mon,ceph-disk: add lockbox permissions to bootstrap-osd 12033/head
authorLoic Dachary <ldachary@redhat.com>
Tue, 15 Nov 2016 16:16:37 +0000 (17:16 +0100)
committerLoic Dachary <ldachary@redhat.com>
Wed, 16 Nov 2016 23:51:35 +0000 (00:51 +0100)
ceph-disk --dmcrypt needs to put a config-key and authorize
the OSD to get it back. The corresponding permissions are
added to the bootstrap-osd profile in the monitor.

When preparing the OSD lockbox, use the bootstrap-osd profile instead of
implicitly requiring admin permissions to perform the initial config-key
and auth get-or-create operations.

Fixes: http://tracker.ceph.com/issues/17849
Signed-off-by: Loic Dachary <loic@dachary.org>
(cherry picked from commit c1c6224bf8df788cd34e9ba7294a6515a9ab97e3)

src/ceph-disk/ceph_disk/main.py
src/mon/MonCap.cc

index 4b79f50cb9bbbc9a3f6456c60eecdb587a4ff02b..b8c0f1ffece7d691daf0da51be55b0c4f3eaa53d 100755 (executable)
@@ -1757,6 +1757,13 @@ class Prepare(object):
             default='/etc/ceph/dmcrypt-keys',
             help='directory where dm-crypt keys are stored',
         )
+        parser.add_argument(
+            '--prepare-key',
+            metavar='PATH',
+            help='bootstrap-osd keyring path template (%(default)s)',
+            default='{statedir}/bootstrap-osd/{cluster}.keyring',
+            dest='prepare_key_template',
+        )
         return parser
 
     @staticmethod
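Review bot: The help text of the new `--prepare-key` option shows only the default value and does not say which placeholders the template accepts, although the Lockbox code later substitutes exactly `{cluster}` and `{statedir}` into it. Suggest `help='bootstrap-osd keyring path template; {cluster} and {statedir} are substituted (%(default)s)'` so operators overriding the path know what they may use. The parser-building method this hunk belongs to starts before the hunk.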
@@ -2278,9 +2285,14 @@ class Lockbox(object):
         key_size = CryptHelpers.get_dmcrypt_keysize(self.args)
         key = open('/dev/urandom', 'rb').read(key_size / 8)
         base64_key = base64.b64encode(key)
+        cluster = self.args.cluster
+        bootstrap = self.args.prepare_key_template.format(cluster=cluster,
+                                                          statedir=STATEDIR)
         command_check_call(
             [
                 'ceph',
+                '--name', 'client.bootstrap-osd',
+                '--keyring', bootstrap,
                 'config-key',
                 'put',
                 'dm-crypt/osd/' + self.args.osd_uuid + '/luks',
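Review bot: The keyring path computed on the two new `bootstrap = ...` lines is passed straight to `ceph --keyring` here and again in the `auth get-or-create` command of the next hunk, so a missing bootstrap-osd keyring on the host only surfaces as a failed ceph command rather than as an error naming the path. A guard right after the assignment, e.g. `if not os.path.exists(bootstrap): raise Error('bootstrap-osd keyring not found', bootstrap)` (using whichever exception class this module raises for operator-facing errors), would make the failure actionable for someone using a non-default `--prepare-key`. The enclosing method begins before the hunk and the command list continues after it.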
@@ -2290,6 +2302,8 @@ class Lockbox(object):
         keyring, stderr, ret = command(
             [
                 'ceph',
+                '--name', 'client.bootstrap-osd',
+                '--keyring', bootstrap,
                 'auth',
                 'get-or-create',
                 'client.osd-lockbox.' + self.args.osd_uuid,
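Review bot: As far as the MonCap.cc hunk shows, this `auth get-or-create` issued with the bootstrap-osd credential is only accepted when the mon caps passed further down the argument list (outside the hunk) begin with the prefix the profile now checks, `allow command "config-key get" with key="dm-crypt/osd/`; that coupling is invisible from this file. A comment above the command, e.g. `# mon caps must begin with the prefix accepted by MonCapGrant::expand_profile for profile bootstrap-osd`, would keep the two files in step when either side changes. The command list continues past the end of the hunk.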
index a2540b56411c304c0bd22fffd6a1372ca2a2b9c3..45b66a8bb72d1a7768efa726f467bfc3909ef5d5 100644 (file)
@@ -146,10 +146,16 @@ void MonCapGrant::expand_profile(EntityName name) const
     profile_grants.push_back(MonCapGrant("config-key delete", "key", StringConstraint("", prefix)));
   }
   if (profile == "bootstrap-osd") {
+    string prefix = "dm-crypt/osd";
+    profile_grants.push_back(MonCapGrant("config-key put", "key", StringConstraint("", prefix)));
     profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));  // read monmap
     profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));  // read osdmap
     profile_grants.push_back(MonCapGrant("mon getmap"));
     profile_grants.push_back(MonCapGrant("osd create"));
+    profile_grants.push_back(MonCapGrant("auth get-or-create"));
+    profile_grants.back().command_args["entity"] = StringConstraint("", "client.");
+    prefix = "allow command \"config-key get\" with key=\"dm-crypt/osd/";
+    profile_grants.back().command_args["caps_mon"] = StringConstraint("", prefix);
     profile_grants.push_back(MonCapGrant("auth add"));
     profile_grants.back().command_args["entity"] = StringConstraint("", "osd.");
     profile_grants.back().command_args["caps_mon"] = StringConstraint("allow profile osd", "");
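Review bot: The two new constraints are looser than the surrounding grants suggest they need to be: `string prefix = "dm-crypt/osd";` has no trailing slash, so unlike the `dm-crypt/osd/` prefix used for `caps_mon` a few lines below it also admits any config-key whose name merely starts with `dm-crypt/osd`, and the `entity` constraint `client.` lets a bootstrap-osd holder run `auth get-or-create` for any client name although ceph-disk only creates `client.osd-lockbox.<uuid>` entities. Tightening them to `string prefix = "dm-crypt/osd/";` and `profile_grants.back().command_args["entity"] = StringConstraint("", "client.osd-lockbox.");` follows the pattern of the existing `osd.` entity prefix on the `auth add` grant. Note also that `caps_mon` is a prefix match here, whereas the `auth add` grant uses an exact match (`StringConstraint("allow profile osd", "")`); if the cap string is parsed as a list of clauses, a value that begins with the expected prefix but appends further grants would still satisfy the constraint, which is worth confirming since the per-OSD key name prevents an exact match. expand_profile begins before and continues after this hunk.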