Change ceph_client caps to use profile rbd

Using profiles in cephx is the recommended way since Mimic, this also adds support for blacklist ops. Change-Id: Ib9f65644637a5761c6cd7ca8925afc6bb2b8d5f5 Closes-Bug: #1760065
2019-10-09 14:17:03 +02:00 · 2019-10-09 14:17:03 +02:00 · bdc8df0c90
commit bdc8df0c90
parent 19bdba2b85
4 changed files with 23 additions and 28 deletions
--- a/ansible/roles/cinder/defaults/main.yml
+++ b/ansible/roles/cinder/defaults/main.yml
@ -70,22 +70,20 @@ cinder_backup_pool_pg_num: "{{ ceph_pool_pg_num }}"
 cinder_backup_pool_pgp_num: "{{ ceph_pool_pgp_num }}"
 ceph_client_cinder_keyring_caps:
-  mon: 'allow r'
+  mon: 'profile rbd'
  osd: >-
-    allow class-read object_prefix rbd_children,
+    profile rbd pool={{ ceph_cinder_pool_name }},
-    allow rwx pool={{ ceph_cinder_pool_name }},
+    profile rbd pool={{ ceph_nova_pool_name }},
-    allow rwx pool={{ ceph_cinder_pool_name }}-cache,
+    profile rbd pool={{ ceph_glance_pool_name }},
-    allow rwx pool={{ ceph_nova_pool_name }},
+    profile rbd pool={{ ceph_cinder_pool_name }}-cache,
-    allow rwx pool={{ ceph_nova_pool_name }}-cache,
+    profile rbd pool={{ ceph_nova_pool_name }}-cache,
-    allow rx pool={{ ceph_glance_pool_name }},
+    profile rbd pool={{ ceph_glance_pool_name }}-cache
    allow rx pool={{ ceph_glance_pool_name }}-cache
 ceph_client_cinder_backup_keyring_caps:
-  mon: 'allow r'
+  mon: 'profile rbd'
  osd: >-
-    allow class-read object_prefix rbd_children,
+    profile rbd pool={{ ceph_cinder_backup_pool_name }},
-    allow rwx pool={{ ceph_cinder_backup_pool_name }},
+    profile rbd pool={{ ceph_cinder_backup_pool_name }}-cache
    allow rwx pool={{ ceph_cinder_backup_pool_name }}-cache
 ####################
--- a/ansible/roles/glance/defaults/main.yml
+++ b/ansible/roles/glance/defaults/main.yml
@ -81,11 +81,10 @@ glance_pool_pg_num: "{{ ceph_pool_pg_num }}"
 glance_pool_pgp_num: "{{ ceph_pool_pgp_num }}"
 ceph_client_glance_keyring_caps:
-  mon: 'allow r'
+  mon: 'profile rbd'
  osd: >-
-    allow class-read object_prefix rbd_children,
+    profile rbd pool={{ ceph_glance_pool_name }},
-    allow rwx pool={{ ceph_glance_pool_name }},
+    profile rbd pool={{ ceph_glance_pool_name }}-cache
    allow rwx pool={{ ceph_glance_pool_name }}-cache
 ####################
--- a/ansible/roles/gnocchi/defaults/main.yml
+++ b/ansible/roles/gnocchi/defaults/main.yml
@ -51,11 +51,10 @@ gnocchi_pool_pg_num: "{{ ceph_pool_pg_num }}"
 gnocchi_pool_pgp_num: "{{ ceph_pool_pgp_num }}"
 ceph_client_gnocchi_keyring_caps:
-  mon: 'allow r'
+  mon: 'profile rbd'
  osd: >-
-    allow class-read object_prefix rbd_children,
+    profile rbd pool={{ ceph_gnocchi_pool_name }},
-    allow rwx pool={{ ceph_gnocchi_pool_name }},
+    profile rbd pool={{ ceph_gnocchi_pool_name }}-cache
    allow rwx pool={{ ceph_gnocchi_pool_name }}-cache
 ####################
--- a/ansible/roles/nova/defaults/main.yml
+++ b/ansible/roles/nova/defaults/main.yml
@ -175,15 +175,14 @@ nova_pool_pgp_num: "{{ ceph_pool_pgp_num }}"
 nova_hw_disk_discard: "unmap"
 ceph_client_nova_keyring_caps:
-  mon: 'allow r, allow command "osd blacklist"'
+  mon: 'profile rbd'
  osd: >-
-    allow class-read object_prefix rbd_children,
+    profile rbd pool={{ ceph_cinder_pool_name }},
-    allow rwx pool={{ ceph_cinder_pool_name }},
+    profile rbd pool={{ ceph_cinder_pool_name }}-cache,
-    allow rwx pool={{ ceph_cinder_pool_name }}-cache,
+    profile rbd pool={{ ceph_nova_pool_name }},
-    allow rwx pool={{ ceph_nova_pool_name }},
+    profile rbd pool={{ ceph_nova_pool_name }}-cache,
-    allow rwx pool={{ ceph_nova_pool_name }}-cache,
+    profile rbd pool={{ ceph_glance_pool_name }},
-    allow rwx pool={{ ceph_glance_pool_name }},
+    profile rbd pool={{ ceph_glance_pool_name }}-cache
    allow rwx pool={{ ceph_glance_pool_name }}-cache
 ####################