From 634d0849a5539d71e4d1b9cdd326cfb002f3da0a Mon Sep 17 00:00:00 2001 From: Kotresh HR Date: Tue, 15 Dec 2020 17:31:54 +0530 Subject: [PATCH] mgr/volumes: Preserve existing caps while authorize/deauthorize auth-id Authorize/Deauthorize used to overwrite the caps of auth-id which would end up deleting existing caps. This patch fixes the same by retaining the existing caps by appending or deleting the new caps as needed. Fixes: https://tracker.ceph.com/issues/44931 Signed-off-by: Kotresh HR (cherry picked from commit 2dece3be081fe572455d6b634e38a663d1643dc8) --- .../mgr/volumes/fs/operations/access.py | 44 +++++++++++++------ 1 file changed, 31 insertions(+), 13 deletions(-) diff --git a/src/pybind/mgr/volumes/fs/operations/access.py b/src/pybind/mgr/volumes/fs/operations/access.py index 61585e704e990..158e21c2619bd 100644 --- a/src/pybind/mgr/volumes/fs/operations/access.py +++ b/src/pybind/mgr/volumes/fs/operations/access.py @@ -1,5 +1,27 @@ import errno import json +from typing import List + +def prepare_updated_caps_list(existing_caps, mds_cap_str, osd_cap_str, authorize=True): + caps_list = [] # type: List[str] + for k, v in existing_caps['caps'].items(): + if k == 'mds' or k == 'osd': + continue + elif k == 'mon': + if not authorize and v == 'allow r': + continue + caps_list.extend((k,v)) + + if mds_cap_str: + caps_list.extend(('mds', mds_cap_str)) + if osd_cap_str: + caps_list.extend(('osd', osd_cap_str)) + + if authorize and 'mon' not in caps_list: + caps_list.extend(('mon', 'allow r')) + + return caps_list + def allow_access(mgr, client_entity, want_mds_cap, want_osd_cap, unwanted_mds_cap, unwanted_osd_cap, existing_caps): 
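Review bot: In `prepare_updated_caps_list`, the deauthorize path (`authorize=False`) skips an existing `mon` cap equal to `allow r` unconditionally, and the closing `if authorize and 'mon' not in caps_list` never puts it back. When `mds_cap_str` or `osd_cap_str` is still non-empty, meaning the auth-id remains authorized for something else, the rewritten caps therefore appear to lose monitor read access, which the old code kept via `cap['caps'].get('mon', 'allow r')`. Consider dropping it only when nothing else is left to grant: `if not authorize and v == 'allow r' and not (mds_cap_str or osd_cap_str):`. Separately, `'mon' not in caps_list` scans a flat list that mixes entity names and cap strings; `'mon' not in existing_caps['caps']` tests the same thing against keys only. A short docstring should say that `mds`/`osd` are replaced by the passed strings and every other existing cap is carried over unchanged.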
@@ -19,8 +41,8 @@ def allow_access(mgr, client_entity, want_mds_cap, want_osd_cap, if not orig_mds_caps: return want_mds_cap, want_osd_cap - mds_cap_tokens = orig_mds_caps.split(",") - osd_cap_tokens = orig_osd_caps.split(",") + mds_cap_tokens = [x.strip() for x in orig_mds_caps.split(",")] + osd_cap_tokens = [x.strip() for x in orig_osd_caps.split(",")] if want_mds_cap in mds_cap_tokens: return orig_mds_caps, orig_osd_caps @@ -41,14 +63,12 @@ def allow_access(mgr, client_entity, want_mds_cap, want_osd_cap, orig_mds_caps, orig_osd_caps, want_mds_cap, want_osd_cap, unwanted_mds_cap, unwanted_osd_cap) + caps_list = prepare_updated_caps_list(cap, mds_cap_str, osd_cap_str) mgr.mon_command( { "prefix": "auth caps", 'entity': client_entity, - 'caps': [ - 'mds', mds_cap_str, - 'osd', osd_cap_str, - 'mon', cap['caps'].get('mon', 'allow r')], + 'caps': caps_list }) ret, out, err = mgr.mon_command( { @@ -86,8 +106,8 @@ def deny_access(mgr, client_entity, want_mds_caps, want_osd_caps): return def cap_remove(orig_mds_caps, orig_osd_caps, want_mds_caps, want_osd_caps): - mds_cap_tokens = orig_mds_caps.split(",") - osd_cap_tokens = orig_osd_caps.split(",") + mds_cap_tokens = [x.strip() for x in orig_mds_caps.split(",")] + osd_cap_tokens = [x.strip() for x in orig_osd_caps.split(",")] for want_mds_cap, want_osd_cap in zip(want_mds_caps, want_osd_caps): if want_mds_cap in mds_cap_tokens: @@ -103,7 +123,8 @@ def deny_access(mgr, client_entity, want_mds_caps, want_osd_caps): mds_cap_str, osd_cap_str = cap_remove(orig_mds_caps, orig_osd_caps, want_mds_caps, want_osd_caps) - if not mds_cap_str: + caps_list = prepare_updated_caps_list(cap, mds_cap_str, osd_cap_str, authorize=False) + if not caps_list: mgr.mon_command( { 'prefix': 'auth rm', 
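Review bot: The new comprehensions for `mds_cap_tokens` and `osd_cap_tokens` strip each token but keep empty ones, so an entity with an empty `osd` cap string yields `['']`, and the guard visible above them tests only `orig_mds_caps`. If the code below the hunk appends the wanted cap and joins the list (not visible here), the result would carry a leading comma into the cap string sent to the monitor. Filtering empties avoids that: `[x.strip() for x in orig_osd_caps.split(",") if x.strip()]`, and likewise for the `mds` line. The identical pair of lines in `cap_remove`, in the `deny_access` hunk further down, needs the same treatment. The enclosing helper starts and ends outside this hunk.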
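Review bot: The `auth caps` call that now sends `caps_list` still discards the result of `mgr.mon_command`, so a rejected caps update goes unnoticed and the function moves on to the next mon command as if the new capability set were in place. Because this call now rewrites the entity's whole capability list rather than three fixed entries, capture the result with `ret, out, err = mgr.mon_command({...})` and fail on a non-zero `ret` through the module's usual error path, which is not visible in this hunk. The `auth rm` and `auth caps` calls in the two `deny_access` hunks have the same shape and deserve the same check. The body of `allow_access` starts and ends outside the hunk.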
@@ -114,8 +135,5 @@ def deny_access(mgr, client_entity, want_mds_caps, want_osd_caps): { "prefix": "auth caps", 'entity': client_entity, - 'caps': [ - 'mds', mds_cap_str, - 'osd', osd_cap_str, - 'mon', cap['caps'].get('mon', 'allow r')], + 'caps': caps_list }) -- 2.39.5