From 670d7a2495ca420c4dabf658c34d298b86f0d1a4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Han?=
Date: Fri, 23 Jun 2017 12:35:39 +0200
Subject: [PATCH] mon: rework openstack keys creation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We now allow a user to pass a key secret.

Fixes: https://github.com/ceph/ceph-ansible/issues/1617
Signed-off-by: Sébastien Han
---
 group_vars/mons.yml.sample | 13 +++++++----
 roles/ceph-mon/defaults/main.yml | 13 +++++++----
 roles/ceph-mon/tasks/openstack_config.yml | 27 +++++++++++++++++++----
 3 files changed, 41 insertions(+), 12 deletions(-)

diff --git a/group_vars/mons.yml.sample b/group_vars/mons.yml.sample
index f4750abc8..8244d650e 100644
--- a/group_vars/mons.yml.sample
+++ b/group_vars/mons.yml.sample
@@ -72,11 +72,16 @@ dummy:
 # - "{{ openstack_cinder_backup_pool }}"
 # - "{{ openstack_gnocchi_pool }}"
+
+# The value for 'key' can be a pre-generated key,
+# e.g key: "AQDC2UxZH4yeLhAAgTaZb+4wDUlYOsr1OfZSpQ=="
+# By default, keys will be auto-generated.
 #openstack_keys:
-# - { name: client.glance, value: "mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_glance_pool.name }}'" }
-# - { name: client.cinder, value: "mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_cinder_pool.name }}, allow rwx pool={{ openstack_nova_pool.name }}, allow rx pool={{ openstack_glance_pool.name }}'" }
-# - { name: client.cinder-backup, value: "mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_cinder_backup_pool.name }}'" }
-# - { name: client.gnocchi, value: "mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_gnocchi_pool.name }}'" }
+# - { name: client.glance, key: "$(ceph-authtool --gen-print-key)", mon_cap: "mon 'allow r'", osd_cap: "osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_glance_pool.name }}'" }
+# - { name: client.cinder, key: "$(ceph-authtool --gen-print-key)", mon_cap: "mon 'allow r'", osd_cap: "osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_cinder_pool.name }}, allow rwx pool={{ openstack_nova_pool.name }}, allow rx pool={{ openstack_glance_pool.name }}'" }
+# - { name: client.cinder-backup, key: "$(ceph-authtool --gen-print-key)", mon_cap: "mon 'allow r'", osd_cap: "osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_cinder_backup_pool.name }}'" }
+# - { name: client.gnocchi, key: "$(ceph-authtool --gen-print-key)", mon_cap: "mon 'allow r'", osd_cap: "osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_gnocchi_pool.name }}'" }
+# - { name: client.openstack, key: "$(ceph-authtool --gen-print-key)", mon_cap: "mon 'allow r'", osd_cap: "osd 'allow class-read object_prefix rbd_children, allow rwx pool=images, allow rwx pool=vms, allow rwx pool=volumes, allow rwx pool=backups'" }
 ##########
 # DOCKER #
diff --git a/roles/ceph-mon/defaults/main.yml b/roles/ceph-mon/defaults/main.yml
index f627383c8..629b8b924 100644
--- a/roles/ceph-mon/defaults/main.yml
+++ b/roles/ceph-mon/defaults/main.yml
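Review bot: The new `client.openstack` entry hard-codes `pool=images`, `pool=vms`, `pool=volumes` and `pool=backups`, while the four entries above derive their pool names from `openstack_*_pool.name`; the literal names presumably match those variables' defaults, but a deployment that renames a pool would get caps for pools that do not exist, so the entry should reference the same variables (e.g. `allow rwx pool={{ openstack_glance_pool.name }}`). The same entries are added in the roles/ceph-mon/defaults/main.yml hunk. The header comment invites users to paste a pre-generated key into this file, and a cephx key is a credential, so it should point at a vaulted vars file, e.g. `# A pre-generated key is a cephx secret: keep it in an ansible-vault encrypted vars file, not in plain group_vars.` Minor: `# e.g key:` should read `# e.g. key:`.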
@@ -64,11 +64,16 @@ openstack_pools:
   - "{{ openstack_cinder_backup_pool }}"
   - "{{ openstack_gnocchi_pool }}"
+
+# The value for 'key' can be a pre-generated key,
+# e.g key: "AQDC2UxZH4yeLhAAgTaZb+4wDUlYOsr1OfZSpQ=="
+# By default, keys will be auto-generated.
 openstack_keys:
-  - { name: client.glance, value: "mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_glance_pool.name }}'" }
-  - { name: client.cinder, value: "mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_cinder_pool.name }}, allow rwx pool={{ openstack_nova_pool.name }}, allow rx pool={{ openstack_glance_pool.name }}'" }
-  - { name: client.cinder-backup, value: "mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_cinder_backup_pool.name }}'" }
-  - { name: client.gnocchi, value: "mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_gnocchi_pool.name }}'" }
+  - { name: client.glance, key: "$(ceph-authtool --gen-print-key)", mon_cap: "mon 'allow r'", osd_cap: "osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_glance_pool.name }}'" }
+  - { name: client.cinder, key: "$(ceph-authtool --gen-print-key)", mon_cap: "mon 'allow r'", osd_cap: "osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_cinder_pool.name }}, allow rwx pool={{ openstack_nova_pool.name }}, allow rx pool={{ openstack_glance_pool.name }}'" }
+  - { name: client.cinder-backup, key: "$(ceph-authtool --gen-print-key)", mon_cap: "mon 'allow r'", osd_cap: "osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_cinder_backup_pool.name }}'" }
+  - { name: client.gnocchi, key: "$(ceph-authtool --gen-print-key)", mon_cap: "mon 'allow r'", osd_cap: "osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_gnocchi_pool.name }}'" }
+  - { name: client.openstack, key: "$(ceph-authtool --gen-print-key)", mon_cap: "mon 'allow r'", osd_cap: "osd 'allow class-read object_prefix rbd_children, allow rwx pool=images, allow rwx pool=vms, allow rwx pool=volumes, allow rwx pool=backups'" }
 ##########
 # DOCKER #
diff --git a/roles/ceph-mon/tasks/openstack_config.yml b/roles/ceph-mon/tasks/openstack_config.yml
index 5c45b9970..bfc1b446b 100644
--- a/roles/ceph-mon/tasks/openstack_config.yml
+++ b/roles/ceph-mon/tasks/openstack_config.yml
@@ -1,14 +1,33 @@
 ---
-- name: create openstack pool
+- name: create openstack pool(s)
   command: "{{ docker_exec_cmd }} ceph --cluster {{ cluster }} osd pool create {{ item.name }} {{ item.pg_num }}"
   with_items: "{{ openstack_pools | unique }}"
   changed_when: false
   failed_when: false
 
-- name: create openstack keys
-  command: "{{ docker_exec_cmd }} ceph --cluster {{ cluster }} auth get-or-create {{ item.name }} {{ item.value }} -o /etc/ceph/{{ cluster }}.{{ item.name }}.keyring"
+# NOTE: (leseb): I know this is not ideal since this only allows 2 caps.
+# A future version could use "--caps CAPSFILE"
+# which will set all of capabilities associated with a given key, for all subsystems
+- name: create openstack key(s)
+  shell: |
+    "{{ docker_exec_cmd }} ceph-authtool -C /etc/ceph/{{ cluster }}.{{ item.name }}.keyring --name {{ item.name }} --add-key {{ item.key }} --cap {{ item.mon_cap }} --cap {{ item.osd_cap }}"
   args:
-    creates: /etc/ceph/{{ cluster }}.{{ item.name }}.keyring
+    creates: "/etc/ceph/{{ cluster }}.{{ item.name }}.keyring"
   with_items: "{{ openstack_keys }}"
   changed_when: false
   when: cephx
+
+- name: check if openstack key(s) already exist(s)
+  command: "{{ docker_exec_cmd }} ceph --cluster {{ cluster }} auth get {{ item.name }}"
+  changed_when: false
+  failed_when: false
+  with_items: "{{ openstack_keys }}"
+  register: openstack_key_exist
+
+- name: add openstack key(s) to ceph
+  command: "{{ docker_exec_cmd }} ceph --cluster {{ cluster }} auth import -i {{ item.0.name }}.keyring"
+  changed_when: false
+  with_together:
+    - "{{ openstack_keys }}"
+    - "{{ openstack_key_exist.results }}"
+  when: item.1.rc != 0
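Review bot: The import path in "add openstack key(s) to ceph" does not match where the keyring was written: `ceph-authtool -C` creates `/etc/ceph/{{ cluster }}.{{ item.name }}.keyring`, but `auth import -i {{ item.0.name }}.keyring` names a relative, cluster-less file in the working directory, so the import will not find it; use `command: "{{ docker_exec_cmd }} ceph --cluster {{ cluster }} auth import -i /etc/ceph/{{ cluster }}.{{ item.0.name }}.keyring"`. In "create openstack key(s)" the `shell: |` body is a block scalar, so the double quotes wrapping the command are passed literally and the shell looks up the whole quoted string as a single command name; remove the quotes around that line. The cephx secret appears on that command line (`--add-key {{ item.key }}`), so it ends up in Ansible logs and verbose output and is visible in process listings on the host while the task runs, and `ceph auth get` echoes it into `openstack_key_exist.results`; `no_log: true` on both the create and check tasks would keep it out of playbook output. Note also that the default `key: "$(ceph-authtool --gen-print-key)"` is expanded by the shell on the host before `{{ docker_exec_cmd }}` runs, so containerized deployments presumably need ceph-authtool installed on the host — worth confirming.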