Merge pull request #9189 from subhamkrai/readonly-external-script
security: add dry run mode for external cluster script
leseb committed Dec 17, 2021
2 parents 517aff4 + c891ddb commit 97978b5
Showing 2 changed files with 37 additions and 0 deletions.
5 changes: 5 additions & 0 deletions .github/workflows/canary-integration-test.yml
Expand Up @@ -59,6 +59,11 @@ jobs:
kubectl -n rook-ceph cp deploy/examples/create-external-cluster-resources.py $toolbox:/etc/ceph
timeout 10 sh -c "until kubectl -n rook-ceph exec $toolbox -- python3 /etc/ceph/create-external-cluster-resources.py --rbd-data-pool-name replicapool; do echo 'waiting for script to succeed' && sleep 1; done"
- name: dry run external script create-external-cluster-resources.py
run: |
toolbox=$(kubectl get pod -l app=rook-ceph-tools -n rook-ceph -o jsonpath='{.items[*].metadata.name}')
kubectl -n rook-ceph exec $toolbox -- python3 /etc/ceph/create-external-cluster-resources.py --rbd-data-pool-name=replicapool --dry-run
- name: run external script create-external-cluster-resources.py unit tests
run: |
kubectl -n rook-ceph exec $(kubectl get pod -l app=rook-ceph-tools -n rook-ceph -o jsonpath='{.items[0].metadata.name}') -- python3 -m unittest /etc/ceph/create-external-cluster-resources.py
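Review bot: The new dry-run step only checks the script's exit status, so it would pass even if --dry-run silently executed commands or printed nothing; since dry_run() in the script prints `Execute: '...'`, the step should at least assert that output, e.g. `kubectl -n rook-ceph exec $toolbox -- python3 /etc/ceph/create-external-cluster-resources.py --rbd-data-pool-name=replicapool --dry-run | grep -q "Execute:"`. Because this step runs after the real invocation above it, every keyring already exists, so a dry run that did create resources would not be visible either; capturing `ceph auth ls` before and after the step and diffing the two would make the read-only claim testable. The enclosing job definition starts outside the hunk.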
32 changes: 32 additions & 0 deletions deploy/examples/create-external-cluster-resources.py
Expand Up @@ -195,6 +195,8 @@ def gen_arg_parser(cls, args_to_parse=None):
help="Ceph Manager prometheus exporter port")
output_group.add_argument("--rbd-metadata-ec-pool-name", default="", required=False,
help="Provides the name of erasure coded RBD metadata pool")
output_group.add_argument("--dry-run", default=False, action='store_true',
help="Dry run prints the executed commands without running them")

upgrade_group = argP.add_argument_group('upgrade')
upgrade_group.add_argument("--upgrade", action='store_true', default=False,
Expand Down Expand Up @@ -250,6 +252,10 @@ def validate_rgw_metadata_ec_pool_name(self):
"Provided rbd_data_pool name, {}, does not exist".format(rbd_pool_name))
return rbd_metadata_ec_pool_name

def dry_run(self, msg):
if self._arg_parser.dry_run:
print("Execute: " + "'" + msg + "'")

def validate_rgw_endpoint_tls_cert(self):
if self._arg_parser.rgw_tls_cert_path:
with open(self._arg_parser.rgw_tls_cert_path, encoding='utf8') as f:
Expand Down Expand Up @@ -352,6 +358,8 @@ def shutdown(self):
self.cluster.shutdown()

def get_fsid(self):
if self._arg_parser.dry_run:
return self.dry_run("ceph fsid")
return str(self.cluster.get_fsid())

def _common_cmd_json_gen(self, cmd_json):
Expand All @@ -370,6 +378,8 @@ def _common_cmd_json_gen(self, cmd_json):

def get_ceph_external_mon_data(self):
cmd_json = {"prefix": "quorum_status", "format": "json"}
if self._arg_parser.dry_run:
return self.dry_run("ceph " + cmd_json['prefix'])
ret_val, json_out, err_msg = self._common_cmd_json_gen(cmd_json)
# if there is an unsuccessful attempt,
if ret_val != 0 or len(json_out) == 0:
Expand Down Expand Up @@ -420,6 +430,8 @@ def _convert_hostname_to_ip(self, host_name):
return ip

def get_active_and_standby_mgrs(self):
if self._arg_parser.dry_run:
return "", self.dry_run("ceph status")
monitoring_endpoint_port = self._arg_parser.monitoring_endpoint_port
monitoring_endpoint_ip_list = self._arg_parser.monitoring_endpoint
standby_mgrs = []
Expand Down Expand Up @@ -515,6 +527,8 @@ def create_cephCSIKeyring_cephFSProvisioner(self):
"caps": ["mon", "allow r", "mgr", "allow rw",
"osd", "allow rw tag cephfs metadata=*"],
"format": "json"}
if self._arg_parser.dry_run:
return self.dry_run("ceph " + cmd_json['prefix'] + " " + cmd_json['entity'] + " " + " ".join(cmd_json['caps']))
ret_val, json_out, err_msg = self._common_cmd_json_gen(cmd_json)
# if there is an unsuccessful attempt,
if ret_val != 0 or len(json_out) == 0:
Expand Down Expand Up @@ -550,6 +564,8 @@ def create_cephCSIKeyring_cephFSNode(self):
"osd", "allow rw tag cephfs *=*",
"mds", "allow rw"],
"format": "json"}
if self._arg_parser.dry_run:
return self.dry_run("ceph " + cmd_json['prefix'] + " " + cmd_json['entity'] + " " + " ".join(cmd_json['caps']))
ret_val, json_out, err_msg = self._common_cmd_json_gen(cmd_json)
# if there is an unsuccessful attempt,
if ret_val != 0 or len(json_out) == 0:
Expand Down Expand Up @@ -582,6 +598,8 @@ def create_cephCSIKeyring_RBDProvisioner(self):
"mgr", "allow rw",
"osd", "profile rbd"],
"format": "json"}
if self._arg_parser.dry_run:
return self.dry_run("ceph " + cmd_json['prefix'] + " " + cmd_json['entity'] + " " + " ".join(cmd_json['caps']))
ret_val, json_out, err_msg = self._common_cmd_json_gen(cmd_json)
# if there is an unsuccessful attempt,
if ret_val != 0 or len(json_out) == 0:
Expand All @@ -592,6 +610,8 @@ def create_cephCSIKeyring_RBDProvisioner(self):

def get_cephfs_data_pool_details(self):
cmd_json = {"prefix": "fs ls", "format": "json"}
if self._arg_parser.dry_run:
return self.dry_run("ceph " + cmd_json['prefix'])
ret_val, json_out, err_msg = self._common_cmd_json_gen(cmd_json)
# if there is an unsuccessful attempt, report an error
if ret_val != 0:
Expand Down Expand Up @@ -699,6 +719,8 @@ def create_cephCSIKeyring_RBDNode(self):
"caps": ["mon", "profile rbd",
"osd", "profile rbd"],
"format": "json"}
if self._arg_parser.dry_run:
return self.dry_run("ceph " + cmd_json['prefix'] + " " + cmd_json['entity'] + " " + " ".join(cmd_json['caps']))
ret_val, json_out, err_msg = self._common_cmd_json_gen(cmd_json)
# if there is an unsuccessful attempt,
if ret_val != 0 or len(json_out) == 0:
Expand All @@ -714,6 +736,8 @@ def create_checkerKey(self):
"mgr", self.MIN_USER_CAP_PERMISSIONS['mgr'],
"osd", self.MIN_USER_CAP_PERMISSIONS['osd'].format(self._arg_parser.rgw_pool_prefix)],
"format": "json"}
if self._arg_parser.dry_run:
return self.dry_run("ceph " + cmd_json['prefix'] + " " + cmd_json['entity'] + " " + " ".join(cmd_json['caps']))
ret_val, json_out, err_msg = self._common_cmd_json_gen(cmd_json)
# if there is an unsuccessful attempt,
if ret_val != 0 or len(json_out) == 0:
Expand All @@ -724,6 +748,8 @@ def create_checkerKey(self):

def get_ceph_dashboard_link(self):
cmd_json = {"prefix": "mgr services", "format": "json"}
if self._arg_parser.dry_run:
return self.dry_run("ceph " + cmd_json['prefix'])
ret_val, json_out, _ = self._common_cmd_json_gen(cmd_json)
# if there is an unsuccessful attempt,
if ret_val != 0 or len(json_out) == 0:
Expand All @@ -735,6 +761,8 @@ def get_ceph_dashboard_link(self):
def create_rgw_admin_ops_user(self):
cmd = ['radosgw-admin', 'user', 'create', '--uid', self.EXTERNAL_RGW_ADMIN_OPS_USER_NAME, '--display-name',
'Rook RGW Admin Ops user', '--caps', 'buckets=*;users=*;usage=read;metadata=read;zone=read']
if self._arg_parser.dry_run:
return self.dry_run("ceph " + "".joing(cmd))
try:
output = subprocess.check_output(cmd,
stderr=subprocess.PIPE)
Expand Down Expand Up @@ -967,6 +995,10 @@ def gen_json_out(self):
"cert": self.out_map['RGW_TLS_CERT'],
}
})

if self._arg_parser.dry_run:
return ""

return json.dumps(json_out)+LINESEP

def upgrade_user_permissions(self):
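Review bot: `"".joing(cmd)` on the dry-run line of create_rgw_admin_ops_user (hunk @@ -735,6 +761,8 @@) is a typo that raises AttributeError the first time --dry-run reaches this method, and even with the name fixed `"ceph " + "".join(cmd)` would glue the radosgw-admin arguments together without spaces and prefix them with a binary that is not the one being run. The line should be `return self.dry_run(" ".join(cmd))`. The canary dry-run step apparently does not exercise the RGW path, which is presumably why this was not caught; a unit test that calls each dry-run-gated method with dry_run set would catch it. Separately, dry_run() prints and returns None, so in dry-run mode get_fsid and the create_cephCSIKeyring_* methods return None and get_active_and_standby_mgrs returns ("", None); that seems to be tolerated only because gen_json_out returns "" in that mode, so dry_run deserves a docstring such as `"""Print the command that would run when --dry-run is set; always returns None."""`. create_rgw_admin_ops_user continues outside the hunk.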
