Red Hat Bugzilla – Bug 1280478
OSPd over deploying cephx keys
Last modified: 2017-12-13 15:37:32 EST
Description of problem:
When OSPd is configuring the overcloud, all possible cephx authentication keys are deployed to all hosts.
The OSP controller has the OSD bootstrap key
The OSP Ceph OSD server has the Ceph admin key
Version-Release number of selected component (if applicable):
OSPd puddle from Oct 21
Steps to Reproduce:
1. Configure overcloud
2. Deploy Overcloud
3. ls /etc/ceph/*keyring
Actual results:
Each node contains ceph.client.admin.keyring, ceph.client.openstack.keyring
Expected results:
Each node contains only the keyrings needed for functionality.
To scope this a little more, the admin and the bootstrap keyrings are only readable by the root account on the overcloud nodes.
We should still avoid the deployment of them on all nodes and distribute the keyrings as needed for the various functionalities.
We can't block the 7.3 release on this, given that it's not a regression.
It is effectively an RFE. We'll address in a future release.
This bug did not make the OSP 8.0 release. It is being deferred to OSP 10.
*** Bug 1326925 has been marked as a duplicate of this bug. ***
No progress so far.
We agreed on moving this one to 11.
We will commit to bringing this feature for 11.
The current expectation is this issue will be resolved when OSP-12 switches from using puppet-ceph to ceph-ansible. ceph-ansible already manages ceph key distribution per the desired behavior in the bug description.
For this reason, the team has said there's little desire to invest resources in fixing this in puppet-ceph.
Verified, the admin keyring is set only on the controllers.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
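A per-node check for the behaviour this report asks for, extending step 3 of the reproduction steps to compare the keyrings found against what the node's role needs and to flag any that are readable beyond the owner. This is an added example, not code from the bug report, OSPd or ceph-ansible; the role names and the per-role allowlist are assumptions to adjust for your deployment, and it relies on GNU `stat`.

```shell
#!/bin/sh
# Added example: audit which cephx keyrings are present on a node.
# Usage: audit_keyrings ROLE [DIR]   (DIR defaults to /etc/ceph)

# allowed_keyrings ROLE -> space-separated keyring names expected for that role.
# ASSUMPTION: role names and this mapping are illustrative, not taken from OSPd.
allowed_keyrings() {
    case "$1" in
        controller)   echo "ceph.client.admin.keyring ceph.client.openstack.keyring" ;;
        compute)      echo "ceph.client.openstack.keyring" ;;
        ceph-storage) echo "" ;;
        *)            return 1 ;;
    esac
}

# Prints one finding per line.
# Returns 0 when clean, 1 when there are findings, 2 for an unknown role.
audit_keyrings() {
    role=$1
    dir=${2:-/etc/ceph}
    allowed=$(allowed_keyrings "$role") || { echo "unknown role: $role" >&2; return 2; }
    status=0
    for path in "$dir"/*keyring; do
        [ -e "$path" ] || continue          # glob matched nothing
        name=${path##*/}
        # Keyring not needed by this role: the over-deployment described in the report.
        case " $allowed " in
            *" $name "*) ;;
            *) echo "UNEXPECTED $name"; status=1 ;;
        esac
        # Keyring readable by group or others (GNU stat prints the octal mode).
        mode=$(stat -c '%a' "$path")
        case "$mode" in
            [0-7]00|0) ;;
            *) echo "PERMISSIVE $name mode=$mode"; status=1 ;;
        esac
    done
    return $status
}
```

Run it on each overcloud node with that node's role, for example `audit_keyrings compute`; a non-zero exit status marks a node that holds keys it does not need or exposes them too widely.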