Blame SOURCES/kvm-rbd-New-parameter-key-secret.patch

357786
From c4b9fcd4bf4179a565e2f10d4c93ef6801007270 Mon Sep 17 00:00:00 2001
357786
From: Markus Armbruster <armbru@redhat.com>
357786
Date: Mon, 18 Jun 2018 08:43:30 +0200
357786
Subject: [PATCH 23/54] rbd: New parameter key-secret
357786
357786
RH-Author: Markus Armbruster <armbru@redhat.com>
357786
Message-id: <20180618084330.30009-24-armbru@redhat.com>
357786
Patchwork-id: 80727
357786
O-Subject: [RHEL-7.6 qemu-kvm-rhev PATCH 23/23] rbd: New parameter key-secret
357786
Bugzilla: 1557995
357786
RH-Acked-by: Max Reitz <mreitz@redhat.com>
357786
RH-Acked-by: Jeffrey Cody <jcody@redhat.com>
357786
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
357786
357786
Legacy -drive supports "password-secret" parameter that isn't
357786
available with -blockdev / blockdev-add.  That's because we backed out
357786
our first try to provide it there due to interface design doubts, in
357786
commit 577d8c9a811, v2.9.0.
357786
357786
This is the second try.  It brings back the parameter, except it's
357786
named "key-secret" now.
357786
357786
Let's review our reasons for backing out the first try, as stated in
357786
the commit message:
357786
357786
    * BlockdevOptionsRbd member @password-secret isn't actually a
357786
      password, it's a key generated by Ceph.
357786
357786
Addressed by the rename.
357786
357786
    * We're not sure where member @password-secret belongs (see the
357786
      previous commit).
357786
357786
See previous commit.
357786
357786
    * How @password-secret interacts with settings from a configuration
357786
      file specified with @conf is undocumented.
357786
357786
Not actually true, the documentation for @conf says "Values in the
357786
configuration file will be overridden by options specified via QAPI",
357786
and we've tested this.
357786
357786
Signed-off-by: Markus Armbruster <armbru@redhat.com>
357786
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
357786
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
357786
(cherry picked from commit d083f954a95d37b460df0c2fbfe46ad7eb207b10)
357786
[Conflict due to lack of commit e8e16d4baff "rbd: Switch to byte-based
357786
callbacks" trivially resolved]
357786
357786
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
357786
---
357786
 block/rbd.c          | 41 +++++++++++++++++++++++++----------------
357786
 qapi/block-core.json |  6 ++++++
357786
 2 files changed, 31 insertions(+), 16 deletions(-)
357786
357786
diff --git a/block/rbd.c b/block/rbd.c
357786
index 9c0903f..3242bcd 100644
357786
--- a/block/rbd.c
357786
+++ b/block/rbd.c
357786
@@ -232,24 +232,25 @@ done:
357786
 }
357786
 
357786
 
357786
-static int qemu_rbd_set_auth(rados_t cluster, const char *secretid,
357786
-                             BlockdevOptionsRbd *opts,
357786
+static int qemu_rbd_set_auth(rados_t cluster, BlockdevOptionsRbd *opts,
357786
                              Error **errp)
357786
 {
357786
-    char *acr;
357786
+    char *key, *acr;
357786
     int r;
357786
     GString *accu;
357786
     RbdAuthModeList *auth;
357786
 
357786
-    if (secretid) {
357786
-        gchar *secret = qcrypto_secret_lookup_as_base64(secretid,
357786
-                                                        errp);
357786
-        if (!secret) {
357786
-            return -1;
357786
+    if (opts->key_secret) {
357786
+        key = qcrypto_secret_lookup_as_base64(opts->key_secret, errp);
357786
+        if (!key) {
357786
+            return -EIO;
357786
+        }
357786
+        r = rados_conf_set(cluster, "key", key);
357786
+        g_free(key);
357786
+        if (r < 0) {
357786
+            error_setg_errno(errp, -r, "Could not set 'key'");
357786
+            return r;
357786
         }
357786
-
357786
-        rados_conf_set(cluster, "key", secret);
357786
-        g_free(secret);
357786
     }
357786
 
357786
     if (opts->has_auth_client_required) {
357786
@@ -360,9 +361,7 @@ static QemuOptsList runtime_opts = {
357786
     },
357786
 };
357786
 
357786
-/* FIXME Deprecate and remove keypairs or make it available in QMP.
357786
- * password_secret should eventually be configurable in opts->location. Support
357786
- * for it in .bdrv_open will make it work here as well. */
357786
+/* FIXME Deprecate and remove keypairs or make it available in QMP. */
357786
 static int qemu_rbd_do_create(BlockdevCreateOptions *options,
357786
                               const char *keypairs, const char *password_secret,
357786
                               Error **errp)
357786
@@ -568,6 +567,16 @@ static int qemu_rbd_connect(rados_t *cluster, rados_ioctx_t *io_ctx,
357786
     Error *local_err = NULL;
357786
     int r;
357786
 
357786
+    if (secretid) {
357786
+        if (opts->key_secret) {
357786
+            error_setg(errp,
357786
+                       "Legacy 'password-secret' clashes with 'key-secret'");
357786
+            return -EINVAL;
357786
+        }
357786
+        opts->key_secret = g_strdup(secretid);
357786
+        opts->has_key_secret = true;
357786
+    }
357786
+
357786
     mon_host = qemu_rbd_mon_host(opts, &local_err);
357786
     if (local_err) {
357786
         error_propagate(errp, local_err);
357786
@@ -600,8 +609,8 @@ static int qemu_rbd_connect(rados_t *cluster, rados_ioctx_t *io_ctx,
357786
         }
357786
     }
357786
 
357786
-    if (qemu_rbd_set_auth(*cluster, secretid, opts, errp) < 0) {
357786
-        r = -EIO;
357786
+    r = qemu_rbd_set_auth(*cluster, opts, errp);
357786
+    if (r < 0) {
357786
         goto failed_shutdown;
357786
     }
357786
 
357786
diff --git a/qapi/block-core.json b/qapi/block-core.json
357786
index 28001fb..46469be 100644
357786
--- a/qapi/block-core.json
357786
+++ b/qapi/block-core.json
357786
@@ -3196,6 +3196,11 @@
357786
 #                      This maps to Ceph configuration option
357786
 #                      "auth_client_required".  (Since 3.0)
357786
 #
357786
+# @key-secret:         ID of a QCryptoSecret object providing a key
357786
+#                      for cephx authentication.
357786
+#                      This maps to Ceph configuration option
357786
+#                      "key".  (Since 3.0)
357786
+#
357786
 # @server:             Monitor host address and port.  This maps
357786
 #                      to the "mon_host" Ceph option.
357786
 #
357786
@@ -3208,6 +3213,7 @@
357786
             '*snapshot': 'str',
357786
             '*user': 'str',
357786
             '*auth-client-required': ['RbdAuthMode'],
357786
+            '*key-secret': 'str',
357786
             '*server': ['InetSocketAddressBase'] } }
357786
 
357786
 ##
357786
-- 
357786
1.8.3.1
357786