From: Jason Dillaman Date: Tue, 5 Jun 2018 19:40:44 +0000 (-0400) Subject: qa/workunits/rbd: test self-managed snapshot create/remove permissions X-Git-Tag: v12.2.6~2^2~1 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=76b03a265fecc07de2eb9d1d014444bb9e9a2887;p=ceph.git qa/workunits/rbd: test self-managed snapshot create/remove permissions Signed-off-by: Jason Dillaman (cherry picked from commit b12dd0bf419ae834abb31c712830fa9c4b5cda9c) (cherry picked from commit 37926b092dd1434e8fdca4620e86c0168aa26b24) Conflicts: qa/workunits/rbd/permissions.sh: use CEPH_KEYRING env variable
---
diff --git a/qa/workunits/rbd/permissions.sh b/qa/workunits/rbd/permissions.sh
index a435a67bb92c..fdf91bfc6c3a 100755
--- a/qa/workunits/rbd/permissions.sh
+++ b/qa/workunits/rbd/permissions.sh
@@ -23,11 +23,27 @@ recreate_pools() {
 delete_users() {
 (ceph auth del client.volumes || true) >/dev/null 2>&1
 (ceph auth del client.images || true) >/dev/null 2>&1
+
+ (ceph auth del client.snap_none || true) >/dev/null 2>&1
+ (ceph auth del client.snap_all || true) >/dev/null 2>&1
+ (ceph auth del client.snap_pool || true) >/dev/null 2>&1
+ (ceph auth del client.snap_profile_all || true) >/dev/null 2>&1
+ (ceph auth del client.snap_profile_pool || true) >/dev/null 2>&1
+
+ (ceph auth del client.mon_write || true) >/dev/null 2>&1
 }
 create_users() {
 ceph auth get-or-create client.volumes mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow r class-read pool images, allow rwx pool volumes' >> $KEYRING
 ceph auth get-or-create client.images mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool images' >> $KEYRING
+
+ ceph auth get-or-create client.snap_none mon 'allow r' >> $KEYRING
+ ceph auth get-or-create client.snap_all mon 'allow r' osd 'allow w' >> $KEYRING
+ ceph auth get-or-create client.snap_pool mon 'allow r' osd 'allow w pool=images' >> $KEYRING
+ ceph auth get-or-create client.snap_profile_all mon 'allow r' osd 'profile rbd' >> $KEYRING
+ ceph auth get-or-create client.snap_profile_pool mon 'allow r' osd 'profile rbd pool=images' >> $KEYRING
+
+ ceph auth get-or-create client.mon_write mon 'allow *' >> $KEYRING
 }
 expect() {
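Review bot: None of the users added in create_users holds read-only OSD caps, so the matrix never exercises the boundary between read and write access that a permission check on snapshot create/remove has to enforce; snap_none has no OSD caps at all and every other snap_* user can write. A user such as `ceph auth get-or-create client.snap_ro mon 'allow r' osd 'allow r pool=images' >> $KEYRING` (the name is only an example) would cover it, together with a matching `(ceph auth del client.snap_ro || true) >/dev/null 2>&1` in delete_users and `expect 1` create/remove cases for both pools. A `profile rbd-read-only` variant would do the same for the profile-based caps.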
@@ -126,9 +142,83 @@ test_volumes_access() { rbd -k $KEYRING --id volumes rm volumes/child } +create_self_managed_snapshot() { + ID=$1 + POOL=$2 + + cat << EOF | CEPH_KEYRING="$KEYRING" python +import rados + +cluster = rados.Rados(conffile="", rados_id="${ID}") +cluster.connect() +ioctx = cluster.open_ioctx("${POOL}") + +snap_id = ioctx.create_self_managed_snap() +print ("Created snap id {}".format(snap_id)) +EOF +} + +remove_self_managed_snapshot() { + ID=$1 + POOL=$2 + + cat << EOF | CEPH_KEYRING="$KEYRING" python +import rados + +cluster1 = rados.Rados(conffile="", rados_id="mon_write") +cluster1.connect() +ioctx1 = cluster1.open_ioctx("${POOL}") + +snap_id = ioctx1.create_self_managed_snap() +print ("Created snap id {}".format(snap_id)) + +cluster2 = rados.Rados(conffile="", rados_id="${ID}") +cluster2.connect() +ioctx2 = cluster2.open_ioctx("${POOL}") + +ioctx2.remove_self_managed_snap(snap_id) +print ("Removed snap id {}".format(snap_id)) +EOF +} + +test_remove_self_managed_snapshots() { + # Ensure users cannot create self-managed snapshots w/o permissions + expect 1 create_self_managed_snapshot snap_none images + expect 1 create_self_managed_snapshot snap_none volumes + + create_self_managed_snapshot snap_all images + create_self_managed_snapshot snap_all volumes + + create_self_managed_snapshot snap_pool images + expect 1 create_self_managed_snapshot snap_pool volumes + + create_self_managed_snapshot snap_profile_all images + create_self_managed_snapshot snap_profile_all volumes + + create_self_managed_snapshot snap_profile_pool images + expect 1 create_self_managed_snapshot snap_profile_pool volumes + + # Ensure users cannot delete self-managed snapshots w/o permissions + expect 1 remove_self_managed_snapshot snap_none images + expect 1 remove_self_managed_snapshot snap_none volumes + + remove_self_managed_snapshot snap_all images + remove_self_managed_snapshot snap_all volumes + + remove_self_managed_snapshot snap_pool images + expect 1 
remove_self_managed_snapshot snap_pool volumes + + remove_self_managed_snapshot snap_profile_all images + remove_self_managed_snapshot snap_profile_all volumes + + remove_self_managed_snapshot snap_profile_pool images + expect 1 remove_self_managed_snapshot snap_profile_pool volumes +} + cleanup() { rm -f $KEYRING } + KEYRING=$(mktemp) trap cleanup EXIT ERR HUP INT QUIT @@ -141,6 +231,8 @@ test_images_access recreate_pools test_volumes_access +test_remove_self_managed_snapshots + delete_pools delete_users
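Review bot: The negative cases `expect 1 remove_self_managed_snapshot ...` cannot tell a refused removal from a broken setup, because an uncaught Python exception exits with status 1 wherever it is raised; a failure while connecting as mon_write or creating the snapshot would satisfy the same expectation (assuming expect, whose body is outside this diff, compares the exit status with its first argument). Giving the setup phase its own exit status keeps `expect 1` tied to the step under test, and the same reasoning applies to the connect and open_ioctx calls in create_self_managed_snapshot. A removal that is correctly refused also leaves the snapshot created by mon_write in place, which is harmless only because delete_pools runs afterwards.

```shell
    cat << EOF | CEPH_KEYRING="$KEYRING" python
import sys
import rados

try:
    cluster1 = rados.Rados(conffile="", rados_id="mon_write")
    cluster1.connect()
    ioctx1 = cluster1.open_ioctx("${POOL}")
    snap_id = ioctx1.create_self_managed_snap()
except Exception as e:
    # a setup failure must not look like the denial that 'expect 1' asserts
    print ("Setup failed: {}".format(e))
    sys.exit(2)
print ("Created snap id {}".format(snap_id))

# ... unchanged: connect as ${ID}, open ioctx2, remove_self_managed_snap ...
```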