mon,osd: new rbd-based cephx cap profiles #15991

Merged
merged 11 commits into ceph:master from dillaman:wip-rbd-auth-profile on Jul 22, 2017

@dillaman
Contributor

dillaman commented Jun 29, 2017

The new profiles allow the current style caps of:

mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool=images, allow rx pool=glance'

to optionally be specified as:

mon 'profile=rbd' osd 'profile=rbd pool=images, profile=rbd-read-only pool=glance'

This not only fixes an issue with blacklisting dead exclusive-lock clients caused by the currently documented mon 'allow r', but it also simplifies the rbd_children handling that is often missed and allows automatic improved security once cephx osd caps can restrict by class method.

TODO

  • update rbd docs
  • update teuthology tests to utilize the new caps

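To make the equivalence claimed in the description concrete, here is a small Python model, added for this page and not Ceph's MonCap/OSDCap code, that expands both spellings of the osd cap string into concrete grants and checks sample requests against them. It accepts both the `profile=rbd` spelling used above and the `profile rbd` form Ceph's docs use. Assumptions that are mine rather than the PR's: the mon `rbd` profile is modelled as read access plus the single command `osd blacklist add <addr>` with a regex on the address argument (my reading of the blacklisting fix and of the "regex-based restrictions on command caps" commit); the regex, the `OsdGrant` type and the helper names are illustrative.

```python
"""Model of RBD cephx cap profiles vs. legacy 'allow' grants (illustration only)."""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass
class OsdGrant:
    pool: str           # "" means any pool
    object_prefix: str  # "" means any object
    perms: set          # subset of {"r", "w", "x", "class-read"}


# Profile expansions as described in the PR: 'rbd' is class-read on the
# rbd_children object in every pool plus rwx on the named pool;
# 'rbd-read-only' is rx on the named pool only.
OSD_PROFILES = {
    "rbd": lambda pool: [OsdGrant("", "rbd_children", {"class-read"}),
                         OsdGrant(pool, "", {"r", "w", "x"})],
    "rbd-read-only": lambda pool: [OsdGrant(pool, "", {"r", "x"})],
}


def parse_osd_cap(cap: str) -> list[OsdGrant]:
    """Expand 'profile rbd pool=images, profile rbd-read-only pool=glance'
    (or the legacy 'allow ...' clauses) into a list of OsdGrant."""
    grants: list[OsdGrant] = []
    for clause in (c.strip() for c in cap.split(",")):
        words = clause.replace("profile=", "profile ", 1).split()
        if words[0] == "profile":
            name = words[1]
            if name not in OSD_PROFILES:
                raise ValueError(f"unknown osd profile {name!r}")
            opts = dict(w.split("=", 1) for w in words[2:])
            grants += OSD_PROFILES[name](opts.get("pool", ""))
        elif words[0] == "allow":
            perms, pool, prefix, i = set(), "", "", 1
            while i < len(words):
                w = words[i]
                if w == "object_prefix":
                    prefix, i = words[i + 1], i + 2
                elif w.startswith("pool="):
                    pool, i = w[5:], i + 1
                elif w == "class-read":
                    perms.add("class-read"); i += 1
                elif set(w) <= set("rwx"):
                    perms |= set(w); i += 1
                else:
                    raise ValueError(f"unknown osd cap token {w!r}")
            grants.append(OsdGrant(pool, prefix, perms))
        else:
            raise ValueError(f"unparseable osd cap clause {clause!r}")
    return grants


def osd_allows(grants: list[OsdGrant], pool: str, obj: str, need: set) -> bool:
    """Allowed if one grant matches pool and object prefix and carries every
    required permission (no combining of partial grants)."""
    for g in grants:
        if g.pool and g.pool != pool:
            continue
        if g.object_prefix and not obj.startswith(g.object_prefix):
            continue
        if need <= g.perms:
            return True
    return False


# Assumed shape of the blacklist address argument: "ip:port/nonce".
BLACKLIST_ADDR = re.compile(r"^[^/]+/[0-9]+$")


def mon_cap_allows(cap: str, op: str, command: str = "",
                   args: dict | None = None) -> bool:
    """op is 'r' for reading mon data or 'command' for a mon command.
    'allow r' never permits commands, which is the documented-cap problem the
    PR fixes; 'profile rbd' additionally permits only 'osd blacklist add'
    with a fully specified address (modelled, not Ceph's exact rule)."""
    args = args or {}
    cap = cap.strip().replace("profile=", "profile ", 1)
    if cap == "allow r":
        return op == "r"
    if cap == "profile rbd":
        if op == "r":
            return True
        return (op == "command" and command == "osd blacklist"
                and args.get("blacklistop") == "add"
                and bool(BLACKLIST_ADDR.match(args.get("addr", ""))))
    raise ValueError(f"unsupported mon cap {cap!r}")


def legacy_and_profile_agree() -> bool:
    """The two osd cap spellings from the PR description grant the same thing."""
    legacy = parse_osd_cap("allow class-read object_prefix rbd_children, "
                           "allow rwx pool=images, allow rx pool=glance")
    new = parse_osd_cap("profile=rbd pool=images, profile=rbd-read-only pool=glance")
    probes = [("images", "rbd_data.1", {"r", "w", "x"}),
              ("glance", "rbd_data.2", {"r", "x"}),
              ("glance", "rbd_data.2", {"w"}),
              ("other", "rbd_children", {"class-read"}),
              ("other", "rbd_data.3", {"r"})]
    return all(osd_allows(legacy, *p) == osd_allows(new, *p) for p in probes)
```

The point the probes make is the one the description makes: the all-pool `rbd_children` grant is easy to forget when writing caps by hand, and a mon cap of only `allow r` leaves the client unable to blacklist a dead exclusive-lock holder.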
@dillaman dillaman requested a review from liewegas Jun 29, 2017

@dillaman


Contributor

dillaman commented Jul 8, 2017

Pending #16212 so the rbd-mirror tests can be run

@dillaman


Contributor

dillaman commented Jul 11, 2017

ready for review -- passes rbd tests

if (profile.name == "rbd") {
// RBD read-write grant
profile_grants.emplace_back(OSDCapMatch("", "", "rbd_children"),
OSDCapSpec(osd_rwxa_t(OSD_CAP_CLS_R)));
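Review bot: the comment "// RBD read-write grant" does not describe the grant beneath it, which is class-read only (OSD_CAP_CLS_R) on the rbd_children object prefix with an empty pool and namespace match, i.e. every pool. Suggest a comment that states that scope explicitly, e.g. "// class-read on rbd_children in any pool (clone parent/child bookkeeping)", so the one all-pool grant in the profile is obvious at a glance and a future pool-tag restriction has a clear place to go.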


@liewegas

liewegas Jul 11, 2017

Member

Just a thought: once we have pool tags we could restrict this to only rbd-tagged pools, too.


@dillaman

dillaman Jul 12, 2017

Contributor

Sounds good -- it would also be nice to have the monitor validate the OSDCap as well. Right now, I can run ceph auth get-or-create client.test mon 'allow r' osd 'fdsfdfa' and it doesn't complain, but it will barf if you provide an unreadable MonCap.

@liewegas

looks good! I'm guessing that expand_profile() came from MonCap; I wonder if we have the same race there?

@dillaman


Contributor

dillaman commented Jul 12, 2017

@liewegas Yes, it was originally modeled after the MonCap profiles. The race only hit in the OSDs during tests with message failure injections -- and only if multiple messages were replayed to the same OSD in different PG thread shards.

@dillaman dillaman added this to the luminous milestone Jul 17, 2017

@liewegas


Member

liewegas commented Jul 18, 2017

rebase?

@dillaman


Contributor

dillaman commented Jul 19, 2017

rebase pushed

@liewegas


Member

liewegas commented Jul 20, 2017

rebase?

@liewegas


Member

liewegas commented Jul 20, 2017

btw you can just add the release notes directly to release-notes since it's effectively a draft for 12.2.0 anyway

dillaman added some commits Jun 26, 2017

mon: support regex-based restrictions on command caps
Signed-off-by: Jason Dillaman <dillaman@redhat.com>
mon: added 'rbd' profile
Signed-off-by: Jason Dillaman <dillaman@redhat.com>
osd: primitive cephx osd profile cap support
The two new example profiles are read-only and read-write

Signed-off-by: Jason Dillaman <dillaman@redhat.com>
osd: new 'rbd'/'rbd-read-only' osd cap profiles
The 'rbd' profile provides read-only class access on all pools
to the 'rbd_children' object and write access to the optionally
specified pool. The 'rbd-read-only' profile does as its name
implies.

Signed-off-by: Jason Dillaman <dillaman@redhat.com>
mon,osd: drop the "allow" prefix for profile caps
The use of a profile implies that it sets everything up. If
support for deny is ever added, it doesn't make much sense to
deny a profile.

Signed-off-by: Jason Dillaman <dillaman@redhat.com>
doc: include details for new RBD cap profiles
Signed-off-by: Jason Dillaman <dillaman@redhat.com>
qa/suites/rbd: mirroring tests should use rbd cap profiles
Signed-off-by: Jason Dillaman <dillaman@redhat.com>
qa/workunits/rbd: devstack test should use auth profiles
Signed-off-by: Jason Dillaman <dillaman@redhat.com>
qa/workunits/rbd: rbd-mirror tests should use 'mirror' user
Signed-off-by: Jason Dillaman <dillaman@redhat.com>
osd: expand profile caps upon construction to avoid potential race
Signed-off-by: Jason Dillaman <dillaman@redhat.com>
PendingReleaseNotes: added blurb for new RBD cap profiles
Signed-off-by: Jason Dillaman <dillaman@redhat.com>

@liewegas liewegas merged commit 4e6487c into ceph:master Jul 22, 2017

3 of 4 checks passed:

  • make check: failed
  • Signed-off-by: all commits in this PR are signed
  • Unmodified Submodules: submodules for project are unmodified
  • make check (arm64): succeeded

@dillaman dillaman deleted the dillaman:wip-rbd-auth-profile branch Jul 22, 2017
