#!/usr/bin/python # Copyright 2018, Red Hat, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. from __future__ import absolute_import, division, print_function __metaclass__ = type ANSIBLE_METADATA = { 'metadata_version': '1.1', 'status': ['preview'], 'supported_by': 'community' } DOCUMENTATION = ''' --- module: ceph_key author: Sebastien Han short_description: Manage Cephx key(s) version_added: "2.6" description: - Manage CephX creation, deletion and updates. It can also list and get information about keyring(s). options: cluster: description: - The ceph cluster name. required: false default: ceph name: description: - name of the CephX key required: true state: description: - If 'present' is used, the module creates a keyring with the associated capabilities. If 'present' is used and a secret is provided the module will always add the key. Which means it will update the keyring if the secret changes, the same goes for the capabilities. If 'absent' is used, the module will simply delete the keyring. If 'list' is used, the module will list all the keys and will return a json output. If 'update' is used, the module will **only** update the capabilities of a given keyring. If 'info' is used, the module will return in a json format the description of a given keyring. required: true choices: ['present', 'absent', 'list', 'update', 'info'] default: list caps: description: - CephX key capabilities default: None required: false secret: description: - keyring's secret value required: false default: None containerized: description: - Wether or not this is a containerized cluster. The value is assigned or not depending on how the playbook runs. required: false default: None import_key: description: - Wether or not to import the created keyring into Ceph. This can be useful for someone that only wants to generate keyrings but not add them into Ceph. required: false default: True auid: description: - Sets the auid (authenticated user id) for the specified keyring required: false default: None dest: description: - Destination to write the keyring required: false default: /etc/ceph/ ''' EXAMPLES = ''' keys_to_create: - { name: client.key, key: "AQAin8tUUK84ExAA/QgBtI7gEMWdmnvKBzlXdQ==", caps: { mon: "allow rwx", mds: "allow *" } , mode: "0600", acls: [] } - { name: client.cle, caps: { mon: "allow r", osd: "allow *" } , mode: "0600", acls: [] } caps: mon: "allow rwx" mds: "allow *" - name: create ceph admin key ceph_key: name: client.admin state: present secret: AQAin8tU2DsKFBAAFIAzVTzkL3+gtAjjpQiomw== auid: 0 caps: mon: allow * osd: allow * mgr: allow * mds: allow mode: 0400 import_key: False - name: create monitor initial keyring ceph_key: name: mon. state: present secret: AQAin8tUMICVFBAALRHNrV0Z4MXupRw4v9JQ6Q== caps: mon: allow * dest: "/var/lib/ceph/tmp/keyring.mon" import_key: False - name: create cephx key ceph_key: name: "{{ keys_to_create }}" state: present caps: "{{ caps }}" - name: create cephx key but don't import it in Ceph ceph_key: name: "{{ keys_to_create }}" state: present caps: "{{ caps }}" import_key: False - name: update cephx key ceph_key: name: "my_key" state: update caps: "{{ caps }}" - name: delete cephx key ceph_key: name: "my_key" state: absent - name: info cephx key ceph_key: name: "my_key"" state: info - name: list cephx keys ceph_key: state: list ''' RETURN = '''# ''' from ansible.module_utils.basic import AnsibleModule import datetime import os import struct import time import base64 def fatal(message, module): ''' Report a fatal error and exit ''' if module: module.fail_json(msg=message, rc=1) else: raise(Exception(message)) def generate_secret(): ''' Generate a CephX secret ''' key = os.urandom(16) header = struct.pack('