cryptospore / rpms / qemu-kvm

Forked from rpms/qemu-kvm 2 years ago
Clone
26ba25
From 7aafba282f161865e4ffc4a2da7e06d59d3dfe9a Mon Sep 17 00:00:00 2001
26ba25
From: Markus Armbruster <armbru@redhat.com>
26ba25
Date: Mon, 18 Jun 2018 08:43:29 +0200
26ba25
Subject: [PATCH 031/268] rbd: New parameter auth-client-required
26ba25
26ba25
RH-Author: Markus Armbruster <armbru@redhat.com>
26ba25
Message-id: <20180618084330.30009-23-armbru@redhat.com>
26ba25
Patchwork-id: 80731
26ba25
O-Subject: [RHEL-7.6 qemu-kvm-rhev PATCH 22/23] rbd: New parameter auth-client-required
26ba25
Bugzilla: 1557995
26ba25
RH-Acked-by: Max Reitz <mreitz@redhat.com>
26ba25
RH-Acked-by: Jeffrey Cody <jcody@redhat.com>
26ba25
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
26ba25
26ba25
Parameter auth-client-required lets you configure authentication
26ba25
methods.  We tried to provide that in v2.9.0, but backed out due to
26ba25
interface design doubts (commit 464444fcc16).
26ba25
26ba25
This commit is similar to what we backed out, but simpler: we use a
26ba25
list of enumeration values instead of a list of objects with a member
26ba25
of enumeration type.
26ba25
26ba25
Let's review our reasons for backing out the first try, as stated in
26ba25
the commit message:
26ba25
26ba25
    * The implementation uses deprecated rados_conf_set() key
26ba25
      "auth_supported".  No biggie.
26ba25
26ba25
Fixed: we use "auth-client-required".
26ba25
26ba25
    * The implementation makes -drive silently ignore invalid parameters
26ba25
      "auth" and "auth-supported.*.X" where X isn't "auth".  Fixable (in
26ba25
      fact I'm going to fix similar bugs around parameter server), so
26ba25
      again no biggie.
26ba25
26ba25
That fix is commit 2836284db60.  This commit doesn't bring the bugs
26ba25
back.
26ba25
26ba25
    * BlockdevOptionsRbd member @password-secret applies only to
26ba25
      authentication method cephx.  Should it be a variant member of
26ba25
      RbdAuthMethod?
26ba25
26ba25
We've had time to ponder, and we decided to stick to the way Ceph
26ba25
configuration works: the key configured separately, and silently
26ba25
ignored if the authentication method doesn't use it.
26ba25
26ba25
    * BlockdevOptionsRbd member @user could apply to both methods cephx
26ba25
      and none, but I'm not sure it's actually used with none.  If it
26ba25
      isn't, should it be a variant member of RbdAuthMethod?
26ba25
26ba25
Likewise.
26ba25
26ba25
    * The client offers a *set* of authentication methods, not a list.
26ba25
      Should the methods be optional members of BlockdevOptionsRbd instead
26ba25
      of members of list @auth-supported?  The latter begs the question
26ba25
      what multiple entries for the same method mean.  Trivial question
26ba25
      now that RbdAuthMethod contains nothing but @type, but less so when
26ba25
      RbdAuthMethod acquires other members, such the ones discussed above.
26ba25
26ba25
Again, we decided to stick to the way Ceph configuration works, except
26ba25
we make auth-client-required a list of enumeration values instead of a
26ba25
string containing keywords separated by delimiters.
26ba25
26ba25
    * How BlockdevOptionsRbd member @auth-supported interacts with
26ba25
      settings from a configuration file specified with @conf is
26ba25
      undocumented.  I suspect it's untested, too.
26ba25
26ba25
Not actually true, the documentation for @conf says "Values in the
26ba25
configuration file will be overridden by options specified via QAPI",
26ba25
and we've tested this.
26ba25
26ba25
Signed-off-by: Markus Armbruster <armbru@redhat.com>
26ba25
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
26ba25
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
26ba25
(cherry picked from commit a3699de4dde82bc76b33a83798a9da82c2336cce)
26ba25
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
26ba25
---
26ba25
 block/rbd.c          | 42 ++++++++++++++++++++++++++++++++----------
26ba25
 qapi/block-core.json | 13 +++++++++++++
26ba25
 2 files changed, 45 insertions(+), 10 deletions(-)
26ba25
26ba25
diff --git a/block/rbd.c b/block/rbd.c
26ba25
index c834d72..9c0903f 100644
26ba25
--- a/block/rbd.c
26ba25
+++ b/block/rbd.c
26ba25
@@ -233,20 +233,42 @@ done:
26ba25
 
26ba25
 
26ba25
 static int qemu_rbd_set_auth(rados_t cluster, const char *secretid,
26ba25
+                             BlockdevOptionsRbd *opts,
26ba25
                              Error **errp)
26ba25
 {
26ba25
-    if (secretid == 0) {
26ba25
-        return 0;
26ba25
-    }
26ba25
+    char *acr;
26ba25
+    int r;
26ba25
+    GString *accu;
26ba25
+    RbdAuthModeList *auth;
26ba25
+
26ba25
+    if (secretid) {
26ba25
+        gchar *secret = qcrypto_secret_lookup_as_base64(secretid,
26ba25
+                                                        errp);
26ba25
+        if (!secret) {
26ba25
+            return -1;
26ba25
+        }
26ba25
 
26ba25
-    gchar *secret = qcrypto_secret_lookup_as_base64(secretid,
26ba25
-                                                    errp);
26ba25
-    if (!secret) {
26ba25
-        return -1;
26ba25
+        rados_conf_set(cluster, "key", secret);
26ba25
+        g_free(secret);
26ba25
     }
26ba25
 
26ba25
-    rados_conf_set(cluster, "key", secret);
26ba25
-    g_free(secret);
26ba25
+    if (opts->has_auth_client_required) {
26ba25
+        accu = g_string_new("");
26ba25
+        for (auth = opts->auth_client_required; auth; auth = auth->next) {
26ba25
+            if (accu->str[0]) {
26ba25
+                g_string_append_c(accu, ';');
26ba25
+            }
26ba25
+            g_string_append(accu, RbdAuthMode_str(auth->value));
26ba25
+        }
26ba25
+        acr = g_string_free(accu, FALSE);
26ba25
+        r = rados_conf_set(cluster, "auth_client_required", acr);
26ba25
+        g_free(acr);
26ba25
+        if (r < 0) {
26ba25
+            error_setg_errno(errp, -r,
26ba25
+                             "Could not set 'auth_client_required'");
26ba25
+            return r;
26ba25
+        }
26ba25
+    }
26ba25
 
26ba25
     return 0;
26ba25
 }
26ba25
@@ -578,7 +600,7 @@ static int qemu_rbd_connect(rados_t *cluster, rados_ioctx_t *io_ctx,
26ba25
         }
26ba25
     }
26ba25
 
26ba25
-    if (qemu_rbd_set_auth(*cluster, secretid, errp) < 0) {
26ba25
+    if (qemu_rbd_set_auth(*cluster, secretid, opts, errp) < 0) {
26ba25
         r = -EIO;
26ba25
         goto failed_shutdown;
26ba25
     }
26ba25
diff --git a/qapi/block-core.json b/qapi/block-core.json
26ba25
index c50517b..d1da7d1 100644
26ba25
--- a/qapi/block-core.json
26ba25
+++ b/qapi/block-core.json
26ba25
@@ -3170,6 +3170,14 @@
26ba25
 
26ba25
 
26ba25
 ##
26ba25
+# @RbdAuthMode:
26ba25
+#
26ba25
+# Since: 3.0
26ba25
+##
26ba25
+{ 'enum': 'RbdAuthMode',
26ba25
+  'data': [ 'cephx', 'none' ] }
26ba25
+
26ba25
+##
26ba25
 # @BlockdevOptionsRbd:
26ba25
 #
26ba25
 # @pool:               Ceph pool name.
26ba25
@@ -3184,6 +3192,10 @@
26ba25
 #
26ba25
 # @user:               Ceph id name.
26ba25
 #
26ba25
+# @auth-client-required: Acceptable authentication modes.
26ba25
+#                      This maps to Ceph configuration option
26ba25
+#                      "auth_client_required".  (Since 3.0)
26ba25
+#
26ba25
 # @server:             Monitor host address and port.  This maps
26ba25
 #                      to the "mon_host" Ceph option.
26ba25
 #
26ba25
@@ -3195,6 +3207,7 @@
26ba25
             '*conf': 'str',
26ba25
             '*snapshot': 'str',
26ba25
             '*user': 'str',
26ba25
+            '*auth-client-required': ['RbdAuthMode'],
26ba25
             '*server': ['InetSocketAddressBase'] } }
26ba25
 
26ba25
 ##
26ba25
-- 
26ba25
1.8.3.1
26ba25