Cephx caps update for new and post deployments

The update makes sure the Openstack service's cephx
user capabilities match best practices in terms of
security permissions after a site or software update.

Change-Id: I70e7f620accb186da2013ba95472777c25739cc1
This commit is contained in:
Jean-Charles Lopez 2018-11-08 14:11:32 -08:00 committed by Pete Birley
parent 1b7f673d8f
commit e40d114d80
4 changed files with 37 additions and 17 deletions

View File

@ -47,11 +47,13 @@ elif [ "x$STORAGE_BACKEND" == "xcinder.backup.drivers.ceph" ]; then
ensure_pool ${RBD_POOL_NAME} ${RBD_POOL_CHUNK_SIZE} "cinder-backup"
if USERINFO=$(ceph auth get client.${RBD_POOL_USER}); then
KEYSTR=$(echo $USERINFO | sed 's/.*\( key = .*\) caps mon.*/\1/')
echo $KEYSTR > ${KEYRING}
echo "Cephx user client.${RBD_POOL_USER} already exists"
echo "Update its cephx caps"
ceph auth caps client.${RBD_POOL_USER} \
mon "profile rbd" \
osd "profile rbd pool=${RBD_POOL_NAME}"
ceph auth get client.${RBD_POOL_USER} -o ${KEYRING}
else
#NOTE(Portdirect): Determine proper privs to assign keyring
#NOTE(JCL): Adjusted permissions for cinder backup.
ceph auth get-or-create client.${RBD_POOL_USER} \
mon "profile rbd" \
osd "profile rbd pool=${RBD_POOL_NAME}" \

View File

@ -44,10 +44,13 @@ if [ "x$STORAGE_BACKEND" == "xcinder.volume.drivers.rbd.RBDDriver" ]; then
ensure_pool ${RBD_POOL_NAME} ${RBD_POOL_CHUNK_SIZE} "cinder-volume"
if USERINFO=$(ceph auth get client.${RBD_POOL_USER}); then
KEYSTR=$(echo $USERINFO | sed 's/.*\( key = .*\) caps mon.*/\1/')
echo $KEYSTR > ${KEYRING}
echo "Cephx user client.${RBD_POOL_USER} already exist."
echo "Update its cephx caps"
ceph auth caps client.${RBD_POOL_USER} \
mon "profile rbd" \
osd "profile rbd"
ceph auth get client.${RBD_POOL_USER} -o ${KEYRING}
else
#NOTE(Portdirect): Determine proper privs to assign keyring
#NOTE(JCL): Restrict Cinder permissions to what is needed. MON Read only and RBD access to Cinder pool only.
ceph auth get-or-create client.${RBD_POOL_USER} \
mon "profile rbd" \

View File

@ -51,10 +51,13 @@ elif [ "x$STORAGE_BACKEND" == "xrbd" ]; then
ensure_pool "${RBD_POOL_NAME}" "${RBD_POOL_CHUNK_SIZE}" "glance-image"
if USERINFO=$(ceph auth get "client.${RBD_POOL_USER}"); then
KEYSTR=$(echo "${USERINFO}" | sed 's/.*\( key = .*\) caps mon.*/\1/')
echo "${KEYSTR}" > "${KEYRING}"
echo "Cephx user client.${RBD_POOL_USER} already exist."
echo "Update its cephx caps"
ceph auth caps client.${RBD_POOL_USER} \
mon "profile rbd" \
osd "profile rbd pool=${RBD_POOL_NAME}"
ceph auth get client.${RBD_POOL_USER} -o ${KEYRING}
else
#NOTE(Portdirect): Determine proper privs to assign keyring
#NOTE(JCL): Restrict Glance user to only what is needed. MON Read only and RBD access to the Glance Pool
ceph auth get-or-create "client.${RBD_POOL_USER}" \
mon "profile rbd" \

View File

@ -27,13 +27,25 @@ cat > ${KEYRING} <<EOF
EOF
{{- else }}
if ! [ "x${CEPH_CINDER_USER}" == "xadmin" ]; then
#NOTE(Portdirect): Determine proper privs to assign keyring
#NOTE(JCL): Restrict permissions to what is needed. So MON Read only and RBD access.
ceph auth get-or-create client.${CEPH_CINDER_USER} \
mon "profile rbd" \
osd "profile rbd" \
-o ${KEYRING}
#
# If user is not client.admin, check if it already exists. If not create
# the user. If the cephx user does not exist make sure the caps are set
# according to best practices
#
if USERINFO=$(ceph auth get client.${CEPH_CINDER_USER}); then
echo "Cephx user client.${CEPH_CINDER_USER} already exist"
echo "Update user client.${CEPH_CINDER_USER} caps"
ceph auth caps client.${CEPH_CINDER_USER} \
mon "profile rbd" \
osd "profile rbd"
ceph auth get client.${CEPH_CINDER_USER} -o ${KEYRING}
else
echo "Creating Cephx user client.${CEPH_CINDER_USER}"
ceph auth get-or-create client.${CEPH_CINDER_USER} \
mon "profile rbd" \
osd "profile rbd" \
-o ${KEYRING}
fi
rm -f /etc/ceph/ceph.client.admin.keyring
fi
{{- end }}