Request class-read object_prefix rbd_children perm

When using Ceph as a backend, request the additional privilege
class-read on rbd_children. This fixes bug 1696073.

Change-Id: I468cfb5026751b96feba013b4e6ae74ff8da38ca
Closes-Bug: #1696073
Marian Gasparovic 2018-05-31 17:04:33 +02:00
parent f751b88746
commit d8de6b6642
2 changed files with 21 additions and 9 deletions


@ -353,12 +353,18 @@ def get_ceph_request():
rq.add_op_create_pool(name=name, replica_count=replicas, weight=weight,
group='vms')
if config('restrict-ceph-pools'):
rq.add_op_request_access_to_group(name="volumes",
permission='rwx')
rq.add_op_request_access_to_group(name="images",
permission='rwx')
rq.add_op_request_access_to_group(name="vms",
permission='rwx')
rq.add_op_request_access_to_group(
name="volumes",
object_prefix_permissions={'class-read': ['rbd_children']},
permission='rwx')
rq.add_op_request_access_to_group(
name="images",
object_prefix_permissions={'class-read': ['rbd_children']},
permission='rwx')
rq.add_op_request_access_to_group(
name="vms",
object_prefix_permissions={'class-read': ['rbd_children']},
permission='rwx')
return rq
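Review bot: The literal `object_prefix_permissions={'class-read': ['rbd_children']}` is now repeated in all three `add_op_request_access_to_group` calls with no comment saying why the grant is needed, so a later edit can easily leave one group out of step. I would loop instead, e.g. `for group in ('volumes', 'images', 'vms'):` around a single call passing `name=group`, and add a comment such as `# class-read on rbd_children is needed to look up clone children (bug 1696073)`. How the broker turns this request into an OSD capability is not visible here; it is worth confirming that the prefix grant is limited to each group's pools rather than issued cluster-wide, since that decides how narrow the restrict-ceph-pools mode really stays. get_ceph_request starts above this hunk.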


@ -509,9 +509,15 @@ class NovaComputeRelationsTests(CharmTestCase):
weight=28,
group='vms')
mock_request_access.assert_has_calls([
call(name='volumes', permission='rwx'),
call(name='images', permission='rwx'),
call(name='vms', permission='rwx'),
call(name='volumes',
object_prefix_permissions={'class-read': ['rbd_children']},
permission='rwx'),
call(name='images',
object_prefix_permissions={'class-read': ['rbd_children']},
permission='rwx'),
call(name='vms',
object_prefix_permissions={'class-read': ['rbd_children']},
permission='rwx'),
])
@patch.object(hooks, 'service_restart_handler')
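Review bot: `assert_has_calls` in this test still passes when `add_op_request_access_to_group` is called additional times, so an unintended extra access grant would not fail it. For a permissions request an exact check is safer, e.g. `self.assertEqual(mock_request_access.call_args_list, [...])` with the same three `call(...)` entries, unless the call count is already asserted outside this hunk. The test method starts above the hunk, and only the restricted-pools path is visible here.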