From: Jason Dillaman Date: Thu, 29 Jun 2017 01:42:41 +0000 (-0400) Subject: osd: new 'rbd'/'rbd-read-only' osd cap profiles X-Git-Tag: v12.1.2~162^2~7 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=90d41ab4b50203b058a74054f885855941bc583e;p=ceph.git osd: new 'rbd'/'rbd-read-only' osd cap profiles The 'rbd' profile provides read-only class access on all pools to the 'rbd_children' object and write access to the optionally specified pool. The 'rbd-read-only' profile does as its name implies. Signed-off-by: Jason Dillaman
---
diff --git a/src/osd/OSDCap.cc b/src/osd/OSDCap.cc
index c759ab76825d..68f3ba5379ed 100644
--- a/src/osd/OSDCap.cc
+++ b/src/osd/OSDCap.cc
@@ -245,6 +245,24 @@ void OSDCapGrant::expand_profile() const
 profile_grants.emplace_back(OSDCapMatch(profile.pool_namespace),
 OSDCapSpec(osd_rwxa_t(OSD_CAP_R | OSD_CAP_W)));
 }
+
+ if (profile.name == "rbd") {
+ // RBD read-write grant
+ profile_grants.emplace_back(OSDCapMatch("", "", "rbd_children"),
+ OSDCapSpec(osd_rwxa_t(OSD_CAP_CLS_R)));
+ profile_grants.emplace_back(OSDCapMatch("", "", "rbd_mirroring"),
+ OSDCapSpec(osd_rwxa_t(OSD_CAP_CLS_R)));
+ profile_grants.emplace_back(OSDCapMatch(profile.pool_namespace),
+ OSDCapSpec(osd_rwxa_t(OSD_CAP_R |
+ OSD_CAP_W |
+ OSD_CAP_X)));
+ }
+ if (profile.name == "rbd-read-only") {
+ // RBD read-only grant
+ profile_grants.emplace_back(OSDCapMatch(profile.pool_namespace),
+ OSDCapSpec(osd_rwxa_t(OSD_CAP_R |
+ OSD_CAP_CLS_R)));
+ }
 }
 
 bool OSDCap::allow_all() const
diff --git a/src/test/osd/osdcap.cc b/src/test/osd/osdcap.cc
index 7080bdeff334..7820a77a666a 100644
--- a/src/test/osd/osdcap.cc
+++ b/src/test/osd/osdcap.cc
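Review bot: The two `OSDCapMatch("", "", ...)` grants in the `rbd` branch of `OSDCapGrant::expand_profile()` (src/osd/OSDCap.cc) apply in every pool and namespace regardless of the `pool` given in the cap string, and the commit message accounts only for `rbd_children`, not `rbd_mirroring`. This is the one place where the profile steps outside its pool restriction, so it should carry a comment such as `// class-read on these objects in ALL pools, independent of profile.pool_namespace`, together with the reason each object needs it. If the third `OSDCapMatch` argument is matched as an object-name prefix rather than an exact name (worth confirming in OSDCap.h), the comment should say so, because the grant then covers any object whose name begins with those strings. The `rbd-read-only` branch has no such cross-pool grant; if that asymmetry is intended, a short comment there would record it. The function body begins before this hunk.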
@@ -1015,5 +1015,23 @@ TEST(OSDCap, AllowProfile) {
 ASSERT_FALSE(cap.is_capable("foo", "", 0, "asdf", true, true, {}));
 ASSERT_TRUE(cap.is_capable("foo", "", 0, "asdf", true, false, {}));
 ASSERT_TRUE(cap.is_capable("abc", "", 0, "asdf", false, true, {}));
+
+ // RBD
+ cap.grants.clear();
+ ASSERT_TRUE(cap.parse("allow profile rbd pool abc", NULL));
+ ASSERT_FALSE(cap.allow_all());
+ ASSERT_FALSE(cap.is_capable("foo", "", 0, "asdf", true, true, {}));
+ ASSERT_FALSE(cap.is_capable("foo", "", 0, "rbd_children", true, false, {}));
+ ASSERT_TRUE(cap.is_capable("foo", "", 0, "rbd_children", false, false,
+ {{"rbd", true, false, true}}));
+ ASSERT_TRUE(cap.is_capable("abc", "", 0, "asdf", true, true,
+ {{"rbd", true, true, true}}));
+
+ cap.grants.clear();
+ ASSERT_TRUE(cap.parse("allow profile rbd-read-only pool abc", NULL));
+ ASSERT_FALSE(cap.allow_all());
+ ASSERT_FALSE(cap.is_capable("foo", "", 0, "rbd_children", true, false, {}));
+ ASSERT_TRUE(cap.is_capable("abc", "", 0, "asdf", true, false,
+ {{"rbd", true, false, true}}));
 }
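Review bot: The new assertions in `TEST(OSDCap, AllowProfile)` never check what each profile must refuse beyond plain access in pool `foo`, and the `rbd_mirroring` grant is not exercised at all. For `rbd-read-only` the case that matters is a write to the restricted pool, e.g. `ASSERT_FALSE(cap.is_capable("abc", "", 0, "asdf", true, true, {}));`. For `rbd`, a class-write call on `rbd_children` outside the pool should be denied, e.g. `ASSERT_FALSE(cap.is_capable("foo", "", 0, "rbd_children", false, false, {{"rbd", true, true, true}}));`, assuming the second flag in the class tuple is the class-write bit, as the existing read-write case suggests. Without these negative cases, a later edit that widens either grant would still pass this test. The test body begins before this hunk.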