openstack
/
puppet-tripleo
Code Issues Proposed changes

Merge "Update cephx keys with ACLs for openstack services." into stable/newton

This commit is contained in:
Zuul 2018-01-16 18:08:22 +00:00 committed by Gerrit Code Review
parent e807e860fd c3bc692280
commit 64a4d7c3a4
5 changed files with 57 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
manifests/profile/base/cinder/volume.pp
View File

@ -46,6 +46,10 @@
# (Optional) List of additional backend stanzas to activate
# Defaults to hiera('cinder_user_enabled_backends')
#
# [*cinder_rbd_client_name*]
# (Optional) Name of RBD client
# Defaults to hiera('tripleo::profile::base::cinder::volume::rbd::cinder_rbd_user_name')
#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
@ -59,6 +63,7 @@ class tripleo::profile::base::cinder::volume (
$cinder_enable_nfs_backend = false,
$cinder_enable_rbd_backend = false,
$cinder_user_enabled_backends = hiera('cinder_user_enabled_backends', undef),
$cinder_rbd_client_name = hiera('tripleo::profile::base::cinder::volume::rbd::cinder_rbd_user_name','openstack'),
$step = hiera('step'),
) {
include ::tripleo::profile::base::cinder
@ -104,6 +109,13 @@ class tripleo::profile::base::cinder::volume (
if $cinder_enable_rbd_backend {
include ::tripleo::profile::base::cinder::volume::rbd
$cinder_rbd_backend_name = hiera('cinder::backend::rbd::volume_backend_name', 'tripleo_ceph')
exec{ "exec-setfacl-${cinder_rbd_client_name}-cinder":
path => ['/bin', '/usr/bin'],
command => "setfacl -m u:cinder:r-- /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring",
unless => "getfacl /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring | grep -q user:cinder:r--",
}
Ceph::Key<| title == "client.${cinder_rbd_client_name}" |> -> Exec["exec-setfacl-${cinder_rbd_client_name}-cinder"]
} else {
$cinder_rbd_backend_name = undef
}

15
manifests/profile/base/glance/api.pp
View File

@ -38,6 +38,10 @@
# [*rabbit_port*]
# IP port for rabbitmq service
# Defaults to hiera('glance::notify::rabbitmq::rabbit_port', 5672)
#
# [*glance_rbd_client_name*]
# Name used by the glance ceph key
# defaults to 'openstack'
class tripleo::profile::base::glance::api (
$glance_backend = downcase(hiera('glance_backend', 'swift')),
@ -45,6 +49,7 @@ class tripleo::profile::base::glance::api (
$step = hiera('step'),
$rabbit_hosts = hiera('rabbitmq_node_ips', undef),
$rabbit_port = hiera('glance::notify::rabbitmq::rabbit_port', 5672),
$glance_rbd_client_name = hiera('glance::backend::rbd::rbd_store_user','openstack'),
) {
if $step >= 1 and $glance_nfs_enabled {
@ -55,7 +60,15 @@ class tripleo::profile::base::glance::api (
case $glance_backend {
'swift': { $backend_store = 'glance.store.swift.Store' }
'file': { $backend_store = 'glance.store.filesystem.Store' }
'rbd': { $backend_store = 'glance.store.rbd.Store' }
'rbd': {
$backend_store = 'glance.store.rbd.Store'
exec{ "exec-setfacl-${glance_rbd_client_name}-glance":
path => ['/bin', '/usr/bin'],
command => "setfacl -m u:glance:r-- /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring",
unless => "getfacl /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring | grep -q user:glance:r--",
}
Ceph::Key<| title == "client.${glance_rbd_client_name}" |> -> Exec["exec-setfacl-${glance_rbd_client_name}-glance"]
}
default: { fail('Unrecognized glance_backend parameter.') }
}
$http_store = ['glance.store.http.Store']

15
manifests/profile/base/gnocchi/api.pp
View File

@ -26,6 +26,10 @@
# (Optional) Gnocchi backend string file, swift or rbd
# Defaults to swift
#
# [*gnocchi_rbd_client_name*]
# Name used by the gnocchi cephx key
# Defaults to 'openstack'
#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
@ -34,6 +38,7 @@
class tripleo::profile::base::gnocchi::api (
$bootstrap_node = hiera('bootstrap_nodeid', undef),
$gnocchi_backend = downcase(hiera('gnocchi_backend', 'swift')),
$gnocchi_rbd_client_name = hiera('gnocchi::storage::ceph::ceph_username','openstack'),
$step = hiera('step'),
) {
if $::hostname == downcase($bootstrap_node) {
@ -59,7 +64,15 @@ class tripleo::profile::base::gnocchi::api (
case $gnocchi_backend {
'swift': { include ::gnocchi::storage::swift }
'file': { include ::gnocchi::storage::file }
'rbd': { include ::gnocchi::storage::ceph }
'rbd': {
include ::gnocchi::storage::ceph
exec{ "exec-setfacl-${gnocchi_rbd_client_name}-gnocchi":
path => ['/bin', '/usr/bin'],
command => "setfacl -m u:gnocchi:r-- /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring",
unless => "getfacl /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring | grep -q user:gnocchi:r--",
}
Ceph::Key<| title == "client.${gnocchi_rbd_client_name}" |> -> Exec["exec-setfacl-${gnocchi_rbd_client_name}-gnocchi"]
}
default: { fail('Unrecognized gnocchi_backend parameter.') }
}
}

15
manifests/profile/base/manila/share.pp
View File

@ -30,5 +30,20 @@ class tripleo::profile::base::manila::share (
if $step >= 4 {
include ::manila::share
$cephfs_auth_id = hiera('manila::backend::cephfsnative::cephfs_auth_id')
$keyring_path = "/etc/ceph/ceph.client.${cephfs_auth_id}.keyring"
ceph_config {
"client.${cephfs_auth_id}/keyring": value => $keyring_path;
"client.${cephfs_auth_id}/client mount uid": value => 0;
"client.${cephfs_auth_id}/client mount gid": value => 0;
}
exec{ "exec-setfacl-${cephfs_auth_id}-manila":
path => ['/bin', '/usr/bin' ],
command => "setfacl -m u:manila:r-- ${keyring_path}",
unless => "getfacl ${keyring_path} | grep -q user:manila:r--",
}
Ceph::Key<| title == "client.${cephfs_auth_id}" |> -> Exec["exec-setfacl-${cephfs_auth_id}-manila"]
}
}

3
metadata.json
View File

@ -25,6 +25,7 @@
"dependencies": [
{ "name": "puppetlabs/stdlib", "version_requirement": ">= 3.2.0 < 5.0.0" },
{ "name": "sensu/sensu" },
{ "name": "yelp/uchiwa" }
{ "name": "yelp/uchiwa" },
{ "name": "openstack/ceph"}
]
}