501 lines
20 KiB
Python
501 lines
20 KiB
Python
# Copyright 2015 Mirantis Inc.
|
|
# All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
import os
|
|
import re
|
|
|
|
from oslo_log import log
|
|
|
|
from manila.common import constants as const
|
|
from manila import exception
|
|
from manila.i18n import _
|
|
from manila.i18n import _LW
|
|
from manila import utils
|
|
|
|
LOG = log.getLogger(__name__)
|
|
|
|
|
|
class NASHelperBase(object):
|
|
"""Interface to work with share."""
|
|
|
|
def __init__(self, execute, ssh_execute, config_object):
|
|
self.configuration = config_object
|
|
self._execute = execute
|
|
self._ssh_exec = ssh_execute
|
|
|
|
def init_helper(self, server):
|
|
pass
|
|
|
|
def create_export(self, server, share_name, recreate=False):
|
|
"""Create new export, delete old one if exists."""
|
|
raise NotImplementedError()
|
|
|
|
def remove_export(self, server, share_name):
|
|
"""Remove export."""
|
|
raise NotImplementedError()
|
|
|
|
def configure_access(self, server, share_name):
|
|
"""Configure server before allowing access."""
|
|
pass
|
|
|
|
def update_access(self, server, share_name, access_rules, add_rules=None,
|
|
delete_rules=None):
|
|
"""Update access rules for given share.
|
|
|
|
This driver has two different behaviors according to parameters:
|
|
1. Recovery after error - 'access_rules' contains all access_rules,
|
|
'add_rules' and 'delete_rules' shall be None. Previously existing
|
|
access rules are cleared and then added back according
|
|
to 'access_rules'.
|
|
|
|
2. Adding/Deleting of several access rules - 'access_rules' contains
|
|
all access_rules, 'add_rules' and 'delete_rules' contain rules which
|
|
should be added/deleted. Rules in 'access_rules' are ignored and
|
|
only rules from 'add_rules' and 'delete_rules' are applied.
|
|
|
|
:param server: None or Share server's backend details
|
|
:param share_name: Share's path according to id.
|
|
:param access_rules: All access rules for given share
|
|
:param add_rules: None or List of access rules which should be added
|
|
access_rules already contains these rules.
|
|
:param delete_rules: None or List of access rules which should be
|
|
removed. access_rules doesn't contain these rules.
|
|
"""
|
|
raise NotImplementedError()
|
|
|
|
@staticmethod
|
|
def _verify_server_has_public_address(server):
|
|
if 'public_address' not in server:
|
|
raise exception.ManilaException(
|
|
_("Can not get 'public_address' for generation of export."))
|
|
|
|
def get_exports_for_share(self, server, old_export_location):
|
|
"""Returns list of exports based on server info."""
|
|
raise NotImplementedError()
|
|
|
|
def get_share_path_by_export_location(self, server, export_location):
|
|
"""Returns share path by its export location."""
|
|
raise NotImplementedError()
|
|
|
|
def disable_access_for_maintenance(self, server, share_name):
|
|
"""Disables access to share to perform maintenance operations."""
|
|
|
|
def restore_access_after_maintenance(self, server, share_name):
|
|
"""Enables access to share after maintenance operations were done."""
|
|
|
|
@staticmethod
|
|
def validate_access_rules(access_rules, allowed_types, allowed_levels):
|
|
"""Validates access rules according to access_type and access_level.
|
|
|
|
:param access_rules: List of access rules to be validated.
|
|
:param allowed_types: tuple of allowed type values.
|
|
:param allowed_levels: tuple of allowed level values.
|
|
"""
|
|
for access in (access_rules or []):
|
|
access_type = access['access_type']
|
|
access_level = access['access_level']
|
|
if access_type not in allowed_types:
|
|
reason = _("Only %s access type allowed.") % (
|
|
', '.join(tuple(["'%s'" % x for x in allowed_types])))
|
|
raise exception.InvalidShareAccess(reason=reason)
|
|
if access_level not in allowed_levels:
|
|
raise exception.InvalidShareAccessLevel(level=access_level)
|
|
|
|
def _get_maintenance_file_path(self, share_name):
|
|
return os.path.join(self.configuration.share_mount_path,
|
|
"%s.maintenance" % share_name)
|
|
|
|
|
|
def nfs_synchronized(f):
|
|
|
|
def wrapped_func(self, *args, **kwargs):
|
|
key = "nfs-%s" % args[0]["public_address"]
|
|
|
|
@utils.synchronized(key)
|
|
def source_func(self, *args, **kwargs):
|
|
return f(self, *args, **kwargs)
|
|
|
|
return source_func(self, *args, **kwargs)
|
|
|
|
return wrapped_func
|
|
|
|
|
|
class NFSHelper(NASHelperBase):
|
|
"""Interface to work with share."""
|
|
|
|
def create_export(self, server, share_name, recreate=False):
|
|
"""Create new export, delete old one if exists."""
|
|
return ':'.join((server['public_address'],
|
|
os.path.join(
|
|
self.configuration.share_mount_path, share_name)))
|
|
|
|
def init_helper(self, server):
|
|
try:
|
|
self._ssh_exec(server, ['sudo', 'exportfs'])
|
|
except exception.ProcessExecutionError as e:
|
|
if 'command not found' in e.stderr:
|
|
raise exception.ManilaException(
|
|
_('NFS server is not installed on %s')
|
|
% server['instance_id'])
|
|
LOG.error(e.stderr)
|
|
|
|
def remove_export(self, server, share_name):
|
|
"""Remove export."""
|
|
|
|
@nfs_synchronized
|
|
def update_access(self, server, share_name, access_rules, add_rules=None,
|
|
delete_rules=None):
|
|
"""Update access rules for given share.
|
|
|
|
Please refer to base class for a more in-depth description.
|
|
"""
|
|
local_path = os.path.join(self.configuration.share_mount_path,
|
|
share_name)
|
|
out, err = self._ssh_exec(server, ['sudo', 'exportfs'])
|
|
# Recovery mode
|
|
if not (add_rules or delete_rules):
|
|
|
|
self.validate_access_rules(
|
|
access_rules, ('ip',),
|
|
(const.ACCESS_LEVEL_RO, const.ACCESS_LEVEL_RW))
|
|
|
|
hosts = self._get_host_list(out, local_path)
|
|
for host in hosts:
|
|
self._ssh_exec(server, ['sudo', 'exportfs', '-u',
|
|
':'.join((host, local_path))])
|
|
self._sync_nfs_temp_and_perm_files(server)
|
|
for access in access_rules:
|
|
self._ssh_exec(
|
|
server,
|
|
['sudo', 'exportfs', '-o',
|
|
'%s,no_subtree_check' % access['access_level'],
|
|
':'.join((access['access_to'], local_path))])
|
|
self._sync_nfs_temp_and_perm_files(server)
|
|
# Adding/Deleting specific rules
|
|
else:
|
|
|
|
self.validate_access_rules(
|
|
add_rules, ('ip',),
|
|
(const.ACCESS_LEVEL_RO, const.ACCESS_LEVEL_RW))
|
|
|
|
for access in (delete_rules or []):
|
|
try:
|
|
self.validate_access_rules(
|
|
[access], ('ip',),
|
|
(const.ACCESS_LEVEL_RO, const.ACCESS_LEVEL_RW))
|
|
except (exception.InvalidShareAccess,
|
|
exception.InvalidShareAccessLevel):
|
|
LOG.warning(_LW(
|
|
"Unsupported access level %(level)s or access type "
|
|
"%(type)s, skipping removal of access rule to "
|
|
"%(to)s.") % {'level': access['access_level'],
|
|
'type': access['access_type'],
|
|
'to': access['access_to']})
|
|
continue
|
|
self._ssh_exec(server, ['sudo', 'exportfs', '-u',
|
|
':'.join((access['access_to'], local_path))])
|
|
if delete_rules:
|
|
self._sync_nfs_temp_and_perm_files(server)
|
|
for access in (add_rules or []):
|
|
access_to, access_type = (access['access_to'],
|
|
access['access_type'])
|
|
found_item = re.search(
|
|
re.escape(local_path) + '[\s\n]*' + re.escape(access_to),
|
|
out)
|
|
if found_item is not None:
|
|
LOG.warning(_LW("Access rule %(type)s:%(to)s already "
|
|
"exists for share %(name)s") % {
|
|
'to': access_to,
|
|
'type': access_type,
|
|
'name': share_name
|
|
})
|
|
else:
|
|
self._ssh_exec(
|
|
server,
|
|
['sudo', 'exportfs', '-o',
|
|
'%s,no_subtree_check' % access['access_level'],
|
|
':'.join((access['access_to'], local_path))])
|
|
if add_rules:
|
|
self._sync_nfs_temp_and_perm_files(server)
|
|
|
|
def _get_host_list(self, output, local_path):
|
|
entries = []
|
|
output = output.replace('\n\t\t', ' ')
|
|
lines = output.split('\n')
|
|
for line in lines:
|
|
items = line.split(' ')
|
|
if local_path == items[0]:
|
|
entries.append(items[1])
|
|
return entries
|
|
|
|
def _sync_nfs_temp_and_perm_files(self, server):
|
|
"""Sync changes of exports with permanent NFS config file.
|
|
|
|
This is required to ensure, that after share server reboot, exports
|
|
still exist.
|
|
"""
|
|
sync_cmd = [
|
|
'sudo', 'cp', const.NFS_EXPORTS_FILE_TEMP, const.NFS_EXPORTS_FILE
|
|
]
|
|
self._ssh_exec(server, sync_cmd)
|
|
self._ssh_exec(server, ['sudo', 'exportfs', '-a'])
|
|
out, _ = self._ssh_exec(
|
|
server, ['sudo', 'service', 'nfs-kernel-server', 'status'],
|
|
check_exit_code=False)
|
|
if "not" in out:
|
|
self._ssh_exec(
|
|
server, ['sudo', 'service', 'nfs-kernel-server', 'restart'])
|
|
|
|
def get_exports_for_share(self, server, old_export_location):
|
|
self._verify_server_has_public_address(server)
|
|
path = old_export_location.split(':')[-1]
|
|
return [':'.join((server['public_address'], path))]
|
|
|
|
def get_share_path_by_export_location(self, server, export_location):
|
|
return export_location.split(':')[-1]
|
|
|
|
@nfs_synchronized
|
|
def disable_access_for_maintenance(self, server, share_name):
|
|
maintenance_file = self._get_maintenance_file_path(share_name)
|
|
backup_exports = [
|
|
'cat', const.NFS_EXPORTS_FILE,
|
|
'| grep', share_name,
|
|
'| sudo tee', maintenance_file
|
|
]
|
|
self._ssh_exec(server, backup_exports)
|
|
|
|
local_path = os.path.join(self.configuration.share_mount_path,
|
|
share_name)
|
|
self._ssh_exec(server, ['sudo', 'exportfs', '-u', local_path])
|
|
self._sync_nfs_temp_and_perm_files(server)
|
|
|
|
@nfs_synchronized
|
|
def restore_access_after_maintenance(self, server, share_name):
|
|
maintenance_file = self._get_maintenance_file_path(share_name)
|
|
restore_exports = [
|
|
'cat', maintenance_file,
|
|
'| sudo tee -a', const.NFS_EXPORTS_FILE,
|
|
'&& sudo exportfs -r',
|
|
'&& sudo rm -f', maintenance_file
|
|
]
|
|
self._ssh_exec(server, restore_exports)
|
|
|
|
|
|
class CIFSHelperIPAccess(NASHelperBase):
|
|
"""Manage shares in samba server by net conf tool.
|
|
|
|
Class provides functionality to operate with CIFS shares.
|
|
Samba server should be configured to use registry as configuration
|
|
backend to allow dynamically share managements. This class allows
|
|
to define access to shares by IPs with RW access level.
|
|
"""
|
|
def __init__(self, *args):
|
|
super(CIFSHelperIPAccess, self).__init__(*args)
|
|
self.export_format = '\\\\%s\\%s'
|
|
self.parameters = {
|
|
'browseable': 'yes',
|
|
'\"create mask\"': '0755',
|
|
'\"hosts deny\"': '0.0.0.0/0', # deny all by default
|
|
'\"hosts allow\"': '127.0.0.1',
|
|
'\"read only\"': 'no',
|
|
}
|
|
|
|
def init_helper(self, server):
|
|
# This is smoke check that we have required dependency
|
|
self._ssh_exec(server, ['sudo', 'net', 'conf', 'list'])
|
|
|
|
def create_export(self, server, share_name, recreate=False):
|
|
"""Create share at samba server."""
|
|
share_path = os.path.join(self.configuration.share_mount_path,
|
|
share_name)
|
|
create_cmd = [
|
|
'sudo', 'net', 'conf', 'addshare', share_name, share_path,
|
|
'writeable=y', 'guest_ok=y',
|
|
]
|
|
try:
|
|
self._ssh_exec(
|
|
server, ['sudo', 'net', 'conf', 'showshare', share_name, ])
|
|
except exception.ProcessExecutionError:
|
|
# Share does not exist, create it
|
|
try:
|
|
self._ssh_exec(server, create_cmd)
|
|
except Exception as child_e:
|
|
msg = _("Could not create CIFS export %s.") % share_name
|
|
LOG.exception(child_e)
|
|
LOG.error(msg)
|
|
raise exception.ManilaException(reason=msg)
|
|
else:
|
|
# Share exists
|
|
if recreate:
|
|
self._ssh_exec(
|
|
server, ['sudo', 'net', 'conf', 'delshare', share_name, ])
|
|
try:
|
|
self._ssh_exec(server, create_cmd)
|
|
except Exception as e:
|
|
msg = _("Could not create CIFS export %s.") % share_name
|
|
LOG.exception(e)
|
|
LOG.error(msg)
|
|
raise exception.ManilaException(reason=msg)
|
|
else:
|
|
msg = _('Share section %s already defined.') % share_name
|
|
raise exception.ShareBackendException(msg=msg)
|
|
|
|
for param, value in self.parameters.items():
|
|
self._ssh_exec(server, ['sudo', 'net', 'conf', 'setparm',
|
|
share_name, param, value])
|
|
|
|
return self.export_format % (server['public_address'], share_name)
|
|
|
|
def remove_export(self, server, share_name):
|
|
"""Remove share definition from samba server."""
|
|
try:
|
|
self._ssh_exec(
|
|
server, ['sudo', 'net', 'conf', 'delshare', share_name])
|
|
except exception.ProcessExecutionError as e:
|
|
LOG.warning(_LW("Caught error trying delete share: %(error)s, try"
|
|
"ing delete it forcibly."), {'error': e.stderr})
|
|
self._ssh_exec(server, ['sudo', 'smbcontrol', 'all', 'close-share',
|
|
share_name])
|
|
|
|
def update_access(self, server, share_name, access_rules, add_rules=None,
|
|
delete_rules=None):
|
|
"""Update access rules for given share.
|
|
|
|
Please refer to base class for a more in-depth description. For this
|
|
specific implementation, add_rules and delete_rules parameters are not
|
|
used.
|
|
"""
|
|
hosts = []
|
|
|
|
self.validate_access_rules(
|
|
access_rules, ('ip',), (const.ACCESS_LEVEL_RW,))
|
|
|
|
for access in access_rules:
|
|
hosts.append(access['access_to'])
|
|
self._set_allow_hosts(server, hosts, share_name)
|
|
|
|
def _get_allow_hosts(self, server, share_name):
|
|
(out, _) = self._ssh_exec(server, ['sudo', 'net', 'conf', 'getparm',
|
|
share_name, '\"hosts allow\"'])
|
|
return out.split()
|
|
|
|
def _set_allow_hosts(self, server, hosts, share_name):
|
|
value = "\"" + ' '.join(hosts) + "\""
|
|
self._ssh_exec(server, ['sudo', 'net', 'conf', 'setparm', share_name,
|
|
'\"hosts allow\"', value])
|
|
|
|
@staticmethod
|
|
def _get_share_group_name_from_export_location(export_location):
|
|
if '/' in export_location and '\\' in export_location:
|
|
pass
|
|
elif export_location.startswith('\\\\'):
|
|
return export_location.split('\\')[-1]
|
|
elif export_location.startswith('//'):
|
|
return export_location.split('/')[-1]
|
|
|
|
msg = _("Got incorrect CIFS export location '%s'.") % export_location
|
|
raise exception.InvalidShare(reason=msg)
|
|
|
|
def get_exports_for_share(self, server, old_export_location):
|
|
self._verify_server_has_public_address(server)
|
|
group_name = self._get_share_group_name_from_export_location(
|
|
old_export_location)
|
|
data = dict(ip=server['public_address'], share=group_name)
|
|
return ['\\\\%(ip)s\\%(share)s' % data]
|
|
|
|
def get_share_path_by_export_location(self, server, export_location):
|
|
# Get name of group that contains share data on CIFS server
|
|
group_name = self._get_share_group_name_from_export_location(
|
|
export_location)
|
|
|
|
# Get parameter 'path' from group that belongs to current share
|
|
(out, __) = self._ssh_exec(
|
|
server, ['sudo', 'net', 'conf', 'getparm', group_name, 'path'])
|
|
|
|
# Remove special symbols from response and return path
|
|
return out.strip()
|
|
|
|
def disable_access_for_maintenance(self, server, share_name):
|
|
maintenance_file = self._get_maintenance_file_path(share_name)
|
|
allowed_hosts = " ".join(self._get_allow_hosts(server, share_name))
|
|
|
|
backup_exports = [
|
|
'echo', "'%s'" % allowed_hosts, '| sudo tee', maintenance_file
|
|
]
|
|
self._ssh_exec(server, backup_exports)
|
|
self._set_allow_hosts(server, [], share_name)
|
|
|
|
def restore_access_after_maintenance(self, server, share_name):
|
|
maintenance_file = self._get_maintenance_file_path(share_name)
|
|
(exports, __) = self._ssh_exec(server, ['cat', maintenance_file])
|
|
self._set_allow_hosts(server, exports.split(), share_name)
|
|
self._ssh_exec(server, ['sudo rm -f', maintenance_file])
|
|
|
|
|
|
class CIFSHelperUserAccess(CIFSHelperIPAccess):
|
|
"""Manage shares in samba server by net conf tool.
|
|
|
|
Class provides functionality to operate with CIFS shares.
|
|
Samba server should be configured to use registry as configuration
|
|
backend to allow dynamically share managements. This class allows
|
|
to define access to shares by usernames with either RW or RO access levels.
|
|
"""
|
|
def __init__(self, *args):
|
|
super(CIFSHelperUserAccess, self).__init__(*args)
|
|
self.export_format = '//%s/%s'
|
|
self.parameters = {
|
|
'browseable': 'yes',
|
|
'create mask': '0755',
|
|
'hosts allow': '0.0.0.0/0',
|
|
'read only': 'no',
|
|
}
|
|
|
|
def update_access(self, server, share_name, access_rules, add_rules=None,
|
|
delete_rules=None):
|
|
"""Update access rules for given share.
|
|
|
|
Please refer to base class for a more in-depth description. For this
|
|
specific implementation, add_rules and delete_rules parameters are not
|
|
used.
|
|
"""
|
|
all_users_rw = []
|
|
all_users_ro = []
|
|
|
|
self.validate_access_rules(
|
|
access_rules, ('user',),
|
|
(const.ACCESS_LEVEL_RO, const.ACCESS_LEVEL_RW))
|
|
|
|
for access in access_rules:
|
|
if access['access_level'] == const.ACCESS_LEVEL_RW:
|
|
all_users_rw.append(access['access_to'])
|
|
else:
|
|
all_users_ro.append(access['access_to'])
|
|
self._set_valid_users(
|
|
server, all_users_rw, share_name, const.ACCESS_LEVEL_RW)
|
|
self._set_valid_users(
|
|
server, all_users_ro, share_name, const.ACCESS_LEVEL_RO)
|
|
|
|
def _get_conf_param(self, access_level):
|
|
if access_level == const.ACCESS_LEVEL_RW:
|
|
return 'valid users'
|
|
else:
|
|
return 'read list'
|
|
|
|
def _set_valid_users(self, server, users, share_name, access_level):
|
|
value = "\"" + ' '.join(users) + "\""
|
|
param = self._get_conf_param(access_level)
|
|
self._ssh_exec(server, ['sudo', 'net', 'conf', 'setparm', share_name,
|
|
param, value])
|