mon/client: remove acl code

Applying ACL on the keyrings is not used anymore so let's remove this code. Signed-off-by: Sébastien Han <seb@redhat.com>
2018-04-20 16:44:41 +02:00 · 2018-04-20 16:44:41 +02:00 · 85732d11b9
parent cfe8e51d99
commit 85732d11b9
7 changed files with 19 additions and 44 deletions
--- a/group_vars/clients.yml.sample
+++ b/group_vars/clients.yml.sample
@ -38,10 +38,6 @@ dummy:
 #  - "{{ test }}"
 #  - "{{ test2 }}"

-# Can add `mds_cap` attribute to override the default value which is '' for mds capabilities.
-# To have have ansible setfacl the generated key for $user, set the acls var like so:
-# acls: ["u:$user:r--"]
-#
 # Generate a keyring using ceph-authtool CLI or python.
 # Eg:
 #  $ ceph-authtool --gen-print-key
@ -52,6 +48,6 @@ dummy:
 # - { name: client.test, key: "AQAin8tUMICVFBAALRHNrV0Z4MXupRw4v9JQ6Q==" ...
 #
 #keys:
-#  - { name: client.test, caps: { mon: "allow r", osd: "allow class-read object_prefix rbd_children, allow rwx pool=test" },  mode: "0600", acls: [] }
-#  - { name: client.test2, caps: { mon: "allow r", osd: "allow class-read object_prefix rbd_children, allow rwx pool=test2" },  mode: "0600", acls: [] }
+#  - { name: client.test, caps: { mon: "allow r", osd: "allow class-read object_prefix rbd_children, allow rwx pool=test" },  mode: "0600" }
+#  - { name: client.test2, caps: { mon: "allow r", osd: "allow class-read object_prefix rbd_children, allow rwx pool=test2" },  mode: "0600" }

--- a/group_vars/mons.yml.sample
+++ b/group_vars/mons.yml.sample
@ -139,14 +139,12 @@ dummy:
 # e.g key: "AQDC2UxZH4yeLhAAgTaZb+4wDUlYOsr1OfZSpQ=="
 # By default, keys will be auto-generated.
 #
-# To have have ansible setfacl the generated key, set the acls var like so:
-# acls: ["u:nova:r--", "u:cinder:r--", "u:glance:r--", "u:gnocchi:r--"]
 #openstack_keys:
-#  - { name: client.glance, caps: { mon: "profile rbd", osd: "profile rbd pool=volumes, profile rbd pool={{ openstack_glance_pool.name }}"}, mode: "0600", acls: [] }
-#  - { name: client.cinder, caps: { mon: "profile rbd", osd: "profile rbd pool={{ openstack_cinder_pool.name }}, profile rbd pool={{ openstack_nova_pool.name }}, profile rbd pool={{ openstack_glance_pool.name }}"}, mode: "0600", acls: [] }
-#  - { name: client.cinder-backup, caps: { mon: "profile rbd", osd: "profile rbd pool={{ openstack_cinder_backup_pool.name }}"}, mode: "0600", acls: [] }
-#  - { name: client.gnocchi, caps: { mon: "profile rbd", osd: "profile rbd pool={{ openstack_gnocchi_pool.name }}"}, mode: "0600", acls: [] }
-#  - { name: client.openstack, caps: { mon: "profile rbd", osd: "profile rbd pool={{ openstack_glance_pool.name }}, profile rbd pool={{ openstack_nova_pool.name }}, profile rbd pool={{ openstack_cinder_pool.name }}, profile rbd pool={{ openstack_cinder_backup_pool.name }}"}, mode: "0600", acls: [] }
+#  - { name: client.glance, caps: { mon: "profile rbd", osd: "profile rbd pool=volumes, profile rbd pool={{ openstack_glance_pool.name }}"}, mode: "0600" }
+#  - { name: client.cinder, caps: { mon: "profile rbd", osd: "profile rbd pool={{ openstack_cinder_pool.name }}, profile rbd pool={{ openstack_nova_pool.name }}, profile rbd pool={{ openstack_glance_pool.name }}"}, mode: "0600" }
+#  - { name: client.cinder-backup, caps: { mon: "profile rbd", osd: "profile rbd pool={{ openstack_cinder_backup_pool.name }}"}, mode: "0600" }
+#  - { name: client.gnocchi, caps: { mon: "profile rbd", osd: "profile rbd pool={{ openstack_gnocchi_pool.name }}"}, mode: "0600", }
+#  - { name: client.openstack, caps: { mon: "profile rbd", osd: "profile rbd pool={{ openstack_glance_pool.name }}, profile rbd pool={{ openstack_nova_pool.name }}, profile rbd pool={{ openstack_cinder_pool.name }}, profile rbd pool={{ openstack_cinder_backup_pool.name }}"}, mode: "0600" }


 ##########
--- a/infrastructure-playbooks/ceph-keys.yml
+++ b/infrastructure-playbooks/ceph-keys.yml
@ -17,9 +17,9 @@
      - client.leseb1
      - client.pythonnnn
    keys_to_create:
-      - { name: client.pythonnnn, caps: { mon: "allow rwx", mds: "allow *" } , mode: "0600", acls: [] }
-      - { name: client.existpassss, caps: { mon: "allow r", osd: "allow *" } , mode: "0600", acls: [] }
-      - { name: client.path, caps: { mon: "allow r", osd: "allow *" } , mode: "0600", acls: [] }
+      - { name: client.pythonnnn, caps: { mon: "allow rwx", mds: "allow *" } , mode: "0600" }
+      - { name: client.existpassss, caps: { mon: "allow r", osd: "allow *" } , mode: "0600" }
+      - { name: client.path, caps: { mon: "allow r", osd: "allow *" } , mode: "0600" }

  tasks:
    - name: create ceph key(s) module
--- a/library/ceph_key.py
+++ b/library/ceph_key.py
@ -102,8 +102,8 @@ options:
 EXAMPLES = '''

 keys_to_create:
-  - { name: client.key, key: "AQAin8tUUK84ExAA/QgBtI7gEMWdmnvKBzlXdQ==", caps: { mon: "allow rwx", mds: "allow *" } , mode: "0600", acls: [] }
-  - { name: client.cle, caps: { mon: "allow r", osd: "allow *" } , mode: "0600", acls: [] }
+  - { name: client.key, key: "AQAin8tUUK84ExAA/QgBtI7gEMWdmnvKBzlXdQ==", caps: { mon: "allow rwx", mds: "allow *" } , mode: "0600" }
+  - { name: client.cle, caps: { mon: "allow r", osd: "allow *" } , mode: "0600" }

 caps:
  mon: "allow rwx"
--- a/roles/ceph-client/defaults/main.yml
+++ b/roles/ceph-client/defaults/main.yml
@ -30,10 +30,6 @@ pools:
  - "{{ test }}"
  - "{{ test2 }}"

-# Can add `mds_cap` attribute to override the default value which is '' for mds capabilities.
-# To have have ansible setfacl the generated key for $user, set the acls var like so:
-# acls: ["u:$user:r--"]
-#
 # Generate a keyring using ceph-authtool CLI or python.
 # Eg:
 #  $ ceph-authtool --gen-print-key
@ -44,5 +40,5 @@ pools:
 # - { name: client.test, key: "AQAin8tUMICVFBAALRHNrV0Z4MXupRw4v9JQ6Q==" ...
 #
 keys:
-  - { name: client.test, caps: { mon: "allow r", osd: "allow class-read object_prefix rbd_children, allow rwx pool=test" },  mode: "0600", acls: [] }
-  - { name: client.test2, caps: { mon: "allow r", osd: "allow class-read object_prefix rbd_children, allow rwx pool=test2" },  mode: "0600", acls: [] }
+  - { name: client.test, caps: { mon: "allow r", osd: "allow class-read object_prefix rbd_children, allow rwx pool=test" },  mode: "0600" }
+  - { name: client.test2, caps: { mon: "allow r", osd: "allow class-read object_prefix rbd_children, allow rwx pool=test2" },  mode: "0600" }
--- a/roles/ceph-client/tasks/create_users_keys.yml
+++ b/roles/ceph-client/tasks/create_users_keys.yml
@ -97,16 +97,3 @@
  when:
    - not item.get('skipped', False)
    - not inventory_hostname == groups.get(client_group_name, []) | first
-
- name: setfacl for cephx key(s)
-  acl:
-    path: "{{ ceph_conf_key_directory }}/{{ cluster }}.{{ item.0.name }}.keyring"
-    entry: "{{ item.1 }}"
-    state: present
-  with_subelements:
-    - "{{ keys }}"
-    - acls
-    - skip_missing: true
-  when:
-    - cephx
-    - keys | length > 0
--- a/roles/ceph-mon/defaults/main.yml
+++ b/roles/ceph-mon/defaults/main.yml
@ -131,14 +131,12 @@ openstack_pools:
 # e.g key: "AQDC2UxZH4yeLhAAgTaZb+4wDUlYOsr1OfZSpQ=="
 # By default, keys will be auto-generated.
 #
-# To have have ansible setfacl the generated key, set the acls var like so:
-# acls: ["u:nova:r--", "u:cinder:r--", "u:glance:r--", "u:gnocchi:r--"]
 openstack_keys:
-  - { name: client.glance, caps: { mon: "profile rbd", osd: "profile rbd pool=volumes, profile rbd pool={{ openstack_glance_pool.name }}"}, mode: "0600", acls: [] }
-  - { name: client.cinder, caps: { mon: "profile rbd", osd: "profile rbd pool={{ openstack_cinder_pool.name }}, profile rbd pool={{ openstack_nova_pool.name }}, profile rbd pool={{ openstack_glance_pool.name }}"}, mode: "0600", acls: [] }
-  - { name: client.cinder-backup, caps: { mon: "profile rbd", osd: "profile rbd pool={{ openstack_cinder_backup_pool.name }}"}, mode: "0600", acls: [] }
-  - { name: client.gnocchi, caps: { mon: "profile rbd", osd: "profile rbd pool={{ openstack_gnocchi_pool.name }}"}, mode: "0600", acls: [] }
-  - { name: client.openstack, caps: { mon: "profile rbd", osd: "profile rbd pool={{ openstack_glance_pool.name }}, profile rbd pool={{ openstack_nova_pool.name }}, profile rbd pool={{ openstack_cinder_pool.name }}, profile rbd pool={{ openstack_cinder_backup_pool.name }}"}, mode: "0600", acls: [] }
+  - { name: client.glance, caps: { mon: "profile rbd", osd: "profile rbd pool=volumes, profile rbd pool={{ openstack_glance_pool.name }}"}, mode: "0600" }
+  - { name: client.cinder, caps: { mon: "profile rbd", osd: "profile rbd pool={{ openstack_cinder_pool.name }}, profile rbd pool={{ openstack_nova_pool.name }}, profile rbd pool={{ openstack_glance_pool.name }}"}, mode: "0600" }
+  - { name: client.cinder-backup, caps: { mon: "profile rbd", osd: "profile rbd pool={{ openstack_cinder_backup_pool.name }}"}, mode: "0600" }
+  - { name: client.gnocchi, caps: { mon: "profile rbd", osd: "profile rbd pool={{ openstack_gnocchi_pool.name }}"}, mode: "0600", }
+  - { name: client.openstack, caps: { mon: "profile rbd", osd: "profile rbd pool={{ openstack_glance_pool.name }}, profile rbd pool={{ openstack_nova_pool.name }}, profile rbd pool={{ openstack_cinder_pool.name }}, profile rbd pool={{ openstack_cinder_backup_pool.name }}"}, mode: "0600" }


 ##########