From 2a59f98d78a046516d2013308e1be4fa0cf7f068 Mon Sep 17 00:00:00 2001
From: Giulio Fidente
Date: Thu, 7 Jun 2018 11:08:59 +0200
Subject: [PATCH] Ensure appropriate ACL mask is set on CephX keyrings

Changing group permissions alters the ACL mask, causing the "read" permission we set explicitly for the openstack users to be ignored. This change ensures "read" is set for the ACLs mask.

Change-Id: I4f94a3f7ab2c55a8c45363b8354be99d52980a7b
Closes-Bug: 1775549
---
 manifests/profile/base/cinder/volume.pp | 5 +++++
 manifests/profile/base/glance/api.pp | 5 +++++
 manifests/profile/base/gnocchi/api.pp | 5 +++++
 manifests/profile/base/manila/share.pp | 5 +++++
 manifests/profile/base/nova/compute_libvirt_shared.pp | 5 +++++
 spec/classes/tripleo_profile_base_cinder_volume_spec.rb | 1 +
 spec/classes/tripleo_profile_base_gnocchi_api_spec.rb | 1 +
 7 files changed, 27 insertions(+)

diff --git a/manifests/profile/base/cinder/volume.pp b/manifests/profile/base/cinder/volume.pp
index bc5054543..2c8ea05c3 100644
--- a/manifests/profile/base/cinder/volume.pp
+++ b/manifests/profile/base/cinder/volume.pp
@@ -205,6 +205,11 @@ class tripleo::profile::base::cinder::volume (
 command => "setfacl -m u:cinder:r-- /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring",
 unless => "getfacl /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring | grep -q user:cinder:r--",
 }
+ -> exec{ "exec-setfacl-${cinder_rbd_client_name}-cinder-mask":
+ path => ['/bin', '/usr/bin'],
+ command => "setfacl -m m::r /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring",
+ unless => "getfacl /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring | grep -q mask::r",
+ }
 $cinder_rbd_extra_pools = hiera('tripleo::profile::base::cinder::volume::rbd::cinder_rbd_extra_pools', undef)
 if $cinder_rbd_extra_pools {
diff --git a/manifests/profile/base/glance/api.pp b/manifests/profile/base/glance/api.pp
index 4c9d566d2..8be67d16d 100644
--- a/manifests/profile/base/glance/api.pp
+++ b/manifests/profile/base/glance/api.pp
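Review bot: The new mask exec is chained only after the user-ACL exec via `->`, not after whatever resource changes the keyring's group permissions and thereby rewrites the mask (the commit message names that as the trigger, but the resource itself is not in this hunk); if that change is applied later in the catalog run, the mask is reset again and this exec re-fires on every run. Ordering the mask exec after the resource that manages the keyring's group/mode, or giving that resource a mode whose group bits already include read so the stat group bits and the mask agree, would make the fix stable; the same applies to the glance, gnocchi, manila and nova hunks. The `unless` pattern `grep -q mask::r` also matches `mask::rw-` and `mask::rwx`, which is acceptable because read stays effective in each case, but a one-line comment above the exec would save the next reader that check: `# mask::r also matches rw-/rwx; any of them keeps the read bit effective`. Setting the mask to `r--` also caps the owning group's effective rights at read, which is the intended least-privilege outcome for a keyring but is worth stating in that comment. The enclosing class body continues outside the hunk.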
@@ -190,6 +190,11 @@ class tripleo::profile::base::glance::api (
 command => "setfacl -m u:glance:r-- /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring",
 unless => "getfacl /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring | grep -q user:glance:r--",
 }
+ -> exec{ "exec-setfacl-${glance_rbd_client_name}-glance-mask":
+ path => ['/bin', '/usr/bin'],
+ command => "setfacl -m m::r /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring",
+ unless => "getfacl /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring | grep -q mask::r",
+ }
 }
 'cinder': { $backend_store = 'cinder' }
 default: { fail('Unrecognized glance_backend parameter.') }
diff --git a/manifests/profile/base/gnocchi/api.pp b/manifests/profile/base/gnocchi/api.pp
index 687911b60..5c33a3fb5 100644
--- a/manifests/profile/base/gnocchi/api.pp
+++ b/manifests/profile/base/gnocchi/api.pp
@@ -151,6 +151,11 @@ class tripleo::profile::base::gnocchi::api (
 command => "setfacl -m u:gnocchi:r-- /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring",
 unless => "getfacl /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring | grep -q user:gnocchi:r--",
 }
+ -> exec{ "exec-setfacl-${gnocchi_rbd_client_name}-gnocchi-mask":
+ path => ['/bin', '/usr/bin'],
+ command => "setfacl -m m::r /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring",
+ unless => "getfacl /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring | grep -q mask::r",
+ }
 }
 default: { fail('Unrecognized gnocchi_backend parameter.') }
 }
diff --git a/manifests/profile/base/manila/share.pp b/manifests/profile/base/manila/share.pp
index 9731345f2..90fc2354a 100644
--- a/manifests/profile/base/manila/share.pp
+++ b/manifests/profile/base/manila/share.pp
@@ -147,6 +147,11 @@ class tripleo::profile::base::manila::share (
 command => "setfacl -m u:manila:r-- ${keyring_path}",
 unless => "getfacl ${keyring_path} | grep -q user:manila:r--",
 }
+ -> exec{ "exec-setfacl-${cephfs_auth_id}-mask":
+ path => ['/bin', '/usr/bin' ],
+ command => "setfacl -m m::r ${keyring_path}",
+ unless => "getfacl ${keyring_path} | grep -q mask::r",
+ }
 }
 # manila netapp:
diff --git a/manifests/profile/base/nova/compute_libvirt_shared.pp b/manifests/profile/base/nova/compute_libvirt_shared.pp
index e9bb932ed..23378112e 100644
--- a/manifests/profile/base/nova/compute_libvirt_shared.pp
+++ b/manifests/profile/base/nova/compute_libvirt_shared.pp
@@ -42,6 +42,11 @@ class tripleo::profile::base::nova::compute_libvirt_shared (
 command => "setfacl -m u:nova:r-- /etc/ceph/ceph.client.${nova_rbd_client_name}.keyring",
 unless => "getfacl /etc/ceph/ceph.client.${nova_rbd_client_name}.keyring | grep -q user:nova:r--",
 }
+ -> exec{ "exec-setfacl-${nova_rbd_client_name}-nova-mask":
+ path => ['/bin', '/usr/bin'],
+ command => "setfacl -m m::r /etc/ceph/ceph.client.${nova_rbd_client_name}.keyring",
+ unless => "getfacl /etc/ceph/ceph.client.${nova_rbd_client_name}.keyring | grep -q mask::r",
+ }
 }
 if $rbd_ephemeral_storage {
diff --git a/spec/classes/tripleo_profile_base_cinder_volume_spec.rb b/spec/classes/tripleo_profile_base_cinder_volume_spec.rb
index 371fc9d0d..6a842fdaa 100644
--- a/spec/classes/tripleo_profile_base_cinder_volume_spec.rb
+++ b/spec/classes/tripleo_profile_base_cinder_volume_spec.rb
@@ -190,6 +190,7 @@ describe 'tripleo::profile::base::cinder::volume' do
 :enabled_backends => ['tripleo_ceph']
 )
 is_expected.to contain_exec('exec-setfacl-openstack-cinder')
+ is_expected.to contain_exec('exec-setfacl-openstack-cinder-mask')
 end
 context 'additional rbd pools' do
 # The list of additional rbd pools is not an input, but instead comes
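Review bot: The `path` array in the manila mask exec has a stray space before the closing bracket, `path => ['/bin', '/usr/bin' ],`, while the cinder, glance, gnocchi and nova hunks write `path => ['/bin', '/usr/bin'],`; it should match them. The resource title `exec-setfacl-${cephfs_auth_id}-mask` also omits the `-<service>` component the other four titles carry (`-cinder-mask`, `-nova-mask`, …); that is presumably consistent with the existing manila user exec's title, which is outside the hunk, but worth confirming since the specs assert on these titles. The enclosing class body continues outside the hunk.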
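Review bot: Only the cinder spec (here) and the gnocchi spec gain an expectation for the new `-mask` exec; the glance, manila and nova manifests add the same resource but this patch carries no matching `contain_exec('…-mask')` expectation for them, so a regression in those three would pass unnoticed (assuming their spec files exist, which the diff does not show). Add the corresponding line beside each existing `exec-setfacl-openstack-<service>` assertion, for example `is_expected.to contain_exec('exec-setfacl-openstack-nova-mask')` (constructed from the nova resource title pattern). The enclosing `it` block starts outside the hunk.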
diff --git a/spec/classes/tripleo_profile_base_gnocchi_api_spec.rb b/spec/classes/tripleo_profile_base_gnocchi_api_spec.rb
index f85ff4578..322f015fe 100644
--- a/spec/classes/tripleo_profile_base_gnocchi_api_spec.rb
+++ b/spec/classes/tripleo_profile_base_gnocchi_api_spec.rb
@@ -113,6 +113,7 @@ describe 'tripleo::profile::base::gnocchi::api' do
 )
 is_expected.to contain_class('gnocchi::storage::ceph')
 is_expected.to contain_exec('exec-setfacl-openstack-gnocchi')
+ is_expected.to contain_exec('exec-setfacl-openstack-gnocchi-mask')
 }
 end