ceph
/
ceph-ansible
mirror of https://github.com/ceph/ceph-ansible.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

ceph_key: remove 'update' state 

With this change, the state `present` is enough to update a keyring.
If the keyring already exist, it will be updated if caps or secret
passed to the module are different.
If the keyring doen't exist, it will be created.

Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1808367

Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com>
(cherry picked from commit 553584cbd0)
pull/5267/head
Guillaume Abrioux 2020-03-17 15:34:11 +01:00 committed by Dimitri Savineau
parent edfeb98593
commit b107dcf80b
1 changed files with 44 additions and 64 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

108
library/ceph_key.py
View File

@ -57,12 +57,10 @@ options:
If 'absent' is used, the module will simply delete the keyring. If 'absent' is used, the module will simply delete the keyring.
If 'list' is used, the module will list all the keys and will If 'list' is used, the module will list all the keys and will
return a json output. return a json output.
If 'update' is used, the module will **only** update
the capabilities of a given keyring.
If 'info' is used, the module will return in a json format the If 'info' is used, the module will return in a json format the
description of a given keyring. description of a given keyring.
required: true required: true
choices: ['present', 'absent', 'list', 'update', 'info'] choices: ['present', 'absent', 'list', 'info']
default: list default: list
caps: caps:
description: description:
@ -154,12 +152,6 @@ caps:
caps: "{{ caps }}" caps: "{{ caps }}"
import_key: False import_key: False
- name: update cephx key
ceph_key:
name: "my_key"
state: update
caps: "{{ caps }}"
- name: delete cephx key - name: delete cephx key
ceph_key: ceph_key:
name: "my_key" name: "my_key"
@ -318,29 +310,7 @@ def create_key(module, result, cluster, name, secret, caps, import_key, auid, de
return cmd_list return cmd_list
def update_key(cluster, name, caps, containerized=None): def delete_key(cluster, name, container_image=None):
'''
Update a CephX key's capabilities
'''
cmd_list = []
args = [
'caps',
name,
]
args = generate_caps(args, "ceph", caps)
user = "client.admin"
user_key = os.path.join(
"/etc/ceph/" + cluster + ".client.admin.keyring")
cmd_list.append(generate_ceph_cmd(
cluster, args, user, user_key, containerized))
return cmd_list
def delete_key(cluster, name, containerized=None):
''' '''
Delete a CephX key Delete a CephX key
''' '''
@ -518,8 +488,10 @@ def run_module():
auid = module.params.get('auid') auid = module.params.get('auid')
dest = module.params.get('dest') dest = module.params.get('dest')
changed = False
result = dict( result = dict(
changed=False, changed=changed,
stdout='', stdout='',
stderr='', stderr='',
rc='', rc='',
@ -536,17 +508,33 @@ def run_module():
# Test if the key exists, if it does we skip its creation # Test if the key exists, if it does we skip its creation
# We only want to run this check when a key needs to be added # We only want to run this check when a key needs to be added
# There is no guarantee that any cluster is running and we don't need one # There is no guarantee that any cluster is running and we don't need one
if import_key: key_exist = 1
_secret = secret
_caps = caps
if (state in ["present", "update"] and import_key) or state == "info":
user = "client.admin" user = "client.admin"
user_key = os.path.join( user_key = os.path.join(
"/etc/ceph/" + cluster + ".client.admin.keyring") "/etc/ceph/" + cluster + ".client.admin.keyring")
output_format = "json" output_format = "json"
_info_key = []
rc, cmd, out, err = exec_commands( rc, cmd, out, err = exec_commands(
module, info_key(cluster, name, user, user_key, output_format, containerized)) # noqa E501 module, info_key(cluster, name, user, user_key, output_format, containerized)) # noqa E501
key_exist = rc
if key_exist == 0:
_info_key = json.loads(out)
_secret = _info_key[0]['key']
_caps = _info_key[0]['caps']
if import_key and secret == _secret and caps == _caps:
result["stdout"] = "{0} already exists and doesn't need to be updated.".format(name) # noqa E501
result["rc"] = 0
module.exit_json(**result)
if state == "present": # "update" is here only for backward compatibility
if not caps: if state in ["present", "update"]:
if not caps and import_key and rc != 0:
fatal("Capabilities must be provided when state is 'present'", module) # noqa E501 fatal("Capabilities must be provided when state is 'present'", module) # noqa E501
if import_key and key_exist != 0 and secret is None and caps is None:
fatal("Keyring doesn't exist, you must provide 'secret' and 'caps'", module) # noqa E501
# Build a different path for bootstrap keys as there are stored as # Build a different path for bootstrap keys as there are stored as
# /var/lib/ceph/bootstrap-rbd/ceph.keyring # /var/lib/ceph/bootstrap-rbd/ceph.keyring
@ -558,36 +546,28 @@ def run_module():
file_args['path'] = file_path file_args['path'] = file_path
# We allow 'present' to override any existing key # There's no need to run create_key() if neither secret nor caps have changed
# ONLY if a secret is provided if (key_exist == 0 and (secret != _secret or caps != _caps)) or key_exist != 0:
# if not we skip the creation rc, cmd, out, err = exec_commands(module, create_key(
if import_key: module, result, cluster, name, secret, caps, import_key, auid, file_path, containerized)) # noqa E501
if rc == 0 and not secret: if rc != 0:
# If the key exists in Ceph we must fetch it on the system result["stdout"] = "Couldn't create or update {0}".format(name)
# because nothing tells us it exists on the fs or not result["stderr"] = err
rc, cmd, out, err = exec_commands(module, get_key(cluster, name, file_path, containerized)) # noqa E501 module.exit_json(**result)
result["stdout"] = "skipped, since {0} already exists, we only fetched the key at {1}. If you want to update a key use 'state: update'".format( # noqa E501 changed = True
# fetch the key on the system
if key_exist != 1 and not import_key:
rc, cmd, out, err = exec_commands(module, get_key(cluster, name, file_path, containerized)) # noqa E501
result["rc"] = rc
if rc != 0:
result["stdout"] = "Couldn't fetch the key {0} at {1}.".format( # noqa E501
name, file_path) name, file_path)
result['rc'] = rc
module.set_fs_attributes_if_different(file_args, False)
module.exit_json(**result) module.exit_json(**result)
rc, cmd, out, err = exec_commands(module, create_key( result["stdout"] = "fetched the key {0} at {1}.".format( # noqa E501
module, result, cluster, name, secret, caps, import_key, auid, file_path, containerized)) # noqa E501 name, file_path)
module.set_fs_attributes_if_different(file_args, False) module.set_fs_attributes_if_different(file_args, False)
elif state == "update":
if not caps:
fatal("Capabilities must be provided when state is 'update'", module) # noqa E501
if rc != 0:
result["stdout"] = "skipped, since {0} does not exist".format(name)
result['rc'] = 0
module.exit_json(**result)
rc, cmd, out, err = exec_commands(
module, update_key(cluster, name, caps, containerized))
# After the update we don't need to overwrite the key on the filesystem
# since the secret has not changed
elif state == "absent": elif state == "absent":
rc, cmd, out, err = exec_commands( rc, cmd, out, err = exec_commands(
@ -669,7 +649,7 @@ def run_module():
else: else:
module.fail_json( module.fail_json(
msg='State must either be "present" or "absent" or "update" or "list" or "info" or "fetch_initial_keys".', changed=False, rc=1) # noqa E501 msg='State must either be "present" or "absent" or "list" or "info" or "fetch_initial_keys".', changed=False, rc=1) # noqa E501
endd = datetime.datetime.now() endd = datetime.datetime.now()
delta = endd - startd delta = endd - startd
@ -682,7 +662,7 @@ def run_module():
rc=rc, rc=rc,
stdout=out.rstrip("\r\n"), stdout=out.rstrip("\r\n"),
stderr=err.rstrip("\r\n"), stderr=err.rstrip("\r\n"),
changed=True, changed=changed,
) )
if rc != 0: if rc != 0: