pybind/ceph_volume_client: Optionally authorize existing auth-ids
authorKotresh HR <khiremat@redhat.com>
Sun, 6 Dec 2020 07:10:20 +0000 (12:40 +0530)
committerPatrick Donnelly <pdonnell@redhat.com>
Wed, 16 Dec 2020 15:57:46 +0000 (07:57 -0800)
Optionally allow authorizing auth-ids not created by ceph_volume_client
via the option 'allow_existing_id'. This can help existing deployers
of manila to disallow/allow authorization of pre-created auth IDs
via a manila driver config that sets 'allow_existing_id' to False/True.

Fixes: https://tracker.ceph.com/issues/48555
Signed-off-by: Kotresh HR <khiremat@redhat.com>
(cherry picked from commit 77b42496e25cbd4af2e80a064ddf26221b53733f)

src/pybind/ceph_volume_client.py

index 42dc476ac938895992c0cecc8a546f87257219d2..b748f5d85f784abf3cd2a30b7b52f17c36580bb7 100644 (file)
@@ -972,7 +972,7 @@ class CephFSVolumeClient(object):
 
         return caps_list
 
-    def authorize(self, volume_path, auth_id, readonly=False, tenant_id=None):
+    def authorize(self, volume_path, auth_id, readonly=False, tenant_id=None, allow_existing_id=False):
         """
         Get-or-create a Ceph auth identity for `auth_id` and grant them access
         to
@@ -982,6 +982,8 @@ class CephFSVolumeClient(object):
         :param tenant_id: Optionally provide a stringizable object to
                           restrict any created cephx IDs to other callers
                           passing the same tenant ID.
+        :allow_existing_id: Optionally authorize existing auth-ids not
+                            created by ceph_volume_client
         :return:
         """
 
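Review bot: The new docstring entry `:allow_existing_id:` omits the `param` keyword used by the neighbouring `:param tenant_id:` entry, so it does not read as a parameter; it should be `:param allow_existing_id:`. The entry should also state the default and the consequence, for example `Defaults to False. When True, an auth ID that already exists but was not created by ceph_volume_client is accepted instead of rejected`. That lets a driver author see from the docstring alone that enabling the flag drops an ownership check. The docstring opens and the function body continues outside this hunk.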
@@ -1013,7 +1015,7 @@ class CephFSVolumeClient(object):
             }
 
             if auth_meta is None:
-                if existing_caps is not None:
+                if not allow_existing_id and existing_caps is not None:
                     msg = "auth ID: {0} exists and not created by ceph_volume_client. Not allowed to modify".format(auth_id)
                     log.error(msg)
                     raise CephFSVolumeClientError(msg)
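Review bot: When `allow_existing_id` is true, the `existing_caps is not None` guard is skipped without leaving any trace, so an auth ID that was not created by ceph_volume_client is accepted silently. I would record the override for audit with an `elif existing_caps is not None:` branch that calls `log.warning("auth ID: {0} exists and was not created by ceph_volume_client; proceeding because allow_existing_id is set".format(auth_id))`. The flag is also all-or-nothing: nothing visible in this hunk keeps administrative or service identities out of scope once it is enabled. Deployments that expose the flag through driver configuration should leave it False unless the pre-created IDs are known and limited. What `authorize` does with the ID after this check lies outside the hunk.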