From 1cb646e7d1c5276ccc97037aec3f71607efaa1e1 Mon Sep 17 00:00:00 2001
From: Jean-Charles Lopez
Date: Fri, 5 Oct 2018 15:26:13 -0700
Subject: [PATCH] Restrict Cinder, Glance and libvirt Ceph access scope.

Depends-On: I78bffe6764e9cbb16b2a615be766c910ba5d4e48
Change-Id: I112f2d9137f00ab2d0c246b6c0b52e4a546d648a
---
 cinder/templates/bin/_backup-storage-init.sh.tpl | 6 +++---
 cinder/templates/bin/_storage-init.sh.tpl | 6 +++---
 glance/templates/bin/_storage-init.sh.tpl | 6 +++---
 nova/templates/bin/_ceph-keyring.sh.tpl | 8 ++++----
 4 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/cinder/templates/bin/_backup-storage-init.sh.tpl b/cinder/templates/bin/_backup-storage-init.sh.tpl
index 40f3e50df5..0223097934 100644
--- a/cinder/templates/bin/_backup-storage-init.sh.tpl
+++ b/cinder/templates/bin/_backup-storage-init.sh.tpl
@@ -51,10 +51,10 @@ elif [ "x$STORAGE_BACKEND" == "xcinder.backup.drivers.ceph" ]; then
 echo $KEYSTR > ${KEYRING}
 else
 #NOTE(Portdirect): Determine proper privs to assign keyring
+ #NOTE(JCL): Adjusted permissions for cinder backup.
 ceph auth get-or-create client.${RBD_POOL_USER} \
- mon "allow *" \
- osd "allow *" \
- mgr "allow *" \
+ mon "profile rbd" \
+ osd "profile rbd pool=${RBD_POOL_NAME}" \
 -o ${KEYRING}
 fi
diff --git a/cinder/templates/bin/_storage-init.sh.tpl b/cinder/templates/bin/_storage-init.sh.tpl
index bbce6d5401..3932c98ad6 100644
--- a/cinder/templates/bin/_storage-init.sh.tpl
+++ b/cinder/templates/bin/_storage-init.sh.tpl
@@ -48,10 +48,10 @@ if [ "x$STORAGE_BACKEND" == "xcinder.volume.drivers.rbd.RBDDriver" ]; then
 echo $KEYSTR > ${KEYRING}
 else
 #NOTE(Portdirect): Determine proper privs to assign keyring
+ #NOTE(JCL): Restrict Cinder permissions to what is needed. MON Read only and RBD access to Cinder pool only.
 ceph auth get-or-create client.${RBD_POOL_USER} \
- mon "allow *" \
- osd "allow *" \
- mgr "allow *" \
+ mon "profile rbd" \
+ osd "profile rbd" \
 -o ${KEYRING}
 fi
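Review bot: The narrowed caps on the new `mon "profile rbd"` and `osd "profile rbd pool=${RBD_POOL_NAME}"` lines only take effect when `client.${RBD_POOL_USER}` is created for the first time, because `ceph auth get-or-create` does not rewrite the caps of an entity that already exists; on a cluster that already holds the old `allow *` keyring the init job either keeps the broad caps or, on the Ceph releases I know of, aborts with a "key for client.... exists but cap mon does not match" error, so the restriction is never applied to existing deployments. The same gap exists in the cinder storage-init hunk below and in the glance storage-init hunk. Converging existing keys needs an explicit caps update, e.g. `ceph auth caps client.${RBD_POOL_USER} mon "profile rbd" osd "profile rbd pool=${RBD_POOL_NAME}"` followed by `ceph auth get client.${RBD_POOL_USER} -o ${KEYRING}`, or a check of the current caps before the get-or-create. The enclosing if/elif/else chain starts outside the hunk.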
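Review bot: The added comment `#NOTE(JCL): Restrict Cinder permissions to what is needed. MON Read only and RBD access to Cinder pool only.` does not match the cap on the new `osd "profile rbd" \` line, which carries no `pool=` qualifier and therefore grants rbd access to every pool in the cluster, unlike the `pool=${RBD_POOL_NAME}` form the cinder-backup and glance hunks use. If cluster-wide rbd access is intentional (presumably because the volume service also needs other pools for image-backed clones), the comment should say so and list the pools; otherwise scope the cap, `osd "profile rbd pool=${RBD_POOL_NAME}" \`, and add the additional pools explicitly. The enclosing if/else chain starts outside the hunk.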
diff --git a/glance/templates/bin/_storage-init.sh.tpl b/glance/templates/bin/_storage-init.sh.tpl
index 4082c5222b..119c4b3733 100644
--- a/glance/templates/bin/_storage-init.sh.tpl
+++ b/glance/templates/bin/_storage-init.sh.tpl
@@ -55,10 +55,10 @@ elif [ "x$STORAGE_BACKEND" == "xrbd" ]; then
 echo "${KEYSTR}" > "${KEYRING}"
 else
 #NOTE(Portdirect): Determine proper privs to assign keyring
+ #NOTE(JCL): Restrict Glance user to only what is needed. MON Read only and RBD access to the Glance Pool
 ceph auth get-or-create "client.${RBD_POOL_USER}" \
- mon "allow *" \
- osd "allow *" \
- mgr "allow *" \
+ mon "profile rbd" \
+ osd "profile rbd pool=${RBD_POOL_NAME}" \
 -o "${KEYRING}"
 fi
diff --git a/nova/templates/bin/_ceph-keyring.sh.tpl b/nova/templates/bin/_ceph-keyring.sh.tpl
index 418a40c27d..cdfef24b82 100644
--- a/nova/templates/bin/_ceph-keyring.sh.tpl
+++ b/nova/templates/bin/_ceph-keyring.sh.tpl
@@ -26,12 +26,12 @@ cat > ${KEYRING} <
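Review bot: The added comment `#NOTE(JCL): Restrict Glance user to only what is needed. MON Read only and RBD access to the Glance Pool` describes the new `mon "profile rbd"` cap as read-only, but as far as I know the rbd mon profile also grants the osd blocklist (formerly blacklist) command that rbd clients use to evict stale exclusive-lock holders, so "Read only" understates what the key can do. A wording that tracks the cap itself would be `#NOTE(JCL): Restrict the Glance user to the rbd mon profile and rbd access to the Glance pool only.`; a reader auditing the keyring later should not be told it is mon-read-only. The enclosing elif/else chain starts outside the hunk.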