From: Kotresh HR
Date: Tue, 15 Dec 2020 12:12:25 +0000 (+0530)
Subject: mgr/volumes: Optionally authorize existing auth-ids
X-Git-Tag: v15.2.10~20^2~8
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=48ab77b8f304d67182d19d5e88b82c8997caf884;p=ceph.git

mgr/volumes: Optionally authorize existing auth-ids

Optionally allow authorizing auth-ids not created by mgr plugin via the option 'allow_existing_id'. This can help existing deployers of manila to disallow/allow authorization of pre-created auth IDs via a manila driver config that sets 'allow_existing_id' to False/True.

Fixes: https://tracker.ceph.com/issues/44931
Signed-off-by: Kotresh HR
(cherry picked from commit 713270d1869e2370b674b1a4bc6f6a37023a5917)
---
diff --git a/src/pybind/mgr/volumes/fs/operations/versions/subvolume_v1.py b/src/pybind/mgr/volumes/fs/operations/versions/subvolume_v1.py
index c75fd0d6ada1..fd803d641417 100644
--- a/src/pybind/mgr/volumes/fs/operations/versions/subvolume_v1.py
+++ b/src/pybind/mgr/volumes/fs/operations/versions/subvolume_v1.py
@@ -301,7 +301,7 @@ class SubvolumeV1(SubvolumeBase, SubvolumeTemplate):
         auth_meta['dirty'] = False
         self.auth_mdata_mgr.auth_metadata_set(auth_id, auth_meta)
 
-    def authorize(self, auth_id, access_level, tenant_id=None):
+    def authorize(self, auth_id, access_level, tenant_id=None, allow_existing_id=False):
         """
         Get-or-create a Ceph auth identity for `auth_id` and grant them access to
@@ -310,6 +310,8 @@ class SubvolumeV1(SubvolumeBase, SubvolumeTemplate):
         :param tenant_id: Optionally provide a stringizable object to restrict any created cephx IDs to other callers passing the same tenant ID.
+        :allow_existing_id: Optionally authorize existing auth-ids not
+                          created by ceph_volume_client.
         :return:
         """
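Review bot: The new docstring entry is written as `:allow_existing_id:` while the neighbouring entries use the `:param name:` form, and it does not say what the flag actually switches off. I would change it to `:param allow_existing_id: Also authorize an existing cephx ID that was not created by this plugin. True skips the ownership check, so the plugin adopts an identity whose caps may already be in use by other clients; only set it from a trusted caller.` (wrapped at the usual continuation indent). The text also says 'ceph_volume_client' where the EPERM message in the next hunk says 'mgr plugin'; one name for the owner would avoid confusion. The body of authorize continues outside this hunk.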
@@ -346,7 +348,7 @@ class SubvolumeV1(SubvolumeBase, SubvolumeTemplate):
         }
 
         if auth_meta is None:
-            if existing_caps is not None:
+            if not allow_existing_id and existing_caps is not None:
                 msg = "auth ID: {0} exists and not created by mgr plugin. Not allowed to modify".format(auth_id)
                 log.error(msg)
                 raise VolumeException(-errno.EPERM, msg)
diff --git a/src/pybind/mgr/volumes/fs/volume.py b/src/pybind/mgr/volumes/fs/volume.py
index 1567001ba38e..1f9a1ede7b00 100644
--- a/src/pybind/mgr/volumes/fs/volume.py
+++ b/src/pybind/mgr/volumes/fs/volume.py
@@ -214,12 +214,13 @@ class VolumeClient(object):
         groupname = kwargs['group_name']
         accesslevel = kwargs['access_level']
         tenant_id = kwargs['tenant_id']
+        allow_existing_id = kwargs['allow_existing_id']
 
         try:
             with open_volume(self, volname) as fs_handle:
                 with open_group(fs_handle, self.volspec, groupname) as group:
                     with open_subvol(self.mgr, fs_handle, self.volspec, group, subvolname, SubvolumeOpType.ALLOW_ACCESS) as subvolume:
-                        key = subvolume.authorize(authid, accesslevel, tenant_id)
+                        key = subvolume.authorize(authid, accesslevel, tenant_id, allow_existing_id)
                         ret = 0, key, ""
         except VolumeException as ve:
             ret = self.volume_exception_to_retval(ve)
diff --git a/src/pybind/mgr/volumes/module.py b/src/pybind/mgr/volumes/module.py
index eff40b6d0728..8f7f39b066f5 100644
--- a/src/pybind/mgr/volumes/module.py
+++ b/src/pybind/mgr/volumes/module.py
@@ -124,7 +124,8 @@ class Module(orchestrator.OrchestratorClientMixin, MgrModule):
                     'name=auth_id,type=CephString '
                     'name=group_name,type=CephString,req=false '
                     'name=access_level,type=CephString,req=false '
-                    'name=tenant_id,type=CephString,req=false ',
+                    'name=tenant_id,type=CephString,req=false '
+                    'name=allow_existing_id,type=CephBool,req=false ',
             'desc': "Allow a cephx auth ID access to a subvolume",
             'perm': 'rw'
         },
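Review bot: With `allow_existing_id` set, the `if not allow_existing_id and existing_caps is not None:` guard is simply skipped, so adopting a cephx ID the plugin did not create leaves nothing in the log — only the refusal path logs. Taking ownership of a foreign identity is a privilege-changing event (the rest of authorize presumably rewrites that entity's caps, but it lies outside this hunk), so I would record it before falling through: `elif existing_caps is not None: log.warning("auth ID: {0} exists and was not created by mgr plugin; authorizing anyway (allow_existing_id=True)".format(auth_id))`. Note also that on this path `auth_meta is None`, so there is no stored tenant to compare against and whatever `tenant_id` the first caller passes becomes the owner of the adopted ID; worth confirming against the metadata write later in authorize, which is outside the hunk.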
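Review bot: The new flag is appended to `subvolume.authorize(...)` as a fourth positional argument right after `tenant_id`, whose default is None; a bare positional bool at that position is easy to misplace, and `key = subvolume.authorize(authid, accesslevel, tenant_id, allow_existing_id=allow_existing_id)` keeps the call readable and robust to further parameters. Separately, `allow_existing_id = kwargs['allow_existing_id']` raises KeyError for any caller that omits the key; the module.py caller in this commit always supplies it, but if this method has other in-tree callers (not visible here) `kwargs.get('allow_existing_id', False)` would match the parameter's default in authorize. The enclosing method starts outside this hunk.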
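Review bot: The command descriptor gains `name=allow_existing_id,type=CephBool,req=false`, but the `desc` two lines below still describes the command as plainly granting access, so a CLI user has no hint that this option disables the "not created by mgr plugin" refusal. I would extend the existing `desc` line to `'desc': "Allow a cephx auth ID access to a subvolume; with allow_existing_id=true an auth ID not created by the mgr plugin is adopted instead of rejected"`. The descriptor dict starts outside this hunk.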
@@ -530,7 +531,8 @@ class Module(orchestrator.OrchestratorClientMixin, MgrModule):
             auth_id=cmd['auth_id'],
             group_name=cmd.get('group_name', None),
             access_level=cmd.get('access_level', 'rw'),
-            tenant_id=cmd.get('tenant_id', None))
+            tenant_id=cmd.get('tenant_id', None),
+            allow_existing_id=cmd.get('allow_existing_id', False))
 
     @mgr_cmd_wrap
     def _cmd_fs_subvolume_deauthorize(self, inbuf, cmd):