From af51b46b1e08b26c07bd32019e54b9c521cb7813 Mon Sep 17 00:00:00 2001
From: James Page
Date: Mon, 15 Oct 2012 13:21:55 +0100
Subject: Allow local rbd user and secret_uuid configuration
By default, the rbd_user and rbd_secret_uuid are specified in the nova-volume/cinder configuration and passed to nova-compute when volumes are attached to instances. This change allows these values to be specified locally in nova-compute which means access control to RADOS devices in ceph can be managed independently from nova-volume/cinder with no requirement for consistent uuid's for libvirt secrets. Fixes bug 1065883.
Change-Id: I9f07d040ae267bfbe8f794a5d22d327106314cc6
---
 nova/tests/test_libvirt.py | 66 +++++++++++++++++++++++++++++++++++++++++++++
 nova/virt/libvirt/volume.py | 15 ++++++++---
 2 files changed, 78 insertions(+), 3 deletions(-)
(limited to 'nova')
diff --git a/nova/tests/test_libvirt.py b/nova/tests/test_libvirt.py
index 7de72266b..43b4d4813 100644
--- a/nova/tests/test_libvirt.py
+++ b/nova/tests/test_libvirt.py
@@ -299,6 +299,38 @@ class LibvirtVolumeTestCase(test.TestCase):
 libvirt_driver.disconnect_volume(connection_info, mount_device)
 connection_info = vol_driver.terminate_connection(vol, self.connr)
 
+ def test_libvirt_rbd_driver_auth_enabled_flags_override(self):
+ vol_driver = volume_driver.RBDDriver()
+ libvirt_driver = volume.LibvirtNetVolumeDriver(self.fake_conn)
+ name = 'volume-00000001'
+ vol = {'id': 1, 'name': name}
+ connection_info = vol_driver.initialize_connection(vol, self.connr)
+ uuid = '875a8070-d0b9-4949-8b31-104d125c9a64'
+ user = 'foo'
+ secret_type = 'ceph'
+ connection_info['data']['auth_enabled'] = True
+ connection_info['data']['auth_username'] = user
+ connection_info['data']['secret_type'] = secret_type
+ connection_info['data']['secret_uuid'] = uuid
+
+ flags_uuid = '37152720-1785-11e2-a740-af0c1d8b8e4b'
+ flags_user = 'bar'
+ self.flags(rbd_user=flags_user,
+ rbd_secret_uuid=flags_uuid)
+
+ mount_device = "vde"
+ conf = libvirt_driver.connect_volume(connection_info, mount_device)
+ tree = conf.format_dom()
+ self.assertEqual(tree.get('type'), 'network')
+ self.assertEqual(tree.find('./source').get('protocol'), 'rbd')
+ rbd_name = '%s/%s' % (FLAGS.rbd_pool, name)
+ self.assertEqual(tree.find('./source').get('name'), rbd_name)
+ self.assertEqual(tree.find('./auth').get('username'), flags_user)
+ self.assertEqual(tree.find('./auth/secret').get('type'), secret_type)
+ self.assertEqual(tree.find('./auth/secret').get('uuid'), flags_uuid)
+ libvirt_driver.disconnect_volume(connection_info, mount_device)
+ connection_info = vol_driver.terminate_connection(vol, self.connr)
+
 def test_libvirt_rbd_driver_auth_disabled(self):
 vol_driver = volume_driver.RBDDriver()
 libvirt_driver = volume.LibvirtNetVolumeDriver(self.fake_conn)
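Review bot: Both new tests set `rbd_user` and `rbd_secret_uuid` together, so the partial configurations the driver change permits are not pinned: `rbd_secret_uuid` without `rbd_user` (the username should fall back to the connection_info value) and `rbd_user` without `rbd_secret_uuid` (the local user is not applied). These settings decide which Ceph identity a guest disk is attached with, so an assertion per case is worth adding, for example `self.flags(rbd_secret_uuid=flags_uuid)` followed by `self.assertEqual(tree.find('./auth').get('username'), user)`. This test and `test_libvirt_rbd_driver_auth_disabled_flags_override` in the next hunk are identical apart from the `auth_enabled` value, so a shared helper taking that value would remove the duplication.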
@@ -324,6 +356,40 @@ class LibvirtVolumeTestCase(test.TestCase):
 libvirt_driver.disconnect_volume(connection_info, mount_device)
 connection_info = vol_driver.terminate_connection(vol, self.connr)
 
+ def test_libvirt_rbd_driver_auth_disabled_flags_override(self):
+ vol_driver = volume_driver.RBDDriver()
+ libvirt_driver = volume.LibvirtNetVolumeDriver(self.fake_conn)
+ name = 'volume-00000001'
+ vol = {'id': 1, 'name': name}
+ connection_info = vol_driver.initialize_connection(vol, self.connr)
+ uuid = '875a8070-d0b9-4949-8b31-104d125c9a64'
+ user = 'foo'
+ secret_type = 'ceph'
+ connection_info['data']['auth_enabled'] = False
+ connection_info['data']['auth_username'] = user
+ connection_info['data']['secret_type'] = secret_type
+ connection_info['data']['secret_uuid'] = uuid
+
+ # NOTE: Supplying the rbd_secret_uuid will enable authentication
+ # locally in nova-compute even if not enabled in nova-volume/cinder
+ flags_uuid = '37152720-1785-11e2-a740-af0c1d8b8e4b'
+ flags_user = 'bar'
+ self.flags(rbd_user=flags_user,
+ rbd_secret_uuid=flags_uuid)
+
+ mount_device = "vde"
+ conf = libvirt_driver.connect_volume(connection_info, mount_device)
+ tree = conf.format_dom()
+ self.assertEqual(tree.get('type'), 'network')
+ self.assertEqual(tree.find('./source').get('protocol'), 'rbd')
+ rbd_name = '%s/%s' % (FLAGS.rbd_pool, name)
+ self.assertEqual(tree.find('./source').get('name'), rbd_name)
+ self.assertEqual(tree.find('./auth').get('username'), flags_user)
+ self.assertEqual(tree.find('./auth/secret').get('type'), secret_type)
+ self.assertEqual(tree.find('./auth/secret').get('uuid'), flags_uuid)
+ libvirt_driver.disconnect_volume(connection_info, mount_device)
+ connection_info = vol_driver.terminate_connection(vol, self.connr)
+
 def test_libvirt_lxc_volume(self):
 self.stubs.Set(os.path, 'exists', lambda x: True)
 vol_driver = volume_driver.ISCSIDriver()
diff --git a/nova/virt/libvirt/volume.py b/nova/virt/libvirt/volume.py
index cf08ea85e..2a018c724 100644
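Review bot: The fixture fills in `auth_username`, `secret_type` and `secret_uuid` by hand even though `auth_enabled` is False, so the test passes without showing that the forced-authentication path works on the connection_info a volume service with authentication disabled really returns. A variant that only sets `connection_info['data']['auth_enabled'] = False` and leaves the rest as `initialize_connection` produced it would show whether the local override is self-sufficient; what that call returns is not visible here. The NOTE comment could also say that the secret type is still taken from connection_info, which is what the `secret_type` assertion relies on.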
--- a/nova/virt/libvirt/volume.py
+++ b/nova/virt/libvirt/volume.py
@@ -87,10 +87,19 @@ class LibvirtNetVolumeDriver(LibvirtVolumeDriver):
 conf.target_bus = "virtio"
 conf.serial = connection_info.get('serial')
 netdisk_properties = connection_info['data']
- if netdisk_properties.get('auth_enabled'):
- conf.auth_username = netdisk_properties['auth_username']
+ auth_enabled = netdisk_properties.get('auth_enabled')
+ if (conf.source_protocol == 'rbd' and
+ FLAGS.rbd_secret_uuid):
+ conf.auth_secret_uuid = FLAGS.rbd_secret_uuid
+ auth_enabled = True # Force authentication locally
+ if FLAGS.rbd_user:
+ conf.auth_username = FLAGS.rbd_user
+ if auth_enabled:
+ conf.auth_username = (conf.auth_username or
+ netdisk_properties['auth_username'])
 conf.auth_secret_type = netdisk_properties['secret_type']
- conf.auth_secret_uuid = netdisk_properties['secret_uuid']
+ conf.auth_secret_uuid = (conf.auth_secret_uuid or
+ netdisk_properties['secret_uuid'])
 return conf
 
 
-- 
cgit
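Review bot: When `FLAGS.rbd_secret_uuid` forces `auth_enabled = True`, the block still indexes `netdisk_properties['secret_type']` and, if `rbd_user` is unset, `netdisk_properties['auth_username']`, so a volume service that has authentication disabled and omits those keys would make the attach fail with a KeyError; whether it omits them is not visible in this hunk. Reading them with `netdisk_properties.get(...)` and raising a clear configuration error when no username or secret type can be resolved would make the local-override path self-contained. Separately, `FLAGS.rbd_user` is only consulted inside the `rbd_secret_uuid` branch, so setting `rbd_user` alone is silently ignored and the identity supplied by the volume service is used; a comment such as `# rbd_user only takes effect together with rbd_secret_uuid`, or a logged warning, would keep operators from assuming a local Ceph identity is in force. The enclosing method starts above the hunk, and the `conf.auth_username or ...` fallback depends on the config object's initial attribute values, which are defined elsewhere.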