Add request_access_to_group method

Add request_access_to_group method to allow a client to request
ceph permissions.

Change-Id: I8a7f0bf47c39509eec71a286bd51ec53c58d7e0d
Liam Young 2019-01-08 13:59:39 +00:00
parent e4997e5ab8
commit 288bab66dd
2 changed files with 82 additions and 0 deletions


@ -113,6 +113,35 @@ class CephClientRequires(RelationBase):
self.set_local(key='broker_req', value=current_request.request)
send_request_if_needed(current_request, relation=self.relation_name)
def request_access_to_group(self, name, namespace=None, permission=None,
key_name=None, object_prefix_permissions=None):
"""
Adds the requested permissions to service's Ceph key
Adds the requested permissions to the current service's Ceph key,
allowing the key to access only the specified pools or
object prefixes. object_prefix_permissions should be a dictionary
keyed on the permission with the corresponding value being a list
of prefixes to apply that permission to.
{
'rwx': ['prefix1', 'prefix2'],
'class-read': ['prefix3']}
@param name: Target group name for permissions request.
@param namespace: namespace to further restrict pool access.
@param permission: Permission to be requested against pool
@param key_name: userid to grant permission to
@param object_prefix_permissions: Add object_prefix permissions.
"""
current_request = self.get_current_request()
current_request.add_op_request_access_to_group(
name,
namespace=namespace,
permission=permission,
key_name=key_name,
object_prefix_permissions=object_prefix_permissions)
self.set_local(key='broker_req', value=current_request.request)
send_request_if_needed(current_request, relation=self.relation_name)
def get_remote_all(self, key, default=None):
"""Return a list of all values presented by remote units for key"""
# TODO: might be a nicer way todo this - written a while back!
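Review bot: The docstring of `request_access_to_group` does not say what is requested when `permission`, `namespace` or `key_name` are left at `None`, yet the method forwards those values unchanged to `add_op_request_access_to_group`. Because this call adds capabilities to a Ceph key, a caller should be able to tell from the docstring whether omitting `permission` requests nothing or falls back to a broker-side default. The broker code is not visible here, so confirm the behaviour and state it, e.g. `@param permission: Permission to be requested against pool; if None, <broker default, to be confirmed>`. The docstring also opens with two near-identical summary sentences, so the short line `Adds the requested permissions to service's Ceph key` should either be dropped or kept as a one-line summary followed by a blank line. The method itself is complete in this hunk, but its enclosing class starts outside it.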


@ -264,6 +264,59 @@ class TestCephClientRequires(unittest.TestCase):
'pg_num': None,
'weight': None}])
def test_request_access_to_group_new_request(self):
self.patch_kr('get_local', '{"ops": []}')
self.patch_kr('set_local')
self.cr.request_access_to_group(
'volumes',
key_name='cinder',
object_prefix_permissions={'class-read': ['rbd_children']},
permission='rwx')
ceph_broker_rq = self.send_request_if_needed.mock_calls[0][1][0]
self.assertEqual(
ceph_broker_rq.ops,
[{
'group': 'volumes',
'group-permission': 'rwx',
'name': 'cinder',
'namespace': None,
'object-prefix-permissions': {'class-read': ['rbd_children']},
'op': 'add-permissions-to-key'}])
def test_request_access_to_group_existing_request(self):
req = (
'{"api-version": 1, '
'"ops": [{"op": "create-pool", "name": "volumes", "replicas": 3, '
'"pg_num": null, "weight": null, "group": null, '
'"group-namespace": null}], '
'"request-id": "9e34123e-fa0c-11e8-ad9c-fa163ed1cc55"}')
self.patch_kr('get_local', req)
self.cr.request_access_to_group(
'volumes',
key_name='cinder',
object_prefix_permissions={'class-read': ['rbd_children']},
permission='rwx')
ceph_broker_rq = self.send_request_if_needed.mock_calls[0][1][0]
self.assertEqual(
ceph_broker_rq.ops,
[
{
'op': 'create-pool',
'name': 'volumes',
'replicas': 3,
'group': None,
'group-namespace': None,
'pg_num': None,
'weight': None},
{
'group': 'volumes',
'group-permission': 'rwx',
'name': 'cinder',
'namespace': None,
'object-prefix-permissions': {
'class-read': ['rbd_children']},
'op': 'add-permissions-to-key'}])
@mock.patch.object(requires.hookenv, 'related_units')
@mock.patch.object(requires.hookenv, 'relation_get')
def test_get_remote_all(self, relation_get, related_units):
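Review bot: Both new tests pass an explicit `permission='rwx'` and `key_name='cinder'`, so the default path (`permission=None`, `key_name=None`) and a non-None `namespace` are never pinned. A third case that omits them and asserts the resulting op would catch a later change that silently alters which access is requested. The tests also read `self.send_request_if_needed.mock_calls[0]` without checking the call count; adding `self.send_request_if_needed.assert_called_once()` before the index would expose a duplicate send. `test_request_access_to_group_existing_request` does not call `self.patch_kr('set_local')` as the first test does, which is fine only if `set_local` is patched elsewhere (not visible here). `test_get_remote_all` at the end of the hunk continues outside it.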