[Bug 1424771] Fix merged to charm-nova-compute (master)

OpenStack Infra 1424771 at bugs.launchpad.net
Tue Feb 14 21:17:02 UTC 2017


Reviewed:  https://review.openstack.org/433621
Committed: https://git.openstack.org/cgit/openstack/charm-nova-compute/commit/?id=6fbc53d28f66f0fe418315676e16f8c3ad3ce7d5
Submitter: Jenkins
Branch:    master

commit 6fbc53d28f66f0fe418315676e16f8c3ad3ce7d5
Author: James Page <james.page at ubuntu.com>
Date:   Tue Feb 14 12:26:48 2017 +0000

    Add support for cephx pool grouping and permissions
    
    Sync charmhelpers and add configuration option to allow access
    to ceph pools to be limited based on grouping.
    
    Nova will require access to volumes, images and vms pool groups.
    
    Change-Id: I1c188d983609577ab34f7aef7854954c104b58bd
    Partial-Bug: 1424771

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to cinder in Juju Charms Collection.
Matching subscriptions: charm-bugs
https://bugs.launchpad.net/bugs/1424771

Title:
  Excessive caps for CephX users glance, cinder, nova-compute

Status in charms.openstack:
  In Progress
Status in ceph package in Juju Charms Collection:
  In Progress
Status in ceph-mon package in Juju Charms Collection:
  In Progress
Status in ceph-radosgw package in Juju Charms Collection:
  Fix Committed
Status in cinder package in Juju Charms Collection:
  Fix Committed
Status in cinder-ceph package in Juju Charms Collection:
  Fix Committed
Status in glance package in Juju Charms Collection:
  Fix Committed
Status in nova-compute package in Juju Charms Collection:
  Fix Committed

Bug description:
  The cephx identities, which the charms generate for glance, cinder and
  nova-compute, have excessive capabilities. They allow write access to
  mons, and unrestricted access to OSDs.

  The following caps should be sufficient:

  For client.glance:
  mon = "allow r"
  osd = "allow rw pool=glance"

  For client.cinder:
  mon = "allow r"
  osd = "allow rw pool=cinder"

  For client.nova-compute:
  mon = "allow r"
  osd = "allow rwx pool=cinder"

To manage notifications about this bug go to:
https://bugs.launchpad.net/charms.openstack/+bug/1424771/+subscriptions
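
Added example, not part of the bug report or of the charm code: a Python check for the two problems the bug description names, write access to mons and OSD grants with no pool restriction. It runs over constructed keyring-style text in the layout `ceph auth get` prints; the function names are hypothetical, and treating only `pool=` as a restriction is a simplifying assumption.

```python
import re

# Constructed sample (keyring layout); entity names follow the bug report.
SAMPLE = """
[client.glance]
    caps mon = "allow rw"
    caps osd = "allow rwx"
[client.cinder]
    caps mon = "allow r"
    caps osd = "allow rw pool=cinder"
[client.nova-compute]
    caps mon = "allow r"
    caps osd = "allow rwx pool=cinder, allow *"
"""

def parse_keyring(text):
    """Return {entity: {daemon: caps string}} from keyring-style text."""
    entities, current = {}, None
    for line in map(str.strip, text.splitlines()):
        section = re.fullmatch(r"\[(.+)\]", line)
        cap = re.fullmatch(r'caps\s+(\w+)\s*=\s*"(.*)"', line)
        if section:
            current = entities.setdefault(section.group(1), {})
        elif cap and current is not None:
            current[cap.group(1)] = cap.group(2)
    return entities

def grants(caps):
    """Yield (text, perms, qualifiers) for each plain 'allow <rwx*>' grant."""
    for grant in caps.split(","):
        tok = grant.split()
        if len(tok) > 1 and tok[0] == "allow" and re.fullmatch(r"[rwx*]+", tok[1]):
            yield grant.strip(), tok[1], tok[2:]

def findings(caps):
    """Flag mon write access and OSD grants with no pool= qualifier."""
    out = []
    for text, perms, _ in grants(caps.get("mon", "")):
        if set(perms) & set("w*"):
            out.append("mon write: " + text)
    for text, _, quals in grants(caps.get("osd", "")):
        # Assumption: only a pool=<name> qualifier counts as a restriction.
        if not any(q.startswith("pool=") for q in quals):
            out.append("osd unrestricted: " + text)
    return out

def audit(text):
    report = {e: findings(c) for e, c in parse_keyring(text).items()}
    return {e: f for e, f in report.items() if f}
```

Calling `audit(SAMPLE)` returns only the entities with at least one finding, so `client.cinder` in the sample is absent from the result.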


