Restrict Cinder, Glance and libvirt Ceph access scope.

Depends-On: I78bffe6764e9cbb16b2a615be766c910ba5d4e48 Change-Id: I112f2d9137f00ab2d0c246b6c0b52e4a546d648a
2018-10-05 15:26:13 -07:00 · 2018-10-05 15:26:13 -07:00 · 1cb646e7d1
commit 1cb646e7d1
parent 9d72fe1a50
4 changed files with 13 additions and 13 deletions
--- a/cinder/templates/bin/_backup-storage-init.sh.tpl
+++ b/cinder/templates/bin/_backup-storage-init.sh.tpl
@ -51,10 +51,10 @@ elif [ "x$STORAGE_BACKEND" == "xcinder.backup.drivers.ceph" ]; then
    echo $KEYSTR  > ${KEYRING}
  else
    #NOTE(Portdirect): Determine proper privs to assign keyring
+    #NOTE(JCL): Adjusted permissions for cinder backup.
    ceph auth get-or-create client.${RBD_POOL_USER} \
-      mon "allow *" \
-      osd "allow *" \
-      mgr "allow *" \
+      mon "profile rbd" \
+      osd "profile rbd pool=${RBD_POOL_NAME}" \
      -o ${KEYRING}
  fi

--- a/cinder/templates/bin/_storage-init.sh.tpl
+++ b/cinder/templates/bin/_storage-init.sh.tpl
@ -48,10 +48,10 @@ if [ "x$STORAGE_BACKEND" == "xcinder.volume.drivers.rbd.RBDDriver" ]; then
    echo $KEYSTR  > ${KEYRING}
  else
    #NOTE(Portdirect): Determine proper privs to assign keyring
+    #NOTE(JCL): Restrict Cinder permissions to what is needed. MON Read only and RBD access to Cinder pool only.
    ceph auth get-or-create client.${RBD_POOL_USER} \
-      mon "allow *" \
-      osd "allow *" \
-      mgr "allow *" \
+      mon "profile rbd" \
+      osd "profile rbd" \
      -o ${KEYRING}
  fi

--- a/glance/templates/bin/_storage-init.sh.tpl
+++ b/glance/templates/bin/_storage-init.sh.tpl
@ -55,10 +55,10 @@ elif [ "x$STORAGE_BACKEND" == "xrbd" ]; then
    echo "${KEYSTR}" > "${KEYRING}"
  else
    #NOTE(Portdirect): Determine proper privs to assign keyring
+    #NOTE(JCL): Restrict Glance user to only what is needed. MON Read only and RBD access to the Glance Pool
    ceph auth get-or-create "client.${RBD_POOL_USER}" \
-      mon "allow *" \
-      osd "allow *" \
-      mgr "allow *" \
+      mon "profile rbd" \
+      osd "profile rbd pool=${RBD_POOL_NAME}" \
      -o "${KEYRING}"
  fi

--- a/nova/templates/bin/_ceph-keyring.sh.tpl
+++ b/nova/templates/bin/_ceph-keyring.sh.tpl
@ -26,12 +26,12 @@ cat > ${KEYRING} <<EOF
    key = {{ .Values.conf.ceph.cinder.keyring }}
 EOF
 {{- else }}
-if ! [ "x${CEPH_CINDER_USER}" == "xadmin"]; then
+if ! [ "x${CEPH_CINDER_USER}" == "xadmin" ]; then
  #NOTE(Portdirect): Determine proper privs to assign keyring
+  #NOTE(JCL): Restrict permissions to what is needed. So MON Read only and RBD access.
  ceph auth get-or-create client.${CEPH_CINDER_USER} \
-    mon "allow *" \
-    osd "allow *" \
-    mgr "allow *" \
+    mon "profile rbd" \
+    osd "profile rbd" \
    -o ${KEYRING}

  rm -f /etc/ceph/ceph.client.admin.keyring