Bug 1280478 - OSPd over deploying cephx keys
Summary: OSPd over deploying cephx keys
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 7.0 (Kilo)
Hardware: Unspecified
OS: Unspecified
Target Milestone: Upstream M2
: 12.0 (Pike)
Assignee: Yogev Rabl
QA Contact: Yogev Rabl
: 1326925 (view as bug list)
Depends On:
TreeView+ depends on / blocked
Reported: 2015-11-11 20:16 UTC by Keith Schincke
Modified: 2018-02-05 19:02 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2017-12-13 20:37:32 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
OpenStack gerrit 358609 0 None ABANDONED Don't spread admin keys to ceph-clients 2020-05-11 06:59:01 UTC
Red Hat Product Errata RHEA-2017:3462 0 normal SHIPPED_LIVE Red Hat OpenStack Platform 12.0 Enhancement Advisory 2018-02-16 01:43:25 UTC

Description Keith Schincke 2015-11-11 20:16:36 UTC
Description of problem:
When OSPd is configuring the overcloud, all possible cephx authentication keys are deployed to all hosts. 
   The OSP controller has the OSD bootstrap key
   The OSP Ceph OSD server has the Ceph admin key 

Version-Release number of selected component (if applicable):
OSPd puddle from Oct 21 

How reproducible:

Steps to Reproduce:
1. Configure overcloud
2. Deploy Overcloud
3. ls /etc/ceph/*keyring

Actual results:
Each node contains ceph.client.admin.keyring, ceph.client.openstack.keyring

Expected results:
Each node contains only the keyrings needed for functionality. 

Additional info:

Comment 2 Giulio Fidente 2016-02-10 16:26:50 UTC
to scope this a little more, the admin and the bootstrap keyrings are only readable by the root account on the overcloud nodes

we should still avoid the deployment of them on all nodes and distribute the keyrings as needed for the various functionalities

Comment 3 Angus Thomas 2016-02-10 17:35:05 UTC
We can't block the 7.3 release on this, given that it's not a regression. 

It is effectively an RFE. We'll address in a future release.

Comment 4 Mike Burns 2016-04-07 20:57:01 UTC
This bug did not make the OSP 8.0 release.  It is being deferred to OSP 10.

Comment 6 Sean Cohen 2016-07-22 13:03:58 UTC
*** Bug 1326925 has been marked as a duplicate of this bug. ***

Comment 7 Erno Kuvaja 2016-09-23 12:23:17 UTC
No progress so far.

Comment 8 seb 2016-11-03 12:53:38 UTC
We agreed on moving this one to 11.
We will commit on bringing this feature for 11.

Comment 10 Alan Bishop 2017-03-29 19:38:43 UTC
The current expectation is this issue will be resolved when OSP-12 switches from using puppet-ceph to ceph-ansible. ceph-ansible already manages ceph key distribution per the desired behavior in the bug description.

For this reason, the team has said there's little desire to invest resources in fixing this in puppet-ceph.

Comment 18 Yogev Rabl 2017-11-15 17:59:05 UTC
verified, the admin keyring is set only on the controllers

Comment 21 errata-xmlrpc 2017-12-13 20:37:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.