mirror of https://github.com/ceph/ceph-ansible.git
Allow user to define ACLs for OpenStack keys
The keys and openstack_keys structures now support an optional key called acls whose value is a list of strings one could pass to setfacl. The ansible ACL module applies the ACLs to all openstack keys with this property. Fixes: #1688
pull/1696/head
parent
94651197ff
commit
73633f05a0
|
@ -19,7 +19,9 @@ dummy:
|
|||
# - { name: test2, pgs: "{{ ceph_conf_overrides.global.osd_pool_default_pg_num }}" }
|
||||
|
||||
# Can add `mds_cap` attribute to override the default value which is '' for mds capabilities.
|
||||
# To have have ansible setfacl the generated key for $user, set the acls var like so:
|
||||
# acls: ["u:$user:r--"]
|
||||
#keys:
|
||||
# - { name: client.test, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool=test" }
|
||||
# - { name: client.test2, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool=test2" }
|
||||
# - { name: client.test, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool=test", acls: [] }
|
||||
# - { name: client.test2, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool=test2", acls: [] }
|
||||
|
||||
|
|
|
@ -103,12 +103,15 @@ dummy:
|
|||
# The value for 'key' can be a pre-generated key,
|
||||
# e.g key: "AQDC2UxZH4yeLhAAgTaZb+4wDUlYOsr1OfZSpQ=="
|
||||
# By default, keys will be auto-generated.
|
||||
#
|
||||
# To have have ansible setfacl the generated key, set the acls var like so:
|
||||
# acls: ["u:nova:r--", "u:cinder:r--", "u:glance:r--", "u:gnocchi:r--"]
|
||||
#openstack_keys:
|
||||
# - { name: client.glance, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_glance_pool.name }}" }
|
||||
# - { name: client.cinder, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_cinder_pool.name }}, allow rwx pool={{ openstack_nova_pool.name }}, allow rx pool={{ openstack_glance_pool.name }}" }
|
||||
# - { name: client.cinder-backup, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_cinder_backup_pool.name }}" }
|
||||
# - { name: client.gnocchi, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_gnocchi_pool.name }}" }
|
||||
# - { name: client.openstack, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool=images, allow rwx pool=vms, allow rwx pool=volumes, allow rwx pool=backups" }
|
||||
# - { name: client.glance, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_glance_pool.name }}", acls: [] }
|
||||
# - { name: client.cinder, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_cinder_pool.name }}, allow rwx pool={{ openstack_nova_pool.name }}, allow rx pool={{ openstack_glance_pool.name }}", acls: [] }
|
||||
# - { name: client.cinder-backup, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_cinder_backup_pool.name }}", acls: [] }
|
||||
# - { name: client.gnocchi, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_gnocchi_pool.name }}", acls: [] }
|
||||
# - { name: client.openstack, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool=images, allow rwx pool=vms, allow rwx pool=volumes, allow rwx pool=backups", acls: [] }
|
||||
|
||||
##########
|
||||
# DOCKER #
|
||||
|
|
|
@ -33,7 +33,7 @@ dummy:
|
|||
# important to split them into shards. We suggest about 100K
|
||||
# objects per shard as a conservative maximum.
|
||||
#rgw_override_bucket_index_max_shards: 16
|
||||
#
|
||||
|
||||
# Consider setting a quota on buckets so that exceeding this
|
||||
# limit will require admin intervention.
|
||||
#rgw_bucket_default_quota_max_objects: 1638400 # i.e., 100K * 16
|
||||
|
|
|
@ -11,6 +11,8 @@ pools:
|
|||
- { name: test2, pgs: "{{ ceph_conf_overrides.global.osd_pool_default_pg_num }}" }
|
||||
|
||||
# Can add `mds_cap` attribute to override the default value which is '' for mds capabilities.
|
||||
# To have have ansible setfacl the generated key for $user, set the acls var like so:
|
||||
# acls: ["u:$user:r--"]
|
||||
keys:
|
||||
- { name: client.test, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool=test" }
|
||||
- { name: client.test2, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool=test2" }
|
||||
- { name: client.test, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool=test", acls: [] }
|
||||
- { name: client.test2, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool=test2", acls: [] }
|
||||
|
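Review bot: The added comment `# To have have ansible setfacl the generated key for $user, set the acls var like so:` doubles the word "have", and the same typo appears in the mon defaults hunk further down (`# To have have ansible setfacl the generated key, set the acls var like so:`). Suggest `# To have ansible setfacl the generated key for a given user, set the acls var like so:`; `$user` is only a placeholder, but placed next to the `$(ceph-authtool --gen-print-key)` value, which is presumably shell-expanded at run time, a plain-word placeholder reads less like something that gets substituted. The explicit `acls: []` on every default entry looks redundant with the `skip_missing: true` in the task that consumes it, though harmless; if it stays, a short note that an empty list means no ACL is applied would help readers. The `keys:` list is the last thing in the hunk, so whether further entries follow is not visible here.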
|
|
@ -30,3 +30,16 @@
|
|||
- "{{ keys }}"
|
||||
- "{{ keys_exist.results }}"
|
||||
when: item.1.rc != 0
|
||||
|
||||
- name: setfacl for key(s)
|
||||
acl:
|
||||
path: "/etc/ceph/{{ cluster }}.{{ item.0.name }}.keyring"
|
||||
entry: "{{ item.1 }}"
|
||||
state: present
|
||||
with_subelements:
|
||||
- "{{ keys }}"
|
||||
- acls
|
||||
- skip_missing: true
|
||||
when:
|
||||
- cephx
|
||||
- keys | length > 0
|
||||
|
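Review bot: The new `setfacl for key(s)` task only adds entries (`state: present`), so an entry removed from a key's `acls` list on a later run stays on the keyring; because each entry grants a principal read access to the secret, that revocation gap should be stated where the task is. Suggest a comment above the task such as `# Only adds entries: removing one from 'acls' does not revoke it; use state: absent or reset the ACL by hand`, and the same applies to the `setfacl for openstack key(s)` task in the last hunk. Computing the entries to drop from the keyring's current ACL would close the gap but is a larger change than this commit attempts. The preceding task, whose `with_together` items and `when:` form the first three lines of the hunk, starts outside it.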
|
|
@ -95,12 +95,15 @@ openstack_pools:
|
|||
# The value for 'key' can be a pre-generated key,
|
||||
# e.g key: "AQDC2UxZH4yeLhAAgTaZb+4wDUlYOsr1OfZSpQ=="
|
||||
# By default, keys will be auto-generated.
|
||||
#
|
||||
# To have have ansible setfacl the generated key, set the acls var like so:
|
||||
# acls: ["u:nova:r--", "u:cinder:r--", "u:glance:r--", "u:gnocchi:r--"]
|
||||
openstack_keys:
|
||||
- { name: client.glance, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_glance_pool.name }}" }
|
||||
- { name: client.cinder, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_cinder_pool.name }}, allow rwx pool={{ openstack_nova_pool.name }}, allow rx pool={{ openstack_glance_pool.name }}" }
|
||||
- { name: client.cinder-backup, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_cinder_backup_pool.name }}" }
|
||||
- { name: client.gnocchi, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_gnocchi_pool.name }}" }
|
||||
- { name: client.openstack, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool=images, allow rwx pool=vms, allow rwx pool=volumes, allow rwx pool=backups" }
|
||||
- { name: client.glance, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_glance_pool.name }}", acls: [] }
|
||||
- { name: client.cinder, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_cinder_pool.name }}, allow rwx pool={{ openstack_nova_pool.name }}, allow rx pool={{ openstack_glance_pool.name }}", acls: [] }
|
||||
- { name: client.cinder-backup, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_cinder_backup_pool.name }}", acls: [] }
|
||||
- { name: client.gnocchi, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_gnocchi_pool.name }}", acls: [] }
|
||||
- { name: client.openstack, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool=images, allow rwx pool=vms, allow rwx pool=volumes, allow rwx pool=backups", acls: [] }
|
||||
|
||||
##########
|
||||
# DOCKER #
|
||||
|
|
|
@ -49,3 +49,16 @@
|
|||
- cephx
|
||||
- openstack_config
|
||||
- item.0 != groups[mon_group_name] | last
|
||||
|
||||
- name: setfacl for openstack key(s)
|
||||
acl:
|
||||
path: "/etc/ceph/{{ cluster }}.{{ item.0.name }}.keyring"
|
||||
entry: "{{ item.1 }}"
|
||||
state: present
|
||||
with_subelements:
|
||||
- "{{ openstack_keys }}"
|
||||
- acls
|
||||
- skip_missing: true
|
||||
when:
|
||||
- openstack_config
|
||||
- cephx
|
||||
|
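Review bot: The principals in the new `setfacl for openstack key(s)` task are resolved on the host the task runs on, so the `acl` module fails if a name such as the `u:nova:r--` from the documented example in the mon defaults hunk does not exist as a local user on the mon; that precondition is neither checked nor documented. The ACL is also a property of the local keyring file and presumably does not travel with any copy of the keyring made to another host — worth confirming against how these keys are distributed. Suggest a comment on the task along the lines of `# principals in 'acls' must exist on this host; the ACL is not carried along when the keyring is copied elsewhere`, and, if the keyring is not present on every mon at this point, a `stat`-based guard or the same host condition as the task above. The `when:` block at the top of the hunk belongs to a task that starts outside it.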
|