Merge pull request #11996 from dachary/wip-17849-bootstrap-osd

mon,ceph-disk: add lockbox permissions to bootstrap-osd Reviewed-by: Sage Weil <sage@redhat.com>
ceph · Nov 16, 2016 · 88ce18d · 88ce18d
2 parents 41408ec + c1c6224
commit 88ce18d
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 0 deletions.
diff --git a/src/ceph-disk/ceph_disk/main.py b/src/ceph-disk/ceph_disk/main.py
@@ -1776,6 +1776,13 @@ def parser():
             default='/etc/ceph/dmcrypt-keys',
             help='directory where dm-crypt keys are stored',
         )
+        parser.add_argument(
+            '--prepare-key',
+            metavar='PATH',
+            help='bootstrap-osd keyring path template (%(default)s)',
+            default='{statedir}/bootstrap-osd/{cluster}.keyring',
+            dest='prepare_key_template',
+        )
         return parser
 
     @staticmethod
@@ -2382,9 +2389,14 @@ def create_key(self):
         key_size = CryptHelpers.get_dmcrypt_keysize(self.args)
         key = open('/dev/urandom', 'rb').read(key_size / 8)
         base64_key = base64.b64encode(key)
+        cluster = self.args.cluster
+        bootstrap = self.args.prepare_key_template.format(cluster=cluster,
+                                                          statedir=STATEDIR)
         command_check_call(
             [
                 'ceph',
+                '--name', 'client.bootstrap-osd',
+                '--keyring', bootstrap,
                 'config-key',
                 'put',
                 'dm-crypt/osd/' + self.args.osd_uuid + '/luks',
@@ -2394,6 +2406,8 @@ def create_key(self):
         keyring, stderr, ret = command(
             [
                 'ceph',
+                '--name', 'client.bootstrap-osd',
+                '--keyring', bootstrap,
                 'auth',
                 'get-or-create',
                 'client.osd-lockbox.' + self.args.osd_uuid,

diff --git a/src/mon/MonCap.cc b/src/mon/MonCap.cc
@@ -145,10 +145,16 @@ void MonCapGrant::expand_profile(EntityName name) const
     profile_grants.push_back(MonCapGrant("config-key delete", "key", StringConstraint("", prefix)));
   }
   if (profile == "bootstrap-osd") {
+    string prefix = "dm-crypt/osd";
+    profile_grants.push_back(MonCapGrant("config-key put", "key", StringConstraint("", prefix)));
     profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));  // read monmap
     profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));  // read osdmap
     profile_grants.push_back(MonCapGrant("mon getmap"));
     profile_grants.push_back(MonCapGrant("osd create"));
+    profile_grants.push_back(MonCapGrant("auth get-or-create"));
+    profile_grants.back().command_args["entity"] = StringConstraint("", "client.");
+    prefix = "allow command \"config-key get\" with key=\"dm-crypt/osd/";
+    profile_grants.back().command_args["caps_mon"] = StringConstraint("", prefix);
     profile_grants.push_back(MonCapGrant("auth add"));
     profile_grants.back().command_args["entity"] = StringConstraint("", "osd.");
     profile_grants.back().command_args["caps_mon"] = StringConstraint("allow profile osd", "");