From bdc8df0c9066aadd442b6f63db5daec6dcda96f1 Mon Sep 17 00:00:00 2001
From: Michal Nasiadka
Date: Wed, 9 Oct 2019 14:17:03 +0200
Subject: [PATCH] Change ceph_client caps to use profile rbd
Using profiles in cephx is the recommended way since Mimic, this also adds support for blacklist ops.
Change-Id: Ib9f65644637a5761c6cd7ca8925afc6bb2b8d5f5
Closes-Bug: #1760065
---
ansible/roles/cinder/defaults/main.yml | 22 ++++++++++------------
ansible/roles/glance/defaults/main.yml | 7 +++----
ansible/roles/gnocchi/defaults/main.yml | 7 +++----
ansible/roles/nova/defaults/main.yml | 15 +++++++--------
4 files changed, 23 insertions(+), 28 deletions(-)
diff --git a/ansible/roles/cinder/defaults/main.yml b/ansible/roles/cinder/defaults/main.yml
index 5803f4d5d8..44f01eedac 100644
--- a/ansible/roles/cinder/defaults/main.yml
+++ b/ansible/roles/cinder/defaults/main.yml
@@ -70,22 +70,20 @@ cinder_backup_pool_pg_num: "{{ ceph_pool_pg_num }}"
cinder_backup_pool_pgp_num: "{{ ceph_pool_pgp_num }}"
ceph_client_cinder_keyring_caps:
- mon: 'allow r'
+ mon: 'profile rbd'
osd: >-
- allow class-read object_prefix rbd_children,
- allow rwx pool={{ ceph_cinder_pool_name }},
- allow rwx pool={{ ceph_cinder_pool_name }}-cache,
- allow rwx pool={{ ceph_nova_pool_name }},
- allow rwx pool={{ ceph_nova_pool_name }}-cache,
- allow rx pool={{ ceph_glance_pool_name }},
- allow rx pool={{ ceph_glance_pool_name }}-cache
+ profile rbd pool={{ ceph_cinder_pool_name }},
+ profile rbd pool={{ ceph_nova_pool_name }},
+ profile rbd pool={{ ceph_glance_pool_name }},
+ profile rbd pool={{ ceph_cinder_pool_name }}-cache,
+ profile rbd pool={{ ceph_nova_pool_name }}-cache,
+ profile rbd pool={{ ceph_glance_pool_name }}-cache
ceph_client_cinder_backup_keyring_caps:
- mon: 'allow r'
+ mon: 'profile rbd'
osd: >-
- allow class-read object_prefix rbd_children,
- allow rwx pool={{ ceph_cinder_backup_pool_name }},
- allow rwx pool={{ ceph_cinder_backup_pool_name }}-cache
+ profile rbd pool={{ ceph_cinder_backup_pool_name }},
+ profile rbd pool={{ ceph_cinder_backup_pool_name }}-cache
####################
diff --git a/ansible/roles/glance/defaults/main.yml b/ansible/roles/glance/defaults/main.yml
index 1bd18accb7..c71f793874 100644
--- a/ansible/roles/glance/defaults/main.yml
+++ b/ansible/roles/glance/defaults/main.yml
@@ -81,11 +81,10 @@ glance_pool_pg_num: "{{ ceph_pool_pg_num }}"
glance_pool_pgp_num: "{{ ceph_pool_pgp_num }}"
ceph_client_glance_keyring_caps:
- mon: 'allow r'
+ mon: 'profile rbd'
osd: >-
- allow class-read object_prefix rbd_children,
- allow rwx pool={{ ceph_glance_pool_name }},
- allow rwx pool={{ ceph_glance_pool_name }}-cache
+ profile rbd pool={{ ceph_glance_pool_name }},
+ profile rbd pool={{ ceph_glance_pool_name }}-cache
####################
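Review bot: The cinder key's access to the Glance pool widens from read-only to read-write in the first `osd` list of this hunk. The removed lines granted `allow rx pool={{ ceph_glance_pool_name }}` (and the `-cache` variant), while the added lines use `profile rbd`, which includes write access to the named pool. If Cinder only reads and clones images from that pool, the read-only profile keeps the previous boundary: `profile rbd-read-only pool={{ ceph_glance_pool_name }},` and `profile rbd-read-only pool={{ ceph_glance_pool_name }}-cache`. Whether the read-only profile is sufficient on the cache-tier pool is not something this diff shows and should be tested.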
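Review bot: Changing `ceph_client_glance_keyring_caps` in the role defaults does not by itself show that keys already present on a running cluster receive the new caps; the task that creates or updates the keyrings is outside this diff. If that task only creates missing keys, upgraded deployments would keep `mon 'allow r'` and the behaviour described in the referenced bug would remain for them. It is worth confirming that the keyring task re-applies caps to existing keys, or adding a release note that tells operators to update them. The same question applies to the cinder, gnocchi and nova hunks.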
diff --git a/ansible/roles/gnocchi/defaults/main.yml b/ansible/roles/gnocchi/defaults/main.yml
index e8ebc13501..0a1cb29ed6 100644
--- a/ansible/roles/gnocchi/defaults/main.yml
+++ b/ansible/roles/gnocchi/defaults/main.yml
@@ -51,11 +51,10 @@ gnocchi_pool_pg_num: "{{ ceph_pool_pg_num }}"
gnocchi_pool_pgp_num: "{{ ceph_pool_pgp_num }}"
ceph_client_gnocchi_keyring_caps:
- mon: 'allow r'
+ mon: 'profile rbd'
osd: >-
- allow class-read object_prefix rbd_children,
- allow rwx pool={{ ceph_gnocchi_pool_name }},
- allow rwx pool={{ ceph_gnocchi_pool_name }}-cache
+ profile rbd pool={{ ceph_gnocchi_pool_name }},
+ profile rbd pool={{ ceph_gnocchi_pool_name }}-cache
####################
diff --git a/ansible/roles/nova/defaults/main.yml b/ansible/roles/nova/defaults/main.yml
index 8517eb8ec1..71cf51614c 100644
--- a/ansible/roles/nova/defaults/main.yml
+++ b/ansible/roles/nova/defaults/main.yml
@@ -175,15 +175,14 @@ nova_pool_pgp_num: "{{ ceph_pool_pgp_num }}"
nova_hw_disk_discard: "unmap"
ceph_client_nova_keyring_caps:
- mon: 'allow r, allow command "osd blacklist"'
+ mon: 'profile rbd'
osd: >-
- allow class-read object_prefix rbd_children,
- allow rwx pool={{ ceph_cinder_pool_name }},
- allow rwx pool={{ ceph_cinder_pool_name }}-cache,
- allow rwx pool={{ ceph_nova_pool_name }},
- allow rwx pool={{ ceph_nova_pool_name }}-cache,
- allow rwx pool={{ ceph_glance_pool_name }},
- allow rwx pool={{ ceph_glance_pool_name }}-cache
+ profile rbd pool={{ ceph_cinder_pool_name }},
+ profile rbd pool={{ ceph_cinder_pool_name }}-cache,
+ profile rbd pool={{ ceph_nova_pool_name }},
+ profile rbd pool={{ ceph_nova_pool_name }}-cache,
+ profile rbd pool={{ ceph_glance_pool_name }},
+ profile rbd pool={{ ceph_glance_pool_name }}-cache
####################
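Review bot: `ceph_client_gnocchi_keyring_caps` now uses an RBD profile for a client that, as far as I know, stores its data as plain RADOS objects rather than RBD images. On the mon side `profile rbd` also carries the blacklist permission, which this key did not have before and has no apparent use for. Unless Gnocchi was observed to need it, keeping this key on explicit caps is the narrower choice: `mon: 'allow r'` with `allow rwx pool={{ ceph_gnocchi_pool_name }},` and `allow rwx pool={{ ceph_gnocchi_pool_name }}-cache`.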
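Review bot: The explicit `allow command "osd blacklist"` grant in `ceph_client_nova_keyring_caps` is now implicit in `mon: 'profile rbd'`, and nothing in the file records that. A later edit that narrows the mon cap back to `allow r` would drop the permission again without any visible sign. A comment above the `mon:` line would record the dependency, for example `# 'profile rbd' includes the blacklist permission used to break stale RBD locks`.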