Merge pull request #1010 from dachary/wip-mon-keyring

implement --key as an alternative to --keyring when ceph-mon --mkfs Reviewed-by: Sage Weil <sage@inktank.com>
2024-12-28 06:23:08 +00:00 · 2014-01-01 18:47:57 -08:00 · 2014-01-01 18:47:57 -08:00 · 4fe0b1bbe7
commit 4fe0b1bbe7
parent e74ab284c6 4c8a313443
4 changed files with 90 additions and 54 deletions
--- a/src/auth/KeyRing.h
+++ b/src/auth/KeyRing.h
@ -25,8 +25,8 @@ class KeyRing : public KeyStore {
  map<EntityName, EntityAuth> keys;

  int set_modifier(const char *type, const char *val, EntityName& name, map<string, bufferlist>& caps);
-  void decode_plaintext(bufferlist::iterator& bl);
 public:
+  void decode_plaintext(bufferlist::iterator& bl);
  /* Create a KeyRing from a Ceph context.
   * We will use the configuration stored inside the context. */
  int from_ceph_context(CephContext *cct);
--- a/src/mon/AuthMonitor.cc
+++ b/src/mon/AuthMonitor.cc
@ -95,14 +95,16 @@ void AuthMonitor::create_initial()
  check_rotate();
  assert(pending_auth.size() == 1);

-  KeyRing keyring;
-  bufferlist bl;
-  int ret = mon->store->get("mkfs", "keyring", bl);
-  assert(ret == 0);
-  bufferlist::iterator p = bl.begin();
-  ::decode(keyring, p);
+  if (mon->is_keyring_required()) {
+    KeyRing keyring;
+    bufferlist bl;
+    int ret = mon->store->get("mkfs", "keyring", bl);
+    assert(ret == 0);
+    bufferlist::iterator p = bl.begin();
+    ::decode(keyring, p);

-  import_keyring(keyring);
+    import_keyring(keyring);
+  }

  max_global_id = MIN_GLOBAL_ID;

@ -187,7 +189,7 @@ void AuthMonitor::update_from_paxos(bool *need_bootstrap)
    keys_ver++;
    mon->key_server.set_ver(keys_ver);

-    if (keys_ver == 1) {
+    if (keys_ver == 1 && mon->is_keyring_required()) {
      MonitorDBStore::Transaction t;
      t.erase("mkfs", "keyring");
      mon->store->apply_transaction(t);
--- a/src/mon/Monitor.cc
+++ b/src/mon/Monitor.cc
@ -472,35 +472,39 @@ int Monitor::preinit()
  init_paxos();
  health_monitor->init();

-  // we need to bootstrap authentication keys so we can form an
-  // initial quorum.
-  if (authmon()->get_last_committed() == 0) {
-    dout(10) << "loading initial keyring to bootstrap authentication for mkfs" << dendl;
-    bufferlist bl;
-    store->get("mkfs", "keyring", bl);
-    KeyRing keyring;
-    bufferlist::iterator p = bl.begin();
-    ::decode(keyring, p);
-    extract_save_mon_key(keyring);
-  }
+  int r;

-  string keyring_loc = g_conf->mon_data + "/keyring";
-
-  int r = keyring.load(cct, keyring_loc);
-  if (r < 0) {
-    EntityName mon_name;
-    mon_name.set_type(CEPH_ENTITY_TYPE_MON);
-    EntityAuth mon_key;
-    if (key_server.get_auth(mon_name, mon_key)) {
-      dout(1) << "copying mon. key from old db to external keyring" << dendl;
-      keyring.add(mon_name, mon_key);
+  if (is_keyring_required()) {
+    // we need to bootstrap authentication keys so we can form an
+    // initial quorum.
+    if (authmon()->get_last_committed() == 0) {
+      dout(10) << "loading initial keyring to bootstrap authentication for mkfs" << dendl;
      bufferlist bl;
-      keyring.encode_plaintext(bl);
-      write_default_keyring(bl);
-    } else {
-      derr << "unable to load initial keyring " << g_conf->keyring << dendl;
-      lock.Unlock();
-      return r;
+      store->get("mkfs", "keyring", bl);
+      KeyRing keyring;
+      bufferlist::iterator p = bl.begin();
+      ::decode(keyring, p);
+      extract_save_mon_key(keyring);
+    }
+
+    string keyring_loc = g_conf->mon_data + "/keyring";
+
+    r = keyring.load(cct, keyring_loc);
+    if (r < 0) {
+      EntityName mon_name;
+      mon_name.set_type(CEPH_ENTITY_TYPE_MON);
+      EntityAuth mon_key;
+      if (key_server.get_auth(mon_name, mon_key)) {
+	dout(1) << "copying mon. key from old db to external keyring" << dendl;
+	keyring.add(mon_name, mon_key);
+	bufferlist bl;
+	keyring.encode_plaintext(bl);
+	write_default_keyring(bl);
+      } else {
+	derr << "unable to load initial keyring " << g_conf->keyring << dendl;
+	lock.Unlock();
+	return r;
+      }
    }
  }

@ -2009,6 +2013,17 @@ void Monitor::set_leader_supported_commands(const MonCommand *cmds, int size)
  leader_supported_mon_commands_size = size;
 }

+bool Monitor::is_keyring_required()
+{
+  string auth_cluster_required = g_conf->auth_supported.length() ?
+    g_conf->auth_supported : g_conf->auth_cluster_required;
+  string auth_service_required = g_conf->auth_supported.length() ?
+    g_conf->auth_supported : g_conf->auth_service_required;
+
+  return auth_service_required == "cephx" ||
+    auth_cluster_required == "cephx";
+}
+
 void Monitor::handle_command(MMonCommand *m)
 {
  if (m->fsid != monmap->fsid) {
@ -3771,25 +3786,43 @@ int Monitor::mkfs(bufferlist& osdmapbl)
    t.put("mkfs", "osdmap", osdmapbl);
  }

-  KeyRing keyring;
-  string keyring_filename;
-  if (!ceph_resolve_file_search(g_conf->keyring, keyring_filename)) {
-    derr << "unable to find a keyring file on " << g_conf->keyring << dendl;
-    return -ENOENT;
+  if (is_keyring_required()) {
+    KeyRing keyring;
+    string keyring_filename;
+    if (!ceph_resolve_file_search(g_conf->keyring, keyring_filename)) {
+      derr << "unable to find a keyring file on " << g_conf->keyring << dendl;
+      if (g_conf->key != "") {
+	string keyring_plaintext = "[mon.]\n\tkey = " + g_conf->key +
+	  "\n\tcaps mon = \"allow *\"\n";
+	bufferlist bl;
+	bl.append(keyring_plaintext);
+	try {
+	  bufferlist::iterator i = bl.begin();
+	  keyring.decode_plaintext(i);
+	}
+	catch (const buffer::error& e) {
+	  derr << "error decoding keyring " << keyring_plaintext
+	       << ": " << e.what() << dendl;
+	  return -EINVAL;
+	}
+      } else {
+	return -ENOENT;
+      }
+    } else {
+      r = keyring.load(g_ceph_context, keyring_filename);
+      if (r < 0) {
+	derr << "unable to load initial keyring " << g_conf->keyring << dendl;
+	return r;
+      }
+    }
+
+    // put mon. key in external keyring; seed with everything else.
+    extract_save_mon_key(keyring);
+
+    bufferlist keyringbl;
+    keyring.encode_plaintext(keyringbl);
+    t.put("mkfs", "keyring", keyringbl);
  }
-
-  r = keyring.load(g_ceph_context, keyring_filename);
-  if (r < 0) {
-    derr << "unable to load initial keyring " << g_conf->keyring << dendl;
-    return r;
-  }
-
-  // put mon. key in external keyring; seed with everything else.
-  extract_save_mon_key(keyring);
-
-  bufferlist keyringbl;
-  keyring.encode_plaintext(keyringbl);
-  t.put("mkfs", "keyring", keyringbl);
  write_fsid(t);
  store->apply_transaction(t);

--- a/src/mon/Monitor.h
+++ b/src/mon/Monitor.h
@ -881,6 +881,7 @@ public:
  void get_leader_supported_commands(const MonCommand **cmds, int *count);
  /// the Monitor owns this pointer once you pass it in
  void set_leader_supported_commands(const MonCommand *cmds, int size);
+  static bool is_keyring_required();
 };

 #define CEPH_MON_FEATURE_INCOMPAT_BASE CompatSet::Feature (1, "initial feature set (~v.18)")