
Merge pull request #272 from trhoden/wip_key_perms

Fix: keyring permissions were world readable
codenrhoden committed Mar 20, 2015
2 parents 764d6e3 + 3cdc6cb commit eee56770393bf19ed2dd5389226c6190c08dee3f
Showing with 52 additions and 46 deletions.
  1. +39 −36 ceph_deploy/gatherkeys.py
  2. +13 −10 ceph_deploy/new.py
@@ -30,51 +30,54 @@ def fetch_file(args, frompath, topath, _hosts):


def gatherkeys(args):
# client.admin
keyring = '/etc/ceph/{cluster}.client.admin.keyring'.format(
cluster=args.cluster)
r = fetch_file(
args=args,
frompath=keyring,
topath='{cluster}.client.admin.keyring'.format(
cluster=args.cluster),
_hosts=args.mon,
)
if not r:
raise exc.KeyNotFoundError(keyring, args.mon)

# mon.
keyring = '/var/lib/ceph/mon/{cluster}-{{hostname}}/keyring'.format(
cluster=args.cluster)
r = fetch_file(
args=args,
frompath=keyring,
topath='{cluster}.mon.keyring'.format(cluster=args.cluster),
_hosts=args.mon,
)
if not r:
raise exc.KeyNotFoundError(keyring, args.mon)
oldmask = os.umask(077)
try:
# client.admin
keyring = '/etc/ceph/{cluster}.client.admin.keyring'.format(
cluster=args.cluster)
r = fetch_file(
args=args,
frompath=keyring,
topath='{cluster}.client.admin.keyring'.format(
cluster=args.cluster),
_hosts=args.mon,
)
if not r:
raise exc.KeyNotFoundError(keyring, args.mon)

# bootstrap
for what in ['osd', 'mds', 'rgw']:
keyring = '/var/lib/ceph/bootstrap-{what}/{cluster}.keyring'.format(
what=what,
# mon.
keyring = '/var/lib/ceph/mon/{cluster}-{{hostname}}/keyring'.format(
cluster=args.cluster)
r = fetch_file(
args=args,
frompath=keyring,
topath='{cluster}.bootstrap-{what}.keyring'.format(
cluster=args.cluster,
what=what),
topath='{cluster}.mon.keyring'.format(cluster=args.cluster),
_hosts=args.mon,
)
if not r:
if what in ['osd', 'mds']:
raise exc.KeyNotFoundError(keyring, args.mon)
else:
LOG.warning(("No RGW bootstrap key found. Will not be able to "
"deploy RGW daemons"))
raise exc.KeyNotFoundError(keyring, args.mon)

# bootstrap
for what in ['osd', 'mds', 'rgw']:
keyring = '/var/lib/ceph/bootstrap-{what}/{cluster}.keyring'.format(
what=what,
cluster=args.cluster)
r = fetch_file(
args=args,
frompath=keyring,
topath='{cluster}.bootstrap-{what}.keyring'.format(
cluster=args.cluster,
what=what),
_hosts=args.mon,
)
if not r:
if what in ['osd', 'mds']:
raise exc.KeyNotFoundError(keyring, args.mon)
else:
LOG.warning(("No RGW bootstrap key found. Will not be able to "
"deploy RGW daemons"))
finally:
os.umask(oldmask)

@priority(40)
def make(parser):
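Review bot: The `os.umask(077)` wrapper around the body of `gatherkeys` only affects files that are newly created during the call; a keyring already sitting in the working directory from an earlier run keeps its previous, possibly world-readable mode when it is overwritten. `fetch_file` is defined outside this hunk, so how it opens `topath` is not visible here, but if it uses a plain `open(topath, 'w')` I would follow each successful fetch with an explicit `os.chmod(topath, 0o600)`. The mask literal is also better spelled `0o077`, which Python 2.6+ and Python 3 both accept.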
@@ -211,18 +211,21 @@ def new_mon_keyring(args):
keypath = '{name}.mon.keyring'.format(
name=args.cluster,
)

oldmask = os.umask(077)
LOG.debug('Writing monitor keyring to %s...', keypath)
tmp = '%s.tmp' % keypath
with file(tmp, 'w') as f:
f.write(mon_keyring)
try:
os.rename(tmp, keypath)
except OSError as e:
if e.errno == errno.EEXIST:
raise exc.ClusterExistsError(keypath)
else:
raise
tmp = '%s.tmp' % keypath
with open(tmp, 'w', 0600) as f:
f.write(mon_keyring)
try:
os.rename(tmp, keypath)
except OSError as e:
if e.errno == errno.EEXIST:
raise exc.ClusterExistsError(keypath)
else:
raise
finally:
os.umask(oldmask)


@priority(10)
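Review bot: In `with open(tmp, 'w', 0600) as f:` the third positional argument of the builtin `open` is the buffer size, not a permission mode, so `0600` does not set the file mode and the monitor keyring is protected only by the surrounding umask. A leftover `.tmp` file from an interrupted run would also keep whatever mode it already had, since umask applies only at creation. Setting the mode explicitly makes the intent real: `fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)`, then `os.fchmod(fd, 0o600)`, then `with os.fdopen(fd, 'w') as f:`. `new_mon_keyring` starts above this hunk, so the rest of the function is not visible here.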
