From: John Spray
Date: Tue, 16 May 2017 12:28:48 +0000 (+0100)
Subject: ceph-create-keys: update client.admin if it already exists
X-Git-Tag: v12.1.0~552^2
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=82332b7a3bb043d84f51520cbc3674acb25b25dd;p=ceph-ci.git

ceph-create-keys: update client.admin if it already exists

This means that anyone who de-privileges their client.admin user will find that it gets reset with full privileges again. This is necessary because we cannot distinguish between an old key and a deliberately de-privileged key, and it's okay because this is the admin key, it's meant to have access to everything.

Fixes: http://tracker.ceph.com/issues/19940
Signed-off-by: John Spray

---
diff --git a/src/ceph-create-keys b/src/ceph-create-keys index 65ccd4a212c..dda58e62e11 100755 --- a/src/ceph-create-keys +++ b/src/ceph-create-keys @@ -136,6 +136,19 @@ def get_key(cluster, mon_id): ], stdout=f, ) + else: + returncode = subprocess.call( + args=args_prefix + [ + 'auth', + 'caps', + 'client.admin', + 'mon', 'allow *', + 'osd', 'allow *', + 'mds', 'allow *', + 'mgr', 'allow *', + ], + stdout=f, + ) if returncode != 0: if returncode == errno.EPERM or returncode == errno.EACCES:
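Review bot: The new `else:` branch re-applies `allow *` for `mon`, `osd`, `mds` and `mgr` to an existing client.admin on every run without logging it, so an operator who restricted that key gets no signal that the caps were put back. Suggest a log line before the `auth caps` call saying that client.admin caps are being reset to full, plus a short comment in the branch recording the reason given in the commit message (an old key cannot be told apart from a deliberately de-privileged one). The call also passes `stdout=f` like the call above it; if `f` is the file the key is written to, check that `auth caps` emits nothing on stdout that would end up in it, or drop the redirect here. The branch overwrites `returncode` for every outcome the preceding `if` does not match, so confirm that a failure of the earlier call should lead to a caps update rather than go straight to the `returncode != 0` handling.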