Merge "Update cephx keys with ACLs for openstack services."

manifests/profile/base/cinder/volume.pp

@@ -70,6 +70,10 @@
 #   (Optional) List of additional backend stanzas to activate
 #   Defaults to hiera('cinder_user_enabled_backends')
 #
+# [*cinder_rbd_client_name*]
+#   (Optional) Name of RBD client
+#   Defaults to hiera('tripleo::profile::base::cinder::volume::rbd::cinder_rbd_user_name')
+#
 # [*step*]
 #   (Optional) The current step in deployment. See tripleo-heat-templates
 #   for more details.
@@ -89,6 +93,7 @@ class tripleo::profile::base::cinder::volume (
   $cinder_enable_scaleio_backend            = false,
   $cinder_enable_vrts_hs_backend            = false,
   $cinder_user_enabled_backends             = hiera('cinder_user_enabled_backends', undef),
+  $cinder_rbd_client_name                   = hiera('tripleo::profile::base::cinder::volume::rbd::cinder_rbd_user_name','openstack'),
   $step                                     = Integer(hiera('step')),
 ) {
   include ::tripleo::profile::base::cinder
@@ -164,6 +169,13 @@ class tripleo::profile::base::cinder::volume (
       include ::tripleo::profile::base::cinder::volume::rbd
       $cinder_rbd_backend_name = hiera('cinder::backend::rbd::volume_backend_name', 'tripleo_ceph')
 
+      exec{ "exec-setfacl-${cinder_rbd_client_name}-cinder":
+        path    => ['/bin', '/usr/bin'],
+        command => "setfacl -m u:cinder:r-- /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring",
+        unless  => "getfacl /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring | grep -q user:cinder:r--",
+      }
+      Ceph::Key<| title == "client.${cinder_rbd_client_name}" |> -> Exec["exec-setfacl-${cinder_rbd_client_name}-cinder"]
+
       $cinder_rbd_extra_pools = hiera('tripleo::profile::base::cinder::volume::rbd::cinder_rbd_extra_pools', undef)
       if $cinder_rbd_extra_pools {
           $base_name = $cinder_rbd_backend_name

manifests/profile/base/glance/api.pp

@@ -79,6 +79,9 @@
 #   enable_internal_tls is set.
 #   defaults to 9292
 #
+# [*glance_rbd_client_name*]
+#   RBD client naem
+#   (optional) Defaults to hiera('glance::backend::rbd::rbd_store_user')
 class tripleo::profile::base::glance::api (
   $bootstrap_node                = hiera('bootstrap_nodeid', undef),
   $certificates_specs            = hiera('apache_certificates_specs', {}),
@@ -92,6 +95,7 @@ class tripleo::profile::base::glance::api (
   $tls_proxy_bind_ip             = undef,
   $tls_proxy_fqdn                = undef,
   $tls_proxy_port                = 9292,
+  $glance_rbd_client_name        = hiera('glance::backend::rbd::rbd_store_user','openstack'),
 ) {
   if $::hostname == downcase($bootstrap_node) {
     $sync_db = true
@@ -129,7 +133,15 @@ class tripleo::profile::base::glance::api (
     case $glance_backend {
         'swift': { $backend_store = 'swift' }
         'file': { $backend_store = 'file' }
-        'rbd': { $backend_store = 'rbd' }
+        'rbd': {
+          $backend_store = 'rbd'
+          exec{ "exec-setfacl-${glance_rbd_client_name}-glance":
+            path    => ['/bin', '/usr/bin'],
+            command => "setfacl -m u:glance:r-- /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring",
+            unless  => "getfacl /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring | grep -q user:glance:r--",
+          }
+          Ceph::Key<| title == "client.${glance_rbd_client_name}" |> -> Exec["exec-setfacl-${glance_rbd_client_name}-glance"]
+        }
         'cinder': { $backend_store = 'cinder' }
         default: { fail('Unrecognized glance_backend parameter.') }
     }

manifests/profile/base/gnocchi/api.pp

@@ -55,6 +55,10 @@
 #  (Required) Redis ip address for the coordination url
 #  Defaults to hiera('redis_vip')
 #
+# [*gnocchi_rbd_client_name*]
+#   (Optional) RBD Client username.
+#   Defaults to hiera('gnocchi::storage::ceph::ceph_username')
+#
 # [*step*]
 #   (Optional) The current step in deployment. See tripleo-heat-templates
 #   for more details.
@@ -68,6 +72,7 @@ class tripleo::profile::base::gnocchi::api (
   $gnocchi_network               = hiera('gnocchi_api_network', undef),
   $gnocchi_redis_password        = hiera('gnocchi_redis_password'),
   $redis_vip                     = hiera('redis_vip'),
+  $gnocchi_rbd_client_name       = hiera('gnocchi::storage::ceph::ceph_username','openstack'),
   $step                          = Integer(hiera('step')),
 ) {
   if $::hostname == downcase($bootstrap_node) {
@@ -122,7 +127,15 @@ class tripleo::profile::base::gnocchi::api (
         }
       }
       'file': { include ::gnocchi::storage::file }
-      'rbd': { include ::gnocchi::storage::ceph }
+      'rbd': {
+        include ::gnocchi::storage::ceph
+        exec{ "exec-setfacl-${gnocchi_rbd_client_name}-gnocchi":
+          path    => ['/bin', '/usr/bin'],
+          command => "setfacl -m u:gnocchi:r-- /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring",
+          unless  => "getfacl /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring | grep -q user:gnocchi:r--",
+        }
+        Ceph::Key<| title == "client.${gnocchi_rbd_client_name}" |> -> Exec["exec-setfacl-${gnocchi_rbd_client_name}-gnocchi"]
+      }
       default: { fail('Unrecognized gnocchi_backend parameter.') }
     }
   }

manifests/profile/base/manila/share.pp

@@ -141,6 +141,13 @@ class tripleo::profile::base::manila::share (
         "client.${cephfs_auth_id}/client mount uid": value => 0;
         "client.${cephfs_auth_id}/client mount gid": value => 0;
       }
+
+      exec{ "exec-setfacl-${cephfs_auth_id}}":
+        path    => ['/bin', '/usr/bin' ],
+        command => "setfacl -m u:manila:r-- ${keyring_path}",
+        unless  => "getfacl ${keyring_path} | grep -q user:manila:r--",
+      }
+      Ceph::Key<| title == "client.${cephfs_auth_id}" |> -> Exec["exec-setfacl-${cephfs_auth_id}-manila"]
     }
 
     # manila netapp:

manifests/profile/base/nova/compute_libvirt_shared.pp

@@ -18,13 +18,18 @@
 #
 # === Parameters
 #
+# [*nova_rbd_client_name*]
+#   (optional) name of RBD client
+#   defaults to hiera('nova::compute::rbd::libvirt_rbd_user')
+#
 # [*step*]
 #   (Optional) The current step in deployment. See tripleo-heat-templates
 #   for more details.
 #   Defaults to hiera('step')
 #
 class tripleo::profile::base::nova::compute_libvirt_shared (
-  $step = Integer(hiera('step')),
+  $nova_rbd_client_name = hiera('nova::compute::rbd::libvirt_rbd_user','openstack'),
+  $step                 = Integer(hiera('step')),
 ) {
   if $step >= 4 {
     # Ceph + Libvirt
@@ -32,6 +37,12 @@ class tripleo::profile::base::nova::compute_libvirt_shared (
     $rbd_persistent_storage = hiera('rbd_persistent_storage', false)
     if $rbd_ephemeral_storage or $rbd_persistent_storage {
       include ::nova::compute::rbd
+      exec{ "exec-setfacl-${nova_rbd_client_name}-nova":
+        path    => ['/bin', '/usr/bin'],
+        command => "setfacl -m u:nova:r-- /etc/ceph/ceph.client.${nova_rbd_client_name}.keyring",
+        unless  => "getfacl /etc/ceph/ceph.client.${nova_rbd_client_name}.keyring | grep -q user:nova:r--",
+      }
+      Ceph::Key<| title == "client.${nova_rbd_client_name}" |> -> Exec["exec-setfacl-${nova_rbd_client_name}-nova"]
     }
 
     if $rbd_ephemeral_storage {

metadata.json

@@ -25,6 +25,7 @@
   "dependencies": [
     { "name": "puppetlabs/stdlib", "version_requirement": ">= 4.12.0 < 5.0.0" },
     { "name": "sensu/sensu" },
-    { "name": "yelp/uchiwa" }
+    { "name": "yelp/uchiwa" },
+    { "name": "openstack/ceph"}
   ]
 }

spec/classes/tripleo_profile_base_cinder_volume_spec.rb

@@ -28,7 +28,9 @@ describe 'tripleo::profile::base::cinder::volume' do
     end
 
     let(:pre_condition) do
-      "class { '::tripleo::profile::base::cinder': step => #{params[:step]}, oslomsg_rpc_hosts => ['127.0.0.1'] }"
+      "
+        class { '::tripleo::profile::base::cinder': step => #{params[:step]}, oslomsg_rpc_hosts => ['127.0.0.1'] }
+      "
     end
 
     context 'with step less than 4' do
@@ -175,6 +177,7 @@ describe 'tripleo::profile::base::cinder::volume' do
           params.merge!({
             :cinder_enable_rbd_backend   => true,
             :cinder_enable_iscsi_backend => false,
+            :cinder_rbd_client_name      => 'openstack'
           })
         end
         it 'should configure only ceph' do
@@ -186,6 +189,7 @@ describe 'tripleo::profile::base::cinder::volume' do
           is_expected.to contain_class('cinder::backends').with(
             :enabled_backends => ['tripleo_ceph']
           )
+          is_expected.to contain_exec('exec-setfacl-openstack-cinder')
         end
         context 'additional rbd pools' do
           # The list of additional rbd pools is not an input, but instead comes

spec/classes/tripleo_profile_base_gnocchi_api_spec.rb

@@ -19,7 +19,9 @@ require 'spec_helper'
 describe 'tripleo::profile::base::gnocchi::api' do
   shared_examples_for 'tripleo::profile::base::gnocchi::api' do
     let(:pre_condition) do
-      "class { '::tripleo::profile::base::gnocchi': step => #{params[:step]}, }"
+      "
+        class { '::tripleo::profile::base::gnocchi': step => #{params[:step]}, }
+      "
     end
 
     context 'with step less than 3' do
@@ -94,7 +96,8 @@ describe 'tripleo::profile::base::gnocchi::api' do
         :step => 4,
         :gnocchi_backend => 'rbd',
         :gnocchi_redis_password => 'gnocchi',
-        :redis_vip => '127.0.0.1'
+        :redis_vip => '127.0.0.1',
+        :gnocchi_rbd_client_name => 'openstack'
       } }
 
       it {
@@ -107,6 +110,7 @@ describe 'tripleo::profile::base::gnocchi::api' do
           :redis_url => 'redis://:gnocchi@127.0.0.1:6379/'
         )
         is_expected.to contain_class('gnocchi::storage::ceph')
+        is_expected.to contain_exec('exec-setfacl-openstack-gnocchi')
       }
     end