From f560f687deba14702f4a8f6987168e2d51c5088a Mon Sep 17 00:00:00 2001
|
|
From: Markus Armbruster <armbru@redhat.com>
|
|
Date: Mon, 18 Jun 2018 08:43:30 +0200
|
|
Subject: [PATCH 032/268] rbd: New parameter key-secret
|
|
|
|
RH-Author: Markus Armbruster <armbru@redhat.com>
|
|
Message-id: <20180618084330.30009-24-armbru@redhat.com>
|
|
Patchwork-id: 80727
|
|
O-Subject: [RHEL-7.6 qemu-kvm-rhev PATCH 23/23] rbd: New parameter key-secret
|
|
Bugzilla: 1557995
|
|
RH-Acked-by: Max Reitz <mreitz@redhat.com>
|
|
RH-Acked-by: Jeffrey Cody <jcody@redhat.com>
|
|
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
|
|
|
|
Legacy -drive supports "password-secret" parameter that isn't
|
|
available with -blockdev / blockdev-add. That's because we backed out
|
|
our first try to provide it there due to interface design doubts, in
|
|
commit 577d8c9a811, v2.9.0.
|
|
|
|
This is the second try. It brings back the parameter, except it's
|
|
named "key-secret" now.
|
|
|
|
Let's review our reasons for backing out the first try, as stated in
|
|
the commit message:
|
|
|
|
* BlockdevOptionsRbd member @password-secret isn't actually a
|
|
password, it's a key generated by Ceph.
|
|
|
|
Addressed by the rename.
|
|
|
|
* We're not sure where member @password-secret belongs (see the
|
|
previous commit).
|
|
|
|
See previous commit.
|
|
|
|
* How @password-secret interacts with settings from a configuration
|
|
file specified with @conf is undocumented.
|
|
|
|
Not actually true, the documentation for @conf says "Values in the
|
|
configuration file will be overridden by options specified via QAPI",
|
|
and we've tested this.
|
|
|
|
Signed-off-by: Markus Armbruster <armbru@redhat.com>
|
|
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
|
|
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
|
(cherry picked from commit d083f954a95d37b460df0c2fbfe46ad7eb207b10)
|
|
[Conflict due to lack of commit e8e16d4baff "rbd: Switch to byte-based
|
|
callbacks" trivially resolved]
|
|
|
|
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
|
---
|
|
block/rbd.c | 41 +++++++++++++++++++++++++----------------
|
|
qapi/block-core.json | 6 ++++++
|
|
2 files changed, 31 insertions(+), 16 deletions(-)
|
|
|
|
diff --git a/block/rbd.c b/block/rbd.c
|
|
index 9c0903f..3242bcd 100644
|
|
--- a/block/rbd.c
|
|
+++ b/block/rbd.c
|
|
@@ -232,24 +232,25 @@ done:
|
|
}
|
|
|
|
|
|
-static int qemu_rbd_set_auth(rados_t cluster, const char *secretid,
|
|
- BlockdevOptionsRbd *opts,
|
|
+static int qemu_rbd_set_auth(rados_t cluster, BlockdevOptionsRbd *opts,
|
|
Error **errp)
|
|
{
|
|
- char *acr;
|
|
+ char *key, *acr;
|
|
int r;
|
|
GString *accu;
|
|
RbdAuthModeList *auth;
|
|
|
|
- if (secretid) {
|
|
- gchar *secret = qcrypto_secret_lookup_as_base64(secretid,
|
|
- errp);
|
|
- if (!secret) {
|
|
- return -1;
|
|
+ if (opts->key_secret) {
|
|
+ key = qcrypto_secret_lookup_as_base64(opts->key_secret, errp);
|
|
+ if (!key) {
|
|
+ return -EIO;
|
|
+ }
|
|
+ r = rados_conf_set(cluster, "key", key);
|
|
+ g_free(key);
|
|
+ if (r < 0) {
|
|
+ error_setg_errno(errp, -r, "Could not set 'key'");
|
|
+ return r;
|
|
}
|
|
-
|
|
- rados_conf_set(cluster, "key", secret);
|
|
- g_free(secret);
|
|
}
|
|
|
|
if (opts->has_auth_client_required) {
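Review bot: The base64 cephx key returned by qcrypto_secret_lookup_as_base64 is released on the line `g_free(key);` without being cleared first, so the key material stays readable in freed heap memory until that chunk is reused. librados has presumably taken its own copy inside rados_conf_set, so a wipe only narrows the exposure, but it is cheap: `memset(key, 0, strlen(key)); g_free(key);` — with the caveat that an optimizer may elide a plain memset immediately before a free, so a non-elidable wipe helper is preferable if the tree provides one. Returning -EIO on a failed lookup and propagating the rados_conf_set error are an improvement over the old unchecked call. The rest of qemu_rbd_set_auth (the auth_client_required handling) continues past the hunk.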
|
|
@@ -360,9 +361,7 @@ static QemuOptsList runtime_opts = {
|
|
},
|
|
};
|
|
|
|
-/* FIXME Deprecate and remove keypairs or make it available in QMP.
|
|
- * password_secret should eventually be configurable in opts->location. Support
|
|
- * for it in .bdrv_open will make it work here as well. */
|
|
+/* FIXME Deprecate and remove keypairs or make it available in QMP. */
|
|
static int qemu_rbd_do_create(BlockdevCreateOptions *options,
|
|
const char *keypairs, const char *password_secret,
|
|
Error **errp)
|
|
@@ -568,6 +567,16 @@ static int qemu_rbd_connect(rados_t *cluster, rados_ioctx_t *io_ctx,
|
|
Error *local_err = NULL;
|
|
int r;
|
|
|
|
+ if (secretid) {
|
|
+ if (opts->key_secret) {
|
|
+ error_setg(errp,
|
|
+ "Legacy 'password-secret' clashes with 'key-secret'");
|
|
+ return -EINVAL;
|
|
+ }
|
|
+ opts->key_secret = g_strdup(secretid);
|
|
+ opts->has_key_secret = true;
|
|
+ }
|
|
+
|
|
mon_host = qemu_rbd_mon_host(opts, &local_err);
|
|
if (local_err) {
|
|
error_propagate(errp, local_err);
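Review bot: The block starting at `if (secretid) {` mutates the caller's opts and hands it ownership of a g_strdup'd string without a comment saying why, which a reader has to reconstruct from qemu_rbd_set_auth. Suggest a comment above it: `/* Legacy -drive "password-secret" is an alias of "key-secret": fold it into opts (released together with opts by the caller) so qemu_rbd_set_auth() needs only one lookup path. */` — this assumes the caller does free opts with the QAPI free function, which the hunk does not show. The clash test also reads the pointer `opts->key_secret` while the first hunk's `if (opts->has_auth_client_required)` reads the has_ flag; both work for QAPI-generated structs, but picking one form would be more consistent. qemu_rbd_connect's signature and the remainder of its body lie outside the hunk.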
|
|
@@ -600,8 +609,8 @@ static int qemu_rbd_connect(rados_t *cluster, rados_ioctx_t *io_ctx,
|
|
}
|
|
}
|
|
|
|
- if (qemu_rbd_set_auth(*cluster, secretid, opts, errp) < 0) {
|
|
- r = -EIO;
|
|
+ r = qemu_rbd_set_auth(*cluster, opts, errp);
|
|
+ if (r < 0) {
|
|
goto failed_shutdown;
|
|
}
|
|
|
|
diff --git a/qapi/block-core.json b/qapi/block-core.json
|
|
index d1da7d1..51eafdd 100644
|
|
--- a/qapi/block-core.json
|
|
+++ b/qapi/block-core.json
|
|
@@ -3196,6 +3196,11 @@
|
|
# This maps to Ceph configuration option
|
|
# "auth_client_required". (Since 3.0)
|
|
#
|
|
+# @key-secret: ID of a QCryptoSecret object providing a key
|
|
+# for cephx authentication.
|
|
+# This maps to Ceph configuration option
|
|
+# "key". (Since 3.0)
|
|
+#
|
|
# @server: Monitor host address and port. This maps
|
|
# to the "mon_host" Ceph option.
|
|
#
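Review bot: The new @key-secret entry does not say how it relates to the legacy -drive option password-secret, even though the block/rbd.c change in this same patch rejects the two when both are given. Suggest adding a line to the comment: `# Mutually exclusive with the legacy -drive option "password-secret".` It may also help to state what the secret must hold: block/rbd.c fetches it via qcrypto_secret_lookup_as_base64 and passes the result straight to the Ceph "key" option, which suggests the secret's data is the cephx key handed to Ceph in base64 form — confirm the encoding before documenting it.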
|
|
@@ -3208,6 +3213,7 @@
|
|
'*snapshot': 'str',
|
|
'*user': 'str',
|
|
'*auth-client-required': ['RbdAuthMode'],
|
|
+ '*key-secret': 'str',
|
|
'*server': ['InetSocketAddressBase'] } }
|
|
|
|
##
|
|
--
|
|
1.8.3.1