[Bug 1424771] Fix merged to charm-ceph (master)

OpenStack Infra 1424771 at bugs.launchpad.net
Fri Feb 10 21:14:49 UTC 2017

Reviewed:  https://review.openstack.org/432289
Committed: https://git.openstack.org/cgit/openstack/charm-ceph/commit/?id=3dfeff7a19e16b166c302a8896b39e8357eeb6f7
Submitter: Jenkins
Branch:    master

commit 3dfeff7a19e16b166c302a8896b39e8357eeb6f7
Author: Chris MacNaughton <chmacnaughton at gmail.com>
Date:   Fri Feb 10 07:54:14 2017 -0500

    Sync in charms.ceph
    This brings in the new broker change to restrict
    key access by groups
    Change-Id: I19ad0142b4227ba555a0794e8b938372d9fdb84c
    Partial-Bug: 1424771

  Excessive caps for CephX users glance, cinder, nova-compute

Status in charms.openstack:
Status in ceph package in Juju Charms Collection:
  In Progress
Status in ceph-mon package in Juju Charms Collection:
Status in cinder package in Juju Charms Collection:
Status in glance package in Juju Charms Collection:
Status in nova-compute package in Juju Charms Collection:

Bug description:
  The cephx identities, which the charms generate for glance, cinder and
  nova-compute, have excessive capabilities. They allow write access to
  mons, and unrestricted access to OSDs.

  The following caps should be sufficient:

  For client.glance:
  mon = "allow r"
  osd = "allow rw pool=glance"

  For client.cinder:
  mon = "allow r"
  osd = "allow rw pool=cinder"

  For client.nova-compute:
  mon = "allow r"
  osd = "allow rwx pool=cinder"
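
An added example, not part of the bug report or the charm's own code: an audit that compares cephx caps against the least-privilege caps proposed above and reports every entity that exceeds them. The sample input is constructed, modeled on plain-text `ceph auth list` output, and all function names are hypothetical.

```python
import re

# Least-privilege caps proposed in the bug description: (mon perms, osd perms, osd pool).
EXPECTED = {
    "client.glance": ("r", "rw", "glance"),
    "client.cinder": ("r", "rw", "cinder"),
    "client.nova-compute": ("r", "rwx", "cinder"),
}

# Constructed sample (assumption: layout follows plain-text `ceph auth list` output).
SAMPLE = """\
client.glance
\tkey: <redacted>
\tcaps: [mon] allow rw
\tcaps: [osd] allow rwx
client.cinder
\tkey: <redacted>
\tcaps: [mon] allow r
\tcaps: [osd] allow rw pool=cinder
client.nova-compute
\tkey: <redacted>
\tcaps: [mon] allow r
\tcaps: [osd] allow rwx pool=cinder, allow rwx pool=glance
"""

def parse_auth_list(text):
    """Parse the listing into {entity: {service: cap string}}."""
    entities, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():
            current = entities.setdefault(line.strip(), {})
        else:
            m = re.match(r"\s*caps: \[(\w+)\] (.*)", line)
            if m and current is not None:
                current[m.group(1)] = m.group(2).strip()
    return entities

def grants(cap):
    """Yield (perms, pool) per comma-separated grant; an unrecognised grant yields (None, None)."""
    for part in cap.split(","):
        m = re.fullmatch(r"allow ([rwx*]+)(?: pool=(\S+))?", part.strip())
        yield (set(m.group(1)), m.group(2)) if m else (None, None)

def audit(entities):
    """Return (entity, service, caps) for each cap string that exceeds the proposed caps."""
    findings = []
    for name, (mon_ok, osd_ok, pool_ok) in EXPECTED.items():
        caps = entities.get(name, {})
        for svc, allowed, pool in (("mon", mon_ok, None), ("osd", osd_ok, pool_ok)):
            cap = caps.get(svc)
            # Flag extra permission bits, a missing or different pool, or anything unparsable.
            if cap and any(p is None or not p <= set(allowed) or got != pool
                           for p, got in grants(cap)):
                findings.append((name, svc, cap))
    return findings
```

Grants the parser does not recognise (profiles, `allow *`, object-prefix rules) are reported rather than silently accepted, so the audit errs on the side of flagging.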
