authorDimitri Savineau <dsavinea@redhat.com>2016-04-06 16:48:12 +0200
committerDimitri Savineau <dsavinea@redhat.com>2016-04-06 17:18:55 +0200
commitd3b841ce1dcfe27eab03cc50444783e38891812c (patch)
tree4cdb8904086b2fabc434fd4a6e533c4a13712049
parent0a53ba43cc8a93f47868ffbbeb7faea325529c81 (diff)
Use a different ceph key for admin/client user
By default only the admin user key is generated, and this key is used for both the admin and the openstack user. Because the mode of the client's key file is 644, any user with a valid shell on the controller/compute/ceph nodes can perform admin operations on the ceph cluster. This patch allows the random key generated by tripleoclient to be used for the openstack user. Change-Id: I771bbee81c0acfe593e92a99ad12d6f1f7f445ef Closes-bug: #1566927 Depends-On: I404665c09084f0a6cd2d8872940ee90220dc5f69
-rw-r--r--puppet/ceph-cluster-config.yaml3
1 files changed, 2 insertions, 1 deletions
diff --git a/puppet/ceph-cluster-config.yaml b/puppet/ceph-cluster-config.yaml
index dc2f98ed..d8d4f0af 100644
--- a/puppet/ceph-cluster-config.yaml
+++ b/puppet/ceph-cluster-config.yaml
@@ -91,7 +91,7 @@ resources:
cap_mon: 'allow profile bootstrap-osd'
},
client.CLIENT_USER: {
- secret: 'ADMIN_KEY',
+ secret: 'CLIENT_KEY',
mode: '0644',
cap_mon: 'allow r',
cap_osd: 'allow class-read object_prefix rbd_children, allow rwx pool=CINDER_POOL, allow rwx pool=NOVA_POOL, allow rwx pool=GLANCE_POOL'
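Review bot: The client keyring entry keeps `mode: '0644'` on the line right after the changed `secret`, so the new CLIENT_KEY is still readable by every local account on the node. The admin key is no longer exposed this way, but per the `cap_osd` line this key still grants `allow rwx` on the Cinder, Nova and Glance pools. If the consuming services can share a group, a tighter setting such as `mode: '0640'` with matching group ownership would close the remaining exposure (assuming the key resource supports setting ownership, which is not visible here). Otherwise a comment such as `# 0644: read by several service accounts; key is limited to the RBD pools` would record why the file stays world-readable. The enclosing mapping starts outside the hunk.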
@@ -99,6 +99,7 @@ resources:
}"
params:
CLIENT_USER: {get_param: CephClientUserName}
+ CLIENT_KEY: {get_param: ceph_client_key}
ADMIN_KEY: {get_param: ceph_admin_key}
NOVA_POOL: {get_param: NovaRbdPoolName}
CINDER_POOL: {get_param: CinderRbdPoolName}
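Review bot: `ceph_client_key` is read with `get_param` on the added line, but its declaration in the template's `parameters:` section is not visible in this hunk. It should be declared with `hidden: true` so the key is not echoed back in stack parameter output, and without a default so that a deployment which supplies no key fails instead of falling back to a known value. On clusters deployed before this change the client entity presumably already exists with the admin secret, so it is worth confirming that the key resource updates the stored secret and does not leave the old one in place. The `params:` mapping continues outside the hunk.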