mon: new bootstrap-rbd auth profile 16633/head
authorJason Dillaman <dillaman@redhat.com>
Thu, 27 Jul 2017 18:07:00 +0000 (14:07 -0400)
committerJason Dillaman <dillaman@redhat.com>
Thu, 27 Jul 2017 18:07:00 +0000 (14:07 -0400)
Signed-off-by: Jason Dillaman <dillaman@redhat.com>
ceph.spec.in
debian/ceph-base.dirs
doc/start/quick-ceph-deploy.rst
src/ceph-create-keys
src/mon/MonCap.cc
src/test/mon/moncap.cc

index 93aabf8279d6e6c7ae44e75d4928c7c9a09af3fe..055ecac5fa46f474af86974d01525b856b0524b8 100644 (file)
@@ -910,6 +910,7 @@ mkdir -p %{buildroot}%{_localstatedir}/lib/ceph/bootstrap-osd
 mkdir -p %{buildroot}%{_localstatedir}/lib/ceph/bootstrap-mds
 mkdir -p %{buildroot}%{_localstatedir}/lib/ceph/bootstrap-rgw
 mkdir -p %{buildroot}%{_localstatedir}/lib/ceph/bootstrap-mgr
+mkdir -p %{buildroot}%{_localstatedir}/lib/ceph/bootstrap-rbd
 
 %if 0%{?suse_version}
 # create __pycache__ directories and their contents
@@ -978,6 +979,7 @@ rm -rf %{buildroot}
 %attr(750,ceph,ceph) %dir %{_localstatedir}/lib/ceph/bootstrap-mds
 %attr(750,ceph,ceph) %dir %{_localstatedir}/lib/ceph/bootstrap-rgw
 %attr(750,ceph,ceph) %dir %{_localstatedir}/lib/ceph/bootstrap-mgr
+%attr(750,ceph,ceph) %dir %{_localstatedir}/lib/ceph/bootstrap-rbd
 
 %post base
 /sbin/ldconfig
index a60a331caac3bad477298e65bdfd879e6da5a0fe..2ae6860022e038126cfdd67d1f32f1a6c866f46a 100644 (file)
@@ -2,4 +2,5 @@ var/lib/ceph/bootstrap-mds
 var/lib/ceph/bootstrap-mgr
 var/lib/ceph/bootstrap-osd
 var/lib/ceph/bootstrap-rgw
+var/lib/ceph/bootstrap-rbd
 var/lib/ceph/tmp
index f86d7567431c0d293d392b3770cc6e9f6472728b..50b7f307f6ef2828e9cca7474913ed1bfeb227c2 100644 (file)
@@ -101,6 +101,7 @@ configuration details, perform the following steps using ``ceph-deploy``.
    - ``ceph.bootstrap-osd.keyring``
    - ``ceph.bootstrap-mds.keyring``
    - ``ceph.bootstrap-rgw.keyring``
+   - ``ceph.bootstrap-rbd.keyring``
 
 .. note:: If this process fails with a message similar to "Unable to
    find /etc/ceph/ceph.client.admin.keyring", please ensure that the
index 75005f5871f223d6ccd78e4ba307ed32af2db475..c14c02f28dc0dcadfef53d30e8bb6d832586ded1 100755 (executable)
@@ -305,7 +305,11 @@ def main():
         type_='mds',
         wait_count=args.timeout,
         )
-
+    bootstrap_key(
+        cluster=args.cluster,
+        type_='rbd',
+        wait_count=args.timeout,
+        )
 
 if __name__ == '__main__':
     main()
index 5eaa6a30e2adc993bf8df1707d0218ab42d15c52..c5ce8d1c1633cdff6f72ae24a2ffe6b0c0fc66e3 100644 (file)
@@ -258,6 +258,17 @@ void MonCapGrant::expand_profile_mon(const EntityName& name) const
     profile_grants.back().command_args["caps_osd"] = StringConstraint(
       StringConstraint::MATCH_TYPE_EQUAL, "allow rwx");
   }
+  if (profile == "bootstrap-rbd") {
+    profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));  // read monmap
+    profile_grants.push_back(MonCapGrant("auth get-or-create"));  // FIXME: this can expose other mds keys
+    profile_grants.back().command_args["entity"] = StringConstraint(
+      StringConstraint::MATCH_TYPE_PREFIX, "client.");
+    profile_grants.back().command_args["caps_mon"] = StringConstraint(
+      StringConstraint::MATCH_TYPE_EQUAL, "profile rbd");
+    profile_grants.back().command_args["caps_osd"] = StringConstraint(
+      StringConstraint::MATCH_TYPE_REGEX,
+      "^([ ,]*profile(=|[ ]+)['\"]?rbd[^ ,'\"]*['\"]?([ ]+pool(=|[ ]+)['\"]?[^,'\"]+['\"]?)?)+$");
+  }
   if (profile == "fs-client") {
     profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
     profile_grants.push_back(MonCapGrant("mds", MON_CAP_R));
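Review bot: The `FIXME` on the `auth get-or-create` grant says "other mds keys", but this profile's `entity` constraint is the prefix `client.`, so what an existing-entity lookup can return here is another client key whose caps already equal the constrained values; the comment was evidently copied from the mds profile and should read `// FIXME: this can expose other client keys`. Only `entity`, `caps_mon` and `caps_osd` carry constraints; if the cap matcher accepts request arguments that have no constraint (it is not visible in this hunk), a holder of this profile can still pass `caps_mds`/`caps_mgr` and mint clients with caps on those services, which is wider than an RBD bootstrap key needs — consider constraining them (e.g. `MATCH_TYPE_EQUAL` to an empty value, or whatever the other bootstrap profiles do) or documenting why that is acceptable. The `MATCH_TYPE_REGEX` for `caps_osd` accepts any profile name beginning with `rbd`, which is presumably intended for `rbd-read-only`; a short comment naming that intent would help the next reader. `expand_profile_mon` starts and ends outside this hunk.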
index a3379eefc6c79aabf8053750b1495508cea15443..cecd8b30e04d2b424a4b9e5b12229b80f59137d1 100644 (file)
@@ -258,3 +258,30 @@ TEST(MonCap, CommandRegEx) {
   ASSERT_FALSE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_OSD, name, "",
                               "abc", {{"arg", ""}}, true, true, true));
 }
+
+TEST(MonCap, ProfileBootstrapRBD) {
+  MonCap cap;
+  ASSERT_FALSE(cap.is_allow_all());
+  ASSERT_TRUE(cap.parse("profile bootstrap-rbd", NULL));
+
+  EntityName name;
+  name.from_str("mon.a");
+  ASSERT_TRUE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_MON, name, "",
+                             "auth get-or-create", {
+                               {"entity", "client.rbd"},
+                               {"caps_mon", "profile rbd"},
+                               {"caps_osd", "profile rbd pool=foo, profile rbd-read-only"},
+                             }, true, true, true));
+  ASSERT_FALSE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_MON, name, "",
+                              "auth get-or-create", {
+                                {"entity", "client.rbd"},
+                                {"caps_mon", "allow *"},
+                                {"caps_osd", "profile rbd"},
+                              }, true, true, true));
+  ASSERT_FALSE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_MON, name, "",
+                              "auth get-or-create", {
+                                {"entity", "client.rbd"},
+                                {"caps_mon", "profile rbd"},
+                                {"caps_osd", "profile rbd pool=foo, allow *, profile rbd-read-only"},
+                              }, true, true, true));
+}
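Review bot: The new test exercises the `caps_mon` and `caps_osd` constraints but never the `entity` prefix constraint; an `ASSERT_FALSE` with an entity outside the `client.` namespace but otherwise valid caps would pin the one rule that keeps this profile from creating non-client principals, and a second positive case with a bare `profile rbd` (no pool) would cover the optional pool group in the regex. `cap.parse("profile bootstrap-rbd", NULL)` on the first lines mixes `NULL` with the `nullptr` used in the `is_capable` calls below; `ASSERT_TRUE(cap.parse("profile bootstrap-rbd", nullptr));` keeps the test consistent.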