Cephx caps update for new and post deployments

The update makes sure the Openstack service's cephx user capabilities match best practices in terms of security permissions after a site or software update. Change-Id: I70e7f620accb186da2013ba95472777c25739cc1
2018-11-08 14:11:32 -08:00 · 2018-11-08 14:11:32 -08:00 · e40d114d80
commit e40d114d80
parent 1b7f673d8f
4 changed files with 37 additions and 17 deletions
--- a/cinder/templates/bin/_backup-storage-init.sh.tpl
+++ b/cinder/templates/bin/_backup-storage-init.sh.tpl
@ -47,11 +47,13 @@ elif [ "x$STORAGE_BACKEND" == "xcinder.backup.drivers.ceph" ]; then
  ensure_pool ${RBD_POOL_NAME} ${RBD_POOL_CHUNK_SIZE} "cinder-backup"

  if USERINFO=$(ceph auth get client.${RBD_POOL_USER}); then
-    KEYSTR=$(echo $USERINFO | sed 's/.*\( key = .*\) caps mon.*/\1/')
-    echo $KEYSTR  > ${KEYRING}
+    echo "Cephx user client.${RBD_POOL_USER} already exists"
+    echo "Update its cephx caps"
+    ceph auth caps client.${RBD_POOL_USER} \
+      mon "profile rbd" \
+      osd "profile rbd pool=${RBD_POOL_NAME}"
+    ceph auth get client.${RBD_POOL_USER} -o ${KEYRING}
  else
-    #NOTE(Portdirect): Determine proper privs to assign keyring
-    #NOTE(JCL): Adjusted permissions for cinder backup.
    ceph auth get-or-create client.${RBD_POOL_USER} \
      mon "profile rbd" \
      osd "profile rbd pool=${RBD_POOL_NAME}" \
--- a/cinder/templates/bin/_storage-init.sh.tpl
+++ b/cinder/templates/bin/_storage-init.sh.tpl
@ -44,10 +44,13 @@ if [ "x$STORAGE_BACKEND" == "xcinder.volume.drivers.rbd.RBDDriver" ]; then
  ensure_pool ${RBD_POOL_NAME} ${RBD_POOL_CHUNK_SIZE} "cinder-volume"

  if USERINFO=$(ceph auth get client.${RBD_POOL_USER}); then
-    KEYSTR=$(echo $USERINFO | sed 's/.*\( key = .*\) caps mon.*/\1/')
-    echo $KEYSTR  > ${KEYRING}
+    echo "Cephx user client.${RBD_POOL_USER} already exist."
+    echo "Update its cephx caps"
+    ceph auth caps client.${RBD_POOL_USER} \
+      mon "profile rbd" \
+      osd "profile rbd"
+    ceph auth get client.${RBD_POOL_USER} -o ${KEYRING}
  else
-    #NOTE(Portdirect): Determine proper privs to assign keyring
    #NOTE(JCL): Restrict Cinder permissions to what is needed. MON Read only and RBD access to Cinder pool only.
    ceph auth get-or-create client.${RBD_POOL_USER} \
      mon "profile rbd" \
--- a/glance/templates/bin/_storage-init.sh.tpl
+++ b/glance/templates/bin/_storage-init.sh.tpl
@ -51,10 +51,13 @@ elif [ "x$STORAGE_BACKEND" == "xrbd" ]; then
  ensure_pool "${RBD_POOL_NAME}" "${RBD_POOL_CHUNK_SIZE}" "glance-image"

  if USERINFO=$(ceph auth get "client.${RBD_POOL_USER}"); then
-    KEYSTR=$(echo "${USERINFO}" | sed 's/.*\( key = .*\) caps mon.*/\1/')
-    echo "${KEYSTR}" > "${KEYRING}"
+    echo "Cephx user client.${RBD_POOL_USER} already exist."
+    echo "Update its cephx caps"
+    ceph auth caps client.${RBD_POOL_USER} \
+      mon "profile rbd" \
+      osd "profile rbd pool=${RBD_POOL_NAME}"
+    ceph auth get client.${RBD_POOL_USER} -o ${KEYRING}
  else
-    #NOTE(Portdirect): Determine proper privs to assign keyring
    #NOTE(JCL): Restrict Glance user to only what is needed. MON Read only and RBD access to the Glance Pool
    ceph auth get-or-create "client.${RBD_POOL_USER}" \
      mon "profile rbd" \
--- a/nova/templates/bin/_ceph-keyring.sh.tpl
+++ b/nova/templates/bin/_ceph-keyring.sh.tpl
@ -27,13 +27,25 @@ cat > ${KEYRING} <<EOF
 EOF
 {{- else }}
 if ! [ "x${CEPH_CINDER_USER}" == "xadmin" ]; then
-  #NOTE(Portdirect): Determine proper privs to assign keyring
-  #NOTE(JCL): Restrict permissions to what is needed. So MON Read only and RBD access.
-  ceph auth get-or-create client.${CEPH_CINDER_USER} \
-    mon "profile rbd" \
-    osd "profile rbd" \
-    -o ${KEYRING}
-
+  #
+  # If user is not client.admin, check if it already exists. If not create
+  # the user. If the cephx user does not exist make sure the caps are set
+  # according to best practices
+  #
+  if USERINFO=$(ceph auth get client.${CEPH_CINDER_USER}); then
+    echo "Cephx user client.${CEPH_CINDER_USER} already exist"
+    echo "Update user client.${CEPH_CINDER_USER} caps"
+    ceph auth caps client.${CEPH_CINDER_USER} \
+       mon "profile rbd" \
+       osd "profile rbd"
+    ceph auth get client.${CEPH_CINDER_USER} -o ${KEYRING}
+  else
+    echo "Creating Cephx user client.${CEPH_CINDER_USER}"
+    ceph auth get-or-create client.${CEPH_CINDER_USER} \
+      mon "profile rbd" \
+      osd "profile rbd" \
+      -o ${KEYRING}
+  fi
  rm -f /etc/ceph/ceph.client.admin.keyring
 fi
 {{- end }}