Add support for Cinder "NAS secure" driver params

Add ability to set Cinder's nas_secure_file_operations and nas_secure_file_permissions driver parameters. Two sets of identically named parameters are implemented by Cinder's NFS and NetApp back end drivers. The ability to control these parameters is crucial for supporting deployments that require non-default values. Partial-Bug: #1688332 Change-Id: Id92cfd4190de8687d4731cf301f2df0bde1ba7d9
2017-05-04 12:09:14 -04:00 · 2017-05-04 12:09:14 -04:00 · 02e29ba67d
commit 02e29ba67d
parent 2107003c44
5 changed files with 88 additions and 31 deletions
--- a/manifests/backend/netapp.pp
+++ b/manifests/backend/netapp.pp
@ -147,6 +147,23 @@
 #   application.
 #   Defaults to '/devmgr/v2'
 #
+# [*nas_secure_file_operations*]
+#   (Optional) Allow network-attached storage systems to operate in a secure
+#   environment where root level access is not permitted. If set to False,
+#   access is as the root user and insecure. If set to True, access is not as
+#   root. If set to auto, a check is done to determine if this is a new
+#   installation: True is used if so, otherwise False. Default is auto.
+#   Defaults to $::os_service_default
+#
+# [*nas_secure_file_permissions*]
+#   (Optional) Set more secure file permissions on network-attached storage
+#   volume files to restrict broad other/world access. If set to False,
+#   volumes are created with open permissions. If set to True, volumes are
+#   created with permissions for the cinder user and group (660). If set to
+#   auto, a check is done to determine if this is a new installation: True is
+#   used if so, otherwise False. Default is auto.
+#   Defaults to $::os_service_default
+#
 # [*manage_volume_type*]
 #   (Optional) Whether or not manage Cinder Volume type.
 #   If set to true, a Cinde Volume type will be created
@ -228,6 +245,8 @@ define cinder::backend::netapp (
  $manage_volume_type               = false,
  $extra_options                    = {},
  $netapp_pool_name_search_pattern  = '(.+)',
+  $nas_secure_file_operations       = $::os_service_default,
+  $nas_secure_file_permissions      = $::os_service_default,
  # DEPRECATED PARAMETERS
  $netapp_eseries_host_type         = undef,
  $netapp_storage_pools             = undef,
@ -290,6 +309,8 @@ define cinder::backend::netapp (
    "${name}/netapp_pool_name_search_pattern":  value => $netapp_pool_name_search_pattern_real;
    "${name}/netapp_host_type":                 value => $netapp_host_type_real;
    "${name}/netapp_webservice_path":           value => $netapp_webservice_path;
+    "${name}/nas_secure_file_operations":       value => $nas_secure_file_operations;
+    "${name}/nas_secure_file_permissions":      value => $nas_secure_file_permissions;
  }

  if $manage_volume_type {
--- a/manifests/backend/nfs.pp
+++ b/manifests/backend/nfs.pp
@ -49,6 +49,23 @@
 #   longer be valid.
 #   Defaults to $::os_service_default
 #
+# [*nas_secure_file_operations*]
+#   (Optional) Allow network-attached storage systems to operate in a secure
+#   environment where root level access is not permitted. If set to False,
+#   access is as the root user and insecure. If set to True, access is not as
+#   root. If set to auto, a check is done to determine if this is a new
+#   installation: True is used if so, otherwise False. Default is auto.
+#   Defaults to $::os_service_default
+#
+# [*nas_secure_file_permissions*]
+#   (Optional) Set more secure file permissions on network-attached storage
+#   volume files to restrict broad other/world access. If set to False,
+#   volumes are created with open permissions. If set to True, volumes are
+#   created with permissions for the cinder user and group (660). If set to
+#   auto, a check is done to determine if this is a new installation: True is
+#   used if so, otherwise False. Default is auto.
+#   Defaults to $::os_service_default
+#
 # [*manage_volume_type*]
 #   (Optional) Whether or not manage Cinder Volume type.
 #   If set to true, a Cinde Volume type will be created
@ -62,18 +79,20 @@
 #     { 'nfs_backend/param1' => { 'value' => value1 } }
 #
 define cinder::backend::nfs (
-  $volume_backend_name  = $name,
-  $nfs_servers          = [],
-  $nfs_mount_attempts   = $::os_service_default,
-  $nfs_mount_options    = $::os_service_default,
-  $nfs_disk_util        = $::os_service_default,
-  $nfs_sparsed_volumes  = $::os_service_default,
-  $nfs_mount_point_base = $::os_service_default,
-  $nfs_shares_config    = '/etc/cinder/shares.conf',
-  $nfs_used_ratio       = $::os_service_default,
-  $nfs_oversub_ratio    = $::os_service_default,
-  $manage_volume_type   = false,
-  $extra_options        = {},
+  $volume_backend_name         = $name,
+  $nfs_servers                 = [],
+  $nfs_mount_attempts          = $::os_service_default,
+  $nfs_mount_options           = $::os_service_default,
+  $nfs_disk_util               = $::os_service_default,
+  $nfs_sparsed_volumes         = $::os_service_default,
+  $nfs_mount_point_base        = $::os_service_default,
+  $nfs_shares_config           = '/etc/cinder/shares.conf',
+  $nfs_used_ratio              = $::os_service_default,
+  $nfs_oversub_ratio           = $::os_service_default,
+  $nas_secure_file_operations  = $::os_service_default,
+  $nas_secure_file_permissions = $::os_service_default,
+  $manage_volume_type          = false,
+  $extra_options               = {},
 ) {

  include ::cinder::deps
@ -85,17 +104,21 @@ define cinder::backend::nfs (
  }

  cinder_config {
-    "${name}/volume_backend_name":  value => $volume_backend_name;
-    "${name}/volume_driver":        value =>
+    "${name}/volume_backend_name":         value => $volume_backend_name;
+    "${name}/volume_driver":               value =>
      'cinder.volume.drivers.nfs.NfsDriver';
-    "${name}/nfs_shares_config":    value => $nfs_shares_config;
-    "${name}/nfs_mount_attempts":   value => $nfs_mount_attempts;
-    "${name}/nfs_mount_options":    value => $nfs_mount_options;
-    "${name}/nfs_disk_util":        value => $nfs_disk_util;
-    "${name}/nfs_sparsed_volumes":  value => $nfs_sparsed_volumes;
-    "${name}/nfs_mount_point_base": value => $nfs_mount_point_base;
-    "${name}/nfs_used_ratio":       value => $nfs_used_ratio;
-    "${name}/nfs_oversub_ratio":    value => $nfs_oversub_ratio;
+    "${name}/nfs_shares_config":           value => $nfs_shares_config;
+    "${name}/nfs_mount_attempts":          value => $nfs_mount_attempts;
+    "${name}/nfs_mount_options":           value => $nfs_mount_options;
+    "${name}/nfs_disk_util":               value => $nfs_disk_util;
+    "${name}/nfs_sparsed_volumes":         value => $nfs_sparsed_volumes;
+    "${name}/nfs_mount_point_base":        value => $nfs_mount_point_base;
+    "${name}/nfs_used_ratio":              value => $nfs_used_ratio;
+    "${name}/nfs_oversub_ratio":           value => $nfs_oversub_ratio;
+    "${name}/nas_secure_file_operations":  value =>
+      $nas_secure_file_operations;
+    "${name}/nas_secure_file_permissions": value =>
+      $nas_secure_file_permissions;
  }

  if $manage_volume_type {
--- a/releasenotes/notes/add_nas_secure_parameters-780423667cda878a.yaml
+++ b/releasenotes/notes/add_nas_secure_parameters-780423667cda878a.yaml
@ -0,0 +1,5 @@
+---
+features:
+  - Add new "nas_secure_file_operations" and "nas_secure_file_permissions"
+    parameters for controlling the similarly named settings in the NFS and
+    NetApp driver back ends.
--- a/spec/defines/cinder_backend_netapp_spec.rb
+++ b/spec/defines/cinder_backend_netapp_spec.rb
@ -36,6 +36,8 @@ describe 'cinder::backend::netapp' do
      :nfs_shares_config            => '/etc/cinder/shares.conf',
      :nfs_mount_options            => '<SERVICE DEFAULT>',
      :netapp_webservice_path       => '/devmgr/v2',
+      :nas_secure_file_operations   => '<SERVICE DEFAULT>',
+      :nas_secure_file_permissions  => '<SERVICE DEFAULT>',
    }
  end

--- a/spec/defines/cinder_backend_nfs_spec.rb
+++ b/spec/defines/cinder_backend_nfs_spec.rb
@ -6,15 +6,17 @@ describe 'cinder::backend::nfs' do

  let :params do
    {
-      :nfs_servers          => ['10.10.10.10:/shares', '10.10.10.10:/shares2'],
-      :nfs_mount_attempts   => '4',
-      :nfs_mount_options    => 'vers=3',
-      :nfs_shares_config    => '/etc/cinder/other_shares.conf',
-      :nfs_disk_util        => 'du',
-      :nfs_sparsed_volumes  => true,
-      :nfs_mount_point_base => '/cinder_mount_point',
-      :nfs_used_ratio       => '0.7',
-      :nfs_oversub_ratio    => '0.9'
+      :nfs_servers                 => ['10.10.10.10:/shares', '10.10.10.10:/shares2'],
+      :nfs_mount_attempts          => '4',
+      :nfs_mount_options           => 'vers=3',
+      :nfs_shares_config           => '/etc/cinder/other_shares.conf',
+      :nfs_disk_util               => 'du',
+      :nfs_sparsed_volumes         => true,
+      :nfs_mount_point_base        => '/cinder_mount_point',
+      :nfs_used_ratio              => '0.7',
+      :nfs_oversub_ratio           => '0.9',
+      :nas_secure_file_operations  => 'auto',
+      :nas_secure_file_permissions => 'false',
    }
  end

@ -41,6 +43,10 @@ describe 'cinder::backend::nfs' do
        '0.7')
      is_expected.to contain_cinder_config('hippo/nfs_oversub_ratio').with_value(
        '0.9')
+      is_expected.to contain_cinder_config('hippo/nas_secure_file_operations').with_value(
+        'auto')
+      is_expected.to contain_cinder_config('hippo/nas_secure_file_permissions').with_value(
+        'false')
      is_expected.to contain_file('/etc/cinder/other_shares.conf').with(
        :content => "10.10.10.10:/shares\n10.10.10.10:/shares2",
        :require => 'Anchor[cinder::install::end]',