Merge "Update cephx keys with ACLs for openstack services." into stable/newton
commit
64a4d7c3a4
|
@ -46,6 +46,10 @@
|
|||
# (Optional) List of additional backend stanzas to activate
|
||||
# Defaults to hiera('cinder_user_enabled_backends')
|
||||
#
|
||||
# [*cinder_rbd_client_name*]
|
||||
# (Optional) Name of RBD client
|
||||
# Defaults to hiera('tripleo::profile::base::cinder::volume::rbd::cinder_rbd_user_name')
|
||||
#
|
||||
# [*step*]
|
||||
# (Optional) The current step in deployment. See tripleo-heat-templates
|
||||
# for more details.
|
||||
|
@ -59,6 +63,7 @@ class tripleo::profile::base::cinder::volume (
|
|||
$cinder_enable_nfs_backend = false,
|
||||
$cinder_enable_rbd_backend = false,
|
||||
$cinder_user_enabled_backends = hiera('cinder_user_enabled_backends', undef),
|
||||
$cinder_rbd_client_name = hiera('tripleo::profile::base::cinder::volume::rbd::cinder_rbd_user_name','openstack'),
|
||||
$step = hiera('step'),
|
||||
) {
|
||||
include ::tripleo::profile::base::cinder
|
||||
|
@ -104,6 +109,13 @@ class tripleo::profile::base::cinder::volume (
|
|||
if $cinder_enable_rbd_backend {
|
||||
include ::tripleo::profile::base::cinder::volume::rbd
|
||||
$cinder_rbd_backend_name = hiera('cinder::backend::rbd::volume_backend_name', 'tripleo_ceph')
|
||||
|
||||
exec{ "exec-setfacl-${cinder_rbd_client_name}-cinder":
|
||||
path => ['/bin', '/usr/bin'],
|
||||
command => "setfacl -m u:cinder:r-- /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring",
|
||||
unless => "getfacl /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring | grep -q user:cinder:r--",
|
||||
}
|
||||
Ceph::Key<| title == "client.${cinder_rbd_client_name}" |> -> Exec["exec-setfacl-${cinder_rbd_client_name}-cinder"]
|
||||
} else {
|
||||
$cinder_rbd_backend_name = undef
|
||||
}
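Review bot: The `unless` guard on `exec-setfacl-${cinder_rbd_client_name}-cinder` greps for `user:cinder:r--` anywhere in the getfacl output, so it still matches when the ACL mask has been narrowed and getfacl prints the entry with a trailing `#effective:---`. If whatever manages the keyring re-applies a 0600-style mode (not visible in this hunk), the cinder user would lose read access and the exec would never repair it. Matching the whole line closes that gap: `unless => "getfacl /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring | grep -qx user:cinder:r--",`. The glance, gnocchi and manila execs in the later sections use the same guard.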
|
||||
|
|
|
@ -38,6 +38,10 @@
|
|||
# [*rabbit_port*]
|
||||
# IP port for rabbitmq service
|
||||
# Defaults to hiera('glance::notify::rabbitmq::rabbit_port', 5672)
|
||||
#
|
||||
# [*glance_rbd_client_name*]
|
||||
# Name used by the glance ceph key
|
||||
# defaults to 'openstack'
|
||||
|
||||
class tripleo::profile::base::glance::api (
|
||||
$glance_backend = downcase(hiera('glance_backend', 'swift')),
|
||||
|
@ -45,6 +49,7 @@ class tripleo::profile::base::glance::api (
|
|||
$step = hiera('step'),
|
||||
$rabbit_hosts = hiera('rabbitmq_node_ips', undef),
|
||||
$rabbit_port = hiera('glance::notify::rabbitmq::rabbit_port', 5672),
|
||||
$glance_rbd_client_name = hiera('glance::backend::rbd::rbd_store_user','openstack'),
|
||||
) {
|
||||
|
||||
if $step >= 1 and $glance_nfs_enabled {
|
||||
|
@ -55,7 +60,15 @@ class tripleo::profile::base::glance::api (
|
|||
case $glance_backend {
|
||||
'swift': { $backend_store = 'glance.store.swift.Store' }
|
||||
'file': { $backend_store = 'glance.store.filesystem.Store' }
|
||||
'rbd': { $backend_store = 'glance.store.rbd.Store' }
|
||||
'rbd': {
|
||||
$backend_store = 'glance.store.rbd.Store'
|
||||
exec{ "exec-setfacl-${glance_rbd_client_name}-glance":
|
||||
path => ['/bin', '/usr/bin'],
|
||||
command => "setfacl -m u:glance:r-- /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring",
|
||||
unless => "getfacl /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring | grep -q user:glance:r--",
|
||||
}
|
||||
Ceph::Key<| title == "client.${glance_rbd_client_name}" |> -> Exec["exec-setfacl-${glance_rbd_client_name}-glance"]
|
||||
}
|
||||
default: { fail('Unrecognized glance_backend parameter.') }
|
||||
}
|
||||
$http_store = ['glance.store.http.Store']
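Review bot: `$glance_rbd_client_name` comes straight from hiera and is interpolated into the `command` and `unless` strings of the new exec in the 'rbd' branch with no check on its content. The `unless` string needs a shell to interpret its pipe, so any shell metacharacter in the name would be interpreted as well, and a `/` would point setfacl at a different path. Hiera data is normally operator-controlled, so this is hardening rather than a known hole; a guard such as `validate_re($glance_rbd_client_name, '^[A-Za-z0-9_.-]+$')` ahead of the `case` would cover it. The class body starts outside this hunk, and the cinder, gnocchi and manila execs interpolate their client names the same way.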
|
||||
|
|
|
@ -26,6 +26,10 @@
|
|||
# (Optional) Gnocchi backend string file, swift or rbd
|
||||
# Defaults to swift
|
||||
#
|
||||
# [*gnocchi_rbd_client_name*]
|
||||
# Name used by the gnocchi cephx key
|
||||
# Defaults to 'openstack'
|
||||
#
|
||||
# [*step*]
|
||||
# (Optional) The current step in deployment. See tripleo-heat-templates
|
||||
# for more details.
|
||||
|
@ -34,6 +38,7 @@
|
|||
class tripleo::profile::base::gnocchi::api (
|
||||
$bootstrap_node = hiera('bootstrap_nodeid', undef),
|
||||
$gnocchi_backend = downcase(hiera('gnocchi_backend', 'swift')),
|
||||
$gnocchi_rbd_client_name = hiera('gnocchi::storage::ceph::ceph_username','openstack'),
|
||||
$step = hiera('step'),
|
||||
) {
|
||||
if $::hostname == downcase($bootstrap_node) {
|
||||
|
@ -59,7 +64,15 @@ class tripleo::profile::base::gnocchi::api (
|
|||
case $gnocchi_backend {
|
||||
'swift': { include ::gnocchi::storage::swift }
|
||||
'file': { include ::gnocchi::storage::file }
|
||||
'rbd': { include ::gnocchi::storage::ceph }
|
||||
'rbd': {
|
||||
include ::gnocchi::storage::ceph
|
||||
exec{ "exec-setfacl-${gnocchi_rbd_client_name}-gnocchi":
|
||||
path => ['/bin', '/usr/bin'],
|
||||
command => "setfacl -m u:gnocchi:r-- /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring",
|
||||
unless => "getfacl /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring | grep -q user:gnocchi:r--",
|
||||
}
|
||||
Ceph::Key<| title == "client.${gnocchi_rbd_client_name}" |> -> Exec["exec-setfacl-${gnocchi_rbd_client_name}-gnocchi"]
|
||||
}
|
||||
default: { fail('Unrecognized gnocchi_backend parameter.') }
|
||||
}
|
||||
}
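Review bot: The parameter documentation for `gnocchi_rbd_client_name` only says it defaults to 'openstack', which is the same default the cinder and glance profiles in this commit use, so with defaults three service accounts get read access to one keyring, `/etc/ceph/ceph.client.openstack.keyring`. Whatever capabilities that key carries (not visible here) are then exposed if any one of those services is compromised. I would say so in the parameter block, for example `# Sharing one client name across services gives each of them read access to the same key; set a per-service cephx key to limit exposure.`, so operators know what the override is for.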
|
||||
|
|
|
@ -30,5 +30,20 @@ class tripleo::profile::base::manila::share (
|
|||
|
||||
if $step >= 4 {
|
||||
include ::manila::share
|
||||
|
||||
$cephfs_auth_id = hiera('manila::backend::cephfsnative::cephfs_auth_id')
|
||||
$keyring_path = "/etc/ceph/ceph.client.${cephfs_auth_id}.keyring"
|
||||
ceph_config {
|
||||
"client.${cephfs_auth_id}/keyring": value => $keyring_path;
|
||||
"client.${cephfs_auth_id}/client mount uid": value => 0;
|
||||
"client.${cephfs_auth_id}/client mount gid": value => 0;
|
||||
}
|
||||
|
||||
exec{ "exec-setfacl-${cephfs_auth_id}-manila":
|
||||
path => ['/bin', '/usr/bin' ],
|
||||
command => "setfacl -m u:manila:r-- ${keyring_path}",
|
||||
unless => "getfacl ${keyring_path} | grep -q user:manila:r--",
|
||||
}
|
||||
Ceph::Key<| title == "client.${cephfs_auth_id}" |> -> Exec["exec-setfacl-${cephfs_auth_id}-manila"]
|
||||
}
|
||||
}
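Review bot: `hiera('manila::backend::cephfsnative::cephfs_auth_id')` is looked up without a default, and the `ceph_config` and setfacl resources that follow are declared for every deployment that reaches `if $step >= 4`, with no check that the CephFS backend is in use. On a node running manila-share with another backend the lookup would presumably fail catalog compilation, or, if the key happens to be set, setfacl would run against a keyring that may not exist. Consider `$cephfs_auth_id = hiera('manila::backend::cephfsnative::cephfs_auth_id', undef)` and wrapping the new resources in `if $cephfs_auth_id { ... }`. The class header and any earlier backend handling are outside this hunk, so confirm nothing upstream already restricts this profile to CephFS.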
|
||||
|
|
|
@ -25,6 +25,7 @@
|
|||
"dependencies": [
|
||||
{ "name": "puppetlabs/stdlib", "version_requirement": ">= 3.2.0 < 5.0.0" },
|
||||
{ "name": "sensu/sensu" },
|
||||
{ "name": "yelp/uchiwa" }
|
||||
{ "name": "yelp/uchiwa" },
|
||||
{ "name": "openstack/ceph"}
|
||||
]
|
||||
}
|
||||
|
|