Update cephx keys with ACLs for openstack services.

This patch will set file system ACLs on the ceph client keyring. This will help resolve (1) for OSP Ocata and before Change-Id: I0c1bc3d2362c6500b1a515d99f641f8c1468754a Partial-Bug: #1720787 1: https://bugzilla.redhat.com/show_bug.cgi?id=1462657 (cherry picked from commit 48c417519f)
2017-11-13 23:15:21 -05:00 · 2017-11-13 23:15:21 -05:00 · c3bc692280
parent b64f49048c
commit c3bc692280
5 changed files with 57 additions and 3 deletions
--- a/manifests/profile/base/cinder/volume.pp
+++ b/manifests/profile/base/cinder/volume.pp
@ -46,6 +46,10 @@
 #   (Optional) List of additional backend stanzas to activate
 #   Defaults to hiera('cinder_user_enabled_backends')
 #
+# [*cinder_rbd_client_name*]
+#   (Optional) Name of RBD client
+#   Defaults to hiera('tripleo::profile::base::cinder::volume::rbd::cinder_rbd_user_name')
+#
 # [*step*]
 #   (Optional) The current step in deployment. See tripleo-heat-templates
 #   for more details.
@ -59,6 +63,7 @@ class tripleo::profile::base::cinder::volume (
  $cinder_enable_nfs_backend    = false,
  $cinder_enable_rbd_backend    = false,
  $cinder_user_enabled_backends = hiera('cinder_user_enabled_backends', undef),
+  $cinder_rbd_client_name       = hiera('tripleo::profile::base::cinder::volume::rbd::cinder_rbd_user_name','openstack'),
  $step                         = hiera('step'),
 ) {
  include ::tripleo::profile::base::cinder
@ -104,6 +109,13 @@ class tripleo::profile::base::cinder::volume (
    if $cinder_enable_rbd_backend {
      include ::tripleo::profile::base::cinder::volume::rbd
      $cinder_rbd_backend_name = hiera('cinder::backend::rbd::volume_backend_name', 'tripleo_ceph')
+
+      exec{ "exec-setfacl-${cinder_rbd_client_name}-cinder":
+        path    => ['/bin', '/usr/bin'],
+        command => "setfacl -m u:cinder:r-- /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring",
+        unless  => "getfacl /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring | grep -q user:cinder:r--",
+      }
+      Ceph::Key<| title == "client.${cinder_rbd_client_name}" |> -> Exec["exec-setfacl-${cinder_rbd_client_name}-cinder"]
    } else {
      $cinder_rbd_backend_name = undef
    }
--- a/manifests/profile/base/glance/api.pp
+++ b/manifests/profile/base/glance/api.pp
@ -38,6 +38,10 @@
 # [*rabbit_port*]
 #   IP port for rabbitmq service
 #   Defaults to hiera('glance::notify::rabbitmq::rabbit_port', 5672)
+#
+# [*glance_rbd_client_name*]
+# Name used by the glance ceph key
+# defaults to 'openstack'

 class tripleo::profile::base::glance::api (
  $glance_backend = downcase(hiera('glance_backend', 'swift')),
@ -45,6 +49,7 @@ class tripleo::profile::base::glance::api (
  $step           = hiera('step'),
  $rabbit_hosts   = hiera('rabbitmq_node_ips', undef),
  $rabbit_port    = hiera('glance::notify::rabbitmq::rabbit_port', 5672),
+  $glance_rbd_client_name = hiera('glance::backend::rbd::rbd_store_user','openstack'),
 ) {

  if $step >= 1 and $glance_nfs_enabled {
@ -55,7 +60,15 @@ class tripleo::profile::base::glance::api (
    case $glance_backend {
        'swift': { $backend_store = 'glance.store.swift.Store' }
        'file': { $backend_store = 'glance.store.filesystem.Store' }
-        'rbd': { $backend_store = 'glance.store.rbd.Store' }
+        'rbd': {
+          $backend_store = 'glance.store.rbd.Store'
+          exec{ "exec-setfacl-${glance_rbd_client_name}-glance":
+            path    => ['/bin', '/usr/bin'],
+            command => "setfacl -m u:glance:r-- /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring",
+            unless  => "getfacl /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring | grep -q user:glance:r--",
+          }
+          Ceph::Key<| title == "client.${glance_rbd_client_name}" |> -> Exec["exec-setfacl-${glance_rbd_client_name}-glance"]
+        }
        default: { fail('Unrecognized glance_backend parameter.') }
    }
    $http_store = ['glance.store.http.Store']
--- a/manifests/profile/base/gnocchi/api.pp
+++ b/manifests/profile/base/gnocchi/api.pp
@ -26,6 +26,10 @@
 #   (Optional) Gnocchi backend string file, swift or rbd
 #   Defaults to swift
 #
+# [*gnocchi_rbd_client_name*]
+#   Name used by the gnocchi cephx key
+#   Defaults to 'openstack'
+#
 # [*step*]
 #   (Optional) The current step in deployment. See tripleo-heat-templates
 #   for more details.
@ -34,6 +38,7 @@
 class tripleo::profile::base::gnocchi::api (
  $bootstrap_node  = hiera('bootstrap_nodeid', undef),
  $gnocchi_backend = downcase(hiera('gnocchi_backend', 'swift')),
+  $gnocchi_rbd_client_name       = hiera('gnocchi::storage::ceph::ceph_username','openstack'),
  $step            = hiera('step'),
 ) {
  if $::hostname == downcase($bootstrap_node) {
@ -59,7 +64,15 @@ class tripleo::profile::base::gnocchi::api (
    case $gnocchi_backend {
      'swift': { include ::gnocchi::storage::swift }
      'file': { include ::gnocchi::storage::file }
-      'rbd': { include ::gnocchi::storage::ceph }
+      'rbd': {
+        include ::gnocchi::storage::ceph
+        exec{ "exec-setfacl-${gnocchi_rbd_client_name}-gnocchi":
+          path    => ['/bin', '/usr/bin'],
+          command => "setfacl -m u:gnocchi:r-- /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring",
+          unless  => "getfacl /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring | grep -q user:gnocchi:r--",
+        }
+        Ceph::Key<| title == "client.${gnocchi_rbd_client_name}" |> -> Exec["exec-setfacl-${gnocchi_rbd_client_name}-gnocchi"]
+      }
      default: { fail('Unrecognized gnocchi_backend parameter.') }
    }
  }
--- a/manifests/profile/base/manila/share.pp
+++ b/manifests/profile/base/manila/share.pp
@ -30,5 +30,20 @@ class tripleo::profile::base::manila::share (

  if $step >= 4 {
    include ::manila::share
+
+      $cephfs_auth_id = hiera('manila::backend::cephfsnative::cephfs_auth_id')
+      $keyring_path = "/etc/ceph/ceph.client.${cephfs_auth_id}.keyring"
+      ceph_config {
+        "client.${cephfs_auth_id}/keyring": value => $keyring_path;
+        "client.${cephfs_auth_id}/client mount uid": value => 0;
+        "client.${cephfs_auth_id}/client mount gid": value => 0;
+      }
+
+      exec{ "exec-setfacl-${cephfs_auth_id}-manila":
+        path    => ['/bin', '/usr/bin' ],
+        command => "setfacl -m u:manila:r-- ${keyring_path}",
+        unless  => "getfacl ${keyring_path} | grep -q user:manila:r--",
+      }
+      Ceph::Key<| title == "client.${cephfs_auth_id}" |> -> Exec["exec-setfacl-${cephfs_auth_id}-manila"]
  }
 }
--- a/metadata.json
+++ b/metadata.json
@ -25,6 +25,7 @@
  "dependencies": [
    { "name": "puppetlabs/stdlib", "version_requirement": ">= 3.2.0 < 5.0.0" },
    { "name": "sensu/sensu" },
-    { "name": "yelp/uchiwa" }
+    { "name": "yelp/uchiwa" },
+    { "name": "openstack/ceph"}
  ]
 }