[ceph.git] / ceph / qa / workunits / rbd / permissions.sh

#!/usr/bin/env bash
set -ex

IMAGE_FEATURES="layering,exclusive-lock,object-map,fast-diff"

clone_v2_enabled() {
    image_spec=$1
    rbd info $image_spec | grep "clone-parent"
}

create_pools() {
    ceph osd pool create images 32
    rbd pool init images
    ceph osd pool create volumes 32
    rbd pool init volumes
}

delete_pools() {
    (ceph osd pool delete images images --yes-i-really-really-mean-it || true) >/dev/null 2>&1
    (ceph osd pool delete volumes volumes --yes-i-really-really-mean-it || true) >/dev/null 2>&1

}

recreate_pools() {
    delete_pools
    create_pools
}

delete_users() {
    (ceph auth del client.volumes || true) >/dev/null 2>&1
    (ceph auth del client.images || true) >/dev/null 2>&1

    (ceph auth del client.snap_none || true) >/dev/null 2>&1
    (ceph auth del client.snap_all || true) >/dev/null 2>&1
    (ceph auth del client.snap_pool || true) >/dev/null 2>&1
    (ceph auth del client.snap_profile_all || true) >/dev/null 2>&1
    (ceph auth del client.snap_profile_pool || true) >/dev/null 2>&1

    (ceph auth del client.mon_write || true) >/dev/null 2>&1
}

create_users() {
    ceph auth get-or-create client.volumes \
	mon 'profile rbd' \
	osd 'profile rbd pool=volumes, profile rbd-read-only pool=images' \
	mgr 'profile rbd pool=volumes, profile rbd-read-only pool=images' >> $KEYRING
    ceph auth get-or-create client.images mon 'profile rbd' osd 'profile rbd pool=images' >> $KEYRING

    ceph auth get-or-create client.snap_none mon 'allow r' >> $KEYRING
    ceph auth get-or-create client.snap_all mon 'allow r' osd 'allow w' >> $KEYRING
    ceph auth get-or-create client.snap_pool mon 'allow r' osd 'allow w pool=images' >> $KEYRING
    ceph auth get-or-create client.snap_profile_all mon 'allow r' osd 'profile rbd' >> $KEYRING
    ceph auth get-or-create client.snap_profile_pool mon 'allow r' osd 'profile rbd pool=images' >> $KEYRING

    ceph auth get-or-create client.mon_write mon 'allow *' >> $KEYRING
}

expect() {

  set +e

  local expected_ret=$1
  local ret

  shift
  cmd=$@

  eval $cmd
  ret=$?

  set -e

  if [[ $ret -ne $expected_ret ]]; then
    echo "ERROR: running \'$cmd\': expected $expected_ret got $ret"
    return 1
  fi

  return 0
}

test_images_access() {
    rbd -k $KEYRING --id images create --image-format 2 --image-feature $IMAGE_FEATURES -s 1 images/foo
    rbd -k $KEYRING --id images snap create images/foo@snap
    rbd -k $KEYRING --id images snap protect images/foo@snap
    rbd -k $KEYRING --id images snap unprotect images/foo@snap
    rbd -k $KEYRING --id images snap protect images/foo@snap
    rbd -k $KEYRING --id images export images/foo@snap - >/dev/null
    expect 16 rbd -k $KEYRING --id images snap rm images/foo@snap

    rbd -k $KEYRING --id volumes clone --image-feature $IMAGE_FEATURES images/foo@snap volumes/child

    if ! clone_v2_enabled images/foo; then
        expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
    fi

    expect 1 rbd -k $KEYRING --id volumes snap unprotect images/foo@snap
    expect 1 rbd -k $KEYRING --id images flatten volumes/child
    rbd -k $KEYRING --id volumes flatten volumes/child
    expect 1 rbd -k $KEYRING --id volumes snap unprotect images/foo@snap
    rbd -k $KEYRING --id images snap unprotect images/foo@snap

    expect 39 rbd -k $KEYRING --id images rm images/foo
    rbd -k $KEYRING --id images snap rm images/foo@snap
    rbd -k $KEYRING --id images rm images/foo
    rbd -k $KEYRING --id volumes rm volumes/child
}

test_volumes_access() {
    rbd -k $KEYRING --id images create --image-format 2 --image-feature $IMAGE_FEATURES -s 1 images/foo
    rbd -k $KEYRING --id images snap create images/foo@snap
    rbd -k $KEYRING --id images snap protect images/foo@snap

    # commands that work with read-only access
    rbd -k $KEYRING --id volumes info images/foo@snap
    rbd -k $KEYRING --id volumes snap ls images/foo
    rbd -k $KEYRING --id volumes export images/foo - >/dev/null
    rbd -k $KEYRING --id volumes cp images/foo volumes/foo_copy
    rbd -k $KEYRING --id volumes rm volumes/foo_copy
    rbd -k $KEYRING --id volumes children images/foo@snap
    rbd -k $KEYRING --id volumes lock list images/foo

    # commands that fail with read-only access
    expect 1 rbd -k $KEYRING --id volumes resize -s 2 images/foo --allow-shrink
    expect 1 rbd -k $KEYRING --id volumes snap create images/foo@2
    expect 1 rbd -k $KEYRING --id volumes snap rollback images/foo@snap
    expect 1 rbd -k $KEYRING --id volumes snap remove images/foo@snap
    expect 1 rbd -k $KEYRING --id volumes snap purge images/foo
    expect 1 rbd -k $KEYRING --id volumes snap unprotect images/foo@snap
    expect 1 rbd -k $KEYRING --id volumes flatten images/foo
    expect 1 rbd -k $KEYRING --id volumes lock add images/foo test
    expect 1 rbd -k $KEYRING --id volumes lock remove images/foo test locker
    expect 1 rbd -k $KEYRING --id volumes ls rbd

    # create clone and snapshot
    rbd -k $KEYRING --id volumes clone --image-feature $IMAGE_FEATURES images/foo@snap volumes/child
    rbd -k $KEYRING --id volumes snap create volumes/child@snap1
    rbd -k $KEYRING --id volumes snap protect volumes/child@snap1
    rbd -k $KEYRING --id volumes snap create volumes/child@snap2

    # make sure original snapshot stays protected
    if clone_v2_enabled images/foo; then
        rbd -k $KEYRING --id volumes flatten volumes/child
        rbd -k $KEYRING --id volumes snap rm volumes/child@snap2
        rbd -k $KEYRING --id volumes snap unprotect volumes/child@snap1
    else
        expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
        rbd -k $KEYRING --id volumes flatten volumes/child
        expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
        rbd -k $KEYRING --id volumes snap rm volumes/child@snap2
        expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
        expect 2 rbd -k $KEYRING --id volumes snap rm volumes/child@snap2
        rbd -k $KEYRING --id volumes snap unprotect volumes/child@snap1
        expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
    fi

    # clean up
    rbd -k $KEYRING --id volumes snap rm volumes/child@snap1
    rbd -k $KEYRING --id images snap unprotect images/foo@snap
    rbd -k $KEYRING --id images snap rm images/foo@snap
    rbd -k $KEYRING --id images rm images/foo
    rbd -k $KEYRING --id volumes rm volumes/child
}

create_self_managed_snapshot() {
  ID=$1
  POOL=$2

  cat << EOF | CEPH_ARGS="-k $KEYRING" python3
import rados

with rados.Rados(conffile="", rados_id="${ID}") as cluster:
  ioctx = cluster.open_ioctx("${POOL}")

  snap_id = ioctx.create_self_managed_snap()
  print ("Created snap id {}".format(snap_id))
EOF
}

remove_self_managed_snapshot() {
  ID=$1
  POOL=$2

  cat << EOF | CEPH_ARGS="-k $KEYRING" python3
import rados

with rados.Rados(conffile="", rados_id="mon_write") as cluster1, \
     rados.Rados(conffile="", rados_id="${ID}") as cluster2:
  ioctx1 = cluster1.open_ioctx("${POOL}")

  snap_id = ioctx1.create_self_managed_snap()
  print ("Created snap id {}".format(snap_id))

  ioctx2 = cluster2.open_ioctx("${POOL}")

  ioctx2.remove_self_managed_snap(snap_id)
  print ("Removed snap id {}".format(snap_id))
EOF
}

test_remove_self_managed_snapshots() {
    # Ensure users cannot create self-managed snapshots w/o permissions
    expect 1 create_self_managed_snapshot snap_none images
    expect 1 create_self_managed_snapshot snap_none volumes

    create_self_managed_snapshot snap_all images
    create_self_managed_snapshot snap_all volumes

    create_self_managed_snapshot snap_pool images
    expect 1 create_self_managed_snapshot snap_pool volumes

    create_self_managed_snapshot snap_profile_all images
    create_self_managed_snapshot snap_profile_all volumes

    create_self_managed_snapshot snap_profile_pool images
    expect 1 create_self_managed_snapshot snap_profile_pool volumes

    # Ensure users cannot delete self-managed snapshots w/o permissions
    expect 1 remove_self_managed_snapshot snap_none images
    expect 1 remove_self_managed_snapshot snap_none volumes

    remove_self_managed_snapshot snap_all images
    remove_self_managed_snapshot snap_all volumes

    remove_self_managed_snapshot snap_pool images
    expect 1 remove_self_managed_snapshot snap_pool volumes

    remove_self_managed_snapshot snap_profile_all images
    remove_self_managed_snapshot snap_profile_all volumes

    remove_self_managed_snapshot snap_profile_pool images
    expect 1 remove_self_managed_snapshot snap_profile_pool volumes
}

test_rbd_support() {
    # read-only commands should work on both pools
    ceph -k $KEYRING --id volumes rbd perf image stats volumes
    ceph -k $KEYRING --id volumes rbd perf image stats images

    # read/write commands should only work on 'volumes'
    rbd -k $KEYRING --id volumes create --image-format 2 --image-feature $IMAGE_FEATURES -s 1 volumes/foo
    ceph -k $KEYRING --id volumes rbd task add remove volumes/foo
    expect 13 ceph -k $KEYRING --id volumes rbd task add remove images/foo
}

cleanup() {
    rm -f $KEYRING
}

KEYRING=$(mktemp)
trap cleanup EXIT ERR HUP INT QUIT

delete_users
create_users

recreate_pools
test_images_access

recreate_pools
test_volumes_access

test_remove_self_managed_snapshots

test_rbd_support

delete_pools
delete_users

echo OK
exit 0
Commit	Line	Data
11fdf7f2 TL	1	#!/usr/bin/env bash
11fdf7f2 TL	2	set -ex
7c673cae FG	3
	4	IMAGE_FEATURES="layering,exclusive-lock,object-map,fast-diff"
	5
11fdf7f2 TL	6	clone_v2_enabled() {
	7	image_spec=$1
	8	rbd info $image_spec \| grep "clone-parent"
	9	}
	10
7c673cae	11	create_pools() {
11fdf7f2	12	ceph osd pool create images 32
c07f9fc5	13	rbd pool init images
11fdf7f2	14	ceph osd pool create volumes 32
c07f9fc5	15	rbd pool init volumes
7c673cae FG	16	}
	17
	18	delete_pools() {
	19	(ceph osd pool delete images images --yes-i-really-really-mean-it \|\| true) >/dev/null 2>&1
	20	(ceph osd pool delete volumes volumes --yes-i-really-really-mean-it \|\| true) >/dev/null 2>&1
	21
	22	}
	23
	24	recreate_pools() {
	25	delete_pools
	26	create_pools
	27	}
	28
	29	delete_users() {
	30	(ceph auth del client.volumes \|\| true) >/dev/null 2>&1
	31	(ceph auth del client.images \|\| true) >/dev/null 2>&1
28e407b8 AA	32
	33	(ceph auth del client.snap_none \|\| true) >/dev/null 2>&1
	34	(ceph auth del client.snap_all \|\| true) >/dev/null 2>&1
	35	(ceph auth del client.snap_pool \|\| true) >/dev/null 2>&1
	36	(ceph auth del client.snap_profile_all \|\| true) >/dev/null 2>&1
	37	(ceph auth del client.snap_profile_pool \|\| true) >/dev/null 2>&1
	38
	39	(ceph auth del client.mon_write \|\| true) >/dev/null 2>&1
7c673cae FG	40	}
	41
	42	create_users() {
92f5a8d4 TL	43	ceph auth get-or-create client.volumes \
	44	mon 'profile rbd' \
	45	osd 'profile rbd pool=volumes, profile rbd-read-only pool=images' \
	46	mgr 'profile rbd pool=volumes, profile rbd-read-only pool=images' >> $KEYRING
11fdf7f2	47	ceph auth get-or-create client.images mon 'profile rbd' osd 'profile rbd pool=images' >> $KEYRING
28e407b8 AA	48
	49	ceph auth get-or-create client.snap_none mon 'allow r' >> $KEYRING
	50	ceph auth get-or-create client.snap_all mon 'allow r' osd 'allow w' >> $KEYRING
	51	ceph auth get-or-create client.snap_pool mon 'allow r' osd 'allow w pool=images' >> $KEYRING
	52	ceph auth get-or-create client.snap_profile_all mon 'allow r' osd 'profile rbd' >> $KEYRING
	53	ceph auth get-or-create client.snap_profile_pool mon 'allow r' osd 'profile rbd pool=images' >> $KEYRING
	54
	55	ceph auth get-or-create client.mon_write mon 'allow *' >> $KEYRING
7c673cae FG	56	}
	57
	58	expect() {
	59
	60	set +e
	61
	62	local expected_ret=$1
	63	local ret
	64
	65	shift
	66	cmd=$@
	67
	68	eval $cmd
	69	ret=$?
	70
	71	set -e
	72
	73	if [[ $ret -ne $expected_ret ]]; then
	74	echo "ERROR: running \'$cmd\': expected $expected_ret got $ret"
	75	return 1
	76	fi
	77
	78	return 0
	79	}
	80
	81	test_images_access() {
	82	rbd -k $KEYRING --id images create --image-format 2 --image-feature $IMAGE_FEATURES -s 1 images/foo
	83	rbd -k $KEYRING --id images snap create images/foo@snap
	84	rbd -k $KEYRING --id images snap protect images/foo@snap
	85	rbd -k $KEYRING --id images snap unprotect images/foo@snap
	86	rbd -k $KEYRING --id images snap protect images/foo@snap
	87	rbd -k $KEYRING --id images export images/foo@snap - >/dev/null
	88	expect 16 rbd -k $KEYRING --id images snap rm images/foo@snap
	89
	90	rbd -k $KEYRING --id volumes clone --image-feature $IMAGE_FEATURES images/foo@snap volumes/child
11fdf7f2 TL	91
	92	if ! clone_v2_enabled images/foo; then
	93	expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
	94	fi
	95
7c673cae FG	96	expect 1 rbd -k $KEYRING --id volumes snap unprotect images/foo@snap
	97	expect 1 rbd -k $KEYRING --id images flatten volumes/child
	98	rbd -k $KEYRING --id volumes flatten volumes/child
	99	expect 1 rbd -k $KEYRING --id volumes snap unprotect images/foo@snap
	100	rbd -k $KEYRING --id images snap unprotect images/foo@snap
	101
	102	expect 39 rbd -k $KEYRING --id images rm images/foo
	103	rbd -k $KEYRING --id images snap rm images/foo@snap
	104	rbd -k $KEYRING --id images rm images/foo
	105	rbd -k $KEYRING --id volumes rm volumes/child
	106	}
	107
	108	test_volumes_access() {
	109	rbd -k $KEYRING --id images create --image-format 2 --image-feature $IMAGE_FEATURES -s 1 images/foo
	110	rbd -k $KEYRING --id images snap create images/foo@snap
	111	rbd -k $KEYRING --id images snap protect images/foo@snap
	112
	113	# commands that work with read-only access
	114	rbd -k $KEYRING --id volumes info images/foo@snap
	115	rbd -k $KEYRING --id volumes snap ls images/foo
	116	rbd -k $KEYRING --id volumes export images/foo - >/dev/null
	117	rbd -k $KEYRING --id volumes cp images/foo volumes/foo_copy
	118	rbd -k $KEYRING --id volumes rm volumes/foo_copy
	119	rbd -k $KEYRING --id volumes children images/foo@snap
	120	rbd -k $KEYRING --id volumes lock list images/foo
	121
	122	# commands that fail with read-only access
	123	expect 1 rbd -k $KEYRING --id volumes resize -s 2 images/foo --allow-shrink
	124	expect 1 rbd -k $KEYRING --id volumes snap create images/foo@2
	125	expect 1 rbd -k $KEYRING --id volumes snap rollback images/foo@snap
	126	expect 1 rbd -k $KEYRING --id volumes snap remove images/foo@snap
	127	expect 1 rbd -k $KEYRING --id volumes snap purge images/foo
	128	expect 1 rbd -k $KEYRING --id volumes snap unprotect images/foo@snap
	129	expect 1 rbd -k $KEYRING --id volumes flatten images/foo
	130	expect 1 rbd -k $KEYRING --id volumes lock add images/foo test
	131	expect 1 rbd -k $KEYRING --id volumes lock remove images/foo test locker
	132	expect 1 rbd -k $KEYRING --id volumes ls rbd
	133
	134	# create clone and snapshot
	135	rbd -k $KEYRING --id volumes clone --image-feature $IMAGE_FEATURES images/foo@snap volumes/child
	136	rbd -k $KEYRING --id volumes snap create volumes/child@snap1
	137	rbd -k $KEYRING --id volumes snap protect volumes/child@snap1
	138	rbd -k $KEYRING --id volumes snap create volumes/child@snap2
	139
	140	# make sure original snapshot stays protected
11fdf7f2 TL	141	if clone_v2_enabled images/foo; then
	142	rbd -k $KEYRING --id volumes flatten volumes/child
	143	rbd -k $KEYRING --id volumes snap rm volumes/child@snap2
	144	rbd -k $KEYRING --id volumes snap unprotect volumes/child@snap1
	145	else
	146	expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
	147	rbd -k $KEYRING --id volumes flatten volumes/child
	148	expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
	149	rbd -k $KEYRING --id volumes snap rm volumes/child@snap2
	150	expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
	151	expect 2 rbd -k $KEYRING --id volumes snap rm volumes/child@snap2
	152	rbd -k $KEYRING --id volumes snap unprotect volumes/child@snap1
	153	expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
	154	fi
7c673cae FG	155
	156	# clean up
	157	rbd -k $KEYRING --id volumes snap rm volumes/child@snap1
	158	rbd -k $KEYRING --id images snap unprotect images/foo@snap
	159	rbd -k $KEYRING --id images snap rm images/foo@snap
	160	rbd -k $KEYRING --id images rm images/foo
	161	rbd -k $KEYRING --id volumes rm volumes/child
	162	}
	163
28e407b8 AA	164	create_self_managed_snapshot() {
	165	ID=$1
	166	POOL=$2
	167
9f95a23c	168	cat << EOF \| CEPH_ARGS="-k $KEYRING" python3
28e407b8 AA	169	import rados
28e407b8 AA	170
9f95a23c TL	171	with rados.Rados(conffile="", rados_id="${ID}") as cluster:
9f95a23c TL	172	ioctx = cluster.open_ioctx("${POOL}")
28e407b8	173
9f95a23c TL	174	snap_id = ioctx.create_self_managed_snap()
9f95a23c TL	175	print ("Created snap id {}".format(snap_id))
28e407b8 AA	176	EOF
	177	}
	178
	179	remove_self_managed_snapshot() {
	180	ID=$1
	181	POOL=$2
	182
9f95a23c	183	cat << EOF \| CEPH_ARGS="-k $KEYRING" python3
28e407b8 AA	184	import rados
28e407b8 AA	185
9f95a23c TL	186	with rados.Rados(conffile="", rados_id="mon_write") as cluster1, \
	187	rados.Rados(conffile="", rados_id="${ID}") as cluster2:
	188	ioctx1 = cluster1.open_ioctx("${POOL}")
28e407b8	189
9f95a23c TL	190	snap_id = ioctx1.create_self_managed_snap()
9f95a23c TL	191	print ("Created snap id {}".format(snap_id))
28e407b8	192
9f95a23c	193	ioctx2 = cluster2.open_ioctx("${POOL}")
28e407b8	194
9f95a23c TL	195	ioctx2.remove_self_managed_snap(snap_id)
9f95a23c TL	196	print ("Removed snap id {}".format(snap_id))
28e407b8 AA	197	EOF
	198	}
	199
	200	test_remove_self_managed_snapshots() {
	201	# Ensure users cannot create self-managed snapshots w/o permissions
	202	expect 1 create_self_managed_snapshot snap_none images
	203	expect 1 create_self_managed_snapshot snap_none volumes
	204
	205	create_self_managed_snapshot snap_all images
	206	create_self_managed_snapshot snap_all volumes
	207
	208	create_self_managed_snapshot snap_pool images
	209	expect 1 create_self_managed_snapshot snap_pool volumes
	210
	211	create_self_managed_snapshot snap_profile_all images
	212	create_self_managed_snapshot snap_profile_all volumes
	213
	214	create_self_managed_snapshot snap_profile_pool images
	215	expect 1 create_self_managed_snapshot snap_profile_pool volumes
	216
	217	# Ensure users cannot delete self-managed snapshots w/o permissions
	218	expect 1 remove_self_managed_snapshot snap_none images
	219	expect 1 remove_self_managed_snapshot snap_none volumes
	220
	221	remove_self_managed_snapshot snap_all images
	222	remove_self_managed_snapshot snap_all volumes
	223
	224	remove_self_managed_snapshot snap_pool images
	225	expect 1 remove_self_managed_snapshot snap_pool volumes
	226
	227	remove_self_managed_snapshot snap_profile_all images
	228	remove_self_managed_snapshot snap_profile_all volumes
	229
	230	remove_self_managed_snapshot snap_profile_pool images
	231	expect 1 remove_self_managed_snapshot snap_profile_pool volumes
	232	}
	233
92f5a8d4 TL	234	test_rbd_support() {
	235	# read-only commands should work on both pools
	236	ceph -k $KEYRING --id volumes rbd perf image stats volumes
	237	ceph -k $KEYRING --id volumes rbd perf image stats images
	238
	239	# read/write commands should only work on 'volumes'
	240	rbd -k $KEYRING --id volumes create --image-format 2 --image-feature $IMAGE_FEATURES -s 1 volumes/foo
	241	ceph -k $KEYRING --id volumes rbd task add remove volumes/foo
	242	expect 13 ceph -k $KEYRING --id volumes rbd task add remove images/foo
	243	}
	244
7c673cae FG	245	cleanup() {
	246	rm -f $KEYRING
	247	}
28e407b8	248
7c673cae FG	249	KEYRING=$(mktemp)
	250	trap cleanup EXIT ERR HUP INT QUIT
	251
	252	delete_users
	253	create_users
	254
	255	recreate_pools
	256	test_images_access
	257
	258	recreate_pools
	259	test_volumes_access
	260
28e407b8 AA	261	test_remove_self_managed_snapshots
28e407b8 AA	262
92f5a8d4 TL	263	test_rbd_support
92f5a8d4 TL	264
7c673cae FG	265	delete_pools
	266	delete_users
	267
	268	echo OK
	269	exit 0