
NetApp cDOT: Fix security style for CIFS shares

If the backing FlexVol security style is configured
incorrectly, end users cannot write to their manila
shares.

Change-Id: I12c85c54c7318592ac0b34efe3624d175d2e6976
Closes-Bug: #1696000
tags/5.0.0.0rc1
Goutham Pacha Ravi 1 year ago
parent
commit
5e8df296ab

+ 30
- 0
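--- a/manila/share/drivers/netapp/dataontap/client/client_cmode.py
+++ b/manila/share/drivers/netapp/dataontap/client/client_cmode.py
@@ -1566,6 +1566,36 @@ class NetAppCmodeClient(client_base.NetAppBaseClient):
                     errors[0].get_child_content('error-code'),
                     errors[0].get_child_content('error-message'))
 
+    @na_utils.trace
+    def set_volume_security_style(self, volume_name, security_style='unix'):
+        """Set volume security style"""
+        api_args = {
+            'query': {
+                'volume-attributes': {
+                    'volume-id-attributes': {
+                        'name': volume_name,
+                    },
+                },
+            },
+            'attributes': {
+                'volume-attributes': {
+                    'volume-security-attributes': {
+                        'style': security_style,
+                    },
+                },
+            },
+        }
+        result = self.send_request('volume-modify-iter', api_args)
+        failures = result.get_child_content('num-failed')
+        if failures and int(failures) > 0:
+            failure_list = result.get_child_by_name(
+                'failure-list') or netapp_api.NaElement('none')
+            errors = failure_list.get_children()
+            if errors:
+                raise netapp_api.NaApiError(
+                    errors[0].get_child_content('error-code'),
+                    errors[0].get_child_content('error-message'))
+
     @na_utils.trace
     def set_volume_name(self, volume_name, new_volume_name):
         """Set flexvol name."""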
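Review bot: In `set_volume_security_style`, a response with `num-failed` above zero but no children under `failure-list` falls through the `if errors:` check, so the method returns as if the style had been applied. The security style decides which permission model governs the share, and the caller in cifs_cmode.py treats a normal return as success, so a silent no-op leaves the volume on whatever style it already had. I would add an `else` branch under `if errors:`, for example `raise netapp_api.NaApiError('unknown', 'volume-modify-iter failed for %s' % volume_name)`, and cover that path with a case next to `test_set_volume_security_style_api_error`. Only `num-failed` is inspected, so a query that matches no volume presumably also returns cleanly; checking `num-succeeded` would catch that, but confirm against the API's response. The context lines above the new method show the same `errors[0]` handling, so the neighbouring method may have the same gap.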
+ 4
- 0
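--- a/manila/share/drivers/netapp/dataontap/protocols/cifs_cmode.py
+++ b/manila/share/drivers/netapp/dataontap/protocols/cifs_cmode.py
@@ -35,6 +35,10 @@ class NetAppCmodeCIFSHelper(base.NetAppBaseHelper):
         if clear_current_export_policy:
             self._client.remove_cifs_share_access(share_name, 'Everyone')
 
+        # Ensure 'ntfs' security style
+        self._client.set_volume_security_style(share_name,
+                                               security_style='ntfs')
+
         # Return a callback that may be used for generating export paths
         # for this share.
         return (lambda export_address, share_name=share_name: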
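Review bot: The `set_volume_security_style` call runs after the 'Everyone' access entry has been removed, which suggests the CIFS share already exists at that point. If the call raises, the share would be left on a volume that still has the wrong security style. The enclosing method starts above the hunk, so it is not visible whether the caller rolls the share back on error. If it does not, setting the style before the share is created, or removing the share on failure, would avoid a half-configured share. The comment should also say why the style is forced, e.g. `# A wrongly styled FlexVol blocks end-user writes over CIFS (bug 1696000).`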

+ 43
- 0
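--- a/manila/tests/share/drivers/netapp/dataontap/client/test_client_cmode.py
+++ b/manila/tests/share/drivers/netapp/dataontap/client/test_client_cmode.py
@@ -2831,6 +2831,49 @@ class NetAppClientCmodeTestCase(test.TestCase):
                           fake.SHARE_NAME,
                           10)
 
+    @ddt.data(None, 'ntfs')
+    def test_set_volume_security_style(self, security_style):
+
+        api_response = netapp_api.NaElement(fake.VOLUME_MODIFY_ITER_RESPONSE)
+        self.mock_object(self.client,
+                         'send_request',
+                         mock.Mock(return_value=api_response))
+        kwargs = {'security_style': security_style} if security_style else {}
+
+        self.client.set_volume_security_style(fake.SHARE_NAME, **kwargs)
+
+        volume_modify_iter_args = {
+            'query': {
+                'volume-attributes': {
+                    'volume-id-attributes': {
+                        'name': fake.SHARE_NAME
+                    }
+                }
+            },
+            'attributes': {
+                'volume-attributes': {
+                    'volume-security-attributes': {
+                        'style': security_style or 'unix',
+                    },
+                },
+            },
+        }
+        self.client.send_request.assert_called_once_with(
+            'volume-modify-iter', volume_modify_iter_args)
+
+    def test_set_volume_security_style_api_error(self):
+
+        api_response = netapp_api.NaElement(
+            fake.VOLUME_MODIFY_ITER_ERROR_RESPONSE)
+        self.mock_object(self.client,
+                         'send_request',
+                         mock.Mock(return_value=api_response))
+
+        self.assertRaises(netapp_api.NaApiError,
+                          self.client.set_volume_security_style,
+                          fake.SHARE_NAME,
+                          'ntfs')
+
     def test_volume_exists(self):
 
         api_response = netapp_api.NaElement(fake.VOLUME_GET_NAME_RESPONSE)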

+ 2
- 0
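--- a/manila/tests/share/drivers/netapp/dataontap/protocols/test_cifs_cmode.py
+++ b/manila/tests/share/drivers/netapp/dataontap/protocols/test_cifs_cmode.py
@@ -55,6 +55,8 @@ class NetAppClusteredCIFSHelperTestCase(test.TestCase):
             fake.SHARE_NAME)
         self.mock_client.remove_cifs_share_access.assert_called_once_with(
             fake.SHARE_NAME, 'Everyone')
+        self.mock_client.set_volume_security_style.assert_called_once_with(
+            fake.SHARE_NAME, security_style='ntfs')
 
     def test_delete_share(self):
 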

+ 4
- 0
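--- a/releasenotes/notes/bug-1696000-netapp-fix-security-style-on-cifs-shares-cbdd557a27d11961.yaml
+++ b/releasenotes/notes/bug-1696000-netapp-fix-security-style-on-cifs-shares-cbdd557a27d11961.yaml
@@ -0,0 +1,4 @@
+---
+fixes:
+  - The NetApp ONTAP driver has been fixed to ensure the "security style" on
+    CIFS shares is always "ntfs".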
