Check for usage of same Cephx ID as manila service

There is an issue that happens when access is granted to a manila share
using the same Cephx ID that Manila uses when it is communicating with
the Ceph backend (e.g. the identity specified by the cephfs_auth_id
configuration option). When a request is made to revoke access to the
share with that Cephx ID, the share will become stuck in the
"deleting" state.

This commit adds logic to the _allow_access method in the CephFS Native
driver that checks to see if the Cephx ID given is the same that Manila
is using for its communication with the Ceph backend. If that is the
case, the creation of the access rule will fail with an error.

APIImpact
DocImpact

Change-Id: Ida89b0061db1c8780a19475510b830d013a5c154
Closes-Bug: #1608592
This commit is contained in:
Dustin Schoenbrun 2016-08-01 17:24:21 -04:00
parent d6637a43b8
commit bd21193dec
3 changed files with 26 additions and 0 deletions
manila
share/drivers/cephfs
tests/share/drivers/cephfs
releasenotes/notes

View File

@ -213,6 +213,17 @@ class CephFSNativeDriver(driver.ShareDriver,):
ceph_auth_id = access['access_to']
# We need to check here rather than the API or Manila Client to see
# if the ceph_auth_id is the same as the one specified for Manila's
# usage. This is due to the fact that the API and the Manila client
# cannot read the contents of the Manila configuration file. If it
# is the same, we need to error out.
if ceph_auth_id == CONF.cephfs_auth_id:
error_message = (_('Ceph authentication ID %s must be different '
'than the one the Manila service uses.') %
ceph_auth_id)
raise exception.InvalidInput(message=error_message)
auth_result = self.volume_client.authorize(self._share_path(share),
ceph_auth_id)

View File

@ -87,6 +87,7 @@ class CephFSNativeDriverTestCase(test.TestCase):
self._share = fake_share.fake_share(share_proto='CEPHFS')
self.fake_conf.set_default('driver_handles_share_servers', False)
self.fake_conf.set_default('cephfs_auth_id', 'manila')
self.mock_object(cephfs_native, "ceph_volume_client",
MockVolumeClientModule)
@ -190,6 +191,15 @@ class CephFSNativeDriverTestCase(test.TestCase):
'access_to': 'alice'
})
def test_allow_access_same_cephx_id_as_manila_service(self):
self.assertRaises(exception.InvalidInput,
self._driver._allow_access,
self._context, self._share, {
'access_level': constants.ACCESS_LEVEL_RW,
'access_type': 'cephx',
'access_to': 'manila',
})
def test_deny_access(self):
self._driver._deny_access(self._context, self._share, {
'access_level': 'rw',

View File

@ -0,0 +1,5 @@
---
fixes:
- Check the Cephx ID used when granting access to a CephFS share to make
sure it's not the same as the one Manila uses to communicate with the
Ceph backend.