Bug 1326925

Summary: Ceph admin key should not be hosted on non-admin nodes
Product: Red Hat OpenStack
Reporter: Neil Levine <nlevine>
Component: rhosp-director
Assignee: Erno Kuvaja <ekuvaja>
Status: CLOSED DUPLICATE
QA Contact: Arik Chernetsky <achernet>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 10.0 (Newton)
CC: dbecker, gfidente, jefbrown, jomurphy, mburns, morazi, rhel-osp-director-maint, scohen
Target Milestone: ---
Target Release: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-07-22 13:03:58 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Neil Levine 2016-04-13 18:52:17 UTC
In an attempt to improve the security model around Ceph deployments, we want to ensure that there are no client.admin.keys Ceph keys (the "superuser" key) on any nodes except the Ceph admin node. Currently, the client.admin.key is hosted on the Controller/MON host, having been (I believe) generated from OSP-D. 

Ideally, OSP-D would only create nova/cinder/glance (or image/volume) specific keys for the service controllers and only host the client.admin.key on the undercloud hosts or Ceph admin node.
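
A check for the condition this report describes, as an added example that is not part of the original bug report or of OSP director: it parses Ceph keyring text and flags a `client.admin` entry, or any entity holding `allow *` caps, on a node that is not the admin node. The sample keyring, the pool names and the choice of `allow *` as the "too broad" heuristic are constructed assumptions.

```python
import re

# Constructed sample keyring for a Controller/MON host; keys are placeholders.
SAMPLE_KEYRING = """\
[client.admin]
    key = CONSTRUCTED-PLACEHOLDER==
    caps mon = "allow *"
    caps osd = "allow *"
[client.glance]
    key = CONSTRUCTED-PLACEHOLDER==
    caps mon = "allow r"
    caps osd = "allow rwx pool=images"
[client.cinder]
    key = CONSTRUCTED-PLACEHOLDER==
    caps mon = "allow *"
    caps osd = "allow rwx pool=volumes"
"""

SECTION = re.compile(r"^\[([^\]]+)\]\s*$")
CAP = re.compile(r'^caps\s+(\w+)\s*=\s*"?(.*?)"?\s*$')

def parse_keyring(text):
    """Return {entity: {daemon_type: caps_string}}; key material is never stored."""
    entities, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            current = entities.setdefault(m.group(1), {})
            continue
        m = CAP.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return entities

def audit(text, node_is_admin=False):
    """List (entity, reason) findings for keys that should not be on this node."""
    if node_is_admin:
        return []
    findings = []
    for entity, caps in parse_keyring(text).items():
        if entity == "client.admin":
            findings.append((entity, "superuser key present on non-admin node"))
            continue
        for daemon, cap in sorted(caps.items()):
            if cap.strip() == "allow *":
                findings.append((entity, f"unrestricted {daemon} caps"))
    return findings
```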

Comment 2 Jeff Brown 2016-07-13 19:27:50 UTC
Hi Erno,

Is this a bug you could fix?

Thanks,

Jeff