From a0ffc859f5763850342a165ec4c49b3b1e83bb95 Mon Sep 17 00:00:00 2001
From: Ramana Raja
Date: Thu, 23 Jun 2016 23:22:12 +0530
Subject: [PATCH] ceph_volume_client: disallow tenants to share auth IDs

Restrict an auth ID to a single OpenStack tenant to enforce strong tenant isolation of shares.

Signed-off-by: Ramana Raja
(cherry picked from commit 82445a20a258a4c8800f273dc5f2484aace0e413)
---
 src/pybind/ceph_volume_client.py | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/src/pybind/ceph_volume_client.py b/src/pybind/ceph_volume_client.py
index 83a128367a992..7110aae01c6d5 100644
--- a/src/pybind/ceph_volume_client.py
+++ b/src/pybind/ceph_volume_client.py
@@ -192,6 +192,13 @@ class EvictionError(Exception):
     pass
 
 
+class CephFSVolumeClientError(Exception):
+    """
+    Something went wrong talking to Ceph using CephFSVolumeClient.
+    """
+    pass
+
+
 class CephFSVolumeClient(object):
     """
     Combine libcephfs and librados interfaces to implement a
@@ -878,6 +885,12 @@ class CephFSVolumeClient(object):
             # have mon auth caps that prevent it from accessing those keys
             # (e.g. limit it to only access keys with a manila.* prefix)
         else:
+            # Disallow tenants to share auth IDs
+            if auth_meta['tenant_id'].__str__() != tenant_id.__str__():
+                msg = "auth ID: {0} is already in use".format(auth_id)
+                log.error(msg)
+                raise CephFSVolumeClientError(msg)
+
             if auth_meta['dirty']:
                 self._recover_auth_meta(auth_id, auth_meta)
 
@@ -897,14 +910,9 @@ class CephFSVolumeClient(object):
             self._auth_metadata_set(auth_id, auth_meta)
 
         if tenant_id:
-            if auth_meta['tenant_id'] == tenant_id.__str__():
-                return {
-                    'auth_key': key
-                }
-            else:
-                return {
-                    'auth_key': None
-                }
+            return {
+                'auth_key': key
+            }
         else:
             # Caller wasn't multi-tenant aware: be safe and don't give
             # them a key
-- 
2.39.5
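Review bot: The new tenant check in the second hunk's `else:` branch does not account for a caller that is not multi-tenant aware (the third hunk's retained `if tenant_id:` / "Caller wasn't multi-tenant aware" branch shows `tenant_id` can be falsy): with `tenant_id` as `None`, `tenant_id.__str__()` is `'None'`, so re-authorizing any auth ID whose stored metadata names a real tenant now raises `CephFSVolumeClientError` instead of reaching the "be safe and don't give them a key" path, and a stored `tenant_id` of `None` likewise blocks every tenant-aware caller afterwards — if that lock-out is intended it should be said in a comment, e.g. `# An auth ID recorded without a tenant, or requested without one, never matches a real tenant`. The enclosing method starts and ends outside both hunks, so its docstring is not visible here, but it should now document that `CephFSVolumeClientError` is raised when the auth ID is held by another tenant, since callers that previously received `{'auth_key': None}` from the lines the third hunk removes will now get an exception. The comparison reads more idiomatically as `if str(auth_meta['tenant_id']) != str(tenant_id):`, and `auth_meta.get('tenant_id')` would avoid a `KeyError` on metadata written before the field existed, if such metadata can exist — which I cannot tell from the hunk.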