Disable insecure global-id reclamation

Closes-Bug: #1929262 Change-Id: Id9f4cfdd70bab0090b66cbc8aeb258936cbf909e
2021-08-19 16:05:34 -05:00 · 2021-08-19 16:05:34 -05:00 · a1d0518c80
parent dfbda68e1a
commit a1d0518c80
4 changed files with 36 additions and 2 deletions
--- a/hooks/ceph_hooks.py
+++ b/hooks/ceph_hooks.py
@ -103,6 +103,7 @@ from utils import (
    mgr_enable_module,
    is_mgr_module_enabled,
    set_balancer_mode,
+    try_disable_insecure_reclaim,
 )

 from charmhelpers.contrib.charmsupport import nrpe
@ -325,10 +326,9 @@ def config_changed():
        if cmp_pkgrevno('ceph', '12.0.0') >= 0:
            status_set('maintenance', 'Bootstrapping single Ceph MGR')
            ceph.bootstrap_manager()
-
+        try_disable_insecure_reclaim()
    for relid in relation_ids('dashboard'):
        dashboard_relation(relid)
-
    # Update client relations
    notify_client()

@ -528,6 +528,8 @@ def attempt_mon_cluster_bootstrap():
        except subprocess.CalledProcessError:
            log("Failed to initialize autoscaler, it must be "
                "initialized on the last monitor", level='info')
+
+    try_disable_insecure_reclaim()
    # If we can and want to
    if is_leader() and config('customize-failure-domain'):
        # But only if the environment supports it
--- a/hooks/utils.py
+++ b/hooks/utils.py
@ -23,6 +23,7 @@ from charmhelpers.core.hookenv import (
    cached,
    config,
    goal_state,
+    is_leader,
    log,
    network_get_primary_address,
    related_units,
@ -296,6 +297,24 @@ def get_ceph_osd_releases():
    return list(ceph_osd_releases)


+def try_disable_insecure_reclaim():
+    """Disable insecure global-id reclaim on supported versions.
+
+    This function will disable insecure global-id reclaim on versions
+    of ceph that are supported. Running this on a healthy cluster or
+    a cluster that doesn't support the option won't have any effect.
+    """
+    if is_leader():
+        try:
+            subprocess.check_call([
+                'ceph', '--id', 'admin',
+                'config', 'set', 'mon',
+                'auth_allow_insecure_global_id_reclaim', 'false'])
+        except subprocess.CalledProcessError as e:
+            log("Could not disable insecure reclaim: {}".format(e),
+                level='ERROR')
+
+
 def execute_post_osd_upgrade_steps(ceph_osd_release):
    """Executes post-upgrade steps.

--- a/unit_tests/test_ceph_hooks.py
+++ b/unit_tests/test_ceph_hooks.py
@ -32,6 +32,7 @@ TO_PATCH = [
    'relation_get',
    'relations_of_type',
    'status_set',
+    'try_disable_insecure_reclaim',
 ]

 CHARM_CONFIG = {'config-flags': '',
--- a/unit_tests/test_ceph_utils.py
+++ b/unit_tests/test_ceph_utils.py
@ -388,3 +388,15 @@ class CephUtilsTestCase(test_utils.CharmTestCase):
        is_mgr_module_enabled.return_value = False
        utils.set_balancer_mode('upmap')
        check_call.assert_not_called()
+
+    @mock.patch.object(utils.subprocess, 'check_call')
+    @mock.patch.object(utils, 'is_leader')
+    def test_disable_insecure_reclaim(self,
+                                      is_leader,
+                                      check_call):
+        is_leader.return_value = True
+        utils.try_disable_insecure_reclaim()
+        check_call.assert_called_once_with([
+            'ceph', '--id', 'admin',
+            'config', 'set', 'mon',
+            'auth_allow_insecure_global_id_reclaim', 'false'])