[pve-devel] [PATCH pve-manager master v1 1/6] ceph: tools: add helper sub for creating or updating keyring files
Max R. Carrara
m.carrara at proxmox.com
Tue Sep 16 19:20:02 CEST 2025
Add `create_or_update_keyring_file()`, a more generic version of
`create_or_update_crash_keyring_file()`, in order to avoid duplicating
the underlying logic for other kinds of keyrings / Ceph auth entities.
Signed-off-by: Max R. Carrara <m.carrara at proxmox.com>
---
PVE/Ceph/Tools.pm | 80 +++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 80 insertions(+)
diff --git a/PVE/Ceph/Tools.pm b/PVE/Ceph/Tools.pm
index f50d2272..dce9156a 100644
--- a/PVE/Ceph/Tools.pm
+++ b/PVE/Ceph/Tools.pm
@@ -3,6 +3,7 @@ package PVE::Ceph::Tools;
use strict;
use warnings;
+use Carp qw(croak);
use File::Path;
use File::Basename;
use IO::File;
@@ -455,6 +456,85 @@ sub get_or_create_admin_keyring {
return $pve_ckeyring_path;
}
+=head3 create_or_update_keyring_file($dest_file, $entity, $caps [, $rados])
+
+Creates or updates a keyring file C<$dest_file> for C<$entity>. If the
+C<$entity> is created, it gains the capabilities provided with C<$caps>.
+Otherwise, capabilities are not updated.
+
+B<NOTE:> The caller is responsible for ensuring that the provided C<$dest_file>
+is in fact for the given C<$entity>.
+
+Returns C<1> if C<$dest_file> was created or updated, C<0> otherwise.
+
+=over
+
+=item * C<$dest_file>
+
+The path of the keyring file, for example C</etc/pve/ceph/ceph.client.crash.keyring>.
+
+=item * C<$entity>
+
+The entity for which to create the authentication entry and corresponding
+keyring, for example C<client.crash>. If the entity already exists, its
+capabilities are not updated.
+
+=item * C<$caps>
+
+The capabilities to set when creating C<$entity>, for example:
+
+ my $caps = [
+ mgr => 'allow profile osd',
+ mon => 'allow profile osd',
+ osd => 'allow *',
+ ];
+
+=item * C<$rados> (optional)
+
+An existing C<L<PVE::RADOS>> object. If not provided, a new object will be
+created instead.
+
+=back
+
+For an explanation on Ceph capabilities, see:
+L<https://docs.ceph.com/en/latest/rados/operations/user-management/#authorization-capabilities>
+
+=cut
+
+my sub create_or_update_keyring_file {
+ my ($dest_file, $entity, $caps, $rados) = @_;
+
+ croak '$dest_file is undef' if !defined($dest_file);
+ croak '$entity is undef' if !defined($entity);
+ croak '$caps is undef' if !defined($caps);
+
+ $rados = PVE::RADOS->new() if !defined($rados);
+
+ my $output = $rados->mon_command({
+ prefix => 'auth get-or-create',
+ entity => "$entity",
+ caps => $caps,
+ format => 'plain',
+ });
+
+ if (-f $dest_file) {
+ my $contents = PVE::Tools::file_get_contents($dest_file);
+
+ if ($contents ne $output) {
+ PVE::Tools::file_set_contents($dest_file, $output);
+ return 1;
+ }
+
+ return 0;
+
+ } else {
+ PVE::Tools::file_set_contents($dest_file, $output);
+ return 1;
+ }
+
+ return 0;
+}
+
# is also used in `pve-init-ceph-crash` helper
sub create_or_update_crash_keyring_file {
my ($rados) = @_;
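Review bot: Both `PVE::Tools::file_set_contents($dest_file, $output)` calls write a secret key with the helper's default mode, which I believe is 0644; since this sub is meant to be generic and `$dest_file` is only given `/etc/pve/ceph/...` as an example, a keyring written outside pmxcfs would be world-readable. Pass the optional mode argument explicitly in both branches, `PVE::Tools::file_set_contents($dest_file, $output, 0600);` — on pmxcfs the filesystem dictates the mode bits anyway, so this should be harmless there (worth confirming). The `return 0;` after the if/else is unreachable, as every branch already returns; dropping it, or collapsing the two branches into `return 0 if -f $dest_file && PVE::Tools::file_get_contents($dest_file) eq $output;` followed by a single write and `return 1;`, would make the control flow read straight through. Ceph's `auth get-or-create` fails rather than silently ignoring caps when the entity exists with different ones, so the POD's "capabilities are not updated" may understate what the caller sees — please verify against the crash-keyring caller's behaviour.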
--
2.47.3