From ce97c275087f97e9cd5cc0c87f22552282f04ad1 Mon Sep 17 00:00:00 2001 From: subhamkrai Date: Wed, 17 Nov 2021 10:09:47 +0530 Subject: [PATCH] security: add dry run mode for external cluster script Adding dry run mode for external cluster script. This will add cli argument `--dry-run`. By default `dry-run` option will be `False` which means it will only print something like below. ``` The script will do some write operations like: 1. The script will be fetching/creating Ceph CSI keyring for cephFS provisioner 2. The script will be fetching/creating Ceph CSI keyring for cephFS node 3. The script will be fetching/creating Ceph CSI keyring for RBD provisioner 4. The script will be fetching/creating Ceph CSI keyring for RBD node 5. The script will be fetching/creating key for rook external user 6. The script will be fetching/creating ragdos admin user to get access key and secret key ``` Signed-off-by: subhamkrai --- .../create-external-cluster-resources.py | 48 ++++++++++++++----- 1 file changed, 35 insertions(+), 13 deletions(-) diff --git a/deploy/examples/create-external-cluster-resources.py b/deploy/examples/create-external-cluster-resources.py index 465ccab2218bd..778744fa65057 100644 --- a/deploy/examples/create-external-cluster-resources.py +++ b/deploy/examples/create-external-cluster-resources.py @@ -193,6 +193,8 @@ def gen_arg_parser(cls, args_to_parse=None): help="Ceph Manager prometheus exporter endpoints (comma separated list of entries of active and standby mgrs)") output_group.add_argument("--monitoring-endpoint-port", default="", required=False, help="Ceph Manager prometheus exporter port") + output_group.add_argument("--dry-run", default=False, required=False, + help="Dry run the python script") upgrade_group = argP.add_argument_group('upgrade') upgrade_group.add_argument("--upgrade", action='store_true', default=False, 
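Review bot: `--dry-run` is added without `action='store_true'`, so argparse treats it as an option that takes a value: a bare `--dry-run` fails with "expected one argument", and `--dry-run False` stores the non-empty string `'False'`, which every `self._arg_parser.dry_run` test introduced by this patch (`_check_conflicting_options`, `_gen_output_map`, `gen_json_out`) evaluates as true. The neighbouring `--upgrade` option shows the intended form: `output_group.add_argument("--dry-run", action='store_true', default=False, help="Dry run the python script")`. The help text could also say what the mode does, e.g. `help="Only print the write operations the script would perform; do not execute them"`. `gen_arg_parser` begins before this hunk.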
@@ -212,7 +214,7 @@ def validate_rgw_endpoint_tls_cert(self): return contents.rstrip() def _check_conflicting_options(self): - if not self._arg_parser.upgrade and not self._arg_parser.rbd_data_pool_name: + if not self._arg_parser.upgrade and not self._arg_parser.rbd_data_pool_name and not self._arg_parser.dry_run: raise ExecutionFailureException( "Either '--upgrade' or '--rbd-data-pool-name ' should be specified") if self._arg_parser.upgrade and self._arg_parser.rbd_data_pool_name: @@ -458,7 +460,7 @@ def create_cephCSIKeyring_cephFSProvisioner(self): if self._arg_parser.restricted_auth_permission: if metadata_pool == "": raise ExecutionFailureException( - "'cephfs_metadata_pool_name' not found, please set the '--cephfs-metadata-pool-name' flag") + "'cephfs_metadata_pool_name' not found, please set the '--cephfs-metadata-pool-name' flag") cmd_json = {"prefix": "auth get-or-create", "entity": entity, "caps": ["mon", "allow r", "mgr", "allow rw", @@ -492,9 +494,10 @@ def create_cephCSIKeyring_cephFSNode(self): cmd_json = {"prefix": "auth get-or-create", "entity": entity, "caps": ["mon", "allow r", - "mgr", "allow rw", - "osd", "allow rw tag cephfs data={}".format(data_pool), - "mds", "allow rw"], + "mgr", "allow rw", + "osd", "allow rw tag cephfs data={}".format( + data_pool), + "mds", "allow rw"], "format": "json"} else: cmd_json = {"prefix": "auth get-or-create", @@ -518,7 +521,7 @@ def create_cephCSIKeyring_RBDProvisioner(self): entity = "client.csi-rbd-provisioner" if cluster_name: entity = "client.csi-rbd-provisioner-{}".format(cluster_name) - cmd_json={} + cmd_json = {} if self._arg_parser.restricted_auth_permission: if rbd_pool_name == "": raise ExecutionFailureException( 
@@ -597,8 +600,10 @@ def get_cephfs_data_pool_details(self): return if matching_json_out: - self._arg_parser.cephfs_filesystem_name = str(matching_json_out['name']) - self._arg_parser.cephfs_metadata_pool_name = str(matching_json_out['metadata_pool']) + self._arg_parser.cephfs_filesystem_name = str( + matching_json_out['name']) + self._arg_parser.cephfs_metadata_pool_name = str( + matching_json_out['metadata_pool']) if type(matching_json_out['data_pools']) == list: # if the user has already provided data-pool-name, @@ -635,7 +640,7 @@ def create_cephCSIKeyring_RBDNode(self): entity = "client.csi-rbd-node" if cluster_name: entity = "client.csi-rbd-node-{}".format(cluster_name) - cmd_json={} + cmd_json = {} if self._arg_parser.restricted_auth_permission: if rbd_pool_name == "": raise ExecutionFailureException( @@ -729,7 +734,7 @@ def _gen_output_map(self): pools_to_validate.extend(rgw_pool_to_validate) for pool in pools_to_validate: - if not self.cluster.pool_exists(pool): + if not self.cluster.pool_exists(pool) and not self._arg_parser.dry_run: raise ExecutionFailureException( "The provided pool, '{}', does not exist".format(pool)) self._excluded_keys.add('CLUSTER_NAME') @@ -751,7 +756,8 @@ def _gen_output_map(self): self.out_map['CSI_CEPHFS_PROVISIONER_SECRET'] = '' # create CephFS node and provisioner keyring only when MDS exists if self.out_map['CEPHFS_FS_NAME'] and self.out_map['CEPHFS_POOL_NAME']: - self.out_map['CSI_CEPHFS_NODE_SECRET'] = self.create_cephCSIKeyring_cephFSNode() + self.out_map['CSI_CEPHFS_NODE_SECRET'] = self.create_cephCSIKeyring_cephFSNode( + ) self.out_map['CSI_CEPHFS_PROVISIONER_SECRET'] = self.create_cephCSIKeyring_cephFSProvisioner() self.out_map['RGW_ENDPOINT'] = self._arg_parser.rgw_endpoint self.out_map['RGW_TLS_CERT'] = '' 
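Review bot: In the `_gen_output_map` hunk the added `and not self._arg_parser.dry_run` only suppresses the exception; `pool_exists` still runs, and a missing pool is then silently accepted, so a dry run would look successful for an input the real run rejects. The dry run should report the finding and continue rather than drop it, as in the rewrite below. Since `gen_json_out` (later in this patch) returns before calling `_gen_output_map` when `dry_run` is set, this branch is reached in dry-run mode only through some other caller; `gen_shell_out` is a likely candidate but its body is outside this hunk, so confirm which path is intended. `_gen_output_map` starts and ends outside the hunk.
```python
for pool in pools_to_validate:
    if self.cluster.pool_exists(pool):
        continue
    if not self._arg_parser.dry_run:
        raise ExecutionFailureException(
            "The provided pool, '{}', does not exist".format(pool))
    # dry run: surface the problem the real run would fail on, then keep going
    print("The provided pool, '{}', does not exist".format(pool))
# … unchanged: self._excluded_keys.add('CLUSTER_NAME') and the rest of the map …
```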
@@ -775,6 +781,20 @@ def gen_shell_out(self): return shOut def gen_json_out(self): + if self._arg_parser.dry_run: + message = """ +The script will do some write operations like: + +1. The script will be fetching/creating Ceph CSI keyring for cephFS provisioner +2. The script will be fetching/creating Ceph CSI keyring for cephFS node +3. The script will be fetching/creating Ceph CSI keyring for RBD provisioner +4. The script will be fetching/creating Ceph CSI keyring for RBD node +5. The script will be fetching/creating key for rook external user +6. The script will be fetching/creating ragdos admin user to get access key and secret key +""" + + return message + self._gen_output_map() json_out = [ { @@ -1035,14 +1055,16 @@ def test_method_main_output(self): def test_method_create_cephCSIKeyring_cephFSProvisioner(self): csiKeyring = self.rjObj.create_cephCSIKeyring_cephFSProvisioner() - print("cephCSIKeyring without restricting it to a metadata pool. {}".format(csiKeyring)) + print("cephCSIKeyring without restricting it to a metadata pool. {}".format( + csiKeyring)) self.rjObj._arg_parser.restricted_auth_permission = True self.rjObj._arg_parser.cephfs_metadata_pool_name = "myfs-metadata" csiKeyring = self.rjObj.create_cephCSIKeyring_cephFSProvisioner() print("cephCSIKeyring for a specific metadata pool. {}".format(csiKeyring)) self.rjObj._arg_parser.cluster_name = "openshift-storage" csiKeyring = self.rjObj.create_cephCSIKeyring_cephFSProvisioner() - print("cephCSIKeyring for a specific metadata pool and cluster. {}".format(csiKeyring)) + print("cephCSIKeyring for a specific metadata pool and cluster. {}".format( + csiKeyring)) def test_non_zero_return_and_error(self): self.rjObj.cluster.return_val = 1
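Review bot: The dry-run guard lives only in `gen_json_out`, so it applies to one output format: `gen_shell_out`, visible just above in the same hunk, has no such check, and the caller that selects between them is outside this hunk, so a dry run requested together with the shell output would presumably still issue the `auth get-or-create` writes. Returning free text from a method whose name and normal path produce JSON also breaks any consumer that parses the result. Move the check to the shared caller (or the top of `_gen_output_map`) so both formats honour it, and let `gen_json_out` keep returning JSON. The static message does not reflect what the run would actually do (the `_gen_output_map` hunk above creates the CephFS keyrings only when an MDS exists), `ragdos` looks like a typo for `rados`, and a short docstring such as `"""Return the external-cluster resources as a JSON document; in dry-run mode only describe the write operations."""` would document the new behaviour.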