Restrict Cinder, Glance and libvirt Ceph access scope.

Depends-On: I78bffe6764e9cbb16b2a615be766c910ba5d4e48
Change-Id: I112f2d9137f00ab2d0c246b6c0b52e4a546d648a
Jean-Charles Lopez 2018-10-05 15:26:13 -07:00 committed by Chris Wedgwood
parent 9d72fe1a50
commit 1cb646e7d1
4 changed files with 13 additions and 13 deletions


@ -51,10 +51,10 @@ elif [ "x$STORAGE_BACKEND" == "xcinder.backup.drivers.ceph" ]; then
echo $KEYSTR > ${KEYRING} echo $KEYSTR > ${KEYRING}
else else
#NOTE(Portdirect): Determine proper privs to assign keyring #NOTE(Portdirect): Determine proper privs to assign keyring
#NOTE(JCL): Adjusted permissions for cinder backup.
ceph auth get-or-create client.${RBD_POOL_USER} \ ceph auth get-or-create client.${RBD_POOL_USER} \
mon "allow *" \ mon "profile rbd" \
osd "allow *" \ osd "profile rbd pool=${RBD_POOL_NAME}" \
mgr "allow *" \
-o ${KEYRING} -o ${KEYRING}
fi fi
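Review bot: The tightened caps on the new `mon "profile rbd"` and `osd "profile rbd pool=${RBD_POOL_NAME}"` lines are only applied by `ceph auth get-or-create` when `client.${RBD_POOL_USER}` does not exist yet; on a deployment whose key was already created by the previous `allow *` form, get-or-create either hands back the existing key with its broad caps untouched or, on releases that compare caps, fails with a cap-mismatch error, so the restriction is not applied on upgrade. The same applies to the get-or-create calls in the other three hunks of this commit. Either an explicit re-cap step such as `ceph auth caps client.${RBD_POOL_USER} mon "profile rbd" osd "profile rbd pool=${RBD_POOL_NAME}"` for the already-exists case, or a sentence in the commit message stating that existing entities must be re-capped by hand, would close that gap. The `if`/`else` enclosing this hunk starts before it.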


@ -48,10 +48,10 @@ if [ "x$STORAGE_BACKEND" == "xcinder.volume.drivers.rbd.RBDDriver" ]; then
echo $KEYSTR > ${KEYRING} echo $KEYSTR > ${KEYRING}
else else
#NOTE(Portdirect): Determine proper privs to assign keyring #NOTE(Portdirect): Determine proper privs to assign keyring
#NOTE(JCL): Restrict Cinder permissions to what is needed. MON Read only and RBD access to Cinder pool only.
ceph auth get-or-create client.${RBD_POOL_USER} \ ceph auth get-or-create client.${RBD_POOL_USER} \
mon "allow *" \ mon "profile rbd" \
osd "allow *" \ osd "profile rbd" \
mgr "allow *" \
-o ${KEYRING} -o ${KEYRING}
fi fi
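Review bot: The new comment promises "RBD access to Cinder pool only", but the cap written two lines below is `osd "profile rbd"` with no `pool=` clause, which grants RBD access on every pool; the Cinder backup and Glance hunks in this same commit do restrict with `pool=${RBD_POOL_NAME}`. If cluster-wide RBD access is intended for the volume service (it may need to read other pools, e.g. for copy-on-write clones of images — confirm), the comment should say so rather than claim a single-pool scope; otherwise the line should read `osd "profile rbd pool=${RBD_POOL_NAME}" \`. Also, `mon "profile rbd"` is somewhat more than the "MON Read only" the comment states, so the wording is worth tightening either way. The `if`/`else` enclosing this hunk starts before it.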


@ -55,10 +55,10 @@ elif [ "x$STORAGE_BACKEND" == "xrbd" ]; then
echo "${KEYSTR}" > "${KEYRING}" echo "${KEYSTR}" > "${KEYRING}"
else else
#NOTE(Portdirect): Determine proper privs to assign keyring #NOTE(Portdirect): Determine proper privs to assign keyring
#NOTE(JCL): Restrict Glance user to only what is needed. MON Read only and RBD access to the Glance Pool
ceph auth get-or-create "client.${RBD_POOL_USER}" \ ceph auth get-or-create "client.${RBD_POOL_USER}" \
mon "allow *" \ mon "profile rbd" \
osd "allow *" \ osd "profile rbd pool=${RBD_POOL_NAME}" \
mgr "allow *" \
-o "${KEYRING}" -o "${KEYRING}"
fi fi


@ -26,12 +26,12 @@ cat > ${KEYRING} <<EOF
key = {{ .Values.conf.ceph.cinder.keyring }} key = {{ .Values.conf.ceph.cinder.keyring }}
EOF EOF
{{- else }} {{- else }}
if ! [ "x${CEPH_CINDER_USER}" == "xadmin"]; then if ! [ "x${CEPH_CINDER_USER}" == "xadmin" ]; then
#NOTE(Portdirect): Determine proper privs to assign keyring #NOTE(Portdirect): Determine proper privs to assign keyring
#NOTE(JCL): Restrict permissions to what is needed. So MON Read only and RBD access.
ceph auth get-or-create client.${CEPH_CINDER_USER} \ ceph auth get-or-create client.${CEPH_CINDER_USER} \
mon "allow *" \ mon "profile rbd" \
osd "allow *" \ osd "profile rbd" \
mgr "allow *" \
-o ${KEYRING} -o ${KEYRING}
rm -f /etc/ceph/ceph.client.admin.keyring rm -f /etc/ceph/ceph.client.admin.keyring
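Review bot: The added space in `if ! [ "x${CEPH_CINDER_USER}" == "xadmin" ]; then` is a behavioural fix that neither the commit title nor the message mentions: with the old `"xadmin"]` the test command appears not to parse at all, so the negated test was always true and the block ran even for the admin user, whereas it is now skipped for that case. That deserves a sentence in the commit message, and it is worth confirming that the admin-user path still ends with a usable keyring, since the `rm -f /etc/ceph/ceph.client.admin.keyring` at the end of the hunk looks to be inside the block whose execution now depends on the test. The block continues past the end of the hunk.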