dashboard: allow to set read-only admin user

This commit allows one to set the role for the admin user as read-only.
This can be controlled via the dashboard_admin_user_ro variable but the
default value is false for backward compatibility.

Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1810176
Signed-off-by: Dimitri Savineau <dsavinea@redhat.com>

diff --git a/group_vars/all.yml.sample b/group_vars/all.yml.sample
index b0bb29d247f3e3f117eabf2af5d0c6c1d41ff34f..3b31f8f356072be71af0999ff928e005ae76614d 100644 (file)
--- a/group_vars/all.yml.sample
+++ b/group_vars/all.yml.sample
@@ -754,6 +754,7 @@ dummy:
 #dashboard_protocol: http
 #dashboard_port: 8443
 #dashboard_admin_user: admin
+#dashboard_admin_user_ro: false
 # This variable must be set with a strong custom password when dashboard_enabled is True
 #dashboard_admin_password: p@ssw0rd
 # We only need this for SSL (https) connections

diff --git a/group_vars/rhcs.yml.sample b/group_vars/rhcs.yml.sample
index ca165af3cef2eef4f5578132635a5decaa4387b1..092e93628138664e4b29351115c32a647cb30409 100644 (file)
--- a/group_vars/rhcs.yml.sample
+++ b/group_vars/rhcs.yml.sample
@@ -754,6 +754,7 @@ ceph_docker_registry_auth: true
 #dashboard_protocol: http
 #dashboard_port: 8443
 #dashboard_admin_user: admin
+#dashboard_admin_user_ro: false
 # This variable must be set with a strong custom password when dashboard_enabled is True
 #dashboard_admin_password: p@ssw0rd
 # We only need this for SSL (https) connections

diff --git a/roles/ceph-dashboard/tasks/configure_dashboard.yml b/roles/ceph-dashboard/tasks/configure_dashboard.yml
index b579a7bf1b98fcc67111c7f9f9ff7187afcf20a8..eff7abd8c4a1127a57e10c8b392242e641ebbe7b 100644 (file)
--- a/roles/ceph-dashboard/tasks/configure_dashboard.yml
+++ b/roles/ceph-dashboard/tasks/configure_dashboard.yml
@@ -84,7 +84,7 @@
     if {{ container_exec_cmd }} ceph --cluster {{ cluster }} dashboard ac-user-show {{ dashboard_admin_user | quote }}; then
       {{ container_exec_cmd }} ceph --cluster {{ cluster }} dashboard ac-user-set-password {{ dashboard_admin_user | quote }} {{ dashboard_admin_password | quote }}
     else
-      {{ container_exec_cmd }} ceph --cluster {{ cluster }} dashboard ac-user-create {{ dashboard_admin_user | quote }} {{ dashboard_admin_password | quote }} administrator
+      {{ container_exec_cmd }} ceph --cluster {{ cluster }} dashboard ac-user-create {{ dashboard_admin_user | quote }} {{ dashboard_admin_password | quote }} {{ 'read-only' if dashboard_admin_user_ro | bool else 'administrator' }}
     fi
   retries: 6
   delay: 5

diff --git a/roles/ceph-defaults/defaults/main.yml b/roles/ceph-defaults/defaults/main.yml
index 0d9cb3c5a52d291b84935e5e2a074398ba6f240e..7e98826d95b2496fea39ed9e923d87790ecb659f 100644 (file)
--- a/roles/ceph-defaults/defaults/main.yml
+++ b/roles/ceph-defaults/defaults/main.yml
@@ -746,6 +746,7 @@ dashboard_enabled: True
 dashboard_protocol: http
 dashboard_port: 8443
 dashboard_admin_user: admin
+dashboard_admin_user_ro: false
 # This variable must be set with a strong custom password when dashboard_enabled is True
 #dashboard_admin_password: p@ssw0rd
 # We only need this for SSL (https) connections

diff --git a/tests/functional/collocation/container/group_vars/all b/tests/functional/collocation/container/group_vars/all
index 210071290ebb59420f70da7217b3981a92a5111b..cc7c6abd35bcffe011f79bfee59b951f829a55eb 100644 (file)
--- a/tests/functional/collocation/container/group_vars/all
+++ b/tests/functional/collocation/container/group_vars/all
@@ -22,4 +22,5 @@ ceph_conf_overrides:
 handler_health_mon_check_delay: 10
 handler_health_osd_check_delay: 10
 dashboard_admin_password: $sX!cD$rYU6qR^B!
+dashboard_admin_user_ro: true
 grafana_admin_password: +xFRe+RES@7vg24n
\ No newline at end of file

diff --git a/tests/functional/collocation/group_vars/all b/tests/functional/collocation/group_vars/all
index e940b331a7b75acbba8db3bde3ddc7982734721b..e7fa594ed949285719158075e47a50426ba89814 100644 (file)
--- a/tests/functional/collocation/group_vars/all
+++ b/tests/functional/collocation/group_vars/all
@@ -19,4 +19,5 @@ ceph_conf_overrides:
 handler_health_mon_check_delay: 10
 handler_health_osd_check_delay: 10
 dashboard_admin_password: $sX!cD$rYU6qR^B!
+dashboard_admin_user_ro: true
 grafana_admin_password: +xFRe+RES@7vg24n
\ No newline at end of file