tools/ceph_authtool: allow configuring a preferred cipher

This makes testing easier as we can configure all keys in the cluster to be the
given "old" type without modifying each location that ceph-authtool is used.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>
(cherry picked from commit 4c450c920e94af177d9b3c57c5ae26df556512fc)

diff --git a/src/common/options/global.yaml.in b/src/common/options/global.yaml.in
index f0cbddf231dff0cdd82a36cf03c4d19de86b6288..40ddccada105dc044dd3d1408d3e6e8fc3c7f110 100644 (file)
--- a/src/common/options/global.yaml.in
+++ b/src/common/options/global.yaml.in
@@ -2219,6 +2219,13 @@ options:
   fmt_desc: If the Ceph version supports message signing, Ceph will sign
    all messages so they are more difficult to spoof.
   with_legacy: true
+- name: cephx_preferred_cipher
+  type: str
+  level: dev
+  desc: preferred cipher to use for new authentication keys
+  default: recommended
+  flags:
+  - runtime
 - name: cephx_allowed_ciphers
   type: str
   level: advanced

diff --git a/src/tools/ceph_authtool.cc b/src/tools/ceph_authtool.cc
index e53f3afa128f8d6b22854adc202c1dfa50d8d55f..09068ec12687ff95adbc825d7e3eeee73fd04ed6 100644 (file)
--- a/src/tools/ceph_authtool.cc
+++ b/src/tools/ceph_authtool.cc
@@ -66,7 +66,7 @@ int main(int argc, const char **argv)
   map<string,bufferlist> caps;
   std::string fn;
 
-  int key_type = CryptoManager::get_key_type("recommended");
+  int key_type = -1;
 
   if (args.empty()) {
     cerr << argv[0] << ": -h or --help for usage" << std::endl;
@@ -175,6 +175,12 @@ int main(int argc, const char **argv)
   common_init_finish(g_ceph_context);
   EntityName ename(g_conf()->name);
 
+  if (key_type < 0) {
+    auto cephx_preferred_cipher = g_conf().get_val<std::string>("cephx_preferred_cipher");
+    cerr << "using key type: " << cephx_preferred_cipher << std::endl;
+    key_type = CryptoManager::get_key_type(cephx_preferred_cipher);
+  }
+
   // Enforce the use of gen-key or add-key when creating to avoid ending up
   // with an "empty" key (key = AAAAAAAAAAAAAAAA)
   if (create_keyring && !gen_key && add_key.empty() && !caps.empty()) {