ceph-monstore-tool: include rotating keys in rebuilt mon 43697/head
authorSage Weil <sage@newdream.net>
Wed, 29 Sep 2021 20:29:43 +0000 (16:29 -0400)
committerCory Snyder <csnyder@iland.com>
Wed, 3 Nov 2021 13:39:23 +0000 (09:39 -0400)
This avoids an initial period after mon restart in which there are no
rotating keys and authentication can fail.

Signed-off-by: Sage Weil <sage@newdream.net>
(cherry picked from commit d83d12b90f7d0c2d81c08d3482bc6fecb2bc9059)

src/tools/CMakeLists.txt
src/tools/ceph_monstore_tool.cc

index fdfde4f34ef9034fa42663ed77dc6659df9dcb39..53314d13858c8db3292e5dcb4b8f2b5e03d6a447 100644 (file)
@@ -48,6 +48,7 @@ install(TARGETS ceph-osdomap-tool DESTINATION bin)
 
 add_executable(ceph-monstore-tool
   ceph_monstore_tool.cc
+  ../auth/cephx/CephxKeyServer.cc
   ../mgr/mgr_commands.cc)
 target_link_libraries(ceph-monstore-tool os global Boost::program_options)
 install(TARGETS ceph-monstore-tool DESTINATION bin)
index b4cff0553205dd717033c020c09e17d23ae8d779..6614c9b88a5a0082173c90f017b5fb1a52866f6a 100644 (file)
@@ -494,6 +494,20 @@ static int update_auth(MonitorDBStore& st, const string& keyring_path)
     inc.encode(bl, CEPH_FEATURES_ALL);
   }
 
+  // prime rotating secrets
+  {
+    KeyServer ks(g_ceph_context, nullptr);
+    KeyServerData::Incremental auth_inc;
+    auth_inc.op = KeyServerData::AUTH_INC_SET_ROTATING;
+    bool r = ks.prepare_rotating_update(auth_inc.rotating_bl);
+    ceph_assert(r);
+    AuthMonitor::Incremental inc;
+    inc.inc_type = AuthMonitor::AUTH_DATA;
+    encode(auth_inc, inc.auth_data);
+    inc.auth_type = CEPH_AUTH_CEPHX;
+    inc.encode(bl, CEPH_FEATURES_ALL);
+  }
+
   const string prefix("auth");
   auto last_committed = st.get(prefix, "last_committed") + 1;
   auto t = make_shared<MonitorDBStore::Transaction>();
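Review bot: The new block ends in `ceph_assert(r)`, so if `prepare_rotating_update()` ever returns false the recovery tool aborts instead of reporting through `update_auth`'s `int` return. A check such as `if (!r) return -EINVAL;` with a short message would give the operator something actionable; the function's error convention is outside this hunk, so match whatever the rest of it uses. The comment `// prime rotating secrets` could also say what is written: as far as the visible lines show, the `KeyServer` is built fresh with a `nullptr` second argument and nothing is read from `keyring_path` or `st`, so these appear to be newly generated keys rather than recovered ones, e.g. `// generate a new set of rotating service keys (the old ones are not recovered) so auth works right after mon restart`. Because the rebuilt store then holds live service secrets, the tool's documentation should state that the output directory needs the same access restrictions as the keyring. `update_auth` begins before and continues after this hunk.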