From: Michael Fritch <mfritch@suse.com>
Date: Wed, 7 Oct 2020 19:38:10 +0000 (-0600)
Subject: mgr/cephadm: add RGW support for NFS ganesha
X-Git-Tag: v15.2.8~14^2~10
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=098bc573154ae3111170b4dce0ddc7a38245a6af;p=ceph.git

mgr/cephadm: add RGW support for NFS ganesha

- create an RGW keyring for NFS daemon access
- generate RGW FSAL in ganesha.conf

Fixes: https://tracker.ceph.com/issues/43686
Signed-off-by: Michael Fritch <mfritch@suse.com>
(cherry picked from commit 5a2ffc3dba52b9ebb55a10ed8f8dd6cc9febd1a3)
---

diff --git a/src/pybind/mgr/cephadm/services/nfs.py b/src/pybind/mgr/cephadm/services/nfs.py
index 41c6a93a589a..bdf4205d9b15 100644
--- a/src/pybind/mgr/cephadm/services/nfs.py
+++ b/src/pybind/mgr/cephadm/services/nfs.py
@@ -7,7 +7,7 @@ import rados
 from orchestrator import OrchestratorError, DaemonDescription
 
 from cephadm import utils
-from cephadm.services.cephadmservice import CephadmDaemonSpec, CephService
+from cephadm.services.cephadmservice import AuthEntity, CephadmDaemonSpec, CephService
 
 if TYPE_CHECKING:
     from cephadm.module import CephadmOrchestrator
@@ -49,19 +49,24 @@ class NFSService(CephService):
 
         deps: List[str] = []
 
-        # create the keyring
-        user = f'{daemon_type}.{daemon_id}'
-        keyring = self.create_keyring(daemon_spec)
+        # create the RADOS recovery pool keyring
+        rados_user = f'{daemon_type}.{daemon_id}'
+        rados_keyring = self.create_keyring(daemon_spec)
 
         # create the rados config object
         self.create_rados_config_obj(spec)
 
+        # create the RGW keyring
+        rgw_user = f'{rados_user}-rgw'
+        rgw_keyring = self.create_rgw_keyring(daemon_spec)
+
         # generate the ganesha config
         def get_ganesha_conf() -> str:
-            context = dict(user=user,
+            context = dict(user=rados_user,
                            nodeid=daemon_spec.name(),
                            pool=spec.pool,
                            namespace=spec.namespace if spec.namespace else '',
+                           rgw_user=rgw_user,
                            url=spec.rados_config_location())
             return self.mgr.template.render('services/nfs/ganesha.conf.j2', context)
 
@@ -71,7 +76,7 @@ class NFSService(CephService):
             config['pool'] = spec.pool
             if spec.namespace:
                 config['namespace'] = spec.namespace
-            config['userid'] = user
+            config['userid'] = rados_user
             config['extra_args'] = ['-N', 'NIV_EVENT']
             config['files'] = {
                 'ganesha.conf': get_ganesha_conf(),
@@ -79,36 +84,20 @@ class NFSService(CephService):
             config.update(
                 self.get_config_and_keyring(
                     daemon_type, daemon_id,
-                    keyring=keyring,
+                    keyring=rados_keyring,
                     host=host
                 )
             )
+            config['rgw'] = {
+                'cluster': 'ceph',
+                'user': rgw_user,
+                'keyring': rgw_keyring,
+            }
             logger.debug('Generated cephadm config-json: %s' % config)
             return config
 
         return get_cephadm_config(), deps
 
-    def create_keyring(self, daemon_spec: CephadmDaemonSpec) -> str:
-        assert daemon_spec.spec
-        daemon_id = daemon_spec.daemon_id
-        spec = daemon_spec.spec
-
-        entity = self.get_auth_entity(daemon_id)
-        logger.info('Create keyring: %s' % entity)
-
-        osd_caps = 'allow rw pool=%s' % (spec.pool)
-        if spec.namespace:
-            osd_caps = '%s namespace=%s' % (osd_caps, spec.namespace)
-
-        ret, keyring, err = self.mgr.check_mon_command({
-            'prefix': 'auth get-or-create',
-            'entity': entity,
-            'caps': ['mon', 'allow r',
-                     'osd', osd_caps],
-        })
-
-        return keyring
-
     def create_rados_config_obj(self,
                                 spec: NFSServiceSpec,
                                 clobber: bool = False) -> None:
@@ -130,3 +119,37 @@ class NFSService(CephService):
                 # Create an empty config object
                 logger.info('Creating rados config object: %s' % obj)
                 ioctx.write_full(obj, ''.encode('utf-8'))
+
+    def create_keyring(self, daemon_spec: CephadmDaemonSpec[NFSServiceSpec]) -> str:
+        assert daemon_spec.spec
+        daemon_id = daemon_spec.daemon_id
+        spec = daemon_spec.spec
+        entity: AuthEntity = self.get_auth_entity(daemon_id)
+
+        osd_caps = 'allow rw pool=%s' % (spec.pool)
+        if spec.namespace:
+            osd_caps = '%s namespace=%s' % (osd_caps, spec.namespace)
+
+        logger.info('Create keyring: %s' % entity)
+        ret, keyring, err = self.mgr.check_mon_command({
+            'prefix': 'auth get-or-create',
+            'entity': entity,
+            'caps': ['mon', 'allow r',
+                     'osd', osd_caps],
+        })
+
+        return keyring
+
+    def create_rgw_keyring(self, daemon_spec: CephadmDaemonSpec[NFSServiceSpec]) -> str:
+        daemon_id = daemon_spec.daemon_id
+        entity: AuthEntity = self.get_auth_entity(f'{daemon_id}-rgw')
+
+        logger.info('Create keyring: %s' % entity)
+        ret, keyring, err = self.mgr.check_mon_command({
+            'prefix': 'auth get-or-create',
+            'entity': entity,
+            'caps': ['mon', 'allow r',
+                     'osd', 'allow rwx'],
+        })
+
+        return keyring
diff --git a/src/pybind/mgr/cephadm/templates/services/nfs/ganesha.conf.j2 b/src/pybind/mgr/cephadm/templates/services/nfs/ganesha.conf.j2
index 5fe78320ee90..174870c03730 100644
--- a/src/pybind/mgr/cephadm/templates/services/nfs/ganesha.conf.j2
+++ b/src/pybind/mgr/cephadm/templates/services/nfs/ganesha.conf.j2
@@ -31,4 +31,9 @@ RADOS_URLS {
         watch_url = "{{ url }}";
 }
 
+RGW {
+        cluster = "ceph";
+        name = "client.{{ rgw_user }}";
+}
+
 %url    {{ url }}