Bug 1326925 - Ceph admin key should not be hosted on non-admin nodes
Keywords:
Status: CLOSED DUPLICATE of bug 1280478
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: rhosp-director
Version: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 10.0 (Newton)
Assignee: Erno Kuvaja
QA Contact: Arik Chernetsky
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-04-13 18:52 UTC by Neil Levine
Modified: 2017-02-06 19:30 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-22 13:03:58 UTC
Target Upstream Version:
Embargoed:



Description Neil Levine 2016-04-13 18:52:17 UTC
In an attempt to improve the security model around Ceph deployments, we want to ensure that there are no client.admin.keys Ceph keys (the "superuser" key) on any nodes except the Ceph admin node. Currently, the client.admin.key is hosted on the Controller/MON host, having been (I believe) generated from OSP-D. 

Ideally, OSP-D would only create nova/cinder/glance (or image/volume) specific keys for the service controllers and only host the client.admin.key on the undercloud hosts or Ceph admin node.
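
An added example, not part of the original report and not OSP-D or Ceph code: a Python audit that parses Ceph keyring text and flags a `client.admin` entry found on a node that is not the admin node, which is the condition the description wants to eliminate. The sample keyring, the placeholder key values, the `volumes` pool name and the extra check for any `allow *` capability are assumptions made for illustration.

```python
import re

# Constructed sample keyring as it might appear on a controller node.
# Key values are placeholders, not real Ceph keys.
SAMPLE_KEYRING = """\
[client.admin]
\tkey = PLACEHOLDER-ADMIN-KEY==
\tcaps mon = "allow *"
\tcaps osd = "allow *"
[client.cinder]
\tkey = PLACEHOLDER-CINDER-KEY==
\tcaps mon = "allow r"
\tcaps osd = "allow rwx pool=volumes"
"""

SECTION = re.compile(r"^\[(?P<entity>[^\]]+)\]$")
CAP = re.compile(r'^caps\s+(?P<svc>\w+)\s*=\s*"?(?P<cap>[^"]*)"?$')


def parse_keyring(text):
    """Return {entity: {service: capability}} parsed from keyring text."""
    entities, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()  # keyring fields are tab-indented under the header
        m = SECTION.match(line)
        if m:
            current = entities.setdefault(m.group("entity"), {})
            continue
        m = CAP.match(line)
        if m and current is not None:
            current[m.group("svc")] = m.group("cap").strip()
    return entities


def audit_keyring(text, node_is_admin=False):
    """List findings; only the admin node may hold the superuser key."""
    if node_is_admin:
        return []
    findings = []
    for entity, caps in parse_keyring(text).items():
        if entity == "client.admin":
            findings.append(f"{entity}: superuser key present on non-admin node")
        elif any(cap == "allow *" for cap in caps.values()):  # added assumption
            findings.append(f"{entity}: unrestricted capability on non-admin node")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_keyring(SAMPLE_KEYRING)))
```
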

Comment 2 Jeff Brown 2016-07-13 19:27:50 UTC
Hi Erno,

Is this a bug you could fix?

Thanks,

Jeff

