From 7ea4e1dc455e7de9131ac7e81cb7e033f21a8bd8 Mon Sep 17 00:00:00 2001
From: Lennart Hagemann <lennart.hagemann@continum.net>
Date: Mon, 13 Dec 2021 12:51:02 +0100
Subject: [PATCH] security: use correct osd tags for restricted caps

The create-external-cluster-resources.py with
--create-external-cluster-resources set to true
sets a wrong osd application tag. It should use
the fs name and not the fs pools.

Closes: https://github.com/rook/rook/issues/9227
Signed-off-by: Lennart Hagemann <lennart.hagemann@continum.net>
(cherry picked from commit 7507790375cd2ae261dcc9adf6ea4af7ad893fbd)
---
 .../create-external-cluster-resources.py      | 24 +++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/deploy/examples/create-external-cluster-resources.py b/deploy/examples/create-external-cluster-resources.py
index 465ccab2218b..a53e643f74c9 100644
--- a/deploy/examples/create-external-cluster-resources.py
+++ b/deploy/examples/create-external-cluster-resources.py
@@ -92,8 +92,8 @@ def _init_cmd_output_map(self):
         self.cmd_output_map['''{"caps": ["mon", "profile rbd", "mgr", "allow rw", "osd", "profile rbd"], "entity": "client.csi-rbd-provisioner", "format": "json", "prefix": "auth get-or-create"}'''] = '''[{"entity":"client.csi-rbd-provisioner","key":"AQBNgrNe1geyKxAA8ekViRdE+hss5OweYBkwNg==","caps":{"mgr":"allow rw","mon":"profile rbd","osd":"profile rbd"}}]'''
         self.cmd_output_map['''{"caps": ["mon", "allow r", "mgr", "allow rw", "osd", "allow rw tag cephfs *=*", "mds", "allow rw"], "entity": "client.csi-cephfs-node", "format": "json", "prefix": "auth get-or-create"}'''] = '''[{"entity":"client.csi-cephfs-node","key":"AQBOgrNeENunKxAAPCmgE7R6G8DcXnaJ1F32qg==","caps":{"mds":"allow rw","mgr":"allow rw","mon":"allow r","osd":"allow rw tag cephfs *=*"}}]'''
         self.cmd_output_map['''{"caps": ["mon", "allow r", "mgr", "allow rw", "osd", "allow rw tag cephfs metadata=*"], "entity": "client.csi-cephfs-provisioner", "format": "json", "prefix": "auth get-or-create"}'''] = '''[{"entity":"client.csi-cephfs-provisioner","key":"AQBOgrNeAFgcGBAAvGqKOAD0D3xxmVY0R912dg==","caps":{"mgr":"allow rw","mon":"allow r","osd":"allow rw tag cephfs metadata=*"}}]'''
-        self.cmd_output_map['''{"caps": ["mon", "allow r", "mgr", "allow rw", "osd", "allow rw tag cephfs metadata=myfs-metadata"], "entity": "client.csi-cephfs-provisioner", "format": "json", "prefix": "auth get-or-create"}'''] = '''[{"entity":"client.csi-cephfs-provisioner","key":"BQBOgrNeAFgcGBAAvGqKOAD0D3xxmVY0R912dg==","caps":{"mgr":"allow rw","mon":"allow r","osd":"allow rw tag cephfs metadata=myfs-metadata"}}]'''
-        self.cmd_output_map['''{"caps": ["mon", "allow r", "mgr", "allow rw", "osd", "allow rw tag cephfs metadata=myfs-metadata"], "entity": "client.csi-cephfs-provisioner-openshift-storage", "format": "json", "prefix": "auth get-or-create"}'''] = '''[{"entity":"client.csi-cephfs-provisioner-openshift-storage","key":"CQBOgrNeAFgcGBAAvGqKOAD0D3xxmVY0R912dg==","caps":{"mgr":"allow rw","mon":"allow r","osd":"allow rw tag cephfs metadata=myfs-metadata"}}]'''
+        self.cmd_output_map['''{"caps": ["mon", "allow r", "mgr", "allow rw", "osd", "allow rw tag cephfs metadata=myfs"], "entity": "client.csi-cephfs-provisioner", "format": "json", "prefix": "auth get-or-create"}'''] = '''[{"entity":"client.csi-cephfs-provisioner","key":"BQBOgrNeAFgcGBAAvGqKOAD0D3xxmVY0R912dg==","caps":{"mgr":"allow rw","mon":"allow r","osd":"allow rw tag cephfs metadata=myfs"}}]'''
+        self.cmd_output_map['''{"caps": ["mon", "allow r", "mgr", "allow rw", "osd", "allow rw tag cephfs metadata=myfs"], "entity": "client.csi-cephfs-provisioner-openshift-storage", "format": "json", "prefix": "auth get-or-create"}'''] = '''[{"entity":"client.csi-cephfs-provisioner-openshift-storage","key":"CQBOgrNeAFgcGBAAvGqKOAD0D3xxmVY0R912dg==","caps":{"mgr":"allow rw","mon":"allow r","osd":"allow rw tag cephfs metadata=myfs"}}]'''
         self.cmd_output_map['''{"caps": ["mon", "allow r, allow command quorum_status, allow command version", "mgr", "allow command config", "osd", "allow rwx pool=default.rgw.meta, allow r pool=.rgw.root, allow rw pool=default.rgw.control, allow rx pool=default.rgw.log, allow x pool=default.rgw.buckets.index"], "entity": "client.healthchecker", "format": "json", "prefix": "auth get-or-create"}'''] = '''[{"entity":"client.healthchecker","key":"AQDFkbNeft5bFRAATndLNUSEKruozxiZi3lrdA==","caps":{"mon": "allow r, allow command quorum_status, allow command version", "mgr": "allow command config", "osd": "allow rwx pool=default.rgw.meta, allow r pool=.rgw.root, allow rw pool=default.rgw.control, allow rx pool=default.rgw.log, allow x pool=default.rgw.buckets.index"}}]'''
         self.cmd_output_map['''{"format": "json", "prefix": "mgr services"}'''] = '''{"dashboard": "http://rook-ceph-mgr-a-57cf9f84bc-f4jnl:7000/", "prometheus": "http://rook-ceph-mgr-a-57cf9f84bc-f4jnl:9283/"}'''
         self.cmd_output_map['''{"entity": "client.healthchecker", "format": "json", "prefix": "auth get"}'''] = '''{"dashboard": "http://rook-ceph-mgr-a-57cf9f84bc-f4jnl:7000/", "prometheus": "http://rook-ceph-mgr-a-57cf9f84bc-f4jnl:9283/"}'''
@@ -168,7 +168,7 @@ def gen_arg_parser(cls, args_to_parse=None):
         common_group.add_argument("--rgw-pool-prefix", default="",
                                   help="RGW Pool prefix")
         common_group.add_argument("--restricted-auth-permission", default=False,
-                                  help="Restricted cephCSIKeyrings auth permissions to specific pools and cluster. Mandatory flags that are needed to be set --cephfs-metadata-pool-name, --cephfs-data-pool-name and --rbd-data-pool-name. Note: Restricting the users per pool and per cluster will require to create new users and new secrets for that users.")
+                                  help="Restricted cephCSIKeyrings auth permissions to specific pools and cluster. Mandatory flags that need to be set are --cephfs-filesystem-name and --rbd-data-pool-name. Note: Restricting the users per pool and per cluster will require to create new users and new secrets for that users.")
 
         output_group = argP.add_argument_group('output')
         output_group.add_argument("--format", "-t", choices=["json", "bash"],
@@ -449,20 +449,20 @@ def create_cephCSIKeyring_cephFSProvisioner(self):
         '''
         command: ceph auth get-or-create client.csi-cephfs-provisioner mon 'allow r' mgr 'allow rw' osd 'allow rw tag cephfs metadata=*'
         '''
-        metadata_pool = self._arg_parser.cephfs_metadata_pool_name
         cluster_name = self._arg_parser.cluster_name
+        cephfs_filesystem = self._arg_parser.cephfs_filesystem_name
         entity = "client.csi-cephfs-provisioner"
         if cluster_name:
             entity = "client.csi-cephfs-provisioner-{}".format(cluster_name)
         cmd_json = {}
         if self._arg_parser.restricted_auth_permission:
-            if metadata_pool == "":
+            if cephfs_filesystem == "":
                 raise ExecutionFailureException(
-                 "'cephfs_metadata_pool_name' not found, please set the '--cephfs-metadata-pool-name' flag")
+                 "'cephfs_filesystem_name' not found, please set the '--cephfs-filesystem-name' flag")
             cmd_json = {"prefix": "auth get-or-create",
                         "entity": entity,
                         "caps": ["mon", "allow r", "mgr", "allow rw",
-                                 "osd", "allow rw tag cephfs metadata={}".format(metadata_pool)],
+                                 "osd", "allow rw tag cephfs metadata={}".format(cephfs_filesystem)],
                         "format": "json"}
         else:
             cmd_json = {"prefix": "auth get-or-create",
@@ -479,21 +479,21 @@ def create_cephCSIKeyring_cephFSProvisioner(self):
         return str(json_out[0]['key'])
 
     def create_cephCSIKeyring_cephFSNode(self):
-        data_pool = self._arg_parser.cephfs_data_pool_name
         cluster_name = self._arg_parser.cluster_name
+        cephfs_filesystem = self._arg_parser.cephfs_filesystem_name
         entity = "client.csi-cephfs-node"
         if cluster_name:
             entity = "client.csi-cephfs-node-{}".format(cluster_name)
         cmd_json = {}
         if self._arg_parser.restricted_auth_permission:
-            if data_pool == "":
+            if cephfs_filesystem == "":
                 raise ExecutionFailureException(
-                    "'cephfs_data_pool_name' not found, please set the '--cephfs-data-pool-name' flag")
+                    "'cephfs_filesystem_name' not found, please set the '--cephfs-filesystem-name' flag")
             cmd_json = {"prefix": "auth get-or-create",
                         "entity": entity,
                         "caps": ["mon", "allow r",
                         "mgr", "allow rw",
-                        "osd", "allow rw tag cephfs data={}".format(data_pool),
+                        "osd", "allow rw tag cephfs data={}".format(cephfs_filesystem),
                         "mds", "allow rw"],
                         "format": "json"}
         else:
@@ -1037,7 +1037,7 @@ def test_method_create_cephCSIKeyring_cephFSProvisioner(self):
         csiKeyring = self.rjObj.create_cephCSIKeyring_cephFSProvisioner()
         print("cephCSIKeyring without restricting it to a metadata pool. {}".format(csiKeyring))
         self.rjObj._arg_parser.restricted_auth_permission = True
-        self.rjObj._arg_parser.cephfs_metadata_pool_name = "myfs-metadata"
+        self.rjObj._arg_parser.cephfs_filesystem_name = "myfs"
         csiKeyring = self.rjObj.create_cephCSIKeyring_cephFSProvisioner()
         print("cephCSIKeyring for a specific metadata pool. {}".format(csiKeyring))
         self.rjObj._arg_parser.cluster_name = "openshift-storage"