From e9b6ef73b8c843d7442b97c992432155c36141a6 Mon Sep 17 00:00:00 2001
From: Michael Fritch
Date: Mon, 16 Mar 2020 12:05:56 -0600
Subject: [PATCH] mgr/cephadm: create/update keyring during nfs config
the keyring might already exist from a prior config/reconfig/redeploy. attempt to get_or_create the keyring first and than update the keyring caps afterward
Signed-off-by: Michael Fritch
(cherry picked from commit 084fd4a91ae781ab7bed9e06ceca17b1a5ca5be2)
---
 src/pybind/mgr/cephadm/module.py | 31 +++++++++++++++++---------
 src/pybind/mgr/cephadm/nfs.py | 38 +++++++++++++++++++++++++-------
 2 files changed, 50 insertions(+), 19 deletions(-)
diff --git a/src/pybind/mgr/cephadm/module.py b/src/pybind/mgr/cephadm/module.py
index 0d6e3000854cb..15e2218ad1992 100644
--- a/src/pybind/mgr/cephadm/module.py
+++ b/src/pybind/mgr/cephadm/module.py
@@ -2236,11 +2236,6 @@ class CephadmOrchestrator(orchestrator.Orchestrator, MgrModule):
 elif daemon_type == 'nfs':
 cephadm_config, deps = \
 self._generate_nfs_config(daemon_type, daemon_id, host)
- cephadm_config.update(
- self._get_config_and_keyring(
- daemon_type, daemon_id,
- keyring=keyring,
- extra_config=extra_config))
 extra_args.extend(['--config-json', '-'])
 elif daemon_type == 'alertmanager':
 cephadm_config, deps = self._generate_alertmanager_config()
@@ -2788,9 +2783,26 @@ class CephadmOrchestrator(orchestrator.Orchestrator, MgrModule):
 # cast to keep mypy happy
 spec = cast(NFSServiceSpec, specs[0])
- # generate the cephadm config
 nfs = NFSGanesha(self, daemon_id, spec)
- return nfs.get_cephadm_config(), deps
+
+ # create the keyring
+ entity = nfs.get_keyring_entity()
+ keyring = nfs.get_or_create_keyring(entity=entity)
+
+ # update the caps after get-or-create, the keyring might already exist!
+ nfs.update_keyring_caps(entity=entity)
+
+ # create the rados config object
+ nfs.create_rados_config_obj()
+
+ # generate the cephadm config
+ cephadm_config = nfs.get_cephadm_config()
+ cephadm_config.update(
+ self._get_config_and_keyring(
+ daemon_type, daemon_id,
+ keyring=keyring))
+
+ return cephadm_config, deps
 def add_nfs(self, spec):
 return self._add_daemon('nfs', spec, self._create_nfs, self._config_nfs)
@@ -2801,10 +2813,7 @@ class CephadmOrchestrator(orchestrator.Orchestrator, MgrModule):
 self.spec_store.save(spec)
 def _create_nfs(self, daemon_id, host, spec):
- nfs = NFSGanesha(self, daemon_id, spec)
- keyring = nfs.create_keyring()
- nfs.create_rados_config_obj()
- return self._create_daemon('nfs', daemon_id, host, keyring=keyring)
+ return self._create_daemon('nfs', daemon_id, host)
 @trivial_completion
 def apply_nfs(self, spec):
diff --git a/src/pybind/mgr/cephadm/nfs.py b/src/pybind/mgr/cephadm/nfs.py
index 319d8ed3de645..d30b09b2e03f9 100644
--- a/src/pybind/mgr/cephadm/nfs.py
+++ b/src/pybind/mgr/cephadm/nfs.py
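Review bot: `extra_config` is no longer forwarded for nfs daemons: the call removed from the nfs branch in the first module.py hunk passed `keyring=keyring, extra_config=extra_config`, while the new call here (in what appears to be `_generate_nfs_config`) passes only `keyring=keyring`, so any extra config given for an nfs daemon looks to be dropped silently. If that is intended, say so in a comment next to the call; otherwise thread the value through. Separately, this config generator now changes cluster state on every call (`auth get-or-create`, `auth caps`, and the rados config object), which its name does not suggest; a docstring such as `"""Ensure the nfs keyring, caps and rados config object exist, then return (cephadm_config, deps)."""` would make that explicit. Whether `create_rados_config_obj()` leaves an existing object untouched on reconfig/redeploy is not visible in this patch and should be confirmed. The function starts above the hunk.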
@@ -39,27 +39,49 @@ class NFSGanesha(object):
 url += self.get_rados_config_name()
 return url
- def create_keyring(self):
+ def get_keyring_entity(self):
 # type: () -> str
- entity = cephadm.name_to_config_section(self.get_rados_user())
+ return cephadm.name_to_config_section(self.get_rados_user())
- osd_caps='allow rw pool=%s' % (self.spec.pool)
- if self.spec.namespace:
- osd_caps='%s namespace=%s' % (osd_caps, self.spec.namespace)
+ def get_or_create_keyring(self, entity=None):
+ # type: (Optional[str]) -> str
+ if not entity:
+ entity = self.get_keyring_entity()
 logger.info('Create keyring: %s' % entity)
 ret, keyring, err = self.mgr.mon_command({
 'prefix': 'auth get-or-create',
 'entity': entity,
+ })
+
+ if ret != 0:
+ raise OrchestratorError(
+ 'Unable to create keyring %s: %s %s' \
+ % (entity, ret, err))
+ return keyring
+
+ def update_keyring_caps(self, entity=None):
+ # type: (Optional[str]) -> None
+ if not entity:
+ entity = self.get_keyring_entity()
+
+ osd_caps='allow rw pool=%s' % (self.spec.pool)
+ if self.spec.namespace:
+ osd_caps='%s namespace=%s' % (osd_caps, self.spec.namespace)
+
+ logger.info('Updating keyring caps: %s' % entity)
+ ret, out, err = self.mgr.mon_command({
+ 'prefix': 'auth caps',
+ 'entity': entity,
 'caps': ['mon', 'allow r', 'osd', osd_caps, 'mds', 'allow rw'],
 })
 if ret != 0:
- raise OrchestratorError('Unable to create keyring: %s' % (entity))
-
- return keyring
+ raise OrchestratorError(
+ 'Unable to update keyring caps %s: %s %s' \
+ % (entity, ret, err))
 def create_rados_config_obj(self):
 # type: () -> None
-- 
2.39.5
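Review bot: In `update_keyring_caps`, `self.spec.pool` and `self.spec.namespace` are formatted straight into the OSD cap string, so a value containing whitespace, a comma or a quote would change how the cap is parsed instead of just naming a pool; nothing visible in this hunk validates the spec fields first. Reject such values before building `osd_caps`, for example `if not re.match(r'^[A-Za-z0-9_.-]+$', self.spec.pool): raise OrchestratorError('invalid pool name %r' % self.spec.pool)`, with the same check for the namespace (the character class is a conservative suggestion to align with the cap grammar, and `re` would need to be imported). `auth caps` replaces the entity's whole cap set rather than merging, so every config generation resets caps that were changed out of band; a one-line comment above the `mon_command` call should say so. The three new methods also have no docstrings, and `get_or_create_keyring` still logs 'Create keyring' even when the key already exists.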