Merge pull request ceph#59631 from thotz/create-user-without-creds-cli

radosgw-admin: create user without creds cli

Reviewed-by: Matt Benjamin <[email protected]>
Reviewed-by: Casey Bodley <[email protected]>

Author: ivancich

doc/man/8/radosgw-admin.rst

@@ -541,6 +541,13 @@ Options
 
     Generate random secret key.
 
+.. option:: --generate-key
+
+    create user with or without credentials.
+    If this option set to false, then user cannot set --gen-access-key/--gen-secret/--secret-key/--access-key.
+    If this option set to true, then user cannot set  --secret-key/--access-key and bypass options for --gen-secret/--gen-access-key.
+    Default is true.
+
 .. option:: --key-type=<type>
 
     Key type, options are: swift, s3.

doc/radosgw/admin.rst

@@ -262,6 +262,7 @@ include:
 - ``--secret-key=<key>`` manually specifies a S3 secret key or a Swift secret key.
 - ``--gen-access-key`` automatically generates a random S3 access key.
 - ``--gen-secret`` automatically generates a random S3 secret key or a random Swift secret key.
+- ``--generate-key`` create user with or without credentials. If sets to false, then user cannot set ``gen-secret/gen-access-key/access-key/secret-key``
 
 Adding S3 keys
 ~~~~~~~~~~~~~~

src/bash_completion/radosgw-admin

@@ -19,7 +19,7 @@ _radosgw_admin()
 
         if [[ ${cur} == -* ]] ; then
             COMPREPLY=( $(compgen -W "--uid --subuser --access-key --os-user --email --auth_uid --secret --os-secret --gen-access-key --gen-secret \
-                                      --access --display-name --bucket --object --date --conf --name --id --version -s -w" -- ${cur}) )
+                                      --access --display-name --bucket --object --date --conf --name --id --version -s -w --generate-key" -- ${cur}) )
             return 0
         fi
 

src/rgw/rgw_admin.cc

@@ -361,6 +361,7 @@ void usage()
   cout << "   --secret/--secret-key=<key>       specify secret key\n";
   cout << "   --gen-access-key                  generate random access key (for S3)\n";
   cout << "   --gen-secret                      generate random secret key\n";
+  cout << "   --generate-key                    create user with or without credentials\n";
   cout << "   --key-type=<type>                 key type, options are: swift, s3\n";
   cout << "   --key-active=<bool>               activate or deactivate a key\n";
   cout << "   --temp-url-key[-2]=<key>          temp url key\n";
@@ -3556,6 +3557,13 @@ int main(int argc, const char **argv)
   OPT opt_cmd = OPT::NO_CMD;
   int gen_access_key = 0;
   int gen_secret_key = 0;
+  enum generate_key_enum {
+    OPTION_SET_FALSE = 0,
+    OPTION_SET_TRUE  = 1,
+    OPTION_NOT_SET   = 2,
+  };
+
+  generate_key_enum generate_key = OPTION_NOT_SET;
   bool set_perm = false;
   bool set_temp_url_key = false;
   map<int, string> temp_url_keys;
@@ -3837,6 +3845,17 @@ int main(int argc, const char **argv)
         cerr << "bad key type: " << key_type_str << std::endl;
         exit(1);
       }
+    } else if (ceph_argparse_witharg(args, i, &val, "--generate-key", (char*)NULL)) {
+      key_type_str = val;
+      if (key_type_str.compare("true") == 0) {
+	generate_key = OPTION_SET_TRUE;
+      } else if(key_type_str.compare("false") == 0) {
+	generate_key = OPTION_SET_FALSE;
+      } else {
+        cerr << "wrong value for --generate-key: " << key_type_str << " please specify either true or false" << std::endl;
+        exit(1);
+      }
+      // do nothing
     } else if (ceph_argparse_binary_flag(args, i, &key_active, NULL, "--key-active", (char*)NULL)) {
       key_active_specified = true;
     } else if (ceph_argparse_witharg(args, i, &val, "--job-id", (char*)NULL)) {
@@ -4600,14 +4619,21 @@ int main(int argc, const char **argv)
     }
 
     /* check key parameter conflict */
-    if ((!access_key.empty()) && gen_access_key) {
-        cerr << "ERROR: key parameter conflict, --access-key & --gen-access-key" << std::endl;
+    if ((!access_key.empty()) && (gen_access_key || generate_key == OPTION_SET_TRUE)) {
+        cerr << "ERROR: key parameter conflict, --access-key & --gen-access-key/generate-key" << std::endl;
         return EINVAL;
     }
-    if ((!secret_key.empty()) && gen_secret_key) {
-        cerr << "ERROR: key parameter conflict, --secret & --gen-secret" << std::endl;
+    if ((!secret_key.empty()) && (gen_secret_key || generate_key == OPTION_SET_TRUE)) {
+        cerr << "ERROR: key parameter conflict, --secret & --gen-secret/generate-key" << std::endl;
         return EINVAL;
     }
+    if (generate_key == OPTION_SET_FALSE) {
+      if ((!access_key.empty()) || gen_access_key || (!secret_key.empty()) || gen_secret_key) {
+        cerr << "ERROR: key parameter conflict, if --generate-key is not set so no other key parameters can be set" << std::endl;
+        return EINVAL;
+      }
+    }
+
   }
 
   // default to pretty json
@@ -6772,7 +6798,7 @@ int main(int argc, const char **argv)
     }
     break;
   case OPT::USER_CREATE:
-    if (!user_op.has_existing_user()) {
+    if (!user_op.has_existing_user() && (generate_key != OPTION_SET_FALSE)) {
       user_op.set_generate_key(); // generate a new key by default
     }
     ret = ruser.add(dpp(), user_op, null_yield, &err_msg);

src/test/cli/radosgw-admin/help.t

@@ -226,6 +226,7 @@
      --secret/--secret-key=<key>       specify secret key
      --gen-access-key                  generate random access key (for S3)
      --gen-secret                      generate random secret key
+     --generate-key                    create user with or without credentials
      --key-type=<type>                 key type, options are: swift, s3
      --key-active=<bool>               activate or deactivate a key
      --temp-url-key[-2]=<key>          temp url key