Update cephx keys with ACLs for openstack services.

This patch will set file system ACLs on the ceph client keyring.
This will help resolve (1) for OSP Ocata and before

Change-Id: I0c1bc3d2362c6500b1a515d99f641f8c1468754a
Partial-Bug: #1720787
1: https://bugzilla.redhat.com/show_bug.cgi?id=1462657

manifests/profile/base/cinder/volume.pp

@@ -70,6 +70,10 @@
 #   (Optional) List of additional backend stanzas to activate
 #   Defaults to hiera('cinder_user_enabled_backends')
 #
+# [*cinder_rbd_client_name*]
+#   (Optional) Name of RBD client
+#   Defaults to hiera('tripleo::profile::base::cinder::volume::rbd::cinder_rbd_user_name')
+#
 # [*step*]
 #   (Optional) The current step in deployment. See tripleo-heat-templates
 #   for more details.
@@ -89,6 +93,7 @@ class tripleo::profile::base::cinder::volume (
   $cinder_enable_scaleio_backend            = false,
   $cinder_enable_vrts_hs_backend            = false,
   $cinder_user_enabled_backends             = hiera('cinder_user_enabled_backends', undef),
+  $cinder_rbd_client_name                   = hiera('tripleo::profile::base::cinder::volume::rbd::cinder_rbd_user_name','openstack'),
   $step                                     = Integer(hiera('step')),
 ) {
   include ::tripleo::profile::base::cinder
@@ -164,6 +169,13 @@ class tripleo::profile::base::cinder::volume (
       include ::tripleo::profile::base::cinder::volume::rbd
       $cinder_rbd_backend_name = hiera('cinder::backend::rbd::volume_backend_name', 'tripleo_ceph')
 
+      exec{ "exec-setfacl-${cinder_rbd_client_name}-cinder":
+        path    => ['/bin', '/usr/bin'],
+        command => "setfacl -m u:cinder:r-- /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring",
+        unless  => "getfacl /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring | grep -q user:cinder:r--",
+      }
+      Ceph::Key<| title == "client.${cinder_rbd_client_name}" |> -> Exec["exec-setfacl-${cinder_rbd_client_name}-cinder"]
+
       $cinder_rbd_extra_pools = hiera('tripleo::profile::base::cinder::volume::rbd::cinder_rbd_extra_pools', undef)
       if $cinder_rbd_extra_pools {
           $base_name = $cinder_rbd_backend_name

manifests/profile/base/glance/api.pp

@@ -79,6 +79,9 @@
 #   enable_internal_tls is set.
 #   defaults to 9292
 #
+# [*glance_rbd_client_name*]
+#   RBD client naem
+#   (optional) Defaults to hiera('glance::backend::rbd::rbd_store_user')
 class tripleo::profile::base::glance::api (
   $bootstrap_node                = hiera('bootstrap_nodeid', undef),
   $certificates_specs            = hiera('apache_certificates_specs', {}),
@@ -92,6 +95,7 @@ class tripleo::profile::base::glance::api (
   $tls_proxy_bind_ip             = undef,
   $tls_proxy_fqdn                = undef,
   $tls_proxy_port                = 9292,
+  $glance_rbd_client_name        = hiera('glance::backend::rbd::rbd_store_user','openstack'),
 ) {
   if $::hostname == downcase($bootstrap_node) {
     $sync_db = true
@@ -129,7 +133,15 @@ class tripleo::profile::base::glance::api (
     case $glance_backend {
         'swift': { $backend_store = 'swift' }
         'file': { $backend_store = 'file' }
-        'rbd': { $backend_store = 'rbd' }
+        'rbd': {
+          $backend_store = 'rbd'
+          exec{ "exec-setfacl-${glance_rbd_client_name}-glance":
+            path    => ['/bin', '/usr/bin'],
+            command => "setfacl -m u:glance:r-- /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring",
+            unless  => "getfacl /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring | grep -q user:glance:r--",
+          }
+          Ceph::Key<| title == "client.${glance_rbd_client_name}" |> -> Exec["exec-setfacl-${glance_rbd_client_name}-glance"]
+        }
         'cinder': { $backend_store = 'cinder' }
         default: { fail('Unrecognized glance_backend parameter.') }
     }

manifests/profile/base/gnocchi/api.pp

@@ -55,6 +55,10 @@
 #  (Required) Redis ip address for the coordination url
 #  Defaults to hiera('redis_vip')
 #
+# [*gnocchi_rbd_client_name*]
+#   (Optional) RBD Client username.
+#   Defaults to hiera('gnocchi::storage::ceph::ceph_username')
+#
 # [*step*]
 #   (Optional) The current step in deployment. See tripleo-heat-templates
 #   for more details.
@@ -68,6 +72,7 @@ class tripleo::profile::base::gnocchi::api (
   $gnocchi_network               = hiera('gnocchi_api_network', undef),
   $gnocchi_redis_password        = hiera('gnocchi_redis_password'),
   $redis_vip                     = hiera('redis_vip'),
+  $gnocchi_rbd_client_name       = hiera('gnocchi::storage::ceph::ceph_username','openstack'),
   $step                          = Integer(hiera('step')),
 ) {
   if $::hostname == downcase($bootstrap_node) {
@@ -124,7 +129,15 @@ class tripleo::profile::base::gnocchi::api (
         }
       }
       'file': { include ::gnocchi::storage::file }
-      'rbd': { include ::gnocchi::storage::ceph }
+      'rbd': {
+        include ::gnocchi::storage::ceph
+        exec{ "exec-setfacl-${gnocchi_rbd_client_name}-gnocchi":
+          path    => ['/bin', '/usr/bin'],
+          command => "setfacl -m u:gnocchi:r-- /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring",
+          unless  => "getfacl /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring | grep -q user:gnocchi:r--",
+        }
+        Ceph::Key<| title == "client.${gnocchi_rbd_client_name}" |> -> Exec["exec-setfacl-${gnocchi_rbd_client_name}-gnocchi"]
+      }
       default: { fail('Unrecognized gnocchi_backend parameter.') }
     }
   }

manifests/profile/base/manila/share.pp

@@ -141,6 +141,13 @@ class tripleo::profile::base::manila::share (
         "client.${cephfs_auth_id}/client mount uid": value => 0;
         "client.${cephfs_auth_id}/client mount gid": value => 0;
       }
+
+      exec{ "exec-setfacl-${cephfs_auth_id}}":
+        path    => ['/bin', '/usr/bin' ],
+        command => "setfacl -m u:manila:r-- ${keyring_path}",
+        unless  => "getfacl ${keyring_path} | grep -q user:manila:r--",
+      }
+      Ceph::Key<| title == "client.${cephfs_auth_id}" |> -> Exec["exec-setfacl-${cephfs_auth_id}-manila"]
     }
 
     # manila netapp:

manifests/profile/base/nova/compute_libvirt_shared.pp

@@ -18,13 +18,18 @@
 #
 # === Parameters
 #
+# [*nova_rbd_client_name*]
+#   (optional) name of RBD client
+#   defaults to hiera('nova::compute::rbd::libvirt_rbd_user')
+#
 # [*step*]
 #   (Optional) The current step in deployment. See tripleo-heat-templates
 #   for more details.
 #   Defaults to hiera('step')
 #
 class tripleo::profile::base::nova::compute_libvirt_shared (
-  $step = Integer(hiera('step')),
+  $nova_rbd_client_name = hiera('nova::compute::rbd::libvirt_rbd_user','openstack'),
+  $step                 = Integer(hiera('step')),
 ) {
   if $step >= 4 {
     # Ceph + Libvirt
@@ -32,6 +37,12 @@ class tripleo::profile::base::nova::compute_libvirt_shared (
     $rbd_persistent_storage = hiera('rbd_persistent_storage', false)
     if $rbd_ephemeral_storage or $rbd_persistent_storage {
       include ::nova::compute::rbd
+      exec{ "exec-setfacl-${nova_rbd_client_name}-nova":
+        path    => ['/bin', '/usr/bin'],
+        command => "setfacl -m u:nova:r-- /etc/ceph/ceph.client.${nova_rbd_client_name}.keyring",
+        unless  => "getfacl /etc/ceph/ceph.client.${nova_rbd_client_name}.keyring | grep -q user:nova:r--",
+      }
+      Ceph::Key<| title == "client.${nova_rbd_client_name}" |> -> Exec["exec-setfacl-${nova_rbd_client_name}-nova"]
     }
 
     if $rbd_ephemeral_storage {

metadata.json

@@ -25,6 +25,7 @@
   "dependencies": [
     { "name": "puppetlabs/stdlib", "version_requirement": ">= 4.12.0 < 5.0.0" },
     { "name": "sensu/sensu" },
-    { "name": "yelp/uchiwa" }
+    { "name": "yelp/uchiwa" },
+    { "name": "openstack/ceph"}
   ]
 }

spec/classes/tripleo_profile_base_cinder_volume_spec.rb

@@ -28,7 +28,9 @@ describe 'tripleo::profile::base::cinder::volume' do
     end
 
     let(:pre_condition) do
-      "class { '::tripleo::profile::base::cinder': step => #{params[:step]}, oslomsg_rpc_hosts => ['127.0.0.1'] }"
+      "
+        class { '::tripleo::profile::base::cinder': step => #{params[:step]}, oslomsg_rpc_hosts => ['127.0.0.1'] }
+      "
     end
 
     context 'with step less than 4' do
@@ -175,6 +177,7 @@ describe 'tripleo::profile::base::cinder::volume' do
           params.merge!({
             :cinder_enable_rbd_backend   => true,
             :cinder_enable_iscsi_backend => false,
+            :cinder_rbd_client_name      => 'openstack'
           })
         end
         it 'should configure only ceph' do
@@ -186,6 +189,7 @@ describe 'tripleo::profile::base::cinder::volume' do
           is_expected.to contain_class('cinder::backends').with(
             :enabled_backends => ['tripleo_ceph']
           )
+          is_expected.to contain_exec('exec-setfacl-openstack-cinder')
         end
         context 'additional rbd pools' do
           # The list of additional rbd pools is not an input, but instead comes

spec/classes/tripleo_profile_base_gnocchi_api_spec.rb

@@ -19,7 +19,9 @@ require 'spec_helper'
 describe 'tripleo::profile::base::gnocchi::api' do
   shared_examples_for 'tripleo::profile::base::gnocchi::api' do
     let(:pre_condition) do
-      "class { '::tripleo::profile::base::gnocchi': step => #{params[:step]}, }"
+      "
+        class { '::tripleo::profile::base::gnocchi': step => #{params[:step]}, }
+      "
     end
 
     context 'with step less than 3' do
@@ -94,7 +96,8 @@ describe 'tripleo::profile::base::gnocchi::api' do
         :step => 4,
         :gnocchi_backend => 'rbd',
         :gnocchi_redis_password => 'gnocchi',
-        :redis_vip => '127.0.0.1'
+        :redis_vip => '127.0.0.1',
+        :gnocchi_rbd_client_name => 'openstack'
       } }
 
       it {
@@ -107,6 +110,7 @@ describe 'tripleo::profile::base::gnocchi::api' do
           :redis_url => 'redis://:gnocchi@127.0.0.1:6379/'
         )
         is_expected.to contain_class('gnocchi::storage::ceph')
+        is_expected.to contain_exec('exec-setfacl-openstack-gnocchi')
       }
     end