From a956c6b9d87ee43c769b2669569b46efbaa23df1 Mon Sep 17 00:00:00 2001 From: Liam Young Date: Fri, 15 Dec 2017 07:16:52 +0000 Subject: [PATCH] Request class-read object_prefix rbd_children perm When using ceph as a backend request the additional privilege class-read on rbd_children. This fixes bug 1696073. Change-Id: Ia5f092255f1ff75796fc24a8bbd94dd1831e6807 Closes-Bug: #1696073 Depends-On: Icf844ec7d33f2e558dee7935fe5fa3d7f08e0d59 --- hooks/charmhelpers/contrib/openstack/utils.py | 15 +++++++++-- .../contrib/storage/linux/ceph.py | 25 ++++++++++++++----- hooks/cinder_hooks.py | 18 ++++++++----- 3 files changed, 44 insertions(+), 14 deletions(-) diff --git a/hooks/charmhelpers/contrib/openstack/utils.py b/hooks/charmhelpers/contrib/openstack/utils.py index 9e5af342..e1d852db 100644 --- a/hooks/charmhelpers/contrib/openstack/utils.py +++ b/hooks/charmhelpers/contrib/openstack/utils.py @@ -2045,14 +2045,25 @@ def token_cache_pkgs(source=None, release=None): def update_json_file(filename, items): """Updates the json `filename` with a given dict. - :param filename: json filename (i.e.: /etc/glance/policy.json) + :param filename: path to json file (e.g. /etc/glance/policy.json) :param items: dict of items to update """ + if not items: + return + with open(filename) as fd: policy = json.load(fd) + + # Compare before and after and if nothing has changed don't write the file + # since that could cause unnecessary service restarts. + before = json.dumps(policy, indent=4, sort_keys=True) policy.update(items) + after = json.dumps(policy, indent=4, sort_keys=True) + if before == after: + return + with open(filename, "w") as fd: - fd.write(json.dumps(policy, indent=4)) + fd.write(after) @cached diff --git a/hooks/charmhelpers/contrib/storage/linux/ceph.py b/hooks/charmhelpers/contrib/storage/linux/ceph.py index 0d9bacfd..87621c47 100644 --- a/hooks/charmhelpers/contrib/storage/linux/ceph.py +++ b/hooks/charmhelpers/contrib/storage/linux/ceph.py 
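Review bot: The rewrite of the policy file at the end of the hunk is still an in-place truncate-and-write (`open(filename, "w")`), so a hook crash or power loss between the truncate and `fd.write(after)` leaves an empty or partial policy file that the service cannot load at its next restart. The new before/after comparison makes writes rarer, not safer. Writing the new content to a sibling temporary file and renaming it over the original closes that window; because the in-place write implicitly kept the file's owner and mode, the replacement has to copy them explicitly. This assumes `os` is already imported in utils.py (the import block is outside the hunk), and since hooks/charmhelpers is a synced copy the fix belongs in charm-helpers upstream.
```python
    # … unchanged: load, before/after comparison, early return …
    # Write to a sibling temp file and rename it over the original so a crash
    # mid-write cannot leave a truncated policy file; the in-place truncate this
    # replaces kept owner/mode implicitly, so carry them over explicitly.
    st = os.stat(filename)
    tmp = filename + '.tmp'
    with open(tmp, "w") as fd:
        fd.write(after)
        fd.flush()
        os.fsync(fd.fileno())
    os.chown(tmp, st.st_uid, st.st_gid)
    os.chmod(tmp, st.st_mode)
    os.rename(tmp, filename)
```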
@@ -1064,14 +1064,24 @@ class CephBrokerRq(object): self.ops = [] def add_op_request_access_to_group(self, name, namespace=None, - permission=None, key_name=None): + permission=None, key_name=None, + object_prefix_permissions=None): """ Adds the requested permissions to the current service's Ceph key, - allowing the key to access only the specified pools + allowing the key to access only the specified pools or + object prefixes. object_prefix_permissions should be a dictionary + keyed on the permission with the corresponding value being a list + of prefixes to apply that permission to. + { + 'rwx': ['prefix1', 'prefix2'], + 'class-read': ['prefix3']} """ - self.ops.append({'op': 'add-permissions-to-key', 'group': name, - 'namespace': namespace, 'name': key_name or service_name(), - 'group-permission': permission}) + self.ops.append({ + 'op': 'add-permissions-to-key', 'group': name, + 'namespace': namespace, + 'name': key_name or service_name(), + 'group-permission': permission, + 'object-prefix-permissions': object_prefix_permissions}) def add_op_create_pool(self, name, replica_count=3, pg_num=None, weight=None, group=None, namespace=None): @@ -1107,7 +1117,10 @@ class CephBrokerRq(object): def _ops_equal(self, other): if len(self.ops) == len(other.ops): for req_no in range(0, len(self.ops)): - for key in ['replicas', 'name', 'op', 'pg_num', 'weight']: + for key in [ + 'replicas', 'name', 'op', 'pg_num', 'weight', + 'group', 'group-namespace', 'group-permission', + 'object-prefix-permissions']: if self.ops[req_no].get(key) != other.ops[req_no].get(key): return False else: diff --git a/hooks/cinder_hooks.py b/hooks/cinder_hooks.py index 09682f54..e34d3b1d 100755 --- a/hooks/cinder_hooks.py +++ b/hooks/cinder_hooks.py 
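Review bot: `object_prefix_permissions` is placed into the op verbatim, so a caller that passes a bare string as a value (`{'class-read': 'rbd_children'}`) instead of a list is accepted here, and how the broker on the other side treats that is not visible in this hunk. A cheap shape check on the request side keeps a mis-typed permission request from ever being sent: `if object_prefix_permissions is not None and any(isinstance(v, str) for v in object_prefix_permissions.values()): raise ValueError('object_prefix_permissions values must be lists of prefixes')`. The docstring would also read better with its example indented as a code block and with `:param` entries for `name`, `namespace`, `permission`, `key_name` and `object_prefix_permissions`, matching the `:param` style used in utils.py in this same change.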
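Review bot: The extended key list in `_ops_equal` compares `'group-namespace'`, but the access-request op built in the previous hunk stores its namespace under `'namespace'`, so two access requests that differ only in namespace still compare equal unless some other op type uses the `'group-namespace'` key (add_op_create_pool's body is outside the hunk). Because `_ops_equal` decides whether a broker request is treated as already answered, a field it ignores means a changed request may never be sent. Adding the key the access op actually uses closes the gap: `'group', 'namespace', 'group-namespace', 'group-permission',`. Note also that `!=` on the `'object-prefix-permissions'` dicts is order-sensitive for the prefix lists inside them, so callers should build those lists deterministically.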
@@ -416,12 +416,18 @@ def get_ceph_request(): replica_count=replicas, group="volumes") if config('restrict-ceph-pools'): - rq.add_op_request_access_to_group(name="volumes", - permission='rwx') - rq.add_op_request_access_to_group(name="images", - permission='rwx') - rq.add_op_request_access_to_group(name="vms", - permission='rwx') + rq.add_op_request_access_to_group( + name="volumes", + object_prefix_permissions={'class-read': ['rbd_children']}, + permission='rwx') + rq.add_op_request_access_to_group( + name="images", + object_prefix_permissions={'class-read': ['rbd_children']}, + permission='rwx') + rq.add_op_request_access_to_group( + name="vms", + object_prefix_permissions={'class-read': ['rbd_children']}, + permission='rwx') return rq
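Review bot: The same `object_prefix_permissions={'class-read': ['rbd_children']}` literal is repeated for all three groups, and nothing in the code records why the charm now asks for a capability beyond `rwx`, so a later cleanup could drop it from one pool and reintroduce the bug. A loop over the group names with one comment tying the extra class-read grant to bug 1696073 keeps the three requests identical and documents the privilege being requested. get_ceph_request begins outside the hunk.
```python
    if config('restrict-ceph-pools'):
        # class-read on rbd_children is the extra capability needed alongside
        # rwx (LP: #1696073); request it identically for every pool.
        for group in ("volumes", "images", "vms"):
            rq.add_op_request_access_to_group(
                name=group,
                object_prefix_permissions={'class-read': ['rbd_children']},
                permission='rwx')
    return rq
```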