Merge "Fix for manage_keyring behavior."
diff --git a/README.rst b/README.rst
index f178dd3..a41eb28 100644
--- a/README.rst
+++ b/README.rst
@@ -526,39 +526,48 @@
Ceph manage clients keyring keys
-------------------------
+--------------------------------
Keyrings are dynamically generated unless specified by the manage_keyring pillar.
-This settings has no effect on admin keyring.
+This settings has effect on admin keyring only if caps are not defined.
.. code-block:: yaml
ceph:
+ setup:
+ enabled: true
common:
manage_keyring: true
keyring:
+ admin:
+ key: AACf3ulZFFPNDxAAd2DWds3aEkHh4IklZVgIaQ==
+ mode: 600
glance:
name: images
key: AACf3ulZFFPNDxAAd2DWds3aEkHh4IklZVgIaQ==
+ user: glance
caps:
mon: "allow r"
osd: "allow class-read object_prefix rdb_children, allow rwx pool=images"
Ceph manage admin keyring
---------------------------
-To use pre-defined admin key add manage_admin_keyring and admin keyring definition to ceph mon nodes in cluster_model/ceph/mon.yml
+-------------------------
+To use pre-defined admin key add manage_admin_keyring and admin keyring definition to
+ceph mon nodes in cluster_model/ceph/mon.yml
-ceph:
- common:
- manage_admin_keyring: true
- keyring:
- admin:
- caps:
- mds: "allow *"
- mgr: "allow *"
- mon: "allow *"
- osd: "allow *"
- key: AACf3ulZFFPNDxAAd2DWds3aEkHh4IklZVgIaQ==
+.. code-block:: yaml
+
+ ceph:
+ common:
+ manage_admin_keyring: true
+ keyring:
+ admin:
+ caps:
+ mds: "allow *"
+ mgr: "allow *"
+ mon: "allow *"
+ osd: "allow *"
+ key: AACf3ulZFFPNDxAAd2DWds3aEkHh4IklZVgIaQ==
Specify alternative keyring path and username
diff --git a/ceph/common.sls b/ceph/common.sls
index 6b9608c..751c0ad 100644
--- a/ceph/common.sls
+++ b/ceph/common.sls
@@ -1,5 +1,6 @@
{%- from "ceph/map.jinja" import common with context %}
+{%- set ceph_cluster = common.get('cluster_name', 'ceph') %}
{% if not common.get('container_mode', False) %}
common_packages:
@@ -24,7 +25,7 @@
common_config:
file.managed:
- - name: {{ common.prefix_dir }}/etc/ceph/{{ common.get('cluster_name', 'ceph') }}.conf
+ - name: {{ common.prefix_dir }}/etc/ceph/{{ ceph_cluster }}.conf
- user: ceph
- group: ceph
- source: salt://ceph/files/{{ common.version }}/ceph.conf.{{ grains.os_family }}
@@ -34,27 +35,19 @@
- pkg: common_packages
{%- endif %}
+{%- if common.keyring is defined and common.keyring.admin is defined and common.keyring.admin.caps is defined %}
+ {%- set managed_keyring_path = common.get('keyring', {}).get('admin', {}).get('path', common.prefix_dir + '/etc/ceph/' + ceph_cluster + '.client.admin.keyring') %}
-{%- if common.keyring is defined and common.keyring.admin is defined %}
-
-{%- if common.get("manage_admin_keyring", False) %}
-
-ceph_create_keyring_admin:
- cmd.run:
- - name: "ceph-authtool --create-keyring {{ common.prefix_dir }}/etc/ceph/{{ common.get('cluster_name', 'ceph') }}.client.admin.keyring --add-key {{ common.keyring.admin.key }} -n client.admin {%- for cap_name, cap in common.keyring.admin.caps.iteritems() %} --cap {{ cap_name }} '{{ cap }}' {%- endfor %}"
- - unless: "test -f {{ common.prefix_dir }}/etc/ceph/{{ common.get('cluster_name', 'ceph') }}.client.admin.keyring"
- - require:
- {% if not common.get('container_mode', False) %}
- - pkg: common_packages
+ {%- if common.get("manage_admin_keyring", False) %}
+ {%- set admin_cmd = '--add-key ' + common.keyring.admin.key %}
+ {%- else %}
+ {%- set admin_cmd = '--gen-key' %}
{%- endif %}
- - file: common_config
-
-{%- else %}
ceph_create_keyring_admin:
cmd.run:
- - name: "ceph-authtool --create-keyring {{ common.prefix_dir }}/etc/ceph/{{ common.get('cluster_name', 'ceph') }}.client.admin.keyring --gen-key -n client.admin {%- for cap_name, cap in common.keyring.admin.caps.iteritems() %} --cap {{ cap_name }} '{{ cap }}' {%- endfor %}"
- - unless: "test -f {{ common.prefix_dir }}/etc/ceph/{{ common.get('cluster_name', 'ceph') }}.client.admin.keyring"
+ - name: "ceph-authtool --create-keyring {{ managed_keyring_path }} {{ admin_cmd }} -n client.admin {%- for cap_name, cap in common.keyring.admin.caps.iteritems() %} --cap {{ cap_name }} '{{ cap }}' {%- endfor %}"
+ - unless: "test -f {{ managed_keyring_path }}"
- require:
{% if not common.get('container_mode', False) %}
- pkg: common_packages
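Review bot: With `manage_admin_keyring` set, `admin_cmd` places the admin secret on the `ceph-authtool` command line of `ceph_create_keyring_admin`, so it is visible in the process list while the command runs. Because the command string is also the state's `name`, it very likely ends up in Salt job returns and logs as well. The removed code did the same, but this refactor is a good place to stop doing it: render the keyring through `file.managed` from `salt://ceph/files/keyring`, as the grains branch further down already does, with `- show_changes: false` and an explicit restrictive `- mode`. If the command form stays, `{{ managed_keyring_path }}` and the key should at least be quoted the way the caps are. The state's `require` list continues past the end of this hunk.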
@@ -63,29 +56,32 @@
{%- endif %}
-{%- endif %}
-
+{# Pick first element from grains, check if it has ceph_keyring for current cluster and this keyring belongs to 'admin' #}
{%- for node_name, node_grains in salt['mine.get']('ceph:common:keyring:admin', 'grains.items', 'pillar').iteritems() %}
+ {%- if loop.index0 == 0 %}
+ {%- if node_grains.ceph is defined and node_grains.ceph.get('fsid', '') == common.fsid %}
+ {%- for keyring_name, keyring_obj in node_grains.ceph.get('ceph_keyring', {}).iteritems() %}
+ {%- if keyring_name == 'admin' %}
+ {%- set keyring_path = keyring_obj.get('path', common.prefix_dir + '/etc/ceph/' + ceph_cluster + '.client.admin.keyring') %}
-{%- if node_grains.ceph is defined and node_grains.ceph.ceph_keyring is defined and node_grains.ceph.ceph_keyring.admin is defined and node_grains.ceph.get('fsid', '') == common.fsid %}
-
-{%- if loop.index0 == 0 %}
-
-{{ common.prefix_dir }}/etc/ceph/{{ common.get('cluster_name', 'ceph') }}.client.admin.keyring:
+grains_admin_keyring_manage:
file.managed:
+ - name: {{ keyring_path }}
- source: salt://ceph/files/keyring
- template: jinja
- - unless: "test -f {{ common.prefix_dir }}/etc/ceph/{{ common.get('cluster_name', 'ceph') }}.client.admin.keyring"
+ - unless: "test -f {{ keyring_path }}"
- defaults:
node_grains: {{ node_grains|yaml }}
+ keyring: {{ keyring_obj|yaml }}
+ name: {{ keyring_name }}
- require:
{% if not common.get('container_mode', False) %}
- pkg: common_packages
{%- endif %}
- file: common_config
-{%- endif %}
-
-{%- endif %}
-
+ {%- endif %}
+ {%- endfor %}
+ {%- endif %}
+ {%- endif %}
{%- endfor %}
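Review bot: `grains_admin_keyring_manage` writes the cluster admin key with `file.managed` but sets no `user`, `group` or `mode`, so a newly created keyring gets whatever Salt's default and the umask produce, which may leave it readable by other local users. Add `- mode: '0600'` (or honour a value from `keyring_obj`) and `- show_changes: false` so the key is not echoed in the state's diff output. Note also that with the `loop.index0 == 0` gate, a first mine entry that has no matching `fsid` or no `admin` keyring means no state is rendered at all and nothing reports it. If that is intended, the Jinja comment above the loop should say so.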
diff --git a/ceph/files/keyring b/ceph/files/keyring
index 03b9ee3..b196edb 100644
--- a/ceph/files/keyring
+++ b/ceph/files/keyring
@@ -1,27 +1,31 @@
-{%- from "ceph/map.jinja" import common with context %}
+{%- from "ceph/map.jinja" import common with context -%}
-{%- if common.get("manage_keyring", False) %}
+{%- if common.get("manage_keyring", False) -%}
[client.{{ name }}]
key = {{ keyring.key }}
- {%- for cap_name, cap in keyring.caps.iteritems() %}
+ {%- if keyring.caps is defined %}
+ {%- for cap_name, cap in keyring.caps.iteritems() %}
caps {{ cap_name }} = "{{ cap }}"
- {%- endfor %}
+ {%- endfor %}
+ {%- endif %}
{%- else %}
-{%- for name, keyring in node_grains.ceph.get("ceph_keyring", {}).iteritems() %}
+ {%- for name, keyring in node_grains.ceph.get("ceph_keyring", {}).iteritems() %}
-{%- if name == 'admin' %}
+ {%- if name == 'admin' %}
[client.{{ name }}]
key = {{ keyring.key }}
- {%- for cap_name, cap in keyring.get("caps", {}).iteritems() %}
+ {%- if keyring.caps is defined %}
+ {%- for cap_name, cap in keyring.get("caps", {}).iteritems() %}
caps {{ cap_name }} = "{{ cap }}"
- {%- endfor %}
+ {%- endfor %}
+ {%- endif %}
-{%- endif %}
+ {%- endif %}
-{%- endfor %}
+ {%- endfor %}
{%- endif %}
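Review bot: The template now has two different context contracts and nothing in the file states them. With `manage_keyring` enabled it reads `name` and `keyring` from the caller's `defaults`; otherwise it reads only the `admin` entry of `node_grains.ceph.ceph_keyring`. A caller passing the wrong set can produce an incomplete keyring or a render error, so a header comment such as `{#- Context: manage_keyring=true needs 'name' and 'keyring'; otherwise needs 'node_grains' -#}` is worth adding. In the grains branch the new `keyring.caps is defined` guard also makes the `.get("caps", {})` default redundant; `keyring.caps.iteritems()` would match the first branch.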
diff --git a/ceph/setup/init.sls b/ceph/setup/init.sls
index 6e099ae..703a101 100644
--- a/ceph/setup/init.sls
+++ b/ceph/setup/init.sls
@@ -12,5 +12,8 @@
{%- if common.get('keyring') %}
- ceph.setup.keyring
{%- endif %}
+{%- if common.get('manage_keyring', False) %}
+- ceph.setup.managed_keyring
+{%- endif %}
{%- endif %}
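Review bot: When both `keyring` and `manage_keyring` are set, this list now includes `ceph.setup.keyring` and `ceph.setup.managed_keyring` together, and each contains a `file.managed` state that renders `salt://ceph/files/keyring` to a keyring path. If both compute the same path for a client that has `key` and `caps` (the path logic of `keyring.sls` is not visible in this diff), the same secret file is managed by two states. Only the one in `managed_keyring.sls` is shown setting `user`, `group` and `mode`, so the resulting permissions could depend on execution order. Either make the two includes mutually exclusive or add a Jinja comment here stating which state owns the file's ownership and mode. The enclosing include block starts outside this hunk.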
diff --git a/ceph/setup/keyring.sls b/ceph/setup/keyring.sls
index fe88880..f9fbbf8 100644
--- a/ceph/setup/keyring.sls
+++ b/ceph/setup/keyring.sls
@@ -19,6 +19,8 @@
{%- if keyring.key is defined and common.get("manage_keyring", False) %}
+ {%- if keyring.caps is defined %}
+
{{ keyring_path }}:
file.managed:
- source: salt://ceph/files/keyring
@@ -39,6 +41,8 @@
- onchanges:
- file: {{ keyring_path }}
+ {%- endif %}
+
{%- else %}
ceph_create_keyring_{{ keyring_client_name }}:
diff --git a/ceph/setup/managed_keyring.sls b/ceph/setup/managed_keyring.sls
new file mode 100644
index 0000000..7125ec6
--- /dev/null
+++ b/ceph/setup/managed_keyring.sls
@@ -0,0 +1,43 @@
+{%- from "ceph/map.jinja" import common with context %}
+
+managed_echo:
+ cmd.run:
+ - name: echo "Managed keyrings are enabled"
+
+{% for keyring_name, keyring in common.get('keyring', {}).iteritems() %}
+
+ {%- set keyring_client_name = keyring.get('name', keyring_name) %}
+ {%- set ceph_cluster = common.get('cluster_name', 'ceph') %}
+ {%- set keyring_path = keyring.get('path', common.prefix_dir + '/etc/ceph/' + ceph_cluster + '.client.' + keyring_client_name + '.keyring') %}
+
+ {%- if keyring_client_name == 'admin' and keyring.get(keyring_client_name, {}).caps is defined %}
+ {# Reuse old logic from ceph.common #}
+ {%- set create_keyring_file = False %}
+ {%- else %}
+ {%- set create_keyring_file = keyring.get('enabled', True) %}
+ {%- endif %}
+
+ {%- if create_keyring_file %}
+
+managed_keyring_{{ keyring_path }}:
+ file.managed:
+ - name: {{ keyring_path }}
+ - source: salt://ceph/files/keyring
+ - template: jinja
+ - user: {{ keyring.get('user', 'root') }}
+ - group: {{ keyring.get('group', 'root') }}
+ - mode: {{ keyring.get('mode', '640') }}
+ - makedirs: true
+ - defaults:
+ keyring: {{ keyring|yaml }}
+ name: {{ keyring.name }}
+
+ {%- else %}
+
+managed_keyring_{{ keyring_path }}:
+ file.absent:
+ - name: {{ keyring_path }}
+
+ {%- endif %}
+
+{%- endfor %}
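Review bot: The admin guard `keyring.get(keyring_client_name, {}).caps is defined` looks up a key named `admin` inside the admin keyring mapping itself, so as far as this hunk shows it is never true. An admin keyring with caps is then managed here as well as by `ceph_create_keyring_admin` in `ceph/common.sls`; `{%- if keyring_client_name == 'admin' and keyring.caps is defined %}` appears to be what was meant. In `defaults`, `name: {{ keyring.name }}` is empty for entries without a `name` key (the README's `admin` example has none), which would give the rendered keyring a wrong `[client.…]` section; use `name: {{ keyring_client_name }}`. Since these files hold secrets, also consider `- show_changes: false` and a default mode of `'0600'` rather than `'640'`.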