[ceph.git] / ceph / qa / workunits / rbd / permissions.sh

#!/bin/bash -ex

IMAGE_FEATURES="layering,exclusive-lock,object-map,fast-diff"

create_pools() {
    ceph osd pool create images 100
    rbd pool init images
    ceph osd pool create volumes 100
    rbd pool init volumes
}

delete_pools() {
    (ceph osd pool delete images images --yes-i-really-really-mean-it || true) >/dev/null 2>&1
    (ceph osd pool delete volumes volumes --yes-i-really-really-mean-it || true) >/dev/null 2>&1

}

recreate_pools() {
    delete_pools
    create_pools
}

delete_users() {
    (ceph auth del client.volumes || true) >/dev/null 2>&1
    (ceph auth del client.images || true) >/dev/null 2>&1
}

create_users() {
    ceph auth get-or-create client.volumes mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow r class-read pool images, allow rwx pool volumes' >> $KEYRING
    ceph auth get-or-create client.images mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool images' >> $KEYRING
}

expect() {

  set +e

  local expected_ret=$1
  local ret

  shift
  cmd=$@

  eval $cmd
  ret=$?

  set -e

  if [[ $ret -ne $expected_ret ]]; then
    echo "ERROR: running \'$cmd\': expected $expected_ret got $ret"
    return 1
  fi

  return 0
}

test_images_access() {
    rbd -k $KEYRING --id images create --image-format 2 --image-feature $IMAGE_FEATURES -s 1 images/foo
    rbd -k $KEYRING --id images snap create images/foo@snap
    rbd -k $KEYRING --id images snap protect images/foo@snap
    rbd -k $KEYRING --id images snap unprotect images/foo@snap
    rbd -k $KEYRING --id images snap protect images/foo@snap
    rbd -k $KEYRING --id images export images/foo@snap - >/dev/null
    expect 16 rbd -k $KEYRING --id images snap rm images/foo@snap

    rbd -k $KEYRING --id volumes clone --image-feature $IMAGE_FEATURES images/foo@snap volumes/child
    expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
    expect 1 rbd -k $KEYRING --id volumes snap unprotect images/foo@snap
    expect 1 rbd -k $KEYRING --id images flatten volumes/child
    rbd -k $KEYRING --id volumes flatten volumes/child
    expect 1 rbd -k $KEYRING --id volumes snap unprotect images/foo@snap
    rbd -k $KEYRING --id images snap unprotect images/foo@snap

    expect 39 rbd -k $KEYRING --id images rm images/foo
    rbd -k $KEYRING --id images snap rm images/foo@snap
    rbd -k $KEYRING --id images rm images/foo
    rbd -k $KEYRING --id volumes rm volumes/child
}

test_volumes_access() {
    rbd -k $KEYRING --id images create --image-format 2 --image-feature $IMAGE_FEATURES -s 1 images/foo
    rbd -k $KEYRING --id images snap create images/foo@snap
    rbd -k $KEYRING --id images snap protect images/foo@snap

    # commands that work with read-only access
    rbd -k $KEYRING --id volumes info images/foo@snap
    rbd -k $KEYRING --id volumes snap ls images/foo
    rbd -k $KEYRING --id volumes export images/foo - >/dev/null
    rbd -k $KEYRING --id volumes cp images/foo volumes/foo_copy
    rbd -k $KEYRING --id volumes rm volumes/foo_copy
    rbd -k $KEYRING --id volumes children images/foo@snap
    rbd -k $KEYRING --id volumes lock list images/foo

    # commands that fail with read-only access
    expect 1 rbd -k $KEYRING --id volumes resize -s 2 images/foo --allow-shrink
    expect 1 rbd -k $KEYRING --id volumes snap create images/foo@2
    expect 1 rbd -k $KEYRING --id volumes snap rollback images/foo@snap
    expect 1 rbd -k $KEYRING --id volumes snap remove images/foo@snap
    expect 1 rbd -k $KEYRING --id volumes snap purge images/foo
    expect 1 rbd -k $KEYRING --id volumes snap unprotect images/foo@snap
    expect 1 rbd -k $KEYRING --id volumes flatten images/foo
    expect 1 rbd -k $KEYRING --id volumes lock add images/foo test
    expect 1 rbd -k $KEYRING --id volumes lock remove images/foo test locker
    expect 1 rbd -k $KEYRING --id volumes ls rbd

    # create clone and snapshot
    rbd -k $KEYRING --id volumes clone --image-feature $IMAGE_FEATURES images/foo@snap volumes/child
    rbd -k $KEYRING --id volumes snap create volumes/child@snap1
    rbd -k $KEYRING --id volumes snap protect volumes/child@snap1
    rbd -k $KEYRING --id volumes snap create volumes/child@snap2

    # make sure original snapshot stays protected
    expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
    rbd -k $KEYRING --id volumes flatten volumes/child
    expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
    rbd -k $KEYRING --id volumes snap rm volumes/child@snap2
    expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
    expect 2 rbd -k $KEYRING --id volumes snap rm volumes/child@snap2
    rbd -k $KEYRING --id volumes snap unprotect volumes/child@snap1
    expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap

    # clean up
    rbd -k $KEYRING --id volumes snap rm volumes/child@snap1
    rbd -k $KEYRING --id images snap unprotect images/foo@snap
    rbd -k $KEYRING --id images snap rm images/foo@snap
    rbd -k $KEYRING --id images rm images/foo
    rbd -k $KEYRING --id volumes rm volumes/child
}

cleanup() {
    rm -f $KEYRING
}
KEYRING=$(mktemp)
trap cleanup EXIT ERR HUP INT QUIT

delete_users
create_users

recreate_pools
test_images_access

recreate_pools
test_volumes_access

delete_pools
delete_users

echo OK
exit 0
Commit	Line	Data
7c673cae FG	1	#!/bin/bash -ex
	2
	3	IMAGE_FEATURES="layering,exclusive-lock,object-map,fast-diff"
	4
	5	create_pools() {
	6	ceph osd pool create images 100
c07f9fc5	7	rbd pool init images
7c673cae	8	ceph osd pool create volumes 100
c07f9fc5	9	rbd pool init volumes
7c673cae FG	10	}
	11
	12	delete_pools() {
	13	(ceph osd pool delete images images --yes-i-really-really-mean-it \|\| true) >/dev/null 2>&1
	14	(ceph osd pool delete volumes volumes --yes-i-really-really-mean-it \|\| true) >/dev/null 2>&1
	15
	16	}
	17
	18	recreate_pools() {
	19	delete_pools
	20	create_pools
	21	}
	22
	23	delete_users() {
	24	(ceph auth del client.volumes \|\| true) >/dev/null 2>&1
	25	(ceph auth del client.images \|\| true) >/dev/null 2>&1
	26	}
	27
	28	create_users() {
	29	ceph auth get-or-create client.volumes mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow r class-read pool images, allow rwx pool volumes' >> $KEYRING
	30	ceph auth get-or-create client.images mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool images' >> $KEYRING
	31	}
	32
	33	expect() {
	34
	35	set +e
	36
	37	local expected_ret=$1
	38	local ret
	39
	40	shift
	41	cmd=$@
	42
	43	eval $cmd
	44	ret=$?
	45
	46	set -e
	47
	48	if [[ $ret -ne $expected_ret ]]; then
	49	echo "ERROR: running \'$cmd\': expected $expected_ret got $ret"
	50	return 1
	51	fi
	52
	53	return 0
	54	}
	55
	56	test_images_access() {
	57	rbd -k $KEYRING --id images create --image-format 2 --image-feature $IMAGE_FEATURES -s 1 images/foo
	58	rbd -k $KEYRING --id images snap create images/foo@snap
	59	rbd -k $KEYRING --id images snap protect images/foo@snap
	60	rbd -k $KEYRING --id images snap unprotect images/foo@snap
	61	rbd -k $KEYRING --id images snap protect images/foo@snap
	62	rbd -k $KEYRING --id images export images/foo@snap - >/dev/null
	63	expect 16 rbd -k $KEYRING --id images snap rm images/foo@snap
	64
	65	rbd -k $KEYRING --id volumes clone --image-feature $IMAGE_FEATURES images/foo@snap volumes/child
	66	expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
	67	expect 1 rbd -k $KEYRING --id volumes snap unprotect images/foo@snap
	68	expect 1 rbd -k $KEYRING --id images flatten volumes/child
	69	rbd -k $KEYRING --id volumes flatten volumes/child
	70	expect 1 rbd -k $KEYRING --id volumes snap unprotect images/foo@snap
	71	rbd -k $KEYRING --id images snap unprotect images/foo@snap
	72
	73	expect 39 rbd -k $KEYRING --id images rm images/foo
74	rbd -k $KEYRING --id images snap rm images/foo@snap
75	rbd -k $KEYRING --id images rm images/foo
76	rbd -k $KEYRING --id volumes rm volumes/child
77	}
78
79	test_volumes_access() {
80	rbd -k $KEYRING --id images create --image-format 2 --image-feature $IMAGE_FEATURES -s 1 images/foo
81	rbd -k $KEYRING --id images snap create images/foo@snap
82	rbd -k $KEYRING --id images snap protect images/foo@snap
83
84	# commands that work with read-only access
85	rbd -k $KEYRING --id volumes info images/foo@snap
86	rbd -k $KEYRING --id volumes snap ls images/foo
87	rbd -k $KEYRING --id volumes export images/foo - >/dev/null
88	rbd -k $KEYRING --id volumes cp images/foo volumes/foo_copy
89	rbd -k $KEYRING --id volumes rm volumes/foo_copy
90	rbd -k $KEYRING --id volumes children images/foo@snap
91	rbd -k $KEYRING --id volumes lock list images/foo
92
93	# commands that fail with read-only access
94	expect 1 rbd -k $KEYRING --id volumes resize -s 2 images/foo --allow-shrink
95	expect 1 rbd -k $KEYRING --id volumes snap create images/foo@2
96	expect 1 rbd -k $KEYRING --id volumes snap rollback images/foo@snap
97	expect 1 rbd -k $KEYRING --id volumes snap remove images/foo@snap
98	expect 1 rbd -k $KEYRING --id volumes snap purge images/foo
99	expect 1 rbd -k $KEYRING --id volumes snap unprotect images/foo@snap
100	expect 1 rbd -k $KEYRING --id volumes flatten images/foo
101	expect 1 rbd -k $KEYRING --id volumes lock add images/foo test
102	expect 1 rbd -k $KEYRING --id volumes lock remove images/foo test locker
103	expect 1 rbd -k $KEYRING --id volumes ls rbd
104
105	# create clone and snapshot
106	rbd -k $KEYRING --id volumes clone --image-feature $IMAGE_FEATURES images/foo@snap volumes/child
107	rbd -k $KEYRING --id volumes snap create volumes/child@snap1
108	rbd -k $KEYRING --id volumes snap protect volumes/child@snap1
109	rbd -k $KEYRING --id volumes snap create volumes/child@snap2
110
111	# make sure original snapshot stays protected
112	expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
113	rbd -k $KEYRING --id volumes flatten volumes/child
114	expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
115	rbd -k $KEYRING --id volumes snap rm volumes/child@snap2
116	expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
117	expect 2 rbd -k $KEYRING --id volumes snap rm volumes/child@snap2
118	rbd -k $KEYRING --id volumes snap unprotect volumes/child@snap1
119	expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
120
121	# clean up
122	rbd -k $KEYRING --id volumes snap rm volumes/child@snap1
123	rbd -k $KEYRING --id images snap unprotect images/foo@snap
124	rbd -k $KEYRING --id images snap rm images/foo@snap
125	rbd -k $KEYRING --id images rm images/foo
126	rbd -k $KEYRING --id volumes rm volumes/child
127	}
128
129	cleanup() {
130	rm -f $KEYRING
131	}
132	KEYRING=$(mktemp)
133	trap cleanup EXIT ERR HUP INT QUIT
134
135	delete_users
136	create_users
137
138	recreate_pools
139	test_images_access
140
141	recreate_pools
142	test_volumes_access
143
144	delete_pools
145	delete_users
146
147	echo OK
148	exit 0