Update cephx keys with ACLs for openstack services.
This patch will set file system ACLs on the ceph client keyring.
This will help resolve (1) for OSP Ocata and earlier
Change-Id: I0c1bc3d2362c6500b1a515d99f641f8c1468754a
Partial-Bug: #1720787
1: https://bugzilla.redhat.com/show_bug.cgi?id=1462657
(cherry picked from commit 48c417519f
)
This commit is contained in:
parent
b64f49048c
commit
c3bc692280
@ -46,6 +46,10 @@
|
|||
# (Optional) List of additional backend stanzas to activate
|
||||
# Defaults to hiera('cinder_user_enabled_backends')
|
||||
#
|
||||
# [*cinder_rbd_client_name*]
|
||||
# (Optional) Name of RBD client
|
||||
# Defaults to hiera('tripleo::profile::base::cinder::volume::rbd::cinder_rbd_user_name')
|
||||
#
|
||||
# [*step*]
|
||||
# (Optional) The current step in deployment. See tripleo-heat-templates
|
||||
# for more details.
|
||||
|
@ -59,6 +63,7 @@ class tripleo::profile::base::cinder::volume (
|
|||
$cinder_enable_nfs_backend = false,
|
||||
$cinder_enable_rbd_backend = false,
|
||||
$cinder_user_enabled_backends = hiera('cinder_user_enabled_backends', undef),
|
||||
$cinder_rbd_client_name = hiera('tripleo::profile::base::cinder::volume::rbd::cinder_rbd_user_name','openstack'),
|
||||
$step = hiera('step'),
|
||||
) {
|
||||
include ::tripleo::profile::base::cinder
|
||||
|
@ -104,6 +109,13 @@ class tripleo::profile::base::cinder::volume (
|
|||
if $cinder_enable_rbd_backend {
|
||||
include ::tripleo::profile::base::cinder::volume::rbd
|
||||
$cinder_rbd_backend_name = hiera('cinder::backend::rbd::volume_backend_name', 'tripleo_ceph')
|
||||
|
||||
exec{ "exec-setfacl-${cinder_rbd_client_name}-cinder":
|
||||
path => ['/bin', '/usr/bin'],
|
||||
command => "setfacl -m u:cinder:r-- /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring",
|
||||
unless => "getfacl /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring | grep -q user:cinder:r--",
|
||||
}
|
||||
Ceph::Key<| title == "client.${cinder_rbd_client_name}" |> -> Exec["exec-setfacl-${cinder_rbd_client_name}-cinder"]
|
||||
} else {
|
||||
$cinder_rbd_backend_name = undef
|
||||
}
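Review bot: The exec `exec-setfacl-${cinder_rbd_client_name}-cinder` depends on setfacl/getfacl from the `acl` package, but nothing in this commit ensures that package is installed before the exec runs; unless it is guaranteed elsewhere in the profile, add `package { 'acl': ensure => present }` and `require => Package['acl']` on the exec. The same gap applies to the glance, gnocchi and manila hunks below. The keyring path is also interpolated into both shell strings unquoted; the client name comes from hiera so it is operator-controlled rather than untrusted, but single-quoting it, e.g. `command => "setfacl -m u:cinder:r-- '/etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring'",`, keeps a name containing spaces or glob characters from being split by the shell. The enclosing class tripleo::profile::base::cinder::volume starts outside this hunk.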
@ -38,6 +38,10 @@
|
|||
# [*rabbit_port*]
|
||||
# IP port for rabbitmq service
|
||||
# Defaults to hiera('glance::notify::rabbitmq::rabbit_port', 5672)
|
||||
#
|
||||
# [*glance_rbd_client_name*]
|
||||
# Name used by the glance ceph key
|
||||
# defaults to 'openstack'
|
||||
|
||||
class tripleo::profile::base::glance::api (
|
||||
$glance_backend = downcase(hiera('glance_backend', 'swift')),
|
||||
|
@ -45,6 +49,7 @@ class tripleo::profile::base::glance::api (
|
|||
$step = hiera('step'),
|
||||
$rabbit_hosts = hiera('rabbitmq_node_ips', undef),
|
||||
$rabbit_port = hiera('glance::notify::rabbitmq::rabbit_port', 5672),
|
||||
$glance_rbd_client_name = hiera('glance::backend::rbd::rbd_store_user','openstack'),
|
||||
) {
|
||||
|
||||
if $step >= 1 and $glance_nfs_enabled {
|
||||
|
@ -55,7 +60,15 @@ class tripleo::profile::base::glance::api (
|
|||
case $glance_backend {
|
||||
'swift': { $backend_store = 'glance.store.swift.Store' }
|
||||
'file': { $backend_store = 'glance.store.filesystem.Store' }
|
||||
'rbd': { $backend_store = 'glance.store.rbd.Store' }
|
||||
'rbd': {
|
||||
$backend_store = 'glance.store.rbd.Store'
|
||||
exec{ "exec-setfacl-${glance_rbd_client_name}-glance":
|
||||
path => ['/bin', '/usr/bin'],
|
||||
command => "setfacl -m u:glance:r-- /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring",
|
||||
unless => "getfacl /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring | grep -q user:glance:r--",
|
||||
}
|
||||
Ceph::Key<| title == "client.${glance_rbd_client_name}" |> -> Exec["exec-setfacl-${glance_rbd_client_name}-glance"]
|
||||
}
|
||||
default: { fail('Unrecognized glance_backend parameter.') }
|
||||
}
|
||||
$http_store = ['glance.store.http.Store']
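Review bot: The `'rbd'` branch now carries a second copy of the exec/collector pair that the cinder hunk introduces, and the gnocchi and manila hunks add a third and fourth with only the service name and keyring variable changed; four hand-maintained copies of a shell command that grants access to a cephx secret is where the next drift in the ACL or its idempotency check will hide. A small defined type in this module, parameterised on the service user and client name, would let each profile declare the ACL in one line and keep the path, mode and check in one place. A sketch follows; the type name is a suggestion. The enclosing class tripleo::profile::base::glance::api starts outside this hunk.
```puppet
# Sketch (name is a suggestion): one definition shared by the four profiles.
define tripleo::profile::base::ceph::keyring_acl (
  $service,
  $client_name = $title,
) {
  $keyring = "/etc/ceph/ceph.client.${client_name}.keyring"
  exec { "exec-setfacl-${client_name}-${service}":
    path    => ['/bin', '/usr/bin'],
    command => "setfacl -m u:${service}:r-- '${keyring}'",
    unless  => "getfacl -c '${keyring}' | grep -qx 'user:${service}:r--'",
  }
  Ceph::Key<| title == "client.${client_name}" |> -> Exec["exec-setfacl-${client_name}-${service}"]
}
# … in the 'rbd' branch, replacing the inline exec and collector …
tripleo::profile::base::ceph::keyring_acl { $glance_rbd_client_name: service => 'glance' }
```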
|
@ -26,6 +26,10 @@
|
|||
# (Optional) Gnocchi backend string file, swift or rbd
|
||||
# Defaults to swift
|
||||
#
|
||||
# [*gnocchi_rbd_client_name*]
|
||||
# Name used by the gnocchi cephx key
|
||||
# Defaults to 'openstack'
|
||||
#
|
||||
# [*step*]
|
||||
# (Optional) The current step in deployment. See tripleo-heat-templates
|
||||
# for more details.
|
||||
|
@ -34,6 +38,7 @@
|
|||
class tripleo::profile::base::gnocchi::api (
|
||||
$bootstrap_node = hiera('bootstrap_nodeid', undef),
|
||||
$gnocchi_backend = downcase(hiera('gnocchi_backend', 'swift')),
|
||||
$gnocchi_rbd_client_name = hiera('gnocchi::storage::ceph::ceph_username','openstack'),
|
||||
$step = hiera('step'),
|
||||
) {
|
||||
if $::hostname == downcase($bootstrap_node) {
|
||||
|
@ -59,7 +64,15 @@ class tripleo::profile::base::gnocchi::api (
|
|||
case $gnocchi_backend {
|
||||
'swift': { include ::gnocchi::storage::swift }
|
||||
'file': { include ::gnocchi::storage::file }
|
||||
'rbd': { include ::gnocchi::storage::ceph }
|
||||
'rbd': {
|
||||
include ::gnocchi::storage::ceph
|
||||
exec{ "exec-setfacl-${gnocchi_rbd_client_name}-gnocchi":
|
||||
path => ['/bin', '/usr/bin'],
|
||||
command => "setfacl -m u:gnocchi:r-- /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring",
|
||||
unless => "getfacl /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring | grep -q user:gnocchi:r--",
|
||||
}
|
||||
Ceph::Key<| title == "client.${gnocchi_rbd_client_name}" |> -> Exec["exec-setfacl-${gnocchi_rbd_client_name}-gnocchi"]
|
||||
}
|
||||
default: { fail('Unrecognized gnocchi_backend parameter.') }
|
||||
}
|
||||
}
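Review bot: The `unless` on `exec-setfacl-${gnocchi_rbd_client_name}-gnocchi` tests for the substring `user:gnocchi:r--`, which still matches when getfacl prints the entry as `user:gnocchi:r--	#effective:---` after a later change has narrowed the ACL mask, so the exec would report the keyring as readable when it is not. Matching the whole line, `unless => "getfacl -c /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring | grep -qx user:gnocchi:r--",`, makes the check fail in that case and lets `setfacl -m` recompute the mask on the next run. The same check is used in the cinder, glance and manila hunks. The enclosing class tripleo::profile::base::gnocchi::api starts outside this hunk.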
|
@ -30,5 +30,20 @@ class tripleo::profile::base::manila::share (
|
|||
|
||||
if $step >= 4 {
|
||||
include ::manila::share
|
||||
|
||||
$cephfs_auth_id = hiera('manila::backend::cephfsnative::cephfs_auth_id')
|
||||
$keyring_path = "/etc/ceph/ceph.client.${cephfs_auth_id}.keyring"
|
||||
ceph_config {
|
||||
"client.${cephfs_auth_id}/keyring": value => $keyring_path;
|
||||
"client.${cephfs_auth_id}/client mount uid": value => 0;
|
||||
"client.${cephfs_auth_id}/client mount gid": value => 0;
|
||||
}
|
||||
|
||||
exec{ "exec-setfacl-${cephfs_auth_id}-manila":
|
||||
path => ['/bin', '/usr/bin' ],
|
||||
command => "setfacl -m u:manila:r-- ${keyring_path}",
|
||||
unless => "getfacl ${keyring_path} | grep -q user:manila:r--",
|
||||
}
|
||||
Ceph::Key<| title == "client.${cephfs_auth_id}" |> -> Exec["exec-setfacl-${cephfs_auth_id}-manila"]
|
||||
}
|
||||
}
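Review bot: `hiera('manila::backend::cephfsnative::cephfs_auth_id')` has no default, unlike the three other profiles in this commit which fall back to `'openstack'`, and the lookup, the `ceph_config` entries and the setfacl exec all run unconditionally inside `if $step >= 4`; on a deployment where that key is absent, catalog compilation fails at step 4 even if the CephFS backend is not in use, as far as the hunk shows. Either expose it as a class parameter with a default, e.g. `$cephfs_auth_id = hiera('manila::backend::cephfsnative::cephfs_auth_id', 'openstack'),`, or guard the block on a backend-enabled flag as the cinder profile does with `$cinder_enable_rbd_backend`. Minor: `['/bin', '/usr/bin' ]` has a stray space before the closing bracket. The enclosing class tripleo::profile::base::manila::share starts outside this hunk.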
@ -25,6 +25,7 @@
|
|||
"dependencies": [
|
||||
{ "name": "puppetlabs/stdlib", "version_requirement": ">= 3.2.0 < 5.0.0" },
|
||||
{ "name": "sensu/sensu" },
|
||||
{ "name": "yelp/uchiwa" }
|
||||
{ "name": "yelp/uchiwa" },
|
||||
{ "name": "openstack/ceph"}
|
||||
]
|
||||
}
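Review bot: The new `{ "name": "openstack/ceph"}` entry carries no `version_requirement`, while `puppetlabs/stdlib` on the same list is pinned to a range; since this profile now collects `Ceph::Key` resources from that module, an unconstrained dependency lets a future major release change or remove the type this commit relies on without any warning at install time. Add a range matching the version tested here, e.g. `{ "name": "openstack/ceph", "version_requirement": ">= <TESTED_VERSION>" }`, with the real lower bound filled in.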