Allow providing ceph with keys instead of pulling them out of mon nodes
Bug #1606977 reported by Michał Jastrzębski
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
openstack-ansible | Confirmed | Wishlist | Qin Wang | |
Bug Description
Currently OSA requires access to the ceph-mon node to pull out keys. This might be a security problem if corporate policy dictates that ceph nodes are off limits. OSA should have the ability to provide all the access details as part of configuration instead of forcing it to pull them on its own.
https:/
Changed in openstack-ansible:
assignee: nobody → Michał Jastrzębski (inc007)
Changed in openstack-ansible:
importance: Undecided → Wishlist
status: New → Confirmed
Changed in openstack-ansible:
assignee: Michał Jastrzębski (inc007) → Qin Wang (qwang)
Hello,
Thanks for your bug submission.
For your information, you can provide your own ceph configuration by filling the ceph_conf_file variable.
However I'm not really sure about what you mention as off-limits.
The ceph-client role is made in such a way that nodes (compute nodes for example) will connect to the ceph cluster to fetch what's needed for its good behavior: it's not the deploy node that will fetch these secrets.
According to my understanding, no security is breached or off-limits: the compute nodes HAVE TO have access to the mons anyway -- at least to have a well functioning system later.
Could you further explain?
Thank you in advance.