+        command => "setfacl -m m::r ${keyring_path}",
+        unless  => "getfacl ${keyring_path} | grep -q mask::r",
+      }
    }

    # manila netapp:
--- a/manifests/profile/base/nova/compute_libvirt_shared.pp
+++ b/manifests/profile/base/nova/compute_libvirt_shared.pp
@ -42,6 +42,11 @@ class tripleo::profile::base::nova::compute_libvirt_shared (
        command => "setfacl -m u:nova:r-- /etc/ceph/ceph.client.${nova_rbd_client_name}.keyring",
        unless  => "getfacl /etc/ceph/ceph.client.${nova_rbd_client_name}.keyring | grep -q user:nova:r--",
      }
+      -> exec{ "exec-setfacl-${nova_rbd_client_name}-nova-mask":
+        path    => ['/bin', '/usr/bin'],
+        command => "setfacl -m m::r /etc/ceph/ceph.client.${nova_rbd_client_name}.keyring",
+        unless  => "getfacl /etc/ceph/ceph.client.${nova_rbd_client_name}.keyring | grep -q mask::r",
+      }
    }

    if $rbd_ephemeral_storage {
--- a/spec/classes/tripleo_profile_base_cinder_volume_spec.rb
+++ b/spec/classes/tripleo_profile_base_cinder_volume_spec.rb
@ -190,6 +190,7 @@ describe 'tripleo::profile::base::cinder::volume' do
            :enabled_backends => ['tripleo_ceph']
          )
          is_expected.to contain_exec('exec-setfacl-openstack-cinder')
+          is_expected.to contain_exec('exec-setfacl-openstack-cinder-mask')
        end
        context 'additional rbd pools' do
          # The list of additional rbd pools is not an input, but instead comes
--- a/spec/classes/tripleo_profile_base_gnocchi_api_spec.rb
+++ b/spec/classes/tripleo_profile_base_gnocchi_api_spec.rb
@ -113,6 +113,7 @@ describe 'tripleo::profile::base::gnocchi::api' do
        )
        is_expected.to contain_class('gnocchi::storage::ceph')
        is_expected.to contain_exec('exec-setfacl-openstack-gnocchi')
+        is_expected.to contain_exec('exec-setfacl-openstack-gnocchi-mask')
      }
    end