[ceph.git] / ceph / qa / workunits / rbd / permissions.sh

#!/usr/bin/env bash
set -ex

IMAGE_FEATURES="layering,exclusive-lock,object-map,fast-diff"

clone_v2_enabled() {
    image_spec=$1
    rbd info $image_spec | grep "clone-parent"
}

create_pools() {
    ceph osd pool create images 32
    rbd pool init images
    ceph osd pool create volumes 32
    rbd pool init volumes
}

delete_pools() {
    (ceph osd pool delete images images --yes-i-really-really-mean-it || true) >/dev/null 2>&1
    (ceph osd pool delete volumes volumes --yes-i-really-really-mean-it || true) >/dev/null 2>&1

}

recreate_pools() {
    delete_pools
    create_pools
}

delete_users() {
    (ceph auth del client.volumes || true) >/dev/null 2>&1
    (ceph auth del client.images || true) >/dev/null 2>&1

    (ceph auth del client.snap_none || true) >/dev/null 2>&1
    (ceph auth del client.snap_all || true) >/dev/null 2>&1
    (ceph auth del client.snap_pool || true) >/dev/null 2>&1
    (ceph auth del client.snap_profile_all || true) >/dev/null 2>&1
    (ceph auth del client.snap_profile_pool || true) >/dev/null 2>&1

    (ceph auth del client.mon_write || true) >/dev/null 2>&1
}

create_users() {
    ceph auth get-or-create client.volumes mon 'profile rbd' osd 'profile rbd pool=volumes, profile rbd-read-only pool=images' >> $KEYRING
    ceph auth get-or-create client.images mon 'profile rbd' osd 'profile rbd pool=images' >> $KEYRING

    ceph auth get-or-create client.snap_none mon 'allow r' >> $KEYRING
    ceph auth get-or-create client.snap_all mon 'allow r' osd 'allow w' >> $KEYRING
    ceph auth get-or-create client.snap_pool mon 'allow r' osd 'allow w pool=images' >> $KEYRING
    ceph auth get-or-create client.snap_profile_all mon 'allow r' osd 'profile rbd' >> $KEYRING
    ceph auth get-or-create client.snap_profile_pool mon 'allow r' osd 'profile rbd pool=images' >> $KEYRING

    ceph auth get-or-create client.mon_write mon 'allow *' >> $KEYRING
}

expect() {

  set +e

  local expected_ret=$1
  local ret

  shift
  cmd=$@

  eval $cmd
  ret=$?

  set -e

  if [[ $ret -ne $expected_ret ]]; then
    echo "ERROR: running \'$cmd\': expected $expected_ret got $ret"
    return 1
  fi

  return 0
}

test_images_access() {
    rbd -k $KEYRING --id images create --image-format 2 --image-feature $IMAGE_FEATURES -s 1 images/foo
    rbd -k $KEYRING --id images snap create images/foo@snap
    rbd -k $KEYRING --id images snap protect images/foo@snap
    rbd -k $KEYRING --id images snap unprotect images/foo@snap
    rbd -k $KEYRING --id images snap protect images/foo@snap
    rbd -k $KEYRING --id images export images/foo@snap - >/dev/null
    expect 16 rbd -k $KEYRING --id images snap rm images/foo@snap

    rbd -k $KEYRING --id volumes clone --image-feature $IMAGE_FEATURES images/foo@snap volumes/child

    if ! clone_v2_enabled images/foo; then
        expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
    fi

    expect 1 rbd -k $KEYRING --id volumes snap unprotect images/foo@snap
    expect 1 rbd -k $KEYRING --id images flatten volumes/child
    rbd -k $KEYRING --id volumes flatten volumes/child
    expect 1 rbd -k $KEYRING --id volumes snap unprotect images/foo@snap
    rbd -k $KEYRING --id images snap unprotect images/foo@snap

    expect 39 rbd -k $KEYRING --id images rm images/foo
    rbd -k $KEYRING --id images snap rm images/foo@snap
    rbd -k $KEYRING --id images rm images/foo
    rbd -k $KEYRING --id volumes rm volumes/child
}

test_volumes_access() {
    rbd -k $KEYRING --id images create --image-format 2 --image-feature $IMAGE_FEATURES -s 1 images/foo
    rbd -k $KEYRING --id images snap create images/foo@snap
    rbd -k $KEYRING --id images snap protect images/foo@snap

    # commands that work with read-only access
    rbd -k $KEYRING --id volumes info images/foo@snap
    rbd -k $KEYRING --id volumes snap ls images/foo
    rbd -k $KEYRING --id volumes export images/foo - >/dev/null
    rbd -k $KEYRING --id volumes cp images/foo volumes/foo_copy
    rbd -k $KEYRING --id volumes rm volumes/foo_copy
    rbd -k $KEYRING --id volumes children images/foo@snap
    rbd -k $KEYRING --id volumes lock list images/foo

    # commands that fail with read-only access
    expect 1 rbd -k $KEYRING --id volumes resize -s 2 images/foo --allow-shrink
    expect 1 rbd -k $KEYRING --id volumes snap create images/foo@2
    expect 1 rbd -k $KEYRING --id volumes snap rollback images/foo@snap
    expect 1 rbd -k $KEYRING --id volumes snap remove images/foo@snap
    expect 1 rbd -k $KEYRING --id volumes snap purge images/foo
    expect 1 rbd -k $KEYRING --id volumes snap unprotect images/foo@snap
    expect 1 rbd -k $KEYRING --id volumes flatten images/foo
    expect 1 rbd -k $KEYRING --id volumes lock add images/foo test
    expect 1 rbd -k $KEYRING --id volumes lock remove images/foo test locker
    expect 1 rbd -k $KEYRING --id volumes ls rbd

    # create clone and snapshot
    rbd -k $KEYRING --id volumes clone --image-feature $IMAGE_FEATURES images/foo@snap volumes/child
    rbd -k $KEYRING --id volumes snap create volumes/child@snap1
    rbd -k $KEYRING --id volumes snap protect volumes/child@snap1
    rbd -k $KEYRING --id volumes snap create volumes/child@snap2

    # make sure original snapshot stays protected
    if clone_v2_enabled images/foo; then
        rbd -k $KEYRING --id volumes flatten volumes/child
        rbd -k $KEYRING --id volumes snap rm volumes/child@snap2
        rbd -k $KEYRING --id volumes snap unprotect volumes/child@snap1
    else
        expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
        rbd -k $KEYRING --id volumes flatten volumes/child
        expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
        rbd -k $KEYRING --id volumes snap rm volumes/child@snap2
        expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
        expect 2 rbd -k $KEYRING --id volumes snap rm volumes/child@snap2
        rbd -k $KEYRING --id volumes snap unprotect volumes/child@snap1
        expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
    fi

    # clean up
    rbd -k $KEYRING --id volumes snap rm volumes/child@snap1
    rbd -k $KEYRING --id images snap unprotect images/foo@snap
    rbd -k $KEYRING --id images snap rm images/foo@snap
    rbd -k $KEYRING --id images rm images/foo
    rbd -k $KEYRING --id volumes rm volumes/child
}

create_self_managed_snapshot() {
  ID=$1
  POOL=$2

  cat << EOF | CEPH_ARGS="-k $KEYRING" python
import rados

cluster = rados.Rados(conffile="", rados_id="${ID}")
cluster.connect()
ioctx = cluster.open_ioctx("${POOL}")

snap_id = ioctx.create_self_managed_snap()
print ("Created snap id {}".format(snap_id))
EOF
}

remove_self_managed_snapshot() {
  ID=$1
  POOL=$2

  cat << EOF | CEPH_ARGS="-k $KEYRING" python
import rados

cluster1 = rados.Rados(conffile="", rados_id="mon_write")
cluster1.connect()
ioctx1 = cluster1.open_ioctx("${POOL}")

snap_id = ioctx1.create_self_managed_snap()
print ("Created snap id {}".format(snap_id))

cluster2 = rados.Rados(conffile="", rados_id="${ID}")
cluster2.connect()
ioctx2 = cluster2.open_ioctx("${POOL}")

ioctx2.remove_self_managed_snap(snap_id)
print ("Removed snap id {}".format(snap_id))
EOF
}

test_remove_self_managed_snapshots() {
    # Ensure users cannot create self-managed snapshots w/o permissions
    expect 1 create_self_managed_snapshot snap_none images
    expect 1 create_self_managed_snapshot snap_none volumes

    create_self_managed_snapshot snap_all images
    create_self_managed_snapshot snap_all volumes

    create_self_managed_snapshot snap_pool images
    expect 1 create_self_managed_snapshot snap_pool volumes

    create_self_managed_snapshot snap_profile_all images
    create_self_managed_snapshot snap_profile_all volumes

    create_self_managed_snapshot snap_profile_pool images
    expect 1 create_self_managed_snapshot snap_profile_pool volumes

    # Ensure users cannot delete self-managed snapshots w/o permissions
    expect 1 remove_self_managed_snapshot snap_none images
    expect 1 remove_self_managed_snapshot snap_none volumes

    remove_self_managed_snapshot snap_all images
    remove_self_managed_snapshot snap_all volumes

    remove_self_managed_snapshot snap_pool images
    expect 1 remove_self_managed_snapshot snap_pool volumes

    remove_self_managed_snapshot snap_profile_all images
    remove_self_managed_snapshot snap_profile_all volumes

    remove_self_managed_snapshot snap_profile_pool images
    expect 1 remove_self_managed_snapshot snap_profile_pool volumes
}

cleanup() {
    rm -f $KEYRING
}

KEYRING=$(mktemp)
trap cleanup EXIT ERR HUP INT QUIT

delete_users
create_users

recreate_pools
test_images_access

recreate_pools
test_volumes_access

test_remove_self_managed_snapshots

delete_pools
delete_users

echo OK
exit 0
Commit	Line	Data
11fdf7f2 TL	1	#!/usr/bin/env bash
11fdf7f2 TL	2	set -ex
7c673cae FG	3
	4	IMAGE_FEATURES="layering,exclusive-lock,object-map,fast-diff"
	5
11fdf7f2 TL	6	clone_v2_enabled() {
	7	image_spec=$1
	8	rbd info $image_spec \| grep "clone-parent"
	9	}
	10
7c673cae	11	create_pools() {
11fdf7f2	12	ceph osd pool create images 32
c07f9fc5	13	rbd pool init images
11fdf7f2	14	ceph osd pool create volumes 32
c07f9fc5	15	rbd pool init volumes
7c673cae FG	16	}
	17
	18	delete_pools() {
	19	(ceph osd pool delete images images --yes-i-really-really-mean-it \|\| true) >/dev/null 2>&1
	20	(ceph osd pool delete volumes volumes --yes-i-really-really-mean-it \|\| true) >/dev/null 2>&1
	21
	22	}
	23
	24	recreate_pools() {
	25	delete_pools
	26	create_pools
	27	}
	28
	29	delete_users() {
	30	(ceph auth del client.volumes \|\| true) >/dev/null 2>&1
	31	(ceph auth del client.images \|\| true) >/dev/null 2>&1
28e407b8 AA	32
	33	(ceph auth del client.snap_none \|\| true) >/dev/null 2>&1
	34	(ceph auth del client.snap_all \|\| true) >/dev/null 2>&1
	35	(ceph auth del client.snap_pool \|\| true) >/dev/null 2>&1
	36	(ceph auth del client.snap_profile_all \|\| true) >/dev/null 2>&1
	37	(ceph auth del client.snap_profile_pool \|\| true) >/dev/null 2>&1
	38
	39	(ceph auth del client.mon_write \|\| true) >/dev/null 2>&1
7c673cae FG	40	}
	41
	42	create_users() {
11fdf7f2 TL	43	ceph auth get-or-create client.volumes mon 'profile rbd' osd 'profile rbd pool=volumes, profile rbd-read-only pool=images' >> $KEYRING
11fdf7f2 TL	44	ceph auth get-or-create client.images mon 'profile rbd' osd 'profile rbd pool=images' >> $KEYRING
28e407b8 AA	45
	46	ceph auth get-or-create client.snap_none mon 'allow r' >> $KEYRING
	47	ceph auth get-or-create client.snap_all mon 'allow r' osd 'allow w' >> $KEYRING
	48	ceph auth get-or-create client.snap_pool mon 'allow r' osd 'allow w pool=images' >> $KEYRING
	49	ceph auth get-or-create client.snap_profile_all mon 'allow r' osd 'profile rbd' >> $KEYRING
	50	ceph auth get-or-create client.snap_profile_pool mon 'allow r' osd 'profile rbd pool=images' >> $KEYRING
	51
	52	ceph auth get-or-create client.mon_write mon 'allow *' >> $KEYRING
7c673cae FG	53	}
	54
	55	expect() {
	56
	57	set +e
	58
	59	local expected_ret=$1
	60	local ret
	61
	62	shift
	63	cmd=$@
	64
	65	eval $cmd
	66	ret=$?
	67
	68	set -e
	69
	70	if [[ $ret -ne $expected_ret ]]; then
	71	echo "ERROR: running \'$cmd\': expected $expected_ret got $ret"
	72	return 1
	73	fi
	74
	75	return 0
	76	}
	77
	78	test_images_access() {
	79	rbd -k $KEYRING --id images create --image-format 2 --image-feature $IMAGE_FEATURES -s 1 images/foo
	80	rbd -k $KEYRING --id images snap create images/foo@snap
	81	rbd -k $KEYRING --id images snap protect images/foo@snap
	82	rbd -k $KEYRING --id images snap unprotect images/foo@snap
	83	rbd -k $KEYRING --id images snap protect images/foo@snap
	84	rbd -k $KEYRING --id images export images/foo@snap - >/dev/null
	85	expect 16 rbd -k $KEYRING --id images snap rm images/foo@snap
	86
	87	rbd -k $KEYRING --id volumes clone --image-feature $IMAGE_FEATURES images/foo@snap volumes/child
11fdf7f2 TL	88
	89	if ! clone_v2_enabled images/foo; then
	90	expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
	91	fi
	92
7c673cae FG	93	expect 1 rbd -k $KEYRING --id volumes snap unprotect images/foo@snap
	94	expect 1 rbd -k $KEYRING --id images flatten volumes/child
	95	rbd -k $KEYRING --id volumes flatten volumes/child
	96	expect 1 rbd -k $KEYRING --id volumes snap unprotect images/foo@snap
	97	rbd -k $KEYRING --id images snap unprotect images/foo@snap
	98
	99	expect 39 rbd -k $KEYRING --id images rm images/foo
	100	rbd -k $KEYRING --id images snap rm images/foo@snap
	101	rbd -k $KEYRING --id images rm images/foo
	102	rbd -k $KEYRING --id volumes rm volumes/child
	103	}
	104
	105	test_volumes_access() {
	106	rbd -k $KEYRING --id images create --image-format 2 --image-feature $IMAGE_FEATURES -s 1 images/foo
	107	rbd -k $KEYRING --id images snap create images/foo@snap
	108	rbd -k $KEYRING --id images snap protect images/foo@snap
	109
	110	# commands that work with read-only access
	111	rbd -k $KEYRING --id volumes info images/foo@snap
	112	rbd -k $KEYRING --id volumes snap ls images/foo
	113	rbd -k $KEYRING --id volumes export images/foo - >/dev/null
	114	rbd -k $KEYRING --id volumes cp images/foo volumes/foo_copy
	115	rbd -k $KEYRING --id volumes rm volumes/foo_copy
	116	rbd -k $KEYRING --id volumes children images/foo@snap
	117	rbd -k $KEYRING --id volumes lock list images/foo
	118
	119	# commands that fail with read-only access
	120	expect 1 rbd -k $KEYRING --id volumes resize -s 2 images/foo --allow-shrink
	121	expect 1 rbd -k $KEYRING --id volumes snap create images/foo@2
	122	expect 1 rbd -k $KEYRING --id volumes snap rollback images/foo@snap
	123	expect 1 rbd -k $KEYRING --id volumes snap remove images/foo@snap
	124	expect 1 rbd -k $KEYRING --id volumes snap purge images/foo
	125	expect 1 rbd -k $KEYRING --id volumes snap unprotect images/foo@snap
	126	expect 1 rbd -k $KEYRING --id volumes flatten images/foo
	127	expect 1 rbd -k $KEYRING --id volumes lock add images/foo test
	128	expect 1 rbd -k $KEYRING --id volumes lock remove images/foo test locker
	129	expect 1 rbd -k $KEYRING --id volumes ls rbd
	130
	131	# create clone and snapshot
	132	rbd -k $KEYRING --id volumes clone --image-feature $IMAGE_FEATURES images/foo@snap volumes/child
	133	rbd -k $KEYRING --id volumes snap create volumes/child@snap1
	134	rbd -k $KEYRING --id volumes snap protect volumes/child@snap1
	135	rbd -k $KEYRING --id volumes snap create volumes/child@snap2
	136
	137	# make sure original snapshot stays protected
11fdf7f2 TL	138	if clone_v2_enabled images/foo; then
	139	rbd -k $KEYRING --id volumes flatten volumes/child
	140	rbd -k $KEYRING --id volumes snap rm volumes/child@snap2
	141	rbd -k $KEYRING --id volumes snap unprotect volumes/child@snap1
	142	else
	143	expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
	144	rbd -k $KEYRING --id volumes flatten volumes/child
	145	expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
	146	rbd -k $KEYRING --id volumes snap rm volumes/child@snap2
	147	expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
	148	expect 2 rbd -k $KEYRING --id volumes snap rm volumes/child@snap2
	149	rbd -k $KEYRING --id volumes snap unprotect volumes/child@snap1
	150	expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
	151	fi
7c673cae FG	152
	153	# clean up
	154	rbd -k $KEYRING --id volumes snap rm volumes/child@snap1
	155	rbd -k $KEYRING --id images snap unprotect images/foo@snap
	156	rbd -k $KEYRING --id images snap rm images/foo@snap
	157	rbd -k $KEYRING --id images rm images/foo
	158	rbd -k $KEYRING --id volumes rm volumes/child
	159	}
	160
28e407b8 AA	161	create_self_managed_snapshot() {
	162	ID=$1
	163	POOL=$2
	164
11fdf7f2	165	cat << EOF \| CEPH_ARGS="-k $KEYRING" python
28e407b8 AA	166	import rados
	167
	168	cluster = rados.Rados(conffile="", rados_id="${ID}")
	169	cluster.connect()
	170	ioctx = cluster.open_ioctx("${POOL}")
	171
	172	snap_id = ioctx.create_self_managed_snap()
	173	print ("Created snap id {}".format(snap_id))
	174	EOF
	175	}
	176
	177	remove_self_managed_snapshot() {
	178	ID=$1
	179	POOL=$2
	180
11fdf7f2	181	cat << EOF \| CEPH_ARGS="-k $KEYRING" python
28e407b8 AA	182	import rados
	183
	184	cluster1 = rados.Rados(conffile="", rados_id="mon_write")
	185	cluster1.connect()
	186	ioctx1 = cluster1.open_ioctx("${POOL}")
	187
	188	snap_id = ioctx1.create_self_managed_snap()
	189	print ("Created snap id {}".format(snap_id))
	190
	191	cluster2 = rados.Rados(conffile="", rados_id="${ID}")
	192	cluster2.connect()
	193	ioctx2 = cluster2.open_ioctx("${POOL}")
	194
	195	ioctx2.remove_self_managed_snap(snap_id)
	196	print ("Removed snap id {}".format(snap_id))
	197	EOF
	198	}
	199
	200	test_remove_self_managed_snapshots() {
	201	# Ensure users cannot create self-managed snapshots w/o permissions
	202	expect 1 create_self_managed_snapshot snap_none images
	203	expect 1 create_self_managed_snapshot snap_none volumes
	204
	205	create_self_managed_snapshot snap_all images
	206	create_self_managed_snapshot snap_all volumes
	207
	208	create_self_managed_snapshot snap_pool images
	209	expect 1 create_self_managed_snapshot snap_pool volumes
	210
	211	create_self_managed_snapshot snap_profile_all images
	212	create_self_managed_snapshot snap_profile_all volumes
	213
	214	create_self_managed_snapshot snap_profile_pool images
	215	expect 1 create_self_managed_snapshot snap_profile_pool volumes
	216
	217	# Ensure users cannot delete self-managed snapshots w/o permissions
	218	expect 1 remove_self_managed_snapshot snap_none images
	219	expect 1 remove_self_managed_snapshot snap_none volumes
	220
	221	remove_self_managed_snapshot snap_all images
	222	remove_self_managed_snapshot snap_all volumes
	223
	224	remove_self_managed_snapshot snap_pool images
	225	expect 1 remove_self_managed_snapshot snap_pool volumes
	226
	227	remove_self_managed_snapshot snap_profile_all images
	228	remove_self_managed_snapshot snap_profile_all volumes
	229
	230	remove_self_managed_snapshot snap_profile_pool images
	231	expect 1 remove_self_managed_snapshot snap_profile_pool volumes
	232	}
	233
7c673cae FG	234	cleanup() {
	235	rm -f $KEYRING
	236	}
28e407b8	237
7c673cae FG	238	KEYRING=$(mktemp)
	239	trap cleanup EXIT ERR HUP INT QUIT
	240
	241	delete_users
	242	create_users
	243
	244	recreate_pools
	245	test_images_access
	246
	247	recreate_pools
	248	test_volumes_access
	249
28e407b8 AA	250	test_remove_self_managed_snapshots
28e407b8 AA	251
7c673cae FG	252	delete_pools
	253	delete_users
	254
	255	echo OK
	256	exit 0