[pve-devel] [PATCH pve-manager master v1 1/6] ceph: tools: add helper sub for creating or updating keyring files

Max R. Carrara m.carrara at proxmox.com
Tue Sep 16 19:20:02 CEST 2025 

Add `create_or_update_keyring_file()`, a more generic version of
`create_or_update_crash_keyring_file()`, in order to avoid duplicating
the underlying logic for other kinds of keyrings / Ceph auth entities.

Signed-off-by: Max R. Carrara <m.carrara at proxmox.com>
---
 PVE/Ceph/Tools.pm | 80 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 80 insertions(+)

diff --git a/PVE/Ceph/Tools.pm b/PVE/Ceph/Tools.pm
index f50d2272..dce9156a 100644
--- a/PVE/Ceph/Tools.pm
+++ b/PVE/Ceph/Tools.pm
@@ -3,6 +3,7 @@ package PVE::Ceph::Tools;
 use strict;
 use warnings;
 
+use Carp qw(croak);
 use File::Path;
 use File::Basename;
 use IO::File;
@@ -455,6 +456,85 @@ sub get_or_create_admin_keyring {
     return $pve_ckeyring_path;
 }
 
+=head3 create_or_update_keyring_file($dest_file, $entity, $caps [, $rados])
+
+Creates or updates a keyring file C<$dest_file> for C<$entity>. If the
+C<$entity> is created, it gains the capabilities provided with C<$caps>.
+Otherwise, capabilities are not updated.
+
+B<NOTE:> The caller is responsible for ensuring that the provided C<$dest_file>
+is in fact for the given C<$entity>.
+
+Returns C<1> if C<$dest_file> was created or updated, C<0> otherwise.
+
+=over
+
+=item * C<$dest_file>
+
+The path of the keyring file, for example C</etc/pve/ceph/ceph.client.crash.keyring>.
+
+=item * C<$entity>
+
+The entity for which to create the authentication entry and corresponding
+keyring, for example C<client.crash>. If the entity already exists, its
+capabilities are not updated.
+
+=item * C<$caps>
+
+The capabilities to set when creating C<$entity>, for example:
+
+    my $caps = [
+        mgr => 'allow profile osd',
+        mon => 'allow profile osd',
+        osd => 'allow *',
+    ];
+
+=item * C<$rados> (optional)
+
+An existing C<L<PVE::RADOS>> object. If not provided, a new object will be
+created instead.
+
+=back
+
+For an explanation on Ceph capabilities, see:
+L<https://docs.ceph.com/en/latest/rados/operations/user-management/#authorization-capabilities>
+
+=cut
+
+my sub create_or_update_keyring_file {
+    my ($dest_file, $entity, $caps, $rados) = @_;
+
+    croak '$dest_file is undef' if !defined($dest_file);
+    croak '$entity is undef' if !defined($entity);
+    croak '$caps is undef' if !defined($caps);
+
+    $rados = PVE::RADOS->new() if !defined($rados);
+
+    my $output = $rados->mon_command({
+        prefix => 'auth get-or-create',
+        entity => "$entity",
+        caps => $caps,
+        format => 'plain',
+    });
+
+    if (-f $dest_file) {
+        my $contents = PVE::Tools::file_get_contents($dest_file);
+
+        if ($contents ne $output) {
+            PVE::Tools::file_set_contents($dest_file, $output);
+            return 1;
+        }
+
+        return 0;
+
+    } else {
+        PVE::Tools::file_set_contents($dest_file, $output);
+        return 1;
+    }
+
+    return 0;
+}
+
 # is also used in `pve-init-ceph-crash` helper
 sub create_or_update_crash_keyring_file {
     my ($rados) = @_;
-- 
2.47.3

More information about the pve-devel mailing list