Use a different ceph key for admin/client user
authorDimitri Savineau <dsavinea@redhat.com>
Wed, 6 Apr 2016 14:48:12 +0000 (16:48 +0200)
committerDimitri Savineau <dsavinea@redhat.com>
Wed, 6 Apr 2016 15:18:55 +0000 (17:18 +0200)
By default only the admin user key is generated and this key is used
for both admin and openstack user.
Because the mode of the client's key file is 644, any user with a
valid shell on the controller/compute/ceph nodes can perform admin
operations on the ceph cluster.
This patch allows the random key generated by tripleoclient to be used
for the openstack user.

Change-Id: I771bbee81c0acfe593e92a99ad12d6f1f7f445ef
Closes-bug: #1566927
Depends-On: I404665c09084f0a6cd2d8872940ee90220dc5f69

puppet/ceph-cluster-config.yaml

index dc2f98e..d8d4f0a 100644 (file)
@@ -91,7 +91,7 @@ resources:
                         cap_mon: 'allow profile bootstrap-osd'
                       },
                       client.CLIENT_USER: {
-                        secret: 'ADMIN_KEY',
+                        secret: 'CLIENT_KEY',
                         mode: '0644',
                         cap_mon: 'allow r',
                         cap_osd: 'allow class-read object_prefix rbd_children, allow rwx pool=CINDER_POOL, allow rwx pool=NOVA_POOL, allow rwx pool=GLANCE_POOL'
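Review bot: The `mode: '0644'` context line under `client.CLIENT_USER` is left unchanged, so the new client key is still readable by every local account on the nodes where this keyring is written. That key carries `allow rwx` on the Cinder, Nova and Glance pools, so the exposure is narrowed from cluster admin to read/write on the OpenStack RBD pools rather than closed. If the consuming services can share a group, consider a tighter setting such as `mode: '0640'` with matching ownership; whether the key resource accepts owner or group settings is not visible here. The enclosing key mapping starts and ends outside the hunk.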
@@ -99,6 +99,7 @@ resources:
                     }"
                     params:
                       CLIENT_USER: {get_param: CephClientUserName}
+                      CLIENT_KEY: {get_param: ceph_client_key}
                       ADMIN_KEY: {get_param: ceph_admin_key}
                       NOVA_POOL: {get_param: NovaRbdPoolName}
                       CINDER_POOL: {get_param: CinderRbdPoolName}
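Review bot: `ceph_client_key` is read with `get_param` on the added `CLIENT_KEY` line, but no hunk on this page declares it in the template's `parameters:` section, so confirm it is already declared there. Because it carries key material, the declaration should set `hidden: true` so Heat masks the value when the stack's parameters are displayed. It should also have no static default, otherwise every deployment that omits the parameter would share the same client secret. The `params:` mapping continues outside the hunk.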