Restrict Cinder, Glance and libvirt Ceph access scope.
Depends-On: I78bffe6764e9cbb16b2a615be766c910ba5d4e48 Change-Id: I112f2d9137f00ab2d0c246b6c0b52e4a546d648a
This commit is contained in:
parent
9d72fe1a50
commit
1cb646e7d1
@ -51,10 +51,10 @@ elif [ "x$STORAGE_BACKEND" == "xcinder.backup.drivers.ceph" ]; then
|
||||
echo $KEYSTR > ${KEYRING}
|
||||
else
|
||||
#NOTE(Portdirect): Determine proper privs to assign keyring
|
||||
#NOTE(JCL): Adjusted permissions for cinder backup.
|
||||
ceph auth get-or-create client.${RBD_POOL_USER} \
|
||||
mon "allow *" \
|
||||
osd "allow *" \
|
||||
mgr "allow *" \
|
||||
mon "profile rbd" \
|
||||
osd "profile rbd pool=${RBD_POOL_NAME}" \
|
||||
-o ${KEYRING}
|
||||
fi
|
||||
|
||||
|
@ -48,10 +48,10 @@ if [ "x$STORAGE_BACKEND" == "xcinder.volume.drivers.rbd.RBDDriver" ]; then
|
||||
echo $KEYSTR > ${KEYRING}
|
||||
else
|
||||
#NOTE(Portdirect): Determine proper privs to assign keyring
|
||||
#NOTE(JCL): Restrict Cinder permissions to what is needed. MON Read only and RBD access to Cinder pool only.
|
||||
ceph auth get-or-create client.${RBD_POOL_USER} \
|
||||
mon "allow *" \
|
||||
osd "allow *" \
|
||||
mgr "allow *" \
|
||||
mon "profile rbd" \
|
||||
osd "profile rbd" \
|
||||
-o ${KEYRING}
|
||||
fi
|
||||
|
||||
|
@ -55,10 +55,10 @@ elif [ "x$STORAGE_BACKEND" == "xrbd" ]; then
|
||||
echo "${KEYSTR}" > "${KEYRING}"
|
||||
else
|
||||
#NOTE(Portdirect): Determine proper privs to assign keyring
|
||||
#NOTE(JCL): Restrict Glance user to only what is needed. MON Read only and RBD access to the Glance Pool
|
||||
ceph auth get-or-create "client.${RBD_POOL_USER}" \
|
||||
mon "allow *" \
|
||||
osd "allow *" \
|
||||
mgr "allow *" \
|
||||
mon "profile rbd" \
|
||||
osd "profile rbd pool=${RBD_POOL_NAME}" \
|
||||
-o "${KEYRING}"
|
||||
fi
|
||||
|
||||
|
@ -28,10 +28,10 @@ EOF
|
||||
{{- else }}
|
||||
if ! [ "x${CEPH_CINDER_USER}" == "xadmin" ]; then
|
||||
#NOTE(Portdirect): Determine proper privs to assign keyring
|
||||
#NOTE(JCL): Restrict permissions to what is needed. So MON Read only and RBD access.
|
||||
ceph auth get-or-create client.${CEPH_CINDER_USER} \
|
||||
mon "allow *" \
|
||||
osd "allow *" \
|
||||
mgr "allow *" \
|
||||
mon "profile rbd" \
|
||||
osd "profile rbd" \
|
||||
-o ${KEYRING}
|
||||
|
||||
rm -f /etc/ceph/ceph.client.admin.keyring
|
||||
|
Loading…
Reference in New Issue
Block a user