Check for usage of same Cephx ID as manila service

There is an issue that happens when access is granted to a manila share
using the same Cephx ID that Manila uses when it is communicating with
the Ceph backend (e.g. the identity specified by the cephfs_auth_id
configuration option). When a request is made to revoke access to the
share with that Cephx ID, the share will become stuck in the
"deleting" state.

This commit adds logic to the _allow_access method in the CephFS Native
driver that checks to see if the Cephx ID given is the same that Manila
is using for its communication with the Ceph backend. If that is the
case, the creation of the access rule will fail with an error.

APIImpact
DocImpact

Change-Id: Ida89b0061db1c8780a19475510b830d013a5c154
Closes-Bug: #1608592
Dustin Schoenbrun 2016-08-01 17:24:21 -04:00
parent d6637a43b8
commit bd21193dec
3 changed files with 26 additions and 0 deletions

@ -213,6 +213,17 @@ class CephFSNativeDriver(driver.ShareDriver,):
ceph_auth_id = access['access_to']
# We need to check here rather than the API or Manila Client to see
# if the ceph_auth_id is the same as the one specified for Manila's
# usage. This is due to the fact that the API and the Manila client
# cannot read the contents of the Manila configuration file. If it
# is the same, we need to error out.
if ceph_auth_id == CONF.cephfs_auth_id:
error_message = (_('Ceph authentication ID %s must be different '
'than the one the Manila service uses.') %
ceph_auth_id)
raise exception.InvalidInput(message=error_message)
auth_result = self.volume_client.authorize(self._share_path(share),
ceph_auth_id)
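
Review bot: The check at `if ceph_auth_id == CONF.cephfs_auth_id:` only stops new rules from being created. A share that already has an access rule for the service's Cephx ID will still reach the stuck "deleting" state described in the commit message when that rule is revoked, because nothing in this change touches the deny path. Consider handling that case in _deny_access as well, or say explicitly in the release note that rules created before this change are not covered.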

@ -87,6 +87,7 @@ class CephFSNativeDriverTestCase(test.TestCase):
self._share = fake_share.fake_share(share_proto='CEPHFS')
self.fake_conf.set_default('driver_handles_share_servers', False)
self.fake_conf.set_default('cephfs_auth_id', 'manila')
self.mock_object(cephfs_native, "ceph_volume_client",
MockVolumeClientModule)
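
Review bot: The fixture sets the option with `self.fake_conf.set_default('cephfs_auth_id', 'manila')`, but the driver check compares against the global `CONF.cephfs_auth_id`, so the new test may pass only because the global value also happens to be 'manila'. Either have the driver read the option from the configuration object it was constructed with, or set the value where the driver actually reads it, and pick a value in the test that cannot coincide with a default so the link between fixture and check is proven.
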
@ -190,6 +191,15 @@ class CephFSNativeDriverTestCase(test.TestCase):
'access_to': 'alice'
})
def test_allow_access_same_cephx_id_as_manila_service(self):
self.assertRaises(exception.InvalidInput,
self._driver._allow_access,
self._context, self._share, {
'access_level': constants.ACCESS_LEVEL_RW,
'access_type': 'cephx',
'access_to': 'manila',
})
def test_deny_access(self):
self._driver._deny_access(self._context, self._share, {
'access_level': 'rw',
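
Review bot: test_allow_access_same_cephx_id_as_manila_service asserts only that InvalidInput is raised; it does not verify that the mocked volume client's authorize was never called, so a regression that moves the check after the authorize call would still pass. Add that assertion, and take the ID from the configured cephfs_auth_id instead of repeating the literal 'manila' in 'access_to'.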

@ -0,0 +1,5 @@
---
fixes:
- Check the Cephx ID used when granting access to a CephFS share to make
sure it's not the same as the one Manila uses to communicate with the
Ceph backend.
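
Review bot: The release note is filed only under `fixes` and says the ID is checked, but it does not tell the reader what happens when the check matches. The commit message carries APIImpact, so state that creating the access rule now fails with an error when the Cephx ID equals the one set in cephfs_auth_id, so that users who see the new failure can find the reason here.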