Bug 1280478

Summary: OSPd over deploying cephx keys
Product: Red Hat OpenStack
Reporter: Keith Schincke <kschinck>
Component: openstack-tripleo-heat-templates
Assignee: Yogev Rabl <yrabl>
Status: CLOSED ERRATA
QA Contact: Yogev Rabl <yrabl>
Severity: urgent
Priority: urgent
Version: 7.0 (Kilo)
CC: athomas, gfidente, jomurphy, mburns, nlevine, rhel-osp-director-maint, sclewis, scohen, seb, tbarron, yrabl
Target Milestone: Upstream M2
Keywords: TestOnly, Triaged
Target Release: 12.0 (Pike)
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2017-12-13 20:37:32 UTC
Type: Bug

Description Keith Schincke 2015-11-11 20:16:36 UTC
Description of problem:
When OSPd is configuring the overcloud, all possible cephx authentication keys are deployed to all hosts. 
Example: 
   The OSP controller has the OSD bootstrap key
   The OSP Ceph OSD server has the Ceph admin key 



Version-Release number of selected component (if applicable):
OSPd puddle from Oct 21 

How reproducible:
100%

Steps to Reproduce:
1. Configure overcloud
2. Deploy Overcloud
3. ls /etc/ceph/*keyring

Actual results:
Each node contains ceph.client.admin.keyring, ceph.client.openstack.keyring

Expected results:
Each node contains only the keyrings needed for functionality. 


Additional info:

Comment 2 Giulio Fidente 2016-02-10 16:26:50 UTC
To scope this a little more, the admin and the bootstrap keyrings are only readable by the root account on the overcloud nodes.

We should still avoid the deployment of them on all nodes and distribute the keyrings as needed for the various functionalities.

Comment 3 Angus Thomas 2016-02-10 17:35:05 UTC
We can't block the 7.3 release on this, given that it's not a regression. 

It is effectively an RFE. We'll address it in a future release.

Comment 4 Mike Burns 2016-04-07 20:57:01 UTC
This bug did not make the OSP 8.0 release.  It is being deferred to OSP 10.

Comment 6 Sean Cohen 2016-07-22 13:03:58 UTC
*** Bug 1326925 has been marked as a duplicate of this bug. ***

Comment 7 Erno Kuvaja 2016-09-23 12:23:17 UTC
No progress so far.

Comment 8 seb 2016-11-03 12:53:38 UTC
We agreed on moving this one to 11.
We will commit to bringing this feature for 11.

Comment 10 Alan Bishop 2017-03-29 19:38:43 UTC
The current expectation is this issue will be resolved when OSP-12 switches from using puppet-ceph to ceph-ansible. ceph-ansible already manages ceph key distribution per the desired behavior in the bug description.

For this reason, the team has said there's little desire to invest resources in fixing this in puppet-ceph.

Comment 18 Yogev Rabl 2017-11-15 17:59:05 UTC
Verified, the admin keyring is set only on the controllers.

Comment 21 errata-xmlrpc 2017-12-13 20:37:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3462
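
The `ls /etc/ceph/*keyring` check from the description can be turned into a repeatable per-node audit. The script below is an added example, not code from this bug report or from OSPd or ceph-ansible. The role names and per-role allow-lists are assumptions to adapt to your deployment; the keyring file names are the two listed in the description, and the mode check reflects the root-only readability mentioned in comment 2.

```shell
#!/usr/bin/env bash
# Audit the cephx keyrings on a node against a per-role allow-list.
# Role names and allow-lists are ASSUMPTIONS for illustration only.

# allowed_keyrings ROLE: print the keyring file names that role may hold.
allowed_keyrings() {
  case "$1" in
    controller) echo "ceph.client.admin.keyring ceph.client.openstack.keyring" ;;
    compute)    echo "ceph.client.openstack.keyring" ;;
    ceph-osd)   echo "" ;;   # assumed: no client keyrings in /etc/ceph
    *)          return 2 ;;
  esac
}

# audit_keyrings ROLE [DIR]: print one finding per line.
# Returns 0 if clean, 1 if there are findings, 2 for an unknown role.
audit_keyrings() {
  local role="$1" dir="${2:-/etc/ceph}" allowed f name status=0
  allowed=$(allowed_keyrings "$role") || {
    echo "unknown role: $role" >&2
    return 2
  }
  for f in "$dir"/*keyring; do
    [ -e "$f" ] || continue            # glob matched nothing
    name=${f##*/}
    # Keyring present on this node but not needed by its role.
    case " $allowed " in
      *" $name "*) ;;
      *) echo "UNEXPECTED $name"; status=1 ;;
    esac
    # Group/other permission bits must all be clear (characters 5-10 of ls -l).
    if [ "$(ls -ld -- "$f" | cut -c5-10)" != "------" ]; then
      echo "LOOSE_MODE $name"; status=1
    fi
  done
  return $status
}

# Run only when a role is given, e.g.: ./audit.sh ceph-osd /etc/ceph
[ "$#" -eq 0 ] || audit_keyrings "$@"
```

On a node deployed as the description reports, `audit_keyrings ceph-osd` would list both keyrings as `UNEXPECTED` and exit non-zero, which makes it usable as a post-deployment gate.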