Merge lp:~james-page/charms/precise/ceph/fixup-mon-perms into lp:~charmers/charms/precise/ceph/trunk

Proposed by James Page
Status: Merged
Merged at revision: 65
Proposed branch: lp:~james-page/charms/precise/ceph/fixup-mon-perms
Merge into: lp:~charmers/charms/precise/ceph/trunk
Diff against target: 71 lines (+29/-2)
2 files modified
hooks/ceph.py (+15/-2)
hooks/hooks.py (+14/-0)
To merge this branch: bzr merge lp:~james-page/charms/precise/ceph/fixup-mon-perms
Reviewer: Adam Gandelman (community)
Review status: Approve
Review via email: mp+186997@code.launchpad.net

Description of the change

Fixup mon permissions for client and radosgw so pools can be created still

Edward Hope-Morley (hopem) wrote :

This looks good. As discussed, one concern with increasing the mon permissions is that each client can now delete any pool. Since we can infer the name of the pool the client is creating, it would be nice/safer to restrict the mon operations to the client's pool, but ceph does not appear to allow restricting mon operations to a single pool (like with 'osd allow rw pool=foo'). Let's go ahead with this patch and make sure we follow up with a patch to allow new clients to have their pools created by the ceph charm, thus allowing for the rw perm to be removed (which should not break compatibility since the client does not attempt to create the pool if it already exists).

Adam Gandelman (gandelman-a) wrote :

This addresses all of my concerns from last week. Thanks.

review: Approve

Preview Diff

1=== modified file 'hooks/ceph.py'
2--- hooks/ceph.py 2013-08-27 13:57:46 +0000
3+++ hooks/ceph.py 2013-09-23 10:31:33 +0000
4@@ -224,7 +224,7 @@
5
6 # OSD caps taken from ceph-create-keys
7 _radosgw_caps = {
8- 'mon': ['allow r'],
9+ 'mon': ['allow rw'],
10 'osd': ['allow rwx']
11 }
12
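Review bot: the new `'mon': ['allow rw']` entry in `_radosgw_caps` has no comment saying why the gateway key needs write access on the monitors. The review discussion notes that this cap lets the key delete any pool, so add a comment next to the entry stating that rw is granted only so pools can be created and is intended to be removed once the charm creates pools on the client's behalf.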
13@@ -234,7 +234,7 @@
14
15
16 _default_caps = {
17- 'mon': ['allow r'],
18+ 'mon': ['allow rw'],
19 'osd': ['allow rwx']
20 }
21
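Review bot: after this change `_default_caps` is identical to `_radosgw_caps` as shown in these two hunks, and it is the set that `upgrade_keys()` applies to every `client.<service>` key, which makes it the wider of the two grants. Consider defining the mon capability once and referencing it from both dicts, so the follow-up that drops rw has a single place to change.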
22@@ -259,6 +259,19 @@
23 return parse_key(subprocess.check_output(cmd).strip()) # IGNORE:E1103
24
25
26+def upgrade_key_caps(key, caps):
27+ ''' Upgrade key to have capabilities caps '''
28+ if not is_leader():
29+ # Not the MON leader OR not clustered
30+ return
31+ cmd = [
32+ 'ceph', 'auth', 'caps', key
33+ ]
34+ for subsystem, subcaps in caps.iteritems():
35+ cmd.extend([subsystem, '; '.join(subcaps)])
36+ subprocess.check_call(cmd)
37+
38+
39 def bootstrap_monitor_cluster(secret):
40 hostname = get_unit_hostname()
41 path = '/var/lib/ceph/mon/ceph-{}'.format(hostname)
42
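Review bot: in `upgrade_key_caps`, `subprocess.check_call(cmd)` is unguarded, so a non-zero exit from `ceph auth caps` for one key raises and stops the caller before the remaining keys are processed. Catch `subprocess.CalledProcessError`, log the key name and carry on with the next key. The early return for a non-leader unit is also silent; a log line there would show on which unit the caps were actually applied. Since `ceph auth caps` replaces the key's existing capabilities with the ones given, the docstring should say that the key is set to exactly `caps` rather than "upgraded".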
43=== modified file 'hooks/hooks.py'
44--- hooks/hooks.py 2013-08-27 11:47:16 +0000
45+++ hooks/hooks.py 2013-09-23 10:31:33 +0000
46@@ -206,6 +206,19 @@
47 log('End notify_client.')
48
49
50+def upgrade_keys():
51+ ''' Ceph now required mon allow rw for pool creation '''
52+ if len(relation_ids('radosgw')) > 0:
53+ ceph.upgrade_key_caps('client.radosgw.gateway',
54+ ceph._radosgw_caps)
55+ for relid in relation_ids('client'):
56+ units = related_units(relid)
57+ if len(units) > 0:
58+ service_name = units[0].split('/')[0]
59+ ceph.upgrade_key_caps('client.{}'.format(service_name),
60+ ceph._default_caps)
61+
62+
63 @hooks.hook('osd-relation-joined')
64 def osd_relation():
65 log('Begin osd-relation hook.')
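Review bot: in `upgrade_keys`, a `client` relation that has no related units when the function runs is skipped by `if len(units) > 0` with nothing logged, so that service's key keeps its old mon cap and nothing indicates it was missed. Log the relation id when it is skipped. Two smaller points: the docstring should read "Ceph now requires", and the function reaches into `ceph._radosgw_caps` and `ceph._default_caps`, which are underscore-prefixed names in another module; exposing them under public names or through a helper in `ceph.py` would be cleaner.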
66@@ -259,6 +272,7 @@
67 apt_install(packages=filter_installed_packages(ceph.PACKAGES), fatal=True)
68 install_upstart_scripts()
69 ceph.update_monfs()
70+ upgrade_keys()
71 log('End upgrade-charm hook.')
72
73
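Review bot: `upgrade_keys()` is called only from the upgrade-charm hook, and `upgrade_key_caps` returns without acting when `is_leader()` is false, so if the unit running the hook is not the leader or is not yet clustered at that moment, nothing retries the change later. Consider calling it again from a point where leadership is known, and log before and after the call so the hook output shows whether any caps were changed.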
