client: don't try to generate keys

the entrypoint to generate users keyring is `ceph-authtool`, therefore,
it can expand the `$(ceph-authtool --gen-print-key)` inside the
container. Users must generate a keyring themselves.
This commit also adds a check to ensure keyring are properly filled when
`user_config: true`.

Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com>

group_vars/clients.yml.sample

@@ -21,7 +21,12 @@ dummy:
 # Can add `mds_cap` attribute to override the default value which is '' for mds capabilities.
 # To have have ansible setfacl the generated key for $user, set the acls var like so:
 # acls: ["u:$user:r--"]
+#
+# Generate a keyring using ceph-authtool CLI or python.
+# Eg:
+#  $ ceph-authtool --gen-print-key
+#  $ python2 -c "import os ; import struct ; import time; import base64 ; key = os.urandom(16) ; header = struct.pack('<hiih',1,int(time.time()),0,len(key)) ; print base64.b64encode(header + key)"
 #keys:
-#  - { name: client.test, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool=test", mode: "0600", acls: [] }
-#  - { name: client.test2, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool=test2", mode: "0600", acls: [] }
+#  - { name: client.test, key: "ADD-KEYRING-HERE==", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool=test", mode: "0600", acls: [] }
+#  - { name: client.test2, key: "ADD-KEYRING-HERE==", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool=test2", mode: "0600", acls: [] }
 

roles/ceph-client/defaults/main.yml

@@ -13,6 +13,11 @@ pools:
 # Can add `mds_cap` attribute to override the default value which is '' for mds capabilities.
 # To have have ansible setfacl the generated key for $user, set the acls var like so:
 # acls: ["u:$user:r--"]
+#
+# Generate a keyring using ceph-authtool CLI or python.
+# Eg:
+#  $ ceph-authtool --gen-print-key
+#  $ python2 -c "import os ; import struct ; import time; import base64 ; key = os.urandom(16) ; header = struct.pack('<hiih',1,int(time.time()),0,len(key)) ; print base64.b64encode(header + key)"
 keys:
-  - { name: client.test, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool=test", mode: "0600", acls: [] }
-  - { name: client.test2, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool=test2", mode: "0600", acls: [] }
+  - { name: client.test, key: "ADD-KEYRING-HERE==", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool=test", mode: "0600", acls: [] }
+  - { name: client.test2, key: "ADD-KEYRING-HERE==", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool=test2", mode: "0600", acls: [] }

roles/ceph-client/tasks/pre_requisite.yml

@@ -1,4 +1,12 @@
 ---
+- name: check keys has been filled in users.key variables
+  fail:
+    msg: "you must generate and set keys properly in users.key variables"
+  with_items: "{{ keys }}"
+  when:
+    - user_config
+    - item.key == 'ADD-KEYRING-HERE=='
+
 - name: set selinux permissions
   shell: |
     chcon -Rt svirt_sandbox_file_t {{ item }}

tests/functional/centos/7/cluster/group_vars/clients

@@ -1,2 +1,5 @@
 ---
 copy_admin_key: true
+keys:
+  - { name: client.test, key: "AQAin8tUoMPDGRAACcfAQHbq4eTuUoTCZdW1Uw==", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool=test", mode: "0600", acls: [] }
+  - { name: client.test2, key: "AQAin8tUAJkGGhAA8WZ8Lz5c7IkT8QZ5s7bI1A==", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool=test2", mode: "0600", acls: [] }