Merge "Ensure appropriate ACL mask is set on CephX keyrings"
commit
db844cf48a
|
@ -205,6 +205,11 @@ class tripleo::profile::base::cinder::volume (
|
|||
command => "setfacl -m u:cinder:r-- /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring",
|
||||
unless => "getfacl /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring | grep -q user:cinder:r--",
|
||||
}
|
||||
-> exec{ "exec-setfacl-${cinder_rbd_client_name}-cinder-mask":
|
||||
path => ['/bin', '/usr/bin'],
|
||||
command => "setfacl -m m::r /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring",
|
||||
unless => "getfacl /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring | grep -q mask::r",
|
||||
}
|
||||
|
||||
$cinder_rbd_extra_pools = hiera('tripleo::profile::base::cinder::volume::rbd::cinder_rbd_extra_pools', undef)
|
||||
if $cinder_rbd_extra_pools {
|
||||
|
|
|
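Review bot: The `unless` guard on the new `exec-setfacl-${cinder_rbd_client_name}-cinder-mask` resource is looser than the command it protects: `grep -q mask::r` also matches `mask::rw-` and `mask::rwx`, so a keyring whose mask is already wider than read-only is never brought to the `r` that `setfacl -m m::r` would set. If the intent is to pin the mask on this secret to read-only, anchor the check, e.g. `unless => "getfacl /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring | grep -q '^mask::r--$'"`. Before tightening it, confirm that whatever manages the file mode agrees, since a chmod of the group bits rewrites the mask and the two resources could otherwise undo each other on every run. The same guard appears in the glance, gnocchi, manila and nova hunks; the exec this one is chained to starts above the hunk.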
@ -190,6 +190,11 @@ class tripleo::profile::base::glance::api (
|
|||
command => "setfacl -m u:glance:r-- /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring",
|
||||
unless => "getfacl /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring | grep -q user:glance:r--",
|
||||
}
|
||||
-> exec{ "exec-setfacl-${glance_rbd_client_name}-glance-mask":
|
||||
path => ['/bin', '/usr/bin'],
|
||||
command => "setfacl -m m::r /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring",
|
||||
unless => "getfacl /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring | grep -q mask::r",
|
||||
}
|
||||
}
|
||||
'cinder': { $backend_store = 'cinder' }
|
||||
default: { fail('Unrecognized glance_backend parameter.') }
|
||||
|
|
|
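Review bot: Nothing next to `exec-setfacl-${glance_rbd_client_name}-glance-mask` records why a second exec is needed, and the reason is easy to miss: a named-user entry such as `u:glance:r--` is only effective up to the ACL mask, so a restrictive mask can leave the service unable to read the keyring while the first exec's `unless` still passes (presumably the case the commit title refers to). A one-line comment above the resource, for example `# The named-user ACL entry is capped by the mask; make sure the mask grants read.`, would keep a later cleanup from dropping it as redundant. The same comment fits the cinder, gnocchi, manila and nova hunks.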
@ -151,6 +151,11 @@ class tripleo::profile::base::gnocchi::api (
|
|||
command => "setfacl -m u:gnocchi:r-- /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring",
|
||||
unless => "getfacl /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring | grep -q user:gnocchi:r--",
|
||||
}
|
||||
-> exec{ "exec-setfacl-${gnocchi_rbd_client_name}-gnocchi-mask":
|
||||
path => ['/bin', '/usr/bin'],
|
||||
command => "setfacl -m m::r /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring",
|
||||
unless => "getfacl /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring | grep -q mask::r",
|
||||
}
|
||||
}
|
||||
default: { fail('Unrecognized gnocchi_backend parameter.') }
|
||||
}
|
||||
|
|
|
@ -147,6 +147,11 @@ class tripleo::profile::base::manila::share (
|
|||
command => "setfacl -m u:manila:r-- ${keyring_path}",
|
||||
unless => "getfacl ${keyring_path} | grep -q user:manila:r--",
|
||||
}
|
||||
-> exec{ "exec-setfacl-${cephfs_auth_id}-mask":
|
||||
path => ['/bin', '/usr/bin' ],
|
||||
command => "setfacl -m m::r ${keyring_path}",
|
||||
unless => "getfacl ${keyring_path} | grep -q mask::r",
|
||||
}
|
||||
}
|
||||
|
||||
# manila netapp:
|
||||
|
|
|
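Review bot: `${keyring_path}` is interpolated unquoted into both the `command` and the piped `unless` string of `exec-setfacl-${cephfs_auth_id}-mask`, and unlike the other profiles the path here is a variable rather than a fixed `/etc/ceph/...` name. The variable is assigned outside the hunk, so whether it can ever contain whitespace or shell metacharacters is not visible here; if it can, the string handed to the shell no longer means what the resource intends. Quoting it, `command => "setfacl -m m::r '${keyring_path}'"` and likewise in `unless`, or validating upstream that it is a plain absolute path, would remove the doubt. The neighbouring exec above the hunk presumably needs the same treatment.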
@ -42,6 +42,11 @@ class tripleo::profile::base::nova::compute_libvirt_shared (
|
|||
command => "setfacl -m u:nova:r-- /etc/ceph/ceph.client.${nova_rbd_client_name}.keyring",
|
||||
unless => "getfacl /etc/ceph/ceph.client.${nova_rbd_client_name}.keyring | grep -q user:nova:r--",
|
||||
}
|
||||
-> exec{ "exec-setfacl-${nova_rbd_client_name}-nova-mask":
|
||||
path => ['/bin', '/usr/bin'],
|
||||
command => "setfacl -m m::r /etc/ceph/ceph.client.${nova_rbd_client_name}.keyring",
|
||||
unless => "getfacl /etc/ceph/ceph.client.${nova_rbd_client_name}.keyring | grep -q mask::r",
|
||||
}
|
||||
}
|
||||
|
||||
if $rbd_ephemeral_storage {
|
||||
|
|
|
@ -190,6 +190,7 @@ describe 'tripleo::profile::base::cinder::volume' do
|
|||
:enabled_backends => ['tripleo_ceph']
|
||||
)
|
||||
is_expected.to contain_exec('exec-setfacl-openstack-cinder')
|
||||
is_expected.to contain_exec('exec-setfacl-openstack-cinder-mask')
|
||||
end
|
||||
context 'additional rbd pools' do
|
||||
# The list of additional rbd pools is not an input, but instead comes
|
||||
|
|
|
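Review bot: The added `contain_exec('exec-setfacl-openstack-cinder-mask')` asserts only that the resource exists, so a regression in its `command`, its `unless` guard or its ordering after the user-ACL exec would still pass. Consider pinning at least the command, e.g. `is_expected.to contain_exec('exec-setfacl-openstack-cinder-mask').with_command('setfacl -m m::r /etc/ceph/ceph.client.openstack.keyring')` (keyring name inferred from the resource title, so check it against the spec's params), and, if rspec-puppet resolves the `->` chain here, `.that_requires('Exec[exec-setfacl-openstack-cinder]')`. The gnocchi spec hunk has the same shape, and no spec change for the glance, manila or nova mask execs is visible on this page.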
@ -113,6 +113,7 @@ describe 'tripleo::profile::base::gnocchi::api' do
|
|||
)
|
||||
is_expected.to contain_class('gnocchi::storage::ceph')
|
||||
is_expected.to contain_exec('exec-setfacl-openstack-gnocchi')
|
||||
is_expected.to contain_exec('exec-setfacl-openstack-gnocchi-mask')
|
||||
}
|
||||
end
|
||||
|
||||
|
|