
Commit 975528f

committed
Merge remote-tracking branch 'private/wip-mon-snap-caps'
2 parents dd413ad + 97e3f0a commit 975528f


6 files changed

+464
-22
lines changed


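--- a/qa/workunits/rados/test_pool_access.sh
+++ b/qa/workunits/rados/test_pool_access.sh
@@ -2,22 +2,107 @@
 
 set -ex
 
-expect_1()
+KEYRING=$(mktemp)
+trap cleanup EXIT ERR HUP INT QUIT
+
+cleanup() {
+(ceph auth del client.mon_read || true) >/dev/null 2>&1
+(ceph auth del client.mon_write || true) >/dev/null 2>&1
+
+rm -f $KEYRING
+}
+
+expect_false()
 {
-set -x
-set +e
-"$@"
-if [ $? == 1 ]; then return 0; else return 1; fi
+set -x
+if "$@"; then return 1; else return 0; fi
+}
+
+create_pool_op() {
+ID=$1
+POOL=$2
+
+cat << EOF | CEPH_ARGS="-k $KEYRING" python
+import rados
+
+cluster = rados.Rados(conffile="", rados_id="${ID}")
+cluster.connect()
+cluster.create_pool("${POOL}")
+EOF
 }
 
+delete_pool_op() {
+ID=$1
+POOL=$2
+
+cat << EOF | CEPH_ARGS="-k $KEYRING" python
+import rados
+
+cluster = rados.Rados(conffile="", rados_id="${ID}")
+cluster.connect()
+cluster.delete_pool("${POOL}")
+EOF
+}
+
+create_pool_snap_op() {
+ID=$1
+POOL=$2
+SNAP=$3
+
+cat << EOF | CEPH_ARGS="-k $KEYRING" python
+import rados
+
+cluster = rados.Rados(conffile="", rados_id="${ID}")
+cluster.connect()
+ioctx = cluster.open_ioctx("${POOL}")
+
+ioctx.create_snap("${SNAP}")
+EOF
+}
+
+remove_pool_snap_op() {
+ID=$1
+POOL=$2
+SNAP=$3
+
+cat << EOF | CEPH_ARGS="-k $KEYRING" python
+import rados
+
+cluster = rados.Rados(conffile="", rados_id="${ID}")
+cluster.connect()
+ioctx = cluster.open_ioctx("${POOL}")
+
+ioctx.remove_snap("${SNAP}")
+EOF
+}
+
+test_pool_op()
+{
+ceph auth get-or-create client.mon_read mon 'allow r' >> $KEYRING
+ceph auth get-or-create client.mon_write mon 'allow *' >> $KEYRING
+
+expect_false create_pool_op mon_read pool1
+create_pool_op mon_write pool1
+
+expect_false create_pool_snap_op mon_read pool1 snap1
+create_pool_snap_op mon_write pool1 snap1
+
+expect_false remove_pool_snap_op mon_read pool1 snap1
+remove_pool_snap_op mon_write pool1 snap1
+
+expect_false delete_pool_op mon_read pool1
+delete_pool_op mon_write pool1
+}
 
 key=`ceph auth get-or-create-key client.poolaccess1 mon 'allow r' osd 'allow *'`
 rados --id poolaccess1 --key $key -p rbd ls
 
 key=`ceph auth get-or-create-key client.poolaccess2 mon 'allow r' osd 'allow * pool=nopool'`
-expect_1 rados --id poolaccess2 --key $key -p rbd ls
+expect_false rados --id poolaccess2 --key $key -p rbd ls
 
 key=`ceph auth get-or-create-key client.poolaccess3 mon 'allow r' osd 'allow rw pool=nopool'`
-expect_1 rados --id poolaccess3 --key $key -p rbd ls
+expect_false rados --id poolaccess3 --key $key -p rbd ls
+
+test_pool_op
 
 echo OK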
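Review bot: `expect_false` now succeeds on any non-zero exit, so each `expect_false … mon_read …` line in `test_pool_op` also passes when the Python snippet dies for a reason unrelated to caps (no `python` on PATH, `import rados` failing, `connect()` erroring). The `mon_write` call after each denial case will catch a broken environment, but nothing asserts that the rejection itself was a permission error. Consider having the heredoc scripts exit with a dedicated status when the binding reports a permission failure and comparing against it in the helper, e.g. `rc=0; "$@" || rc=$?; [ "$rc" -eq 13 ]` (13 is a constructed example value, not one the scripts use today). At minimum, record the limitation above the helper: `# passes on ANY failure of "$@", not only a permission denial`.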

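--- a/qa/workunits/rbd/permissions.sh
+++ b/qa/workunits/rbd/permissions.sh
@@ -29,11 +29,27 @@ recreate_pools() {
 delete_users() {
 (ceph auth del client.volumes || true) >/dev/null 2>&1
 (ceph auth del client.images || true) >/dev/null 2>&1
+
+(ceph auth del client.snap_none || true) >/dev/null 2>&1
+(ceph auth del client.snap_all || true) >/dev/null 2>&1
+(ceph auth del client.snap_pool || true) >/dev/null 2>&1
+(ceph auth del client.snap_profile_all || true) >/dev/null 2>&1
+(ceph auth del client.snap_profile_pool || true) >/dev/null 2>&1
+
+(ceph auth del client.mon_write || true) >/dev/null 2>&1
 }
 
 create_users() {
 ceph auth get-or-create client.volumes mon 'profile rbd' osd 'profile rbd pool=volumes, profile rbd-read-only pool=images' >> $KEYRING
 ceph auth get-or-create client.images mon 'profile rbd' osd 'profile rbd pool=images' >> $KEYRING
+
+ceph auth get-or-create client.snap_none mon 'allow r' >> $KEYRING
+ceph auth get-or-create client.snap_all mon 'allow r' osd 'allow w' >> $KEYRING
+ceph auth get-or-create client.snap_pool mon 'allow r' osd 'allow w pool=images' >> $KEYRING
+ceph auth get-or-create client.snap_profile_all mon 'allow r' osd 'profile rbd' >> $KEYRING
+ceph auth get-or-create client.snap_profile_pool mon 'allow r' osd 'profile rbd pool=images' >> $KEYRING
+
+ceph auth get-or-create client.mon_write mon 'allow *' >> $KEYRING
 }
 
 expect() {
@@ -142,9 +158,83 @@ test_volumes_access() {
 rbd -k $KEYRING --id volumes rm volumes/child
 }
 
+create_self_managed_snapshot() {
+ID=$1
+POOL=$2
+
+cat << EOF | CEPH_ARGS="-k $KEYRING" python
+import rados
+
+cluster = rados.Rados(conffile="", rados_id="${ID}")
+cluster.connect()
+ioctx = cluster.open_ioctx("${POOL}")
+
+snap_id = ioctx.create_self_managed_snap()
+print ("Created snap id {}".format(snap_id))
+EOF
+}
+
+remove_self_managed_snapshot() {
+ID=$1
+POOL=$2
+
+cat << EOF | CEPH_ARGS="-k $KEYRING" python
+import rados
+
+cluster1 = rados.Rados(conffile="", rados_id="mon_write")
+cluster1.connect()
+ioctx1 = cluster1.open_ioctx("${POOL}")
+
+snap_id = ioctx1.create_self_managed_snap()
+print ("Created snap id {}".format(snap_id))
+
+cluster2 = rados.Rados(conffile="", rados_id="${ID}")
+cluster2.connect()
+ioctx2 = cluster2.open_ioctx("${POOL}")
+
+ioctx2.remove_self_managed_snap(snap_id)
+print ("Removed snap id {}".format(snap_id))
+EOF
+}
+
+test_remove_self_managed_snapshots() {
+# Ensure users cannot create self-managed snapshots w/o permissions
+expect 1 create_self_managed_snapshot snap_none images
+expect 1 create_self_managed_snapshot snap_none volumes
+
+create_self_managed_snapshot snap_all images
+create_self_managed_snapshot snap_all volumes
+
+create_self_managed_snapshot snap_pool images
+expect 1 create_self_managed_snapshot snap_pool volumes
+
+create_self_managed_snapshot snap_profile_all images
+create_self_managed_snapshot snap_profile_all volumes
+
+create_self_managed_snapshot snap_profile_pool images
+expect 1 create_self_managed_snapshot snap_profile_pool volumes
+
+# Ensure users cannot delete self-managed snapshots w/o permissions
+expect 1 remove_self_managed_snapshot snap_none images
+expect 1 remove_self_managed_snapshot snap_none volumes
+
+remove_self_managed_snapshot snap_all images
+remove_self_managed_snapshot snap_all volumes
+
+remove_self_managed_snapshot snap_pool images
+expect 1 remove_self_managed_snapshot snap_pool volumes
+
+remove_self_managed_snapshot snap_profile_all images
+remove_self_managed_snapshot snap_profile_all volumes
+
+remove_self_managed_snapshot snap_profile_pool images
+expect 1 remove_self_managed_snapshot snap_profile_pool volumes
+}
+
 cleanup() {
 rm -f $KEYRING
 }
+
 KEYRING=$(mktemp)
 trap cleanup EXIT ERR HUP INT QUIT
 
@@ -157,6 +247,8 @@ test_images_access
 recreate_pools
 test_volumes_access
 
+test_remove_self_managed_snapshots
+
 delete_pools
 delete_users
 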
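Review bot: In `remove_self_managed_snapshot` the snapshot is created as `mon_write` and removed as `${ID}` inside one Python process, so a non-zero exit does not say which half failed; the `expect 1 remove_self_managed_snapshot …` cases would also pass if the `mon_write` setup step raised. The body of `expect` is outside these hunks, so this assumes it only compares the exit status. Exiting with a distinct status when the setup half fails would keep the denial cases meaningful; a comment such as `# setup runs as client.mon_write; only the final remove is under test` would at least record the intent. The denied cases also leave behind the snapshot they created, which is harmless only as long as `delete_pools` always runs afterwards.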
