From 713270d1869e2370b674b1a4bc6f6a37023a5917 Mon Sep 17 00:00:00 2001
From: Kotresh HR
Date: Tue, 15 Dec 2020 17:42:25 +0530
Subject: [PATCH] mgr/volumes: Optionally authorize existing auth-ids

Optionally allow authorizing auth-ids not created by mgr plugin via the option 'allow_existing_id'. This can help existing deployers of manila to disallow/allow authorization of pre-created auth IDs via a manila driver config that sets 'allow_existing_id' to False/True.

Fixes: https://tracker.ceph.com/issues/44931
Signed-off-by: Kotresh HR
---
 .../mgr/volumes/fs/operations/versions/subvolume_v1.py | 6 ++++--
 src/pybind/mgr/volumes/fs/volume.py | 3 ++-
 src/pybind/mgr/volumes/module.py | 6 ++++--
 3 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/src/pybind/mgr/volumes/fs/operations/versions/subvolume_v1.py b/src/pybind/mgr/volumes/fs/operations/versions/subvolume_v1.py
index 1857165dbed..50e9f0e032f 100644
--- a/src/pybind/mgr/volumes/fs/operations/versions/subvolume_v1.py
+++ b/src/pybind/mgr/volumes/fs/operations/versions/subvolume_v1.py
@@ -301,7 +301,7 @@ class SubvolumeV1(SubvolumeBase, SubvolumeTemplate):
 auth_meta['dirty'] = False
 self.auth_mdata_mgr.auth_metadata_set(auth_id, auth_meta)
- def authorize(self, auth_id, access_level, tenant_id=None):
+ def authorize(self, auth_id, access_level, tenant_id=None, allow_existing_id=False):
 """
 Get-or-create a Ceph auth identity for `auth_id` and grant them access to
@@ -310,6 +310,8 @@ class SubvolumeV1(SubvolumeBase, SubvolumeTemplate):
 :param tenant_id: Optionally provide a stringizable object to restrict any created cephx IDs to other callers passing the same tenant ID.
+ :allow_existing_id: Optionally authorize existing auth-ids not
+ created by ceph_volume_client.
 :return:
 """
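Review bot: The new docstring entry is tagged `:allow_existing_id:` while the neighbouring parameter on the same hunk uses `:param tenant_id:`, so it will not render as a parameter; it should read `:param allow_existing_id: ...`. The text also attributes pre-existing IDs to `ceph_volume_client`, whereas the guard's error message in the next hunk calls them IDs "not created by mgr plugin" — the docstring and the message should name the same thing. Since True lets the plugin act on a cephx ID it holds no metadata for (what happens to that ID's caps afterwards is outside the hunk, but presumably they are rewritten), the docstring should spell out the effect and the default, e.g. `:param allow_existing_id: If True, also authorize an auth ID that already exists but was not created by the mgr plugin; defaults to False.` The body of `authorize` continues past the end of this hunk.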
@@ -346,7 +348,7 @@ class SubvolumeV1(SubvolumeBase, SubvolumeTemplate):
 }
 if auth_meta is None:
- if existing_caps is not None:
+ if not allow_existing_id and existing_caps is not None:
 msg = "auth ID: {0} exists and not created by mgr plugin. Not allowed to modify".format(auth_id)
 log.error(msg)
 raise VolumeException(-errno.EPERM, msg)
diff --git a/src/pybind/mgr/volumes/fs/volume.py b/src/pybind/mgr/volumes/fs/volume.py
index a7461b471fe..9f82fa550dd 100644
--- a/src/pybind/mgr/volumes/fs/volume.py
+++ b/src/pybind/mgr/volumes/fs/volume.py
@@ -213,12 +213,13 @@ class VolumeClient(CephfsClient):
 groupname = kwargs['group_name']
 accesslevel = kwargs['access_level']
 tenant_id = kwargs['tenant_id']
+ allow_existing_id = kwargs['allow_existing_id']
 try:
 with open_volume(self, volname) as fs_handle:
 with open_group(fs_handle, self.volspec, groupname) as group:
 with open_subvol(self.mgr, fs_handle, self.volspec, group, subvolname, SubvolumeOpType.ALLOW_ACCESS) as subvolume:
- key = subvolume.authorize(authid, accesslevel, tenant_id)
+ key = subvolume.authorize(authid, accesslevel, tenant_id, allow_existing_id)
 ret = 0, key, ""
 except VolumeException as ve:
 ret = self.volume_exception_to_retval(ve)
diff --git a/src/pybind/mgr/volumes/module.py b/src/pybind/mgr/volumes/module.py
index 7c5155f4b6e..66d2c0e1d26 100644
--- a/src/pybind/mgr/volumes/module.py
+++ b/src/pybind/mgr/volumes/module.py
@@ -126,7 +126,8 @@ class Module(orchestrator.OrchestratorClientMixin, MgrModule):
 'name=auth_id,type=CephString '
 'name=group_name,type=CephString,req=false '
 'name=access_level,type=CephString,req=false '
- 'name=tenant_id,type=CephString,req=false ',
+ 'name=tenant_id,type=CephString,req=false '
+ 'name=allow_existing_id,type=CephBool,req=false ',
 'desc': "Allow a cephx auth ID access to a subvolume",
 'perm': 'rw'
 },
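Review bot: When `allow_existing_id` is True the rewritten guard skips the `existing_caps is not None` case silently, so the plugin's adoption of a cephx ID it never created leaves nothing in the mgr log, while the refusing path logs at error level. Add an `else` branch on the same `if` that records the adoption, e.g. `else: log.warning("auth ID: {0} exists and not created by mgr plugin; authorizing it because allow_existing_id is set".format(auth_id))`, so operators can audit which pre-existing keys the plugin has taken over. This flag is the only check visible here between a caller and a pre-existing ID's caps; whether later code restricts which existing IDs may be adopted is outside the hunk. `authorize` starts before and ends after this hunk.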
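Review bot: The new value is passed to `subvolume.authorize` as a bare fourth positional argument, which reads as one more opaque string next to `tenant_id`; passing it by keyword, `key = subvolume.authorize(authid, accesslevel, tenant_id, allow_existing_id=allow_existing_id)`, makes the permission-widening flag visible at the call site and is robust to future parameters being added to `authorize`. `kwargs['allow_existing_id']` follows the strict indexing used for the other keys, which is fine for the module.py caller in this commit, but any other caller of this method that does not pass the new key will now raise KeyError — if such callers exist, `kwargs.get('allow_existing_id', False)` keeps them working. The enclosing method starts outside the hunk.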
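Review bot: The command's `desc` still reads `"Allow a cephx auth ID access to a subvolume"` and gives no hint that the new `allow_existing_id` flag widens the command to cephx IDs the mgr plugin did not create, which is the part an operator needs to know before passing it. A short addition such as `'desc': "Allow a cephx auth ID access to a subvolume; allow_existing_id also accepts an auth ID not created by the mgr plugin"` makes the effect visible in the CLI help text, where the bare parameter name does not explain itself.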
@@ -532,7 +533,8 @@ class Module(orchestrator.OrchestratorClientMixin, MgrModule):
 auth_id=cmd['auth_id'],
 group_name=cmd.get('group_name', None),
 access_level=cmd.get('access_level', 'rw'),
- tenant_id=cmd.get('tenant_id', None))
+ tenant_id=cmd.get('tenant_id', None),
+ allow_existing_id=cmd.get('allow_existing_id', False))
 @mgr_cmd_wrap
 def _cmd_fs_subvolume_deauthorize(self, inbuf, cmd):
-- 
2.39.5