mon/AuthMonitor: provide command to rotate the key for a user credential

[batrick]

Contribution Guidelines

• To sign and title your commits, please refer to Submitting Patches to Ceph.

• If you are submitting a fix for a stable branch (e.g. "quincy"), please refer to Submitting Patches to Ceph - Backports for the proper workflow.

• When filling out the below checklist, you may click boxes directly in the GitHub web UI. When entering or editing the entire PR message in the GitHub web UI editor, you may also select a checklist item by adding an x between the brackets: [x]. Spaces and capitalization matter when checking off items this way.

Checklist

• Tracker (select at least one)
  • References tracker ticket
  • Very recent bug; references commit where it was introduced
  • New feature (ticket optional)
  • Doc update (no ticket needed)
  • Code cleanup (no ticket needed)
• Component impact
  • Affects Dashboard, opened tracker ticket
  • Affects Orchestrator, opened tracker ticket
  • No impact that needs to be tracked
• Documentation (select at least one)
  • Updates relevant documentation
  • No doc update is appropriate
• Tests (select at least one)
  • Includes unit test(s)
  • Includes integration test(s)
  • Includes bug reproducer
  • No tests

Show available Jenkins commands

• jenkins retest this please
• jenkins test classic perf
• jenkins test crimson perf
• jenkins test signed
• jenkins test make check
• jenkins test make check arm64
• jenkins test submodules
• jenkins test dashboard
• jenkins test dashboard cephadm
• jenkins test api
• jenkins test docs
• jenkins render docs
• jenkins test ceph-volume all
• jenkins test ceph-volume tox
• jenkins test windows
• jenkins test rook e2e

[batrick]

jenkins test make check

[batrick]

jenkins test api

[batrick]

jenkins test make check

[rzarzynski]

ACK.

[rzarzynski]

Yeah, secret should be different...

[rzarzynski]

... so we shouldn't be able to operate using the old one.

[rzarzynski]

I would love to see a check ensuring the only thing that got changed is the secret itself; particularly that the caps are untouched.

[batrick]

diff --git a/qa/workunits/cephtool/test.sh b/qa/workunits/cephtool/test.sh
index d024ce6912d4..266f133c6037 100755
--- a/qa/workunits/cephtool/test.sh
+++ b/qa/workunits/cephtool/test.sh
@@ -613,14 +613,20 @@ function test_auth()
   ceph auth get-or-create client.admin2 mon 'allow *'
   ceph auth get client.admin2 >> keyring1
   env CEPH_KEYRING=keyring1 ceph -n client.admin2 auth get client.admin2 >> keyring2
-  diff -au keyring1 keyring2
+  # they are the same:
+  expect_true diff -au keyring1 keyring2
   # rotate itself
   env CEPH_KEYRING=keyring1 ceph -n client.admin2 auth rotate client.admin2 >> keyring3
-  expect_false diff -au keyring1 keyring3
+  # only the key has changed:
+  diff -au keyring1 keyring3 | grep -E '^[-+][^-+]' | expect_false grep -v key
+  # the key in keyring1 no longer works:
   expect_false env CEPH_KEYRING=keyring1 ceph -n client.admin2 auth get client.admin2
+  # the key in keyring3 should work:
   expect_true env CEPH_KEYRING=keyring3 ceph -n client.admin2 auth get client.admin2
+  # now verify the key from `auth get` matches what rotate produced:
   expect_true ceph auth get client.admin2 >> keyring4
   expect_true diff -au keyring3 keyring4
+  expect_true ceph auth rm client.admin2
   rm keyring[1234]
 
   # (almost) interactive mode

[rzarzynski]

👍 Thank you!

[rzarzynski]

👍 Thank you!

[batrick]

This PR is under test in https://tracker.ceph.com/issues/66609.

[batrick]

https://tracker.ceph.com/issues/66609#note-1