From: Boris Ranto
Date: Thu, 18 May 2017 12:53:04 +0000 (+0200)
Subject: restful: Generate cert/key in post scripts
X-Git-Tag: ses5-milestone6~9^2~47^2~6
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=92fa210aaa87fcc47b2491fa44f029f7426cd7b9;p=ceph.git
restful: Generate cert/key in post scripts
This is the simplest way to generate the keys and probably the least likely to cause trouble in the future.
Signed-off-by: Boris Ranto
---
diff --git a/ceph.spec.in b/ceph.spec.in
index 2fae0b1072c..8dc4b7638bc 100644
--- a/ceph.spec.in
+++ b/ceph.spec.in
@@ -320,6 +320,7 @@ Requires: python-CherryPy
 Requires: python-Werkzeug
 %endif
 Requires: python-pecan
+Requires(post): openssl
 %description mgr
 ceph-mgr enables python modules that provide services (such as the REST module derived from Calamari) and expose CLI hooks. ceph-mgr gathers
@@ -1174,6 +1175,13 @@ fi
 %attr(750,ceph,ceph) %dir %{_localstatedir}/lib/ceph/mgr
 %post mgr
+CERT="%{_sysconfdir}/ceph/ceph-mgr-restful.crt"
+PKEY="%{_sysconfdir}/ceph/ceph-mgr-restful.key"
+if [ ! -e "$CERT" -o ! -e "$PKEY" ]; then
+ openssl req -new -nodes -x509 \
+ -subj "/O=IT/CN=ceph-mgr-restful" \
+ -days 3650 -keyout "$PKEY" -out "$CERT" -extensions v3_ca
+fi
 %if 0%{?suse_version}
 if [ $1 -eq 1 ] ; then
 /usr/bin/systemctl preset ceph-mgr@\*.service ceph-mgr.target >/dev/null 2>&1 || :
diff --git a/debian/ceph-mgr.postinst b/debian/ceph-mgr.postinst
index 6d38ccf09fe..d483d4dccf3 100644
--- a/debian/ceph-mgr.postinst
+++ b/debian/ceph-mgr.postinst
@@ -24,6 +24,13 @@ set -e
 case "$1" in
 configure)
+ CERT="/etc/ceph/ceph-mgr-restful.crt"
+ PKEY="/etc/ceph/ceph-mgr-restful.key"
+ if [ ! -e "$CERT" -o ! -e "$PKEY" ]; then
+ openssl req -new -nodes -x509 \
+ -subj "/O=IT/CN=ceph-mgr-restful" \
+ -days 3650 -keyout "$PKEY" -out "$CERT" -extensions v3_ca
+ fi
 [ -x /sbin/start ] && start ceph-mgr-all || :
 if ! dpkg-statoverride --list /var/lib/ceph/mgr >/dev/null
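Review bot: The private key written by `-keyout "$PKEY"` in the `%post mgr` scriptlet gets whatever mode the scriptlet's umask yields and is owned by the installing user; nothing in the added lines restricts it. Because `-nodes` stores the key unencrypted, a permissive umask would leave it readable by every local account, while a root-only file would presumably be unreadable by the mgr daemon if it runs as the `ceph` user named in the `%attr(750,ceph,ceph)` line above. I would run the call as `( umask 077; openssl req … )` and follow it with `chown ceph:ceph "$PKEY" "$CERT"`, or list both files in `%files` as `%ghost` entries with an explicit `%attr`. The same applies to the `configure)` branch added in debian/ceph-mgr.postinst.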
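Review bot: The certificate generated in the `configure)` branch carries the fixed subject `/O=IT/CN=ceph-mgr-restful` and no host name, so a client of the REST endpoint has nothing to match the server against and can only pin the certificate or disable verification. With the stock openssl.cnf, `-extensions v3_ca` also marks it as a CA (`basicConstraints = CA:true`), and `-days 3650` keeps it valid for ten years. If a per-host name is acceptable here, `-subj "/O=IT/CN=$(hostname -f)"` would at least bind the certificate to the node. Otherwise a comment such as `# placeholder self-signed cert; replace with one issued for this host` above the `openssl req` call would make the intent explicit. The `%post mgr` scriptlet in ceph.spec.in uses the same arguments.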
diff --git a/debian/control b/debian/control
index cc4351d7c65..2099533f3d3 100644
--- a/debian/control
+++ b/debian/control
@@ -163,6 +163,7 @@ Architecture: linux-any
 Depends: ceph-base (= ${binary:Version}),
 python-pecan,
 python-werkzeug,
+ openssl,
 ${misc:Depends},
 ${python:Depends},
 python-cherrypy3,
diff --git a/src/pybind/mgr/restful/module.py b/src/pybind/mgr/restful/module.py
index 6ef0070c07f..0f47463ebec 100644
--- a/src/pybind/mgr/restful/module.py
+++ b/src/pybind/mgr/restful/module.py
@@ -227,12 +227,15 @@ class Module(MgrModule):
 separators=(',', ': '),
 )
+ cert = self.get_config_json("cert") or '/etc/ceph/ceph-mgr-restful.crt'
+ pkey = self.get_config_json("pkey") or '/etc/ceph/ceph-mgr-restful.key'
+
 # Create the HTTPS werkzeug server serving pecan app
 self.server = make_server(
 host='0.0.0.0',
 port=8002,
 app=make_app('restful.api.Root'),
- ssl_context=self.load_cert(),
+ ssl_context=(cert, pkey),
 )
 self.server.serve_forever()
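Review bot: The `cert` and `pkey` config values are now passed to `make_server` as file paths in `ssl_context=(cert, pkey)`, but the `load_cert` method this commit removes stored PEM contents under the same keys (`self.set_config_json('cert', f.read())`). On a cluster where that code has already run, the stored PEM text would be used as a file name and the HTTPS server would presumably fail to start; the old private key also stays in the config db. Either read the paths from differently named keys or fall back when the value is not a file, e.g. `if not (cert and os.path.isfile(cert)): cert = '/etc/ceph/ceph-mgr-restful.crt'`, and likewise for `pkey`. The enclosing method starts above the hunk, so it should be checked that `os` is still imported once `load_cert` is gone.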
@@ -317,43 +320,6 @@ class Module(MgrModule):
 )
- def load_cert(self):
- cert_base = self.get("config").get("mgr_data", "/tmp") + "/ceph-mgr-restful"
- cert_file = cert_base + '.crt'
- pkey_file = cert_base + '.key'
-
- # If the files are already there, we are good
- if os.access(cert_file, os.R_OK) and os.access(pkey_file, os.R_OK):
- return (cert_file, pkey_file)
-
- # If the certificate is in the ceph config db, write it to the files
- cert = self.get_config_json('cert')
- pkey = self.get_config_json('pkey')
-
- if cert and pkey:
- f = file(cert_file, 'w')
- f.write(cert)
- f.close()
-
- f = file(pkey_file, 'w')
- f.write(pkey)
- f.close()
- return (cert_file, pkey_file)
-
- # Otherwise, generate the certificate and save it in the config db
- make_ssl_devcert(cert_base, host='localhost')
-
- f = file(cert_file, 'r')
- self.set_config_json('cert', f.read())
- f.close()
-
- f = file(pkey_file, 'r')
- self.set_config_json('pkey', f.read())
- f.close()
-
- return (cert_file, pkey_file)
-
-
-
 def get_doc_api(self, root, prefix=''):
 doc = {}
 for _obj in dir(root):