tripleo

Bug #1930620
Comment #10

Comment 10 for bug 1930620

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-06-16: Fix merged to tripleo-heat-templates (stable/ussuri)

#10

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/796001
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/ab2f7cf5cb2962fa4500b7cccd87a249a8f57d37
Submitter: "Zuul (22348)"
Branch: stable/ussuri

commit ab2f7cf5cb2962fa4500b7cccd87a249a8f57d37
Author: Alan Bishop <email address hidden>
Date: Wed Jun 2 12:52:48 2021 -0700

Fix cinder's cephx keyring file permissions

    This patch updates cinder's kolla permissions so that cinder can
    access any cephx keyring associated with CephExternalMultiConfig
    ceph clusters. The new approach parses the cluster names out of the
    CephExternalMultiConfig array, and uses a wildcard to grant access
    to all keys (regardless of the key name) defined for each cluster.
    There is no risk of the wildcard granting improper access to a
    privileged key (e.g. the admin key), because CephExternalMultiConfig
    doesn't include privileged keys.

    This patch replaces similar (but more restrictive) code added in
    I73af5b868de629870a35d38f8436e7025aae791e. That patch allowed cinder
    to access cephx keyrings associated with a new CinderRbdMultiConfig
    parameter, but it didn't cover all potential use cases. For example,
    in a DCN/Edge deployment, cinder services running at the edge need
    access to the central site's client key in order to perform operations
    like offline volume migration.

    NOTE (pre-Wallaby):
    The >= Wallaby versions of this patch tweaks code that was introduced
    in Wallaby by I73af5b868de629870a35d38f8436e7025aae791e. Pre-Wallaby
    versions of this patch _adds_ the tweaked code.

    Closes-Bug: #1930620
    Resolves: rhbz#1962304
    Change-Id: I4423fcbd62b09ef323590fc740dd29e1a17777f5
    (cherry picked from commit f1cd8006fec9f3f68cee21fc2139fb985b0b1fac)
    (cherry picked from commit 74e3884b4a21a27262c48b4df8f0e369a5486f87)
    Conflicts:
            deployment/cinder/cinder-common-container-puppet.yaml
    (cherry picked from commit bc39ac89d2242bfdce9094e9cb22ee63d293ce28)

Reviewed:  https://review.opendev.org/c/openstack/tripleo-heat-templates/+/796001
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/ab2f7cf5cb2962fa4500b7cccd87a249a8f57d37
Submitter: "Zuul (22348)"
Branch:    stable/ussuri

commit ab2f7cf5cb2962fa4500b7cccd87a249a8f57d37
Author: Alan Bishop <abishop@redhat.com>
Date:   Wed Jun 2 12:52:48 2021 -0700

Fix cinder's cephx keyring file permissions
    
    This patch updates cinder's kolla permissions so that cinder can
    access any cephx keyring associated with CephExternalMultiConfig
    ceph clusters. The new approach parses the cluster names out of the
    CephExternalMultiConfig array, and uses a wildcard to grant access
    to all keys (regardless of the key name) defined for each cluster.
    There is no risk of the wildcard granting improper access to a
    privileged key (e.g. the admin key), because CephExternalMultiConfig
    doesn't include privileged keys.
    
    This patch replaces similar (but more restrictive) code added in
    I73af5b868de629870a35d38f8436e7025aae791e. That patch allowed cinder
    to access cephx keyrings associated with a new CinderRbdMultiConfig
    parameter, but it didn't cover all potential use cases. For example,
    in a DCN/Edge deployment, cinder services running at the edge need
    access to the central site's client key in order to perform operations
    like offline volume migration.
    
    NOTE (pre-Wallaby):
    The >= Wallaby versions of this patch tweaks code that was introduced
    in Wallaby by I73af5b868de629870a35d38f8436e7025aae791e. Pre-Wallaby
    versions of this patch _adds_ the tweaked code.
    
    Closes-Bug: #1930620
    Resolves: rhbz#1962304
    Change-Id: I4423fcbd62b09ef323590fc740dd29e1a17777f5
    (cherry picked from commit f1cd8006fec9f3f68cee21fc2139fb985b0b1fac)
    (cherry picked from commit 74e3884b4a21a27262c48b4df8f0e369a5486f87)
    Conflicts:
            deployment/cinder/cinder-common-container-puppet.yaml
    (cherry picked from commit bc39ac89d2242bfdce9094e9cb22ee63d293ce28)