From 82332b7a3bb043d84f51520cbc3674acb25b25dd Mon Sep 17 00:00:00 2001
From: John Spray
Date: Tue, 16 May 2017 13:28:48 +0100
Subject: [PATCH] ceph-create-keys: update client.admin if it already exists

This means that anyone who de-privileges their client.admin user will find that it gets resets with full privileges again. This is necessary because we cannot distinguish between an old key and a deliberately de-privileged key, and it's okay because this is the admin key, it's meant to have access to everything.
Fixes: http://tracker.ceph.com/issues/19940
Signed-off-by: John Spray
---
 src/ceph-create-keys | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/src/ceph-create-keys b/src/ceph-create-keys
index 65ccd4a212c..dda58e62e11 100755
--- a/src/ceph-create-keys
+++ b/src/ceph-create-keys
@@ -136,6 +136,19 @@ def get_key(cluster, mon_id):
 ],
 stdout=f,
 )
+ else:
+ returncode = subprocess.call(
+ args=args_prefix + [
+ 'auth',
+ 'caps',
+ 'client.admin',
+ 'mon', 'allow *',
+ 'osd', 'allow *',
+ 'mds', 'allow *',
+ 'mgr', 'allow *',
+ ],
+ stdout=f,
+ )
 if returncode != 0:
 if returncode == errno.EPERM or returncode == errno.EACCES:
--
2.39.5
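Review bot: The added `else:` branch runs `auth caps` for every outcome the preceding `if` does not match, and that `if` lies outside the hunk, so it is worth confirming the branch cannot be reached after a failed lookup. If it can, the caps call overwrites the earlier `returncode` and masks the original error; `elif returncode == 0:` would confine the reset to the case where the key was actually found. The branch also widens client.admin back to `allow *` on mon, osd, mds and mgr with no trace in the code or the logs, so an operator who narrowed the key on purpose gets no audit trail. A comment such as `# Caps are reset unconditionally: an old key cannot be told apart from a deliberately de-privileged one.` and an info-level log line before the call would record that. get_key's body starts and ends outside the hunk.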