Implement key rotation on the ceph-radosgw charm
This patchset implements key rotation in the ceph-radosgw charm, by replacing the keyring file if it exists and the ceph-mon relation reports a new key. Change-Id: I447b5f827e39118e7dbd430b1c63b3ec4ea3e176 func-test-pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/1195
parent
6f2a7540e8
commit
940be7fdfc
@ -50,19 +50,20 @@ def import_radosgw_key(key, name=None):
|
||||
link_path = None
|
||||
owner = group = 'root'
|
||||
|
||||
if not os.path.exists(keyring_path):
|
||||
exists = os.path.exists(keyring_path)
|
||||
if not exists:
|
||||
mkdir(path=os.path.dirname(keyring_path),
|
||||
owner=owner, group=group, perms=0o750)
|
||||
cmd = [
|
||||
'ceph-authtool',
|
||||
keyring_path,
|
||||
'--create-keyring',
|
||||
'--name=client.{}'.format(
|
||||
name or 'radosgw.gateway'
|
||||
),
|
||||
|
||||
cmd = ['ceph-authtool', keyring_path]
|
||||
if not exists:
|
||||
cmd.append('--create-keyring')
|
||||
cmd.extend([
|
||||
'--name=client.{}'.format(name or 'radosgw.gateway'),
|
||||
'--add-key={}'.format(key)
|
||||
]
|
||||
])
|
||||
subprocess.check_call(cmd)
|
||||
if not exists:
|
||||
cmd = [
|
||||
'chown',
|
||||
'{}:{}'.format(owner, group),
|
||||
@ -74,9 +75,8 @@ def import_radosgw_key(key, name=None):
|
||||
# operations for multi-site configuration
|
||||
if link_path:
|
||||
symlink(keyring_path, link_path)
|
||||
return True
|
||||
|
||||
return False
|
||||
return not exists
|
||||
|
||||
|
||||
def normalize_pool_name(pool):
|
||||
|
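Review bot: The key is still passed as `'--add-key={}'.format(key)`, and with this change that command runs on every call rather than only when the keyring is first created, so the cephx secret is in the process argument list each time. If `subprocess.check_call(cmd)` fails, the `CalledProcessError` message includes the full command, so the key would likely land in the hook traceback and unit log. Re-raising without the secret keeps the exception type, for example `except subprocess.CalledProcessError as e:` followed by `raise subprocess.CalledProcessError(e.returncode, cmd[:2]) from None`. Separately, nothing visible compares `key` with what the keyring already holds, although the description says the file is replaced when the relation reports a new key, so `return not exists` cannot tell the caller that a rotation happened. The body of import_radosgw_key starts above the first hunk and continues between the two hunks, so a comparison may exist outside what is shown.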
@ -335,8 +335,7 @@ def mon_relation(rid=None, unit=None):
|
||||
key_name = None
|
||||
|
||||
if key:
|
||||
new_keyring = ceph.import_radosgw_key(key,
|
||||
name=key_name)
|
||||
ceph.import_radosgw_key(key, name=key_name)
|
||||
# NOTE(jamespage):
|
||||
# Deal with switch from radosgw init script to
|
||||
# systemd named units for radosgw instances by
|
||||
@ -358,7 +357,6 @@ def mon_relation(rid=None, unit=None):
|
||||
# in systemd and stop the process restarting once
|
||||
# zone configuration is complete.
|
||||
if (not is_unit_paused_set() and
|
||||
new_keyring and
|
||||
not multisite_deployment()):
|
||||
log('Resume service "{}" as we now have keys for it.'
|
||||
.format(service_name()), level=DEBUG)
|
||||
|
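Review bot: With `new_keyring and` removed, the block guarded by `not is_unit_paused_set()` and `not multisite_deployment()` now runs on every mon relation event that carries a key, but multisite deployments and paused units are still excluded. On those units a rotated key is written to the keyring while, as far as the visible lines show, the running radosgw keeps authenticating with the old one until something else restarts it. The return value of `ceph.import_radosgw_key(key, name=key_name)` is also discarded, so this hook cannot tell a first import from a rotation or from an unchanged key. If the multisite and paused cases are handled elsewhere, a comment above the condition would help, such as `# Rotated keys on multisite/paused units take effect on the next restart; see <handler>`. The guarded block's body continues past the end of the hunk.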
@ -45,6 +45,7 @@ tests:
|
||||
- zaza.openstack.charm_tests.swift.tests.S3APITest
|
||||
- zaza.openstack.charm_tests.ceph.tests.CheckPoolTypes
|
||||
- zaza.openstack.charm_tests.ceph.tests.BlueStoreCompressionCharmOperation
|
||||
- zaza.openstack.charm_tests.ceph.tests.CephMonKeyRotationTests
|
||||
|
||||
tests_options:
|
||||
force_deploy:
|
||||
|