authorLiam Young <liam.young@canonical.com>2017-12-12 15:43:36 +0000
committerLiam Young <liam.young@canonical.com>2017-12-13 13:54:06 +0000
commitd94dc3e7b93ed013497b0d1329480e55fd7dc077 (patch)
tree5ae0740422a1bd8771aaccc7b16ccc4fa2403b40
parent6ea5e98786cf144d2bb92c0edebcfa10bb938e6a (diff)
Add support for object_prefix permissions
The grammar for ceph osd capabilities shows that permissions can be applied to a pool or to an object_prefix: match := [pool[=]<poolname> | object_prefix <prefix>] This patch adds support for requesting object_prefix permissions on a given set of prefixes. http://docs.ceph.com/docs/firefly/man/8/ceph-authtool/#osd-capabilities Partial-Bug: #1696073 Change-Id: I799f87fe2178ed7d3e44f14e2fa0683f917d2f0d
Notes
Notes (review): Code-Review+2: James Page <james.page@canonical.com> Workflow+1: James Page <james.page@canonical.com> Verified+2: Zuul Submitted-by: Zuul Submitted-at: Wed, 13 Dec 2017 17:16:32 +0000 Reviewed-on: https://review.openstack.org/527690 Project: openstack/charms.ceph Branch: refs/heads/master
-rw-r--r--ceph/broker.py10
-rw-r--r--unit_tests/test_broker.py98
2 files changed, 107 insertions, 1 deletions
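diff --git a/ceph/broker.py b/ceph/broker.py
index cb1968d..1c0b928 100644
--- a/ceph/broker.py
+++ b/ceph/broker.py
@@ -187,6 +187,9 @@ def handle_add_permissions_to_key(request, service):
 group = get_group(group_name=group_name)
 service_obj = get_service_groups(service=service_name,
 namespace=group_namespace)
+if request.get('object-prefix-permissions'):
+service_obj['object_prefix_perms'] = request.get(
+'object-prefix-permissions')
 format("Service object: {}".format(service_obj))
 permission = request.get('group-permission') or "rwx"
 if service_name not in group['services']:
@@ -241,8 +244,13 @@ def pool_permission_list_for_service(service):
 for permission, groups in permission_types.items():
 permission = "allow {}".format(permission)
 for group in groups:
-for pool in service['groups'][group]['pools']:
+for pool in service['groups'][group].get('pools', []):
 permissions.append("{} pool={}".format(permission, pool))
+for permission, prefixes in sorted(
+service.get("object_prefix_perms", {}).items()):
+for prefix in prefixes:
+permissions.append("allow {} object_prefix {}".format(permission,
+prefix))
 return ["mon", "allow r", "osd", ', '.join(permissions)]
 
 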
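Review bot: The `object-prefix-permissions` value is stored in `service_obj['object_prefix_perms']` exactly as it arrives in the request, and pool_permission_list_for_service later interpolates each key and prefix verbatim via `"allow {} object_prefix {}".format(permission, prefix)`. Because the clauses are then joined with `', '` into a single osd capability string, a permission or prefix containing a comma or whitespace would produce extra clauses; if broker requests can come from a less-trusted client unit (not visible here), that lets the requester widen its own key. I would validate before storing, for example accepting only permissions where `perm in ('class-read', 'class-write') or (perm and set(perm) <= set('rwx'))` and prefixes where `prefix and all(c.isalnum() or c in '._-' for c in prefix)`. The same check should confirm the value is a dict of lists, since a string or list would otherwise fail at `.items()` or be iterated character by character. Both function bodies start and end outside the hunks shown.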
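diff --git a/unit_tests/test_broker.py b/unit_tests/test_broker.py
index 9e78b5a..864a2e3 100644
--- a/unit_tests/test_broker.py
+++ b/unit_tests/test_broker.py
@@ -531,3 +531,101 @@ class CephBrokerTestCase(unittest.TestCase):
 expect_service_name,
 expect_service_obj,
 expect_group_namespace)
+
+@patch.object(ceph.broker, 'save_service')
+@patch.object(ceph.broker, 'save_group')
+@patch.object(ceph.broker, 'monitor_key_get')
+@patch.object(ceph.broker, 'update_service_permissions')
+def test_handle_add_permissions_to_key_obj_prefs(self,
+mock_update_serv_perms,
+mock_monitor_key_get,
+mock_save_group,
+mock_save_service):
+mkey = {
+'cephx.services.glance': ('{"groups": {}, "group_names": '
+'{"rwx": ["images"]}}'),
+'cephx.groups.images': ('{"services": ["glance", "cinder-ceph", '
+'"nova-compute"], "pools": ["glance"]}')}
+mock_monitor_key_get.side_effect = lambda service, key: mkey[key]
+expect_service_name = u'glance'
+expected_group = {
+u'services': [
+u'glance',
+u'cinder-ceph',
+u'nova-compute'],
+u'pools': [u'glance']}
+expect_service_obj = {
+u'groups': {
+u'images': expected_group},
+u'group_names': {
+u'rwx': [u'images']},
+u'object_prefix_perms': {
+u'rwx': [u'rbd_children'], u'r': ['another']}}
+expect_group_namespace = None
+ceph.broker.handle_add_permissions_to_key(
+request={
+u'namespace': None,
+u'group-permission': u'rwx',
+u'group': u'images',
+u'name': u'glance',
+u'object-prefix-permissions': {
+u'rwx': [u'rbd_children'], u'r': ['another']},
+u'op': u'add-permissions-to-key'},
+service='admin')
+mock_save_group.assert_called_once_with(
+group=expected_group,
+group_name='images')
+mock_save_service.assert_called_once_with(
+service=expect_service_obj,
+service_name=expect_service_name)
+mock_update_serv_perms.assert_called_once_with(
+expect_service_name,
+expect_service_obj,
+expect_group_namespace)
+
+def test_pool_permission_list_for_service_obj_pref(self):
+expected_group = {
+u'services': [
+u'glance',
+u'cinder-ceph',
+u'nova-compute'],
+u'pools': [u'glance']}
+expect_service_obj = {
+u'groups': {
+u'images': expected_group},
+u'group_names': {
+u'rwx': [u'images']},
+u'object_prefix_perms': {
+u'rwx': [u'rbd_children'], u'r': ['another']}}
+self.assertEqual(ceph.broker.pool_permission_list_for_service(
+expect_service_obj),
+[
+'mon',
+'allow r',
+'osd',
+('allow rwx pool=glance, '
+'allow r object_prefix another, '
+'allow rwx object_prefix rbd_children')])
+
+def test_pool_permission_list_for_glance(self):
+expected_group = {
+u'services': [
+u'glance',
+u'cinder-ceph',
+u'nova-compute'],
+u'pools': [u'glance']}
+expect_service_obj = {
+u'groups': {
+u'images': expected_group},
+u'group_names': {
+u'rwx': [u'images']},
+u'object_prefix_perms': {
+u'class-read': [u'rbd_children']}}
+self.assertEqual(ceph.broker.pool_permission_list_for_service(
+expect_service_obj),
+[
+'mon',
+'allow r',
+'osd',
+('allow rwx pool=glance, '
+'allow class-read object_prefix rbd_children')])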
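Review bot: None of the three added tests covers the `.get('pools', [])` fallback that this commit introduces in pool_permission_list_for_service; every fixture includes a `pools` key, so reverting that line would not fail the suite. The fixtures also pass only well-formed `object_prefix_perms` dicts, so nothing pins what happens when a prefix or permission contains `', '` or when the value is not a dict of lists. I would add a case with a group that has no `pools` key, plus one negative case asserting that a malformed prefix is rejected or at least does not add clauses to the osd capability string. Separately, `test_pool_permission_list_for_glance` is better named for what it checks, e.g. `test_pool_permission_list_for_service_class_read`, with a one-line docstring such as `"""class-read on an object_prefix is rendered after the pool clauses."""`.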