Bug 1280478 - OSPd over deploying cephx keys
OSPd over deploying cephx keys
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates (Show other bugs)
7.0 (Kilo)
Unspecified Unspecified
urgent Severity urgent
: Upstream M2
: 12.0 (Pike)
Assigned To: Yogev Rabl
Yogev Rabl
: TestOnly, Triaged
: 1326925 (view as bug list)
Depends On:
  Show dependency treegraph
Reported: 2015-11-11 15:16 EST by Keith Schincke
Modified: 2017-12-13 15:37 EST (History)
11 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2017-12-13 15:37:32 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
OpenStack gerrit 358609 None None None 2016-08-22 08:36 EDT

  None (edit)
Description Keith Schincke 2015-11-11 15:16:36 EST
Description of problem:
When OSPd is configuring the overcloud, all possible cephx authentication keys are deployed to all hosts. 
   The OSP controller has the OSD bootstrap key
   The OSP Ceph OSD server has the Ceph admin key 

Version-Release number of selected component (if applicable):
OSPd puddle from Oct 21 

How reproducible:

Steps to Reproduce:
1. Configure overcloud
2. Deploy Overcloud
3. ls /etc/ceph/*keyring

Actual results:
Each node contains ceph.client.admin.keyring, ceph.client.openstack.keyring

Expected results:
Each node contains only the keyrings needed for functionality. 

Additional info:
Comment 2 Giulio Fidente 2016-02-10 11:26:50 EST
to scope this a little more, the admin and the bootstrap keyrings are only readable by the root account on the overcloud nodes

we should still avoid the deployment of them on all nodes and distribute the keyrings as needed for the various functionalities
Comment 3 Angus Thomas 2016-02-10 12:35:05 EST
We can't block the 7.3 release on this, given that it's not a regression. 

It is effectively an RFE. We'll address in a future release.
Comment 4 Mike Burns 2016-04-07 16:57:01 EDT
This bug did not make the OSP 8.0 release.  It is being deferred to OSP 10.
Comment 6 Sean Cohen 2016-07-22 09:03:58 EDT
*** Bug 1326925 has been marked as a duplicate of this bug. ***
Comment 7 Erno Kuvaja 2016-09-23 08:23:17 EDT
No progress so far.
Comment 8 seb 2016-11-03 08:53:38 EDT
We agreed on moving this one to 11.
We will commit on bringing this feature for 11.
Comment 10 Alan Bishop 2017-03-29 15:38:43 EDT
The current expectation is this issue will be resolved when OSP-12 switches from using puppet-ceph to ceph-ansible. ceph-ansible already manages ceph key distribution per the desired behavior in the bug description.

For this reason, the team has said there's little desire to invest resources in fixing this in puppet-ceph.
Comment 18 Yogev Rabl 2017-11-15 12:59:05 EST
verified, the admin keyring is set only on the controllers
Comment 21 errata-xmlrpc 2017-12-13 15:37:32 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.