qa: test auth rotate

batrick · batrick · commit 2ae027f27191 · 2024-06-20T21:31:12.000-04:00
Signed-off-by: Patrick Donnelly &lt;pdonnell@redhat.com&gt;
diff --git a/qa/workunits/cephtool/test.sh b/qa/workunits/cephtool/test.sh
@@ -609,6 +609,26 @@ function test_auth()
   ceph auth del client.xx
   expect_false ceph auth get client.xx
 
+  # test rotation
+  ceph auth get-or-create client.admin2 mon 'allow *'
+  ceph auth get client.admin2 >> keyring1
+  env CEPH_KEYRING=keyring1 ceph -n client.admin2 auth get client.admin2 >> keyring2
+  # they are the same:
+  expect_true diff -au keyring1 keyring2
+  # rotate itself
+  env CEPH_KEYRING=keyring1 ceph -n client.admin2 auth rotate client.admin2 >> keyring3
+  # only the key has changed:
+  diff -au keyring1 keyring3 | grep -E '^[-+][^-+]' | expect_false grep -v key
+  # the key in keyring1 no longer works:
+  expect_false env CEPH_KEYRING=keyring1 ceph -n client.admin2 auth get client.admin2
+  # the key in keyring3 should work:
+  expect_true env CEPH_KEYRING=keyring3 ceph -n client.admin2 auth get client.admin2
+  # now verify the key from `auth get` matches what rotate produced:
+  expect_true ceph auth get client.admin2 >> keyring4
+  expect_true diff -au keyring3 keyring4
+  expect_true ceph auth rm client.admin2
+  rm keyring[1234]
+
   # (almost) interactive mode
   echo -e 'auth add client.xx mon "allow *" osd "allow *"\n' | ceph
   ceph auth get client.xx
