Merge "Update cephx keys with ACLs for openstack services." into stable/ocata
This commit is contained in:
commit
6791537deb
|
@ -58,6 +58,10 @@
|
|||
# (Optional) List of additional backend stanzas to activate
|
||||
# Defaults to hiera('cinder_user_enabled_backends')
|
||||
#
|
||||
# [*cinder_rbd_client_name*]
|
||||
# (Optional) Name of RBD client
|
||||
# Defaults to hiera('tripleo::profile::base::cinder::volume::rbd::cinder_rbd_user_name')
|
||||
#
|
||||
# [*step*]
|
||||
# (Optional) The current step in deployment. See tripleo-heat-templates
|
||||
# for more details.
|
||||
|
@ -74,6 +78,7 @@ class tripleo::profile::base::cinder::volume (
|
|||
$cinder_enable_rbd_backend = false,
|
||||
$cinder_enable_scaleio_backend = false,
|
||||
$cinder_user_enabled_backends = hiera('cinder_user_enabled_backends', undef),
|
||||
$cinder_rbd_client_name = hiera('tripleo::profile::base::cinder::volume::rbd::cinder_rbd_user_name','openstack'),
|
||||
$step = hiera('step'),
|
||||
) {
|
||||
include ::tripleo::profile::base::cinder
|
||||
|
@ -134,6 +139,12 @@ class tripleo::profile::base::cinder::volume (
|
|||
if $cinder_enable_rbd_backend {
|
||||
include ::tripleo::profile::base::cinder::volume::rbd
|
||||
$cinder_rbd_backend_name = hiera('cinder::backend::rbd::volume_backend_name', 'tripleo_ceph')
|
||||
exec{ "exec-setfacl-${cinder_rbd_client_name}-cinder":
|
||||
path => ['/bin', '/usr/bin'],
|
||||
command => "setfacl -m u:cinder:r-- /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring",
|
||||
unless => "getfacl /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring | grep -q user:cinder:r--",
|
||||
}
|
||||
Ceph::Key<| title == "client.${cinder_rbd_client_name}" |> -> Exec["exec-setfacl-${cinder_rbd_client_name}-cinder"]
|
||||
} else {
|
||||
$cinder_rbd_backend_name = undef
|
||||
}
|
||||
|
|
|
@ -87,6 +87,9 @@
|
|||
# enable_internal_tls is set.
|
||||
# defaults to 9292
|
||||
#
|
||||
# [*glance_rbd_client_name*]
|
||||
# RBD client naem
|
||||
# (optional) Defaults to hiera('glance::backend::rbd::rbd_store_user')
|
||||
class tripleo::profile::base::glance::api (
|
||||
$bootstrap_node = hiera('bootstrap_nodeid', undef),
|
||||
$certificates_specs = hiera('apache_certificates_specs', {}),
|
||||
|
@ -101,6 +104,7 @@ class tripleo::profile::base::glance::api (
|
|||
$tls_proxy_bind_ip = undef,
|
||||
$tls_proxy_fqdn = undef,
|
||||
$tls_proxy_port = 9292,
|
||||
$glance_rbd_client_name = hiera('glance::backend::rbd::rbd_store_user','openstack'),
|
||||
) {
|
||||
if $enable_internal_tls and $generate_service_certificates {
|
||||
ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
|
||||
|
@ -142,7 +146,15 @@ class tripleo::profile::base::glance::api (
|
|||
case $glance_backend {
|
||||
'swift': { $backend_store = 'glance.store.swift.Store' }
|
||||
'file': { $backend_store = 'glance.store.filesystem.Store' }
|
||||
'rbd': { $backend_store = 'glance.store.rbd.Store' }
|
||||
'rbd': {
|
||||
$backend_store = 'glance.store.rbd.Store'
|
||||
exec{ "exec-setfacl-${glance_rbd_client_name}-glance":
|
||||
path => ['/bin', '/usr/bin'],
|
||||
command => "setfacl -m u:glance:r-- /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring",
|
||||
unless => "getfacl /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring | grep -q user:glance:r--",
|
||||
}
|
||||
Ceph::Key<| title == "client.${glance_rbd_client_name}" |> -> Exec["exec-setfacl-${glance_rbd_client_name}-glance"]
|
||||
}
|
||||
default: { fail('Unrecognized glance_backend parameter.') }
|
||||
}
|
||||
$http_store = ['glance.store.http.Store']
|
||||
|
|
|
@ -63,6 +63,10 @@
|
|||
# (Required) Redis ip address for the coordination url
|
||||
# Defaults to hiera('redis_vip')
|
||||
#
|
||||
# [*gnocchi_rbd_client_name*]
|
||||
# (Optional) RBD Client username.
|
||||
# Defaults to hiera('gnocchi::storage::ceph::ceph_username')
|
||||
#
|
||||
# [*step*]
|
||||
# (Optional) The current step in deployment. See tripleo-heat-templates
|
||||
# for more details.
|
||||
|
@ -77,6 +81,7 @@ class tripleo::profile::base::gnocchi::api (
|
|||
$gnocchi_network = hiera('gnocchi_api_network', undef),
|
||||
$gnocchi_redis_password = hiera('gnocchi_redis_password'),
|
||||
$redis_vip = hiera('redis_vip'),
|
||||
$gnocchi_rbd_client_name = hiera('gnocchi::storage::ceph::ceph_username','openstack'),
|
||||
$step = hiera('step'),
|
||||
) {
|
||||
if $::hostname == downcase($bootstrap_node) {
|
||||
|
@ -139,7 +144,15 @@ class tripleo::profile::base::gnocchi::api (
|
|||
}
|
||||
}
|
||||
'file': { include ::gnocchi::storage::file }
|
||||
'rbd': { include ::gnocchi::storage::ceph }
|
||||
'rbd': {
|
||||
include ::gnocchi::storage::ceph
|
||||
exec{ "exec-setfacl-${gnocchi_rbd_client_name}-gnocchi":
|
||||
path => ['/bin', '/usr/bin'],
|
||||
command => "setfacl -m u:gnocchi:r-- /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring",
|
||||
unless => "getfacl /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring | grep -q user:gnocchi:r--",
|
||||
}
|
||||
Ceph::Key<| title == "client.${gnocchi_rbd_client_name}" |> -> Exec["exec-setfacl-${gnocchi_rbd_client_name}-gnocchi"]
|
||||
}
|
||||
default: { fail('Unrecognized gnocchi_backend parameter.') }
|
||||
}
|
||||
}
|
||||
|
|
|
@ -30,5 +30,14 @@ class tripleo::profile::base::manila::share (
|
|||
|
||||
if $step >= 4 {
|
||||
include ::manila::share
|
||||
$cephfs_auth_id = hiera('manila::backend::cephfsnative::cephfs_auth_id')
|
||||
$keyring_path = "/etc/ceph/ceph.client.${cephfs_auth_id}.keyring"
|
||||
exec{ "exec-setfacl-${cephfs_auth_id}":
|
||||
path => ['/bin', '/usr/bin' ],
|
||||
command => "setfacl -m u:manila:r-- ${keyring_path}",
|
||||
unless => "getfacl ${keyring_path} | grep -q user:manila:r--",
|
||||
}
|
||||
Ceph::Key<| title == "client.${cephfs_auth_id}" |> -> Exec["exec-setfacl-${cephfs_auth_id}"]
|
||||
|
||||
}
|
||||
}
|
||||
|
|
|
@ -25,6 +25,7 @@
|
|||
"dependencies": [
|
||||
{ "name": "puppetlabs/stdlib", "version_requirement": ">= 3.2.0 < 5.0.0" },
|
||||
{ "name": "sensu/sensu" },
|
||||
{ "name": "yelp/uchiwa" }
|
||||
{ "name": "yelp/uchiwa" },
|
||||
{ "name": "openstack/ceph"}
|
||||
]
|
||||
}
|
||||
|
|
|
@ -136,6 +136,7 @@ describe 'tripleo::profile::base::cinder::volume' do
|
|||
params.merge!({
|
||||
:cinder_enable_rbd_backend => true,
|
||||
:cinder_enable_iscsi_backend => false,
|
||||
:cinder_rbd_client_name => 'openstack'
|
||||
})
|
||||
end
|
||||
it 'should configure only ceph' do
|
||||
|
@ -147,6 +148,7 @@ describe 'tripleo::profile::base::cinder::volume' do
|
|||
is_expected.to contain_class('cinder::backends').with(
|
||||
:enabled_backends => ['tripleo_ceph']
|
||||
)
|
||||
is_expected.to contain_exec('exec-setfacl-openstack-cinder')
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -19,7 +19,9 @@ require 'spec_helper'
|
|||
describe 'tripleo::profile::base::gnocchi::api' do
|
||||
shared_examples_for 'tripleo::profile::base::gnocchi::api' do
|
||||
let(:pre_condition) do
|
||||
"class { '::tripleo::profile::base::gnocchi': step => #{params[:step]}, }"
|
||||
"
|
||||
class { '::tripleo::profile::base::gnocchi': step => #{params[:step]}, }
|
||||
"
|
||||
end
|
||||
|
||||
context 'with step less than 3' do
|
||||
|
@ -91,7 +93,8 @@ describe 'tripleo::profile::base::gnocchi::api' do
|
|||
:step => 4,
|
||||
:gnocchi_backend => 'rbd',
|
||||
:gnocchi_redis_password => 'gnocchi',
|
||||
:redis_vip => '127.0.0.1'
|
||||
:redis_vip => '127.0.0.1',
|
||||
:gnocchi_rbd_client_name => 'openstack'
|
||||
} }
|
||||
|
||||
it {
|
||||
|
@ -101,6 +104,7 @@ describe 'tripleo::profile::base::gnocchi::api' do
|
|||
:coordination_url => 'redis://:gnocchi@127.0.0.1:6379/'
|
||||
)
|
||||
is_expected.to contain_class('gnocchi::storage::ceph')
|
||||
is_expected.to contain_exec('exec-setfacl-openstack-gnocchi')
|
||||
}
|
||||
end
|
||||
|
||||
|
|
Loading…
Reference in New Issue