From 76fb1fb10aa3601c8a1ca659fae556ae4b578c6b Mon Sep 17 00:00:00 2001 From: Matthew Heler Date: Mon, 3 Dec 2018 10:40:12 -0600 Subject: [PATCH] Cephx caps update for new and post deployments The update makes sure the Openstack service's cephx user capabilities match best practices in terms of security permissions after a site or software update. Change-Id: I7c241cdb5d92463ac59c557ca7847ca5688d158b --- gnocchi/templates/bin/_storage-init.sh.tpl | 13 ++++++--- libvirt/templates/bin/_ceph-keyring.sh.tpl | 33 +++++++++++++--------- libvirt/templates/bin/_libvirt.sh.tpl | 2 +- 3 files changed, 30 insertions(+), 18 deletions(-) diff --git a/gnocchi/templates/bin/_storage-init.sh.tpl b/gnocchi/templates/bin/_storage-init.sh.tpl index 6013b0157..2d6d8a057 100644 --- a/gnocchi/templates/bin/_storage-init.sh.tpl +++ b/gnocchi/templates/bin/_storage-init.sh.tpl @@ -36,14 +36,19 @@ function ensure_pool () { ensure_pool ${RBD_POOL_NAME} ${RBD_POOL_CHUNK_SIZE} "gnocchi-metrics" if USERINFO=$(ceph auth get client.${RBD_POOL_USER}); then + echo "Cephx user client.${RBD_POOL_USER} already exist." + echo "Update its cephx caps" + ceph auth caps client.${RBD_POOL_USER} \ + mon "profile r" \ + osd "profile rwx pool=${RBD_POOL_NAME}" \ + mgr "allow r" KEYSTR=$(echo $USERINFO | sed 's/.*\( key = .*\) caps mon.*/\1/') echo $KEYSTR > ${KEYRING} else - #NOTE(Portdirect): Determine proper privs to assign keyring ceph auth get-or-create client.${RBD_POOL_USER} \ - mon "allow *" \ - osd "allow *" \ - mgr "allow *" \ + mon "profile r" \ + osd "profile rwx pool=${RBD_POOL_NAME}" \ + mgr "allow r" \ -o ${KEYRING} fi diff --git a/libvirt/templates/bin/_ceph-keyring.sh.tpl b/libvirt/templates/bin/_ceph-keyring.sh.tpl index 460bfcdb1..0cd536291 100644 --- a/libvirt/templates/bin/_ceph-keyring.sh.tpl +++ b/libvirt/templates/bin/_ceph-keyring.sh.tpl 
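Review bot: The `ceph auth caps client.${RBD_POOL_USER} ...` call added on the existing-user path has no failure handling, so if the caps update is rejected the script still writes the old key to `${KEYRING}` and carries on with whatever capabilities the user already had (previously `allow *`), which is the opposite of what this commit intends. Whether `set -e` is in force is not visible in this hunk, so I would make the check explicit: `ceph auth caps client.${RBD_POOL_USER} mon "profile r" osd "profile rwx pool=${RBD_POOL_NAME}" mgr "allow r" || { echo "failed to update caps for client.${RBD_POOL_USER}" >&2; exit 1; }`. The same three cap strings now appear in both branches of the `if`; putting them in variables set once above the `if` (e.g. `MON_CAPS="profile r"`) would keep the two paths from drifting apart in later edits. Minor wording: `already exist.` should read `already exists.`.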
@@ -20,19 +20,26 @@ set -ex export HOME=/tmp KEYRING=/etc/ceph/ceph.client.${CEPH_CINDER_USER}.keyring -{{- if .Values.conf.ceph.cinder.keyring }} -cat > ${KEYRING} < ${KEYRING} + else + echo "Creating Cephx user client.${CEPH_CINDER_USER}" + ceph auth get-or-create client.${CEPH_CINDER_USER} \ + mon "profile rbd" \ + osd "profile rbd" \ + -o ${KEYRING} + fi rm -f /etc/ceph/ceph.client.admin.keyring fi -{{- end }} diff --git a/libvirt/templates/bin/_libvirt.sh.tpl b/libvirt/templates/bin/_libvirt.sh.tpl index 24843bff5..8c31c03cb 100644 --- a/libvirt/templates/bin/_libvirt.sh.tpl +++ b/libvirt/templates/bin/_libvirt.sh.tpl @@ -127,7 +127,7 @@ if [ -n "${LIBVIRT_CEPH_CINDER_SECRET_UUID}" ] ; then done if [ -z "${CEPH_CINDER_KEYRING}" ] ; then - CEPH_CINDER_KEYRING=$(sed -n 's/^[[:space:]]*key[[:blank:]]\+=[[:space:]]\(.*\)/\1/p' /etc/ceph/ceph.client.${CEPH_CINDER_USER}.keyring) + CEPH_CINDER_KEYRING=$(awk '/key/{print $3}' /etc/ceph/ceph.client.${CEPH_CINDER_USER}.keyring) fi cat > ${tmpsecret} <
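Review bot: The new `ceph auth get-or-create client.${CEPH_CINDER_USER}` grants `osd "profile rbd"` with no `pool=` restriction, so unlike the gnocchi hunk in this same commit (which scopes the osd cap with `pool=${RBD_POOL_NAME}`) this user gets rbd access to every pool in the cluster. If the cinder/libvirt user only needs specific pools, I would scope it, e.g. `osd "profile rbd pool=<cinder-volumes-pool>"` (placeholder name), adding one `pool=` clause per pool it must reach, or otherwise leave a comment stating why cluster-wide rbd access is required here. The existing-user branch of this `if` is not readable in this rendering (the heredoc content appears to have been lost), so I cannot tell whether it refreshes caps with `ceph auth caps` the way the gnocchi script now does; if it does not, users created by earlier deployments with broader caps would keep them after the upgrade.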
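Review bot: The replacement `awk '/key/{print $3}'` matches any line containing the substring `key` anywhere, whereas the sed it replaces anchored on a `key =` entry at the start of the line; a keyring whose section header or user name contains `key` (`CEPH_CINDER_USER` is configurable) would emit an extra, possibly empty, record and corrupt `CEPH_CINDER_KEYRING`, which is then embedded in the libvirt secret. Matching on the first field keeps the awk form while restoring the old precision: `CEPH_CINDER_KEYRING=$(awk '$1 == "key" {print $3}' /etc/ceph/ceph.client.${CEPH_CINDER_USER}.keyring)`. The enclosing `if [ -n "${LIBVIRT_CEPH_CINDER_SECRET_UUID}" ]` block starts before this hunk, and the `cat > ${tmpsecret}` heredoc at its end runs past it.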