From 49f72811c704ae6b789b6bd0a57b0dd63c6f8318 Mon Sep 17 00:00:00 2001 From: Adam King Date: Wed, 24 Feb 2021 16:13:01 -0500 Subject: [PATCH] mgr/cephadm: update caps if necessary when getting keyring If the caps change from the old version to the new one it causes issues in the upgrade. This allows the caps to be updated. Currently only seeing this with iscsi but changing it for other as a precaution Signed-off-by: Adam King (cherry picked from commit 7c0d532f3a4839f4199a13773fb5fa8b6fb3f183) --- .../mgr/cephadm/services/cephadmservice.py | 65 +++++++++---------- src/pybind/mgr/cephadm/services/iscsi.py | 15 ++--- src/pybind/mgr/cephadm/services/nfs.py | 18 ++--- src/pybind/mgr/cephadm/tests/test_services.py | 7 +- 4 files changed, 48 insertions(+), 57 deletions(-) diff --git a/src/pybind/mgr/cephadm/services/cephadmservice.py b/src/pybind/mgr/cephadm/services/cephadmservice.py index de2e14e3879a4..00c0e960de49a 100644 --- a/src/pybind/mgr/cephadm/services/cephadmservice.py +++ b/src/pybind/mgr/cephadm/services/cephadmservice.py @@ -140,6 +140,18 @@ class CephadmService(metaclass=ABCMeta): # defined, return empty Daemon Desc return DaemonDescription() + def get_keyring_with_caps(self, entity: AuthEntity, caps: List[str]) -> str: + ret, keyring, err = self.mgr.check_mon_command({ + 'prefix': 'auth get-or-create', + 'entity': entity, + }) + ret, out, err = self.mgr.check_mon_command({ + 'prefix': 'auth caps', + 'entity': entity, + 'caps': caps, + }) + return keyring + def _inventory_get_addr(self, hostname: str) -> str: """Get a host's address with its hostname.""" return self.mgr.inventory.get_addr(hostname) 
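Review bot: `get_keyring_with_caps` issues `auth caps` on every call rather than only when the caps differ, so any capability set an operator has placed on the entity is replaced by the hard-coded list each time the daemon is configured; the commit subject says "if necessary", but the code makes no such check. If that is the intended contract for keys cephadm owns, state it in a docstring, e.g. `"""Return the keyring for entity, creating it if needed, and overwrite its caps with caps."""`. The entity is also created without caps by the first command and only receives them from the second, so a failed `auth caps` leaves a key with no caps; presumably `check_mon_command` raises in that case, which is worth confirming and covering in a test. `ret`, `err` and `out` are never read and could be `_`. The same behaviour change applies to every caller converted in this patch (mgr, mds, rgw, rbd-mirror, crash, iscsi, nfs).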
@@ -510,13 +522,10 @@ class MgrService(CephService): mgr_id, _ = daemon_spec.daemon_id, daemon_spec.host # get mgr. key - ret, keyring, err = self.mgr.check_mon_command({ - 'prefix': 'auth get-or-create', - 'entity': self.get_auth_entity(mgr_id), - 'caps': ['mon', 'profile mgr', - 'osd', 'allow *', - 'mds', 'allow *'], - }) + keyring = self.get_keyring_with_caps(self.get_auth_entity(mgr_id), + ['mon', 'profile mgr', + 'osd', 'allow *', + 'mds', 'allow *']) # Retrieve ports used by manager modules # In the case of the dashboard port and with several manager daemons @@ -617,14 +626,11 @@ class MdsService(CephService): assert self.TYPE == daemon_spec.daemon_type mds_id, _ = daemon_spec.daemon_id, daemon_spec.host - # get mgr. key - ret, keyring, err = self.mgr.check_mon_command({ - 'prefix': 'auth get-or-create', - 'entity': self.get_auth_entity(mds_id), - 'caps': ['mon', 'profile mds', - 'osd', 'allow rw tag cephfs *=*', - 'mds', 'allow'], - }) + # get mds. key + keyring = self.get_keyring_with_caps(self.get_auth_entity(mds_id), + ['mon', 'profile mds', + 'osd', 'allow rw tag cephfs *=*', + 'mds', 'allow']) daemon_spec.keyring = keyring daemon_spec.final_config, daemon_spec.deps = self.generate_config(daemon_spec) @@ -731,13 +737,10 @@ class RgwService(CephService): return daemon_spec def get_keyring(self, rgw_id: str) -> str: - ret, keyring, err = self.mgr.check_mon_command({ - 'prefix': 'auth get-or-create', - 'entity': self.get_auth_entity(rgw_id), - 'caps': ['mon', 'allow *', - 'mgr', 'allow rw', - 'osd', 'allow rwx tag rgw *=*'], - }) + keyring = self.get_keyring_with_caps(self.get_auth_entity(rgw_id), + ['mon', 'allow *', + 'mgr', 'allow rw', + 'osd', 'allow rwx tag rgw *=*']) return keyring def ok_to_stop( 
@@ -783,12 +786,9 @@ class RbdMirrorService(CephService): assert self.TYPE == daemon_spec.daemon_type daemon_id, _ = daemon_spec.daemon_id, daemon_spec.host - ret, keyring, err = self.mgr.check_mon_command({ - 'prefix': 'auth get-or-create', - 'entity': self.get_auth_entity(daemon_id), - 'caps': ['mon', 'profile rbd-mirror', - 'osd', 'profile rbd'], - }) + keyring = self.get_keyring_with_caps(self.get_auth_entity(daemon_id), + ['mon', 'profile rbd-mirror', + 'osd', 'profile rbd']) daemon_spec.keyring = keyring @@ -817,12 +817,9 @@ class CrashService(CephService): assert self.TYPE == daemon_spec.daemon_type daemon_id, host = daemon_spec.daemon_id, daemon_spec.host - ret, keyring, err = self.mgr.check_mon_command({ - 'prefix': 'auth get-or-create', - 'entity': self.get_auth_entity(daemon_id, host=host), - 'caps': ['mon', 'profile crash', - 'mgr', 'profile crash'], - }) + keyring = self.get_keyring_with_caps(self.get_auth_entity(daemon_id, host=host), + ['mon', 'profile crash', + 'mgr', 'profile crash']) daemon_spec.keyring = keyring diff --git a/src/pybind/mgr/cephadm/services/iscsi.py b/src/pybind/mgr/cephadm/services/iscsi.py index efa25430a4670..c4e0762d27443 100644 --- a/src/pybind/mgr/cephadm/services/iscsi.py +++ b/src/pybind/mgr/cephadm/services/iscsi.py 
@@ -27,15 +27,12 @@ class IscsiService(CephService): spec = cast(IscsiServiceSpec, self.mgr.spec_store[daemon_spec.service_name].spec) igw_id = daemon_spec.daemon_id - ret, keyring, err = self.mgr.check_mon_command({ - 'prefix': 'auth get-or-create', - 'entity': self.get_auth_entity(igw_id), - 'caps': ['mon', 'profile rbd, ' - 'allow command "osd blocklist", ' - 'allow command "config-key get" with "key" prefix "iscsi/"', - 'mgr', 'allow command "service status"', - 'osd', 'allow rwx'], - }) + keyring = self.get_keyring_with_caps(self.get_auth_entity(igw_id), + ['mon', 'profile rbd, ' + 'allow command "osd blocklist", ' + 'allow command "config-key get" with "key" prefix "iscsi/"', + 'mgr', 'allow command "service status"', + 'osd', 'allow rwx']) if spec.ssl_cert: if isinstance(spec.ssl_cert, list): diff --git a/src/pybind/mgr/cephadm/services/nfs.py b/src/pybind/mgr/cephadm/services/nfs.py index 760132b01212a..1eca6f923a450 100644 --- a/src/pybind/mgr/cephadm/services/nfs.py +++ b/src/pybind/mgr/cephadm/services/nfs.py @@ -118,12 +118,9 @@ class NFSService(CephService): osd_caps = '%s namespace=%s' % (osd_caps, spec.namespace) logger.info('Create keyring: %s' % entity) - ret, keyring, err = self.mgr.check_mon_command({ - 'prefix': 'auth get-or-create', - 'entity': entity, - 'caps': ['mon', 'allow r', - 'osd', osd_caps], - }) + keyring = self.get_keyring_with_caps(entity, + ['mon', 'allow r', + 'osd', osd_caps]) return keyring @@ -132,12 +129,9 @@ class NFSService(CephService): entity: AuthEntity = self.get_auth_entity(f'{daemon_id}-rgw') logger.info('Create keyring: %s' % entity) - ret, keyring, err = self.mgr.check_mon_command({ - 'prefix': 'auth get-or-create', - 'entity': entity, - 'caps': ['mon', 'allow r', - 'osd', 'allow rwx tag rgw *=*'], - }) + keyring = self.get_keyring_with_caps(entity, + ['mon', 'allow r', + 'osd', 'allow rwx tag rgw *=*']) return keyring 
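Review bot: The `mon` capability in this list is a single string built from three adjacent literals (`'profile rbd, ' 'allow command "osd blocklist", ' 'allow command "config-key get" ...'`), which is easy to misread as three list elements now that it sits in a bare positional argument. The list appears to be consumed as alternating entity/cap items, so a comma added there later would shift every following pair without raising an error. Wrapping the concatenation in parentheses, or binding it first as `mon_caps = (...)`, makes the pairing explicit. Because the helper now rewrites the entity's caps on each run, `'osd', 'allow rwx'` is re-applied every time as well; if the gateway only needs specific pools, narrowing it is worth a follow-up. The enclosing function continues outside the hunk.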
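Review bot: `osd_caps` reaches `auth caps` after `spec.namespace` has been formatted into it with `'%s namespace=%s'` (the context line above the call), and nothing visible in the hunk validates that value. If the namespace can contain whitespace, commas or quotes, the resulting string may parse as a different grant than intended, and with this change it is applied to an existing entity as well as a newly created one. Consider checking the namespace (and presumably the pool used earlier in the function, which lies outside the hunk) against a restricted character set before building the cap string. The `logger.info('Create keyring: %s' % entity)` message is also no longer accurate, since the call may only be updating caps.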
diff --git a/src/pybind/mgr/cephadm/tests/test_services.py b/src/pybind/mgr/cephadm/tests/test_services.py index 19fc5b36e4012..1f140945bc42c 100644 --- a/src/pybind/mgr/cephadm/tests/test_services.py +++ b/src/pybind/mgr/cephadm/tests/test_services.py @@ -107,10 +107,13 @@ class TestCephadmService: 'osd', 'allow rwx'] expected_call = call({'prefix': 'auth get-or-create', - 'entity': 'client.iscsi.a', - 'caps': expected_caps}) + 'entity': 'client.iscsi.a'}) + expected_call2 = call({'prefix': 'auth caps', + 'entity': 'client.iscsi.a', + 'caps': expected_caps}) assert expected_call in mgr.check_mon_command.mock_calls + assert expected_call2 in mgr.check_mon_command.mock_calls def test_get_auth_entity(self): mgr = FakeMgr() -- 2.39.5
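Review bot: The two `in mgr.check_mon_command.mock_calls` assertions pass regardless of call order and of any additional mon commands, so the test would not catch `auth caps` being issued before `auth get-or-create`. `mgr.check_mon_command.assert_has_calls([expected_call, expected_call2])` checks the sequence in one statement. The upgrade scenario from the commit message, an entity that already exists with different caps, is not exercised here, though `FakeMgr` may not model existing entities. The test function starts outside the hunk.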