18 Commits

Author SHA1 Message Date
Stephen Finucane 204215722e db: Rename 'share_instances_*' to 'share_instance_*'
Rename a number of APIs to use singular, rather than plural, like every
other API uses:

- share_instances_status_update ->
    share_instance_status_update
- share_instances_get_all ->
    share_instance_get_all
- share_instances_get_all_by_host ->
    share_instance_get_all_by_host
- share_instances_get_all_by_share_network ->
    share_instance_get_all_by_share_network
- share_instances_get_all_by_share_server ->
    share_instance_get_all_by_share_server
- share_instances_get_all_by_share ->
    share_instance_get_all_by_share
- share_instances_get_all_by_share_group_id ->
    share_instance_get_all_by_share_group_id

Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
Change-Id: Ic48fe0d1631a6e1a8ee9a50741cc1b31c9187c37
2023-09-27 16:20:17 +01:00
Goutham Pacha Ravi 389a2ea1e5 Support reapplying rules during ensuring
This is an internal change in the share manager's
"ensure_driver_resources" method, and isn't invoked
by any code path yet. The idea is to allow drivers
to opt into running "update_access" on shares that
they are ensuring.

Only drivers that implement "ensure_shares" can
take advantage of this feature.

Change-Id: Ieb7b0dedd98dc02b593078d08d4c0bdf4a1af2bf
Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>
2023-09-07 18:15:04 -07:00
haixin 7f2b25332a remove usage of six library
remove usage of six library from the following directory:
1:share
2:volume
and some files.

Change-Id: If5bb2976bc54887c74649a00deaeaa71e296aaaa
2022-02-10 02:46:34 +00:00
debeltrami 2bc27c5678 Add security service update for in-use share networks
This patch implements the update of security service's association
with in-use share networks. The following changes were added:

 - New share network APIs: `share_network_security_service_update`
 and `share_network_reset_state`.

 - A new `status` attribute was added to share network model to
 identify when it's in a modification state, called 'network_change'.
 Other supported statuses that were added: 'active' and 'error'.

 - New 'security_service_update_support' property was added to both
 share server and share network models, to identify when these resources
 are able to process security service update for in-use share networks.

 - New driver interface was added to support update of security service's
 configuration of a given share server.

DocImpact
APIImpact
Partially Implements: bp add-security-service-in-use-share-networks

Co-Authored-By: Carlos Eduardo <ces.eduardo98@gmail.com>
Co-Authored-By: Douglas Viroel <viroel@gmail.com>
Co-Authored-By: Andre Beltrami <debeltrami@gmail.com>

Change-Id: I129a794dfd2d179fa2b9a2fed050459d6f00b0de
2021-03-12 18:37:45 -03:00
zhongjun a1ba28cad3 Fix cannot deny ipv6 access rules
We cannot deny ipv6 access rules because we remove the ipv6
access rules from global delete rules, not just remove the
ipv6 access rules from driver update_access interface parameters.
So the ipv6 access rules cannot be deleted in db.
Now, changed to only remove the ipv6 access rules
from the driver update_access interface parameters (add_rules,
delete_rules, access_rules_to_be_on_share).

Closes-bug: 1707066

Depends-On: Ifea1799e1d2e3963fec7e90ce3f9cb47b9f02f4f

Change-Id: Idd0014d898d5468922625e62f9e649926dc04e35
2017-08-02 18:16:33 +00:00
zhongjun2 2b40e5618f Enable IPv6 in manila(network plugins and drivers)
Please read spec for design detail [1].

Support IPv6 in IP drivers, networks and share
type extra specs.

Co-Authored-By: TommyLikeHu(tommylikehu@gmail.com)
Co-Authored-By: Ben Swartzlander <ben@swartzlander.org>

[1] f7202a6cfe32a057f752a4e393f848f8a0211c36

DocImpact

Partial-Implements: blueprint support-ipv6-access
Change-Id: I96d3389262e9829b8b4344870cdf5c76abd22828
2017-07-27 18:28:15 +08:00
yfzhao 059fae0ed5 Remove log translations in share and share_group 4/5
Log messages are no longer being translated. This removes all use of
the _LE, _LI, and _LW translation markers to simplify logging and to
avoid confusion with new contributions.
This is the 4/5 commit.
Old commit will be abandoned: https://review.openstack.org/#/c/447822/

See:
http://lists.openstack.org/pipermail/openstack-i18n/2016-November/002574.html
http://lists.openstack.org/pipermail/openstack-dev/2017-March/113365.html

Change-Id: Ia46e9dc4953c788274f5c9b763b2fed96c28d60e
Depends-On: I9fd264a443c634465b8548067f86ac14c1a51faa
Partial-Bug: #1674542
2017-03-31 10:20:11 +08:00
Ben Swartzlander a7d8363d32 Pass access rules to driver on snapshot revert
In order to revert to a snapshot in the LVM driver (and
very likely other drivers) the list of access rules is
needed, so this change modifies the driver interface to
provide this extra information.

This change requires preventing a revert to snapshot
operation while access rules on the affected share are
out of sync.

Closes bug: 1658133

Change-Id: Ia6678bb0e484f9c8f8b05d90e514801ae9baa94b
2017-02-07 11:15:27 -05:00
Goutham Pacha Ravi 0970eb6e3a Add cast_rules_to_readonly to share instances
- Add Database migration to introduce the column on the
  share instances model.
- Set the field to True if creating read-only secondary
  replicas, unset while promoting them.
- Set the field to True if drivers don't support writable access
  to migrating shares, or if using host assisted migration.
  Unset if migration fails, or is canceled.
- Expose the field via share-instances and share-replicas
  APIs to administrators.

Supporting read-only access rules is part of the minimum
driver requirements in manila.

APIImpact
DocImpact

Implements: bp fix-and-improve-access-rules

Co-Authored-By: Rodrigo Barbieri <rodrigo.barbieri@fit-tecnologia.org.br>

Change-Id: Ie8425f36f02cbcede0aaa9f3fe1f5f3cf23df8b8
2017-01-20 22:49:56 +00:00
Goutham Pacha Ravi 64a73b1419 Refactor Access Rules APIs
- Pull up policy check to beginning of the APIs.
- Avoid making access rules changes when one or
  more instances of the share are in an invalid state.
- Add back the per rule share instance access status.
  This restoration provides better visibility for which
  rules were applied successfully.
- Remove 'updating' and 'updating_multiple' as valid
  states for the share instance access rules status.
- Deprecate the access rule state 'new' in favor of
  'queued_to_apply' and the share instance access rules
  status 'out_of_sync' in favor of 'syncing'.

In a new API micro-version:
- Allow access rule changes irrespective of the share's
   access_rules_status.
- Expose new access rule states and share's
  access_rules_status values.

Access rules for each share instance now transition
from 'queued_to_apply' to 'applying' to 'active' or 'error';
and from 'active', 'queued_to_apply', 'applying' or 'error'
to 'queued_to_deny' to 'denying' to 'deleted'.

APIImpact
DocImpact

Partially-implements: bp fix-and-improve-access-rules
Co-Authored-By: Mike Rooney <rooneym@netapp.com>
Change-Id: Ic25e63215b5ba723cbc8cab7c51789c698e76f28
2017-01-19 15:02:58 -05:00
Rodrigo Barbieri ec0cda28cd Fix share writable in host-assisted migration
For drivers that implement update_access always through recovery
mode, access rules previously set to read-only were being reset
to read-write when the Data Service was adding/removing its access
rule.

Fixed it by integrating the logic that casts DB rules to read-only
into access helper class.

Change-Id: Ife35dcdb99dffa2f266b5c2f6a68fe163da7edd3
Closes-bug: #1626523
2016-11-29 16:55:32 -02:00
zzxwill fb44a0a49e Put all imports from manila.i18n in one line
Put '_', '_LW', '_LI', '_LE' from manila.i18n in one line
to beautify it. Nova, neutron and many other projects
follow this rule. Like
bc5035343d/nova/virt/disk/mount/nbd.py
ee42af1011/neutron/cmd/ipset_cleanup.py
(added more files)

Change-Id: If7ed442ebe946b32b3234ce37b38ee3a5ccbcb39
2016-09-14 06:07:33 +00:00
Ramana Raja 0d4f2ee4e0 add access_key to share_access_map
For backends with internal authentication system,
e.g. Ceph, that return ``access_key`` (credential) for
client identities that are granted share access:

* Retrieve ``access_key`` as return value of driver's
  update_access()

* Store ``access_key`` in ShareAccessMapping model

* Expose it in access_list API

APIImpact

DocImpact

Partially implements bp auth-access-keys

Co-Authored-By: John Spray <jspray@redhat.com>

Change-Id: I486064f117cf3001dba7735ca92a7d89aee3ce5b
2016-08-22 20:41:19 +05:30
Valeriy Ponomaryov d878826cf3 Fix concurrent usage of update_access method for share instances
In mitaka, update_access merged with a known concurrency issue.
This concurrency has been randomly failing in our CIs. This change
adds a lock mechanism to prevent that, while rules are being removed
by a thread, a parallel thread adds back or handles the same rules
that are being removed.

Also, a late mitaka update_access patch [1] broke share migration access
rules consistency, thus leaving stale access rule data on share server
that hosted the share prior to its migration. This patch addresses this
by preventing the refresh mechanism from adding back rules
that are removed.

[1] I0f863cbae4d8af0660114161deda7bf7aa60d71d

Change-Id: Ief3b15eefc0fc325a2a5418fc7ac2724c315cc21
Co-Authored-By: Rodrigo Barbieri <rodrigo.barbieri2010@gmail.com>
Co-Authored-By: Goutham Pacha Ravi <gouthamr@netapp.com>
Closes-Bug: #1566815
Closes-Bug: #1609414
2016-08-08 20:10:57 -03:00
Ramana Raja 8da0cb6f2f share/access: allow maintenance mode to be triggered
... by preserving the error state of the share
instance's ``access_rules_status``.

Closes-Bug: #1605203

Change-Id: Ib0b01ee4b52e6c05d36484bdf3faa1b4db4b849a
2016-07-25 22:19:02 +05:30
tpsilva 70f59f7b7c Fix update_access concurrency issue
With the new update_access interface, concurrent requests to allow
access might get lost when the driver takes a long time to process
the new rules. This patch fixes this issue by verifying for the
existence of new unprocessed rules at the end of the update_access
method.

APIImpact
access_allow action on shares with access_rules_status 'out_of_sync'
was previously disallowed with HTTPBadRequest. Now, the action is
disallowed only for shares with access_rules_status set to 'error'.

Change-Id: I0f863cbae4d8af0660114161deda7bf7aa60d71d
Closes-bug: #1550295
2016-03-18 16:02:21 -03:00
Rodrigo Barbieri 51d9649a48 Fix delete when share not found in update_access
Whenever drivers throw exceptions during update_access,
the share cannot be deleted, not even with force-delete.
Some drivers already do not throw an exception in delete_share
in such cases, but update_access should still throw an exception
if the share is not found when allow_access or deny_access
are called.
This patch adds the possibility for a driver to throw a
ShareResourceNotFound exception to let the manager
know the share does not exist in the backend anymore.
Drivers that already handle this case in delete_share
(by not throwing an exception) only need to change update_access.
Additionally, this adds the possibility of the share being completely
deletable if force-delete is specified in the API call.

Closes-bug: #1550377
Change-Id: Iccce421f60234bc031f01370319a8918104b099b
2016-03-14 17:43:29 -03:00
Igor Malinovskiy b1b723ad0b Add update_access() method to driver interface
- Add update_access() method to driver interface
- Move all code related to access operations to ShareInstanceAccess
class
- Statuses from individual access rules are now mapped to
share_instance's access_rules_status
- Add 'access_rules_status' field to share instance, which indicates
current status of applying access rules

APIImpact
Co-Authored-By: Rodrigo Barbieri <rodrigo.barbieri@fit-tecnologia.org.br>
Co-Authored-By: Tiago Pasqualini da Silva <tiago.pasqualini@gmail.com>
Implements: bp new-share-access-driver-interface

Change-Id: Iff1ec2e3176a46e9f6bd383b38ffc5d838aa8bb8
2016-02-05 10:41:51 -02:00