Set ACLs on ceph client keyrings
This patch will set file system ACLs on the ceph client keyring. This will help resolve [1] for OSP Ocata and before.

Change-Id: I353b19a5a3f9a9af110587bd0996f08700335a44
Partial-Bug: #1720787

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1462657
parent
df2d147401
commit
a4d12e02a7
@ -164,6 +164,13 @@ class tripleo::profile::base::cinder::volume (
|
|||||||
include ::tripleo::profile::base::cinder::volume::rbd
|
include ::tripleo::profile::base::cinder::volume::rbd
|
||||||
$cinder_rbd_backend_name = hiera('cinder::backend::rbd::volume_backend_name', 'tripleo_ceph')
|
$cinder_rbd_backend_name = hiera('cinder::backend::rbd::volume_backend_name', 'tripleo_ceph')
|
||||||
|
|
||||||
|
exec{ 'exec-setfacl-openstack-cinder':
|
||||||
|
path => ['/bin', '/usr/bin'],
|
||||||
|
command => 'setfacl -m u:cinder:r-- /etc/ceph/ceph.client.openstack.keyring',
|
||||||
|
unless => 'getfacl /etc/ceph/ceph.client.openstack.keyring | grep -q "user:cinder:r--"',
|
||||||
|
}
|
||||||
|
Ceph::Key<||> -> Exec['exec-setfacl-openstack-cinder']
|
||||||
|
|
||||||
$cinder_rbd_extra_pools = hiera('tripleo::profile::base::cinder::volume::rbd::cinder_rbd_extra_pools', undef)
|
$cinder_rbd_extra_pools = hiera('tripleo::profile::base::cinder::volume::rbd::cinder_rbd_extra_pools', undef)
|
||||||
if $cinder_rbd_extra_pools {
|
if $cinder_rbd_extra_pools {
|
||||||
$base_name = $cinder_rbd_backend_name
|
$base_name = $cinder_rbd_backend_name
|
||||||
|
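Review bot: `setfacl -m u:cinder:r-- …` can only succeed once the `cinder` user exists and the keyring file is present, but the only ordering added is `Ceph::Key<||> -> Exec['exec-setfacl-openstack-cinder']`; the glance hunk in this same commit also orders the exec after `Class['glance']`, and the cinder exec should get the equivalent ordering on whatever class creates the cinder user. The keyring path is hard-coded to `/etc/ceph/ceph.client.openstack.keyring` here, whereas the manila hunk derives `$keyring_path` from hiera; if the rbd client name is configurable elsewhere in this profile (not visible in this hunk), deriving the path the same way would keep the ACL on the file the service actually reads. On a node where no `Ceph::Key` resource manages this file (the collector then orders nothing), the exec runs unconditionally and fails if the file is absent, so a guard such as `onlyif => 'test -f /etc/ceph/ceph.client.openstack.keyring'` would make the run degrade to a no-op instead of a catalog failure. The enclosing class body continues outside the hunk.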
@ -129,7 +129,16 @@ class tripleo::profile::base::glance::api (
|
|||||||
case $glance_backend {
|
case $glance_backend {
|
||||||
'swift': { $backend_store = 'swift' }
|
'swift': { $backend_store = 'swift' }
|
||||||
'file': { $backend_store = 'file' }
|
'file': { $backend_store = 'file' }
|
||||||
'rbd': { $backend_store = 'rbd' }
|
'rbd': {
|
||||||
|
$backend_store = 'rbd'
|
||||||
|
exec{ 'exec-setfacl-openstack-glance':
|
||||||
|
path => ['/bin', '/usr/bin'],
|
||||||
|
command => 'setfacl -m u:glance:r-- /etc/ceph/ceph.client.openstack.keyring',
|
||||||
|
unless => 'getfacl /etc/ceph/ceph.client.openstack.keyring | grep -q "user:glance:r--"',
|
||||||
|
}
|
||||||
|
Class['glance']->Exec['exec-setfacl-openstack-glance']
|
||||||
|
Ceph::Key<||> -> Exec['exec-setfacl-openstack-glance']
|
||||||
|
}
|
||||||
'cinder': { $backend_store = 'cinder' }
|
'cinder': { $backend_store = 'cinder' }
|
||||||
default: { fail('Unrecognized glance_backend parameter.') }
|
default: { fail('Unrecognized glance_backend parameter.') }
|
||||||
}
|
}
|
||||||
|
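Review bot: The ACL granted by `setfacl -m u:glance:r-- /etc/ceph/ceph.client.openstack.keyring` is only meaningful if the keyring's base mode denies `other` read access, and nothing in this hunk manages or asserts that mode; the commit message points at a bug about keyring permissions, so the tightening presumably happens elsewhere, but that assumption should be stated. A comment above the exec such as `# The keyring is expected to be root-owned and not world-readable; the ACL below grants the glance service user read access without widening the file mode.` would record the dependency for the next maintainer. Note also that every service user in this commit is given read access to the same `client.openstack` keyring, so any one of those service accounts being compromised exposes the shared Ceph credential with all of its caps; that is a consequence of the shared-key design rather than of this hunk, but worth documenting. The `case` statement continues outside the hunk.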
@ -124,7 +124,15 @@ class tripleo::profile::base::gnocchi::api (
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
'file': { include ::gnocchi::storage::file }
|
'file': { include ::gnocchi::storage::file }
|
||||||
'rbd': { include ::gnocchi::storage::ceph }
|
'rbd': {
|
||||||
|
include ::gnocchi::storage::ceph
|
||||||
|
exec{ 'exec-setfacl-openstack-gnocchi':
|
||||||
|
path => ['/bin', '/usr/bin'],
|
||||||
|
command => 'setfacl -m u:gnocchi:r-- /etc/ceph/ceph.client.openstack.keyring',
|
||||||
|
unless => 'getfacl /etc/ceph/ceph.client.openstack.keyring | grep -q "user:gnocchi:r--"',
|
||||||
|
}
|
||||||
|
Ceph::Key<||> -> Exec['exec-satfacl-openstack-gnocchi']
|
||||||
|
}
|
||||||
default: { fail('Unrecognized gnocchi_backend parameter.') }
|
default: { fail('Unrecognized gnocchi_backend parameter.') }
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
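Review bot: The relationship `Ceph::Key<||> -> Exec['exec-satfacl-openstack-gnocchi']` references a resource title that does not exist; the exec declared a few lines above is `exec-setfacl-openstack-gnocchi` ("set", not "sat"). On a node where `Ceph::Key` resources are in the catalog this should fail compilation with a missing-resource error, while a test catalog without any `Ceph::Key` may never evaluate the relationship and so pass, which is presumably why the added gnocchi spec did not catch it. The fix is `Ceph::Key<||> -> Exec['exec-setfacl-openstack-gnocchi']`. The enclosing `case` continues outside the hunk.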
@ -100,7 +100,14 @@ class tripleo::profile::base::manila::share (
|
|||||||
$cephfs_auth_id = hiera('manila::backend::cephfsnative::cephfs_auth_id')
|
$cephfs_auth_id = hiera('manila::backend::cephfsnative::cephfs_auth_id')
|
||||||
$keyring_path = "/etc/ceph/ceph.client.${cephfs_auth_id}.keyring"
|
$keyring_path = "/etc/ceph/ceph.client.${cephfs_auth_id}.keyring"
|
||||||
|
|
||||||
manila::backend::cephfsnative { $manila_cephfsnative_backend :
|
exec{ "exec-setfacl-${cephfs_auth_id}}":
|
||||||
|
path => ['/bin', '/usr/bin' ],
|
||||||
|
command => "setfacl -m u:manila:r-- ${keyring_path}",
|
||||||
|
unless => "getfacl ${keyring_path} | grep -q \"user:manila:r--\"",
|
||||||
|
}
|
||||||
|
Ceph::Key<||> -> Exec["exec-satfacl-openstack-${cephfs_auth_id}"]
|
||||||
|
|
||||||
|
manila::backend::cephfs { $manila_cephfsnative_backend :
|
||||||
driver_handles_share_servers => hiera('manila::backend::cephfsnative::driver_handles_share_servers', false),
|
driver_handles_share_servers => hiera('manila::backend::cephfsnative::driver_handles_share_servers', false),
|
||||||
share_backend_name => hiera('manila::backend::cephfsnative::share_backend_name'),
|
share_backend_name => hiera('manila::backend::cephfsnative::share_backend_name'),
|
||||||
cephfs_conf_path => hiera('manila::backend::cephfsnative::cephfs_conf_path'),
|
cephfs_conf_path => hiera('manila::backend::cephfsnative::cephfs_conf_path'),
|
||||||
|
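Review bot: The exec title and the relationship target do not match in three ways: the title `"exec-setfacl-${cephfs_auth_id}}"` contains a stray closing brace, lacks the `openstack-` segment, and the reference `Exec["exec-satfacl-openstack-${cephfs_auth_id}"]` misspells "setfacl", so the ordering on `Ceph::Key` will never resolve to this exec. Suggested lines: `exec{ "exec-setfacl-openstack-${cephfs_auth_id}":` and `Ceph::Key<||> -> Exec["exec-setfacl-openstack-${cephfs_auth_id}"]`. `$keyring_path` is interpolated unquoted into a shell command; it comes from hiera rather than untrusted input, but quoting it (`"setfacl -m u:manila:r-- '${keyring_path}'"`) costs nothing and avoids surprises if `cephfs_auth_id` ever contains whitespace. As rendered, the old line `manila::backend::cephfsnative {` appears to be replaced by `manila::backend::cephfs {`, which is not mentioned in the commit message; if that define rename is intentional it deserves a sentence there. The resource declaration continues outside the hunk.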
@ -32,6 +32,12 @@ class tripleo::profile::base::nova::compute_libvirt_shared (
|
|||||||
$rbd_persistent_storage = hiera('rbd_persistent_storage', false)
|
$rbd_persistent_storage = hiera('rbd_persistent_storage', false)
|
||||||
if $rbd_ephemeral_storage or $rbd_persistent_storage {
|
if $rbd_ephemeral_storage or $rbd_persistent_storage {
|
||||||
include ::nova::compute::rbd
|
include ::nova::compute::rbd
|
||||||
|
exec{ 'exec-setfacl-openstack-nova':
|
||||||
|
path => ['/bin', '/usr/bin'],
|
||||||
|
command => 'setfacl -m u:nova:r-- /etc/ceph/ceph.client.openstack.keyring',
|
||||||
|
unless => 'getfacl /etc/ceph/ceph.client.openstack.keyring | grep -q "user:nova:r--"',
|
||||||
|
}
|
||||||
|
Ceph::Key<||> -> Exec['exec-satfacl-openstack-nova']
|
||||||
}
|
}
|
||||||
|
|
||||||
if $rbd_ephemeral_storage {
|
if $rbd_ephemeral_storage {
|
||||||
|
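Review bot: `Ceph::Key<||> -> Exec['exec-satfacl-openstack-nova']` references a title that is not declared; the exec above is named `exec-setfacl-openstack-nova`. Where `Ceph::Key` resources exist in the catalog this will surface as a missing-resource failure at compile time, and there is no nova spec change in this commit to catch it. The corrected line is `Ceph::Key<||> -> Exec['exec-setfacl-openstack-nova']`. The `if $rbd_ephemeral_storage …` block that follows is cut off at the end of the hunk.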
@ -186,6 +186,9 @@ describe 'tripleo::profile::base::cinder::volume' do
|
|||||||
is_expected.to contain_class('cinder::backends').with(
|
is_expected.to contain_class('cinder::backends').with(
|
||||||
:enabled_backends => ['tripleo_ceph']
|
:enabled_backends => ['tripleo_ceph']
|
||||||
)
|
)
|
||||||
|
is_expected.to contain_exec('exec-setfacl-openstack-cinder').with(
|
||||||
|
'command' => "setfacl -m u:cinder:r-- /etc/ceph/ceph.client.openstack.keyring"
|
||||||
|
)
|
||||||
end
|
end
|
||||||
context 'additional rbd pools' do
|
context 'additional rbd pools' do
|
||||||
# The list of additional rbd pools is not an input, but instead comes
|
# The list of additional rbd pools is not an input, but instead comes
|
||||||
|
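Review bot: The new assertion pins only the `command` of `exec-setfacl-openstack-cinder`, so a regression in the idempotency guard would go unnoticed; adding `'unless' => 'getfacl /etc/ceph/ceph.client.openstack.keyring | grep -q "user:cinder:r--"'` to the `.with(...)` hash covers both halves of the resource. As shown in this commit only the cinder and gnocchi specs were updated; the glance, manila and nova manifests gained equivalent execs (two of them with misspelled relationship targets) and have no corresponding assertions. The surrounding `context` continues outside the hunk.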
@ -107,6 +107,9 @@ describe 'tripleo::profile::base::gnocchi::api' do
|
|||||||
:redis_url => 'redis://:gnocchi@127.0.0.1:6379/'
|
:redis_url => 'redis://:gnocchi@127.0.0.1:6379/'
|
||||||
)
|
)
|
||||||
is_expected.to contain_class('gnocchi::storage::ceph')
|
is_expected.to contain_class('gnocchi::storage::ceph')
|
||||||
|
is_expected.to contain_exec('exec-setfacl-openstack-gnocchi').with(
|
||||||
|
'command' => 'setfacl -m u:gnocchi:r-- /etc/ceph/ceph.client.openstack.keyring'
|
||||||
|
)
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
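Review bot: This assertion only checks that `exec-setfacl-openstack-gnocchi` exists with the expected `command`; it does not exercise the `Ceph::Key<||> -> Exec[...]` relationship in the manifest, which there references a misspelled title (`exec-satfacl-openstack-gnocchi`). With no `ceph::key` in the test catalog the collector matches nothing and the dangling reference is presumably never evaluated, so the spec passes against a manifest that would fail on a real node. Declaring a `ceph::key` in the example's `pre_condition` and asserting `.that_requires('Ceph::Key[...]')` on the exec would make the test catch that class of error. The enclosing `it` block continues outside the hunk.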
|
|
||||||
|