pybind/ceph_volume_client: Optionally authorize existing auth-ids
authorKotresh HR <khiremat@redhat.com>
Sun, 6 Dec 2020 07:10:20 +0000 (12:40 +0530)
committerPatrick Donnelly <pdonnell@redhat.com>
Wed, 16 Dec 2020 16:00:31 +0000 (08:00 -0800)
Optionally allow authorizing auth-ids not created by ceph_volume_client
via the option 'allow_existing_id'. This can help existing deployers
of manila to disallow/allow authorization of pre-created auth IDs
via a manila driver config that sets 'allow_existing_id' to False/True.

Fixes: https://tracker.ceph.com/issues/48555
Signed-off-by: Kotresh HR <khiremat@redhat.com>
(cherry picked from commit 77b42496e25cbd4af2e80a064ddf26221b53733f)

src/pybind/ceph_volume_client.py

index 33f6beabd18090ff49f21b455e2aaee9c845ab99..7f48a4660795faaebfeaf1ead615cb9ac26bd6d5 100644 (file)
@@ -961,7 +961,7 @@ class CephFSVolumeClient(object):
 
         return caps_list
 
-    def authorize(self, volume_path, auth_id, readonly=False, tenant_id=None):
+    def authorize(self, volume_path, auth_id, readonly=False, tenant_id=None, allow_existing_id=False):
         """
         Get-or-create a Ceph auth identity for `auth_id` and grant them access
         to
@@ -971,6 +971,8 @@ class CephFSVolumeClient(object):
         :param tenant_id: Optionally provide a stringizable object to
                           restrict any created cephx IDs to other callers
                           passing the same tenant ID.
+        :allow_existing_id: Optionally authorize existing auth-ids not
+                            created by ceph_volume_client
         :return:
         """
 
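Review bot: The new docstring field is written `:allow_existing_id:`, while the field above it is `:param tenant_id:`, so the two entries are inconsistent and doc tooling may not pick the new one up as a parameter; write `:param allow_existing_id:`. Since this flag relaxes an ownership check, the text should also state that the default `False` rejects auth IDs not created by ceph_volume_client and that `True` lets the call proceed for them. The docstring starts before this hunk and is only partly visible here.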
@@ -1002,7 +1004,7 @@ class CephFSVolumeClient(object):
             }
 
             if auth_meta is None:
-                if existing_caps is not None:
+                if not allow_existing_id and existing_caps is not None:
                     msg = "auth ID: {0} exists and not created by ceph_volume_client. Not allowed to modify".format(auth_id)
                     log.error(msg)
                     raise CephFSVolumeClientError(msg)
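Review bot: When `allow_existing_id` is true, the guard at `if not allow_existing_id and existing_caps is not None:` is skipped without any log entry, so nothing records that an auth ID ceph_volume_client did not create was accepted. I would add an audit line after the raise, still inside the `if auth_meta is None:` branch, for example `if existing_caps is not None:` followed by `log.warning("auth ID: {0} exists and not created by ceph_volume_client; authorizing because allow_existing_id is set".format(auth_id))`. The rest of `authorize` is outside this hunk, so what is then done with the pre-existing ID (caps changes, tenant stamping, key handling) cannot be confirmed from here. Callers should set the flag only where the requested auth ID comes from a trusted operator, because the ownership check it disables is the only one visible on this path.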