Merge "Update cephx keys with ACLs for openstack services." into stable/ocata

manifests/profile/base/cinder/volume.pp

@@ -58,6 +58,10 @@
 #   (Optional) List of additional backend stanzas to activate
 #   Defaults to hiera('cinder_user_enabled_backends')
 #
+# [*cinder_rbd_client_name*]
+#   (Optional) Name of RBD client
+#   Defaults to hiera('tripleo::profile::base::cinder::volume::rbd::cinder_rbd_user_name')
+#
 # [*step*]
 #   (Optional) The current step in deployment. See tripleo-heat-templates
 #   for more details.
@@ -74,6 +78,7 @@ class tripleo::profile::base::cinder::volume (
   $cinder_enable_rbd_backend         = false,
   $cinder_enable_scaleio_backend     = false,
   $cinder_user_enabled_backends      = hiera('cinder_user_enabled_backends', undef),
+  $cinder_rbd_client_name            = hiera('tripleo::profile::base::cinder::volume::rbd::cinder_rbd_user_name','openstack'),
   $step                              = hiera('step'),
 ) {
   include ::tripleo::profile::base::cinder
@@ -134,6 +139,12 @@ class tripleo::profile::base::cinder::volume (
     if $cinder_enable_rbd_backend {
       include ::tripleo::profile::base::cinder::volume::rbd
       $cinder_rbd_backend_name = hiera('cinder::backend::rbd::volume_backend_name', 'tripleo_ceph')
+      exec{ "exec-setfacl-${cinder_rbd_client_name}-cinder":
+        path    => ['/bin', '/usr/bin'],
+        command => "setfacl -m u:cinder:r-- /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring",
+        unless  => "getfacl /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring | grep -q user:cinder:r--",
+      }
+      Ceph::Key<| title == "client.${cinder_rbd_client_name}" |> -> Exec["exec-setfacl-${cinder_rbd_client_name}-cinder"]
     } else {
       $cinder_rbd_backend_name = undef
     }

manifests/profile/base/glance/api.pp

@@ -87,6 +87,9 @@
 #   enable_internal_tls is set.
 #   defaults to 9292
 #
+# [*glance_rbd_client_name*]
+#   RBD client naem
+#   (optional) Defaults to hiera('glance::backend::rbd::rbd_store_user')
 class tripleo::profile::base::glance::api (
   $bootstrap_node                = hiera('bootstrap_nodeid', undef),
   $certificates_specs            = hiera('apache_certificates_specs', {}),
@@ -101,6 +104,7 @@ class tripleo::profile::base::glance::api (
   $tls_proxy_bind_ip             = undef,
   $tls_proxy_fqdn                = undef,
   $tls_proxy_port                = 9292,
+  $glance_rbd_client_name        = hiera('glance::backend::rbd::rbd_store_user','openstack'),
 ) {
   if $enable_internal_tls and $generate_service_certificates {
     ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
@@ -142,7 +146,15 @@ class tripleo::profile::base::glance::api (
     case $glance_backend {
         'swift': { $backend_store = 'glance.store.swift.Store' }
         'file': { $backend_store = 'glance.store.filesystem.Store' }
-        'rbd': { $backend_store = 'glance.store.rbd.Store' }
+        'rbd': {
+          $backend_store = 'glance.store.rbd.Store'
+          exec{ "exec-setfacl-${glance_rbd_client_name}-glance":
+            path    => ['/bin', '/usr/bin'],
+            command => "setfacl -m u:glance:r-- /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring",
+            unless  => "getfacl /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring | grep -q user:glance:r--",
+          }
+          Ceph::Key<| title == "client.${glance_rbd_client_name}" |> -> Exec["exec-setfacl-${glance_rbd_client_name}-glance"]
+        }
         default: { fail('Unrecognized glance_backend parameter.') }
     }
     $http_store = ['glance.store.http.Store']

manifests/profile/base/gnocchi/api.pp

@@ -63,6 +63,10 @@
 #  (Required) Redis ip address for the coordination url
 #  Defaults to hiera('redis_vip')
 #
+# [*gnocchi_rbd_client_name*]
+#   (Optional) RBD Client username.
+#   Defaults to hiera('gnocchi::storage::ceph::ceph_username')
+#
 # [*step*]
 #   (Optional) The current step in deployment. See tripleo-heat-templates
 #   for more details.
@@ -77,6 +81,7 @@ class tripleo::profile::base::gnocchi::api (
   $gnocchi_network               = hiera('gnocchi_api_network', undef),
   $gnocchi_redis_password        = hiera('gnocchi_redis_password'),
   $redis_vip                     = hiera('redis_vip'),
+  $gnocchi_rbd_client_name       = hiera('gnocchi::storage::ceph::ceph_username','openstack'),
   $step                          = hiera('step'),
 ) {
   if $::hostname == downcase($bootstrap_node) {
@@ -139,7 +144,15 @@ class tripleo::profile::base::gnocchi::api (
         }
       }
       'file': { include ::gnocchi::storage::file }
-      'rbd': { include ::gnocchi::storage::ceph }
+      'rbd': {
+        include ::gnocchi::storage::ceph
+        exec{ "exec-setfacl-${gnocchi_rbd_client_name}-gnocchi":
+          path    => ['/bin', '/usr/bin'],
+          command => "setfacl -m u:gnocchi:r-- /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring",
+          unless  => "getfacl /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring | grep -q user:gnocchi:r--",
+        }
+        Ceph::Key<| title == "client.${gnocchi_rbd_client_name}" |> -> Exec["exec-setfacl-${gnocchi_rbd_client_name}-gnocchi"]
+      }
       default: { fail('Unrecognized gnocchi_backend parameter.') }
     }
   }

manifests/profile/base/manila/share.pp

@@ -30,5 +30,14 @@ class tripleo::profile::base::manila::share (
 
   if $step >= 4 {
     include ::manila::share
+    $cephfs_auth_id = hiera('manila::backend::cephfsnative::cephfs_auth_id')
+    $keyring_path = "/etc/ceph/ceph.client.${cephfs_auth_id}.keyring"
+    exec{ "exec-setfacl-${cephfs_auth_id}":
+      path    => ['/bin', '/usr/bin' ],
+      command => "setfacl -m u:manila:r-- ${keyring_path}",
+      unless  => "getfacl ${keyring_path} | grep -q user:manila:r--",
+    }
+    Ceph::Key<| title == "client.${cephfs_auth_id}" |> -> Exec["exec-setfacl-${cephfs_auth_id}"]
+
   }
 }

metadata.json

@@ -25,6 +25,7 @@
   "dependencies": [
     { "name": "puppetlabs/stdlib", "version_requirement": ">= 3.2.0 < 5.0.0" },
     { "name": "sensu/sensu" },
-    { "name": "yelp/uchiwa" }
+    { "name": "yelp/uchiwa" },
+    { "name": "openstack/ceph"}
   ]
 }

spec/classes/tripleo_profile_base_cinder_volume_spec.rb

@@ -136,6 +136,7 @@ describe 'tripleo::profile::base::cinder::volume' do
           params.merge!({
             :cinder_enable_rbd_backend => true,
             :cinder_enable_iscsi_backend  => false,
+            :cinder_rbd_client_name      => 'openstack'
           })
         end
         it 'should configure only ceph' do
@@ -147,6 +148,7 @@ describe 'tripleo::profile::base::cinder::volume' do
           is_expected.to contain_class('cinder::backends').with(
             :enabled_backends => ['tripleo_ceph']
           )
+          is_expected.to contain_exec('exec-setfacl-openstack-cinder')
         end
       end
 

spec/classes/tripleo_profile_base_gnocchi_api_spec.rb

@@ -19,7 +19,9 @@ require 'spec_helper'
 describe 'tripleo::profile::base::gnocchi::api' do
   shared_examples_for 'tripleo::profile::base::gnocchi::api' do
     let(:pre_condition) do
-      "class { '::tripleo::profile::base::gnocchi': step => #{params[:step]}, }"
+      "
+        class { '::tripleo::profile::base::gnocchi': step => #{params[:step]}, }
+      "
     end
 
     context 'with step less than 3' do
@@ -91,7 +93,8 @@ describe 'tripleo::profile::base::gnocchi::api' do
         :step => 4,
         :gnocchi_backend => 'rbd',
         :gnocchi_redis_password => 'gnocchi',
-        :redis_vip => '127.0.0.1'
+        :redis_vip => '127.0.0.1',
+        :gnocchi_rbd_client_name => 'openstack'
       } }
 
       it {
@@ -101,6 +104,7 @@ describe 'tripleo::profile::base::gnocchi::api' do
           :coordination_url => 'redis://:gnocchi@127.0.0.1:6379/'
         )
         is_expected.to contain_class('gnocchi::storage::ceph')
+        is_expected.to contain_exec('exec-setfacl-openstack-gnocchi')
       }
     end