[ceph.git] / ceph / qa / workunits / rbd / permissions.sh

#!/bin/bash -ex

IMAGE_FEATURES="layering,exclusive-lock,object-map,fast-diff"

create_pools() {
    ceph osd pool create images 100
    ceph osd pool create volumes 100
}

delete_pools() {
    (ceph osd pool delete images images --yes-i-really-really-mean-it || true) >/dev/null 2>&1
    (ceph osd pool delete volumes volumes --yes-i-really-really-mean-it || true) >/dev/null 2>&1

}

recreate_pools() {
    delete_pools
    create_pools
}

delete_users() {
    (ceph auth del client.volumes || true) >/dev/null 2>&1
    (ceph auth del client.images || true) >/dev/null 2>&1
}

create_users() {
    ceph auth get-or-create client.volumes mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow r class-read pool images, allow rwx pool volumes' >> $KEYRING
    ceph auth get-or-create client.images mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool images' >> $KEYRING
}

expect() {

  set +e

  local expected_ret=$1
  local ret

  shift
  cmd=$@

  eval $cmd
  ret=$?

  set -e

  if [[ $ret -ne $expected_ret ]]; then
    echo "ERROR: running \'$cmd\': expected $expected_ret got $ret"
    return 1
  fi

  return 0
}

test_images_access() {
    rbd -k $KEYRING --id images create --image-format 2 --image-feature $IMAGE_FEATURES -s 1 images/foo
    rbd -k $KEYRING --id images snap create images/foo@snap
    rbd -k $KEYRING --id images snap protect images/foo@snap
    rbd -k $KEYRING --id images snap unprotect images/foo@snap
    rbd -k $KEYRING --id images snap protect images/foo@snap
    rbd -k $KEYRING --id images export images/foo@snap - >/dev/null
    expect 16 rbd -k $KEYRING --id images snap rm images/foo@snap

    rbd -k $KEYRING --id volumes clone --image-feature $IMAGE_FEATURES images/foo@snap volumes/child
    expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
    expect 1 rbd -k $KEYRING --id volumes snap unprotect images/foo@snap
    expect 1 rbd -k $KEYRING --id images flatten volumes/child
    rbd -k $KEYRING --id volumes flatten volumes/child
    expect 1 rbd -k $KEYRING --id volumes snap unprotect images/foo@snap
    rbd -k $KEYRING --id images snap unprotect images/foo@snap

    expect 39 rbd -k $KEYRING --id images rm images/foo
    rbd -k $KEYRING --id images snap rm images/foo@snap
    rbd -k $KEYRING --id images rm images/foo
    rbd -k $KEYRING --id volumes rm volumes/child
}

test_volumes_access() {
    rbd -k $KEYRING --id images create --image-format 2 --image-feature $IMAGE_FEATURES -s 1 images/foo
    rbd -k $KEYRING --id images snap create images/foo@snap
    rbd -k $KEYRING --id images snap protect images/foo@snap

    # commands that work with read-only access
    rbd -k $KEYRING --id volumes info images/foo@snap
    rbd -k $KEYRING --id volumes snap ls images/foo
    rbd -k $KEYRING --id volumes export images/foo - >/dev/null
    rbd -k $KEYRING --id volumes cp images/foo volumes/foo_copy
    rbd -k $KEYRING --id volumes rm volumes/foo_copy
    rbd -k $KEYRING --id volumes children images/foo@snap
    rbd -k $KEYRING --id volumes lock list images/foo

    # commands that fail with read-only access
    expect 1 rbd -k $KEYRING --id volumes resize -s 2 images/foo --allow-shrink
    expect 1 rbd -k $KEYRING --id volumes snap create images/foo@2
    expect 1 rbd -k $KEYRING --id volumes snap rollback images/foo@snap
    expect 1 rbd -k $KEYRING --id volumes snap remove images/foo@snap
    expect 1 rbd -k $KEYRING --id volumes snap purge images/foo
    expect 1 rbd -k $KEYRING --id volumes snap unprotect images/foo@snap
    expect 1 rbd -k $KEYRING --id volumes flatten images/foo
    expect 1 rbd -k $KEYRING --id volumes lock add images/foo test
    expect 1 rbd -k $KEYRING --id volumes lock remove images/foo test locker
    expect 1 rbd -k $KEYRING --id volumes ls rbd

    # create clone and snapshot
    rbd -k $KEYRING --id volumes clone --image-feature $IMAGE_FEATURES images/foo@snap volumes/child
    rbd -k $KEYRING --id volumes snap create volumes/child@snap1
    rbd -k $KEYRING --id volumes snap protect volumes/child@snap1
    rbd -k $KEYRING --id volumes snap create volumes/child@snap2

    # make sure original snapshot stays protected
    expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
    rbd -k $KEYRING --id volumes flatten volumes/child
    expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
    rbd -k $KEYRING --id volumes snap rm volumes/child@snap2
    expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
    expect 2 rbd -k $KEYRING --id volumes snap rm volumes/child@snap2
    rbd -k $KEYRING --id volumes snap unprotect volumes/child@snap1
    expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap

    # clean up
    rbd -k $KEYRING --id volumes snap rm volumes/child@snap1
    rbd -k $KEYRING --id images snap unprotect images/foo@snap
    rbd -k $KEYRING --id images snap rm images/foo@snap
    rbd -k $KEYRING --id images rm images/foo
    rbd -k $KEYRING --id volumes rm volumes/child
}

cleanup() {
    rm -f $KEYRING
}
KEYRING=$(mktemp)
trap cleanup EXIT ERR HUP INT QUIT

delete_users
create_users

recreate_pools
test_images_access

recreate_pools
test_volumes_access

delete_pools
delete_users

echo OK
exit 0
Commit	Line	Data
7c673cae FG	1	#!/bin/bash -ex
	2
	3	IMAGE_FEATURES="layering,exclusive-lock,object-map,fast-diff"
	4
	5	create_pools() {
	6	ceph osd pool create images 100
	7	ceph osd pool create volumes 100
	8	}
	9
	10	delete_pools() {
	11	(ceph osd pool delete images images --yes-i-really-really-mean-it \|\| true) >/dev/null 2>&1
	12	(ceph osd pool delete volumes volumes --yes-i-really-really-mean-it \|\| true) >/dev/null 2>&1
	13
	14	}
	15
	16	recreate_pools() {
	17	delete_pools
	18	create_pools
	19	}
	20
	21	delete_users() {
	22	(ceph auth del client.volumes \|\| true) >/dev/null 2>&1
	23	(ceph auth del client.images \|\| true) >/dev/null 2>&1
	24	}
	25
	26	create_users() {
	27	ceph auth get-or-create client.volumes mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow r class-read pool images, allow rwx pool volumes' >> $KEYRING
	28	ceph auth get-or-create client.images mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool images' >> $KEYRING
	29	}
	30
	31	expect() {
	32
	33	set +e
	34
	35	local expected_ret=$1
	36	local ret
	37
	38	shift
	39	cmd=$@
	40
	41	eval $cmd
	42	ret=$?
	43
	44	set -e
	45
	46	if [[ $ret -ne $expected_ret ]]; then
	47	echo "ERROR: running \'$cmd\': expected $expected_ret got $ret"
	48	return 1
	49	fi
	50
	51	return 0
	52	}
	53
	54	test_images_access() {
	55	rbd -k $KEYRING --id images create --image-format 2 --image-feature $IMAGE_FEATURES -s 1 images/foo
	56	rbd -k $KEYRING --id images snap create images/foo@snap
	57	rbd -k $KEYRING --id images snap protect images/foo@snap
	58	rbd -k $KEYRING --id images snap unprotect images/foo@snap
	59	rbd -k $KEYRING --id images snap protect images/foo@snap
	60	rbd -k $KEYRING --id images export images/foo@snap - >/dev/null
	61	expect 16 rbd -k $KEYRING --id images snap rm images/foo@snap
	62
	63	rbd -k $KEYRING --id volumes clone --image-feature $IMAGE_FEATURES images/foo@snap volumes/child
	64	expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
65	expect 1 rbd -k $KEYRING --id volumes snap unprotect images/foo@snap
66	expect 1 rbd -k $KEYRING --id images flatten volumes/child
67	rbd -k $KEYRING --id volumes flatten volumes/child
68	expect 1 rbd -k $KEYRING --id volumes snap unprotect images/foo@snap
69	rbd -k $KEYRING --id images snap unprotect images/foo@snap
70
71	expect 39 rbd -k $KEYRING --id images rm images/foo
72	rbd -k $KEYRING --id images snap rm images/foo@snap
73	rbd -k $KEYRING --id images rm images/foo
74	rbd -k $KEYRING --id volumes rm volumes/child
75	}
76
77	test_volumes_access() {
78	rbd -k $KEYRING --id images create --image-format 2 --image-feature $IMAGE_FEATURES -s 1 images/foo
79	rbd -k $KEYRING --id images snap create images/foo@snap
80	rbd -k $KEYRING --id images snap protect images/foo@snap
81
82	# commands that work with read-only access
83	rbd -k $KEYRING --id volumes info images/foo@snap
84	rbd -k $KEYRING --id volumes snap ls images/foo
85	rbd -k $KEYRING --id volumes export images/foo - >/dev/null
86	rbd -k $KEYRING --id volumes cp images/foo volumes/foo_copy
87	rbd -k $KEYRING --id volumes rm volumes/foo_copy
88	rbd -k $KEYRING --id volumes children images/foo@snap
89	rbd -k $KEYRING --id volumes lock list images/foo
90
91	# commands that fail with read-only access
92	expect 1 rbd -k $KEYRING --id volumes resize -s 2 images/foo --allow-shrink
93	expect 1 rbd -k $KEYRING --id volumes snap create images/foo@2
94	expect 1 rbd -k $KEYRING --id volumes snap rollback images/foo@snap
95	expect 1 rbd -k $KEYRING --id volumes snap remove images/foo@snap
96	expect 1 rbd -k $KEYRING --id volumes snap purge images/foo
97	expect 1 rbd -k $KEYRING --id volumes snap unprotect images/foo@snap
98	expect 1 rbd -k $KEYRING --id volumes flatten images/foo
99	expect 1 rbd -k $KEYRING --id volumes lock add images/foo test
100	expect 1 rbd -k $KEYRING --id volumes lock remove images/foo test locker
101	expect 1 rbd -k $KEYRING --id volumes ls rbd
102
103	# create clone and snapshot
104	rbd -k $KEYRING --id volumes clone --image-feature $IMAGE_FEATURES images/foo@snap volumes/child
105	rbd -k $KEYRING --id volumes snap create volumes/child@snap1
106	rbd -k $KEYRING --id volumes snap protect volumes/child@snap1
107	rbd -k $KEYRING --id volumes snap create volumes/child@snap2
108
109	# make sure original snapshot stays protected
110	expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
111	rbd -k $KEYRING --id volumes flatten volumes/child
112	expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
113	rbd -k $KEYRING --id volumes snap rm volumes/child@snap2
114	expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
115	expect 2 rbd -k $KEYRING --id volumes snap rm volumes/child@snap2
116	rbd -k $KEYRING --id volumes snap unprotect volumes/child@snap1
117	expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
118
119	# clean up
120	rbd -k $KEYRING --id volumes snap rm volumes/child@snap1
121	rbd -k $KEYRING --id images snap unprotect images/foo@snap
122	rbd -k $KEYRING --id images snap rm images/foo@snap
123	rbd -k $KEYRING --id images rm images/foo
124	rbd -k $KEYRING --id volumes rm volumes/child
125	}
126
127	cleanup() {
128	rm -f $KEYRING
129	}
130	KEYRING=$(mktemp)
131	trap cleanup EXIT ERR HUP INT QUIT
132
133	delete_users
134	create_users
135
136	recreate_pools
137	test_images_access
138
139	recreate_pools
140	test_volumes_access
141
142	delete_pools
143	delete_users
144
145	echo OK
146	exit 0