openstack/charm-glance
Code Issues Proposed changes

Request class-read object_prefix rbd_children perm

Browse Source 
When using ceph as a backend request the additional privilege
class-read on rbd_children. This fixes bug 1696073.

Change-Id: Ie4341eb834ae6fe02424c75e31f16f1cf5411f21
Closes-Bug: #1696073
Depends-On: Icf844ec7d33f2e558dee7935fe5fa3d7f08e0d59
This commit is contained in:
Liam Young 2017-12-14 14:15:32 +00:00
parent b95ad9c023
commit 4b9e5c393b
4 changed files with 28 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -11,3 +11,4 @@ trusty
.idea .idea
.stestr .stestr
func-results.json func-results.json
__pycache__

25
charmhelpers/contrib/storage/linux/ceph.py
View File

@ -1064,14 +1064,24 @@ class CephBrokerRq(object):
self.ops = [] self.ops = []
def add_op_request_access_to_group(self, name, namespace=None, def add_op_request_access_to_group(self, name, namespace=None,
permission=None, key_name=None): permission=None, key_name=None,
object_prefix_permissions=None):
""" """
Adds the requested permissions to the current service's Ceph key, Adds the requested permissions to the current service's Ceph key,
allowing the key to access only the specified pools allowing the key to access only the specified pools or
object prefixes. object_prefix_permissions should be a dictionary
keyed on the permission with the corresponding value being a list
of prefixes to apply that permission to.
{
'rwx': ['prefix1', 'prefix2'],
'class-read': ['prefix3']}
""" """
self.ops.append({'op': 'add-permissions-to-key', 'group': name, self.ops.append({
'namespace': namespace, 'name': key_name or service_name(), 'op': 'add-permissions-to-key', 'group': name,
'group-permission': permission}) 'namespace': namespace,
'name': key_name or service_name(),
'group-permission': permission,
'object-prefix-permissions': object_prefix_permissions})
def add_op_create_pool(self, name, replica_count=3, pg_num=None, def add_op_create_pool(self, name, replica_count=3, pg_num=None,
weight=None, group=None, namespace=None): weight=None, group=None, namespace=None):
@ -1107,7 +1117,10 @@ class CephBrokerRq(object):
def _ops_equal(self, other): def _ops_equal(self, other):
if len(self.ops) == len(other.ops): if len(self.ops) == len(other.ops):
for req_no in range(0, len(self.ops)): for req_no in range(0, len(self.ops)):
for key in ['replicas', 'name', 'op', 'pg_num', 'weight']: for key in [
'replicas', 'name', 'op', 'pg_num', 'weight',
'group', 'group-namespace', 'group-permission',
'object-prefix-permissions']:
if self.ops[req_no].get(key) != other.ops[req_no].get(key): if self.ops[req_no].get(key) != other.ops[req_no].get(key):
return False return False
else: else:

6
hooks/glance_relations.py
View File

@ -307,8 +307,10 @@ def get_ceph_request():
rq.add_op_create_pool(name=service, replica_count=replicas, rq.add_op_create_pool(name=service, replica_count=replicas,
weight=weight, group='images') weight=weight, group='images')
if config('restrict-ceph-pools'): if config('restrict-ceph-pools'):
rq.add_op_request_access_to_group(name="images", rq.add_op_request_access_to_group(
permission='rwx') name="images",
object_prefix_permissions={'class-read': ['rbd_children']},
permission='rwx')
return rq return rq

5
unit_tests/test_glance_relations.py
View File

@ -485,7 +485,10 @@ class GlanceRelationTests(CharmTestCase):
mock_create_pool.assert_called_with(name='glance', replica_count=3, mock_create_pool.assert_called_with(name='glance', replica_count=3,
weight=6, group='images') weight=6, group='images')
mock_request_access.assert_has_calls([ mock_request_access.assert_has_calls([
call(name='images', permission='rwx'), call(
name='images',
object_prefix_permissions={'class-read': ['rbd_children']},
permission='rwx'),
]) ])
@patch.object(relations, 'get_ceph_request') @patch.object(relations, 'get_ceph_request')