From a4d12e02a7a44116aa8c7a327e14a09522a54b57 Mon Sep 17 00:00:00 2001
From: Keith Schincke
Date: Thu, 2 Nov 2017 11:19:31 -0400
Subject: [PATCH] Set ACLs on ceph client keyrings
This patch will set file system ACLs on the ceph client keyring. This will help resolve (1) for OSP Ocata and before
Change-Id: I353b19a5a3f9a9af110587bd0996f08700335a44
Partial-Bug: #1720787
1: https://bugzilla.redhat.com/show_bug.cgi?id=1462657
---
 manifests/profile/base/cinder/volume.pp | 7 +++++++
 manifests/profile/base/glance/api.pp | 11 ++++++++++-
 manifests/profile/base/gnocchi/api.pp | 10 +++++++++-
 manifests/profile/base/manila/share.pp | 9 ++++++++-
 manifests/profile/base/nova/compute_libvirt_shared.pp | 6 ++++++
 .../tripleo_profile_base_cinder_volume_spec.rb | 3 +++
 spec/classes/tripleo_profile_base_gnocchi_api_spec.rb | 3 +++
 7 files changed, 46 insertions(+), 3 deletions(-)
diff --git a/manifests/profile/base/cinder/volume.pp b/manifests/profile/base/cinder/volume.pp
index 503b3f922..a508c2eb0 100644
--- a/manifests/profile/base/cinder/volume.pp
+++ b/manifests/profile/base/cinder/volume.pp
@@ -164,6 +164,13 @@ class tripleo::profile::base::cinder::volume (
 include ::tripleo::profile::base::cinder::volume::rbd
 $cinder_rbd_backend_name = hiera('cinder::backend::rbd::volume_backend_name', 'tripleo_ceph')
+ exec{ 'exec-setfacl-openstack-cinder':
+ path => ['/bin', '/usr/bin'],
+ command => 'setfacl -m u:cinder:r-- /etc/ceph/ceph.client.openstack.keyring',
+ unless => 'getfacl /etc/ceph/ceph.client.openstack.keyring | grep -q "user:cinder:r--"',
+ }
+ Ceph::Key<||> -> Exec['exec-setfacl-openstack-cinder']
+
 $cinder_rbd_extra_pools = hiera('tripleo::profile::base::cinder::volume::rbd::cinder_rbd_extra_pools', undef)
 if $cinder_rbd_extra_pools {
 $base_name = $cinder_rbd_backend_name
diff --git a/manifests/profile/base/glance/api.pp b/manifests/profile/base/glance/api.pp
index c7f4cb293..7909f2ca1 100644
--- a/manifests/profile/base/glance/api.pp
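Review bot: Nothing in this hunk orders Exec['exec-setfacl-openstack-cinder'] after whatever creates the `cinder` system user, so on a fresh node `setfacl -m u:cinder:r--` can run before that user exists and fail (setfacl rejects an unknown user); the glance hunk of the same patch guards against this with `Class['glance']->Exec[...]`, and the gnocchi, manila and nova hunks have the same gap. If the class that installs the cinder package is declared in this profile, an equivalent `Class['cinder'] -> Exec['exec-setfacl-openstack-cinder']` would close it; please confirm that class name against the catalog. Note also that the `unless` guard fails closed when the keyring is missing (`getfacl` exits non-zero, the exec runs and `setfacl` errors out), and `Ceph::Key<||>` only orders against keys present in this catalog, so an externally provisioned keyring is not protected by the ordering. Granting a single named user read access via an ACL is the right least-privilege alternative to widening the keyring's mode, so the approach itself looks sound. The enclosing class body continues outside the hunk.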
+++ b/manifests/profile/base/glance/api.pp
@@ -129,7 +129,16 @@ class tripleo::profile::base::glance::api (
 case $glance_backend {
 'swift': { $backend_store = 'swift' }
 'file': { $backend_store = 'file' }
- 'rbd': { $backend_store = 'rbd' }
+ 'rbd': {
+ $backend_store = 'rbd'
+ exec{ 'exec-setfacl-openstack-glance':
+ path => ['/bin', '/usr/bin'],
+ command => 'setfacl -m u:glance:r-- /etc/ceph/ceph.client.openstack.keyring',
+ unless => 'getfacl /etc/ceph/ceph.client.openstack.keyring | grep -q "user:glance:r--"',
+ }
+ Class['glance']->Exec['exec-setfacl-openstack-glance']
+ Ceph::Key<||> -> Exec['exec-setfacl-openstack-glance']
+ }
 'cinder': { $backend_store = 'cinder' }
 default: { fail('Unrecognized glance_backend parameter.') }
 }
diff --git a/manifests/profile/base/gnocchi/api.pp b/manifests/profile/base/gnocchi/api.pp
index c958359c1..23acec6de 100644
--- a/manifests/profile/base/gnocchi/api.pp
+++ b/manifests/profile/base/gnocchi/api.pp
@@ -124,7 +124,15 @@ class tripleo::profile::base::gnocchi::api (
 }
 }
 'file': { include ::gnocchi::storage::file }
- 'rbd': { include ::gnocchi::storage::ceph }
+ 'rbd': {
+ include ::gnocchi::storage::ceph
+ exec{ 'exec-setfacl-openstack-gnocchi':
+ path => ['/bin', '/usr/bin'],
+ command => 'setfacl -m u:gnocchi:r-- /etc/ceph/ceph.client.openstack.keyring',
+ unless => 'getfacl /etc/ceph/ceph.client.openstack.keyring | grep -q "user:gnocchi:r--"',
+ }
+ Ceph::Key<||> -> Exec['exec-satfacl-openstack-gnocchi']
+ }
 default: { fail('Unrecognized gnocchi_backend parameter.') }
 }
 }
diff --git a/manifests/profile/base/manila/share.pp b/manifests/profile/base/manila/share.pp
index 1c279993d..9e6cbbbee 100644
--- a/manifests/profile/base/manila/share.pp
+++ b/manifests/profile/base/manila/share.pp
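Review bot: Style: the two relationship lines in the 'rbd' branch are spaced differently (`Class['glance']->Exec['exec-setfacl-openstack-glance']` directly above `Ceph::Key<||> -> Exec['exec-setfacl-openstack-glance']`); the spaced form is what the rest of the patch uses. The exec block itself is now copied almost verbatim into five profiles with only the user name and keyring path varying, and the copies in this patch already disagree on the spelling of the Exec title, which is the usual outcome of that duplication. A small define in this module taking the user and keyring path as parameters, with the setfacl/getfacl pair inside, would give one place to get it right and to test; I have not checked whether such a helper already exists. The enclosing case statement and class continue outside the hunk.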
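Review bot: The relationship at the end of the 'rbd' branch references `Exec['exec-satfacl-openstack-gnocchi']` while the resource declared just above it is titled `exec-setfacl-openstack-gnocchi`; when any Ceph::Key resource is in the catalog Puppet will refuse to compile with a "Could not find resource" error on that relationship, and when none is, the ordering silently never applies, so the setfacl may run before the keyring exists. The same `satfacl` misspelling is in the nova hunk (`Exec['exec-satfacl-openstack-nova']`) and in the manila hunk, where the reference additionally carries an `openstack-` segment the title lacks. The fix here is `Ceph::Key<||> -> Exec['exec-setfacl-openstack-gnocchi']`. The enclosing case statement and class continue outside the hunk.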
@@ -100,7 +100,14 @@ class tripleo::profile::base::manila::share (
 $cephfs_auth_id = hiera('manila::backend::cephfsnative::cephfs_auth_id')
 $keyring_path = "/etc/ceph/ceph.client.${cephfs_auth_id}.keyring"
- manila::backend::cephfsnative { $manila_cephfsnative_backend :
+ exec{ "exec-setfacl-${cephfs_auth_id}}":
+ path => ['/bin', '/usr/bin' ],
+ command => "setfacl -m u:manila:r-- ${keyring_path}",
+ unless => "getfacl ${keyring_path} | grep -q \"user:manila:r--\"",
+ }
+ Ceph::Key<||> -> Exec["exec-satfacl-openstack-${cephfs_auth_id}"]
+
+ manila::backend::cephfs { $manila_cephfsnative_backend :
 driver_handles_share_servers => hiera('manila::backend::cephfsnative::driver_handles_share_servers', false),
 share_backend_name => hiera('manila::backend::cephfsnative::share_backend_name'),
 cephfs_conf_path => hiera('manila::backend::cephfsnative::cephfs_conf_path'),
diff --git a/manifests/profile/base/nova/compute_libvirt_shared.pp b/manifests/profile/base/nova/compute_libvirt_shared.pp
index 36235cde9..8fc8d453f 100644
--- a/manifests/profile/base/nova/compute_libvirt_shared.pp
+++ b/manifests/profile/base/nova/compute_libvirt_shared.pp
@@ -32,6 +32,12 @@ class tripleo::profile::base::nova::compute_libvirt_shared (
 $rbd_persistent_storage = hiera('rbd_persistent_storage', false)
 if $rbd_ephemeral_storage or $rbd_persistent_storage {
 include ::nova::compute::rbd
+ exec{ 'exec-setfacl-openstack-nova':
+ path => ['/bin', '/usr/bin'],
+ command => 'setfacl -m u:nova:r-- /etc/ceph/ceph.client.openstack.keyring',
+ unless => 'getfacl /etc/ceph/ceph.client.openstack.keyring | grep -q "user:nova:r--"',
+ }
+ Ceph::Key<||> -> Exec['exec-satfacl-openstack-nova']
 }
 if $rbd_ephemeral_storage {
diff --git a/spec/classes/tripleo_profile_base_cinder_volume_spec.rb b/spec/classes/tripleo_profile_base_cinder_volume_spec.rb
index fab47cfa1..5cf79ff15 100644
--- a/spec/classes/tripleo_profile_base_cinder_volume_spec.rb
+++ b/spec/classes/tripleo_profile_base_cinder_volume_spec.rb
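Review bot: The Exec title `"exec-setfacl-${cephfs_auth_id}}"` contains a stray closing brace that becomes part of the title, and the relationship two lines below references `"exec-satfacl-openstack-${cephfs_auth_id}"`, which differs in two further places, so the ordering cannot resolve; both should read `exec{ "exec-setfacl-${cephfs_auth_id}":` and `Ceph::Key<||> -> Exec["exec-setfacl-${cephfs_auth_id}"]`. This hunk also replaces `manila::backend::cephfsnative` with `manila::backend::cephfs`, a define change the commit message does not mention; if puppet-manila renamed that define, say so in the message, otherwise this line breaks the profile and does not belong in this patch. Minor: `['/bin', '/usr/bin' ]` has a stray space before the bracket. The enclosing class continues outside the hunk.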
@@ -186,6 +186,9 @@ describe 'tripleo::profile::base::cinder::volume' do
 is_expected.to contain_class('cinder::backends').with(
 :enabled_backends => ['tripleo_ceph']
 )
+ is_expected.to contain_exec('exec-setfacl-openstack-cinder').with(
+ 'command' => "setfacl -m u:cinder:r-- /etc/ceph/ceph.client.openstack.keyring"
+ )
 end
 context 'additional rbd pools' do
 # The list of additional rbd pools is not an input, but instead comes
diff --git a/spec/classes/tripleo_profile_base_gnocchi_api_spec.rb b/spec/classes/tripleo_profile_base_gnocchi_api_spec.rb
index 60e82b384..d6035d5f4 100644
--- a/spec/classes/tripleo_profile_base_gnocchi_api_spec.rb
+++ b/spec/classes/tripleo_profile_base_gnocchi_api_spec.rb
@@ -107,6 +107,9 @@ describe 'tripleo::profile::base::gnocchi::api' do
 :redis_url => 'redis://:gnocchi@127.0.0.1:6379/'
 )
 is_expected.to contain_class('gnocchi::storage::ceph')
+ is_expected.to contain_exec('exec-setfacl-openstack-gnocchi').with(
+ 'command' => 'setfacl -m u:gnocchi:r-- /etc/ceph/ceph.client.openstack.keyring'
+ )
 }
 end
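Review bot: The new expectation checks only the `command` attribute of the exec, and the gnocchi spec hunk does the same, so neither the `unless` guard nor the Ceph::Key ordering is covered; that ordering line is where the gnocchi, manila and nova manifests of this patch carry misspelled titles, and a catalog compile in rspec-puppet is likely to notice them only when a Ceph::Key resource is present, since a collector with no matches is silent. Asserting the guard as well, `'unless' => 'getfacl /etc/ceph/ceph.client.openstack.keyring | grep -q "user:cinder:r--"'`, and declaring a Ceph::Key in the `pre_condition` with a `that_requires` check on the exec would pin the behaviour the commit is actually about. The diffstat shows no spec changes for the glance, manila or nova profiles, which is where the broken references sit. Minor: this spec uses double quotes for the command string where the gnocchi spec uses single quotes; there is no interpolation, so single quotes are the usual choice.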