From: Ramana Raja
Date: Thu, 23 Jun 2016 17:52:12 +0000 (+0530)
Subject: ceph_volume_client: disallow tenants to share auth IDs
X-Git-Tag: v10.2.3~113^2~2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=a0ffc859f5763850342a165ec4c49b3b1e83bb95;p=ceph.git
ceph_volume_client: disallow tenants to share auth IDs
Restrict an auth ID to a single OpenStack tenant to enforce strong tenant isolation of shares.
Signed-off-by: Ramana Raja
(cherry picked from commit 82445a20a258a4c8800f273dc5f2484aace0e413)
---
diff --git a/src/pybind/ceph_volume_client.py b/src/pybind/ceph_volume_client.py
index 83a128367a99..7110aae01c6d 100644
--- a/src/pybind/ceph_volume_client.py
+++ b/src/pybind/ceph_volume_client.py
@@ -192,6 +192,13 @@ class EvictionError(Exception):
 pass
+class CephFSVolumeClientError(Exception):
+ """
+ Something went wrong talking to Ceph using CephFSVolumeClient.
+ """
+ pass
+
+
 class CephFSVolumeClient(object):
 """
 Combine libcephfs and librados interfaces to implement a
@@ -878,6 +885,12 @@ class CephFSVolumeClient(object):
 # have mon auth caps that prevent it from accessing those keys
 # (e.g. limit it to only access keys with a manila.* prefix)
 else:
+ # Disallow tenants to share auth IDs
+ if auth_meta['tenant_id'].__str__() != tenant_id.__str__():
+ msg = "auth ID: {0} is already in use".format(auth_id)
+ log.error(msg)
+ raise CephFSVolumeClientError(msg)
+
 if auth_meta['dirty']:
 self._recover_auth_meta(auth_id, auth_meta)
@@ -897,14 +910,9 @@ class CephFSVolumeClient(object):
 self._auth_metadata_set(auth_id, auth_meta)
 if tenant_id:
- if auth_meta['tenant_id'] == tenant_id.__str__():
- return {
- 'auth_key': key
- }
- else:
- return {
- 'auth_key': None
- }
+ return {
+ 'auth_key': key
+ }
 else:
 # Caller wasn't multi-tenant aware: be safe and don't give
 # them a key
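Review bot: The `pass` after the docstring in the new `CephFSVolumeClientError` class is redundant; a docstring is already a complete class body, so the class can end at the closing `"""`. Dropping it matches the usual Python convention and removes a line a reader may take for an unfinished placeholder. Since this exception becomes the client's generic "something went wrong" error, the docstring would also benefit from naming the first condition it covers, e.g. `Raised, for example, when an auth ID is requested by a tenant other than the one it was created for.`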
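Review bot: The mismatch check spells `str()` as `auth_meta['tenant_id'].__str__()` and `tenant_id.__str__()`; `if str(auth_meta['tenant_id']) != str(tenant_id):` is the idiomatic form and behaves the same for these values. Because it goes through `str()`, a caller that is not multi-tenant aware (`tenant_id` of None) compares the string "None" against the stored tenant, so an auth ID created by a tenant-aware caller now raises `CephFSVolumeClientError` here instead of reaching the later "be safe and don't give them a key" branch, and a stored tenant of None and an absent tenant compare equal by their string form; if both are intended, a comment such as `# A non-tenant caller may not reuse an auth ID owned by a tenant` would record that. The check sits before `_recover_auth_meta`, so a dirty record owned by another tenant is refused without being repaired, which looks right. The enclosing function starts and ends outside the hunk, so whether this read of `auth_meta` happens under the client's lock cannot be confirmed from here.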
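Review bot: The simplified `if tenant_id:` branch now returns `key` unconditionally and relies on the mismatch check added earlier in the function for an existing auth ID; for a freshly created auth ID the same invariant is presumably established in the branch above the visible `else:`, which cannot be confirmed from this hunk. A one-line comment above the return, `# tenant ownership of auth_id was verified above (or the ID is new)`, would keep that dependency visible to the next reader. The enclosing function starts and ends outside the hunk.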