Cephx caps update for new and post deployments

The update makes sure the Openstack service's cephx user capabilities match best practices in terms of security permissions after a site or software update. Change-Id: I7c241cdb5d92463ac59c557ca7847ca5688d158b
2018-12-03 10:40:12 -06:00 · 2018-12-03 10:40:12 -06:00 · 76fb1fb10a
commit 76fb1fb10a
parent 2a0b183613
3 changed files with 30 additions and 18 deletions
--- a/gnocchi/templates/bin/_storage-init.sh.tpl
+++ b/gnocchi/templates/bin/_storage-init.sh.tpl
@ -36,14 +36,19 @@ function ensure_pool () {
 ensure_pool ${RBD_POOL_NAME} ${RBD_POOL_CHUNK_SIZE} "gnocchi-metrics"

 if USERINFO=$(ceph auth get client.${RBD_POOL_USER}); then
+  echo "Cephx user client.${RBD_POOL_USER} already exist."
+  echo "Update its cephx caps"
+  ceph auth caps client.${RBD_POOL_USER} \
+    mon "profile r" \
+    osd "profile rwx pool=${RBD_POOL_NAME}" \
+    mgr "allow r"
  KEYSTR=$(echo $USERINFO | sed 's/.*\( key = .*\) caps mon.*/\1/')
  echo $KEYSTR  > ${KEYRING}
 else
-  #NOTE(Portdirect): Determine proper privs to assign keyring
  ceph auth get-or-create client.${RBD_POOL_USER} \
-    mon "allow *" \
-    osd "allow *" \
-    mgr "allow *" \
+    mon "profile r" \
+    osd "profile rwx pool=${RBD_POOL_NAME}" \
+    mgr "allow r" \
    -o ${KEYRING}
 fi

--- a/libvirt/templates/bin/_ceph-keyring.sh.tpl
+++ b/libvirt/templates/bin/_ceph-keyring.sh.tpl
@ -20,19 +20,26 @@ set -ex
 export HOME=/tmp

 KEYRING=/etc/ceph/ceph.client.${CEPH_CINDER_USER}.keyring
-{{- if .Values.conf.ceph.cinder.keyring }}
-cat > ${KEYRING} <<EOF
-[client.{{ .Values.conf.ceph.cinder.user }}]
-    key = {{ .Values.conf.ceph.cinder.keyring }}
-EOF
-{{- else }}
 if ! [ "x${CEPH_CINDER_USER}" == "xadmin" ]; then
-  #NOTE(JCL): Restrict access to the cluster to only what is needed. MON Read only and RBD access.
-  ceph auth get-or-create client.${CEPH_CINDER_USER} \
-    mon "profile rbd" \
-    osd "profile rbd" \
-    -o ${KEYRING}
-
+  #
+  # If user is not client.admin, check if it already exists. If not create
+  # the user. If the cephx user does not exist make sure the caps are set
+  # according to best practices
+  #
+  if USERINFO=$(ceph auth get client.${CEPH_CINDER_USER}); then
+    echo "Cephx user client.${CEPH_CINDER_USER} already exist"
+    echo "Update user client.${CEPH_CINDER_USER} caps"
+    ceph auth caps client.${CEPH_CINDER_USER} \
+       mon "profile rbd" \
+       osd "profile rbd"
+    KEYSTR=$(echo $USERINFO | sed 's/.*\( key = .*\) caps mon.*/\1/')
+    echo $KEYSTR > ${KEYRING}
+  else
+    echo "Creating Cephx user client.${CEPH_CINDER_USER}"
+    ceph auth get-or-create client.${CEPH_CINDER_USER} \
+      mon "profile rbd" \
+      osd "profile rbd" \
+      -o ${KEYRING}
+  fi
  rm -f /etc/ceph/ceph.client.admin.keyring
 fi
-{{- end }}
--- a/libvirt/templates/bin/_libvirt.sh.tpl
+++ b/libvirt/templates/bin/_libvirt.sh.tpl
@ -127,7 +127,7 @@ if [ -n "${LIBVIRT_CEPH_CINDER_SECRET_UUID}" ] ; then
  done

  if [ -z "${CEPH_CINDER_KEYRING}" ] ; then
-    CEPH_CINDER_KEYRING=$(sed -n 's/^[[:space:]]*key[[:blank:]]\+=[[:space:]]\(.*\)/\1/p' /etc/ceph/ceph.client.${CEPH_CINDER_USER}.keyring)
+    CEPH_CINDER_KEYRING=$(awk '/key/{print $3}' /etc/ceph/ceph.client.${CEPH_CINDER_USER}.keyring)
  fi

  cat > ${tmpsecret} <<EOF