
NetApp cDOT: Fix security style for CIFS shares

If the backing FlexVol security style is configured
incorrectly, end users cannot write to their manila
shares.

Change-Id: I12c85c54c7318592ac0b34efe3624d175d2e6976
Closes-Bug: #1696000
(cherry picked from commit 5e8df296ab)
(cherry picked from commit 48b5c91ad7)
changes/86/587686/1
Goutham Pacha Ravi 1 year ago
parent
commit
0aecd7d994

+ 30
- 0
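--- a/manila/share/drivers/netapp/dataontap/client/client_cmode.py
+++ b/manila/share/drivers/netapp/dataontap/client/client_cmode.py
@@ -1383,6 +1383,36 @@ class NetAppCmodeClient(client_base.NetAppBaseClient):
                     errors[0].get_child_content('error-code'),
                     errors[0].get_child_content('error-message'))
 
+    @na_utils.trace
+    def set_volume_security_style(self, volume_name, security_style='unix'):
+        """Set volume security style"""
+        api_args = {
+            'query': {
+                'volume-attributes': {
+                    'volume-id-attributes': {
+                        'name': volume_name,
+                    },
+                },
+            },
+            'attributes': {
+                'volume-attributes': {
+                    'volume-security-attributes': {
+                        'style': security_style,
+                    },
+                },
+            },
+        }
+        result = self.send_request('volume-modify-iter', api_args)
+        failures = result.get_child_content('num-failed')
+        if failures and int(failures) > 0:
+            failure_list = result.get_child_by_name(
+                'failure-list') or netapp_api.NaElement('none')
+            errors = failure_list.get_children()
+            if errors:
+                raise netapp_api.NaApiError(
+                    errors[0].get_child_content('error-code'),
+                    errors[0].get_child_content('error-message'))
+
     @na_utils.trace
     def set_volume_name(self, volume_name, new_volume_name):
         """Set flexvol name."""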
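Review bot: In `set_volume_security_style`, a non-zero `num-failed` with a missing or empty `failure-list` falls through the `if errors:` check, so the method returns as if the style had been applied. The security style decides which permission model governs access on the volume, so this case should raise instead; add an `else:` to `if errors:` with something like `raise netapp_api.NaApiError(message='volume-modify-iter reported failures without details')` (assuming the constructor accepts a `message` keyword, which the hunk does not show). The hunk also never checks that the name query matched a volume, so a request that modifies nothing would presumably pass as well. The new tests in test_client_cmode.py cover only the populated `failure-list` case and the success case, so neither gap is pinned by a test.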
+ 4
- 0
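--- a/manila/share/drivers/netapp/dataontap/protocols/cifs_cmode.py
+++ b/manila/share/drivers/netapp/dataontap/protocols/cifs_cmode.py
@@ -33,6 +33,10 @@ class NetAppCmodeCIFSHelper(base.NetAppBaseHelper):
         self._client.create_cifs_share(share_name)
         self._client.remove_cifs_share_access(share_name, 'Everyone')
 
+        # Ensure 'ntfs' security style
+        self._client.set_volume_security_style(share_name,
+                                               security_style='ntfs')
+
         # Return a callback that may be used for generating export paths
         # for this share.
         return (lambda export_address, share_name=share_name: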
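Review bot: The call to `set_volume_security_style` runs after `create_cifs_share` and `remove_cifs_share_access`, so if it raises, the CIFS share already exists on a volume that may still carry the wrong security style, and no cleanup is visible in the hunk. Setting the style first would close that window: move `self._client.set_volume_security_style(share_name, security_style='ntfs')` above the `create_cifs_share` line. The comment could also record the reason, e.g. `# CIFS access control relies on NTFS ACLs; force 'ntfs' in case the FlexVol was provisioned with another style`. The enclosing method starts and ends outside the hunk, and the matching assertion in test_cifs_cmode.py checks that the call happens but not its order relative to share creation.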

+ 43
- 0
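--- a/manila/tests/share/drivers/netapp/dataontap/client/test_client_cmode.py
+++ b/manila/tests/share/drivers/netapp/dataontap/client/test_client_cmode.py
@@ -2597,6 +2597,49 @@ class NetAppClientCmodeTestCase(test.TestCase):
                           fake.SHARE_NAME,
                           10)
 
+    @ddt.data(None, 'ntfs')
+    def test_set_volume_security_style(self, security_style):
+
+        api_response = netapp_api.NaElement(fake.VOLUME_MODIFY_ITER_RESPONSE)
+        self.mock_object(self.client,
+                         'send_request',
+                         mock.Mock(return_value=api_response))
+        kwargs = {'security_style': security_style} if security_style else {}
+
+        self.client.set_volume_security_style(fake.SHARE_NAME, **kwargs)
+
+        volume_modify_iter_args = {
+            'query': {
+                'volume-attributes': {
+                    'volume-id-attributes': {
+                        'name': fake.SHARE_NAME
+                    }
+                }
+            },
+            'attributes': {
+                'volume-attributes': {
+                    'volume-security-attributes': {
+                        'style': security_style or 'unix',
+                    },
+                },
+            },
+        }
+        self.client.send_request.assert_called_once_with(
+            'volume-modify-iter', volume_modify_iter_args)
+
+    def test_set_volume_security_style_api_error(self):
+
+        api_response = netapp_api.NaElement(
+            fake.VOLUME_MODIFY_ITER_ERROR_RESPONSE)
+        self.mock_object(self.client,
+                         'send_request',
+                         mock.Mock(return_value=api_response))
+
+        self.assertRaises(netapp_api.NaApiError,
+                          self.client.set_volume_security_style,
+                          fake.SHARE_NAME,
+                          'ntfs')
+
     def test_volume_exists(self):
 
         api_response = netapp_api.NaElement(fake.VOLUME_GET_NAME_RESPONSE)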

+ 2
- 0
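--- a/manila/tests/share/drivers/netapp/dataontap/protocols/test_cifs_cmode.py
+++ b/manila/tests/share/drivers/netapp/dataontap/protocols/test_cifs_cmode.py
@@ -55,6 +55,8 @@ class NetAppClusteredCIFSHelperTestCase(test.TestCase):
             fake.SHARE_NAME)
         self.mock_client.remove_cifs_share_access.assert_called_once_with(
             fake.SHARE_NAME, 'Everyone')
+        self.mock_client.set_volume_security_style.assert_called_once_with(
+            fake.SHARE_NAME, security_style='ntfs')
 
     def test_delete_share(self):
 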

+ 4
- 0
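--- a/releasenotes/notes/bug-1696000-netapp-fix-security-style-on-cifs-shares-cbdd557a27d11961.yaml
+++ b/releasenotes/notes/bug-1696000-netapp-fix-security-style-on-cifs-shares-cbdd557a27d11961.yaml
@@ -0,0 +1,4 @@
+---
+fixes:
+  - The NetApp ONTAP driver has been fixed to ensure the "security style" on
+    CIFS shares is always "ntfs".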
