security: use correct osd tags for restricted caps with external cluster script #9410
@@ -168,7 +168,7 @@ def gen_arg_parser(cls, args_to_parse=None): | |||
common_group.add_argument("--rgw-pool-prefix", default="", | |||
help="RGW Pool prefix") | |||
common_group.add_argument("--restricted-auth-permission", default=False, | |||
help="Restricted cephCSIKeyrings auth permissions to specific pools and cluster. Mandatory flags that are needed to be set --cephfs-metadata-pool-name, --cephfs-data-pool-name and --rbd-data-pool-name. Note: Restricting the users per pool and per cluster will require to create new users and new secrets for that users.") | |||
help="Restricted cephCSIKeyrings auth permissions to specific pools and cluster. Mandatory flag that needes to be set is --rbd-data-pool-name. Note: Restricting the users per pool and per cluster will require to create new users and new secrets for that users.") |
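Review bot: the new help string on the `+` line has a typo ("needes") and names only --rbd-data-pool-name as mandatory, yet the CephFS provisioner caps in this PR are built from the filesystem name, so --cephfs-filesystem-name must also be listed as required when --restricted-auth-permission is set; suggest: `help="Restrict cephCSIKeyrings auth permissions to specific pools and cluster. Mandatory flags that need to be set are --rbd-data-pool-name and --cephfs-filesystem-name. ..."`. Separately, the unchanged context line declares the option with `default=False` but no `action="store_true"`, so argparse will expect a value after the flag rather than treat it as a boolean switch; worth confirming that is intended.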
plz mention --cephfs-filesystem-name flag that would be mandatory to be set.
cmd_json = {"prefix": "auth get-or-create", | ||
"entity": entity, | ||
"caps": ["mon", "allow r", "mgr", "allow rw", | ||
"osd", "allow rw tag cephfs metadata={}".format(metadata_pool)], | ||
"osd", "allow rw tag cephfs metadata={}".format(cephfs_filesystem)], |
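Review bot: the `+` line interpolates `cephfs_filesystem` into the osd cap without a guard, so if the filesystem name flag is unset the generated cap becomes `allow rw tag cephfs metadata=`, which grants access to nothing useful and only fails later at mount time; suggest validating that the value is non-empty (and exiting with a clear message) before building `cmd_json` when restricted permissions are requested. Keying the tag on the filesystem name rather than the metadata pool name is the right change, since Ceph sets the pool application tag as `cephfs metadata=<fs_name>`.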
And can you also verify once if the PVC created can bind to the deployment
I can confirm this works. I created a new deployment with a new PVC and the volume gets successfully mounted inside the container
@@ -1037,7 +1037,7 @@ def test_method_create_cephCSIKeyring_cephFSProvisioner(self): | |||
csiKeyring = self.rjObj.create_cephCSIKeyring_cephFSProvisioner() | |||
print("cephCSIKeyring without restricting it to a metadata pool. {}".format(csiKeyring)) | |||
self.rjObj._arg_parser.restricted_auth_permission = True | |||
self.rjObj._arg_parser.cephfs_metadata_pool_name = "myfs-metadata" | |||
self.rjObj._arg_parser.cephfs_fs_name = "myfs" |
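Review bot: the attribute set on the `+` line is `cephfs_fs_name`, which does not match the argparse destination of --cephfs-filesystem-name (`cephfs_filesystem_name`), so the test would assign an unused attribute and the restricted code path would read the real attribute's default instead of "myfs"; rename to `self.rjObj._arg_parser.cephfs_filesystem_name = "myfs"`. The test also only prints the keyring; adding an assertion that the returned caps contain `metadata=myfs` would make it actually verify the fix this PR introduces.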
this would be like self.rjObj._arg_parser.cephfs_filesystem_name = "myfs"
The create-external-cluster-resources.py with --create-external-cluster-resources set to true sets a wrong osd application tag. It should use the fs name and not the fs pools. Closes: rook#9227 Signed-off-by: Lennart Hagemann <lennart.hagemann@continum.net>
3a76a8f to 7507790
@parth-gr I addressed the comments you made, can you confirm?
Looks good to me.
security: use correct osd tags for restricted caps with external cluster script (backport #9410)
Description of your changes:
The create-external-cluster-resources.py with --create-external-cluster-resources set to true sets a wrong osd application tag. It should use the fs name and not the fs pools.
Which issue is resolved by this Pull Request:
Resolves #9227
Signed-off-by: Lennart Hagemann lennart.hagemann@continum.net
Checklist:
`make codegen` has been run to update object specifications, if necessary.