mon, cephfs: Add auth caps for CephFS fsids #32581
87c6368 to 99e732c
Hi Rishabh, This will need a test associated with it. |
batrick
left a comment
Also need to address especially: #26855 (comment)
@gregsfortytwo @liewegas do you have a suggestion on how that would look? mon allow r fscid=<fscid>?
Yes, that looks right to me if you're trying to restrict a user to reading only from fscid 1. As you note in the previous comment, an "allow rw" would supersede any separate "allow fscid=N" clause, so they'd need to be stuck together in any case. |
Yes, I think so. Thanks! |
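The point settled in the exchange above, as an added example (not code from this PR or from Ceph): a simplified model of OR-ed cap clauses, showing why the `fscid` restriction has to sit in the same clause as the permission. The clause grammar and the names `Grant`, `parse_caps`, `is_capable` and `audit` are assumptions for illustration; this is not Ceph's MonCap parser.

```python
import re
from typing import NamedTuple, Optional


class Grant(NamedTuple):
    perms: frozenset        # subset of {"r", "w"}
    fscid: Optional[int]    # None: the clause is not tied to any file system


# One clause (assumed grammar): "allow", optional permission letters,
# optional "fscid=N".
_CLAUSE = re.compile(
    r"^allow(?:\s+(?P<perms>[rw]+))?(?:\s+fscid=(?P<fscid>\d+))?$")


def parse_caps(cap_string: str) -> list:
    """Split a comma-separated cap string into independent grants."""
    grants = []
    for clause in cap_string.split(","):
        m = _CLAUSE.match(clause.strip())
        if m is None:
            raise ValueError(f"unparseable clause: {clause.strip()!r}")
        fscid = m.group("fscid")
        grants.append(Grant(frozenset(m.group("perms") or ""),
                            int(fscid) if fscid is not None else None))
    return grants


def is_capable(grants, perm: str, fscid: int) -> bool:
    """Grants are OR-ed: one matching clause is enough to allow access."""
    return any(perm in g.perms and g.fscid in (None, fscid) for g in grants)


def audit(cap_string: str, intended_fscid: int) -> list:
    """Return the clauses that grant permissions outside intended_fscid."""
    return [g for g in parse_caps(cap_string)
            if g.perms and g.fscid != intended_fscid]


if __name__ == "__main__":
    # Constructed cap strings: restriction inside the clause vs. beside it.
    for caps in ("allow r fscid=1", "allow rw, allow fscid=1"):
        grants = parse_caps(caps)
        print(f"{caps!r}: read fscid 2 -> {is_capable(grants, 'r', 2)}, "
              f"over-broad clauses -> {audit(caps, 1)}")
```
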
99e732c to ac535aa
Needs rebase |
78c6eb8 to 5a6df79
Testing bits of my patch in that applies in qa that can't be tested with vstart_runner.py |
a3d13e4 to 1b02da6
Teuthology testing fails with both kernel as well as FUSE client. Here's the links to the tests - Here's the failure of kernel client - Looks like I need to modify some file And, here's the failure for FUSE client - Looks like the command to mount was executed successfully but the mount itself failed for some reason. I've got no idea what's the reason behind this. The remounting is different from any remounting in the sense that this time mounting happens with a different client ID and keyring. FYI: These tests ran successfully when I tested with vstart_runner.py. |
This commit introduces the following two sets of changes - First, make client keyring path, mountpoint on host FS and CephFS and CephFS's name attributes of the object representing the mount and update all the mount object creation calls accordingly. Also, rewrite all the mount object creation to use keyword arguments instead of positional arguments to avoid mistakes, especially since a new argument was added in this commit. Second, add remount method to mount.py so that it's possible to unmount safely, modify the attributes of the object representing the mount and mount again based on new state of the object *in a single call*. The method is placed in mount.py to avoid duplication. This change leads to two more changes: upgrading interface of mount() and mount_wait() and upgrading testsuites to adapt to these changes. Signed-off-by: Rishabh Dave <ridave@redhat.com>
This commit adds a new argument check_status to mount methods of KernelMount, FuseMount, LocalKernelMount and LocalFuseMount. When value of this argument is False, these methods would catch the CommandFailedError exception and would return a tuple consisting of the exception itself, and stdout and stderr of the mount command. This allows reusing these mount methods while running negative tests for commands. The name "check_status" is selected so since teuthology's run() and vstart_runner's run() use a variable with same name for the very same purpose. Signed-off-by: Rishabh Dave <ridave@redhat.com>
And reset_obj_attrs parameter to it so that the caller of the method can choose to destroy the Ceph FS represented by the object without disturbing the object attributes. Signed-off-by: Rishabh Dave <ridave@redhat.com>
Modify cephfs.filesystem.Filesystem.recreate() method to delete only the FS represented by the object instead of deleting every FS on the Ceph cluster. Signed-off-by: Rishabh Dave <ridave@redhat.com>
|
Added DNM to test changes the fix for ceph API tests. |
Modify filesystem.Filesystem.delete_all_filesystems() method to make it more succinct, move it to class MDSCluster instead and update every call to it accordingly. Signed-off-by: Rishabh Dave <ridave@redhat.com>
Signed-off-by: Rishabh Dave <ridave@redhat.com>
|
ceph API tests passed - https://jenkins.ceph.com/job/ceph-api/2802/ |
|
jenkins test make check |
|
jenkins render docs |
|
Doc render available at http://docs.ceph.com/ceph-prs/32581/ |
Add testsuite for testing authorization on Ceph cluster with multiple file systems and enable it to be executable with Teuthology framework. Also add helper methods required to setup the test environment for multi-FS tests. Signed-off-by: Rishabh Dave <ridave@redhat.com>
Right now, only client IDs are stashed and restored but with the recent changes (addition of more attributes to mount objects, specifically), this is not enough. Saving and restoring these details before and after tests respectively ensures that mount commands run smoothly. Not doing this typically leads to mount command failure for the second test in the testsuite under execution since the client IDs are saved and restored in CephFSTestCase.setUp and CephFSTestCase.tearDown respectively but the rest of the details are not. Signed-off-by: Rishabh Dave <ridave@redhat.com>
Making caps FS-specific affects "fs authorize" subcommand. Let's add a few tests to verify its behaviour. Signed-off-by: Rishabh Dave <ridave@redhat.com>
|
jenkins test make check |
|
Thanks, Rishabh! |
Fixes: https://tracker.ceph.com/issues/15070
First 3 commits are rebased and modified version of PR #26855.
fsnames.
fsnames and paths in same cap.
fs authorize subcommand assign MON cap specific to that FS
filesystem.py
Filesystem.recreate() and mds_cluster.delete_all_filesystems()
fs authorize subcommand.