mgr/nfs: use bucket owner creds for rgw bucket export
authorSage Weil <sage@newdream.net>
Mon, 19 Jul 2021 17:46:38 +0000 (13:46 -0400)
committerSebastian Wagner <sewagner@redhat.com>
Thu, 9 Sep 2021 14:20:37 +0000 (16:20 +0200)
The bucket owner can always read/write to the bucket, so use those creds
for the export.  This is less complicated than setting up a dedicated
user anyway.

Signed-off-by: Sage Weil <sage@newdream.net>
(cherry picked from commit 7d2f7efe3fd36e88e5ba9469cc918c4e915b7e82)

src/pybind/mgr/nfs/export.py
src/pybind/mgr/nfs/tests/test_nfs.py

index 7724c63b99e9d8594b1039655130f402a2d5869a..44afe3dd3e7b8d7ee7a266659612304edb775ec2 100644 (file)
@@ -181,10 +181,8 @@ class ExportMgr:
             })
             log.info(f"Deleted export user {export.fsal.user_id}")
         elif isinstance(export.fsal, RGWFSAL):
-            assert export.fsal.user_id
-            uid = f'nfs.{export.cluster_id}.{export.path}'
-            self._exec(['radosgw-admin', 'user', 'rm', '--uid', uid])
-            log.info(f"Deleted export RGW user {uid}")
+            # do nothing; we're using the bucket owner creds.
+            pass
 
     def _create_export_user(self, export: Export) -> None:
         if isinstance(export.fsal, CephFSFSAL):
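Review bot: The RGW branch now does nothing, so a dedicated `nfs.<cluster_id>.<path>` user that an earlier version created for an export stays in place, with its keys still valid, after that export is deleted. This is inferred from the removed lines; no migration or cleanup is visible in this hunk. If that is intended, the comment should say so, e.g. `# Bucket-owner creds are used, so there is no per-export user to remove; users created by older versions are not cleaned up here.` Otherwise keep a best-effort removal of the legacy uid. The enclosing method starts above the hunk.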
@@ -205,16 +203,22 @@ class ExportMgr:
 
         elif isinstance(export.fsal, RGWFSAL):
             rgwfsal = cast(RGWFSAL, export.fsal)
-            rgwfsal.user_id = f'nfs.{export.cluster_id}.{export.path}'
-            ret, out, err = self._exec(['radosgw-admin', 'user', 'info', '--uid',
-                                        rgwfsal.user_id])
+            ret, out, err = self._exec(['radosgw-admin', 'bucket', 'stats', '--bucket',
+                                        export.path])
             if ret:
-                ret, out, err = self._exec(['radosgw-admin', 'user', 'create',
-                                            '--uid', rgwfsal.user_id,
-                                            '--display-name', rgwfsal.user_id])
-                if ret:
-                    raise NFSException(f'Failed to create user {rgwfsal.user_id}')
+                raise NFSException(f'Failed to fetch owner for bucket {export.path}')
             j = json.loads(out)
+            owner = j.get('owner', '')
+            rgwfsal.user_id = owner
+            ret, out, err = self._exec([
+                'radosgw-admin', 'user', 'info', '--uid', owner
+            ])
+            if ret:
+                raise NFSException(
+                    f'Failed to fetch key for bucket {export.path} owner {owner}'
+                )
+            j = json.loads(out)
+
             # FIXME: make this more tolerate of unexpected output?
             rgwfsal.access_key_id = j['keys'][0]['access_key']
             rgwfsal.secret_access_key = j['keys'][0]['secret_key']
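Review bot: `owner = j.get('owner', '')` lets a missing or empty owner fall through to `radosgw-admin user info --uid ''`, so the problem surfaces later as a misleading "Failed to fetch key" error; fail at the lookup instead with `if not owner: raise NFSException(f'Bucket {export.path} has no owner')`. The `j['keys'][0]` lookups under the FIXME still raise a bare KeyError or IndexError when the owner has no keys, and both `json.loads(out)` calls are unguarded against non-JSON output. Separately, copying the owner's access and secret key into the export means the stored credentials are valid for everything that user can reach, not only `export.path`. A comment recording that trade-off would help, noting that the export object and the generated config need to be protected accordingly. `_create_export_user` continues outside the hunk.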
index b0db0ced8170c35be29eca318489dc297028997b..dc50ec3db4c7a43644c9f830afcd757f45a504ac 100644 (file)
@@ -662,7 +662,6 @@ NFS_CORE_PARAM {
         assert export.protocols == [4, 3]
         assert export.transports == ["TCP", "UDP"]
         assert export.fsal.name == "RGW"
-        assert export.fsal.user_id == "nfs.foo.bucket"
         assert export.fsal.access_key_id == "the_access_key"
         assert export.fsal.secret_access_key == "the_secret_key"
         assert len(export.clients) == 1
@@ -706,7 +705,6 @@ NFS_CORE_PARAM {
         assert export.protocols == [4]
         assert export.transports == ["TCP"]
         assert export.fsal.name == "RGW"
-        assert export.fsal.user_id == "nfs.foo.newbucket"
         assert export.fsal.access_key_id == "the_access_key"
         assert export.fsal.secret_access_key == "the_secret_key"
         assert len(export.clients) == 1
@@ -749,7 +747,6 @@ NFS_CORE_PARAM {
         assert export.protocols == [4]
         assert export.transports == ["TCP"]
         assert export.fsal.name == "RGW"
-        assert export.fsal.user_id == "nfs.foo.newestbucket"
         assert export.fsal.access_key_id == "the_access_key"
         assert export.fsal.secret_access_key == "the_secret_key"
         assert len(export.clients) == 1
@@ -835,7 +832,6 @@ NFS_CORE_PARAM {
         assert export.protocols == [4]
         assert export.transports == ["TCP"]
         assert export.fsal.name == "RGW"
-        assert export.fsal.user_id == "nfs.foo.bucket"
         assert export.fsal.access_key_id == "the_access_key"
         assert export.fsal.secret_access_key == "the_secret_key"
         assert len(export.clients) == 1
@@ -852,7 +848,6 @@ NFS_CORE_PARAM {
         assert export.protocols == [4]
         assert export.transports == ["TCP"]
         assert export.fsal.name == "RGW"
-        assert export.fsal.user_id == "nfs.foo.bucket2"
         assert export.fsal.access_key_id == "the_access_key"
         assert export.fsal.secret_access_key == "the_secret_key"
         assert len(export.clients) == 1
@@ -914,7 +909,6 @@ NFS_CORE_PARAM {
         assert export.protocols == [4]
         assert export.transports == ["TCP"]
         assert export.fsal.name == "RGW"
-        assert export.fsal.user_id == "nfs.foo.bucket"
         assert export.fsal.access_key_id == "the_access_key"
         assert export.fsal.secret_access_key == "the_secret_key"
         assert len(export.clients) == 1