Turn on cephx support by default

README

@@ -80,8 +80,5 @@ bootstrapping key and propagate it to the other nodes in the cluster. Since
 all OSDs run on nodes that also run mon, we don't need this and did not
 implement it.
 
-The charm does not currently implement cephx and its explicitly turned off in
-the configuration generated for ceph.
-
 See http://ceph.com/docs/master/dev/mon-bootstrap/ for more information on Ceph
 monitor cluster deployment strategies and pitfalls. 

TODO

@@ -4,4 +4,3 @@ Ceph Charm
  * fix tunables (http://tracker.newdream.net/issues/2210)
  * more than 192 PGs
  * fixup data placement in crush to be host not osd driven
- * cephx support

hooks/ceph.py

@@ -71,3 +71,51 @@ def is_osd_disk(dev):
     except subprocess.CalledProcessError:
         pass
     return False
+
+_bootstrap_keyring = "/var/lib/ceph/bootstrap-osd/ceph.keyring"
+
+
+def import_osd_bootstrap_key(key):
+    if not os.path.exists(_bootstrap_keyring):
+        cmd = [
+            'ceph-authtool',
+            _bootstrap_keyring,
+            '--create-keyring',
+            '--name=client.bootstrap-osd',
+            '--add-key={}'.format(key)
+            ]
+        subprocess.check_call(cmd)
+
+# OSD caps taken from ceph-create-keys
+_osd_bootstrap_caps = [
+    'allow command osd create ...',
+    'allow command osd crush set ...',
+   r'allow command auth add * osd allow\ * mon allow\ rwx',
+    'allow command mon getmap'
+    ]
+
+
+def get_osd_bootstrap_key():
+    cmd = [
+        'ceph',
+        '--name', 'mon.',
+        '--keyring',
+        '/var/lib/ceph/mon/ceph-{}/keyring'.format(
+                                        utils.get_unit_hostname()
+                                        ),
+        'auth', 'get-or-create', 'client.bootstrap-osd',
+        'mon', '; '.join(_osd_bootstrap_caps)
+        ]
+    output = subprocess.check_output(cmd).strip()  # IGNORE:E1103
+    # get-or-create appears to have different output depending
+    # on whether its 'get' or 'create'
+    # 'create' just returns the key, 'get' is more verbose and
+    # needs parsing
+    key = None
+    if len(output.splitlines()) == 1:
+        key = output
+    else:
+        for element in output.splitlines():
+            if 'key' in element:
+                key = element.split(' = ')[1].strip()  # IGNORE:E1103
+    return key

hooks/hooks.py

@@ -142,6 +142,7 @@ def mon_relation():
         bootstrap_monitor_cluster()
 
         ceph.wait_for_quorum()
+
         for dev in utils.config_get('osd-devices').split(' '):
             osdize(dev)
         subprocess.call(['udevadm', 'trigger',
@@ -161,6 +162,7 @@ def notify_osds():
 
     for relid in utils.relation_ids('osd'):
         utils.relation_set(fsid=utils.config_get('fsid'),
+                           osd_bootstrap_key=ceph.get_osd_bootstrap_key(),
                            rid=relid)
 
     utils.juju_log('INFO', 'End notify_osds.')
@@ -171,8 +173,10 @@ def osd_relation():
 
     if ceph.is_quorum():
         utils.juju_log('INFO',
-                       'mon cluster in quorum - providing OSD with fsid')
+                       'mon cluster in quorum - \
-        utils.relation_set(fsid=utils.config_get('fsid'))
+                        providing OSD with fsid & keys')
+        utils.relation_set(fsid=utils.config_get('fsid'),
+                           osd_bootstrap_key=ceph.get_osd_bootstrap_key())
     else:
         utils.juju_log('INFO',
                        'mon cluster not in quorum - deferring fsid provision')

revision

@@ -1 +1 @@
-71
+80

templates/ceph.conf

@@ -1,5 +1,5 @@
 [global]
- auth supported = none
+ auth supported = cephx
  keyring = /etc/ceph/$cluster.$name.keyring
  mon host = {{ mon_hosts }}
  fsid = {{ fsid }}