Merge "Ensure appropriate ACL mask is set on CephX keyrings"

2018-06-27 17:40:25 +00:00 · 2018-06-27 17:40:25 +00:00 · db844cf48a
parent 6f790d6241 2a59f98d78
commit db844cf48a
7 changed files with 27 additions and 0 deletions
--- a/manifests/profile/base/cinder/volume.pp
+++ b/manifests/profile/base/cinder/volume.pp
@ -205,6 +205,11 @@ class tripleo::profile::base::cinder::volume (
        command => "setfacl -m u:cinder:r-- /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring",
        unless  => "getfacl /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring | grep -q user:cinder:r--",
      }
+      -> exec{ "exec-setfacl-${cinder_rbd_client_name}-cinder-mask":
+        path    => ['/bin', '/usr/bin'],
+        command => "setfacl -m m::r /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring",
+        unless  => "getfacl /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring | grep -q mask::r",
+      }

      $cinder_rbd_extra_pools = hiera('tripleo::profile::base::cinder::volume::rbd::cinder_rbd_extra_pools', undef)
      if $cinder_rbd_extra_pools {
--- a/manifests/profile/base/glance/api.pp
+++ b/manifests/profile/base/glance/api.pp
@ -190,6 +190,11 @@ class tripleo::profile::base::glance::api (
            command => "setfacl -m u:glance:r-- /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring",
            unless  => "getfacl /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring | grep -q user:glance:r--",
          }
+          -> exec{ "exec-setfacl-${glance_rbd_client_name}-glance-mask":
+            path    => ['/bin', '/usr/bin'],
+            command => "setfacl -m m::r /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring",
+            unless  => "getfacl /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring | grep -q mask::r",
+          }
        }
        'cinder': { $backend_store = 'cinder' }
        default: { fail('Unrecognized glance_backend parameter.') }
--- a/manifests/profile/base/gnocchi/api.pp
+++ b/manifests/profile/base/gnocchi/api.pp
@ -151,6 +151,11 @@ class tripleo::profile::base::gnocchi::api (
          command => "setfacl -m u:gnocchi:r-- /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring",
          unless  => "getfacl /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring | grep -q user:gnocchi:r--",
        }
+        -> exec{ "exec-setfacl-${gnocchi_rbd_client_name}-gnocchi-mask":
+          path    => ['/bin', '/usr/bin'],
+          command => "setfacl -m m::r /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring",
+          unless  => "getfacl /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring | grep -q mask::r",
+        }
      }
      default: { fail('Unrecognized gnocchi_backend parameter.') }
    }
--- a/manifests/profile/base/manila/share.pp
+++ b/manifests/profile/base/manila/share.pp
@ -147,6 +147,11 @@ class tripleo::profile::base::manila::share (
        command => "setfacl -m u:manila:r-- ${keyring_path}",
        unless  => "getfacl ${keyring_path} | grep -q user:manila:r--",
      }
+      -> exec{ "exec-setfacl-${cephfs_auth_id}-mask":
+        path    => ['/bin', '/usr/bin' ],
+        command => "setfacl -m m::r ${keyring_path}",
+        unless  => "getfacl ${keyring_path} | grep -q mask::r",
+      }
    }

    # manila netapp:
--- a/manifests/profile/base/nova/compute_libvirt_shared.pp
+++ b/manifests/profile/base/nova/compute_libvirt_shared.pp
@ -42,6 +42,11 @@ class tripleo::profile::base::nova::compute_libvirt_shared (
        command => "setfacl -m u:nova:r-- /etc/ceph/ceph.client.${nova_rbd_client_name}.keyring",
        unless  => "getfacl /etc/ceph/ceph.client.${nova_rbd_client_name}.keyring | grep -q user:nova:r--",
      }
+      -> exec{ "exec-setfacl-${nova_rbd_client_name}-nova-mask":
+        path    => ['/bin', '/usr/bin'],
+        command => "setfacl -m m::r /etc/ceph/ceph.client.${nova_rbd_client_name}.keyring",
+        unless  => "getfacl /etc/ceph/ceph.client.${nova_rbd_client_name}.keyring | grep -q mask::r",
+      }
    }

    if $rbd_ephemeral_storage {
--- a/spec/classes/tripleo_profile_base_cinder_volume_spec.rb
+++ b/spec/classes/tripleo_profile_base_cinder_volume_spec.rb
@ -190,6 +190,7 @@ describe 'tripleo::profile::base::cinder::volume' do
            :enabled_backends => ['tripleo_ceph']
          )
          is_expected.to contain_exec('exec-setfacl-openstack-cinder')
+          is_expected.to contain_exec('exec-setfacl-openstack-cinder-mask')
        end
        context 'additional rbd pools' do
          # The list of additional rbd pools is not an input, but instead comes
--- a/spec/classes/tripleo_profile_base_gnocchi_api_spec.rb
+++ b/spec/classes/tripleo_profile_base_gnocchi_api_spec.rb
@ -113,6 +113,7 @@ describe 'tripleo::profile::base::gnocchi::api' do
        )
        is_expected.to contain_class('gnocchi::storage::ceph')
        is_expected.to contain_exec('exec-setfacl-openstack-gnocchi')
+        is_expected.to contain_exec('exec-setfacl-openstack-gnocchi-mask')
      }
    end