From f560f687deba14702f4a8f6987168e2d51c5088a Mon Sep 17 00:00:00 2001
From: Markus Armbruster <armbru@redhat.com>
Date: Mon, 18 Jun 2018 08:43:30 +0200
Subject: [PATCH 032/268] rbd: New parameter key-secret
RH-Author: Markus Armbruster <armbru@redhat.com>
Message-id: <20180618084330.30009-24-armbru@redhat.com>
Patchwork-id: 80727
O-Subject: [RHEL-7.6 qemu-kvm-rhev PATCH 23/23] rbd: New parameter key-secret
Bugzilla: 1557995
RH-Acked-by: Max Reitz <mreitz@redhat.com>
RH-Acked-by: Jeffrey Cody <jcody@redhat.com>
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
Legacy -drive supports "password-secret" parameter that isn't
available with -blockdev / blockdev-add. That's because we backed out
our first try to provide it there due to interface design doubts, in
commit 577d8c9a811, v2.9.0.
This is the second try. It brings back the parameter, except it's
named "key-secret" now.
Let's review our reasons for backing out the first try, as stated in
the commit message:
* BlockdevOptionsRbd member @password-secret isn't actually a
password, it's a key generated by Ceph.
Addressed by the rename.
* We're not sure where member @password-secret belongs (see the
previous commit).
See previous commit.
* How @password-secret interacts with settings from a configuration
file specified with @conf is undocumented.
Not actually true, the documentation for @conf says "Values in the
configuration file will be overridden by options specified via QAPI",
and we've tested this.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit d083f954a95d37b460df0c2fbfe46ad7eb207b10)
[Conflict due to lack of commit e8e16d4baff "rbd: Switch to byte-based
callbacks" trivially resolved]
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
block/rbd.c | 41 +++++++++++++++++++++++++----------------
qapi/block-core.json | 6 ++++++
2 files changed, 31 insertions(+), 16 deletions(-)
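diff --git a/block/rbd.c b/block/rbd.c
index 9c0903f..3242bcd 100644
--- a/block/rbd.c
+++ b/block/rbd.c
@@ -232,24 +232,25 @@ done:
 }
 
 
-static int qemu_rbd_set_auth(rados_t cluster, const char *secretid,
- BlockdevOptionsRbd *opts,
+static int qemu_rbd_set_auth(rados_t cluster, BlockdevOptionsRbd *opts,
 Error **errp)
 {
- char *acr;
+ char *key, *acr;
 int r;
 GString *accu;
 RbdAuthModeList *auth;
 
- if (secretid) {
- gchar *secret = qcrypto_secret_lookup_as_base64(secretid,
- errp);
- if (!secret) {
- return -1;
+ if (opts->key_secret) {
+ key = qcrypto_secret_lookup_as_base64(opts->key_secret, errp);
+ if (!key) {
+ return -EIO;
+ }
+ r = rados_conf_set(cluster, "key", key);
+ g_free(key);
+ if (r < 0) {
+ error_setg_errno(errp, -r, "Could not set 'key'");
+ return r;
 }
-
- rados_conf_set(cluster, "key", secret);
- g_free(secret);
 }
 
 if (opts->has_auth_client_required) {
@@ -360,9 +361,7 @@ static QemuOptsList runtime_opts = {
 },
 };
 
-/* FIXME Deprecate and remove keypairs or make it available in QMP.
- * password_secret should eventually be configurable in opts->location. Support
- * for it in .bdrv_open will make it work here as well. */
+/* FIXME Deprecate and remove keypairs or make it available in QMP. */
 static int qemu_rbd_do_create(BlockdevCreateOptions *options,
 const char *keypairs, const char *password_secret,
 Error **errp)
@@ -568,6 +567,16 @@ static int qemu_rbd_connect(rados_t *cluster, rados_ioctx_t *io_ctx,
 Error *local_err = NULL;
 int r;
 
+ if (secretid) {
+ if (opts->key_secret) {
+ error_setg(errp,
+ "Legacy 'password-secret' clashes with 'key-secret'");
+ return -EINVAL;
+ }
+ opts->key_secret = g_strdup(secretid);
+ opts->has_key_secret = true;
+ }
+
 mon_host = qemu_rbd_mon_host(opts, &local_err);
 if (local_err) {
 error_propagate(errp, local_err);
@@ -600,8 +609,8 @@ static int qemu_rbd_connect(rados_t *cluster, rados_ioctx_t *io_ctx,
 }
 }
 
- if (qemu_rbd_set_auth(*cluster, secretid, opts, errp) < 0) {
- r = -EIO;
+ r = qemu_rbd_set_auth(*cluster, opts, errp);
+ if (r < 0) {
 goto failed_shutdown;
 }
 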
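Review bot: In the qemu_rbd_set_auth hunk the base64 key returned by qcrypto_secret_lookup_as_base64 is handed to rados_conf_set and then released with a plain g_free, so the key bytes stay readable in freed heap memory until the allocator reuses them; the removed lines had the same gap, but the rewrite is the natural place to close it. Because the buffer is freed immediately after the call, rados_conf_set evidently keeps its own copy, so the buffer can be scrubbed before g_free — a plain memset() right before a free may be elided by the compiler, so prefer a secure-wipe helper if the tree provides one, and record the intent with `/* librados keeps its own copy of the key; scrub ours before freeing */`. This is hardening only, since the secret also lives in the QCryptoSecret object and in librados' configuration. In the qemu_rbd_connect hunk the legacy secretid is copied into opts->key_secret, which mutates the caller's opts in place; a short comment such as `/* Fold legacy -drive password-secret into opts; the copy is released with opts (presumably by the caller) */` would make that ownership explicit. Both qemu_rbd_set_auth and qemu_rbd_connect begin and end outside their hunks.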
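diff --git a/qapi/block-core.json b/qapi/block-core.json
index d1da7d1..51eafdd 100644
--- a/qapi/block-core.json
+++ b/qapi/block-core.json
@@ -3196,6 +3196,11 @@
 # This maps to Ceph configuration option
 # "auth_client_required". (Since 3.0)
 #
+# @key-secret: ID of a QCryptoSecret object providing a key
+# for cephx authentication.
+# This maps to Ceph configuration option
+# "key". (Since 3.0)
+#
 # @server: Monitor host address and port. This maps
 # to the "mon_host" Ceph option.
 #
@@ -3208,6 +3213,7 @@
 '*snapshot': 'str',
 '*user': 'str',
 '*auth-client-required': ['RbdAuthMode'],
+ '*key-secret': 'str',
 '*server': ['InetSocketAddressBase'] } }
 
 ##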
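Review bot: The new @key-secret documentation in the first hunk does not mention how the member relates to the legacy -drive "password-secret" option, even though block/rbd.c in this same patch rejects the two being supplied together ("Legacy 'password-secret' clashes with 'key-secret'"). A single sentence in the schema comment would make that constraint discoverable from the QMP documentation alone, e.g. `# Cannot be combined with the legacy -drive option "password-secret".` placed before the "(Since 3.0)" marker. The second hunk, which only registers the member, needs no change.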
--
1.8.3.1