Merge "Set restrictive file permissions on Ceph keyrings for non-containerized deployment"

2017-12-13 19:27:58 +00:00 · 2017-12-13 19:27:58 +00:00 · 5c4a5d2adb
commit 5c4a5d2adb
parent f5c9b0384a bdf1ade1b9
1 changed files with 6 additions and 2 deletions
--- a/puppet/services/ceph-base.yaml
+++ b/puppet/services/ceph-base.yaml
@ -137,7 +137,9 @@ outputs:
                cap_mon: 'allow profile bootstrap-osd'
              CEPH_CLIENT_KEY:
                secret: {get_param: CephClientKey}
-                mode: '0644'
+                mode: '0640'
+                user: 'ceph'
+                group: 'ceph'
                cap_mon: 'allow r'
                cap_osd:
                  str_replace:
@ -154,7 +156,9 @@ outputs:
                          # CinderRbdExtraPools is a list (do not indent further)
                          - {get_param: CinderRbdExtraPools}
              MANILA_CLIENT_KEY:
-                mode: '0644'
+                mode: '0640'
+                user: 'ceph'
+                group: 'ceph'
                secret: {get_param: CephManilaClientKey}
                cap_mon: 'allow r, allow command \"auth del\", allow command \"auth caps\", allow command \"auth get\", allow command \"auth get-or-create\"'
                cap_mds: 'allow *'