Request class-read object_prefix rbd_children perm
When using ceph as a backend, request the additional privilege class-read on rbd_children. This fixes bug 1696073. Change-Id: Ia5f092255f1ff75796fc24a8bbd94dd1831e6807 Closes-Bug: #1696073 Depends-On: Icf844ec7d33f2e558dee7935fe5fa3d7f08e0d59
parent
cf6cd15b24
commit
a956c6b9d8
|
@ -2045,14 +2045,25 @@ def token_cache_pkgs(source=None, release=None):
|
|||
|
||||
def update_json_file(filename, items):
|
||||
"""Updates the json `filename` with a given dict.
|
||||
:param filename: json filename (i.e.: /etc/glance/policy.json)
|
||||
:param filename: path to json file (e.g. /etc/glance/policy.json)
|
||||
:param items: dict of items to update
|
||||
"""
|
||||
if not items:
|
||||
return
|
||||
|
||||
with open(filename) as fd:
|
||||
policy = json.load(fd)
|
||||
|
||||
# Compare before and after and if nothing has changed don't write the file
|
||||
# since that could cause unnecessary service restarts.
|
||||
before = json.dumps(policy, indent=4, sort_keys=True)
|
||||
policy.update(items)
|
||||
after = json.dumps(policy, indent=4, sort_keys=True)
|
||||
if before == after:
|
||||
return
|
||||
|
||||
with open(filename, "w") as fd:
|
||||
fd.write(json.dumps(policy, indent=4))
|
||||
fd.write(after)
|
||||
|
||||
|
||||
@cached
|
||||
|
|
|
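Review bot: The rewritten tail of `update_json_file` still truncates the policy file in place at `with open(filename, "w") as fd:`, so a crash or full disk between the truncate and `fd.write(after)` leaves an empty or partial JSON file, and for an authorization policy file such as the `/etc/glance/policy.json` named in the docstring that means the service has no valid policy until the hook runs again. The before/after comparison that avoids needless rewrites is good; the write itself should go to a sibling temporary file and be renamed over the original: `tmp = filename + ".tmp"`, `with open(tmp, "w") as fd: fd.write(after)`, `os.rename(tmp, filename)`. If the original file's mode matters, copy it onto the temporary with `os.chmod` before the rename, and `os` must be imported if this module does not already do so. This hunk looks like a charmhelpers sync, so the fix presumably belongs upstream rather than in this repository.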
@ -1064,14 +1064,24 @@ class CephBrokerRq(object):
|
|||
self.ops = []
|
||||
|
||||
def add_op_request_access_to_group(self, name, namespace=None,
|
||||
permission=None, key_name=None):
|
||||
permission=None, key_name=None,
|
||||
object_prefix_permissions=None):
|
||||
"""
|
||||
Adds the requested permissions to the current service's Ceph key,
|
||||
allowing the key to access only the specified pools
|
||||
allowing the key to access only the specified pools or
|
||||
object prefixes. object_prefix_permissions should be a dictionary
|
||||
keyed on the permission with the corresponding value being a list
|
||||
of prefixes to apply that permission to.
|
||||
{
|
||||
'rwx': ['prefix1', 'prefix2'],
|
||||
'class-read': ['prefix3']}
|
||||
"""
|
||||
self.ops.append({'op': 'add-permissions-to-key', 'group': name,
|
||||
'namespace': namespace, 'name': key_name or service_name(),
|
||||
'group-permission': permission})
|
||||
self.ops.append({
|
||||
'op': 'add-permissions-to-key', 'group': name,
|
||||
'namespace': namespace,
|
||||
'name': key_name or service_name(),
|
||||
'group-permission': permission,
|
||||
'object-prefix-permissions': object_prefix_permissions})
|
||||
|
||||
def add_op_create_pool(self, name, replica_count=3, pg_num=None,
|
||||
weight=None, group=None, namespace=None):
|
||||
|
@ -1107,7 +1117,10 @@ class CephBrokerRq(object):
|
|||
def _ops_equal(self, other):
|
||||
if len(self.ops) == len(other.ops):
|
||||
for req_no in range(0, len(self.ops)):
|
||||
for key in ['replicas', 'name', 'op', 'pg_num', 'weight']:
|
||||
for key in [
|
||||
'replicas', 'name', 'op', 'pg_num', 'weight',
|
||||
'group', 'group-namespace', 'group-permission',
|
||||
'object-prefix-permissions']:
|
||||
if self.ops[req_no].get(key) != other.ops[req_no].get(key):
|
||||
return False
|
||||
else:
|
||||
|
|
|
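Review bot: The key list added to `_ops_equal` compares `'group-namespace'` but not `'namespace'`, while the access-request op built in `add_op_request_access_to_group` earlier in this file stores its namespace as `'namespace': namespace`, so two access requests that differ only in namespace still compare equal and one can be mistaken for the other when deciding whether a request was already sent. Adding the key fixes it: `'group', 'group-namespace', 'group-permission', 'namespace',`. The body of `_ops_equal` continues past the hunk; the trailing `else:` belongs to a for/else whose remainder is not shown. Separately, the new `object_prefix_permissions` argument is forwarded to the broker without checking it is a dict of permission to list of prefixes as the docstring describes, so a malformed value is only rejected on the broker side, far from the caller.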
@ -416,12 +416,18 @@ def get_ceph_request():
|
|||
replica_count=replicas,
|
||||
group="volumes")
|
||||
if config('restrict-ceph-pools'):
|
||||
rq.add_op_request_access_to_group(name="volumes",
|
||||
permission='rwx')
|
||||
rq.add_op_request_access_to_group(name="images",
|
||||
permission='rwx')
|
||||
rq.add_op_request_access_to_group(name="vms",
|
||||
permission='rwx')
|
||||
rq.add_op_request_access_to_group(
|
||||
name="volumes",
|
||||
object_prefix_permissions={'class-read': ['rbd_children']},
|
||||
permission='rwx')
|
||||
rq.add_op_request_access_to_group(
|
||||
name="images",
|
||||
object_prefix_permissions={'class-read': ['rbd_children']},
|
||||
permission='rwx')
|
||||
rq.add_op_request_access_to_group(
|
||||
name="vms",
|
||||
object_prefix_permissions={'class-read': ['rbd_children']},
|
||||
permission='rwx')
|
||||
return rq
|
||||
|
||||
|
||||
|
|
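Review bot: The three calls under `if config('restrict-ceph-pools'):` now repeat the same `object_prefix_permissions={'class-read': ['rbd_children']}` literal for "volumes", "images" and "vms", and nothing in the hunk records why that object needs class-read, so the next reader has only the bug number to go on. A loop over the three group names with one explanatory comment keeps the requested caps identical for all three and states the reason in place; as I understand it, RBD clone handling reads the rbd_children index, but confirm the wording against the bug before committing it. `get_ceph_request` begins before the hunk, so the pool-creation calls that precede this block are not shown.
```python
    if config('restrict-ceph-pools'):
        # class-read on rbd_children is needed for RBD clone handling;
        # see bug 1696073.
        for group in ("volumes", "images", "vms"):
            rq.add_op_request_access_to_group(
                name=group,
                object_prefix_permissions={'class-read': ['rbd_children']},
                permission='rwx')
    return rq
```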