Comment 3 for bug 1065883

Revision history for this message
Josh Durgin (jdurgin) wrote :

You can actually specify the uuid for the secret when you add it to libvirt, so it can be the same on all compute hosts.

i.e.

<secret ephemeral='no' private='no'>
  <usage type='ceph'>
    <name>client.volumes secret</name>
  </usage>
  <uuid>a060c8a3-d905-45ec-84a6-0b5d7e25c5cb</uuid>
</secret>

Libvirt only generates a random uuid if you don't specify one. I'll update the Ceph docs to clarify this.

Your patch does make sense if you want to control more finely which rados users you're using on the compute nodes. It's easier than running multiple (cinder|nova)-volume processes, but the long term solution probably involves changing the volume driver to use different rados pools and users based on volume_type or some other configuration.

However, with the current rbd volume driver using only a single pool, I'm not sure how much finer-grained the compute node permissions could be compared to the volume service permissions. What do you have in mind?

BTW, sheepdog and nbd don't have auth support through libvirt, so you don't need to check specifically for rbd in your patch.
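The procedure the comment describes (a libvirt 'ceph' secret defined with a fixed UUID so every compute host ends up with the same identifier, then loaded with the Ceph key) as a worked shell example. This is an added example, not code from the bug report or from Ceph/libvirt; it assumes `virsh` and `ceph` are installed on the compute host, and reuses the UUID and the `client.volumes` user from the comment above as illustrative values.

```shell
#!/bin/sh
# Added example (not from the bug report): define a libvirt 'ceph' secret with a
# fixed UUID on a compute host and load the Ceph key into it. The UUID and the
# client.volumes user are the illustrative values from the comment above.

set -eu

# Emit libvirt secret XML for a given UUID, Ceph user and private flag.
# $1 = uuid, $2 = ceph user (e.g. client.volumes), $3 = private flag (yes|no)
make_secret_xml() {
  uuid=$1; user=$2; private=${3:-no}
  printf '%s\n' \
    "<secret ephemeral='no' private='${private}'>" \
    "  <usage type='ceph'>" \
    "    <name>${user} secret</name>" \
    "  </usage>" \
    "  <uuid>${uuid}</uuid>" \
    "</secret>"
}

# Return 0 if $1 looks like an RFC 4122 UUID (8-4-4-4-12 hex groups), else 1.
is_uuid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$'
}

# Define the secret in libvirt and set its value from the Ceph keyring.
# Re-running on a host that already has this UUID simply resets the value,
# so the same script can be applied to every compute node.
define_ceph_secret() {
  uuid=$1; user=$2
  is_uuid "$uuid" || { echo "refusing non-UUID secret id: $uuid" >&2; return 1; }
  xml=$(mktemp)
  make_secret_xml "$uuid" "$user" no > "$xml"
  virsh secret-define --file "$xml"
  rm -f "$xml"
  # 'ceph auth get-key' prints the base64 key for the named user.
  virsh secret-set-value --secret "$uuid" --base64 "$(ceph auth get-key "$user")"
  # Confirm the UUID nova will reference is the one we configured.
  virsh secret-list | grep -q "$uuid"
}

# Example invocation; only runs when both tools are present on this host.
if command -v virsh >/dev/null 2>&1 && command -v ceph >/dev/null 2>&1; then
  define_ceph_secret a060c8a3-d905-45ec-84a6-0b5d7e25c5cb client.volumes
fi
```

Two points worth keeping in mind when adapting this: the XML mirrors the comment's `private='no'`, which lets the key be read back with `virsh secret-get-value`; setting `private='yes'` makes libvirt refuse to reveal it to callers. Passing the key as a command-line argument also exposes it briefly in process listings and in shell history, so on hosts where that matters, read it from a file instead of substituting it inline.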