Merge "Check for usage of same Cephx ID as manila service"

2016-08-03 19:56:55 +00:00 · 2016-08-03 19:56:55 +00:00 · 22b7b10335
commit 22b7b10335
parent e305b117db bd21193dec
3 changed files with 26 additions and 0 deletions
--- a/manila/share/drivers/cephfs/cephfs_native.py
+++ b/manila/share/drivers/cephfs/cephfs_native.py
@ -213,6 +213,17 @@ class CephFSNativeDriver(driver.ShareDriver,):

        ceph_auth_id = access['access_to']

+        # We need to check here rather than the API or Manila Client to see
+        # if the ceph_auth_id is the same as the one specified for Manila's
+        # usage. This is due to the fact that the API and the Manila client
+        # cannot read the contents of the Manila configuration file. If it
+        # is the same, we need to error out.
+        if ceph_auth_id == CONF.cephfs_auth_id:
+            error_message = (_('Ceph authentication ID %s must be different '
+                             'than the one the Manila service uses.') %
+                             ceph_auth_id)
+            raise exception.InvalidInput(message=error_message)
+
        auth_result = self.volume_client.authorize(self._share_path(share),
                                                   ceph_auth_id)

--- a/manila/tests/share/drivers/cephfs/test_cephfs_native.py
+++ b/manila/tests/share/drivers/cephfs/test_cephfs_native.py
@ -87,6 +87,7 @@ class CephFSNativeDriverTestCase(test.TestCase):
        self._share = fake_share.fake_share(share_proto='CEPHFS')

        self.fake_conf.set_default('driver_handles_share_servers', False)
+        self.fake_conf.set_default('cephfs_auth_id', 'manila')

        self.mock_object(cephfs_native, "ceph_volume_client",
                         MockVolumeClientModule)
@ -190,6 +191,15 @@ class CephFSNativeDriverTestCase(test.TestCase):
                              'access_to': 'alice'
                          })

+    def test_allow_access_same_cephx_id_as_manila_service(self):
+        self.assertRaises(exception.InvalidInput,
+                          self._driver._allow_access,
+                          self._context, self._share, {
+                              'access_level': constants.ACCESS_LEVEL_RW,
+                              'access_type': 'cephx',
+                              'access_to': 'manila',
+                          })
+
    def test_deny_access(self):
        self._driver._deny_access(self._context, self._share, {
            'access_level': 'rw',
--- a/releasenotes/notes/fix_cephx_validation-cba4df77f9f45c6e.yaml
+++ b/releasenotes/notes/fix_cephx_validation-cba4df77f9f45c6e.yaml
@ -0,0 +1,5 @@
+---
+fixes:
+  - Check the Cephx ID used when granting access to a CephFS share to make
+    sure it's not the same as the one Manila uses to communicate with the
+    Ceph backend.