Adjust key distribution mechanism for Swift

In preparation for Swift global cluster we need a solution that moves away from a centralised "memcache" server as a distribution mechanism, since we can't guarantee that all swift hosts will have access to one memcache server. This patch uses ansible variables (which were already being set) as the distribution mechanism so that the authorized_keys file can be generated by using the ansible variables set for each host as part of the tasks. Additionally this moves away from using "shell" commands to generate the key and adjust the authorized_keys file and instead uses the built in ansible "authorized_keys" module as well as the built in "generate_ssh_key" option for the "user" module. Finally this adds a "swift_recreate_keys" option which can be set to "True" in order to recreate all the swift keys, and recreate the authorized_keys file. This was happening on every run and will now not happen by default, unless the variable is set to "True". Change-Id: Ic4eb05042244c32050233e1445633d5731f9603b Partially-Implements: blueprint multi-region-swift
2015-07-09 11:10:09 +01:00 · 2015-07-09 11:10:09 +01:00 · e0c8cfc43c
commit e0c8cfc43c
parent 7b237fc5fc
6 changed files with 39 additions and 113 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -72,6 +72,8 @@ swift_default_drive_weight: 100
 swift_allow_versions: True
 # This will allow all users to create containers and upload to swift if set to True
 swift_allow_all_users: False
+# If you want to regenerate the swift keys, on a run, for rsync purposes set this var to True otherwise keys will be generated on the first run and not regenerated each run.
+swift_recreate_keys: False

 swift_account_server_program_config_options: /etc/swift/account-server/account-server.conf
 swift_account_replicator_program_config_options: /etc/swift/account-server/account-server-replicator.conf
--- a/tasks/swift_key_create.yml
+++ b/tasks/swift_key_create.yml
@ -1,74 +0,0 @@
---
-# Copyright 2014, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
- name: Remove old key file(s) if found
-  file:
-    path: "{{ item }}"
-    state: "absent"
-  with_items:
-    - "{{ swift_system_home_folder }}/.ssh/authorized_keys"
-    - "{{ swift_system_home_folder }}/.ssh/id_rsa"
-    - "{{ swift_system_home_folder }}/.ssh/id_rsa.pub"
-  tags:
-    - swift-key
-    - swift-key-create
-
- name: Create the swift SSH key if it doesnt exist
-  command: |
-    ssh-keygen -f {{ swift_system_home_folder }}/.ssh/id_rsa -t rsa -q -N ""
-  sudo: yes
-  sudo_user: "{{ swift_system_user_name }}"
-  tags:
-    - swift-key
-    - swift-key-create
-
- name: Create empty 'authorized_keys' file
-  file:
-    path: "{{ swift_system_home_folder }}/.ssh/authorized_keys"
-    state: "touch"
-  tags:
-    - swift-key
-    - swift-key-create
-
- name: Change permissions on the generated keys
-  file:
-    path: "{{ item.path }}"
-    group: "{{ swift_system_user_name }}"
-    owner: "{{ swift_system_user_name }}"
-    mode: "{{ item.mode }}"
-  with_items:
-    - { path: "{{ swift_system_home_folder }}/.ssh/authorized_keys", mode: "0700" }
-    - { path: "{{ swift_system_home_folder }}/.ssh/id_rsa", mode: "0600" }
-    - { path: "{{ swift_system_home_folder }}/.ssh/id_rsa.pub", mode: "0644" }
-  tags:
-    - swift-key
-    - swift-key-create
-
- name: Get public key contents
-  command: |
-    cat {{ swift_system_home_folder }}/.ssh/id_rsa.pub
-  register: swift_pub
-  changed_when: false
-  tags:
-    - swift-key
-    - swift-key-create
-
- name: Build authorized keys
-  shell: |
-    echo "{{ swift_pub.stdout }}" | tee -a {{ swift_system_home_folder }}/.ssh/authorized_keys
-  delegate_to: "{{ groups['swift_hosts'][0] }}"
-  tags:
-    - swift-key
-    - swift-key-create
--- a/tasks/swift_key_distribute.yml
+++ b/tasks/swift_key_distribute.yml
@ -13,21 +13,12 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- name: Retrieve authorized keys
-  memcached:
-    name: "{{ item.name }}"
-    file_path: "{{ item.src }}"
-    state: "retrieve"
-    file_mode: "{{ item.file_mode }}"
-    dir_mode: "{{ item.dir_mode }}"
-    server: "{{ memcached_servers }}"
-    encrypt_string: "{{ memcached_encryption_key }}"
-  with_items:
-    - { src: "{{ swift_system_home_folder }}/.ssh/authorized_keys", name: "authorized_keys", file_mode: "0640", dir_mode: "0750" }
-  register: memcache_keys
-  until: memcache_keys|success
-  retries: 5
-  delay: 2
+- name: Create authorized keys file from host vars
+  authorized_key:
+    user: "{{ swift_system_user_name }}"
+    key: "{{ hostvars[item]['swift_pubkey'] }}"
+  with_items: groups['swift_all']
  tags:
    - swift-key
+    - swift-key-create
    - swift-key-distribute
--- a/tasks/swift_key_populate.yml
+++ b/tasks/swift_key_populate.yml
@ -13,19 +13,18 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- name: Distribute authorized keys for cluster consumption
-  memcached:
-    name: "{{ item.name }}"
-    file_path: "{{ item.src }}"
-    state: "present"
-    server: "{{ memcached_servers }}"
-    encrypt_string: "{{ memcached_encryption_key }}"
-  with_items:
-    - { src: "{{ swift_system_home_folder }}/.ssh/authorized_keys", name: "authorized_keys" }
-  register: memcache_keys
-  until: memcache_keys|success
-  retries: 5
-  delay: 2
+- name: Get public key contents and store as var
+  command: |
+    cat {{ swift_system_home_folder }}/.ssh/id_rsa.pub
+  register: swift_pub
+  changed_when: false
  tags:
    - swift-key
-    - swift-key-store
+    - swift-key-create
+
+- name: Register a fact for the swift pub key
+  set_fact:
+     swift_pubkey: "{{ swift_pub.stdout }}"
+  tags:
+    - swift-key
+    - swift-key-create
--- a/tasks/swift_key_setup.yml
+++ b/tasks/swift_key_setup.yml
@ -13,21 +13,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- include: swift_key_create.yml
+- include: swift_key_populate.yml
  tags:
    - swift-key
    - swift-key-create

- include: swift_key_store.yml
-  when: >
-    inventory_hostname == groups['swift_hosts'][0]
-  tags:
-    - swift-key
-    - swift-key-store
-
 - include: swift_key_distribute.yml
-  when: >
-    inventory_hostname != groups['swift_hosts'][0]
  tags:
    - swift-key
+    - swift-key-create
    - swift-key-distribute
--- a/tasks/swift_pre_install.yml
+++ b/tasks/swift_pre_install.yml
@ -21,6 +21,19 @@
  tags:
    - swift-group

+- name: Remove old key file(s) if found
+  file:
+    path: "{{ item }}"
+    state: "absent"
+  with_items:
+    - "{{ swift_system_home_folder }}/.ssh/authorized_keys"
+    - "{{ swift_system_home_folder }}/.ssh/id_rsa"
+    - "{{ swift_system_home_folder }}/.ssh/id_rsa.pub"
+  when: swift_recreate_keys == True
+  tags:
+    - swift-key
+    - swift-key-create
+
 - name: Create the swift system user
  user:
    name: "{{ swift_system_user_name }}"
@ -30,8 +43,11 @@
    system: "yes"
    createhome: "yes"
    home: "{{ swift_system_home_folder }}"
+    generate_ssh_key: "yes"
  tags:
    - swift-user
+    - swift-key
+    - swift-key-create

 - name: Create swift dir
  file: