mgr/volumes: Optionally authorize existing auth-ids
authorKotresh HR <khiremat@redhat.com>
Tue, 15 Dec 2020 12:12:25 +0000 (17:42 +0530)
committerKotresh HR <khiremat@redhat.com>
Wed, 13 Jan 2021 12:58:17 +0000 (18:28 +0530)
Optionally allow authorizing auth-ids not created by the mgr plugin
via the option 'allow_existing_id'. This can help existing deployers
of manila to disallow/allow authorization of pre-created auth IDs
via a manila driver config that sets 'allow_existing_id' to False/True.

Fixes: https://tracker.ceph.com/issues/44931
Signed-off-by: Kotresh HR <khiremat@redhat.com>
src/pybind/mgr/volumes/fs/operations/versions/subvolume_v1.py
src/pybind/mgr/volumes/fs/volume.py
src/pybind/mgr/volumes/module.py

index 1857165dbed308fca7786b0a49bf3362b9e8de26..50e9f0e032f24cfd995ee654eb8ac8ac7dc66fe7 100644 (file)
@@ -301,7 +301,7 @@ class SubvolumeV1(SubvolumeBase, SubvolumeTemplate):
         auth_meta['dirty'] = False
         self.auth_mdata_mgr.auth_metadata_set(auth_id, auth_meta)
 
-    def authorize(self, auth_id, access_level, tenant_id=None):
+    def authorize(self, auth_id, access_level, tenant_id=None, allow_existing_id=False):
         """
         Get-or-create a Ceph auth identity for `auth_id` and grant them access
         to
@@ -310,6 +310,8 @@ class SubvolumeV1(SubvolumeBase, SubvolumeTemplate):
         :param tenant_id: Optionally provide a stringizable object to
                           restrict any created cephx IDs to other callers
                           passing the same tenant ID.
+        :allow_existing_id: Optionally authorize existing auth-ids not
+                          created by ceph_volume_client.
         :return:
         """
 
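Review bot: The added docstring field on the `:allow_existing_id:` line does not follow the `:param name:` form used for `tenant_id` directly above it, so reST tooling will not render it as a parameter, and it says the IDs were "not created by ceph_volume_client" while the error raised later in this same method names the mgr plugin. Change it to `:param allow_existing_id: Optionally authorize an existing cephx ID that was not created by this mgr plugin (default False).` Because the flag switches off the ownership check on pre-existing auth IDs, a one-sentence caveat that the caller is then responsible for verifying it owns that cephx ID would help future readers. The enclosing authorize method starts and ends outside this hunk.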
@@ -346,7 +348,7 @@ class SubvolumeV1(SubvolumeBase, SubvolumeTemplate):
             }
 
             if auth_meta is None:
-                if existing_caps is not None:
+                if not allow_existing_id and existing_caps is not None:
                     msg = "auth ID: {0} exists and not created by mgr plugin. Not allowed to modify".format(auth_id)
                     log.error(msg)
                     raise VolumeException(-errno.EPERM, msg)
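Review bot: The relaxed guard on the `if not allow_existing_id and existing_caps is not None:` line lets the plugin take over and later rewrite the caps of a cephx entity it never created, and the new accept path leaves no trace, whereas the refusal path logs at error level. Add a warning before falling through, e.g. `log.warning("auth ID: {0} exists and was not created by mgr plugin; adopting it because allow_existing_id is set".format(auth_id))`, so an operator can audit adoptions of pre-existing keys. Since auth_meta is None on this branch, the remainder of authorize (outside this hunk) presumably creates fresh metadata for the ID under the caller's tenant_id, which means the tenant-ownership check never runs for that entity; the docstring should say that allow_existing_id is only safe when the caller has already verified it owns the ID. The enclosing authorize method begins and ends outside this hunk.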
index a7461b471fe8b8215f71bdb733f7cad957eab0bb..9f82fa550ddbc61175ee76eb45ea6e1b824fc303 100644 (file)
@@ -213,12 +213,13 @@ class VolumeClient(CephfsClient):
         groupname   = kwargs['group_name']
         accesslevel = kwargs['access_level']
         tenant_id   = kwargs['tenant_id']
+        allow_existing_id = kwargs['allow_existing_id']
 
         try:
             with open_volume(self, volname) as fs_handle:
                 with open_group(fs_handle, self.volspec, groupname) as group:
                     with open_subvol(self.mgr, fs_handle, self.volspec, group, subvolname, SubvolumeOpType.ALLOW_ACCESS) as subvolume:
-                        key = subvolume.authorize(authid, accesslevel, tenant_id)
+                        key = subvolume.authorize(authid, accesslevel, tenant_id, allow_existing_id)
                         ret = 0, key, ""
         except VolumeException as ve:
             ret = self.volume_exception_to_retval(ve)
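Review bot: `allow_existing_id = kwargs['allow_existing_id']` raises KeyError for any caller of authorize_subvolume that has not been updated to pass the new key, even though the method it forwards to defaults the flag to False; `allow_existing_id = kwargs.get('allow_existing_id', False)` keeps the safe default for such callers. I would also pass it by keyword at the call site, `key = subvolume.authorize(authid, accesslevel, tenant_id, allow_existing_id=allow_existing_id)`, since a bare positional boolean that disables a permission check is easy to misread. This does mirror the existing `kwargs['tenant_id']` style, so it may be intentional; the enclosing method begins before this hunk.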
index 7c5155f4b6e6bbde5d3bdda4f02c05a55254228b..66d2c0e1d26601fe12cc5e3bfe4085ac564902ee 100644 (file)
@@ -126,7 +126,8 @@ class Module(orchestrator.OrchestratorClientMixin, MgrModule):
                    'name=auth_id,type=CephString '
                    'name=group_name,type=CephString,req=false '
                    'name=access_level,type=CephString,req=false '
-                   'name=tenant_id,type=CephString,req=false ',
+                   'name=tenant_id,type=CephString,req=false '
+                   'name=allow_existing_id,type=CephBool,req=false ',
             'desc': "Allow a cephx auth ID access to a subvolume",
             'perm': 'rw'
         },
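Review bot: The new `allow_existing_id` CephBool option is not reflected in the command's `desc`, so the CLI help will list the flag without explaining that it lets the command adopt and modify cephx IDs the volumes module did not create. Suggest `'desc': "Allow a cephx auth ID access to a subvolume (allow_existing_id: also adopt an existing auth ID not created by this module)",` or similar wording. Since the command is already `perm: 'rw'`, documenting this wider effect helps operators decide who should be allowed to run it.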
@@ -532,7 +533,8 @@ class Module(orchestrator.OrchestratorClientMixin, MgrModule):
                                            auth_id=cmd['auth_id'],
                                            group_name=cmd.get('group_name', None),
                                            access_level=cmd.get('access_level', 'rw'),
-                                           tenant_id=cmd.get('tenant_id', None))
+                                           tenant_id=cmd.get('tenant_id', None),
+                                           allow_existing_id=cmd.get('allow_existing_id', False))
 
     @mgr_cmd_wrap
     def _cmd_fs_subvolume_deauthorize(self, inbuf, cmd):