adding manage non admin / mon key keyring capability
Change-Id: I50afa566590f88f3ade7632be2ded3579e35da1d
diff --git a/README.rst b/README.rst
index 1d41a52..944ae77 100644
--- a/README.rst
+++ b/README.rst
@@ -447,6 +447,26 @@
crush_rule: ssd
application: rbd
+
+Ceph manage keyring keys
+------------------------
+
+Keyrings are dynamically generated unless specified by the following pillar.
+
+.. code-block:: yaml
+
+ ceph:
+ common:
+ manage_keyring: true
+ keyring:
+ glance:
+ name: images
+ key: AACf3ulZFFPNDxAAd2DWds3aEkHh4IklZVgIaQ==
+ caps:
+ mon: "allow r"
+ osd: "allow class-read object_prefix rdb_children, allow rwx pool=images"
+
+
Generate CRUSH map - Recommended way
-----------------------------------
diff --git a/ceph/files/keyring b/ceph/files/keyring
index 6ec9e3e..589f5f3 100644
--- a/ceph/files/keyring
+++ b/ceph/files/keyring
@@ -1,3 +1,15 @@
+{%- from "ceph/map.jinja" import common with context %}
+
+{%- if common.get("manage_keyring", False) %}
+
+[client.{{ name }}]
+ key = {{ keyring.key }}
+ {%- for cap_name, cap in keyring.caps.iteritems() %}
+ caps {{ cap_name }} = "{{ cap }}"
+ {%- endfor %}
+
+{%- else %}
+
{%- for node_name, node_grains in salt['mine.get']('ceph:common:keyring:admin', 'grains.items', 'pillar').iteritems() %}
{%- if node_grains.ceph is defined and node_grains.ceph.ceph_keyring is defined %}
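Review bot: The loop over `keyring.caps` in the new `manage_keyring` branch has no guard, while the caller in ceph/setup/keyring.sls only checks `keyring.key is defined`, so a pillar entry with a key but no `caps` fails at render time with an opaque error. Consider `{%- for cap_name, cap in keyring.get('caps', {}).iteritems() %}`, or an explicit check that reports the missing caps clearly. Each cap is also written between literal double quotes without escaping, so a value containing `"` would produce a malformed keyring; a short comment stating that constraint would help. The loop in the `{%- else %}` branch continues outside this hunk.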
@@ -19,3 +31,5 @@
{%- endif %}
{%- endfor %}
+
+{%- endif %}
diff --git a/ceph/setup/crush.sls b/ceph/setup/crush.sls
index c188905..704208d 100644
--- a/ceph/setup/crush.sls
+++ b/ceph/setup/crush.sls
@@ -10,12 +10,15 @@
ceph_compile_crush_map:
cmd.run:
- name: crushtool -c /etc/ceph/crushmap -o /etc/ceph/crushmap.compiled
- - unless: "test -f /etc/ceph/crushmap.compiled"
+ - onchanges:
+ - file: /etc/ceph/crushmap
ceph_enforce_crush_map:
cmd.run:
- name: ceph osd setcrushmap -i /etc/ceph/crushmap.compiled
- unless: "test -f /etc/ceph/crushmap.enforced"
+ - require:
+ - cmd: ceph_compile_crush_map
/etc/ceph/crushmap.enforced:
file.managed:
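Review bot: `ceph_enforce_crush_map` is still gated by `unless: "test -f /etc/ceph/crushmap.enforced"`, so once that marker exists, a map recompiled through the new `onchanges` on `ceph_compile_crush_map` would not be pushed to the cluster, as far as this hunk shows. If re-enforcement on change is intended, replacing the `unless` with `- onchanges:` / `- cmd: ceph_compile_crush_map` would tie the two steps together. The `onchanges` on `file: /etc/ceph/crushmap` also depends on a file state with that ID or name existing in the same run, which is not visible here. The `/etc/ceph/crushmap.enforced` state continues outside the hunk.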
diff --git a/ceph/setup/keyring.sls b/ceph/setup/keyring.sls
index 419ed64..4c6dcf6 100644
--- a/ceph/setup/keyring.sls
+++ b/ceph/setup/keyring.sls
@@ -4,7 +4,23 @@
{%- if keyring.name is defined %}
-{%- if keyring.name != 'admin' %}
+{%- if keyring.name != 'admin' and keyring.key is defined and common.get("manage_keyring", False) %}
+
+/etc/ceph/ceph.client.{{ keyring.name }}.keyring:
+ file.managed:
+ - source: salt://ceph/files/keyring
+ - template: jinja
+ - defaults:
+ keyring: {{ keyring|yaml }}
+ name: {{ keyring.name }}
+
+ceph_import_keyring_{{ keyring.name }}:
+ cmd.run:
+ - name: "ceph auth import -i /etc/ceph/ceph.client.{{ keyring.name }}.keyring"
+ - onchanges:
+ - file: /etc/ceph/ceph.client.{{ keyring.name }}.keyring
+
+{%- elif keyring.name != 'admin' %}
ceph_create_keyring_{{ keyring.name }}:
cmd.run:
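Review bot: The new `file.managed` state for `/etc/ceph/ceph.client.{{ keyring.name }}.keyring` writes a cephx secret but sets no `user`, `group` or `mode`, so the file's permissions fall back to Salt's defaults and will typically be readable by every local user. Add `- mode: '0600'` with an owner matching the service that reads the keyring, and `- show_changes: False` so the key does not appear in the state's diff output and job returns. The same applies to the parallel `keyring_name` state in the second hunk of this file. The enclosing `{%- if %}` block continues outside the hunk.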
@@ -15,7 +31,23 @@
{%- else %}
-{%- if keyring_name != 'admin' %}
+{%- if keyring_name != 'admin' and keyring.key is defined and common.get("manage_keyring", False) %}
+
+/etc/ceph/ceph.client.{{ keyring_name }}.keyring:
+ file.managed:
+ - source: salt://ceph/files/keyring
+ - template: jinja
+ - defaults:
+ keyring: {{ keyring|yaml }}
+ name: {{ keyring_name }}
+
+ceph_import_keyring_{{ keyring_name }}:
+ cmd.run:
+ - name: "ceph auth import -i /etc/ceph/ceph.client.{{ keyring_name }}.keyring"
+ - onchanges:
+ - file: /etc/ceph/ceph.client.{{ keyring_name }}.keyring
+
+{%- elif keyring_name != 'admin' %}
ceph_create_keyring_{{ keyring_name }}:
cmd.run: