e40d114d80
The update makes sure the Openstack service's cephx user capabilities match best practices in terms of security permissions after a site or software update. Change-Id: I70e7f620accb186da2013ba95472777c25739cc1
99 lines
3.3 KiB
Smarty
99 lines
3.3 KiB
Smarty
#!/bin/bash
|
|
|
|
{{/*
|
|
Copyright 2017 The Openstack-Helm Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/}}
|
|
|
|
set -x
|
|
if [ "x$STORAGE_BACKEND" == "xrbd" ]; then
|
|
SECRET=$(mktemp --suffix .yaml)
|
|
KEYRING=$(mktemp --suffix .keyring)
|
|
function cleanup {
|
|
rm -f "${SECRET}" "${KEYRING}"
|
|
}
|
|
trap cleanup EXIT
|
|
fi
|
|
|
|
set -ex
|
|
if [ "x$STORAGE_BACKEND" == "xpvc" ]; then
|
|
echo "No action required."
|
|
elif [ "x$STORAGE_BACKEND" == "xswift" ]; then
|
|
: ${OS_INTERFACE:="internal"}
|
|
OS_TOKEN="$(openstack token issue -f value -c id)"
|
|
OS_PROJECT_ID="$(openstack project show service -f value -c id)"
|
|
OS_SWIFT_ENDPOINT_PREFIX="$(openstack endpoint list --service swift --interface ${OS_INTERFACE} -f value -c URL | awk -F '$' '{ print $1 }')"
|
|
OS_SWIFT_SCOPED_ENDPOINT="${OS_SWIFT_ENDPOINT_PREFIX}${OS_PROJECT_ID}"
|
|
curl --fail -i -X POST "${OS_SWIFT_SCOPED_ENDPOINT}" \
|
|
-H "X-Auth-Token: ${OS_TOKEN}" \
|
|
-H "X-Account-Meta-Temp-URL-Key: ${SWIFT_TMPURL_KEY}"
|
|
elif [ "x$STORAGE_BACKEND" == "xrbd" ]; then
|
|
ceph -s
|
|
function ensure_pool () {
|
|
ceph osd pool stats "$1" || ceph osd pool create "$1" "$2"
|
|
local test_luminous
|
|
test_luminous=$(ceph tell osd.* version | egrep -c "12.2|luminous" | xargs echo)
|
|
if [[ ${test_luminous} -gt 0 ]]; then
|
|
ceph osd pool application enable "$1" "$3"
|
|
fi
|
|
}
|
|
ensure_pool "${RBD_POOL_NAME}" "${RBD_POOL_CHUNK_SIZE}" "glance-image"
|
|
|
|
if USERINFO=$(ceph auth get "client.${RBD_POOL_USER}"); then
|
|
echo "Cephx user client.${RBD_POOL_USER} already exist."
|
|
echo "Update its cephx caps"
|
|
ceph auth caps client.${RBD_POOL_USER} \
|
|
mon "profile rbd" \
|
|
osd "profile rbd pool=${RBD_POOL_NAME}"
|
|
ceph auth get client.${RBD_POOL_USER} -o ${KEYRING}
|
|
else
|
|
#NOTE(JCL): Restrict Glance user to only what is needed. MON Read only and RBD access to the Glance Pool
|
|
ceph auth get-or-create "client.${RBD_POOL_USER}" \
|
|
mon "profile rbd" \
|
|
osd "profile rbd pool=${RBD_POOL_NAME}" \
|
|
-o "${KEYRING}"
|
|
fi
|
|
|
|
ENCODED_KEYRING=$(sed -n 's/^[[:blank:]]*key[[:blank:]]\+=[[:blank:]]\(.*\)/\1/p' "${KEYRING}" | base64 -w0)
|
|
cat > "${SECRET}" <<EOF
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: "${RBD_POOL_SECRET}"
|
|
type: kubernetes.io/rbd
|
|
data:
|
|
key: "${ENCODED_KEYRING}"
|
|
EOF
|
|
kubectl apply --namespace "${NAMESPACE}" -f "${SECRET}"
|
|
elif [ "x${STORAGE_BACKEND}" == "xradosgw" ]; then
|
|
radosgw-admin user stats --uid="${RADOSGW_USERNAME}" || \
|
|
radosgw-admin user create \
|
|
--uid="${RADOSGW_USERNAME}" \
|
|
--display-name="${RADOSGW_USERNAME} user"
|
|
|
|
radosgw-admin subuser create \
|
|
--uid="${RADOSGW_USERNAME}" \
|
|
--subuser="${RADOSGW_USERNAME}:swift" \
|
|
--access=full
|
|
|
|
radosgw-admin key create \
|
|
--subuser="${RADOSGW_USERNAME}:swift" \
|
|
--key-type=swift \
|
|
--secret="${RADOSGW_PASSWORD}"
|
|
|
|
radosgw-admin user modify \
|
|
--uid="${RADOSGW_USERNAME}" \
|
|
--temp-url-key="${RADOSGW_TMPURL_KEY}"
|
|
fi
|