Merge pull request #403 from enovance/bug/402/emilien

Improve Ceph Keyring files management

manifests/compute/hypervisor.pp

@@ -141,13 +141,26 @@ Host *
     Exec <<| tag == 'get_or_set_virsh_secret' |>>
     Exec <<| tag == 'set_secret_value_virsh' |>>
 
+    # Configure Ceph keyring
     Ceph::Key <<| title == $cinder_rbd_user |>>
-    file { "/etc/ceph/ceph.client.${cinder_rbd_user}.keyring":
+
-      owner   => 'nova',
+    # If Cinder & Nova reside on the same node, we need a group
-      group   => 'nova',
+    # where nova & cinder users have read permissions.
-      mode    => '0400',
+    ensure_resource('group', 'cephkeyring', {
-      require => Ceph::Key[$cinder_rbd_user]
+      ensure => 'present'
-    }
+    })
+
+    @user { 'nova': groups => 'cephkeyring' }
+    User <| title == nova |>
+    realize User[nova]
+
+    ensure_resource('file', "/etc/ceph/ceph.client.${cinder_rbd_user}.keyring", {
+      owner   => 'root',
+      group   => 'cephkeyring',
+      mode    => '0440',
+      require => Ceph::Key[$cinder_rbd_user],
+    })
+
     Concat::Fragment <<| title == 'ceph-client-os' |>>
   } else {
     $libvirt_disk_cachemodes_real = []

manifests/volume/backend/rbd.pp

@@ -73,12 +73,24 @@ define cloud::volume::backend::rbd (
 
   # Configure Ceph keyring
   Ceph::Key <<| title == $rbd_user |>>
-  ensure_resource('file', "/etc/ceph/ceph.client.${rbd_user}.keyring", {
+
-    owner   => 'cinder',
+  # If Cinder & Nova reside on the same node, we need a group
-    group   => 'cinder',
+  # where nova & cinder users have read permissions.
-    mode    => '0400',
+  ensure_resource('group', 'cephkeyring', {
-    require => "Ceph::Key[${rbd_user}]",
+    ensure => 'present'
   })
+
+  @user { 'cinder': groups => 'cephkeyring' }
+  User <| title == cinder |>
+  realize User[cinder]
+
+  ensure_resource('file', "/etc/ceph/ceph.client.${rbd_user}.keyring", {
+    owner   => 'root',
+    group   => 'cephkeyring',
+    mode    => '0440',
+    require => Ceph::Key[$rbd_user],
+  })
+
   Concat::Fragment <<| title == 'ceph-client-os' |>>
 
   @cinder::type { $volume_backend_name:

spec/classes/cloud_compute_hypervisor_spec.rb

@@ -233,12 +233,13 @@ describe 'cloud::compute::hypervisor' do
       should contain_class('ceilometer::agent::compute')
     end
 
-    it 'configure nova-conpute to support RBD backend' do
+    it 'configure nova-compute to support RBD backend' do
       should contain_nova_config('DEFAULT/libvirt_images_type').with('value' => 'rbd')
       should contain_nova_config('DEFAULT/libvirt_images_rbd_pool').with('value' => 'nova')
       should contain_nova_config('DEFAULT/libvirt_images_rbd_ceph_conf').with('value' => '/etc/ceph/ceph.conf')
       should contain_nova_config('DEFAULT/rbd_user').with('value' => 'cinder')
       should contain_nova_config('DEFAULT/rbd_secret_uuid').with('value' => 'secrete')
+      should contain_group('cephkeyring').with(:ensure => 'present')
     end
 
     it 'configure nova-compute with extra parameters' do

spec/classes/cloud_volume_controller_spec.rb

@@ -100,7 +100,7 @@ describe 'cloud::volume::controller' do
           :default_volume_type  => nil
         )
       end
-      xit 'should raise an error and fail' do
+      it 'should raise an error and fail' do
         should compile.and_raise_error(/when using multi-backend, you should define a default_volume_type value in cloud::volume::controller/)
       end
     end

spec/classes/cloud_volume_storage_spec.rb

@@ -106,6 +106,7 @@ describe 'cloud::volume::storage' do
           :os_password    => 'secret',
           :os_auth_url    => 'http://keystone.host:5000/v2.0'
         )
+        should contain_group('cephkeyring').with(:ensure => 'present')
       end
     end