Document ceph dashboard Safe mode feature

The Ceph dashboard is deployed using read-only privileges
for admin user, so no ceph cluster changes can be made
(e.g., pool creation).
The purpose of this new paragraph is to document the Safe
mode feature and how to alter the behaviour of the admin
user, providing fully administrative privileges.

Change-Id: Id98f49fd314ae4521fb73c26fae5bfaeea1abc4d
Signed-off-by: Francesco Pantano <fpantano@redhat.com>
This commit is contained in:
Francesco Pantano 2020-04-20 11:04:00 +02:00
parent 9814a1a906
commit f907d0af58
No known key found for this signature in database
GPG Key ID: 799868C47301D458
1 changed files with 22 additions and 4 deletions

View File

@ -644,9 +644,9 @@ When the deployment has been completed the Ceph dashboard containers,
including prometheus and grafana, will be running on the controller nodes
and will be accessible using the port 3100 for grafana and 9092 for prometheus;
since this service is only internal and doesnt listen on the public vip, users
can reach grafana on the ceph storage network vip, and access the exposed ceph
dashboard using the controller provisioning network vip on the specified port (
8444 is the default for a generic overcloud deployment).
can reach both grafana and the exposed ceph dashboard using the controller
provisioning network vip on the specified port (8444 is the default for a generic
overcloud deployment).
The resulting deployment will be composed by an external stack made by grafana,
prometheus, alertmanager, node-exporter containers and the ceph dashboard mgr
module that acts as the backend for this external stack, embedding the grafana
@ -655,7 +655,25 @@ The Ceph Dashboard frontend is fully integrated with the tls-everywhere framewor
hence providing the tls environments files will trigger the certificate request for
both grafana and the ceph dashboard: the generated crt and key files are then passed
to ceph-ansible.
This feature will also work with composable networks.
The Ceph Dashboard admin user role is set to `read-only` mode by default for safe
monitoring of the Ceph cluster. To permit an admin user to have elevated privileges
to alter elements of the Ceph cluster with the Dashboard, the operator can change the
default.
For this purpose, TripleO exposes a parameter that can be used to change the Ceph
Dashboard admin default mode.
Log in to the undercloud as `stack` user and create the `ceph_dashboard_admin.yaml`
environment file with the following content::
parameter_defaults:
CephDashboardAdminRO: false
Run the overcloud deploy command to update the existing stack and include the environment
file created with all other environment files that are already part of the existing
deployment::
openstack overcloud deploy --templates -e <existing_overcloud_environment_files> -e ceph_dashboard_admin.yml
The ceph dashboard will also work with composable networks.
In order to isolate the monitoring access for security purposes, operators can
take advantage of composable networks and access the dashboard through a separate
network vip. By doing this, it's not necessary to access the provisioning network