1280478 – OSPd over deploying cephx keys

Bug 1280478 - OSPd over deploying cephx keys

Summary: OSPd over deploying cephx keys

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-tripleo-heat-templates
Sub Component:
Version:	7.0 (Kilo)
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	urgent
Target Milestone:	Upstream M2
Target Release:	12.0 (Pike)
Assignee:	Yogev Rabl
QA Contact:	Yogev Rabl
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1326925 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-11-11 20:16 UTC by Keith Schincke
Modified:	2018-02-05 19:02 UTC (History)
CC List:	11 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-12-13 20:37:32 UTC
Target Upstream Version:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
OpenStack gerrit	358609	0	None	ABANDONED	Don't spread admin keys to ceph-clients	2020-05-11 06:59:01 UTC
Red Hat Product Errata	RHEA-2017:3462	0	normal	SHIPPED_LIVE	Red Hat OpenStack Platform 12.0 Enhancement Advisory	2018-02-16 01:43:25 UTC

Description Keith Schincke 2015-11-11 20:16:36 UTC

Description of problem:
When OSPd is configuring the overcloud, all possible cephx authentication keys are deployed to all hosts. 
Example: 
   The OSP controller has the OSD bootstrap key
   The OSP Ceph OSD server has the Ceph admin key 



Version-Release number of selected component (if applicable):
OSPd puddle from Oct 21 

How reproducible:
100%

Steps to Reproduce:
1. Configure overcloud
2. Deploy Overcloud
3. ls /etc/ceph/*keyring

Actual results:
Each node contains ceph.client.admin.keyring, ceph.client.openstack.keyring

Expected results:
Each node contains only the keyrings needed for functionality. 


Additional info:

Comment 2 Giulio Fidente 2016-02-10 16:26:50 UTC

to scope this a little more, the admin and the bootstrap keyrings are only readable by the root account on the overcloud nodes

we should still avoid the deployment of them on all nodes and distribute the keyrings as needed for the various functionalities

Comment 3 Angus Thomas 2016-02-10 17:35:05 UTC

We can't block the 7.3 release on this, given that it's not a regression. 

It is effectively an RFE. We'll address in a future release.

Comment 4 Mike Burns 2016-04-07 20:57:01 UTC

This bug did not make the OSP 8.0 release.  It is being deferred to OSP 10.

Comment 6 Sean Cohen 2016-07-22 13:03:58 UTC

*** Bug 1326925 has been marked as a duplicate of this bug. ***

Comment 7 Erno Kuvaja 2016-09-23 12:23:17 UTC

No progress so far.

Comment 8 seb 2016-11-03 12:53:38 UTC

We agreed on moving this one to 11.
We will commit on bringing this feature for 11.

Comment 10 Alan Bishop 2017-03-29 19:38:43 UTC

The current expectation is this issue will be resolved when OSP-12 switches from using puppet-ceph to ceph-ansible. ceph-ansible already manages ceph key distribution per the desired behavior in the bug description.

For this reason, the team has said there's little desire to invest resources in fixing this in puppet-ceph.

Comment 18 Yogev Rabl 2017-11-15 17:59:05 UTC

verified, the admin keyring is set only on the controllers

Comment 21 errata-xmlrpc 2017-12-13 20:37:32 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3462

Note You need to log in before you can comment on or make changes to this bug.