This patch updates cinder's kolla permissions so that cinder can
access any cephx keyring associated with CephExternalMultiConfig
ceph clusters. The new approach parses the cluster names out of the
CephExternalMultiConfig array, and uses a wildcard to grant access
to all keys (regardless of the key name) defined for each cluster.
There is no risk of the wildcard granting improper access to a
privileged key (e.g. the admin key), because CephExternalMultiConfig
doesn't include privileged keys.
This patch replaces similar (but more restrictive) code added in
I73af5b868de629870a35d38f8436e7025aae791e. That patch allowed cinder
to access cephx keyrings associated with a new CinderRbdMultiConfig
parameter, but it didn't cover all potential use cases. For example,
in a DCN/Edge deployment, cinder services running at the edge need
access to the central site's client key in order to perform operations
like offline volume migration.
NOTE (pre-Wallaby):
The >= Wallaby versions of this patch tweaks code that was introduced
in Wallaby by I73af5b868de629870a35d38f8436e7025aae791e. Pre-Wallaby
versions of this patch _adds_ the tweaked code.
Closes-Bug: #1930620
Resolves: rhbz#1962304
Change-Id: I4423fcbd62b09ef323590fc740dd29e1a17777f5
(cherry picked from commit f1cd8006fe)
(cherry picked from commit 74e3884b4a)
Conflicts:
deployment/cinder/cinder-common-container-puppet.yaml