From 92e418ec44b35eedff728cc692a09bd001d0762e Mon Sep 17 00:00:00 2001
From: Markus Armbruster <armbru@redhat.com>
Date: Mon, 18 Jun 2018 08:43:29 +0200
Subject: [PATCH 22/54] rbd: New parameter auth-client-required
RH-Author: Markus Armbruster <armbru@redhat.com>
Message-id: <20180618084330.30009-23-armbru@redhat.com>
Patchwork-id: 80731
O-Subject: [RHEL-7.6 qemu-kvm-rhev PATCH 22/23] rbd: New parameter auth-client-required
Bugzilla: 1557995
RH-Acked-by: Max Reitz <mreitz@redhat.com>
RH-Acked-by: Jeffrey Cody <jcody@redhat.com>
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
Parameter auth-client-required lets you configure authentication
methods. We tried to provide that in v2.9.0, but backed out due to
interface design doubts (commit 464444fcc16).
This commit is similar to what we backed out, but simpler: we use a
list of enumeration values instead of a list of objects with a member
of enumeration type.
Let's review our reasons for backing out the first try, as stated in
the commit message:
* The implementation uses deprecated rados_conf_set() key
"auth_supported". No biggie.
Fixed: we use "auth-client-required".
* The implementation makes -drive silently ignore invalid parameters
"auth" and "auth-supported.*.X" where X isn't "auth". Fixable (in
fact I'm going to fix similar bugs around parameter server), so
again no biggie.
That fix is commit 2836284db60. This commit doesn't bring the bugs
back.
* BlockdevOptionsRbd member @password-secret applies only to
authentication method cephx. Should it be a variant member of
RbdAuthMethod?
We've had time to ponder, and we decided to stick to the way Ceph
configuration works: the key configured separately, and silently
ignored if the authentication method doesn't use it.
* BlockdevOptionsRbd member @user could apply to both methods cephx
and none, but I'm not sure it's actually used with none. If it
isn't, should it be a variant member of RbdAuthMethod?
Likewise.
* The client offers a *set* of authentication methods, not a list.
Should the methods be optional members of BlockdevOptionsRbd instead
of members of list @auth-supported? The latter begs the question
what multiple entries for the same method mean. Trivial question
now that RbdAuthMethod contains nothing but @type, but less so when
RbdAuthMethod acquires other members, such as the ones discussed above.
Again, we decided to stick to the way Ceph configuration works, except
we make auth-client-required a list of enumeration values instead of a
string containing keywords separated by delimiters.
* How BlockdevOptionsRbd member @auth-supported interacts with
settings from a configuration file specified with @conf is
undocumented. I suspect it's untested, too.
Not actually true, the documentation for @conf says "Values in the
configuration file will be overridden by options specified via QAPI",
and we've tested this.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit a3699de4dde82bc76b33a83798a9da82c2336cce)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
block/rbd.c | 42 ++++++++++++++++++++++++++++++++----------
qapi/block-core.json | 13 +++++++++++++
2 files changed, 45 insertions(+), 10 deletions(-)
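--- a/block/rbd.c
+++ b/block/rbd.c
@@ -233,20 +233,42 @@ done:
 
 
 static int qemu_rbd_set_auth(rados_t cluster, const char *secretid,
+ BlockdevOptionsRbd *opts,
 Error **errp)
 {
- if (secretid == 0) {
- return 0;
- }
+ char *acr;
+ int r;
+ GString *accu;
+ RbdAuthModeList *auth;
+
+ if (secretid) {
+ gchar *secret = qcrypto_secret_lookup_as_base64(secretid,
+ errp);
+ if (!secret) {
+ return -1;
+ }
 
- gchar *secret = qcrypto_secret_lookup_as_base64(secretid,
- errp);
- if (!secret) {
- return -1;
+ rados_conf_set(cluster, "key", secret);
+ g_free(secret);
 }
 
- rados_conf_set(cluster, "key", secret);
- g_free(secret);
+ if (opts->has_auth_client_required) {
+ accu = g_string_new("");
+ for (auth = opts->auth_client_required; auth; auth = auth->next) {
+ if (accu->str[0]) {
+ g_string_append_c(accu, ';');
+ }
+ g_string_append(accu, RbdAuthMode_str(auth->value));
+ }
+ acr = g_string_free(accu, FALSE);
+ r = rados_conf_set(cluster, "auth_client_required", acr);
+ g_free(acr);
+ if (r < 0) {
+ error_setg_errno(errp, -r,
+ "Could not set 'auth_client_required'");
+ return r;
+ }
+ }
 
 return 0;
 }
@@ -578,7 +600,7 @@ static int qemu_rbd_connect(rados_t *cluster, rados_ioctx_t *io_ctx,
 }
 }
 
- if (qemu_rbd_set_auth(*cluster, secretid, errp) < 0) {
+ if (qemu_rbd_set_auth(*cluster, secretid, opts, errp) < 0) {
 r = -EIO;
 goto failed_shutdown;
 }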
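Review bot: `rados_conf_set(cluster, "key", secret)` inside the new `if (secretid)` branch still discards its return value, whereas the `auth_client_required` call added right below checks it and reports through errp; a failure to install the key is therefore not surfaced here and the function still reaches `return 0`, so the caller presumably only learns of the problem later from a less specific connect error. Handling both settings the same way would be `r = rados_conf_set(cluster, "key", secret);` before the `g_free(secret);`, followed by `if (r < 0) { error_setg_errno(errp, -r, "Could not set 'key'"); return r; }`. The decoded key is also released with plain `g_free` without being cleared first, so the secret material stays in freed heap memory until reused; if the file already has a helper for wiping secret buffers, using it here is cheap. qemu_rbd_set_auth lies entirely within this hunk; the second hunk's qemu_rbd_connect does not.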
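--- a/qapi/block-core.json
+++ b/qapi/block-core.json
@@ -3170,6 +3170,14 @@
 
 
 ##
+# @RbdAuthMode:
+#
+# Since: 3.0
+##
+{ 'enum': 'RbdAuthMode',
+ 'data': [ 'cephx', 'none' ] }
+
+##
 # @BlockdevOptionsRbd:
 #
 # @pool: Ceph pool name.
@@ -3184,6 +3192,10 @@
 #
 # @user: Ceph id name.
 #
+# @auth-client-required: Acceptable authentication modes.
+# This maps to Ceph configuration option
+# "auth_client_required". (Since 3.0)
+#
 # @server: Monitor host address and port. This maps
 # to the "mon_host" Ceph option.
 #
@@ -3195,6 +3207,7 @@
 '*conf': 'str',
 '*snapshot': 'str',
 '*user': 'str',
+ '*auth-client-required': ['RbdAuthMode'],
 '*server': ['InetSocketAddressBase'] } }
 
 ##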
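Review bot: The new `RbdAuthMode` doc block in the first hunk declares the enum without describing either member, which the QAPI doc convention does for each value; `# @cephx: authenticate with the cephx protocol` and `# @none: no authentication` between `# @RbdAuthMode:` and `# Since: 3.0` would close that gap. The `@auth-client-required` description in the second hunk could also say that the entries are passed to Ceph in the order given (the C side joins them with `;` as listed) and that including `none` appears to permit a session without cephx authentication, which is the kind of consequence an operator reading only this schema would want spelled out; I have not verified how Ceph interprets the order, so phrase that part carefully.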
--
1.8.3.1