From d3b841ce1dcfe27eab03cc50444783e38891812c Mon Sep 17 00:00:00 2001
From: Dimitri Savineau
Date: Wed, 6 Apr 2016 16:48:12 +0200
Subject: Use a different ceph key for admin/client user

By default only the admin user key is generated and this key is used for both admin and openstack user. Because the mode of the client's key file is 644, any user with a valid shell on the controller/compute/ceph nodes can made admin operations on the ceph cluster. This patch allows to used the random key generated by tripleoclient for the openstack user.

Change-Id: I771bbee81c0acfe593e92a99ad12d6f1f7f445ef
Closes-bug: #1566927
Depends-On: I404665c09084f0a6cd2d8872940ee90220dc5f69
---
 puppet/ceph-cluster-config.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'puppet')
diff --git a/puppet/ceph-cluster-config.yaml b/puppet/ceph-cluster-config.yaml
index dc2f98ed..d8d4f0af 100644
--- a/puppet/ceph-cluster-config.yaml
+++ b/puppet/ceph-cluster-config.yaml
@@ -91,7 +91,7 @@ resources:
 cap_mon: 'allow profile bootstrap-osd'
 },
 client.CLIENT_USER: {
- secret: 'ADMIN_KEY',
+ secret: 'CLIENT_KEY',
 mode: '0644',
 cap_mon: 'allow r',
 cap_osd: 'allow class-read object_prefix rbd_children, allow rwx pool=CINDER_POOL, allow rwx pool=NOVA_POOL, allow rwx pool=GLANCE_POOL'
@@ -99,6 +99,7 @@ resources:
 }"
 params:
 CLIENT_USER: {get_param: CephClientUserName}
+ CLIENT_KEY: {get_param: ceph_client_key}
 ADMIN_KEY: {get_param: ceph_admin_key}
 NOVA_POOL: {get_param: NovaRbdPoolName}
 CINDER_POOL: {get_param: CinderRbdPoolName}
-- 
cgit 1.2.3-korg
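Review bot: The `mode: '0644'` context line under `client.CLIENT_USER` is left as it was, so after the switch to `CLIENT_KEY` every local account on these nodes can still read a key that carries `allow rwx` on the Cinder, Nova and Glance pools. The separate key removes the admin exposure the commit message describes, but not read/write access to volume and image data. If the services that consume the keyring can share a group, consider `mode: '0640'` with group ownership set accordingly; otherwise add a comment beside `mode` recording why world-read is required. The key definition starts and ends outside the hunk.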
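Review bot: `CLIENT_KEY: {get_param: ceph_client_key}` relies on a parameter declared outside this hunk, and the diffstat shows no other insertion in this file, so that declaration should be checked. It should carry `hidden: true` and have no empty or shared default, since an empty value would presumably leave the client user without a usable secret. On clusters already deployed with the admin key as the client secret, this substitution likely changes the client key on stack update. A short comment or release note on redistributing the new keyring to existing clients would help operators.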