From: Jason Dillaman
Date: Thu, 27 Jul 2017 18:07:00 +0000 (-0400)
Subject: mon: new bootstrap-rbd auth profile
X-Git-Tag: v12.1.3~65^2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=bedd712840e0d78c3b82a6aecfcd89b129f2ab5c;p=ceph.git

mon: new bootstrap-rbd auth profile

Signed-off-by: Jason Dillaman
---
diff --git a/ceph.spec.in b/ceph.spec.in
index 93aabf8279d6..055ecac5fa46 100644
--- a/ceph.spec.in
+++ b/ceph.spec.in
@@ -910,6 +910,7 @@ mkdir -p %{buildroot}%{_localstatedir}/lib/ceph/bootstrap-osd
 mkdir -p %{buildroot}%{_localstatedir}/lib/ceph/bootstrap-mds
 mkdir -p %{buildroot}%{_localstatedir}/lib/ceph/bootstrap-rgw
 mkdir -p %{buildroot}%{_localstatedir}/lib/ceph/bootstrap-mgr
+mkdir -p %{buildroot}%{_localstatedir}/lib/ceph/bootstrap-rbd
 %if 0%{?suse_version}
 # create __pycache__ directories and their contents
@@ -978,6 +979,7 @@ rm -rf %{buildroot}
 %attr(750,ceph,ceph) %dir %{_localstatedir}/lib/ceph/bootstrap-mds
 %attr(750,ceph,ceph) %dir %{_localstatedir}/lib/ceph/bootstrap-rgw
 %attr(750,ceph,ceph) %dir %{_localstatedir}/lib/ceph/bootstrap-mgr
+%attr(750,ceph,ceph) %dir %{_localstatedir}/lib/ceph/bootstrap-rbd
 %post base
 /sbin/ldconfig
diff --git a/debian/ceph-base.dirs b/debian/ceph-base.dirs
index a60a331caac3..2ae6860022e0 100644
--- a/debian/ceph-base.dirs
+++ b/debian/ceph-base.dirs
@@ -2,4 +2,5 @@ var/lib/ceph/bootstrap-mds
 var/lib/ceph/bootstrap-mgr
 var/lib/ceph/bootstrap-osd
 var/lib/ceph/bootstrap-rgw
+var/lib/ceph/bootstrap-rbd
 var/lib/ceph/tmp
diff --git a/doc/start/quick-ceph-deploy.rst b/doc/start/quick-ceph-deploy.rst
index f86d7567431c..50b7f307f6ef 100644
--- a/doc/start/quick-ceph-deploy.rst
+++ b/doc/start/quick-ceph-deploy.rst
@@ -101,6 +101,7 @@ configuration details, perform the following steps using ``ceph-deploy``.
 - ``ceph.bootstrap-osd.keyring``
 - ``ceph.bootstrap-mds.keyring``
 - ``ceph.bootstrap-rgw.keyring``
+ - ``ceph.bootstrap-rbd.keyring``
 .. note:: If this process fails with a message similar to "Unable to find /etc/ceph/ceph.client.admin.keyring", please ensure that the
diff --git a/src/ceph-create-keys b/src/ceph-create-keys
index 75005f5871f2..c14c02f28dc0 100755
--- a/src/ceph-create-keys
+++ b/src/ceph-create-keys
@@ -305,7 +305,11 @@ def main():
 type_='mds',
 wait_count=args.timeout,
 )
-
+ bootstrap_key(
+ cluster=args.cluster,
+ type_='rbd',
+ wait_count=args.timeout,
+ )
 if __name__ == '__main__':
 main()
diff --git a/src/mon/MonCap.cc b/src/mon/MonCap.cc
index 5eaa6a30e2ad..c5ce8d1c1633 100644
--- a/src/mon/MonCap.cc
+++ b/src/mon/MonCap.cc
@@ -258,6 +258,17 @@ void MonCapGrant::expand_profile_mon(const EntityName& name) const
 profile_grants.back().command_args["caps_osd"] = StringConstraint(
 StringConstraint::MATCH_TYPE_EQUAL, "allow rwx");
 }
+ if (profile == "bootstrap-rbd") {
+ profile_grants.push_back(MonCapGrant("mon", MON_CAP_R)); // read monmap
+ profile_grants.push_back(MonCapGrant("auth get-or-create")); // FIXME: this can expose other mds keys
+ profile_grants.back().command_args["entity"] = StringConstraint(
+ StringConstraint::MATCH_TYPE_PREFIX, "client.");
+ profile_grants.back().command_args["caps_mon"] = StringConstraint(
+ StringConstraint::MATCH_TYPE_EQUAL, "profile rbd");
+ profile_grants.back().command_args["caps_osd"] = StringConstraint(
+ StringConstraint::MATCH_TYPE_REGEX,
+ "^([ ,]*profile(=|[ ]+)['\"]?rbd[^ ,'\"]*['\"]?([ ]+pool(=|[ ]+)['\"]?[^,'\"]+['\"]?)?)+$");
+ }
 if (profile == "fs-client") {
 profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
 profile_grants.push_back(MonCapGrant("mds", MON_CAP_R));
diff --git a/src/test/mon/moncap.cc b/src/test/mon/moncap.cc
index a3379eefc6c7..cecd8b30e04d 100644
--- a/src/test/mon/moncap.cc
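Review bot: The new bootstrap_key() call for 'rbd' is a verbatim copy of the three-keyword call above it (only the tail of the mds one is visible here; the spec hunk's bootstrap-osd/mds/rgw/mgr directories suggest more copies earlier in main()), so the list of bootstrap key types now lives in N places. A loop such as `for type_ in ('osd', 'rgw', 'mds', 'rbd'):` around a single `bootstrap_key(cluster=args.cluster, type_=type_, wait_count=args.timeout)` would keep that list in one spot the next time a profile is added. Judging by the hunk counts, the new block also replaces the removed blank line after the mds call, leaving a single blank between main()'s body and the `if __name__ == '__main__':` guard where PEP 8 asks for two. main() starts outside the hunk.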
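Review bot: The caps_osd regex in the new bootstrap-rbd branch matches `rbd[^ ,'\"]*`, so it accepts any OSD profile whose name merely starts with "rbd" — today that is rbd and rbd-read-only, but any profile added later with that prefix (an "rbd-admin", say) would silently become mintable by a bootstrap key, which is the opposite of what a bootstrap profile should hand out. Enumerate the intended profiles instead: `"^([ ,]*profile(=|[ ]+)['\"]?rbd(-read-only)?['\"]?([ ]+pool(=|[ ]+)['\"]?[^,'\"]+['\"]?)?)+$"`; the test's `profile rbd pool=foo, profile rbd-read-only` case still passes. Separately, the FIXME on the `auth get-or-create` grant was carried over from the mds branch and names the wrong entities — the constraint here is the `client.` prefix, so it should read `// FIXME: this can expose other client.* keys`, which is the exposure the comment itself acknowledges. expand_profile_mon starts and ends outside this hunk.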
+++ b/src/test/mon/moncap.cc
@@ -258,3 +258,30 @@ TEST(MonCap, CommandRegEx) {
 ASSERT_FALSE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_OSD, name, "", "abc", {{"arg", ""}}, true, true, true));
 }
+
+TEST(MonCap, ProfileBootstrapRBD) {
+ MonCap cap;
+ ASSERT_FALSE(cap.is_allow_all());
+ ASSERT_TRUE(cap.parse("profile bootstrap-rbd", NULL));
+
+ EntityName name;
+ name.from_str("mon.a");
+ ASSERT_TRUE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_MON, name, "",
+ "auth get-or-create", {
+ {"entity", "client.rbd"},
+ {"caps_mon", "profile rbd"},
+ {"caps_osd", "profile rbd pool=foo, profile rbd-read-only"},
+ }, true, true, true));
+ ASSERT_FALSE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_MON, name, "",
+ "auth get-or-create", {
+ {"entity", "client.rbd"},
+ {"caps_mon", "allow *"},
+ {"caps_osd", "profile rbd"},
+ }, true, true, true));
+ ASSERT_FALSE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_MON, name, "",
+ "auth get-or-create", {
+ {"entity", "client.rbd"},
+ {"caps_mon", "profile rbd"},
+ {"caps_osd", "profile rbd pool=foo, allow *, profile rbd-read-only"},
+ }, true, true, true));
+}
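Review bot: TEST(MonCap, ProfileBootstrapRBD) never exercises the entity constraint: the profile only permits `client.`-prefixed entities (MATCH_TYPE_PREFIX on "entity" in MonCap.cc), yet every assertion here uses client.rbd, so a regression that relaxed or dropped that constraint — letting a bootstrap-rbd key mint an `osd.0` or `mon.` key — would pass this test. Add an ASSERT_FALSE for a non-client entity with otherwise-valid caps, and, because the caps_osd regex accepts any profile name beginning with "rbd", consider a case that pins whether `profile rbdfoo` is meant to be accepted. The added test is wholly inside the hunk.
```cpp
  // … unchanged: existing positive and negative assertions …
  ASSERT_FALSE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_MON, name, "",
                              "auth get-or-create", {
                                {"entity", "osd.0"},
                                {"caps_mon", "profile rbd"},
                                {"caps_osd", "profile rbd"},
                              }, true, true, true));
```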