commit ab2f7cf5cb2962fa4500b7cccd87a249a8f57d37
Author: Alan Bishop <email address hidden>
Date: Wed Jun 2 12:52:48 2021 -0700
Fix cinder's cephx keyring file permissions

This patch updates cinder's kolla permissions so that cinder can
access any cephx keyring associated with CephExternalMultiConfig
ceph clusters. The new approach parses the cluster names out of the
CephExternalMultiConfig array, and uses a wildcard to grant access
to all keys (regardless of the key name) defined for each cluster.
There is no risk of the wildcard granting improper access to a
privileged key (e.g. the admin key), because CephExternalMultiConfig
doesn't include privileged keys.

This patch replaces similar (but more restrictive) code added in
I73af5b868de629870a35d38f8436e7025aae791e. That patch allowed cinder
to access cephx keyrings associated with a new CinderRbdMultiConfig
parameter, but it didn't cover all potential use cases. For example,
in a DCN/Edge deployment, cinder services running at the edge need
access to the central site's client key in order to perform operations
like offline volume migration.

NOTE (pre-Wallaby):
The >= Wallaby versions of this patch tweak code that was introduced
in Wallaby by I73af5b868de629870a35d38f8436e7025aae791e. Pre-Wallaby
versions of this patch _add_ the tweaked code.

Closes-Bug: #1930620
Resolves: rhbz#1962304
Change-Id: I4423fcbd62b09ef323590fc740dd29e1a17777f5
(cherry picked from commit f1cd8006fec9f3f68cee21fc2139fb985b0b1fac)
(cherry picked from commit 74e3884b4a21a27262c48b4df8f0e369a5486f87)
Conflicts: deployment/cinder/cinder-common-container-puppet.yaml
(cherry picked from commit bc39ac89d2242bfdce9094e9cb22ee63d293ce28)
Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/796001
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/ab2f7cf5cb2962fa4500b7cccd87a249a8f57d37
Submitter: "Zuul (22348)"
Branch: stable/ussuri
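The per-cluster wildcard grant described in the commit message, together with a check of its safety claim, as an added example that is not part of the original commit or of tripleo-heat-templates. The `/etc/ceph/<cluster>.client.*.keyring` pattern, the `cluster`/`keys`/`name` field names, the `client.admin` privileged name and all sample data are assumptions constructed for illustration.

```python
import fnmatch

# Assumption: one wildcard permission path per external cluster name.
KEYRING_GLOB = "/etc/ceph/{cluster}.client.*.keyring"
PRIVILEGED_KEYS = {"client.admin"}  # assumption: key names treated as privileged

def cluster_names(multi_config):
    """Parse the unique cluster names out of a CephExternalMultiConfig-style list."""
    names = []
    for entry in multi_config:
        name = entry.get("cluster")
        if name and name not in names:
            names.append(name)
    return names

def kolla_permissions(multi_config, owner="cinder:cinder"):
    """Build one wildcard permission entry per cluster, regardless of key name."""
    return [{"path": KEYRING_GLOB.format(cluster=c), "owner": owner}
            for c in cluster_names(multi_config)]

def audit(multi_config, files_on_disk):
    """Return (granted, flagged): files the wildcards match, and matched files
    that are privileged or were never declared in the multi-config."""
    declared = {"/etc/ceph/{}.{}.keyring".format(e["cluster"], k["name"])
                for e in multi_config for k in e.get("keys", [])}
    granted, flagged = [], []
    for perm in kolla_permissions(multi_config):
        for path in files_on_disk:
            if not fnmatch.fnmatchcase(path, perm["path"]):
                continue
            granted.append(path)
            privileged = any(path.endswith("." + p + ".keyring") for p in PRIVILEGED_KEYS)
            if privileged or path not in declared:
                flagged.append(path)
    return granted, flagged

# Constructed sample input: two external clusters and a keyring directory listing.
SAMPLE_CONFIG = [
    {"cluster": "central", "keys": [{"name": "client.openstack"}]},
    {"cluster": "dcn1", "keys": [{"name": "client.openstack"}, {"name": "client.glance"}]},
]
SAMPLE_FILES = [
    "/etc/ceph/ceph.client.admin.keyring",         # local cluster, outside the multi-config
    "/etc/ceph/central.client.openstack.keyring",
    "/etc/ceph/dcn1.client.openstack.keyring",
    "/etc/ceph/dcn1.client.glance.keyring",
    "/etc/ceph/dcn1.client.admin.keyring",         # stray privileged key: must be flagged
]

if __name__ == "__main__":
    granted, flagged = audit(SAMPLE_CONFIG, SAMPLE_FILES)
    print("granted:", granted)
    print("flagged:", flagged)
```

The wildcard is only as safe as the contents of the keyring directory: the check flags any matched file that is privileged or was not declared for that cluster.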