Merge "Restrict libvirt Ceph access scope to what is needed only."

2018-10-26 06:36:49 +00:00 · 2018-10-26 06:36:49 +00:00 · 2e239086e4
commit 2e239086e4
parent 1ca39def84 566a489bbe
1 changed files with 4 additions and 5 deletions
--- a/libvirt/templates/bin/_ceph-keyring.sh.tpl
+++ b/libvirt/templates/bin/_ceph-keyring.sh.tpl
@ -26,12 +26,11 @@ cat > ${KEYRING} <<EOF
    key = {{ .Values.conf.ceph.cinder.keyring }}
 EOF
 {{- else }}
-if ! [ "x${CEPH_CINDER_USER}" == "xadmin"]; then
-  #NOTE(Portdirect): Determine proper privs to assign keyring
+if ! [ "x${CEPH_CINDER_USER}" == "xadmin" ]; then
+  #NOTE(JCL): Restrict access to the cluster to only what is needed. MON Read only and RBD access.
  ceph auth get-or-create client.${CEPH_CINDER_USER} \
-    mon "allow *" \
-    osd "allow *" \
-    mgr "allow *" \
+    mon "profile rbd" \
+    osd "profile rbd" \
    -o ${KEYRING}

  rm -f /etc/ceph/ceph.client.admin.keyring