Increase flexibility with managing client keys in profile

This commit introduces the client_keys hash parameter to ceph::profile. This allows one to use the profile to inject and configure any client keys with any parameter. Backwards compatibility is *NOT* maintained for the purpose of staying as clean and as simple as possible in the context of drafting the first stable release of puppet-ceph. This avoids shipping the first stable release with, already, a deprecation that will have to be maintained throughout an entire release cycle. Some tests have been added and test coverage is in general improved as part of this commit. Change-Id: Ie6adbd601388ab52c37037004bd0ceef9fc41942
2015-02-27 13:44:24 -05:00 · 2015-02-27 13:44:24 -05:00 · 2041c1e7b5
parent 7f7847315c
commit 2041c1e7b5
15 changed files with 403 additions and 130 deletions
--- a/examples/common.yaml
+++ b/examples/common.yaml
@ -18,10 +18,29 @@ ceph::profile::params::public_network: '10.11.12.0/24'
 ceph::profile::params::mon_key: 'AQATGHJTUCBqIBAA7M2yafV1xctn1pgr3GcKPg=='
 # as an alternative to specifying the mon key you can provide an exising keyring
 #ceph::profile::params::mon_keyring: '/etc/ceph/ceph.mon.keyring'
-ceph::profile::params::admin_key: 'AQBMGHJTkC8HKhAAJ7NH255wYypgm1oVuV41MA=='
-ceph::profile::params::admin_key_mode: '0600'
-ceph::profile::params::bootstrap_osd_key: 'AQARG3JTsDDEHhAAVinHPiqvJkUi5Mww/URupw=='
-ceph::profile::params::bootstrap_mds_key: 'AQCztJdSyNb0NBAASA2yPZPuwXeIQnDJ9O8gVw=='
+ceph::profile::params::client_keys:
+  'client.admin':
+    secret: 'AQBMGHJTkC8HKhAAJ7NH255wYypgm1oVuV41MA=='
+    mode: '0600'
+    cap_mon: 'allow *'
+    cap_osd: 'allow *'
+    cap_mds: 'allow *'
+  'client.bootstrap-osd':
+    secret: 'AQARG3JTsDDEHhAAVinHPiqvJkUi5Mww/URupw=='
+    keyring_path: '/var/lib/ceph/bootstrap-osd/ceph.keyring'
+    cap_mon: 'allow profile bootstrap-osd'
+  'client.bootstrap-mds':
+    secret: 'AQCztJdSyNb0NBAASA2yPZPuwXeIQnDJ9O8gVw=='
+    keyring_path: '/var/lib/ceph/bootstrap-mds/ceph.keyring'
+    cap_mon: 'allow profile bootstrap-mds'
+  'client.volumes':
+    secret: 'AQA4MPZTOGU0ARAAXH9a0fXxVq0X25n2yPREDw=='
+    mode: '0600'
+    user: 'cinder'
+    group: 'cinder'
+    cap_mon: 'allow r'
+    cap_osd: 'allow class-read object_prefix rbd_children, allow rwx pool=volumes'
+
 ceph::profile::params::osds:
  '/dev/sdc':
    journal: '/dev/sdb1'
--- a/examples/nodes/client.yaml
+++ b/examples/nodes/client.yaml
@ -0,0 +1,9 @@
+---
+ceph::profile::params::client_keys:
+  'client.volumes':
+    secret: 'AQA4MPZTOGU0ARAAXH9a0fXxVq0X25n2yPREDw=='
+    mode: '0644'
+    user: 'root'
+    group: 'root'
+    cap_mon: 'allow r'
+    cap_osd: 'allow class-read object_prefix rbd_children, allow rwx pool=volumes'
--- a/manifests/profile/client.pp
+++ b/manifests/profile/client.pp
@ -14,21 +14,21 @@
 #   limitations under the License.
 #
 # Author: David Gurtner <aldavud@crimson.ch>
+# Author: David Moreau Simard <dmsimard@iweb.com>
 #
-# Class: ceph::profile::client
+# == Class: ceph::profile::client
 #
 # Profile for a Ceph client
 #
 class ceph::profile::client {
-  require ceph::profile::base
+  require ::ceph::profile::base

-  # if this is also a mon, the key is already defined
-  if ! defined(Ceph::Key['client.admin']) {
-    if $ceph::profile::params::admin_key {
-      ceph::key { 'client.admin':
-        keyring_path => '/etc/ceph/ceph.client.admin.keyring',
-        secret       => $ceph::profile::params::admin_key,
-        mode         => $ceph::profile::params::admin_key_mode,
+  # If the same server is hosting a mon, osd and client, the key resource is
+  # ultimately handled by the mon class.
+  if ! defined(Class['ceph::keys']) {
+    if !empty($ceph::profile::params::client_keys) {
+      class { '::ceph::keys':
+        args => $ceph::profile::params::client_keys
      }
    }
  }
--- a/manifests/profile/mon.pp
+++ b/manifests/profile/mon.pp
@ -14,13 +14,14 @@
 #   limitations under the License.
 #
 # Author: David Gurtner <aldavud@crimson.ch>
+# Author: David Moreau Simard <dmsimard@iweb.com>
 #
 # == Class: ceph::profile::mon
 #
 # Profile for a Ceph mon
 #
 class ceph::profile::mon {
-  require ceph::profile::base
+  require ::ceph::profile::base

  Ceph_Config<| |> ->
  ceph::mon { $::hostname:
@ -29,36 +30,16 @@ class ceph::profile::mon {
    keyring             => $ceph::profile::params::mon_keyring,
  }

-  Ceph::Key {
+  $defaults = {
    inject         => true,
    inject_as_id   => 'mon.',
    inject_keyring => "/var/lib/ceph/mon/ceph-${::hostname}/keyring",
  }

-  # this supports providing the key manually
-  if $ceph::profile::params::admin_key {
-    ceph::key { 'client.admin':
-      secret  => $ceph::profile::params::admin_key,
-      cap_mon => 'allow *',
-      cap_osd => 'allow *',
-      cap_mds => 'allow',
-      mode    => $ceph::profile::params::admin_key_mode,
-    }
-  }
-
-  if $ceph::profile::params::bootstrap_osd_key {
-    ceph::key { 'client.bootstrap-osd':
-      secret       => $ceph::profile::params::bootstrap_osd_key,
-      keyring_path => '/var/lib/ceph/bootstrap-osd/ceph.keyring',
-      cap_mon      => 'allow profile bootstrap-osd',
-    }
-  }
-
-  if $ceph::profile::params::bootstrap_mds_key {
-    ceph::key { 'client.bootstrap-mds':
-      secret       => $ceph::profile::params::bootstrap_mds_key,
-      keyring_path => '/var/lib/ceph/bootstrap-mds/ceph.keyring',
-      cap_mon      => 'allow profile bootstrap-mds',
+  if !empty($ceph::profile::params::client_keys) {
+    class { '::ceph::keys':
+      args     => $ceph::profile::params::client_keys,
+      defaults => $defaults
    }
  }
 }
--- a/manifests/profile/osd.pp
+++ b/manifests/profile/osd.pp
@ -14,23 +14,14 @@
 #   limitations under the License.
 #
 # Author: David Gurtner <aldavud@crimson.ch>
+# Author: David Moreau Simard <dmsimard@iweb.com>
 #
 # Class: ceph::profle::osd
 #
 # Profile for a Ceph osd
 #
 class ceph::profile::osd {
-  require ceph::profile::base
-
-  # this supports providing the key manually
-  if $ceph::profile::params::bootstrap_osd_key {
-    if ! defined(Ceph::Key['client.bootstrap-osd']) {
-      ceph::key { 'client.bootstrap-osd':
-        keyring_path => '/var/lib/ceph/bootstrap-osd/ceph.keyring',
-        secret       => $ceph::profile::params::bootstrap_osd_key,
-      }
-    }
-  }
+  require ::ceph::profile::client

  class { '::ceph::osds':
    args => $ceph::profile::params::osds,
--- a/manifests/profile/params.pp
+++ b/manifests/profile/params.pp
@ -14,6 +14,7 @@
 #   limitations under the License.
 #
 #  Author: David Gurtner <aldavud@crimson.ch>
+#  Author: David Moreau Simard <dmsimard@iweb.com>
 #
 # == Class: ceph::profile::params
 #
@ -69,22 +70,17 @@
 # [*public_network*] The address of the public network.
 #   Optional. {public-network-ip/netmask}
 #
-# [*admin_key*] The admin secret key.
-#   Optional.
-#
-# [*admin_key_mode*] The admin key mode.
-#   Optional.
-#
 # [*mon_key*] The mon secret key.
 #   Optional. Either mon_key or mon_keyring need to be set when using cephx.
 #
 # [*mon_keyring*] The location of the keyring retrieved by default
 #   Optional. Either mon_key or mon_keyring need to be set when using cephx
 #
-# [*bootstrap_osd_key*] The osd secret key (used for bootstrap)
-#   Optional.
+# [*client_keys*] A hash of client keys that will be passed to ceph::keys.
+#   Optional but required when using cephx.
+#   See ceph::key for hash parameters andstructure.
 #
-# [*bootstrap_mds_key*] The mds secret key (used for bootstrap)
+# [*osds*] A Ceph osd hash
 #   Optional.
 #
 # [*manage_repo*] Whether we should manage the local repository (true) or depend
@ -92,9 +88,6 @@
 #   the repo by yourself.
 #   Optional. Defaults to true
 #
-# [*osds*] A Ceph osd hash
-#   Optional.
-#
 class ceph::profile::params (
  # puppet 2.7 compatibiliy hack. TODO: change to undef once 2.7 is deprecated
  $fsid = '4b5c8c0a-ff60-454b-a1b4-9747aa737d19',
@ -108,13 +101,15 @@ class ceph::profile::params (
  $osd_pool_default_min_size = undef,
  $cluster_network = undef,
  $public_network = undef,
-  $admin_key = undef,
-  $admin_key_mode = undef,
  $mon_key = undef,
  $mon_keyring = undef,
-  $bootstrap_osd_key = undef,
-  $bootstrap_mds_key = undef,
+  $client_keys = {},
  $osds = undef,
  $manage_repo = true,
 ) {
+  validate_hash($client_keys)
+
+  if $authentication_type == 'cephx' and empty($client_keys) {
+    fail("client_keys must be provided when using authentication_type = 'cephx'")
+  }
 }
--- a/spec/classes/ceph_profile_client_spec.rb
+++ b/spec/classes/ceph_profile_client_spec.rb
@ -14,17 +14,79 @@
 #   limitations under the License.
 #
 #  Author: David Gurtner <aldavud@crimson.ch>
+#  Author: David Moreau Simard <dmsimard@iweb.com>
 #
 require 'spec_helper'

 describe 'ceph::profile::client' do

  shared_examples_for 'ceph profile client' do
-    it { is_expected.to contain_ceph__key('client.admin').with(
-      :secret       => 'AQBMGHJTkC8HKhAAJ7NH255wYypgm1oVuV41MA==',
-      :keyring_path => '/etc/ceph/ceph.client.admin.keyring',
-      :mode         => '0644')
-    }
+    context 'with the default client keys defined in common.yaml' do
+
+      it { is_expected.to contain_class('ceph::profile::base') }
+      it { is_expected.to contain_class('ceph::keys').with(
+        'args' => {
+          'client.admin' => {
+            'secret'  => 'AQBMGHJTkC8HKhAAJ7NH255wYypgm1oVuV41MA==',
+            'mode'    => '0600',
+            'cap_mon' => 'allow *',
+            'cap_osd' => 'allow *',
+            'cap_mds' => 'allow *'
+          },
+          'client.bootstrap-osd' => {
+            'secret'       => 'AQARG3JTsDDEHhAAVinHPiqvJkUi5Mww/URupw==',
+            'keyring_path' => '/var/lib/ceph/bootstrap-osd/ceph.keyring',
+            'cap_mon'      => 'allow profile bootstrap-osd'
+          },
+          'client.bootstrap-mds' => {
+            'secret'       => 'AQCztJdSyNb0NBAASA2yPZPuwXeIQnDJ9O8gVw==',
+            'keyring_path' => '/var/lib/ceph/bootstrap-mds/ceph.keyring',
+            'cap_mon'      => 'allow profile bootstrap-mds'
+          },
+          'client.volumes' => {
+            'secret'  => 'AQA4MPZTOGU0ARAAXH9a0fXxVq0X25n2yPREDw==',
+            'mode'    => '0644',
+            'user'    => 'root',
+            'group'   => 'root',
+            'cap_mon' => 'allow r',
+            'cap_osd' => 'allow class-read object_prefix rbd_children, allow rwx pool=volumes'
+          }
+        }
+      )}
+    end
+
+    context 'with the specific client keys defined in client.yaml' do
+
+      before :each do
+        facts.merge!( :hostname => 'client')
+      end
+
+      it { is_expected.to contain_class('ceph::profile::base') }
+      it { is_expected.to contain_class('ceph::keys').with(
+        'args' => {
+          'client.volumes' => {
+            'secret'  => 'AQA4MPZTOGU0ARAAXH9a0fXxVq0X25n2yPREDw==',
+            'mode'    => '0644',
+            'user'    => 'root',
+            'group'   => 'root',
+            'cap_mon' => 'allow r',
+            'cap_osd' => 'allow class-read object_prefix rbd_children, allow rwx pool=volumes'
+          }
+        }
+      )}
+    end
+
+    context 'without cephx and client_keys' do
+      let :pre_condition do
+        "class { 'ceph::profile::params':
+          authentication_type => 'undef',
+          client_keys         => {}
+        }"
+      end
+
+      it { is_expected.to contain_class('ceph::profile::base') }
+      it { is_expected.to_not contain_class('ceph::keys') }
+    end
  end

  context 'on Debian' do
--- a/spec/classes/ceph_profile_mon_spec.rb
+++ b/spec/classes/ceph_profile_mon_spec.rb
@ -20,36 +20,45 @@ require 'spec_helper'
 describe 'ceph::profile::mon' do

  shared_examples_for 'ceph profile mon' do
+
    it { is_expected.to contain_ceph__mon('first').with(
      :authentication_type => 'cephx',
      :key                 => 'AQATGHJTUCBqIBAA7M2yafV1xctn1pgr3GcKPg==')
    }
-    it { is_expected.to contain_ceph__key('client.admin').with(
-      :secret          => 'AQBMGHJTkC8HKhAAJ7NH255wYypgm1oVuV41MA==',
-      :cap_mon         => 'allow *',
-      :cap_osd         => 'allow *',
-      :cap_mds         => 'allow',
-      :mode            => '0644',
-      :inject          => true,
-      :inject_as_id    => 'mon.',
-      :inject_keyring  => '/var/lib/ceph/mon/ceph-first/keyring')
-    }
-    it { is_expected.to contain_ceph__key('client.bootstrap-osd').with(
-      :secret          => 'AQARG3JTsDDEHhAAVinHPiqvJkUi5Mww/URupw==',
-      :keyring_path    => '/var/lib/ceph/bootstrap-osd/ceph.keyring',
-      :cap_mon         => 'allow profile bootstrap-osd',
-      :inject          => true,
-      :inject_as_id    => 'mon.',
-      :inject_keyring  => '/var/lib/ceph/mon/ceph-first/keyring')
-    }
-    it { is_expected.to contain_ceph__key('client.bootstrap-mds').with(
-      :secret          => 'AQCztJdSyNb0NBAASA2yPZPuwXeIQnDJ9O8gVw==',
-      :keyring_path    => '/var/lib/ceph/bootstrap-mds/ceph.keyring',
-      :cap_mon         => 'allow profile bootstrap-mds',
-      :inject          => true,
-      :inject_as_id    => 'mon.',
-      :inject_keyring  => '/var/lib/ceph/mon/ceph-first/keyring')
-    }
+    it { is_expected.to contain_class('ceph::keys').with(
+      'args' => {
+        'client.admin' => {
+          'secret'  => 'AQBMGHJTkC8HKhAAJ7NH255wYypgm1oVuV41MA==',
+          'mode'    => '0600',
+          'cap_mon' => 'allow *',
+          'cap_osd' => 'allow *',
+          'cap_mds' => 'allow *'
+        },
+        'client.bootstrap-osd' => {
+          'secret'       => 'AQARG3JTsDDEHhAAVinHPiqvJkUi5Mww/URupw==',
+          'keyring_path' => '/var/lib/ceph/bootstrap-osd/ceph.keyring',
+          'cap_mon'      => 'allow profile bootstrap-osd'
+        },
+        'client.bootstrap-mds' => {
+          'secret'       => 'AQCztJdSyNb0NBAASA2yPZPuwXeIQnDJ9O8gVw==',
+          'keyring_path' => '/var/lib/ceph/bootstrap-mds/ceph.keyring',
+          'cap_mon'      => 'allow profile bootstrap-mds'
+        },
+        'client.volumes' => {
+          'secret'  => 'AQA4MPZTOGU0ARAAXH9a0fXxVq0X25n2yPREDw==',
+          'mode'    => '0644',
+          'user'    => 'root',
+          'group'   => 'root',
+          'cap_mon' => 'allow r',
+          'cap_osd' => 'allow class-read object_prefix rbd_children, allow rwx pool=volumes'
+        }
+      },
+      'defaults' => {
+        'inject'         => true,
+        'inject_as_id'   => 'mon.',
+        'inject_keyring' => '/var/lib/ceph/mon/ceph-first/keyring'
+      }
+    )}
  end

  context 'on Debian' do
--- a/spec/classes/ceph_profile_osd_spec.rb
+++ b/spec/classes/ceph_profile_osd_spec.rb
@ -26,10 +26,7 @@ describe 'ceph::profile::osd' do
        facts.merge!( :hostname => 'osd')
      end

-      it { is_expected.to contain_ceph__key('client.bootstrap-osd').with(
-        :keyring_path     => '/var/lib/ceph/bootstrap-osd/ceph.keyring',
-        :secret           => 'AQARG3JTsDDEHhAAVinHPiqvJkUi5Mww/URupw==')
-      }
+      it { is_expected.to contain_class('ceph::profile::client') }
      it { is_expected.to contain_ceph__osd('/dev/sdc').with(:journal => '/dev/sdb1') }
      it { is_expected.to contain_ceph__osd('/dev/sdd').with(:journal => '/dev/sdb2') }
    end
@ -40,10 +37,7 @@ describe 'ceph::profile::osd' do
        facts.merge!( :hostname => 'first')
      end

-      it { is_expected.to contain_ceph__key('client.bootstrap-osd').with(
-        :keyring_path     => '/var/lib/ceph/bootstrap-osd/ceph.keyring',
-        :secret           => 'AQARG3JTsDDEHhAAVinHPiqvJkUi5Mww/URupw==')
-      }
+      it { is_expected.to contain_class('ceph::profile::client') }
      it { is_expected.to contain_ceph__osd('/dev/sdb').with( :journal => '/tmp/journal') }
    end
  end
--- a/spec/classes/ceph_profile_params_spec.rb
+++ b/spec/classes/ceph_profile_params_spec.rb
@ -0,0 +1,87 @@
+#
+#  Copyright (C) 2015 iWeb Technologies Inc.
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+#  Author: David Moreau Simard <dmsimard@iweb.com>
+#
+require 'spec_helper'
+
+describe 'ceph::profile::params' do
+
+  shared_examples_for 'ceph profile params' do
+    describe "should fail when client_keys is not a hash" do
+
+      let :pre_condition do
+        "class { 'ceph::profile::params':
+          client_keys => 'client.admin'
+        }"
+      end
+
+      it { is_expected.to raise_error Puppet::Error, /is not a Hash/ }
+    end
+
+    describe "should fail when using cephx without client_keys" do
+
+      let :pre_condition do
+        "class { 'ceph::profile::params':
+          authentication_type => 'cephx',
+          client_keys => {}
+        }"
+      end
+
+      it { is_expected.to raise_error Puppet::Error,
+        /client_keys must be provided when using authentication_type = 'cephx'/
+      }
+    end
+  end
+
+  context 'on Debian' do
+
+    let :facts do
+      {
+        :osfamily        => 'Debian',
+        :lsbdistcodename => 'wheezy'
+      }
+    end
+
+    it_configures 'ceph profile params'
+  end
+
+  context 'on Ubuntu' do
+
+    let :facts do
+      {
+        :osfamily        => 'Debian',
+        :lsbdistcodename => 'Precise'
+      }
+    end
+
+    it_configures 'ceph profile params'
+  end
+
+  context 'on RHEL6' do
+
+    let :facts do
+      { :osfamily => 'RedHat', }
+    end
+
+    it_configures 'ceph profile params'
+  end
+end
+# Local Variables:
+# compile-command: "cd ../.. ;
+#    BUNDLE_PATH=/tmp/vendor bundle install ;
+#    BUNDLE_PATH=/tmp/vendor bundle exec rake spec
+# "
+# End:
--- a/spec/fixtures/hieradata/common.yaml
+++ b/spec/fixtures/hieradata/common.yaml
@ -1,6 +1,6 @@
 ---
 ######## Ceph
-ceph::profile::params::release: 'firefly'
+ceph::profile::params::release: 'giant'

 ######## Ceph.conf
 ceph::profile::params::fsid: '4b5c8c0a-ff60-454b-a1b4-9747aa737d19'
@ -16,13 +16,30 @@ ceph::profile::params::public_network: '10.11.12.0/24'

 ######## Keys
 ceph::profile::params::mon_key: 'AQATGHJTUCBqIBAA7M2yafV1xctn1pgr3GcKPg=='
-ceph::profile::params::admin_key: 'AQBMGHJTkC8HKhAAJ7NH255wYypgm1oVuV41MA=='
-ceph::profile::params::admin_key_mode: '0644'
-ceph::profile::params::bootstrap_osd_key: 'AQARG3JTsDDEHhAAVinHPiqvJkUi5Mww/URupw=='
-ceph::profile::params::bootstrap_mds_key: 'AQCztJdSyNb0NBAASA2yPZPuwXeIQnDJ9O8gVw=='
+ceph::profile::params::client_keys:
+  'client.admin':
+    secret: 'AQBMGHJTkC8HKhAAJ7NH255wYypgm1oVuV41MA=='
+    mode: '0600'
+    cap_mon: 'allow *'
+    cap_osd: 'allow *'
+    cap_mds: 'allow *'
+  'client.bootstrap-osd':
+    secret: 'AQARG3JTsDDEHhAAVinHPiqvJkUi5Mww/URupw=='
+    keyring_path: '/var/lib/ceph/bootstrap-osd/ceph.keyring'
+    cap_mon: 'allow profile bootstrap-osd'
+  'client.bootstrap-mds':
+    secret: 'AQCztJdSyNb0NBAASA2yPZPuwXeIQnDJ9O8gVw=='
+    keyring_path: '/var/lib/ceph/bootstrap-mds/ceph.keyring'
+    cap_mon: 'allow profile bootstrap-mds'
+  'client.volumes':
+    secret: 'AQA4MPZTOGU0ARAAXH9a0fXxVq0X25n2yPREDw=='
+    mode: '0644'
+    user: 'root'
+    group: 'root'
+    cap_mon: 'allow r'
+    cap_osd: 'allow class-read object_prefix rbd_children, allow rwx pool=volumes'
 ceph::profile::params::osds:
  '/dev/sdc':
    journal: '/dev/sdb1'
  '/dev/sdd':
    journal: '/dev/sdb2'
-
--- a/spec/fixtures/hieradata/nodes/client.yaml
+++ b/spec/fixtures/hieradata/nodes/client.yaml
@ -0,0 +1,9 @@
+---
+ceph::profile::params::client_keys:
+  'client.volumes':
+    secret: 'AQA4MPZTOGU0ARAAXH9a0fXxVq0X25n2yPREDw=='
+    mode: '0644'
+    user: 'root'
+    group: 'root'
+    cap_mon: 'allow r'
+    cap_osd: 'allow class-read object_prefix rbd_children, allow rwx pool=volumes'
--- a/spec/system/ceph_profile_client_spec.rb
+++ b/spec/system/ceph_profile_client_spec.rb
@ -14,6 +14,7 @@
 #   limitations under the License.
 #
 #  Author: David Gurtner <aldavud@crimson.ch>
+#  Author: David Moreau Simard <dmsimard@iweb.com>
 #
 require 'spec_helper_system'

@ -25,6 +26,7 @@ describe 'ceph::profile::client' do
  packages = "[ 'python-ceph', 'ceph-common', 'librados2', 'librbd1', 'libcephfs1' ]"
  fsid = 'a4807c9a-e76f-4666-a297-6d6cbc922e3a'
  admin_key = 'AQA0TVRTsP/aHxAAFBvntu1dSEJHxtJeFFrRsg=='
+  volumes_key = 'AQA4MPZTOGU0ARAAXH9a0fXxVq0X25n2yPREDw=='
  mon_key = 'AQATGHJTUCBqIBAA7M2yafV1xctn1pgr3GcKPg=='
  hieradata_common = '/var/lib/hiera/common.yaml'
  hiera_shared = <<-EOS
@ -39,6 +41,7 @@ ceph::profile::params::mon_host: '10.11.12.2:6789'
   ->
   file { [
      '/etc/ceph/ceph.client.admin.keyring',
+      '/etc/ceph/ceph.client.volumes.keyring'
     ]:
     ensure => absent
   }
@ -65,12 +68,25 @@ ceph::profile::params::mon_host: '10.11.12.2:6789'
      end

      describe 'on one host' do
-        it 'should install one monitor and one client on one host', :cephx do
+        it 'should install one monitor and one extra client on one host', :cephx do
          hiera = <<-EOS
 ceph::profile::params::release: '#{release}'
 ceph::profile::params::authentication_type: 'cephx'
-ceph::profile::params::admin_key: '#{admin_key}'
 ceph::profile::params::mon_key: '#{mon_key}'
+ceph::profile::params::client_keys:
+  'client.admin':
+    secret: #{admin_key}
+    mode: '0600'
+    cap_mon: 'allow *'
+    cap_osd: 'allow *'
+    cap_mds: 'allow *'
+  'client.volumes':
+    secret: #{volumes_key}
+    mode: '0644'
+    user: 'root'
+    group: 'root'
+    cap_mon: 'allow r'
+    cap_osd: 'allow class-read object_prefix rbd_children, allow rwx pool=volumes'
          EOS

          file = Tempfile.new('hieradata')
@ -99,10 +115,21 @@ ceph::profile::params::mon_key: '#{mon_key}'
            r.exit_code.should be_zero
          end

+          shell 'ceph -n client.volumes -s' do |r|
+            r.stdout.should =~ /1 mons .* quorum 0 first/
+            r.stderr.should be_empty
+            r.exit_code.should be_zero
+          end
+
          shell 'ceph auth list' do |r|
            r.stdout.should =~ /#{admin_key}/
            r.exit_code.should be_zero
          end
+
+          shell 'ceph auth list' do |r|
+            r.stdout.should =~ /#{volumes_key}/
+            r.exit_code.should be_zero
+          end
        end

        it 'should uninstall one monitor' do
@ -115,12 +142,42 @@ ceph::profile::params::mon_key: '#{mon_key}'
      describe 'on two hosts' do
        it 'should install one monitor on first host, one client on second host', :cephx do
          ['first', 'second'].each do |vm|
-            hiera = <<-EOS
+            if vm == "first"
+              hiera = <<-EOS
 ceph::profile::params::release: '#{release}'
 ceph::profile::params::authentication_type: 'cephx'
-ceph::profile::params::admin_key: '#{admin_key}'
 ceph::profile::params::mon_key: '#{mon_key}'
-            EOS
+ceph::profile::params::client_keys:
+  'client.admin':
+    secret: #{admin_key}
+    mode: '0600'
+    cap_mon: 'allow *'
+    cap_osd: 'allow *'
+    cap_mds: 'allow *'
+  'client.volumes':
+    secret: #{volumes_key}
+    mode: '0644'
+    user: 'root'
+    group: 'root'
+    cap_mon: 'allow r'
+    cap_osd: 'allow class-read object_prefix rbd_children, allow rwx pool=volumes'
+              EOS
+            end
+
+            if vm == "second"
+              hiera = <<-EOS
+ceph::profile::params::release: '#{release}'
+ceph::profile::params::authentication_type: 'cephx'
+ceph::profile::params::client_keys:
+  'client.volumes':
+    secret: #{volumes_key}
+    mode: '0644'
+    user: 'root'
+    group: 'root'
+    cap_mon: 'allow r'
+    cap_osd: 'allow class-read object_prefix rbd_children, allow rwx pool=volumes'
+              EOS
+            end

            file = Tempfile.new('hieradata')
            begin
@ -150,15 +207,27 @@ ceph::profile::params::mon_key: '#{mon_key}'
            end
          end

-          shell 'ceph -s' do |r|
-            r.stdout.should =~ /1 mons .* quorum 0 first/
-            r.stderr.should be_empty
-            r.exit_code.should be_zero
-          end
+          ['first', 'second'].each do |vm|
+            if vm == "first"
+              shell 'ceph -s' do |r|
+                r.stdout.should =~ /1 mons .* quorum 0 first/
+                r.stderr.should be_empty
+                r.exit_code.should be_zero
+              end

-          shell 'ceph auth list' do |r|
-            r.stdout.should =~ /#{admin_key}/
-            r.exit_code.should be_zero
+              shell 'ceph auth list' do |r|
+                r.stdout.should =~ /#{admin_key}/
+                r.exit_code.should be_zero
+              end
+            end
+
+            if vm == "second"
+              shell 'ceph -n client.volumes -s' do |r|
+                r.stdout.should =~ /1 mons .* quorum 0 first/
+                r.stderr.should be_empty
+                r.exit_code.should be_zero
+              end
+            end
          end
        end

--- a/spec/system/ceph_profile_mon_spec.rb
+++ b/spec/system/ceph_profile_mon_spec.rb
@ -14,6 +14,7 @@
 #   limitations under the License.
 #
 #  Author: David Gurtner <aldavud@crimson.ch>
+#  Author: David Moreau Simard <dmsimard@iweb.com>
 #
 require 'spec_helper_system'

@ -123,10 +124,16 @@ ceph::profile::params::mon_host: '10.11.12.2:6789'
          hiera = <<-EOS
 ceph::profile::params::release: '#{release}'
 ceph::profile::params::authentication_type: 'cephx'
-ceph::profile::params::admin_key: '#{admin_key}'
 ceph::profile::params::mon_key: '#{mon_key}'
 ceph::profile::params::mon_initial_members: 'first'
 ceph::profile::params::mon_host: '10.11.12.2:6789'
+ceph::profile::params::client_keys:
+  'client.admin':
+    secret: #{admin_key}
+    mode: '0600'
+    cap_mon: 'allow *'
+    cap_osd: 'allow *'
+    cap_mds: 'allow *'
          EOS

          file = Tempfile.new('hieradata')
@ -199,10 +206,16 @@ ceph::profile::params::mon_host: '10.11.12.2:6789'
          hiera = <<-EOS
 ceph::profile::params::release: '#{release}'
 ceph::profile::params::authentication_type: 'cephx'
-ceph::profile::params::admin_key: '#{admin_key}'
 ceph::profile::params::mon_keyring: '#{keyring_path}'
 ceph::profile::params::mon_initial_members: 'first'
 ceph::profile::params::mon_host: '10.11.12.2:6789'
+ceph::profile::params::client_keys:
+  'client.admin':
+    secret: #{admin_key}
+    mode: '0600'
+    cap_mon: 'allow *'
+    cap_osd: 'allow *'
+    cap_mds: 'allow *'
          EOS

          file = Tempfile.new('hieradata')
--- a/spec/system/ceph_profile_osd_spec.rb
+++ b/spec/system/ceph_profile_osd_spec.rb
@ -194,11 +194,20 @@ ceph::profile::params::osds:
          hiera = <<-EOS
 ceph::profile::params::release: '#{release}'
 ceph::profile::params::authentication_type: 'cephx'
-ceph::profile::params::admin_key: '#{admin_key}'
-ceph::profile::params::bootstrap_osd_key: '#{bootstrap_osd_key}'
 ceph::profile::params::mon_key: '#{mon_key}'
 ceph::profile::params::osds:
  '/dev/sdb': {}
+ceph::profile::params::client_keys:
+  'client.admin':
+    secret: #{admin_key}
+    mode: '0600'
+    cap_mon: 'allow *'
+    cap_osd: 'allow *'
+    cap_mds: 'allow *'
+  'client.bootstrap-osd':
+    secret: #{bootstrap_osd_key}
+    keyring_path: '/var/lib/ceph/bootstrap-osd/ceph.keyring'
+    cap_mon: 'allow profile bootstrap-osd'
          EOS

          file = Tempfile.new('hieradata')
@ -341,11 +350,20 @@ ceph::profile::params::osds:
            hiera = <<-EOS
 ceph::profile::params::release: '#{release}'
 ceph::profile::params::authentication_type: 'cephx'
-ceph::profile::params::admin_key: '#{admin_key}'
-ceph::profile::params::bootstrap_osd_key: '#{bootstrap_osd_key}'
 ceph::profile::params::mon_key: '#{mon_key}'
 ceph::profile::params::osds:
  '/dev/sdb': {}
+ceph::profile::params::client_keys:
+  'client.admin':
+    secret: #{admin_key}
+    mode: '0600'
+    cap_mon: 'allow *'
+    cap_osd: 'allow *'
+    cap_mds: 'allow *'
+  'client.bootstrap-osd':
+    secret: #{bootstrap_osd_key}
+    keyring_path: '/var/lib/ceph/bootstrap-osd/ceph.keyring'
+    cap_mon: 'allow profile bootstrap-osd'
            EOS

            file = Tempfile.new('hieradata')