From d823bf6ac91eb1fd12b0acea5161ba83b819f9f7 Mon Sep 17 00:00:00 2001
From: Giulio Fidente
Date: Wed, 27 Jul 2016 16:09:49 +0200
Subject: [PATCH] Refresh keys if caps are changed

Updates the local keyring if any of its param (including caps) are changed.

Change-Id: I24abbf23cae4f3449c3f1d46df3b3b0a7422c839
Closes-Bug: 1606918
Co-Authored-By: Jiri Stransky
---
 manifests/key.pp | 18 +++++++++++++-----
 spec/defines/ceph_key_spec.rb | 2 +-
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/manifests/key.pp b/manifests/key.pp
index 849e6623..c8e87486 100644
--- a/manifests/key.pp
+++ b/manifests/key.pp
@@ -113,13 +113,17 @@ define ceph::key (
 }
 }
 
+ # ceph-authtool --add-key is idempotent, will just update pre-existing keys
 exec { "ceph-key-${name}":
 command => "/bin/true # comment to satisfy puppet syntax requirements
 set -ex
 ceph-authtool ${keyring_path} --name '${name}' --add-key '${secret}' ${caps}",
- unless => "/bin/true # comment to satisfy puppet syntax requirements
+ onlyif => "/bin/true # comment to satisfy puppet syntax requirements
 set -ex
-sed -n 'N;\\%.*${name}.*\\n\\s*key = ${secret}%p' ${keyring_path} | grep ${name}",
+NEW_KEYRING=\$(mktemp)
+ceph-authtool \$NEW_KEYRING --name '${name}' --add-key '${secret}' ${caps}
+diff -N \$NEW_KEYRING ${keyring_path} | grep '<'
+rm \$NEW_KEYRING",
 require => [ Package['ceph'], File[$keyring_path], ],
 logoutput => true,
 }
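Review bot: The new onlyif of `ceph-key-${name}` leaves the mktemp file behind on every run where nothing changed: under `set -e` the pipeline `diff -N \$NEW_KEYRING ${keyring_path} | grep '<'` takes grep's exit status, so when no `<` line exists (the key is already current, which is the common case) the script aborts before `rm \$NEW_KEYRING`, and the same happens whenever ceph-authtool itself fails. That temp file carries the `key = ${secret}` line, with whatever mode ceph-authtool leaves on it. Register the cleanup right after creation instead, `trap 'rm -f \$NEW_KEYRING' EXIT`, and drop the trailing `rm`; the second hunk (`ceph-injectkey-${name}`, OLD_KEYRING) has the identical problem. Using `grep -q '<'` would additionally stop the `< key = ...` diff line from being printed as the check's output. Note that `grep '<'` only sees lines the freshly built keyring adds, so a cap removed from `${caps}` would presumably not trigger a refresh — worth confirming against the intended semantics.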
@@ -136,13 +140,17 @@ sed -n 'N;\\%.*${name}.*\\n\\s*key = ${secret}%p' ${keyring_path} | grep ${name}
 Ceph_config<||> -> Exec["ceph-injectkey-${name}"]
 Ceph::Mon<||> -> Exec["ceph-injectkey-${name}"]
 
+ # ceph auth import is idempotent, will just update pre-existing keys
 exec { "ceph-injectkey-${name}":
 command => "/bin/true # comment to satisfy puppet syntax requirements
 set -ex
-ceph ${cluster_option} ${inject_id_option} ${inject_keyring_option} auth add ${name} --in-file=${keyring_path}",
- unless => "/bin/true # comment to satisfy puppet syntax requirements
+ceph ${cluster_option} ${inject_id_option} ${inject_keyring_option} auth import -i ${keyring_path}",
+ onlyif => "/bin/true # comment to satisfy puppet syntax requirements
 set -ex
-ceph ${cluster_option} ${inject_id_option} ${inject_keyring_option} auth get ${name} | grep ${secret}",
+OLD_KEYRING=\$(mktemp)
+ceph ${cluster_option} ${inject_id_option} ${inject_keyring_option} auth get ${name} -o \$OLD_KEYRING || true
+diff -N \$OLD_KEYRING ${keyring_path} | grep '>'
+rm \$OLD_KEYRING",
 require => [ Package['ceph'], Exec["ceph-key-${name}"], ],
 logoutput => true,
 }
diff --git a/spec/defines/ceph_key_spec.rb b/spec/defines/ceph_key_spec.rb
index 664b7673..0daf4894 100644
--- a/spec/defines/ceph_key_spec.rb
+++ b/spec/defines/ceph_key_spec.rb
@@ -50,7 +50,7 @@ describe 'ceph::key' do
 'selinux_ignore_defaults' => true,
 )
 is_expected.to contain_exec('ceph-injectkey-client.admin').with(
- 'command' => "/bin/true # comment to satisfy puppet syntax requirements\nset -ex\nceph auth add client.admin --in-file=/etc/ceph/ceph.client.admin.keyring"
+ 'command' => "/bin/true # comment to satisfy puppet syntax requirements\nset -ex\nceph auth import -i /etc/ceph/ceph.client.admin.keyring"
 )
 }
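Review bot: The `|| true` after `ceph ... auth get ${name} -o \$OLD_KEYRING` swallows every failure of the check, not only a missing entity: if the monitors are unreachable or the inject credentials are rejected, OLD_KEYRING stays empty, `diff -N` marks every line of `${keyring_path}` as `>`, and the exec proceeds to `auth import` instead of surfacing the check failure. If `ceph auth get` reports a missing entity with a distinct exit status (it appears to return ENOENT), test for that status rather than `|| true`. The comparison also assumes `ceph auth get -o` renders the entity byte-for-byte like the keyring ceph-authtool wrote locally; any difference in whitespace, quoting or cap ordering would make this onlyif succeed on every agent run and re-import the key each time, which is worth verifying on a real cluster. The spec hunk below only pins the new `command` string; neither of the two new `onlyif` scripts is asserted.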