Merge "Revert "Set ACLs on ceph client keyrings""

2017-11-12 13:32:45 +00:00 · 2017-11-12 13:32:45 +00:00 · 69b4c0a663
commit 69b4c0a663
parent 11521f29c4 f3dd32b771
7 changed files with 3 additions and 46 deletions
--- a/manifests/profile/base/cinder/volume.pp
+++ b/manifests/profile/base/cinder/volume.pp
@ -164,13 +164,6 @@ class tripleo::profile::base::cinder::volume (
      include ::tripleo::profile::base::cinder::volume::rbd
      $cinder_rbd_backend_name = hiera('cinder::backend::rbd::volume_backend_name', 'tripleo_ceph')

-      exec{ 'exec-setfacl-openstack-cinder':
-        path    => ['/bin', '/usr/bin'],
-        command => 'setfacl -m u:cinder:r-- /etc/ceph/ceph.client.openstack.keyring',
-        unless  => 'getfacl /etc/ceph/ceph.client.openstack.keyring | grep -q "user:cinder:r--"',
-      }
-      Ceph::Key<||> -> Exec['exec-setfacl-openstack-cinder']
-
      $cinder_rbd_extra_pools = hiera('tripleo::profile::base::cinder::volume::rbd::cinder_rbd_extra_pools', undef)
      if $cinder_rbd_extra_pools {
          $base_name = $cinder_rbd_backend_name
--- a/manifests/profile/base/glance/api.pp
+++ b/manifests/profile/base/glance/api.pp
@ -129,16 +129,7 @@ class tripleo::profile::base::glance::api (
    case $glance_backend {
        'swift': { $backend_store = 'swift' }
        'file': { $backend_store = 'file' }
-        'rbd': {
-          $backend_store = 'rbd'
-          exec{ 'exec-setfacl-openstack-glance':
-            path    => ['/bin', '/usr/bin'],
-            command => 'setfacl -m u:glance:r-- /etc/ceph/ceph.client.openstack.keyring',
-            unless  => 'getfacl /etc/ceph/ceph.client.openstack.keyring | grep -q "user:glance:r--"',
-          }
-          Class['glance']->Exec['exec-setfacl-openstack-glance']
-          Ceph::Key<||> -> Exec['exec-setfacl-openstack-glance']
-        }
+        'rbd': { $backend_store = 'rbd' }
        'cinder': { $backend_store = 'cinder' }
        default: { fail('Unrecognized glance_backend parameter.') }
    }
--- a/manifests/profile/base/gnocchi/api.pp
+++ b/manifests/profile/base/gnocchi/api.pp
@ -124,15 +124,7 @@ class tripleo::profile::base::gnocchi::api (
        }
      }
      'file': { include ::gnocchi::storage::file }
-      'rbd': {
-        include ::gnocchi::storage::ceph
-        exec{ 'exec-setfacl-openstack-gnocchi':
-          path    => ['/bin', '/usr/bin'],
-          command => 'setfacl -m u:gnocchi:r-- /etc/ceph/ceph.client.openstack.keyring',
-          unless  => 'getfacl /etc/ceph/ceph.client.openstack.keyring | grep -q "user:gnocchi:r--"',
-        }
-        Ceph::Key<||> -> Exec['exec-satfacl-openstack-gnocchi']
-      }
+      'rbd': { include ::gnocchi::storage::ceph }
      default: { fail('Unrecognized gnocchi_backend parameter.') }
    }
  }
--- a/manifests/profile/base/manila/share.pp
+++ b/manifests/profile/base/manila/share.pp
@ -100,14 +100,7 @@ class tripleo::profile::base::manila::share (
      $cephfs_auth_id = hiera('manila::backend::cephfsnative::cephfs_auth_id')
      $keyring_path = "/etc/ceph/ceph.client.${cephfs_auth_id}.keyring"

-      exec{ "exec-setfacl-${cephfs_auth_id}}":
-        path    => ['/bin', '/usr/bin' ],
-        command => "setfacl -m u:manila:r-- ${keyring_path}",
-        unless  => "getfacl ${keyring_path} | grep -q \"user:manila:r--\"",
-      }
-      Ceph::Key<||> -> Exec["exec-satfacl-openstack-${cephfs_auth_id}"]
-
-      manila::backend::cephfs { $manila_cephfsnative_backend :
+      manila::backend::cephfsnative { $manila_cephfsnative_backend :
        driver_handles_share_servers => hiera('manila::backend::cephfsnative::driver_handles_share_servers', false),
        share_backend_name           => hiera('manila::backend::cephfsnative::share_backend_name'),
        cephfs_conf_path             => hiera('manila::backend::cephfsnative::cephfs_conf_path'),
--- a/manifests/profile/base/nova/compute_libvirt_shared.pp
+++ b/manifests/profile/base/nova/compute_libvirt_shared.pp
@ -32,12 +32,6 @@ class tripleo::profile::base::nova::compute_libvirt_shared (
    $rbd_persistent_storage = hiera('rbd_persistent_storage', false)
    if $rbd_ephemeral_storage or $rbd_persistent_storage {
      include ::nova::compute::rbd
-      exec{ 'exec-setfacl-openstack-nova':
-        path    => ['/bin', '/usr/bin'],
-        command => 'setfacl -m u:nova:r-- /etc/ceph/ceph.client.openstack.keyring',
-        unless  => 'getfacl /etc/ceph/ceph.client.openstack.keyring | grep -q "user:nova:r--"',
-      }
-      Ceph::Key<||> -> Exec['exec-satfacl-openstack-nova']
    }

    if $rbd_ephemeral_storage {
--- a/spec/classes/tripleo_profile_base_cinder_volume_spec.rb
+++ b/spec/classes/tripleo_profile_base_cinder_volume_spec.rb
@ -186,9 +186,6 @@ describe 'tripleo::profile::base::cinder::volume' do
          is_expected.to contain_class('cinder::backends').with(
            :enabled_backends => ['tripleo_ceph']
          )
-          is_expected.to contain_exec('exec-setfacl-openstack-cinder').with(
-             'command' => "setfacl -m u:cinder:r-- /etc/ceph/ceph.client.openstack.keyring"
-          )
        end
        context 'additional rbd pools' do
          # The list of additional rbd pools is not an input, but instead comes
--- a/spec/classes/tripleo_profile_base_gnocchi_api_spec.rb
+++ b/spec/classes/tripleo_profile_base_gnocchi_api_spec.rb
@ -107,9 +107,6 @@ describe 'tripleo::profile::base::gnocchi::api' do
          :redis_url => 'redis://:gnocchi@127.0.0.1:6379/'
        )
        is_expected.to contain_class('gnocchi::storage::ceph')
-        is_expected.to contain_exec('exec-setfacl-openstack-gnocchi').with(
-          'command' => 'setfacl -m u:gnocchi:r-- /etc/ceph/ceph.client.openstack.keyring'
-        )
      }
    end