ceph backup access restrictions
Change-Id: Ib13c1b318de432351b8f76d560a03f4020e68ddc
diff --git a/ceph/backup.sls b/ceph/backup.sls
index 83faf48..44c18a6 100644
--- a/ceph/backup.sls
+++ b/ceph/backup.sls
@@ -87,10 +87,27 @@
{%- if key.get('enabled', False) %}
+{%- set clients = [] %}
+{%- for node_name, node_grains in salt['mine.get']('*', 'grains.items').iteritems() %}
+{%- if node_grains.get('ceph_backup', {}).get('client') %}
+{%- set client = node_grains.get('ceph_backup').get('client') %}
+{%- if client.get('addresses') and client.get('addresses', []) is iterable %}
+{%- for address in client.addresses %}
+{%- do clients.append(address|string) %}
+{%- endfor %}
+{%- endif %}
+{%- endif %}
+{%- endfor %}
+
ceph_key_{{ key.key }}:
ssh_auth.present:
- user: ceph
- name: {{ key.key }}
+ - options:
+ - no-pty
+{%- if clients %}
+ - from="{{ clients|join(',') }}"
+{%- endif %}
- require:
- file: {{ backup.backup_dir }}/full
diff --git a/ceph/meta/salt.yml b/ceph/meta/salt.yml
index 1dc9a8c..35a9a7a 100644
--- a/ceph/meta/salt.yml
+++ b/ceph/meta/salt.yml
@@ -1,9 +1,31 @@
grain:
- {%- if pillar.get('ceph', {}).get('osd', {}).get('enabled', False) %}
+{%- set addresses = [] %}
+{%- if pillar.get('ceph', {}).get('backup', {}).get('client') %}
+
+{%- set ips = salt['grains.get']("fqdn_ip4")|list %}
+{%- if ips %}
+ {%- for ip in ips %}
+ {%- if not (ip|string).startswith('127.') %}
+ {%- do addresses.append(ip) %}
+ {%- endif %}
+ {%- endfor %}
+{%- endif %}
+{%- if addresses %}
+ ceph:
+ ceph_backup:
+ client:
+ addresses: {{ addresses|yaml }}
+{%- endif %}
+
+{%- endif %}
+
+{%- if pillar.get('ceph', {}).get('osd', {}).get('enabled', False) %}
{%- from "ceph/map.jinja" import osd with context %}
{%- if osd.crush_parent is defined %}
+ {%- if not addresses %}
ceph:
+ {%- endif %}
{%- set ceph_crush_parent = {'ceph_crush_parent': osd.crush_parent} %}
{{ ceph_crush_parent|yaml(False)|indent(4) }}
{%- endif %}
- {%- endif %}
\ No newline at end of file
+{%- endif %}