yeahuh / rpms / qemu-kvm

Forked from rpms/qemu-kvm 2 years ago
Clone
ae23c9
From f560f687deba14702f4a8f6987168e2d51c5088a Mon Sep 17 00:00:00 2001
ae23c9
From: Markus Armbruster <armbru@redhat.com>
ae23c9
Date: Mon, 18 Jun 2018 08:43:30 +0200
ae23c9
Subject: [PATCH 032/268] rbd: New parameter key-secret
ae23c9
ae23c9
RH-Author: Markus Armbruster <armbru@redhat.com>
ae23c9
Message-id: <20180618084330.30009-24-armbru@redhat.com>
ae23c9
Patchwork-id: 80727
ae23c9
O-Subject: [RHEL-7.6 qemu-kvm-rhev PATCH 23/23] rbd: New parameter key-secret
ae23c9
Bugzilla: 1557995
ae23c9
RH-Acked-by: Max Reitz <mreitz@redhat.com>
ae23c9
RH-Acked-by: Jeffrey Cody <jcody@redhat.com>
ae23c9
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
ae23c9
ae23c9
Legacy -drive supports "password-secret" parameter that isn't
ae23c9
available with -blockdev / blockdev-add.  That's because we backed out
ae23c9
our first try to provide it there due to interface design doubts, in
ae23c9
commit 577d8c9a811, v2.9.0.
ae23c9
ae23c9
This is the second try.  It brings back the parameter, except it's
ae23c9
named "key-secret" now.
ae23c9
ae23c9
Let's review our reasons for backing out the first try, as stated in
ae23c9
the commit message:
ae23c9
ae23c9
    * BlockdevOptionsRbd member @password-secret isn't actually a
ae23c9
      password, it's a key generated by Ceph.
ae23c9
ae23c9
Addressed by the rename.
ae23c9
ae23c9
    * We're not sure where member @password-secret belongs (see the
ae23c9
      previous commit).
ae23c9
ae23c9
See previous commit.
ae23c9
ae23c9
    * How @password-secret interacts with settings from a configuration
ae23c9
      file specified with @conf is undocumented.
ae23c9
ae23c9
Not actually true, the documentation for @conf says "Values in the
ae23c9
configuration file will be overridden by options specified via QAPI",
ae23c9
and we've tested this.
ae23c9
ae23c9
Signed-off-by: Markus Armbruster <armbru@redhat.com>
ae23c9
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
ae23c9
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
ae23c9
(cherry picked from commit d083f954a95d37b460df0c2fbfe46ad7eb207b10)
ae23c9
[Conflict due to lack of commit e8e16d4baff "rbd: Switch to byte-based
ae23c9
callbacks" trivially resolved]
ae23c9
ae23c9
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
ae23c9
---
ae23c9
 block/rbd.c          | 41 +++++++++++++++++++++++++----------------
ae23c9
 qapi/block-core.json |  6 ++++++
ae23c9
 2 files changed, 31 insertions(+), 16 deletions(-)
ae23c9
ae23c9
diff --git a/block/rbd.c b/block/rbd.c
ae23c9
index 9c0903f..3242bcd 100644
ae23c9
--- a/block/rbd.c
ae23c9
+++ b/block/rbd.c
ae23c9
@@ -232,24 +232,25 @@ done:
ae23c9
 }
ae23c9
 
ae23c9
 
ae23c9
-static int qemu_rbd_set_auth(rados_t cluster, const char *secretid,
ae23c9
-                             BlockdevOptionsRbd *opts,
ae23c9
+static int qemu_rbd_set_auth(rados_t cluster, BlockdevOptionsRbd *opts,
ae23c9
                              Error **errp)
ae23c9
 {
ae23c9
-    char *acr;
ae23c9
+    char *key, *acr;
ae23c9
     int r;
ae23c9
     GString *accu;
ae23c9
     RbdAuthModeList *auth;
ae23c9
 
ae23c9
-    if (secretid) {
ae23c9
-        gchar *secret = qcrypto_secret_lookup_as_base64(secretid,
ae23c9
-                                                        errp);
ae23c9
-        if (!secret) {
ae23c9
-            return -1;
ae23c9
+    if (opts->key_secret) {
ae23c9
+        key = qcrypto_secret_lookup_as_base64(opts->key_secret, errp);
ae23c9
+        if (!key) {
ae23c9
+            return -EIO;
ae23c9
+        }
ae23c9
+        r = rados_conf_set(cluster, "key", key);
ae23c9
+        g_free(key);
ae23c9
+        if (r < 0) {
ae23c9
+            error_setg_errno(errp, -r, "Could not set 'key'");
ae23c9
+            return r;
ae23c9
         }
ae23c9
-
ae23c9
-        rados_conf_set(cluster, "key", secret);
ae23c9
-        g_free(secret);
ae23c9
     }
ae23c9
 
ae23c9
     if (opts->has_auth_client_required) {
ae23c9
@@ -360,9 +361,7 @@ static QemuOptsList runtime_opts = {
ae23c9
     },
ae23c9
 };
ae23c9
 
ae23c9
-/* FIXME Deprecate and remove keypairs or make it available in QMP.
ae23c9
- * password_secret should eventually be configurable in opts->location. Support
ae23c9
- * for it in .bdrv_open will make it work here as well. */
ae23c9
+/* FIXME Deprecate and remove keypairs or make it available in QMP. */
ae23c9
 static int qemu_rbd_do_create(BlockdevCreateOptions *options,
ae23c9
                               const char *keypairs, const char *password_secret,
ae23c9
                               Error **errp)
ae23c9
@@ -568,6 +567,16 @@ static int qemu_rbd_connect(rados_t *cluster, rados_ioctx_t *io_ctx,
ae23c9
     Error *local_err = NULL;
ae23c9
     int r;
ae23c9
 
ae23c9
+    if (secretid) {
ae23c9
+        if (opts->key_secret) {
ae23c9
+            error_setg(errp,
ae23c9
+                       "Legacy 'password-secret' clashes with 'key-secret'");
ae23c9
+            return -EINVAL;
ae23c9
+        }
ae23c9
+        opts->key_secret = g_strdup(secretid);
ae23c9
+        opts->has_key_secret = true;
ae23c9
+    }
ae23c9
+
ae23c9
     mon_host = qemu_rbd_mon_host(opts, &local_err);
ae23c9
     if (local_err) {
ae23c9
         error_propagate(errp, local_err);
ae23c9
@@ -600,8 +609,8 @@ static int qemu_rbd_connect(rados_t *cluster, rados_ioctx_t *io_ctx,
ae23c9
         }
ae23c9
     }
ae23c9
 
ae23c9
-    if (qemu_rbd_set_auth(*cluster, secretid, opts, errp) < 0) {
ae23c9
-        r = -EIO;
ae23c9
+    r = qemu_rbd_set_auth(*cluster, opts, errp);
ae23c9
+    if (r < 0) {
ae23c9
         goto failed_shutdown;
ae23c9
     }
ae23c9
 
ae23c9
diff --git a/qapi/block-core.json b/qapi/block-core.json
ae23c9
index d1da7d1..51eafdd 100644
ae23c9
--- a/qapi/block-core.json
ae23c9
+++ b/qapi/block-core.json
ae23c9
@@ -3196,6 +3196,11 @@
ae23c9
 #                      This maps to Ceph configuration option
ae23c9
 #                      "auth_client_required".  (Since 3.0)
ae23c9
 #
ae23c9
+# @key-secret:         ID of a QCryptoSecret object providing a key
ae23c9
+#                      for cephx authentication.
ae23c9
+#                      This maps to Ceph configuration option
ae23c9
+#                      "key".  (Since 3.0)
ae23c9
+#
ae23c9
 # @server:             Monitor host address and port.  This maps
ae23c9
 #                      to the "mon_host" Ceph option.
ae23c9
 #
ae23c9
@@ -3208,6 +3213,7 @@
ae23c9
             '*snapshot': 'str',
ae23c9
             '*user': 'str',
ae23c9
             '*auth-client-required': ['RbdAuthMode'],
ae23c9
+            '*key-secret': 'str',
ae23c9
             '*server': ['InetSocketAddressBase'] } }
ae23c9
 
ae23c9
 ##
ae23c9
-- 
ae23c9
1.8.3.1
ae23c9