From: Guillaume Abrioux <gabrioux@redhat.com>
Date: Tue, 12 Dec 2017 10:25:26 +0000 (+0100)
Subject: client: don't try to generate keys
X-Git-Tag: beta-3.1.0~20
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=ab1dd3027a4b9932e58f28b86ab46979eb1f1682;p=ceph-ansible.git

client: don't try to generate keys

the entrypoint to generate users keyring is `ceph-authtool`, therefore,
it can expand the `$(ceph-authtool --gen-print-key)` inside the
container. Users must generate a keyring themselves.
This commit also adds a check to ensure keyring are properly filled when
`user_config: true`.

Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com>
---

diff --git a/group_vars/clients.yml.sample b/group_vars/clients.yml.sample
index 301c37238..b4fc87117 100644
--- a/group_vars/clients.yml.sample
+++ b/group_vars/clients.yml.sample
@@ -21,7 +21,12 @@ dummy:
 # Can add `mds_cap` attribute to override the default value which is '' for mds capabilities.
 # To have have ansible setfacl the generated key for $user, set the acls var like so:
 # acls: ["u:$user:r--"]
+#
+# Generate a keyring using ceph-authtool CLI or python.
+# Eg:
+#  $ ceph-authtool --gen-print-key
+#  $ python2 -c "import os ; import struct ; import time; import base64 ; key = os.urandom(16) ; header = struct.pack('<hiih',1,int(time.time()),0,len(key)) ; print base64.b64encode(header + key)"
 #keys:
-#  - { name: client.test, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool=test", mode: "0600", acls: [] }
-#  - { name: client.test2, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool=test2", mode: "0600", acls: [] }
+#  - { name: client.test, key: "ADD-KEYRING-HERE==", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool=test", mode: "0600", acls: [] }
+#  - { name: client.test2, key: "ADD-KEYRING-HERE==", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool=test2", mode: "0600", acls: [] }
 
diff --git a/roles/ceph-client/defaults/main.yml b/roles/ceph-client/defaults/main.yml
index 4a18e81a2..37e43aa06 100644
--- a/roles/ceph-client/defaults/main.yml
+++ b/roles/ceph-client/defaults/main.yml
@@ -13,6 +13,11 @@ pools:
 # Can add `mds_cap` attribute to override the default value which is '' for mds capabilities.
 # To have have ansible setfacl the generated key for $user, set the acls var like so:
 # acls: ["u:$user:r--"]
+#
+# Generate a keyring using ceph-authtool CLI or python.
+# Eg:
+#  $ ceph-authtool --gen-print-key
+#  $ python2 -c "import os ; import struct ; import time; import base64 ; key = os.urandom(16) ; header = struct.pack('<hiih',1,int(time.time()),0,len(key)) ; print base64.b64encode(header + key)"
 keys:
-  - { name: client.test, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool=test", mode: "0600", acls: [] }
-  - { name: client.test2, key: "$(ceph-authtool --gen-print-key)", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool=test2", mode: "0600", acls: [] }
+  - { name: client.test, key: "ADD-KEYRING-HERE==", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool=test", mode: "0600", acls: [] }
+  - { name: client.test2, key: "ADD-KEYRING-HERE==", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool=test2", mode: "0600", acls: [] }
diff --git a/roles/ceph-client/tasks/pre_requisite.yml b/roles/ceph-client/tasks/pre_requisite.yml
index ec90bf5d9..dc9717a44 100644
--- a/roles/ceph-client/tasks/pre_requisite.yml
+++ b/roles/ceph-client/tasks/pre_requisite.yml
@@ -1,4 +1,12 @@
 ---
+- name: check keys has been filled in users.key variables
+  fail:
+    msg: "you must generate and set keys properly in users.key variables"
+  with_items: "{{ keys }}"
+  when:
+    - user_config
+    - item.key == 'ADD-KEYRING-HERE=='
+
 - name: set selinux permissions
   shell: |
     chcon -Rt svirt_sandbox_file_t {{ item }}
diff --git a/tests/functional/centos/7/cluster/group_vars/clients b/tests/functional/centos/7/cluster/group_vars/clients
index 291237f58..d4627808d 100644
--- a/tests/functional/centos/7/cluster/group_vars/clients
+++ b/tests/functional/centos/7/cluster/group_vars/clients
@@ -1,2 +1,5 @@
 ---
 copy_admin_key: true
+keys:
+  - { name: client.test, key: "AQAin8tUoMPDGRAACcfAQHbq4eTuUoTCZdW1Uw==", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool=test", mode: "0600", acls: [] }
+  - { name: client.test2, key: "AQAin8tUAJkGGhAA8WZ8Lz5c7IkT8QZ5s7bI1A==", mon_cap: "allow r", osd_cap: "allow class-read object_prefix rbd_children, allow rwx pool=test2", mode: "0600", acls: [] }