ceph-monstore-tool: include rotating keys in rebuilt mon 43335/head
authorSage Weil <sage@newdream.net>
Wed, 29 Sep 2021 20:29:43 +0000 (16:29 -0400)
committerSage Weil <sage@newdream.net>
Fri, 1 Oct 2021 18:42:35 +0000 (14:42 -0400)
This avoids an initial period after mon restart in which there are no
rotating keys and authentication can fail.

Signed-off-by: Sage Weil <sage@newdream.net>
src/tools/CMakeLists.txt
src/tools/ceph_monstore_tool.cc

index fa10db7f3adc8c4aaa2de2782db67ebc0a7325ef..4fe63fe4686e830d8721dba2966e4a3613245849 100644 (file)
@@ -48,6 +48,7 @@ install(TARGETS ceph-osdomap-tool DESTINATION bin)
 
 add_executable(ceph-monstore-tool
   ceph_monstore_tool.cc
+  ../auth/cephx/CephxKeyServer.cc
   ../mgr/mgr_commands.cc)
 target_link_libraries(ceph-monstore-tool os global Boost::program_options)
 install(TARGETS ceph-monstore-tool DESTINATION bin)
index 69782690b4053951c0c7a20ae7a57477297925cc..87b84386ed173c2b007733f603ae5473a14cd254 100644 (file)
@@ -497,6 +497,20 @@ static int update_auth(MonitorDBStore& st, const string& keyring_path)
     inc.encode(bl, CEPH_FEATURES_ALL);
   }
 
+  // prime rotating secrets
+  {
+    KeyServer ks(g_ceph_context, nullptr);
+    KeyServerData::Incremental auth_inc;
+    auth_inc.op = KeyServerData::AUTH_INC_SET_ROTATING;
+    bool r = ks.prepare_rotating_update(auth_inc.rotating_bl);
+    ceph_assert(r);
+    AuthMonitor::Incremental inc;
+    inc.inc_type = AuthMonitor::AUTH_DATA;
+    encode(auth_inc, inc.auth_data);
+    inc.auth_type = CEPH_AUTH_CEPHX;
+    inc.encode(bl, CEPH_FEATURES_ALL);
+  }
+
   const string prefix("auth");
   auto last_committed = st.get(prefix, "last_committed") + 1;
   auto t = make_shared<MonitorDBStore::Transaction>();
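Review bot: `ceph_assert(r)` in the new "prime rotating secrets" block aborts the whole tool when `prepare_rotating_update()` returns false, although `update_auth()` returns `int` and could report the failure to its caller. Something like `if (!ks.prepare_rotating_update(auth_inc.rotating_bl)) return -EINVAL;` (plus a message on stderr) would let a store rebuild fail cleanly instead of dumping core partway through. The one-line comment also leaves the `nullptr` key ring unexplained; I would expand it to `// prime rotating secrets: a fresh KeyServer holds none, so this generates a full set; no KeyRing is passed because only the rotating keys are produced here`, after confirming against KeyServer, which is not visible in this hunk, that the null key ring is never dereferenced on this path. It is also worth stating in the tool's documentation that the rebuilt store carries newly generated service secrets rather than the cluster's previous ones. The body of `update_auth()` starts before and continues after this hunk.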