
NetApp cDOT: Fix security style for CIFS shares

If the backing FlexVol security style is configured
incorrectly, end users cannot write to their manila
shares.

Change-Id: I12c85c54c7318592ac0b34efe3624d175d2e6976
Closes-Bug: #1696000
(cherry picked from commit 5e8df296ab)
Goutham Pacha Ravi 1 year ago
parent
commit
48b5c91ad7

+ 30
- 0
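--- a/manila/share/drivers/netapp/dataontap/client/client_cmode.py
+++ b/manila/share/drivers/netapp/dataontap/client/client_cmode.py
@@ -1563,6 +1563,36 @@ class NetAppCmodeClient(client_base.NetAppBaseClient):
                     errors[0].get_child_content('error-code'),
                     errors[0].get_child_content('error-message'))
 
+    @na_utils.trace
+    def set_volume_security_style(self, volume_name, security_style='unix'):
+        """Set volume security style"""
+        api_args = {
+            'query': {
+                'volume-attributes': {
+                    'volume-id-attributes': {
+                        'name': volume_name,
+                    },
+                },
+            },
+            'attributes': {
+                'volume-attributes': {
+                    'volume-security-attributes': {
+                        'style': security_style,
+                    },
+                },
+            },
+        }
+        result = self.send_request('volume-modify-iter', api_args)
+        failures = result.get_child_content('num-failed')
+        if failures and int(failures) > 0:
+            failure_list = result.get_child_by_name(
+                'failure-list') or netapp_api.NaElement('none')
+            errors = failure_list.get_children()
+            if errors:
+                raise netapp_api.NaApiError(
+                    errors[0].get_child_content('error-code'),
+                    errors[0].get_child_content('error-message'))
+
     @na_utils.trace
     def set_volume_name(self, volume_name, new_volume_name):
         """Set flexvol name."""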
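Review bot: set_volume_security_style can return normally without the style having been applied: when `num-failed` is positive but `failure-list` is missing or empty, the inner `if errors:` is skipped and nothing is raised, and `num-succeeded` is never read, so a query that matches no volume would presumably also look like success. The security style selects whether NTFS ACLs or UNIX permissions govern the volume, so the caller should not be told the change succeeded when it did not. I would raise unconditionally inside the `num-failed` branch, falling back to `raise netapp_api.NaApiError(message='volume-modify-iter reported failures without details')` when `errors` is empty, and treat a `num-succeeded` below 1 as an error too. The docstring could also name the accepted values and note that the default is 'unix'.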

+ 4
- 0
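--- a/manila/share/drivers/netapp/dataontap/protocols/cifs_cmode.py
+++ b/manila/share/drivers/netapp/dataontap/protocols/cifs_cmode.py
@@ -35,6 +35,10 @@ class NetAppCmodeCIFSHelper(base.NetAppBaseHelper):
         if clear_current_export_policy:
             self._client.remove_cifs_share_access(share_name, 'Everyone')
 
+        # Ensure 'ntfs' security style
+        self._client.set_volume_security_style(share_name,
+                                               security_style='ntfs')
+
         # Return a callback that may be used for generating export paths
         # for this share.
         return (lambda export_address, share_name=share_name: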
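Review bot: The new call runs after the CIFS share has apparently already been set up (the context lines above it adjust share access; the start of the enclosing method is outside the hunk), so an NaApiError raised here would leave that share in place on a volume whose security style was not changed. Whether the caller cleans up on failure is not visible from this hunk; if it does not, setting the style before the share is exposed, or removing the share on failure, would avoid the partial state. The comment restates the call; something like `# CIFS clients rely on NTFS ACLs; a volume left in another security style rejects their writes (bug 1696000).` records the reason. It also passes `share_name` as `volume_name`, which assumes the share and its FlexVol carry the same name.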

+ 43
- 0
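--- a/manila/tests/share/drivers/netapp/dataontap/client/test_client_cmode.py
+++ b/manila/tests/share/drivers/netapp/dataontap/client/test_client_cmode.py
@@ -2821,6 +2821,49 @@ class NetAppClientCmodeTestCase(test.TestCase):
                           fake.SHARE_NAME,
                           10)
 
+    @ddt.data(None, 'ntfs')
+    def test_set_volume_security_style(self, security_style):
+
+        api_response = netapp_api.NaElement(fake.VOLUME_MODIFY_ITER_RESPONSE)
+        self.mock_object(self.client,
+                         'send_request',
+                         mock.Mock(return_value=api_response))
+        kwargs = {'security_style': security_style} if security_style else {}
+
+        self.client.set_volume_security_style(fake.SHARE_NAME, **kwargs)
+
+        volume_modify_iter_args = {
+            'query': {
+                'volume-attributes': {
+                    'volume-id-attributes': {
+                        'name': fake.SHARE_NAME
+                    }
+                }
+            },
+            'attributes': {
+                'volume-attributes': {
+                    'volume-security-attributes': {
+                        'style': security_style or 'unix',
+                    },
+                },
+            },
+        }
+        self.client.send_request.assert_called_once_with(
+            'volume-modify-iter', volume_modify_iter_args)
+
+    def test_set_volume_security_style_api_error(self):
+
+        api_response = netapp_api.NaElement(
+            fake.VOLUME_MODIFY_ITER_ERROR_RESPONSE)
+        self.mock_object(self.client,
+                         'send_request',
+                         mock.Mock(return_value=api_response))
+
+        self.assertRaises(netapp_api.NaApiError,
+                          self.client.set_volume_security_style,
+                          fake.SHARE_NAME,
+                          'ntfs')
+
     def test_volume_exists(self):
 
         api_response = netapp_api.NaElement(fake.VOLUME_GET_NAME_RESPONSE)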
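Review bot: Neither test covers a response in which `num-failed` is non-zero but `failure-list` is absent or empty, which is the one path through set_volume_security_style that returns without raising. A third case built from such a response would pin whichever behaviour is intended there. In test_set_volume_security_style the `None` datum is used to mean "omit the argument", which is easy to misread as passing `security_style=None`; a short comment such as `# None means: rely on the default style ('unix')` above the `kwargs` line would help.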

+ 2
- 0
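--- a/manila/tests/share/drivers/netapp/dataontap/protocols/test_cifs_cmode.py
+++ b/manila/tests/share/drivers/netapp/dataontap/protocols/test_cifs_cmode.py
@@ -55,6 +55,8 @@ class NetAppClusteredCIFSHelperTestCase(test.TestCase):
             fake.SHARE_NAME)
         self.mock_client.remove_cifs_share_access.assert_called_once_with(
             fake.SHARE_NAME, 'Everyone')
+        self.mock_client.set_volume_security_style.assert_called_once_with(
+            fake.SHARE_NAME, security_style='ntfs')
 
     def test_delete_share(self):
 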

+ 4
- 0
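--- a/releasenotes/notes/bug-1696000-netapp-fix-security-style-on-cifs-shares-cbdd557a27d11961.yaml
+++ b/releasenotes/notes/bug-1696000-netapp-fix-security-style-on-cifs-shares-cbdd557a27d11961.yaml
@@ -0,0 +1,4 @@
+---
+fixes:
+  - The NetApp ONTAP driver has been fixed to ensure the "security style" on
+    CIFS shares is always "ntfs".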
