Add ceph_keyring_permissions variable to control permissions for

keyring files in /etc/ceph. Default value is the same as it was (0600),
but this variable allows user to override it (f.e. set it to 0640).

Signed-off-by: George Shuklin <george.shuklin@gmail.com>

diff --git a/group_vars/all.yml.sample b/group_vars/all.yml.sample
index 77b119e9bdd5524c1e9602dd20a6fd85f23338ed..6e65f0d853df4c2183f1eba52b466b995e234c1c 100644 (file)
--- a/group_vars/all.yml.sample
+++ b/group_vars/all.yml.sample
@@ -298,6 +298,9 @@ dummy:
 
 #ceph_conf_key_directory: /etc/ceph
 
+# Permissions for keyring files in /etc/ceph
+#ceph_keyring_permissions: '0600'
+
 #cephx: true
 
 ## Client options

diff --git a/group_vars/clients.yml.sample b/group_vars/clients.yml.sample
index 1f5b886110270d4178101892750bf0c96317c4e9..01d54404d352b61a21146fa13b59e8367ab29274 100644 (file)
--- a/group_vars/clients.yml.sample
+++ b/group_vars/clients.yml.sample
@@ -46,8 +46,8 @@ dummy:
 #
 # To use a particular secret, you have to add 'key' to the dict below, so something like:
 # - { name: client.test, key: "AQAin8tUMICVFBAALRHNrV0Z4MXupRw4v9JQ6Q==" ...
-#
+
 #keys:
-#  - { name: client.test, caps: { mon: "allow r", osd: "allow class-read object_prefix rbd_children, allow rwx pool=test" },  mode: "0600" }
-#  - { name: client.test2, caps: { mon: "allow r", osd: "allow class-read object_prefix rbd_children, allow rwx pool=test2" },  mode: "0600" }
+#  - { name: client.test, caps: { mon: "allow r", osd: "allow class-read object_prefix rbd_children, allow rwx pool=test" },  mode: "{{ ceph_keyring_permissions }}" }
+#  - { name: client.test2, caps: { mon: "allow r", osd: "allow class-read object_prefix rbd_children, allow rwx pool=test2" },  mode: "{{ ceph_keyring_permissions }}" }
 

diff --git a/group_vars/rhcs.yml.sample b/group_vars/rhcs.yml.sample
index faa8b3272a428769ae318f5080bc6044c3a3bde4..1d51fb4bd2045778e3ae9011f0c05797bbd53e40 100644 (file)
--- a/group_vars/rhcs.yml.sample
+++ b/group_vars/rhcs.yml.sample
@@ -298,6 +298,9 @@ ceph_repository: rhcs
 
 #ceph_conf_key_directory: /etc/ceph
 
+# Permissions for keyring files in /etc/ceph
+#ceph_keyring_permissions: '0600'
+
 #cephx: true
 
 ## Client options

diff --git a/roles/ceph-client/defaults/main.yml b/roles/ceph-client/defaults/main.yml
index bf5bed58e5c26c84b5a0d9e8f773e3d5a268293b..ec477f2991507deb6a87402349dfc865673c544c 100644 (file)
--- a/roles/ceph-client/defaults/main.yml
+++ b/roles/ceph-client/defaults/main.yml
@@ -38,7 +38,7 @@ pools:
 #
 # To use a particular secret, you have to add 'key' to the dict below, so something like:
 # - { name: client.test, key: "AQAin8tUMICVFBAALRHNrV0Z4MXupRw4v9JQ6Q==" ...
-#
+
 keys:
-  - { name: client.test, caps: { mon: "allow r", osd: "allow class-read object_prefix rbd_children, allow rwx pool=test" },  mode: "0600" }
-  - { name: client.test2, caps: { mon: "allow r", osd: "allow class-read object_prefix rbd_children, allow rwx pool=test2" },  mode: "0600" }
+  - { name: client.test, caps: { mon: "allow r", osd: "allow class-read object_prefix rbd_children, allow rwx pool=test" },  mode: "{{ ceph_keyring_permissions }}" }
+  - { name: client.test2, caps: { mon: "allow r", osd: "allow class-read object_prefix rbd_children, allow rwx pool=test2" },  mode: "{{ ceph_keyring_permissions }}" }

diff --git a/roles/ceph-client/tasks/pre_requisite.yml b/roles/ceph-client/tasks/pre_requisite.yml
index 3a426893a3a10266ac9ae25954840bad0a32a461..d5f7ae7fc0658aaa014e8e0ca2598030d2689cc1 100644 (file)
--- a/roles/ceph-client/tasks/pre_requisite.yml
+++ b/roles/ceph-client/tasks/pre_requisite.yml
@@ -5,7 +5,7 @@
     dest: "/etc/ceph/"
     owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
     group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
-    mode: "0600"
+    mode: "{{ ceph_keyring_permissions }}"
   when:
     - cephx
-    - copy_admin_key
\ No newline at end of file
+    - copy_admin_key

diff --git a/roles/ceph-defaults/defaults/main.yml b/roles/ceph-defaults/defaults/main.yml
index 3dee5c9a5626d16f99cbe58208f24299b1d4431c..906c5d4dbeb42d6c740c7d0d68371bf8ed95efb9 100644 (file)
--- a/roles/ceph-defaults/defaults/main.yml
+++ b/roles/ceph-defaults/defaults/main.yml
@@ -290,6 +290,9 @@ generate_fsid: true
 
 ceph_conf_key_directory: /etc/ceph
 
+# Permissions for keyring files in /etc/ceph
+ceph_keyring_permissions: '0600'
+
 cephx: true
 
 ## Client options

diff --git a/roles/ceph-fetch-keys/tasks/main.yml b/roles/ceph-fetch-keys/tasks/main.yml
index 3161e81e374628db25bcede4bdf5d8140576ff06..4990deb389f9568f1b2a21a961068d062af589d4 100644 (file)
--- a/roles/ceph-fetch-keys/tasks/main.yml
+++ b/roles/ceph-fetch-keys/tasks/main.yml
@@ -8,7 +8,7 @@
 - name: set keys permissions
   file:
     path: "{{ item }}"
-    mode: 0600
+    mode: "{{ ceph_keyring_permissions }}"
     owner: root
     group: root
   with_items:

diff --git a/roles/ceph-iscsi-gw/tasks/common.yml b/roles/ceph-iscsi-gw/tasks/common.yml
index fd74bedd71afcb7977c1c5941bb709ff8c3c5b19..8e9383c9db249a3b6d54ba599619e9e44825c6ca 100644 (file)
--- a/roles/ceph-iscsi-gw/tasks/common.yml
+++ b/roles/ceph-iscsi-gw/tasks/common.yml
@@ -11,7 +11,7 @@
     dest: "/etc/ceph/{{ cluster }}.client.admin.keyring"
     owner: "root"
     group: "root"
-    mode: "0600"
+    mode: "{{ ceph_keyring_permissions }}"
   when:
     - cephx
 

diff --git a/roles/ceph-mds/tasks/common.yml b/roles/ceph-mds/tasks/common.yml
index c8dffc4368810706604c40806c17b115acc36c12..b99b0610faa7a3a61ee5d559904b2dbcf9ad84db 100644 (file)
--- a/roles/ceph-mds/tasks/common.yml
+++ b/roles/ceph-mds/tasks/common.yml
@@ -16,10 +16,10 @@
     dest: "{{ item.name }}"
     owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
     group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
-    mode: "0600"
+    mode: "{{ ceph_keyring_permissions }}"
   with_items:
     - { name: "/var/lib/ceph/bootstrap-mds/{{ cluster }}.keyring", copy_key: true }
     - { name: "/etc/ceph/{{ cluster }}.client.admin.keyring", copy_key: "{{ copy_admin_key }}" }
   when:
     - cephx
-    - item.copy_key|bool
\ No newline at end of file
+    - item.copy_key|bool

diff --git a/roles/ceph-mgr/tasks/common.yml b/roles/ceph-mgr/tasks/common.yml
index 61d79d4f623d1604dcda3775cd7181e6c1347cc0..5f0945da276ae7a171fd732b00af2c30e9596f19 100644 (file)
--- a/roles/ceph-mgr/tasks/common.yml
+++ b/roles/ceph-mgr/tasks/common.yml
@@ -13,7 +13,7 @@
     dest: "{{ item.dest }}"
     owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
     group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
-    mode: "0600"
+    mode: "{{ ceph_keyring_permissions }}"
   with_items:
     - { name: "/etc/ceph/{{ cluster }}.mgr.{{ ansible_hostname }}.keyring", dest: "/var/lib/ceph/mgr/{{ cluster }}-{{ ansible_hostname }}/keyring", copy_key: true }
     - { name: "/etc/ceph/{{ cluster }}.client.admin.keyring", dest: "/etc/ceph/{{ cluster }}.client.admin.keyring", copy_key: "{{ copy_admin_key }}" }
@@ -26,6 +26,6 @@
     path: /var/lib/ceph/mgr/{{ cluster }}-{{ ansible_hostname }}/keyring
     owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
     group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
-    mode: "0600"
+    mode: "{{ ceph_keyring_permissions }}"
   when:
-    - cephx
\ No newline at end of file
+    - cephx

diff --git a/roles/ceph-mon/tasks/ceph_keys.yml b/roles/ceph-mon/tasks/ceph_keys.yml
index 145fcadacb3600c83bcd2e87131cb79bcc8a6ed9..ca22db723190fdec6739aac65f177bf867da5dbc 100644 (file)
--- a/roles/ceph-mon/tasks/ceph_keys.yml
+++ b/roles/ceph-mon/tasks/ceph_keys.yml
@@ -98,7 +98,7 @@
     path: "{{ item }}"
     owner: "ceph"
     group: "ceph"
-    mode: "0600"
+    mode: "{{ ceph_keyring_permissions }}"
   with_items:
     - "{{ ceph_keys.get('stdout_lines') | default([]) }}"
   when:

diff --git a/roles/ceph-mon/tasks/deploy_monitors.yml b/roles/ceph-mon/tasks/deploy_monitors.yml
index bc758c014dd3ca8dead6e814a45cb1a804a97c1e..e3de5a6fed57c3968826d0c5312250d591523dfa 100644 (file)
--- a/roles/ceph-mon/tasks/deploy_monitors.yml
+++ b/roles/ceph-mon/tasks/deploy_monitors.yml
@@ -91,7 +91,7 @@
     state: file
     owner: 'ceph'
     group: 'ceph'
-    mode: '0600'
+    mode: "{{ ceph_keyring_permissions }}"
   when:
     - cephx
     - admin_secret != 'admin_secret'

diff --git a/roles/ceph-nfs/tasks/common.yml b/roles/ceph-nfs/tasks/common.yml
index 203a11febd5dbbe60991429184946886c05df841..c086f8a987c901a6435d1c7d73c128804cc83621 100644 (file)
--- a/roles/ceph-nfs/tasks/common.yml
+++ b/roles/ceph-nfs/tasks/common.yml
@@ -5,10 +5,10 @@
     dest: "{{ item.name }}"
     owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
     group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
-    mode: "0600"
+    mode: "{{ ceph_keyring_permissions }}"
   with_items:
     - { name: "/var/lib/ceph/bootstrap-rgw/{{ cluster }}.keyring", copy_key: true }
     - { name: "/etc/ceph/{{ cluster }}.client.admin.keyring", copy_key: "{{ copy_admin_key }}" }
   when:
     - cephx
-    - item.copy_key|bool
\ No newline at end of file
+    - item.copy_key|bool

diff --git a/roles/ceph-osd/tasks/common.yml b/roles/ceph-osd/tasks/common.yml
index d85bc537290d9bb59cb78a2fa95908ff79bed926..daf1f4819a465153934983c88743363dbeb1b186 100644 (file)
--- a/roles/ceph-osd/tasks/common.yml
+++ b/roles/ceph-osd/tasks/common.yml
@@ -18,7 +18,7 @@
     dest: "{{ item.name }}"
     owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
     group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
-    mode: "0600"
+    mode: "{{ ceph_keyring_permissions }}"
   with_items:
     - { name: "/var/lib/ceph/bootstrap-osd/{{ cluster }}.keyring", copy_key: true }
     - { name: "/etc/ceph/{{ cluster }}.client.admin.keyring", copy_key: "{{ copy_admin_key }}" }

diff --git a/roles/ceph-rbd-mirror/tasks/common.yml b/roles/ceph-rbd-mirror/tasks/common.yml
index 125a20e0394f1e569f60e1135b71e48dc3369f17..fa191230242722a0c044f977f977d77e864a5187 100644 (file)
--- a/roles/ceph-rbd-mirror/tasks/common.yml
+++ b/roles/ceph-rbd-mirror/tasks/common.yml
@@ -11,7 +11,7 @@
     dest: "/etc/ceph/"
     owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
     group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
-    mode: "0600"
+    mode: "{{ ceph_keyring_permissions }}"
   when:
     - cephx
     - copy_admin_key
@@ -22,7 +22,7 @@
     dest: "/var/lib/ceph/bootstrap-rbd/{{ cluster }}.keyring"
     owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
     group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
-    mode: "0600"
+    mode: "{{ ceph_keyring_permissions }}"
   when:
     - cephx
-    - ceph_release_num[ceph_release] >= ceph_release_num.luminous
\ No newline at end of file
+    - ceph_release_num[ceph_release] >= ceph_release_num.luminous

diff --git a/roles/ceph-rbd-mirror/tasks/pre_requisite.yml b/roles/ceph-rbd-mirror/tasks/pre_requisite.yml
index 3fe740d3cfda2f22fe7d6a38ba391e142bb7d505..b7f659d4047f1385c97f9dfe444f08cdfa77fcc7 100644 (file)
--- a/roles/ceph-rbd-mirror/tasks/pre_requisite.yml
+++ b/roles/ceph-rbd-mirror/tasks/pre_requisite.yml
@@ -22,7 +22,7 @@
     path: /etc/ceph/{{ cluster }}.client.rbd-mirror.{{ ansible_hostname }}.keyring
     owner: "ceph"
     group: "ceph"
-    mode: "0600"
+    mode: "{{ ceph_keyring_permissions }}"
   when:
     - cephx
     - ceph_release_num[ceph_release] >= ceph_release_num.luminous

diff --git a/roles/ceph-rgw/tasks/common.yml b/roles/ceph-rgw/tasks/common.yml
index 661ce69c9e7f370d9f8fedab012d325f98730517..8bb820e7764f5c362432f9dab5f4e5021bcefca1 100644 (file)
--- a/roles/ceph-rgw/tasks/common.yml
+++ b/roles/ceph-rgw/tasks/common.yml
@@ -18,10 +18,10 @@
     dest: "{{ item.name }}"
     owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
     group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
-    mode: "0600"
+    mode: "{{ ceph_keyring_permissions }}"
   with_items:
     - { name: "/var/lib/ceph/bootstrap-rgw/{{ cluster }}.keyring", copy_key: true }
     - { name: "/etc/ceph/{{ cluster }}.client.admin.keyring", copy_key: "{{ copy_admin_key }}" }
   when:
     - cephx
-    - item.copy_key|bool
\ No newline at end of file
+    - item.copy_key|bool