Optionally allow authorizing auth-ids not created by mgr plugin
via the option 'allow_existing_id'. This can help existing deployers
of manila to disallow/allow authorization of pre-created auth IDs
via a manila driver config that sets 'allow_existing_id' to False/True.
Fixes: https://tracker.ceph.com/issues/44931
Signed-off-by: Kotresh HR <khiremat@redhat.com>
(cherry picked from commit
713270d1869e2370b674b1a4bc6f6a37023a5917)
auth_meta['dirty'] = False
self.auth_mdata_mgr.auth_metadata_set(auth_id, auth_meta)
- def authorize(self, auth_id, access_level, tenant_id=None):
+ def authorize(self, auth_id, access_level, tenant_id=None, allow_existing_id=False):
"""
Get-or-create a Ceph auth identity for `auth_id` and grant them access
to
:param tenant_id: Optionally provide a stringizable object to
restrict any created cephx IDs to other callers
passing the same tenant ID.
+ :allow_existing_id: Optionally authorize existing auth-ids not
+ created by ceph_volume_client.
:return:
"""
}
if auth_meta is None:
- if existing_caps is not None:
+ if not allow_existing_id and existing_caps is not None:
msg = "auth ID: {0} exists and not created by mgr plugin. Not allowed to modify".format(auth_id)
log.error(msg)
raise VolumeException(-errno.EPERM, msg)
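Review bot: When `allow_existing_id` is True and `existing_caps is not None`, the rewritten condition skips the EPERM path silently, so taking over a cephx ID the plugin did not create leaves no trace in the mgr log, whereas the refused case is logged at error level. An operator auditing why an unmanaged auth ID's caps changed would want a record; add an `else` branch on the inner check, e.g. `elif existing_caps is not None: log.warning("auth ID: {0} exists and not created by mgr plugin; modifying because allow_existing_id is set".format(auth_id))`. The enclosing function starts and ends outside this hunk, so I cannot see how the existing caps are merged afterwards.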
groupname = kwargs['group_name']
accesslevel = kwargs['access_level']
tenant_id = kwargs['tenant_id']
+ allow_existing_id = kwargs['allow_existing_id']
try:
with open_volume(self, volname) as fs_handle:
with open_group(fs_handle, self.volspec, groupname) as group:
with open_subvol(self.mgr, fs_handle, self.volspec, group, subvolname, SubvolumeOpType.ALLOW_ACCESS) as subvolume:
- key = subvolume.authorize(authid, accesslevel, tenant_id)
+ key = subvolume.authorize(authid, accesslevel, tenant_id, allow_existing_id)
ret = 0, key, ""
except VolumeException as ve:
ret = self.volume_exception_to_retval(ve)
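Review bot: The added call `subvolume.authorize(authid, accesslevel, tenant_id, allow_existing_id)` passes a boolean positionally as the fourth argument, which is easy to misorder if authorize later grows another optional parameter. Passing it by keyword, `subvolume.authorize(authid, accesslevel, tenant_id, allow_existing_id=allow_existing_id)`, reads better and is safer for future changes. The enclosing method starts outside this hunk.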
'name=auth_id,type=CephString '
'name=group_name,type=CephString,req=false '
'name=access_level,type=CephString,req=false '
- 'name=tenant_id,type=CephString,req=false ',
+ 'name=tenant_id,type=CephString,req=false '
+ 'name=allow_existing_id,type=CephBool,req=false ',
'desc': "Allow a cephx auth ID access to a subvolume",
'perm': 'rw'
},
auth_id=cmd['auth_id'],
group_name=cmd.get('group_name', None),
access_level=cmd.get('access_level', 'rw'),
- tenant_id=cmd.get('tenant_id', None))
+ tenant_id=cmd.get('tenant_id', None),
+ allow_existing_id=cmd.get('allow_existing_id', False))
@mgr_cmd_wrap
def _cmd_fs_subvolume_deauthorize(self, inbuf, cmd):
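Review bot: The new `allow_existing_id=cmd.get('allow_existing_id', False)` keeps the command's behaviour unchanged unless a caller opts in, which is the right default, but nothing in the commit exercises either value of the flag. A test that pre-creates a cephx ID outside the plugin and checks that `fs subvolume authorize` fails without the flag and succeeds with it would pin the contract described in the commit message; the user-facing docs for this command (not in view) presumably also need the new option listed. The same default is declared for the CLI in the `CephBool,req=false` spec earlier on this page.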