From bc39ac89d2242bfdce9094e9cb22ee63d293ce28 Mon Sep 17 00:00:00 2001
From: Alan Bishop
Date: Wed, 2 Jun 2021 12:52:48 -0700
Subject: [PATCH] Fix cinder's cephx keyring file permissions
This patch updates cinder's kolla permissions so that cinder can access any cephx keyring associated with CephExternalMultiConfig ceph clusters. The new approach parses the cluster names out of the CephExternalMultiConfig array, and uses a wildcard to grant access to all keys (regardless of the key name) defined for each cluster. There is no risk of the wildcard granting improper access to a privileged key (e.g. the admin key), because CephExternalMultiConfig doesn't include privileged keys. This patch replaces similar (but more restrictive) code added in I73af5b868de629870a35d38f8436e7025aae791e. That patch allowed cinder to access cephx keyrings associated with a new CinderRbdMultiConfig parameter, but it didn't cover all potential use cases. For example, in a DCN/Edge deployment, cinder services running at the edge need access to the central site's client key in order to perform operations like offline volume migration. NOTE (pre-Wallaby): The >= Wallaby versions of this patch tweaks code that was introduced in Wallaby by I73af5b868de629870a35d38f8436e7025aae791e. Pre-Wallaby versions of this patch _adds_ the tweaked code.
Closes-Bug: #1930620
Resolves: rhbz#1962304
Change-Id: I4423fcbd62b09ef323590fc740dd29e1a17777f5
(cherry picked from commit f1cd8006fec9f3f68cee21fc2139fb985b0b1fac)
(cherry picked from commit 74e3884b4a21a27262c48b4df8f0e369a5486f87)
Conflicts: deployment/cinder/cinder-common-container-puppet.yaml
---
 .../cinder-common-container-puppet.yaml | 71 +++++++++++++++----
 1 file changed, 56 insertions(+), 15 deletions(-)
diff --git a/deployment/cinder/cinder-common-container-puppet.yaml b/deployment/cinder/cinder-common-container-puppet.yaml
index e81b3f7c98..eb33afa2e4 100644
--- a/deployment/cinder/cinder-common-container-puppet.yaml
+++ b/deployment/cinder/cinder-common-container-puppet.yaml @@ -85,6 +85,34 @@ parameters: description: > The Ceph cluster name must be at least 1 character and contain only letters and numbers. + CephExternalMultiConfig: + type: json + hidden: true + description: | + List of maps describing extra overrides which will be applied when configuring + extra external Ceph clusters. If this list is non-empty, ceph-ansible will run + an extra count(list) times using the same parameters as the first run except + each parameter within each map will override the defaults. If the following + were used, the second run would configure the overcloud to also use the ceph2 + cluster with all the previous parameters except /etc/ceph/ceph2.conf would have + a mon_host entry containing the value of external_cluster_mon_ips below, and + not the default CephExternalMonHost. Subsequent ceph-ansible runs are restricted + to just ceph clients. CephExternalMultiConfig may not be used to deploy additional + internal Ceph clusters within one Heat stack. The map for each list should contain + not tripleo-heat-template parameters but ceph-ansible parameters. + - cluster: 'ceph2' + fsid: 'e2cba068-5f14-4b0f-b047-acf375c0004a' + external_cluster_mon_ips: '172.18.0.5,172.18.0.6,172.18.0.7' + keys: + - name: "client.openstack" + caps: + mgr: "allow *" + mon: "profile rbd" + osd: "osd: profile rbd pool=volumes, profile rbd pool=backups, profile rbd pool=vms, profile rbd pool=images" + key: "AQCwmeRcAAAAABAA6SQU/bGqFjlfLro5KxrB1Q==" + mode: "0600" + dashboard_enabled: false + default: [] conditions: 
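Review bot: The example inside the new CephExternalMultiConfig description writes the osd capability as `osd: "osd: profile rbd pool=volumes, profile rbd pool=backups, profile rbd pool=vms, profile rbd pool=images"`, repeating the `osd:` prefix inside the value, while the sibling `mgr` and `mon` caps carry no such prefix; this looks like a copy error that a deployer pasting the example would carry into the key's caps. If ceph-ansible expects the bare capability string (please confirm against its key format), the line should read `osd: "profile rbd pool=volumes, profile rbd pool=backups, profile rbd pool=vms, profile rbd pool=images"`. It would also help to state in the description that the `key` shown is a sample value only, since the parameter is marked `hidden: true` precisely because real entries carry cephx secrets, and to note that each `cluster` value must be a plain name (letters and numbers) because it is later substituted into a keyring path.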
@@ -159,21 +187,34 @@ outputs: cinder_common_kolla_permissions: description: Common kolla permissions for cinder-volume and cinder-backup services value: - - path: /var/log/cinder - owner: cinder:cinder - recurse: true - - path: - str_replace: - template: /etc/ceph/CLUSTER.client.USER.keyring - params: - CLUSTER: {get_param: CephClusterName} - USER: {get_param: CephClientUserName} - owner: cinder:cinder - perm: '0600' - - path: /etc/pki/tls/certs/etcd.crt - owner: cinder:cinder - - path: /etc/pki/tls/private/etcd.key - owner: cinder:cinder + list_concat: + - + - path: /var/log/cinder + owner: cinder:cinder + recurse: true + - path: + str_replace: + template: /etc/ceph/CLUSTER.client.USER.keyring + params: + CLUSTER: {get_param: CephClusterName} + USER: {get_param: CephClientUserName} + owner: cinder:cinder + perm: '0600' + - path: /etc/pki/tls/certs/etcd.crt + owner: cinder:cinder + - path: /etc/pki/tls/private/etcd.key + owner: cinder:cinder + - repeat: + template: + path: /etc/ceph/<%cluster%>.client.*.keyring + owner: cinder:cinder + perm: '0600' + for_each: + <%cluster%>: + yaql: + expression: $.data.multiconfig.select($.cluster) + data: + multiconfig: {get_param: CephExternalMultiConfig} cinder_volume_host_prep_tasks: description: Host prep tasks for the cinder-volume service (HA or non-HA)
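Review bot: The cluster names substituted into `path: /etc/ceph/<%cluster%>.client.*.keyring` come straight from `$.data.multiconfig.select($.cluster)` with no check equivalent to the letters-and-numbers rule this template states for CephClusterName, so the set of files chowned to cinder:cinder with mode 0600 is only as narrow as each operator-supplied `cluster` value. An entry whose `cluster` is missing or empty, or one containing path or glob characters, would widen the match in the same way the intended `*` wildcard does; the commit message's argument that no privileged key can be reached assumes each value is a plain cluster name. Consider skipping entries without a usable name, e.g. `expression: $.data.multiconfig.where($.cluster != null and $.cluster != '').select($.cluster)` (whether yaql yields null or raises for a map lacking the `cluster` key should be confirmed), and documenting the naming requirement on the CephExternalMultiConfig parameter. With the default `[]` the `repeat` produces no entries, so the empty case is already fine.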