diff --git a/cinder/templates/bin/_backup-storage-init.sh.tpl b/cinder/templates/bin/_backup-storage-init.sh.tpl
index 0223097934..37de826d02 100644
--- a/cinder/templates/bin/_backup-storage-init.sh.tpl
+++ b/cinder/templates/bin/_backup-storage-init.sh.tpl
@@ -47,11 +47,13 @@ elif [ "x$STORAGE_BACKEND" == "xcinder.backup.drivers.ceph" ]; then
 ensure_pool ${RBD_POOL_NAME} ${RBD_POOL_CHUNK_SIZE} "cinder-backup"
 if USERINFO=$(ceph auth get client.${RBD_POOL_USER}); then
- KEYSTR=$(echo $USERINFO | sed 's/.*\( key = .*\) caps mon.*/\1/')
- echo $KEYSTR > ${KEYRING}
+ echo "Cephx user client.${RBD_POOL_USER} already exists"
+ echo "Update its cephx caps"
+ ceph auth caps client.${RBD_POOL_USER} \
+ mon "profile rbd" \
+ osd "profile rbd pool=${RBD_POOL_NAME}"
+ ceph auth get client.${RBD_POOL_USER} -o ${KEYRING}
 else
- #NOTE(Portdirect): Determine proper privs to assign keyring
- #NOTE(JCL): Adjusted permissions for cinder backup.
 ceph auth get-or-create client.${RBD_POOL_USER} \
 mon "profile rbd" \
 osd "profile rbd pool=${RBD_POOL_NAME}" \
diff --git a/cinder/templates/bin/_storage-init.sh.tpl b/cinder/templates/bin/_storage-init.sh.tpl
index 3932c98ad6..f5b3f05e67 100644
--- a/cinder/templates/bin/_storage-init.sh.tpl
+++ b/cinder/templates/bin/_storage-init.sh.tpl
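Review bot: In cinder/_backup-storage-init.sh.tpl the result of `ceph auth caps` is not checked before `ceph auth get client.${RBD_POOL_USER} -o ${KEYRING}` exports the keyring, so unless the script runs under `set -e` (not visible in this hunk) a failed update leaves the user's previous, possibly broader caps in place while the init job carries on; the matching hunks in cinder/_storage-init.sh.tpl and glance/_storage-init.sh.tpl have the same gap. Ending the caps command with `|| exit 1` after the `osd` line would make that failure fatal. A comment above it such as `# ceph auth caps replaces the user's whole cap set; caps not listed here are dropped` would warn operators who granted extra caps by hand. `USERINFO` is now only an existence test yet still captures the secret key into a shell variable, which xtrace would print if enabled; `if ceph auth get client.${RBD_POOL_USER} >/dev/null; then` avoids that. The if/else block continues past the end of the hunk.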
@@ -44,10 +44,13 @@ if [ "x$STORAGE_BACKEND" == "xcinder.volume.drivers.rbd.RBDDriver" ]; then
 ensure_pool ${RBD_POOL_NAME} ${RBD_POOL_CHUNK_SIZE} "cinder-volume"
 if USERINFO=$(ceph auth get client.${RBD_POOL_USER}); then
- KEYSTR=$(echo $USERINFO | sed 's/.*\( key = .*\) caps mon.*/\1/')
- echo $KEYSTR > ${KEYRING}
+ echo "Cephx user client.${RBD_POOL_USER} already exist."
+ echo "Update its cephx caps"
+ ceph auth caps client.${RBD_POOL_USER} \
+ mon "profile rbd" \
+ osd "profile rbd"
+ ceph auth get client.${RBD_POOL_USER} -o ${KEYRING}
 else
- #NOTE(Portdirect): Determine proper privs to assign keyring
 #NOTE(JCL): Restrict Cinder permissions to what is needed. MON Read only and RBD access to Cinder pool only.
 ceph auth get-or-create client.${RBD_POOL_USER} \
 mon "profile rbd" \
diff --git a/glance/templates/bin/_storage-init.sh.tpl b/glance/templates/bin/_storage-init.sh.tpl
index 119c4b3733..8315d3cd6b 100644
--- a/glance/templates/bin/_storage-init.sh.tpl
+++ b/glance/templates/bin/_storage-init.sh.tpl
@@ -51,10 +51,13 @@ elif [ "x$STORAGE_BACKEND" == "xrbd" ]; then
 ensure_pool "${RBD_POOL_NAME}" "${RBD_POOL_CHUNK_SIZE}" "glance-image"
 if USERINFO=$(ceph auth get "client.${RBD_POOL_USER}"); then
- KEYSTR=$(echo "${USERINFO}" | sed 's/.*\( key = .*\) caps mon.*/\1/')
- echo "${KEYSTR}" > "${KEYRING}"
+ echo "Cephx user client.${RBD_POOL_USER} already exist."
+ echo "Update its cephx caps"
+ ceph auth caps client.${RBD_POOL_USER} \
+ mon "profile rbd" \
+ osd "profile rbd pool=${RBD_POOL_NAME}"
+ ceph auth get client.${RBD_POOL_USER} -o ${KEYRING}
 else
- #NOTE(Portdirect): Determine proper privs to assign keyring
 #NOTE(JCL): Restrict Glance user to only what is needed. MON Read only and RBD access to the Glance Pool
 ceph auth get-or-create "client.${RBD_POOL_USER}" \
 mon "profile rbd" \
diff --git a/nova/templates/bin/_ceph-keyring.sh.tpl b/nova/templates/bin/_ceph-keyring.sh.tpl
index cdfef24b82..d7007d566d 100644
--- a/nova/templates/bin/_ceph-keyring.sh.tpl
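Review bot: In cinder/_storage-init.sh.tpl the added `osd "profile rbd"` on the existing-user path has no `pool=` restriction, so it grants the Cinder user RBD access on every pool. The NOTE(JCL) comment kept just below says access is limited to the Cinder pool, and the backup and Glance scripts in this commit both scope to `pool=${RBD_POOL_NAME}`. The else branch's own `osd` line lies outside the hunk, so I cannot tell whether the unscoped cap matches what a newly created user gets. If cluster-wide access is intended, the comment should say so, e.g. `# osd caps are intentionally not pool-scoped: <reason>`; otherwise use `osd "profile rbd pool=${RBD_POOL_NAME}"` here.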
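Review bot: In glance/_storage-init.sh.tpl the added `ceph auth caps` and `ceph auth get` lines drop the double quotes that every surrounding line in this file uses, including the removed `echo "${KEYSTR}" > "${KEYRING}"`. A keyring path or user name containing whitespace or glob characters would then be split or expanded before reaching `ceph`. Write them as `ceph auth caps "client.${RBD_POOL_USER}" \` and `ceph auth get "client.${RBD_POOL_USER}" -o "${KEYRING}"`. The log line should also read `already exists`, matching the wording used in the cinder backup script.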
+++ b/nova/templates/bin/_ceph-keyring.sh.tpl
@@ -27,13 +27,25 @@ cat > ${KEYRING} <