From: Kevin Wolf <kwolf@redhat.com>
To: qemu-block@nongnu.org
Cc: kwolf@redhat.com, qemu-devel@nongnu.org
Subject: [Qemu-devel] [PULL 21/26] rbd: New parameter auth-client-required
Date: Fri, 15 Jun 2018 16:21:03 +0200
Message-ID: <20180615142108.27814-22-kwolf@redhat.com>
In-Reply-To: <20180615142108.27814-1-kwolf@redhat.com>

From: Markus Armbruster <armbru@redhat.com>

Parameter auth-client-required lets you configure authentication
methods.  We tried to provide that in v2.9.0, but backed out due to
interface design doubts (commit 464444fcc16).

This commit is similar to what we backed out, but simpler: we use a
list of enumeration values instead of a list of objects with a member
of enumeration type.

Let's review our reasons for backing out the first try, as stated in
the commit message:

    * The implementation uses deprecated rados_conf_set() key
      "auth_supported".  No biggie.

Fixed: we use "auth-client-required".

    * The implementation makes -drive silently ignore invalid parameters
      "auth" and "auth-supported.*.X" where X isn't "auth".  Fixable (in
      fact I'm going to fix similar bugs around parameter server), so
      again no biggie.

That fix is commit 2836284db60.  This commit doesn't bring the bugs
back.

    * BlockdevOptionsRbd member @password-secret applies only to
      authentication method cephx.  Should it be a variant member of
      RbdAuthMethod?

We've had time to ponder, and we decided to stick to the way Ceph
configuration works: the key configured separately, and silently
ignored if the authentication method doesn't use it.

    * BlockdevOptionsRbd member @user could apply to both methods cephx
      and none, but I'm not sure it's actually used with none.  If it
      isn't, should it be a variant member of RbdAuthMethod?

Likewise.

    * The client offers a *set* of authentication methods, not a list.
      Should the methods be optional members of BlockdevOptionsRbd instead
      of members of list @auth-supported?  The latter begs the question
      what multiple entries for the same method mean.  Trivial question
      now that RbdAuthMethod contains nothing but @type, but less so when
      RbdAuthMethod acquires other members, such as the ones discussed above.

Again, we decided to stick to the way Ceph configuration works, except
we make auth-client-required a list of enumeration values instead of a
string containing keywords separated by delimiters.

    * How BlockdevOptionsRbd member @auth-supported interacts with
      settings from a configuration file specified with @conf is
      undocumented.  I suspect it's untested, too.

Not actually true, the documentation for @conf says "Values in the
configuration file will be overridden by options specified via QAPI",
and we've tested this.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
 qapi/block-core.json | 13 +++++++++++++
 block/rbd.c          | 42 ++++++++++++++++++++++++++++++++----------
 2 files changed, 45 insertions(+), 10 deletions(-)

diff --git a/qapi/block-core.json b/qapi/block-core.json
index fff23fc82b..0f68ca56f3 100644
--- a/qapi/block-core.json
+++ b/qapi/block-core.json
@@ -3178,6 +3178,14 @@
 
 
 ##
+# @RbdAuthMode:
+#
+# Since: 3.0
+##
+{ 'enum': 'RbdAuthMode',
+  'data': [ 'cephx', 'none' ] }
+
+##
 # @BlockdevOptionsRbd:
 #
 # @pool:               Ceph pool name.
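Review bot: The doc comment for @RbdAuthMode carries only "Since: 3.0"; it has no summary line and does not document the values 'cephx' and 'none'. Suggest adding a one-line description of the enum plus @cephx and @none entries, so the generated QAPI documentation states what each mode means and, in particular, what selecting 'none' implies for the connection.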
@@ -3192,6 +3200,10 @@
 #
 # @user:               Ceph id name.
 #
+# @auth-client-required: Acceptable authentication modes.
+#                      This maps to Ceph configuration option
+#                      "auth_client_required".  (Since 3.0)
+#
 # @server:             Monitor host address and port.  This maps
 #                      to the "mon_host" Ceph option.
 #
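Review bot: The @auth-client-required description does not say what happens when the member is omitted, nor how ordering and duplicate entries in the list are treated. The commit message raises the duplicate-entries question itself and notes that QAPI options override values from @conf; saying here that omitting the member leaves the configuration file's (or Ceph's default) setting in effect would let a reader tell which modes a client will actually accept.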
@@ -3203,6 +3215,7 @@
             '*conf': 'str',
             '*snapshot': 'str',
             '*user': 'str',
+            '*auth-client-required': ['RbdAuthMode'],
             '*server': ['InetSocketAddressBase'] } }
 
 ##
diff --git a/block/rbd.c b/block/rbd.c
index 82346a2a5e..ea0575d068 100644
--- a/block/rbd.c
+++ b/block/rbd.c
@@ -240,20 +240,42 @@ static void qemu_rbd_refresh_limits(BlockDriverState *bs, Error **errp)
 
 
 static int qemu_rbd_set_auth(rados_t cluster, const char *secretid,
+                             BlockdevOptionsRbd *opts,
                              Error **errp)
 {
-    if (secretid == 0) {
-        return 0;
-    }
+    char *acr;
+    int r;
+    GString *accu;
+    RbdAuthModeList *auth;
+
+    if (secretid) {
+        gchar *secret = qcrypto_secret_lookup_as_base64(secretid,
+                                                        errp);
+        if (!secret) {
+            return -1;
+        }
 
-    gchar *secret = qcrypto_secret_lookup_as_base64(secretid,
-                                                    errp);
-    if (!secret) {
-        return -1;
+        rados_conf_set(cluster, "key", secret);
+        g_free(secret);
     }
 
-    rados_conf_set(cluster, "key", secret);
-    g_free(secret);
+    if (opts->has_auth_client_required) {
+        accu = g_string_new("");
+        for (auth = opts->auth_client_required; auth; auth = auth->next) {
+            if (accu->str[0]) {
+                g_string_append_c(accu, ';');
+            }
+            g_string_append(accu, RbdAuthMode_str(auth->value));
+        }
+        acr = g_string_free(accu, FALSE);
+        r = rados_conf_set(cluster, "auth_client_required", acr);
+        g_free(acr);
+        if (r < 0) {
+            error_setg_errno(errp, -r,
+                             "Could not set 'auth_client_required'");
+            return r;
+        }
+    }
 
     return 0;
 }
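Review bot: In the `if (secretid)` branch the return value of `rados_conf_set(cluster, "key", secret)` is ignored, while the new "auth_client_required" call below it checks `r < 0` and reports through errp. A failure to set the key would go unnoticed and the connection attempt would carry on without the key the user supplied; suggest checking it the same way and setting an error. Also, when the list is present but empty, the loop appends nothing and an empty string is passed to rados_conf_set(); that case deserves either an explicit error or a comment saying it is intended.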
@@ -585,7 +607,7 @@ static int qemu_rbd_connect(rados_t *cluster, rados_ioctx_t *io_ctx,
         }
     }
 
-    if (qemu_rbd_set_auth(*cluster, secretid, errp) < 0) {
+    if (qemu_rbd_set_auth(*cluster, secretid, opts, errp) < 0) {
         r = -EIO;
         goto failed_shutdown;
     }
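Review bot: This call site maps every failure of qemu_rbd_set_auth() to `r = -EIO`, yet the helper now has two return conventions: `return -1` when the secret lookup fails and `return r` (the negative value from rados_conf_set()) for "auth_client_required". Since the value is discarded here, suggest returning -1 in both places in the helper, or propagating its return value at this call if the errno is meant to reach the caller.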
-- 
2.13.6