
From 92e418ec44b35eedff728cc692a09bd001d0762e Mon Sep 17 00:00:00 2001
From: Markus Armbruster <armbru@redhat.com>
Date: Mon, 18 Jun 2018 08:43:29 +0200
Subject: [PATCH 22/54] rbd: New parameter auth-client-required
RH-Author: Markus Armbruster <armbru@redhat.com>
Message-id: <20180618084330.30009-23-armbru@redhat.com>
Patchwork-id: 80731
O-Subject: [RHEL-7.6 qemu-kvm-rhev PATCH 22/23] rbd: New parameter auth-client-required
Bugzilla: 1557995
RH-Acked-by: Max Reitz <mreitz@redhat.com>
RH-Acked-by: Jeffrey Cody <jcody@redhat.com>
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
Parameter auth-client-required lets you configure authentication
methods.  We tried to provide that in v2.9.0, but backed out due to
interface design doubts (commit 464444fcc16).
This commit is similar to what we backed out, but simpler: we use a
list of enumeration values instead of a list of objects with a member
of enumeration type.
Let's review our reasons for backing out the first try, as stated in
the commit message:
    * The implementation uses deprecated rados_conf_set() key
      "auth_supported".  No biggie.
Fixed: we use "auth-client-required".
    * The implementation makes -drive silently ignore invalid parameters
      "auth" and "auth-supported.*.X" where X isn't "auth".  Fixable (in
      fact I'm going to fix similar bugs around parameter server), so
      again no biggie.
That fix is commit 2836284db60.  This commit doesn't bring the bugs
back.
    * BlockdevOptionsRbd member @password-secret applies only to
      authentication method cephx.  Should it be a variant member of
      RbdAuthMethod?
We've had time to ponder, and we decided to stick to the way Ceph
configuration works: the key configured separately, and silently
ignored if the authentication method doesn't use it.
    * BlockdevOptionsRbd member @user could apply to both methods cephx
      and none, but I'm not sure it's actually used with none.  If it
      isn't, should it be a variant member of RbdAuthMethod?
Likewise.
    * The client offers a *set* of authentication methods, not a list.
      Should the methods be optional members of BlockdevOptionsRbd instead
      of members of list @auth-supported?  The latter begs the question
      what multiple entries for the same method mean.  Trivial question
      now that RbdAuthMethod contains nothing but @type, but less so when
      RbdAuthMethod acquires other members, such as the ones discussed above.
Again, we decided to stick to the way Ceph configuration works, except
we make auth-client-required a list of enumeration values instead of a
string containing keywords separated by delimiters.
    * How BlockdevOptionsRbd member @auth-supported interacts with
      settings from a configuration file specified with @conf is
      undocumented.  I suspect it's untested, too.
Not actually true, the documentation for @conf says "Values in the
configuration file will be overridden by options specified via QAPI",
and we've tested this.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit a3699de4dde82bc76b33a83798a9da82c2336cce)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 block/rbd.c          | 42 ++++++++++++++++++++++++++++++++----------
 qapi/block-core.json | 13 +++++++++++++
 2 files changed, 45 insertions(+), 10 deletions(-)
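--- a/block/rbd.c
+++ b/block/rbd.c
@@ -233,20 +233,42 @@ done:
 
 
 static int qemu_rbd_set_auth(rados_t cluster, const char *secretid,
+                             BlockdevOptionsRbd *opts,
                              Error **errp)
 {
-    if (secretid == 0) {
-        return 0;
-    }
+    char *acr;
+    int r;
+    GString *accu;
+    RbdAuthModeList *auth;
+
+    if (secretid) {
+        gchar *secret = qcrypto_secret_lookup_as_base64(secretid,
+                                                        errp);
+        if (!secret) {
+            return -1;
+        }
 
-    gchar *secret = qcrypto_secret_lookup_as_base64(secretid,
-                                                    errp);
-    if (!secret) {
-        return -1;
+        rados_conf_set(cluster, "key", secret);
+        g_free(secret);
     }
 
-    rados_conf_set(cluster, "key", secret);
-    g_free(secret);
+    if (opts->has_auth_client_required) {
+        accu = g_string_new("");
+        for (auth = opts->auth_client_required; auth; auth = auth->next) {
+            if (accu->str[0]) {
+                g_string_append_c(accu, ';');
+            }
+            g_string_append(accu, RbdAuthMode_str(auth->value));
+        }
+        acr = g_string_free(accu, FALSE);
+        r = rados_conf_set(cluster, "auth_client_required", acr);
+        g_free(acr);
+        if (r < 0) {
+            error_setg_errno(errp, -r,
+                             "Could not set 'auth_client_required'");
+            return r;
+        }
+    }
 
     return 0;
 }
@@ -578,7 +600,7 @@ static int qemu_rbd_connect(rados_t *cluster, rados_ioctx_t *io_ctx,
         }
     }
 
-    if (qemu_rbd_set_auth(*cluster, secretid, errp) < 0) {
+    if (qemu_rbd_set_auth(*cluster, secretid, opts, errp) < 0) {
         r = -EIO;
         goto failed_shutdown;
     }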
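Review bot: The return value of `rados_conf_set(cluster, "key", secret)` in the `if (secretid)` branch of qemu_rbd_set_auth is still discarded, while the new `auth_client_required` call a few lines below checks `r` and reports the failure through errp; a failed key install would therefore surface only later, as a less specific connection or authentication error, instead of failing fast with the same kind of message. Checking it the same way keeps the two settings consistent, and since qemu_rbd_connect already maps any negative return to `-EIO` the caller contract does not change. A secondary point, which predates this commit: `secret` holds base64 key material and is released with a plain `g_free()`, so if this file has access to a helper that zeroes before freeing it would be preferable here. The whole body of qemu_rbd_set_auth is visible within the first hunk.
```c
        r = rados_conf_set(cluster, "key", secret);
        g_free(secret);
        if (r < 0) {
            error_setg_errno(errp, -r, "Could not set 'key'");
            return r;
        }
    /* … unchanged: closing brace, auth_client_required assembly, return 0 … */
```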
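--- a/qapi/block-core.json
+++ b/qapi/block-core.json
@@ -3170,6 +3170,14 @@
 
 
 ##
+# @RbdAuthMode:
+#
+# Since: 3.0
+##
+{ 'enum': 'RbdAuthMode',
+  'data': [ 'cephx', 'none' ] }
+
+##
 # @BlockdevOptionsRbd:
 #
 # @pool:               Ceph pool name.
@@ -3184,6 +3192,10 @@
 #
 # @user:               Ceph id name.
 #
+# @auth-client-required: Acceptable authentication modes.
+#                      This maps to Ceph configuration option
+#                      "auth_client_required".  (Since 3.0)
+#
 # @server:             Monitor host address and port.  This maps
 #                      to the "mon_host" Ceph option.
 #
@@ -3195,6 +3207,7 @@
             '*conf': 'str',
             '*snapshot': 'str',
             '*user': 'str',
+            '*auth-client-required': ['RbdAuthMode'],
             '*server': ['InetSocketAddressBase'] } }
 
 ##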
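Review bot: The new `@RbdAuthMode` doc block in the first hunk carries only a `Since:` tag and describes neither member, so a reader of the schema cannot tell what `cephx` and `none` select. I would add `# @cephx: cephx authentication` and `# @none: no authentication` between the `@RbdAuthMode:` line and `Since:`, with the exact wording confirmed against Ceph's definition of these modes. The `@auth-client-required` description in the second hunk could also state what the commit message explains but the schema does not: that `@password-secret` and `@user` are configured independently and are silently ignored by a mode that does not use them, so a user picking `none` is not surprised that the secret goes unused.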
-- 
1.8.3.1