Allow local rbd user and secret_uuid configuration

By default, the rbd_user and rbd_secret_uuid are specified in the
nova-volume/cinder configuration and passed to nova-compute when
volumes are attached to instances.

This change allows these values to be specified locally in
nova-compute which means access control to RADOS devices in ceph
can be managed independently from nova-volume/cinder with no
requirement for consistent uuid's for libvirt secrets.

Fixes bug 1065883.

Change-Id: I9f07d040ae267bfbe8f794a5d22d327106314cc6

nova/tests/test_libvirt.py

@@ -299,6 +299,38 @@ def test_libvirt_rbd_driver_auth_enabled(self):
         libvirt_driver.disconnect_volume(connection_info, mount_device)
         connection_info = vol_driver.terminate_connection(vol, self.connr)
 
+    def test_libvirt_rbd_driver_auth_enabled_flags_override(self):
+        vol_driver = volume_driver.RBDDriver()
+        libvirt_driver = volume.LibvirtNetVolumeDriver(self.fake_conn)
+        name = 'volume-00000001'
+        vol = {'id': 1, 'name': name}
+        connection_info = vol_driver.initialize_connection(vol, self.connr)
+        uuid = '875a8070-d0b9-4949-8b31-104d125c9a64'
+        user = 'foo'
+        secret_type = 'ceph'
+        connection_info['data']['auth_enabled'] = True
+        connection_info['data']['auth_username'] = user
+        connection_info['data']['secret_type'] = secret_type
+        connection_info['data']['secret_uuid'] = uuid
+
+        flags_uuid = '37152720-1785-11e2-a740-af0c1d8b8e4b'
+        flags_user = 'bar'
+        self.flags(rbd_user=flags_user,
+                   rbd_secret_uuid=flags_uuid)
+
+        mount_device = "vde"
+        conf = libvirt_driver.connect_volume(connection_info, mount_device)
+        tree = conf.format_dom()
+        self.assertEqual(tree.get('type'), 'network')
+        self.assertEqual(tree.find('./source').get('protocol'), 'rbd')
+        rbd_name = '%s/%s' % (FLAGS.rbd_pool, name)
+        self.assertEqual(tree.find('./source').get('name'), rbd_name)
+        self.assertEqual(tree.find('./auth').get('username'), flags_user)
+        self.assertEqual(tree.find('./auth/secret').get('type'), secret_type)
+        self.assertEqual(tree.find('./auth/secret').get('uuid'), flags_uuid)
+        libvirt_driver.disconnect_volume(connection_info, mount_device)
+        connection_info = vol_driver.terminate_connection(vol, self.connr)
+
     def test_libvirt_rbd_driver_auth_disabled(self):
         vol_driver = volume_driver.RBDDriver()
         libvirt_driver = volume.LibvirtNetVolumeDriver(self.fake_conn)
@@ -324,6 +356,40 @@ def test_libvirt_rbd_driver_auth_disabled(self):
         libvirt_driver.disconnect_volume(connection_info, mount_device)
         connection_info = vol_driver.terminate_connection(vol, self.connr)
 
+    def test_libvirt_rbd_driver_auth_disabled_flags_override(self):
+        vol_driver = volume_driver.RBDDriver()
+        libvirt_driver = volume.LibvirtNetVolumeDriver(self.fake_conn)
+        name = 'volume-00000001'
+        vol = {'id': 1, 'name': name}
+        connection_info = vol_driver.initialize_connection(vol, self.connr)
+        uuid = '875a8070-d0b9-4949-8b31-104d125c9a64'
+        user = 'foo'
+        secret_type = 'ceph'
+        connection_info['data']['auth_enabled'] = False
+        connection_info['data']['auth_username'] = user
+        connection_info['data']['secret_type'] = secret_type
+        connection_info['data']['secret_uuid'] = uuid
+
+        # NOTE: Supplying the rbd_secret_uuid will enable authentication
+        # locally in nova-compute even if not enabled in nova-volume/cinder
+        flags_uuid = '37152720-1785-11e2-a740-af0c1d8b8e4b'
+        flags_user = 'bar'
+        self.flags(rbd_user=flags_user,
+                   rbd_secret_uuid=flags_uuid)
+
+        mount_device = "vde"
+        conf = libvirt_driver.connect_volume(connection_info, mount_device)
+        tree = conf.format_dom()
+        self.assertEqual(tree.get('type'), 'network')
+        self.assertEqual(tree.find('./source').get('protocol'), 'rbd')
+        rbd_name = '%s/%s' % (FLAGS.rbd_pool, name)
+        self.assertEqual(tree.find('./source').get('name'), rbd_name)
+        self.assertEqual(tree.find('./auth').get('username'), flags_user)
+        self.assertEqual(tree.find('./auth/secret').get('type'), secret_type)
+        self.assertEqual(tree.find('./auth/secret').get('uuid'), flags_uuid)
+        libvirt_driver.disconnect_volume(connection_info, mount_device)
+        connection_info = vol_driver.terminate_connection(vol, self.connr)
+
     def test_libvirt_lxc_volume(self):
         self.stubs.Set(os.path, 'exists', lambda x: True)
         vol_driver = volume_driver.ISCSIDriver()

nova/virt/libvirt/volume.py

@@ -87,10 +87,19 @@ def connect_volume(self, connection_info, mount_device):
         conf.target_bus = "virtio"
         conf.serial = connection_info.get('serial')
         netdisk_properties = connection_info['data']
-        if netdisk_properties.get('auth_enabled'):
-            conf.auth_username = netdisk_properties['auth_username']
+        auth_enabled = netdisk_properties.get('auth_enabled')
+        if (conf.source_protocol == 'rbd' and
+            FLAGS.rbd_secret_uuid):
+            conf.auth_secret_uuid = FLAGS.rbd_secret_uuid
+            auth_enabled = True  # Force authentication locally
+            if FLAGS.rbd_user:
+                conf.auth_username = FLAGS.rbd_user
+        if auth_enabled:
+            conf.auth_username = (conf.auth_username or
+                                  netdisk_properties['auth_username'])
             conf.auth_secret_type = netdisk_properties['secret_type']
-            conf.auth_secret_uuid = netdisk_properties['secret_uuid']
+            conf.auth_secret_uuid = (conf.auth_secret_uuid or
+                                     netdisk_properties['secret_uuid'])
         return conf