mirror of https://github.com/ceph/ceph-ansible.git
Client: keep consistency between `openstack_key` and `keys`
To keep consistency between `{{ openstack_keys }}` and `{{ keys }}` respectively in `ceph-mon` and `ceph-client` roles. This commit also add the possibility to set mds caps. Fixes: #1680 Co-Authored-by: John Fulton <johfulto@redhat.com> Co-Authored-by: Giulio Fidente <gfidente@redhat.com> Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com>pull/1677/head
parent
a98b723a6a
commit
d0311c6aa3
|
@ -10,6 +10,7 @@ pools:
|
||||||
- { name: test, pgs: "{{ ceph_conf_overrides.global.osd_pool_default_pg_num }}" }
|
- { name: test, pgs: "{{ ceph_conf_overrides.global.osd_pool_default_pg_num }}" }
|
||||||
- { name: test2, pgs: "{{ ceph_conf_overrides.global.osd_pool_default_pg_num }}" }
|
- { name: test2, pgs: "{{ ceph_conf_overrides.global.osd_pool_default_pg_num }}" }
|
||||||
|
|
||||||
|
# Can add `mds_cap` attribute to override the default value which is '' for mds capabilities.
|
||||||
keys:
|
keys:
|
||||||
- { name: client.test, value: "mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool=test'" }
|
- { name: client.test, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool=test" }
|
||||||
- { name: client.test2, value: "mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool=test2'" }
|
- { name: client.test2, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool=test2" }
|
||||||
|
|
|
@ -1,14 +1,32 @@
|
||||||
---
|
---
|
||||||
- name: create pools
|
- name: create pools
|
||||||
command: ceph --cluster {{ cluster }} osd pool create {{ item.name }} {{ item.pgs }}
|
command: "ceph --cluster {{ cluster }} osd pool create {{ item.name }} {{ item.pgs }}"
|
||||||
with_items: "{{ pools }}"
|
with_items: "{{ pools }}"
|
||||||
changed_when: false
|
changed_when: false
|
||||||
failed_when: false
|
failed_when: false
|
||||||
|
when: pools | length > 0
|
||||||
|
|
||||||
- name: create keys
|
- name: create key(s)
|
||||||
command: ceph --cluster {{ cluster }} auth get-or-create {{ item.name }} {{ item.value }} -o /etc/ceph/{{ cluster }}.{{ item.name }}.keyring
|
shell: "ceph-authtool -C /etc/ceph/{{ cluster }}.{{ item.name }}.keyring --name {{ item.name }} --add-key {{ item.key }} --cap mon \"{{ item.mon_cap|default('') }}\" --cap osd \"{{ item.osd_cap|default('') }}\" --cap mds \"{{ item.mds_cap|default('') }}\""
|
||||||
args:
|
args:
|
||||||
creates: /etc/ceph/{{ cluster }}.{{ item.name }}.keyring
|
creates: /etc/ceph/{{ cluster }}.{{ item.name }}.keyring
|
||||||
with_items: "{{ keys }}"
|
with_items: "{{ keys }}"
|
||||||
changed_when: false
|
changed_when: false
|
||||||
when: cephx
|
when:
|
||||||
|
- cephx
|
||||||
|
- keys | length > 0
|
||||||
|
|
||||||
|
- name: check if key(s) already exist(s)
|
||||||
|
command: "ceph --cluster {{ cluster }} auth get {{ item.name }}"
|
||||||
|
changed_when: false
|
||||||
|
failed_when: false
|
||||||
|
with_items: "{{ keys }}"
|
||||||
|
register: keys_exist
|
||||||
|
|
||||||
|
- name: add key(s) to ceph
|
||||||
|
command: "ceph --cluster {{ cluster }} auth import -i /etc/ceph/{{ cluster }}.{{ item.0.name }}.keyring"
|
||||||
|
changed_when: false
|
||||||
|
with_together:
|
||||||
|
- "{{ keys }}"
|
||||||
|
- "{{ keys_exist.results }}"
|
||||||
|
when: item.1.rc != 0
|
||||||
|
|
|
@ -96,11 +96,11 @@ openstack_pools:
|
||||||
# e.g key: "AQDC2UxZH4yeLhAAgTaZb+4wDUlYOsr1OfZSpQ=="
|
# e.g key: "AQDC2UxZH4yeLhAAgTaZb+4wDUlYOsr1OfZSpQ=="
|
||||||
# By default, keys will be auto-generated.
|
# By default, keys will be auto-generated.
|
||||||
openstack_keys:
|
openstack_keys:
|
||||||
- { name: client.glance, key: "$(ceph-authtool --gen-print-key)", mon_cap: "mon 'allow r'", osd_cap: "osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_glance_pool.name }}'" }
|
- { name: client.glance, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_glance_pool.name }}" }
|
||||||
- { name: client.cinder, key: "$(ceph-authtool --gen-print-key)", mon_cap: "mon 'allow r'", osd_cap: "osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_cinder_pool.name }}, allow rwx pool={{ openstack_nova_pool.name }}, allow rx pool={{ openstack_glance_pool.name }}'" }
|
- { name: client.cinder, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_cinder_pool.name }}, allow rwx pool={{ openstack_nova_pool.name }}, allow rx pool={{ openstack_glance_pool.name }}" }
|
||||||
- { name: client.cinder-backup, key: "$(ceph-authtool --gen-print-key)", mon_cap: "mon 'allow r'", osd_cap: "osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_cinder_backup_pool.name }}'" }
|
- { name: client.cinder-backup, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_cinder_backup_pool.name }}" }
|
||||||
- { name: client.gnocchi, key: "$(ceph-authtool --gen-print-key)", mon_cap: "mon 'allow r'", osd_cap: "osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_gnocchi_pool.name }}'" }
|
- { name: client.gnocchi, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool={{ openstack_gnocchi_pool.name }}" }
|
||||||
- { name: client.openstack, key: "$(ceph-authtool --gen-print-key)", mon_cap: "mon 'allow r'", osd_cap: "osd 'allow class-read object_prefix rbd_children, allow rwx pool=images, allow rwx pool=vms, allow rwx pool=volumes, allow rwx pool=backups'" }
|
- { name: client.openstack, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool=images, allow rwx pool=vms, allow rwx pool=volumes, allow rwx pool=backups" }
|
||||||
|
|
||||||
##########
|
##########
|
||||||
# DOCKER #
|
# DOCKER #
|
||||||
|
|
|
@ -5,11 +5,10 @@
|
||||||
changed_when: false
|
changed_when: false
|
||||||
failed_when: false
|
failed_when: false
|
||||||
|
|
||||||
# NOTE: (leseb): I know this is not ideal since this only allows 2 caps.
|
|
||||||
# A future version could use "--caps CAPSFILE"
|
# A future version could use "--caps CAPSFILE"
|
||||||
# which will set all of capabilities associated with a given key, for all subsystems
|
# which will set all of capabilities associated with a given key, for all subsystems
|
||||||
- name: create openstack key(s)
|
- name: create openstack key(s)
|
||||||
shell: "{{ docker_exec_cmd }} ceph-authtool -C /etc/ceph/{{ cluster }}.{{ item.name }}.keyring --name {{ item.name }} --add-key {{ item.key }} --cap {{ item.mon_cap }} --cap {{ item.osd_cap }}"
|
shell: "{{ docker_exec_cmd }} ceph-authtool -C /etc/ceph/{{ cluster }}.{{ item.name }}.keyring --name {{ item.name }} --add-key {{ item.key }} --cap mon \"{{ item.mon_cap|default('') }}\" --cap osd \"{{ item.osd_cap|default('') }}\" --cap mds \"{{ item.mds_cap|default('') }}\""
|
||||||
args:
|
args:
|
||||||
creates: "/etc/ceph/{{ cluster }}.{{ item.name }}.keyring"
|
creates: "/etc/ceph/{{ cluster }}.{{ item.name }}.keyring"
|
||||||
with_items: "{{ openstack_keys }}"
|
with_items: "{{ openstack_keys }}"
|
||||||
|
|
Loading…
Reference in New Issue