restful: Generate cert/key in post scripts
authorBoris Ranto <branto@redhat.com>
Thu, 18 May 2017 12:53:04 +0000 (14:53 +0200)
committerBoris Ranto <branto@redhat.com>
Mon, 22 May 2017 17:21:23 +0000 (19:21 +0200)
This is the simplest way to generate the keys and probably the least
likely to cause trouble in the future.

Signed-off-by: Boris Ranto <branto@redhat.com>
ceph.spec.in
debian/ceph-mgr.postinst
debian/control
src/pybind/mgr/restful/module.py

index 2fae0b1072c1dbf6c7d8b6daebb626a982f642a0..8dc4b7638bcf0492f5d09e20ae107813ee1a96a1 100644 (file)
@@ -320,6 +320,7 @@ Requires:   python-CherryPy
 Requires:       python-Werkzeug
 %endif
 Requires:       python-pecan
+Requires(post):        openssl
 %description mgr
 ceph-mgr enables python modules that provide services (such as the REST
 module derived from Calamari) and expose CLI hooks.  ceph-mgr gathers
@@ -1174,6 +1175,13 @@ fi
 %attr(750,ceph,ceph) %dir %{_localstatedir}/lib/ceph/mgr
 
 %post mgr
+CERT="%{_sysconfdir}/ceph/ceph-mgr-restful.crt"
+PKEY="%{_sysconfdir}/ceph/ceph-mgr-restful.key"
+if [ ! -e "$CERT" -o ! -e "$PKEY" ]; then
+  openssl req -new -nodes -x509 \
+    -subj "/O=IT/CN=ceph-mgr-restful" \
+    -days 3650 -keyout "$PKEY" -out "$CERT" -extensions v3_ca
+fi
 %if 0%{?suse_version}
 if [ $1 -eq 1 ] ; then
   /usr/bin/systemctl preset ceph-mgr@\*.service ceph-mgr.target >/dev/null 2>&1 || :
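Review bot: The private key written by `openssl req -nodes ... -keyout "$PKEY"` is unencrypted, and its mode and owner are left to openssl's defaults and the scriptlet's umask. Depending on the openssl version it may end up world-readable under the ceph config directory, or unreadable by the daemon if ceph-mgr runs as the `ceph` user, which the `%attr(750,ceph,ceph)` context line suggests. Pin both explicitly after generation, for example `chmod 600 "$PKEY"` and `chown ceph:ceph "$PKEY" "$CERT"`, or run the command under `umask 077`. The same block is added to debian/ceph-mgr.postinst and needs the same treatment. A comment such as `# self-signed placeholder; replace with a site-issued certificate` would also tell operators the pair is meant to be swapped out.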
index 6d38ccf09feb3ea3cc9c6255320485a61207be94..d483d4dccf371a2050fb598339ed6f88798fbf02 100644 (file)
@@ -24,6 +24,13 @@ set -e
 
 case "$1" in
     configure)
+       CERT="/etc/ceph/ceph-mgr-restful.crt"
+       PKEY="/etc/ceph/ceph-mgr-restful.key"
+       if [ ! -e "$CERT" -o ! -e "$PKEY" ]; then
+           openssl req -new -nodes -x509 \
+               -subj "/O=IT/CN=ceph-mgr-restful" \
+               -days 3650 -keyout "$PKEY" -out "$CERT" -extensions v3_ca
+       fi
        [ -x /sbin/start ] && start ceph-mgr-all || :
 
        if ! dpkg-statoverride --list /var/lib/ceph/mgr >/dev/null
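Review bot: Because this script runs under `set -e` (visible in the hunk header), any failure of `openssl req` aborts `configure` before the `start ceph-mgr-all` and statoverride steps run. `-extensions v3_ca` presumably makes that depend on the host's openssl.cnf defining a `v3_ca` section. A server certificate does not need CA extensions, so consider dropping that option. If generation is meant to be best-effort, report the failure instead of aborting, e.g. `openssl req ... || echo "ceph-mgr: could not generate restful certificate" >&2`. The `case` block continues outside the hunk.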
index cc4351d7c652b65a2abf87ad92f0c70059fe9dcc..2099533f3d3dd0b498f18ee7a9c103858cc098a6 100644 (file)
@@ -163,6 +163,7 @@ Architecture: linux-any
 Depends: ceph-base (= ${binary:Version}),
          python-pecan,
          python-werkzeug,
+         openssl,
          ${misc:Depends},
          ${python:Depends},
         python-cherrypy3,
index 6ef0070c07f025a370bba897b9a431f7aed8e5ee..0f47463ebecc166840c78b6a3ae4711d85a40524 100644 (file)
@@ -227,12 +227,15 @@ class Module(MgrModule):
             separators=(',', ': '),
         )
 
+        cert = self.get_config_json("cert") or '/etc/ceph/ceph-mgr-restful.crt'
+        pkey = self.get_config_json("pkey") or '/etc/ceph/ceph-mgr-restful.key'
+
         # Create the HTTPS werkzeug server serving pecan app
         self.server = make_server(
             host='0.0.0.0',
             port=8002,
             app=make_app('restful.api.Root'),
-            ssl_context=self.load_cert(),
+            ssl_context=(cert, pkey),
         )
 
         self.server.serve_forever()
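Review bot: The `cert` and `pkey` config keys are now treated as file paths, but the `load_cert` removed in this commit stored the PEM contents under those same keys. A cluster that already ran the module would therefore pass certificate text to `ssl_context` as a filename, and the server would likely fail to start; the previously stored private key also stays behind in the config db. Consider reading the paths from differently named keys, e.g. `cert = self.get_config_json("cert_file") or '/etc/ceph/ceph-mgr-restful.crt'` (the key name is only a suggestion). Checking that both files are readable before `make_server` would let the failure be logged clearly. The enclosing method starts before this hunk.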
@@ -317,43 +320,6 @@ class Module(MgrModule):
             )
 
 
-    def load_cert(self):
-        cert_base = self.get("config").get("mgr_data", "/tmp") + "/ceph-mgr-restful"
-        cert_file = cert_base + '.crt'
-        pkey_file = cert_base + '.key'
-
-        # If the files are already there, we are good
-        if os.access(cert_file, os.R_OK) and os.access(pkey_file, os.R_OK):
-            return (cert_file, pkey_file)
-
-        # If the certificate is in the ceph config db, write it to the files
-        cert = self.get_config_json('cert')
-        pkey = self.get_config_json('pkey')
-
-        if cert and pkey:
-            f = file(cert_file, 'w')
-            f.write(cert)
-            f.close()
-
-            f = file(pkey_file, 'w')
-            f.write(pkey)
-            f.close()
-            return (cert_file, pkey_file)
-
-        # Otherwise, generate the certificate and save it in the config db
-        make_ssl_devcert(cert_base, host='localhost')
-
-        f = file(cert_file, 'r')
-        self.set_config_json('cert', f.read())
-        f.close()
-
-        f = file(pkey_file, 'r')
-        self.set_config_json('pkey', f.read())
-        f.close()
-
-        return (cert_file, pkey_file)
-
-
     def get_doc_api(self, root, prefix=''):
         doc = {}
         for _obj in dir(root):