Allow ceph client keyring files to have custom owner/group/mode

This is required for a future patch enabling the ceph immutable object cache. Change-Id: Ifd78224acf389200a79aea25461b499a7c0da5d1
2023-05-10 14:18:36 +01:00 · 2023-05-10 14:18:36 +01:00 · fdd2aaa00b
commit fdd2aaa00b
parent 3502645d5a
3 changed files with 16 additions and 15 deletions
--- a/tasks/ceph_get_keyrings_from_files.yml
+++ b/tasks/ceph_get_keyrings_from_files.yml
@ -21,7 +21,7 @@
      {% set _keys = {} %}
      {% for client in ceph_client_filtered_clients %}
      {%   set _ = _keys.update({
-              client: lookup('file', ceph_keyrings_dir ~ '/' ~ client ~ '.keyring')
+              client: lookup('file', ceph_keyrings_dir ~ '/' ~ client['name'] ~ '.keyring')
          })
      %}
      {% endfor %}
@ -35,16 +35,17 @@

 - name: From files | Provision ceph client keyrings
  copy:
-    dest: "/etc/ceph/{{ ceph_cluster_name }}.client.{{ item }}.keyring"
-    content: "{{ ceph_client_keys[item] }}\n" # noqa 206
-    group:    "{{ cephkeys_access_group }}"
+    dest: "/etc/ceph/{{ ceph_cluster_name }}.client.{{ item['name'] }}.keyring"
+    content: "{{ ceph_client_keys[item['name']] }}\n" # noqa 206
+    owner:    "{{ client['owner'] | default('root') }}"
+    group:    "{{ client['group'] | default(cephkeys_access_group) }}"
    # ideally the permission will be: 0600 and the owner/group will be either
    # glance , nova or cinder. For keys that require access by different users
    # (the cinder one) we should probably create a group 'cephkeys' and add
    # nova/cinder to it.
    # If I'm correct, the use case for multiple users is on the computre nodes,
    # access needed by users libvirt-qemu and nova
-    mode:     0640
+    mode:     "{{ client['mode'] | default ('0640') }}"
  with_items: "{{ ceph_client_filtered_clients }}"
  notify:
    - Restart os services
--- a/tasks/ceph_get_keyrings_from_mons.yml
+++ b/tasks/ceph_get_keyrings_from_mons.yml
@ -20,7 +20,7 @@
  # the first get makes sure the client exists, so the second only runs when it
  # exists, the trick is the different output of both, the second has the right
  # output to put in a keyring; ceph admin should have already created the user
-  shell: "ceph auth get client.{{ item }} --cluster {{ ceph_cluster_name }} >/dev/null && ceph auth get-or-create client.{{ item }} --cluster {{ ceph_cluster_name }}"
+  shell: "ceph auth get client.{{ item['name'] }} --cluster {{ ceph_cluster_name }} >/dev/null && ceph auth get-or-create client.{{ item['name'] }} --cluster {{ ceph_cluster_name }}"
  with_items: "{{ ceph_client_filtered_clients }}"
  changed_when: false
  delegate_to: '{{ ceph_mon_host }}'
@ -36,18 +36,18 @@
  # ceph get-or-create ... ... -o file?
  template:
    src:      ceph.client.keyring.j2
-    dest:     "/etc/ceph/{{ ceph_cluster_name }}.client.{{ item.item }}.keyring"
+    dest:     "/etc/ceph/{{ ceph_cluster_name }}.client.{{ item.item['name'] }}.keyring"
    backup:   true
-    owner:    root
+    owner:    "{{ item.item.owner | default('root') }}"
    # TODO
-    group:    "{{ cephkeys_access_group }}"
+    group:    "{{ item.item.group | default(cephkeys_access_group) }}"
    # ideally the permission will be: 0600 and the owner/group will be either
    # glance , nova or cinder. For keys that require access by different users
    # (the cinder one) we should probably create a group 'cephkeys' and add
    # nova/cinder to it.
    # If I'm correct, the use case for multiple users is on the computre nodes,
    # access needed by users libvirt-qemu and nova
-    mode:     0640
+    mode:     "{{ item.item.mode | default('0640') }}"
  with_items: "{{ ceph_client_keyrings.results }}"
  when:
    - not item is skipped
--- a/vars/main.yml
+++ b/vars/main.yml
@ -20,27 +20,27 @@ ceph_components:
  - component: glance_api
    package: "{{ python_ceph_packages }}"
    client:
-      - '{{ glance_ceph_client }}'
+      - name: '{{ glance_ceph_client }}'
    service: '{{ ceph_glance_service_names }}'
  - component: cinder_volume
    package: "{{ [ 'ceph-common' ] + python_ceph_packages }}"
    client:
-      - '{{ cinder_ceph_client }}'
+      - name: '{{ cinder_ceph_client }}'
    service: '{{ ceph_cinder_service_names }}'
  - component: cinder_backup
    package: "{{ [ 'ceph-common' ] + python_ceph_packages }}"
    client:
-      - '{{ cinder_backup_ceph_client }}'
+      - name: '{{ cinder_backup_ceph_client }}'
    service: '{{ ceph_cinder_service_names }}'
  - component: nova_compute
    package: "{{ libvirt_packages + [ 'ceph-common' ] + python_ceph_packages  }}"
    client:
-      - '{{ nova_ceph_client }}'
+      - name: "{{ nova_ceph_client }}"
    service: '{{ ceph_nova_service_names }}'
  - component: manila_share
    package: "{{ ['ceph-common'] + python_ceph_packages  }}"
    client:
-      - "{{ manila_ceph_client }}"
+      - name: "{{ manila_ceph_client }}"
    service: "{{ ceph_manila_service_names }}"

 ceph_extra_components: []