yeahuh / rpms / qemu-kvm

Forked from rpms/qemu-kvm 2 years ago

From 7aafba282f161865e4ffc4a2da7e06d59d3dfe9a Mon Sep 17 00:00:00 2001
From: Markus Armbruster <armbru@redhat.com>
Date: Mon, 18 Jun 2018 08:43:29 +0200
Subject: [PATCH 031/268] rbd: New parameter auth-client-required

RH-Author: Markus Armbruster <armbru@redhat.com>
Message-id: <20180618084330.30009-23-armbru@redhat.com>
Patchwork-id: 80731
O-Subject: [RHEL-7.6 qemu-kvm-rhev PATCH 22/23] rbd: New parameter auth-client-required
Bugzilla: 1557995
RH-Acked-by: Max Reitz <mreitz@redhat.com>
RH-Acked-by: Jeffrey Cody <jcody@redhat.com>
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>

Parameter auth-client-required lets you configure authentication
methods.  We tried to provide that in v2.9.0, but backed out due to
interface design doubts (commit 464444fcc16).

This commit is similar to what we backed out, but simpler: we use a
list of enumeration values instead of a list of objects with a member
of enumeration type.

Let's review our reasons for backing out the first try, as stated in
the commit message:

    * The implementation uses deprecated rados_conf_set() key
      "auth_supported".  No biggie.

Fixed: we use "auth-client-required".

    * The implementation makes -drive silently ignore invalid parameters
      "auth" and "auth-supported.*.X" where X isn't "auth".  Fixable (in
      fact I'm going to fix similar bugs around parameter server), so
      again no biggie.

That fix is commit 2836284db60.  This commit doesn't bring the bugs
back.

    * BlockdevOptionsRbd member @password-secret applies only to
      authentication method cephx.  Should it be a variant member of
      RbdAuthMethod?

We've had time to ponder, and we decided to stick to the way Ceph
configuration works: the key configured separately, and silently
ignored if the authentication method doesn't use it.

    * BlockdevOptionsRbd member @user could apply to both methods cephx
      and none, but I'm not sure it's actually used with none.  If it
      isn't, should it be a variant member of RbdAuthMethod?

Likewise.

    * The client offers a *set* of authentication methods, not a list.
      Should the methods be optional members of BlockdevOptionsRbd instead
      of members of list @auth-supported?  The latter begs the question
      what multiple entries for the same method mean.  Trivial question
      now that RbdAuthMethod contains nothing but @type, but less so when
      RbdAuthMethod acquires other members, such as the ones discussed above.

Again, we decided to stick to the way Ceph configuration works, except
we make auth-client-required a list of enumeration values instead of a
string containing keywords separated by delimiters.

    * How BlockdevOptionsRbd member @auth-supported interacts with
      settings from a configuration file specified with @conf is
      undocumented.  I suspect it's untested, too.

Not actually true: the documentation for @conf says "Values in the
configuration file will be overridden by options specified via QAPI",
and we've tested this.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit a3699de4dde82bc76b33a83798a9da82c2336cce)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 block/rbd.c          | 42 ++++++++++++++++++++++++++++++++----------
 qapi/block-core.json | 13 +++++++++++++
 2 files changed, 45 insertions(+), 10 deletions(-)

diff --git a/block/rbd.c b/block/rbd.c
index c834d72..9c0903f 100644
--- a/block/rbd.c
+++ b/block/rbd.c
@@ -233,20 +233,42 @@ done:
 
 
 static int qemu_rbd_set_auth(rados_t cluster, const char *secretid,
+                             BlockdevOptionsRbd *opts,
                              Error **errp)
 {
-    if (secretid == 0) {
-        return 0;
-    }
+    char *acr;
+    int r;
+    GString *accu;
+    RbdAuthModeList *auth;
+
+    if (secretid) {
+        gchar *secret = qcrypto_secret_lookup_as_base64(secretid,
+                                                        errp);
+        if (!secret) {
+            return -1;
+        }
 
-    gchar *secret = qcrypto_secret_lookup_as_base64(secretid,
-                                                    errp);
-    if (!secret) {
-        return -1;
+        rados_conf_set(cluster, "key", secret);
+        g_free(secret);
     }
 
-    rados_conf_set(cluster, "key", secret);
-    g_free(secret);
+    if (opts->has_auth_client_required) {
+        accu = g_string_new("");
+        for (auth = opts->auth_client_required; auth; auth = auth->next) {
+            if (accu->str[0]) {
+                g_string_append_c(accu, ';');
+            }
+            g_string_append(accu, RbdAuthMode_str(auth->value));
+        }
+        acr = g_string_free(accu, FALSE);
+        r = rados_conf_set(cluster, "auth_client_required", acr);
+        g_free(acr);
+        if (r < 0) {
+            error_setg_errno(errp, -r,
+                             "Could not set 'auth_client_required'");
+            return r;
+        }
+    }
 
     return 0;
 }
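Review bot: the two rados_conf_set() calls in qemu_rbd_set_auth() are now handled inconsistently. The new path checks its result (`r = rados_conf_set(cluster, "auth_client_required", acr);` followed by `if (r < 0) { error_setg_errno(errp, -r, ...`), but the retained `rados_conf_set(cluster, "key", secret);` still discards its return value, so a key librados rejects is only noticed later when the connect fails, without a useful message. Give the key path the same treatment: capture r, `error_setg_errno(errp, -r, "Could not set 'key'")`, and return r. While there, the secret-lookup failure returns a bare -1 whereas the new path returns the negative errno from librados; pick one convention for the function's return value.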
@@ -578,7 +600,7 @@ static int qemu_rbd_connect(rados_t *cluster, rados_ioctx_t *io_ctx,
         }
     }
 
-    if (qemu_rbd_set_auth(*cluster, secretid, errp) < 0) {
+    if (qemu_rbd_set_auth(*cluster, secretid, opts, errp) < 0) {
         r = -EIO;
         goto failed_shutdown;
     }
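Review bot: qemu_rbd_set_auth() now returns the negative errno from rados_conf_set() and fills errp, yet this call site still flattens every failure to `r = -EIO;`, so the errno is computed and then thrown away. Either propagate it (`r = qemu_rbd_set_auth(*cluster, secretid, opts, errp); if (r < 0) { goto failed_shutdown; }`), in which case the callee's secret-lookup path should return a real errno such as -EINVAL rather than -1, or keep -EIO deliberately and have the callee return -1 uniformly. The errp message still carries the detail either way, so this is about consistency rather than lost information.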
diff --git a/qapi/block-core.json b/qapi/block-core.json
index c50517b..d1da7d1 100644
--- a/qapi/block-core.json
+++ b/qapi/block-core.json
@@ -3170,6 +3170,14 @@
 
 
 ##
+# @RbdAuthMode:
+#
+# Since: 3.0
+##
+{ 'enum': 'RbdAuthMode',
+  'data': [ 'cephx', 'none' ] }
+
+##
 # @BlockdevOptionsRbd:
 #
 # @pool:               Ceph pool name.
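Review bot: the new RbdAuthMode enum carries only `# Since: 3.0` and no description of its values. Add `# @cephx:` and `# @none:` lines between `# @RbdAuthMode:` and `# Since: 3.0`, and say plainly that a list containing none lets the client proceed against a cluster that does not authenticate itself; that is the value an operator least wants to enable by accident, and the schema is where they will look it up.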
@@ -3184,6 +3192,10 @@
 #
 # @user:               Ceph id name.
 #
+# @auth-client-required: Acceptable authentication modes.
+#                      This maps to Ceph configuration option
+#                      "auth_client_required".  (Since 3.0)
+#
 # @server:             Monitor host address and port.  This maps
 #                      to the "mon_host" Ceph option.
 #
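Review bot: "Acceptable authentication modes" does not tell a user what several entries mean, whether their order matters, or what applies when the member is absent. The commit message's answer is "the way Ceph configuration works", with QAPI values overriding @conf; the doc comment should say that much, e.g. add after the "auth_client_required" line: `#                      When absent, the setting from @conf or the Ceph default applies.` and a sentence on how multiple entries are interpreted, so the reader does not have to consult the Ceph documentation to learn the semantics of a QEMU option.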
@@ -3195,6 +3207,7 @@
             '*conf': 'str',
             '*snapshot': 'str',
             '*user': 'str',
+            '*auth-client-required': ['RbdAuthMode'],
             '*server': ['InetSocketAddressBase'] } }
 
 ##
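Review bot: `'*auth-client-required': ['RbdAuthMode']` admits repeated values, and the loop in qemu_rbd_set_auth() appends every entry, so `["cephx", "cephx"]` reaches librados as "cephx;cephx". The commit message calls the question of duplicates trivial now that each entry is a bare enum; if passing them through is the intended behaviour, one sentence in the doc comment saying so avoids a bug report, otherwise reject duplicates with an error while the list is walked.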
-- 
1.8.3.1
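Added example, not part of this patch or of QEMU: a small Python helper that builds the QMP blockdev-add arguments for an rbd node using the parameter introduced above, reproduces the ';'-joining that qemu_rbd_set_auth() performs so the string librados receives for auth_client_required can be inspected up front, and flags configurations that list none. The members pool, user, server and auth-client-required appear in the hunks on this page; image (required by BlockdevOptionsRbd) and the host/port string pair of each server entry (InetSocketAddressBase) come from the rest of the QAPI schema and are assumptions here. The node name, pool, image, user and monitor addresses are constructed sample values.

```python
"""Preview an RBD blockdev-add and the Ceph auth_client_required string
it will produce.  Added example; this is not QEMU code."""
import json

# Values of the QAPI enum RbdAuthMode introduced by the patch above.
RBD_AUTH_MODES = ("cephx", "none")


def ceph_auth_client_required(modes):
    """Return the string block/rbd.c hands to
    rados_conf_set(cluster, "auth_client_required", ...): the list
    entries joined with ';'.  The C loop appends every entry as-is;
    here unknown values (which QAPI would reject before the C code
    runs) and duplicates (which the C code passes through) both raise,
    so the caller sees the problem before the command is sent."""
    seen = []
    for mode in modes:
        if mode not in RBD_AUTH_MODES:
            raise ValueError(f"not an RbdAuthMode: {mode!r}")
        if mode in seen:
            raise ValueError(f"duplicate RbdAuthMode: {mode!r}")
        seen.append(mode)
    return ";".join(seen)


def accepts_unauthenticated_cluster(modes):
    """auth_client_required is the client's requirement on the cluster.
    Listing 'none' anywhere lets the client proceed against a cluster
    that does not authenticate itself, so such a list should be flagged."""
    return "none" in modes


def rbd_blockdev_add(node_name, pool, image, user, mon_hosts,
                     auth_client_required=None):
    """Assemble the blockdev-add QMP command as a dict.  'image' is a
    BlockdevOptionsRbd member not shown in the hunks above (assumption
    from the full schema)."""
    opts = {
        "node-name": node_name,
        "driver": "rbd",
        "pool": pool,
        "image": image,
        "user": user,
        # InetSocketAddressBase: host and port are both strings (assumed).
        "server": [{"host": h, "port": str(p)} for h, p in mon_hosts],
    }
    if auth_client_required is not None:
        # Validate locally; QMP would reject unknown values anyway.
        ceph_auth_client_required(auth_client_required)
        opts["auth-client-required"] = list(auth_client_required)
    return {"execute": "blockdev-add", "arguments": opts}


def strict_cephx_example():
    """Constructed sample: a node that only accepts a cephx-authenticating
    cluster (192.0.2.x is documentation address space)."""
    return rbd_blockdev_add(
        node_name="rbd0", pool="vms", image="guest-1", user="libvirt",
        mon_hosts=[("192.0.2.10", 6789), ("192.0.2.11", 6789)],
        auth_client_required=["cephx"],
    )


if __name__ == "__main__":
    cmd = strict_cephx_example()
    print(json.dumps(cmd, indent=2))
    modes = cmd["arguments"]["auth-client-required"]
    print("librados gets auth_client_required =",
          ceph_auth_client_required(modes))
    print("accepts unauthenticated cluster:",
          accepts_unauthenticated_cluster(modes))
```

Omitting auth-client-required leaves the decision to @conf or the Ceph default, exactly as the C code does when opts->has_auth_client_required is false; passing ["cephx"] explicitly is the setting to reach for when the guest disk must not be served by an unauthenticated monitor.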