Cephx caps update for new and post deployments

The update makes sure each OpenStack service's cephx
user capabilities match security best practices
after a site or software update.

Change-Id: I70e7f620accb186da2013ba95472777c25739cc1
Jean-Charles Lopez 2018-11-08 14:11:32 -08:00 committed by Pete Birley
parent 1b7f673d8f
commit e40d114d80
4 changed files with 37 additions and 17 deletions


@ -47,11 +47,13 @@ elif [ "x$STORAGE_BACKEND" == "xcinder.backup.drivers.ceph" ]; then
ensure_pool ${RBD_POOL_NAME} ${RBD_POOL_CHUNK_SIZE} "cinder-backup" ensure_pool ${RBD_POOL_NAME} ${RBD_POOL_CHUNK_SIZE} "cinder-backup"
if USERINFO=$(ceph auth get client.${RBD_POOL_USER}); then if USERINFO=$(ceph auth get client.${RBD_POOL_USER}); then
KEYSTR=$(echo $USERINFO | sed 's/.*\( key = .*\) caps mon.*/\1/') echo "Cephx user client.${RBD_POOL_USER} already exists"
echo $KEYSTR > ${KEYRING} echo "Update its cephx caps"
ceph auth caps client.${RBD_POOL_USER} \
mon "profile rbd" \
osd "profile rbd pool=${RBD_POOL_NAME}"
ceph auth get client.${RBD_POOL_USER} -o ${KEYRING}
else else
#NOTE(Portdirect): Determine proper privs to assign keyring
#NOTE(JCL): Adjusted permissions for cinder backup.
ceph auth get-or-create client.${RBD_POOL_USER} \ ceph auth get-or-create client.${RBD_POOL_USER} \
mon "profile rbd" \ mon "profile rbd" \
osd "profile rbd pool=${RBD_POOL_NAME}" \ osd "profile rbd pool=${RBD_POOL_NAME}" \
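Review bot: The `ceph auth caps client.${RBD_POOL_USER}` call that rewrites the user's capabilities is not error-checked, so if it fails the following `ceph auth get client.${RBD_POOL_USER} -o ${KEYRING}` still exports a keyring carrying the old caps and the job reports success unless the script's preamble (outside the hunk) enables `set -e`. Guarding it explicitly, `... osd "profile rbd pool=${RBD_POOL_NAME}" || { echo "failed to update caps for client.${RBD_POOL_USER}" >&2; exit 1; }`, keeps the intent clear regardless of the shell options in effect. Since the sed extraction was removed, `USERINFO` on the unchanged `if` line is now assigned but never read; `if ceph auth get client.${RBD_POOL_USER} >/dev/null; then` expresses the same test without the dead variable. Note also that `ceph auth caps` replaces the entity's whole cap set, so a comment such as `# NOTE: ceph auth caps overwrites all existing caps; out-of-band grants are reverted here` would warn operators. The same three points apply to the cinder-volume and glance hunks below.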


@ -44,10 +44,13 @@ if [ "x$STORAGE_BACKEND" == "xcinder.volume.drivers.rbd.RBDDriver" ]; then
ensure_pool ${RBD_POOL_NAME} ${RBD_POOL_CHUNK_SIZE} "cinder-volume" ensure_pool ${RBD_POOL_NAME} ${RBD_POOL_CHUNK_SIZE} "cinder-volume"
if USERINFO=$(ceph auth get client.${RBD_POOL_USER}); then if USERINFO=$(ceph auth get client.${RBD_POOL_USER}); then
KEYSTR=$(echo $USERINFO | sed 's/.*\( key = .*\) caps mon.*/\1/') echo "Cephx user client.${RBD_POOL_USER} already exist."
echo $KEYSTR > ${KEYRING} echo "Update its cephx caps"
ceph auth caps client.${RBD_POOL_USER} \
mon "profile rbd" \
osd "profile rbd"
ceph auth get client.${RBD_POOL_USER} -o ${KEYRING}
else else
#NOTE(Portdirect): Determine proper privs to assign keyring
#NOTE(JCL): Restrict Cinder permissions to what is needed. MON Read only and RBD access to Cinder pool only. #NOTE(JCL): Restrict Cinder permissions to what is needed. MON Read only and RBD access to Cinder pool only.
ceph auth get-or-create client.${RBD_POOL_USER} \ ceph auth get-or-create client.${RBD_POOL_USER} \
mon "profile rbd" \ mon "profile rbd" \
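Review bot: The update path grants `osd "profile rbd"` with no pool restriction, while the comment a few lines below in the same hunk states "RBD access to Cinder pool only" and the sibling cinder-backup and glance hunks scope their osd cap with `pool=${RBD_POOL_NAME}`. If cinder-volume genuinely needs other pools (for example read access to the images pool for cloning), the comment should say so and the cap could still be narrowed, e.g. `osd "profile rbd pool=${RBD_POOL_NAME}, profile rbd-read-only pool=<images pool>"`; otherwise `osd "profile rbd pool=${RBD_POOL_NAME}"` matches the stated intent. The create path's osd line is outside the hunk, so I cannot tell whether the two branches agree with each other. Either way the comment should describe the caps actually granted, since `ceph auth caps` re-applies them on every run of the job.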


@ -51,10 +51,13 @@ elif [ "x$STORAGE_BACKEND" == "xrbd" ]; then
ensure_pool "${RBD_POOL_NAME}" "${RBD_POOL_CHUNK_SIZE}" "glance-image" ensure_pool "${RBD_POOL_NAME}" "${RBD_POOL_CHUNK_SIZE}" "glance-image"
if USERINFO=$(ceph auth get "client.${RBD_POOL_USER}"); then if USERINFO=$(ceph auth get "client.${RBD_POOL_USER}"); then
KEYSTR=$(echo "${USERINFO}" | sed 's/.*\( key = .*\) caps mon.*/\1/') echo "Cephx user client.${RBD_POOL_USER} already exist."
echo "${KEYSTR}" > "${KEYRING}" echo "Update its cephx caps"
ceph auth caps client.${RBD_POOL_USER} \
mon "profile rbd" \
osd "profile rbd pool=${RBD_POOL_NAME}"
ceph auth get client.${RBD_POOL_USER} -o ${KEYRING}
else else
#NOTE(Portdirect): Determine proper privs to assign keyring
#NOTE(JCL): Restrict Glance user to only what is needed. MON Read only and RBD access to the Glance Pool #NOTE(JCL): Restrict Glance user to only what is needed. MON Read only and RBD access to the Glance Pool
ceph auth get-or-create "client.${RBD_POOL_USER}" \ ceph auth get-or-create "client.${RBD_POOL_USER}" \
mon "profile rbd" \ mon "profile rbd" \
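Review bot: The new `ceph auth caps client.${RBD_POOL_USER}` and `ceph auth get client.${RBD_POOL_USER} -o ${KEYRING}` lines leave their expansions unquoted, whereas every other expansion in this hunk (`"${RBD_POOL_NAME}"`, `"client.${RBD_POOL_USER}"`, `"${KEYRING}"`) is quoted; the file's existing style should be kept and ShellCheck would flag the new lines. Change them to `ceph auth caps "client.${RBD_POOL_USER}" \` and `ceph auth get "client.${RBD_POOL_USER}" -o "${KEYRING}"`. As in the cinder hunks, `USERINFO` is now captured but never used once the sed line is gone, so `if ceph auth get "client.${RBD_POOL_USER}" >/dev/null; then` would be clearer. The enclosing if/else continues past the end of the hunk.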


@ -27,13 +27,25 @@ cat > ${KEYRING} <<EOF
EOF EOF
{{- else }} {{- else }}
if ! [ "x${CEPH_CINDER_USER}" == "xadmin" ]; then if ! [ "x${CEPH_CINDER_USER}" == "xadmin" ]; then
#NOTE(Portdirect): Determine proper privs to assign keyring #
#NOTE(JCL): Restrict permissions to what is needed. So MON Read only and RBD access. # If user is not client.admin, check if it already exists. If not create
ceph auth get-or-create client.${CEPH_CINDER_USER} \ # the user. If the cephx user does not exist make sure the caps are set
mon "profile rbd" \ # according to best practices
osd "profile rbd" \ #
-o ${KEYRING} if USERINFO=$(ceph auth get client.${CEPH_CINDER_USER}); then
echo "Cephx user client.${CEPH_CINDER_USER} already exist"
echo "Update user client.${CEPH_CINDER_USER} caps"
ceph auth caps client.${CEPH_CINDER_USER} \
mon "profile rbd" \
osd "profile rbd"
ceph auth get client.${CEPH_CINDER_USER} -o ${KEYRING}
else
echo "Creating Cephx user client.${CEPH_CINDER_USER}"
ceph auth get-or-create client.${CEPH_CINDER_USER} \
mon "profile rbd" \
osd "profile rbd" \
-o ${KEYRING}
fi
rm -f /etc/ceph/ceph.client.admin.keyring rm -f /etc/ceph/ceph.client.admin.keyring
fi fi
{{- end }} {{- end }}
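Review bot: The new comment block above the `if USERINFO=` test says the caps are set "If the cephx user does not exist", but the branch it introduces updates caps when the user already exists and the create branch is the `else`; the comment should read `# If user is not client.admin, check if it already exists. If it does, reset its caps to the expected set; otherwise create it with those caps.` Both branches grant `osd "profile rbd"` unscoped to any pool, which is broader than the pool-restricted caps in the cinder-backup and glance hunks; if client.${CEPH_CINDER_USER} really needs every RBD pool, a one-line comment saying why would stop the next reader from narrowing it blindly. Also, `ceph auth caps` is not error-checked before the keyring is exported with `ceph auth get client.${CEPH_CINDER_USER} -o ${KEYRING}`, so a failed update still produces a keyring unless `set -e` is in effect from outside the hunk. Minor: the echo says "already exist"; `already exists` reads better.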