
From 92e418ec44b35eedff728cc692a09bd001d0762e Mon Sep 17 00:00:00 2001
From: Markus Armbruster <armbru@redhat.com>
Date: Mon, 18 Jun 2018 08:43:29 +0200
Subject: [PATCH 22/54] rbd: New parameter auth-client-required
357786
RH-Author: Markus Armbruster <armbru@redhat.com>
357786
Message-id: <20180618084330.30009-23-armbru@redhat.com>
357786
Patchwork-id: 80731
357786
O-Subject: [RHEL-7.6 qemu-kvm-rhev PATCH 22/23] rbd: New parameter auth-client-required
357786
Bugzilla: 1557995
357786
RH-Acked-by: Max Reitz <mreitz@redhat.com>
357786
RH-Acked-by: Jeffrey Cody <jcody@redhat.com>
357786
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
357786
Parameter auth-client-required lets you configure authentication
methods.  We tried to provide that in v2.9.0, but backed out due to
interface design doubts (commit 464444fcc16).
357786
This commit is similar to what we backed out, but simpler: we use a
357786
list of enumeration values instead of a list of objects with a member
357786
of enumeration type.
357786
Let's review our reasons for backing out the first try, as stated in
the commit message:
357786
    * The implementation uses deprecated rados_conf_set() key
357786
      "auth_supported".  No biggie.
357786
Fixed: we use "auth-client-required".
357786
    * The implementation makes -drive silently ignore invalid parameters
357786
      "auth" and "auth-supported.*.X" where X isn't "auth".  Fixable (in
357786
      fact I'm going to fix similar bugs around parameter server), so
357786
      again no biggie.
357786
That fix is commit 2836284db60.  This commit doesn't bring the bugs
back.
357786
    * BlockdevOptionsRbd member @password-secret applies only to
357786
      authentication method cephx.  Should it be a variant member of
357786
      RbdAuthMethod?
357786
We've had time to ponder, and we decided to stick to the way Ceph
configuration works: the key configured separately, and silently
ignored if the authentication method doesn't use it.
357786
    * BlockdevOptionsRbd member @user could apply to both methods cephx
357786
      and none, but I'm not sure it's actually used with none.  If it
357786
      isn't, should it be a variant member of RbdAuthMethod?
357786
Likewise.
357786
    * The client offers a *set* of authentication methods, not a list.
357786
      Should the methods be optional members of BlockdevOptionsRbd instead
357786
      of members of list @auth-supported?  The latter begs the question
357786
      what multiple entries for the same method mean.  Trivial question
357786
      now that RbdAuthMethod contains nothing but @type, but less so when
357786
      RbdAuthMethod acquires other members, such as the ones discussed above.
357786
Again, we decided to stick to the way Ceph configuration works, except
we make auth-client-required a list of enumeration values instead of a
string containing keywords separated by delimiters.
357786
    * How BlockdevOptionsRbd member @auth-supported interacts with
357786
      settings from a configuration file specified with @conf is
357786
      undocumented.  I suspect it's untested, too.
357786
Not actually true, the documentation for @conf says "Values in the
configuration file will be overridden by options specified via QAPI",
and we've tested this.
357786
Signed-off-by: Markus Armbruster <armbru@redhat.com>
357786
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
357786
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
357786
(cherry picked from commit a3699de4dde82bc76b33a83798a9da82c2336cce)
357786
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
357786
---
357786
 block/rbd.c          | 42 ++++++++++++++++++++++++++++++++----------
357786
 qapi/block-core.json | 13 +++++++++++++
357786
 2 files changed, 45 insertions(+), 10 deletions(-)
357786
diff --git a/block/rbd.c b/block/rbd.c
index c834d72..9c0903f 100644
--- a/block/rbd.c
+++ b/block/rbd.c
@@ -233,20 +233,42 @@ done:
 
 
 static int qemu_rbd_set_auth(rados_t cluster, const char *secretid,
+                             BlockdevOptionsRbd *opts,
                              Error **errp)
 {
-    if (secretid == 0) {
-        return 0;
-    }
+    char *acr;
+    int r;
+    GString *accu;
+    RbdAuthModeList *auth;
+
+    if (secretid) {
+        gchar *secret = qcrypto_secret_lookup_as_base64(secretid,
+                                                        errp);
+        if (!secret) {
+            return -1;
+        }
 
-    gchar *secret = qcrypto_secret_lookup_as_base64(secretid,
-                                                    errp);
-    if (!secret) {
-        return -1;
+        rados_conf_set(cluster, "key", secret);
+        g_free(secret);
     }
 
-    rados_conf_set(cluster, "key", secret);
-    g_free(secret);
+    if (opts->has_auth_client_required) {
+        accu = g_string_new("");
+        for (auth = opts->auth_client_required; auth; auth = auth->next) {
+            if (accu->str[0]) {
+                g_string_append_c(accu, ';');
+            }
+            g_string_append(accu, RbdAuthMode_str(auth->value));
+        }
+        acr = g_string_free(accu, FALSE);
+        r = rados_conf_set(cluster, "auth_client_required", acr);
+        g_free(acr);
+        if (r < 0) {
+            error_setg_errno(errp, -r,
+                             "Could not set 'auth_client_required'");
+            return r;
+        }
+    }
 
     return 0;
 }
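Review bot: The return value of `rados_conf_set(cluster, "key", secret)` is still discarded, while the new `auth_client_required` call a few lines below checks `r` and reports through `errp`; a rejected key therefore surfaces only later as an opaque connect or authentication failure, whereas a rejected auth mode list is diagnosed immediately. Handling both calls the same way keeps the function's error contract uniform and makes a misconfigured secret visible at the point it is applied. Two smaller points: when `auth-client-required` is present but the list is empty, `accu->str` stays "" and an empty string is handed to librados — whether that means "no method" or "library default" is not visible here, so either reject the empty list or state the intent in a comment; and `secret` holds key material that is freed without being cleared, which predates this patch but is worth clearing before `g_free` if a wiping helper is available.
```c
    if (secretid) {
        gchar *secret = qcrypto_secret_lookup_as_base64(secretid, errp);
        if (!secret) {
            return -1;
        }

        r = rados_conf_set(cluster, "key", secret);
        g_free(secret);
        if (r < 0) {
            error_setg_errno(errp, -r, "Could not set 'key'");
            return r;
        }
    }
    /* … unchanged: auth_client_required handling … */
```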
@@ -578,7 +600,7 @@ static int qemu_rbd_connect(rados_t *cluster, rados_ioctx_t *io_ctx,
         }
     }
 
-    if (qemu_rbd_set_auth(*cluster, secretid, errp) < 0) {
+    if (qemu_rbd_set_auth(*cluster, secretid, opts, errp) < 0) {
         r = -EIO;
         goto failed_shutdown;
     }
diff --git a/qapi/block-core.json b/qapi/block-core.json
index b38d5d6..28001fb 100644
--- a/qapi/block-core.json
+++ b/qapi/block-core.json
@@ -3170,6 +3170,14 @@
 
 
 ##
+# @RbdAuthMode:
+#
+# Since: 3.0
+##
+{ 'enum': 'RbdAuthMode',
+  'data': [ 'cephx', 'none' ] }
+
+##
 # @BlockdevOptionsRbd:
 #
 # @pool:               Ceph pool name.
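Review bot: The new `RbdAuthMode` enum block carries only a `Since:` tag and no description of its members, so a schema reader has to guess what `cephx` and `none` select; other enums in this file document each value. I would add, under `# @RbdAuthMode:`, the lines `# @cephx: the cephx authentication protocol` and `# @none: no client authentication`, plus one sentence noting that this enum is the element type of `BlockdevOptionsRbd` member `auth-client-required`.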
@@ -3184,6 +3192,10 @@
 #
 # @user:               Ceph id name.
 #
+# @auth-client-required: Acceptable authentication modes.
+#                      This maps to Ceph configuration option
+#                      "auth_client_required".  (Since 3.0)
+#
 # @server:             Monitor host address and port.  This maps
 #                      to the "mon_host" Ceph option.
 #
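Review bot: The `@auth-client-required` description says the list maps to Ceph's `auth_client_required` but not how: the rbd.c side joins the entries with ';' in list order, and whether that order expresses preference is a Ceph-side detail the reader cannot infer from this text. I would extend the entry with `#                      The modes are passed to Ceph in list order,` and `#                      separated by ';'; when omitted, the Ceph default applies.`, hedging the "omitted" half against what the library actually does when the option is not set. The meaning of an empty list is likewise undocumented and is worth a sentence here or a rejection in the driver.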
@@ -3195,6 +3207,7 @@
             '*conf': 'str',
             '*snapshot': 'str',
             '*user': 'str',
+            '*auth-client-required': ['RbdAuthMode'],
             '*server': ['InetSocketAddressBase'] } }
 
 ##
-- 
1.8.3.1