[ceph.git] / ceph / qa / workunits / rbd / permissions.sh

#!/bin/bash -ex

IMAGE_FEATURES="layering,exclusive-lock,object-map,fast-diff"

create_pools() {
    ceph osd pool create images 100
    rbd pool init images
    ceph osd pool create volumes 100
    rbd pool init volumes
}

delete_pools() {
    (ceph osd pool delete images images --yes-i-really-really-mean-it || true) >/dev/null 2>&1
    (ceph osd pool delete volumes volumes --yes-i-really-really-mean-it || true) >/dev/null 2>&1

}

recreate_pools() {
    delete_pools
    create_pools
}

delete_users() {
    (ceph auth del client.volumes || true) >/dev/null 2>&1
    (ceph auth del client.images || true) >/dev/null 2>&1

    (ceph auth del client.snap_none || true) >/dev/null 2>&1
    (ceph auth del client.snap_all || true) >/dev/null 2>&1
    (ceph auth del client.snap_pool || true) >/dev/null 2>&1
    (ceph auth del client.snap_profile_all || true) >/dev/null 2>&1
    (ceph auth del client.snap_profile_pool || true) >/dev/null 2>&1

    (ceph auth del client.mon_write || true) >/dev/null 2>&1
}

create_users() {
    ceph auth get-or-create client.volumes mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow r class-read pool images, allow rwx pool volumes' >> $KEYRING
    ceph auth get-or-create client.images mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool images' >> $KEYRING

    ceph auth get-or-create client.snap_none mon 'allow r' >> $KEYRING
    ceph auth get-or-create client.snap_all mon 'allow r' osd 'allow w' >> $KEYRING
    ceph auth get-or-create client.snap_pool mon 'allow r' osd 'allow w pool=images' >> $KEYRING
    ceph auth get-or-create client.snap_profile_all mon 'allow r' osd 'profile rbd' >> $KEYRING
    ceph auth get-or-create client.snap_profile_pool mon 'allow r' osd 'profile rbd pool=images' >> $KEYRING

    ceph auth get-or-create client.mon_write mon 'allow *' >> $KEYRING
}

expect() {

  set +e

  local expected_ret=$1
  local ret

  shift
  cmd=$@

  eval $cmd
  ret=$?

  set -e

  if [[ $ret -ne $expected_ret ]]; then
    echo "ERROR: running \'$cmd\': expected $expected_ret got $ret"
    return 1
  fi

  return 0
}

test_images_access() {
    rbd -k $KEYRING --id images create --image-format 2 --image-feature $IMAGE_FEATURES -s 1 images/foo
    rbd -k $KEYRING --id images snap create images/foo@snap
    rbd -k $KEYRING --id images snap protect images/foo@snap
    rbd -k $KEYRING --id images snap unprotect images/foo@snap
    rbd -k $KEYRING --id images snap protect images/foo@snap
    rbd -k $KEYRING --id images export images/foo@snap - >/dev/null
    expect 16 rbd -k $KEYRING --id images snap rm images/foo@snap

    rbd -k $KEYRING --id volumes clone --image-feature $IMAGE_FEATURES images/foo@snap volumes/child
    expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
    expect 1 rbd -k $KEYRING --id volumes snap unprotect images/foo@snap
    expect 1 rbd -k $KEYRING --id images flatten volumes/child
    rbd -k $KEYRING --id volumes flatten volumes/child
    expect 1 rbd -k $KEYRING --id volumes snap unprotect images/foo@snap
    rbd -k $KEYRING --id images snap unprotect images/foo@snap

    expect 39 rbd -k $KEYRING --id images rm images/foo
    rbd -k $KEYRING --id images snap rm images/foo@snap
    rbd -k $KEYRING --id images rm images/foo
    rbd -k $KEYRING --id volumes rm volumes/child
}

test_volumes_access() {
    rbd -k $KEYRING --id images create --image-format 2 --image-feature $IMAGE_FEATURES -s 1 images/foo
    rbd -k $KEYRING --id images snap create images/foo@snap
    rbd -k $KEYRING --id images snap protect images/foo@snap

    # commands that work with read-only access
    rbd -k $KEYRING --id volumes info images/foo@snap
    rbd -k $KEYRING --id volumes snap ls images/foo
    rbd -k $KEYRING --id volumes export images/foo - >/dev/null
    rbd -k $KEYRING --id volumes cp images/foo volumes/foo_copy
    rbd -k $KEYRING --id volumes rm volumes/foo_copy
    rbd -k $KEYRING --id volumes children images/foo@snap
    rbd -k $KEYRING --id volumes lock list images/foo

    # commands that fail with read-only access
    expect 1 rbd -k $KEYRING --id volumes resize -s 2 images/foo --allow-shrink
    expect 1 rbd -k $KEYRING --id volumes snap create images/foo@2
    expect 1 rbd -k $KEYRING --id volumes snap rollback images/foo@snap
    expect 1 rbd -k $KEYRING --id volumes snap remove images/foo@snap
    expect 1 rbd -k $KEYRING --id volumes snap purge images/foo
    expect 1 rbd -k $KEYRING --id volumes snap unprotect images/foo@snap
    expect 1 rbd -k $KEYRING --id volumes flatten images/foo
    expect 1 rbd -k $KEYRING --id volumes lock add images/foo test
    expect 1 rbd -k $KEYRING --id volumes lock remove images/foo test locker
    expect 1 rbd -k $KEYRING --id volumes ls rbd

    # create clone and snapshot
    rbd -k $KEYRING --id volumes clone --image-feature $IMAGE_FEATURES images/foo@snap volumes/child
    rbd -k $KEYRING --id volumes snap create volumes/child@snap1
    rbd -k $KEYRING --id volumes snap protect volumes/child@snap1
    rbd -k $KEYRING --id volumes snap create volumes/child@snap2

    # make sure original snapshot stays protected
    expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
    rbd -k $KEYRING --id volumes flatten volumes/child
    expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
    rbd -k $KEYRING --id volumes snap rm volumes/child@snap2
    expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
    expect 2 rbd -k $KEYRING --id volumes snap rm volumes/child@snap2
    rbd -k $KEYRING --id volumes snap unprotect volumes/child@snap1
    expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap

    # clean up
    rbd -k $KEYRING --id volumes snap rm volumes/child@snap1
    rbd -k $KEYRING --id images snap unprotect images/foo@snap
    rbd -k $KEYRING --id images snap rm images/foo@snap
    rbd -k $KEYRING --id images rm images/foo
    rbd -k $KEYRING --id volumes rm volumes/child
}

create_self_managed_snapshot() {
  ID=$1
  POOL=$2

  cat << EOF | CEPH_KEYRING="$KEYRING" python
import rados

cluster = rados.Rados(conffile="", rados_id="${ID}")
cluster.connect()
ioctx = cluster.open_ioctx("${POOL}")

snap_id = ioctx.create_self_managed_snap()
print ("Created snap id {}".format(snap_id))
EOF
}

remove_self_managed_snapshot() {
  ID=$1
  POOL=$2

  cat << EOF | CEPH_KEYRING="$KEYRING" python
import rados

cluster1 = rados.Rados(conffile="", rados_id="mon_write")
cluster1.connect()
ioctx1 = cluster1.open_ioctx("${POOL}")

snap_id = ioctx1.create_self_managed_snap()
print ("Created snap id {}".format(snap_id))

cluster2 = rados.Rados(conffile="", rados_id="${ID}")
cluster2.connect()
ioctx2 = cluster2.open_ioctx("${POOL}")

ioctx2.remove_self_managed_snap(snap_id)
print ("Removed snap id {}".format(snap_id))
EOF
}

test_remove_self_managed_snapshots() {
    # Ensure users cannot create self-managed snapshots w/o permissions
    expect 1 create_self_managed_snapshot snap_none images
    expect 1 create_self_managed_snapshot snap_none volumes

    create_self_managed_snapshot snap_all images
    create_self_managed_snapshot snap_all volumes

    create_self_managed_snapshot snap_pool images
    expect 1 create_self_managed_snapshot snap_pool volumes

    create_self_managed_snapshot snap_profile_all images
    create_self_managed_snapshot snap_profile_all volumes

    create_self_managed_snapshot snap_profile_pool images
    expect 1 create_self_managed_snapshot snap_profile_pool volumes

    # Ensure users cannot delete self-managed snapshots w/o permissions
    expect 1 remove_self_managed_snapshot snap_none images
    expect 1 remove_self_managed_snapshot snap_none volumes

    remove_self_managed_snapshot snap_all images
    remove_self_managed_snapshot snap_all volumes

    remove_self_managed_snapshot snap_pool images
    expect 1 remove_self_managed_snapshot snap_pool volumes

    remove_self_managed_snapshot snap_profile_all images
    remove_self_managed_snapshot snap_profile_all volumes

    remove_self_managed_snapshot snap_profile_pool images
    expect 1 remove_self_managed_snapshot snap_profile_pool volumes
}

cleanup() {
    rm -f $KEYRING
}

KEYRING=$(mktemp)
trap cleanup EXIT ERR HUP INT QUIT

delete_users
create_users

recreate_pools
test_images_access

recreate_pools
test_volumes_access

test_remove_self_managed_snapshots

delete_pools
delete_users

echo OK
exit 0
Commit	Line	Data
7c673cae FG	1	#!/bin/bash -ex
	2
	3	IMAGE_FEATURES="layering,exclusive-lock,object-map,fast-diff"
	4
	5	create_pools() {
	6	ceph osd pool create images 100
c07f9fc5	7	rbd pool init images
7c673cae	8	ceph osd pool create volumes 100
c07f9fc5	9	rbd pool init volumes
7c673cae FG	10	}
	11
	12	delete_pools() {
	13	(ceph osd pool delete images images --yes-i-really-really-mean-it \|\| true) >/dev/null 2>&1
	14	(ceph osd pool delete volumes volumes --yes-i-really-really-mean-it \|\| true) >/dev/null 2>&1
	15
	16	}
	17
	18	recreate_pools() {
	19	delete_pools
	20	create_pools
	21	}
	22
	23	delete_users() {
	24	(ceph auth del client.volumes \|\| true) >/dev/null 2>&1
	25	(ceph auth del client.images \|\| true) >/dev/null 2>&1
28e407b8 AA	26
	27	(ceph auth del client.snap_none \|\| true) >/dev/null 2>&1
	28	(ceph auth del client.snap_all \|\| true) >/dev/null 2>&1
	29	(ceph auth del client.snap_pool \|\| true) >/dev/null 2>&1
	30	(ceph auth del client.snap_profile_all \|\| true) >/dev/null 2>&1
	31	(ceph auth del client.snap_profile_pool \|\| true) >/dev/null 2>&1
	32
	33	(ceph auth del client.mon_write \|\| true) >/dev/null 2>&1
7c673cae FG	34	}
	35
	36	create_users() {
	37	ceph auth get-or-create client.volumes mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow r class-read pool images, allow rwx pool volumes' >> $KEYRING
	38	ceph auth get-or-create client.images mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool images' >> $KEYRING
28e407b8 AA	39
	40	ceph auth get-or-create client.snap_none mon 'allow r' >> $KEYRING
	41	ceph auth get-or-create client.snap_all mon 'allow r' osd 'allow w' >> $KEYRING
	42	ceph auth get-or-create client.snap_pool mon 'allow r' osd 'allow w pool=images' >> $KEYRING
	43	ceph auth get-or-create client.snap_profile_all mon 'allow r' osd 'profile rbd' >> $KEYRING
	44	ceph auth get-or-create client.snap_profile_pool mon 'allow r' osd 'profile rbd pool=images' >> $KEYRING
	45
	46	ceph auth get-or-create client.mon_write mon 'allow *' >> $KEYRING
7c673cae FG	47	}
	48
	49	expect() {
	50
	51	set +e
	52
	53	local expected_ret=$1
	54	local ret
	55
	56	shift
	57	cmd=$@
	58
	59	eval $cmd
	60	ret=$?
	61
	62	set -e
	63
	64	if [[ $ret -ne $expected_ret ]]; then
	65	echo "ERROR: running \'$cmd\': expected $expected_ret got $ret"
	66	return 1
	67	fi
	68
	69	return 0
	70	}
	71
	72	test_images_access() {
	73	rbd -k $KEYRING --id images create --image-format 2 --image-feature $IMAGE_FEATURES -s 1 images/foo
	74	rbd -k $KEYRING --id images snap create images/foo@snap
	75	rbd -k $KEYRING --id images snap protect images/foo@snap
	76	rbd -k $KEYRING --id images snap unprotect images/foo@snap
	77	rbd -k $KEYRING --id images snap protect images/foo@snap
	78	rbd -k $KEYRING --id images export images/foo@snap - >/dev/null
	79	expect 16 rbd -k $KEYRING --id images snap rm images/foo@snap
	80
	81	rbd -k $KEYRING --id volumes clone --image-feature $IMAGE_FEATURES images/foo@snap volumes/child
	82	expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
	83	expect 1 rbd -k $KEYRING --id volumes snap unprotect images/foo@snap
	84	expect 1 rbd -k $KEYRING --id images flatten volumes/child
	85	rbd -k $KEYRING --id volumes flatten volumes/child
	86	expect 1 rbd -k $KEYRING --id volumes snap unprotect images/foo@snap
	87	rbd -k $KEYRING --id images snap unprotect images/foo@snap
	88
	89	expect 39 rbd -k $KEYRING --id images rm images/foo
	90	rbd -k $KEYRING --id images snap rm images/foo@snap
	91	rbd -k $KEYRING --id images rm images/foo
	92	rbd -k $KEYRING --id volumes rm volumes/child
	93	}
	94
	95	test_volumes_access() {
	96	rbd -k $KEYRING --id images create --image-format 2 --image-feature $IMAGE_FEATURES -s 1 images/foo
	97	rbd -k $KEYRING --id images snap create images/foo@snap
	98	rbd -k $KEYRING --id images snap protect images/foo@snap
	99
	100	# commands that work with read-only access
	101	rbd -k $KEYRING --id volumes info images/foo@snap
	102	rbd -k $KEYRING --id volumes snap ls images/foo
	103	rbd -k $KEYRING --id volumes export images/foo - >/dev/null
	104	rbd -k $KEYRING --id volumes cp images/foo volumes/foo_copy
	105	rbd -k $KEYRING --id volumes rm volumes/foo_copy
	106	rbd -k $KEYRING --id volumes children images/foo@snap
	107	rbd -k $KEYRING --id volumes lock list images/foo
	108
	109	# commands that fail with read-only access
	110	expect 1 rbd -k $KEYRING --id volumes resize -s 2 images/foo --allow-shrink
111	expect 1 rbd -k $KEYRING --id volumes snap create images/foo@2
112	expect 1 rbd -k $KEYRING --id volumes snap rollback images/foo@snap
113	expect 1 rbd -k $KEYRING --id volumes snap remove images/foo@snap
114	expect 1 rbd -k $KEYRING --id volumes snap purge images/foo
115	expect 1 rbd -k $KEYRING --id volumes snap unprotect images/foo@snap
116	expect 1 rbd -k $KEYRING --id volumes flatten images/foo
117	expect 1 rbd -k $KEYRING --id volumes lock add images/foo test
118	expect 1 rbd -k $KEYRING --id volumes lock remove images/foo test locker
119	expect 1 rbd -k $KEYRING --id volumes ls rbd
120
121	# create clone and snapshot
122	rbd -k $KEYRING --id volumes clone --image-feature $IMAGE_FEATURES images/foo@snap volumes/child
123	rbd -k $KEYRING --id volumes snap create volumes/child@snap1
124	rbd -k $KEYRING --id volumes snap protect volumes/child@snap1
125	rbd -k $KEYRING --id volumes snap create volumes/child@snap2
126
127	# make sure original snapshot stays protected
128	expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
129	rbd -k $KEYRING --id volumes flatten volumes/child
130	expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
131	rbd -k $KEYRING --id volumes snap rm volumes/child@snap2
132	expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
133	expect 2 rbd -k $KEYRING --id volumes snap rm volumes/child@snap2
134	rbd -k $KEYRING --id volumes snap unprotect volumes/child@snap1
135	expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
136
137	# clean up
138	rbd -k $KEYRING --id volumes snap rm volumes/child@snap1
139	rbd -k $KEYRING --id images snap unprotect images/foo@snap
140	rbd -k $KEYRING --id images snap rm images/foo@snap
141	rbd -k $KEYRING --id images rm images/foo
142	rbd -k $KEYRING --id volumes rm volumes/child
143	}
144
28e407b8 AA	145	create_self_managed_snapshot() {
	146	ID=$1
	147	POOL=$2
	148
	149	cat << EOF \| CEPH_KEYRING="$KEYRING" python
	150	import rados
	151
	152	cluster = rados.Rados(conffile="", rados_id="${ID}")
	153	cluster.connect()
	154	ioctx = cluster.open_ioctx("${POOL}")
	155
	156	snap_id = ioctx.create_self_managed_snap()
	157	print ("Created snap id {}".format(snap_id))
	158	EOF
	159	}
	160
	161	remove_self_managed_snapshot() {
	162	ID=$1
	163	POOL=$2
	164
	165	cat << EOF \| CEPH_KEYRING="$KEYRING" python
	166	import rados
	167
	168	cluster1 = rados.Rados(conffile="", rados_id="mon_write")
	169	cluster1.connect()
	170	ioctx1 = cluster1.open_ioctx("${POOL}")
	171
	172	snap_id = ioctx1.create_self_managed_snap()
	173	print ("Created snap id {}".format(snap_id))
	174
	175	cluster2 = rados.Rados(conffile="", rados_id="${ID}")
	176	cluster2.connect()
	177	ioctx2 = cluster2.open_ioctx("${POOL}")
	178
	179	ioctx2.remove_self_managed_snap(snap_id)
	180	print ("Removed snap id {}".format(snap_id))
	181	EOF
	182	}
	183
	184	test_remove_self_managed_snapshots() {
	185	# Ensure users cannot create self-managed snapshots w/o permissions
	186	expect 1 create_self_managed_snapshot snap_none images
	187	expect 1 create_self_managed_snapshot snap_none volumes
	188
	189	create_self_managed_snapshot snap_all images
	190	create_self_managed_snapshot snap_all volumes
	191
	192	create_self_managed_snapshot snap_pool images
	193	expect 1 create_self_managed_snapshot snap_pool volumes
	194
	195	create_self_managed_snapshot snap_profile_all images
	196	create_self_managed_snapshot snap_profile_all volumes
	197
	198	create_self_managed_snapshot snap_profile_pool images
	199	expect 1 create_self_managed_snapshot snap_profile_pool volumes
	200
	201	# Ensure users cannot delete self-managed snapshots w/o permissions
	202	expect 1 remove_self_managed_snapshot snap_none images
	203	expect 1 remove_self_managed_snapshot snap_none volumes
	204
	205	remove_self_managed_snapshot snap_all images
	206	remove_self_managed_snapshot snap_all volumes
	207
	208	remove_self_managed_snapshot snap_pool images
209	expect 1 remove_self_managed_snapshot snap_pool volumes
210
211	remove_self_managed_snapshot snap_profile_all images
212	remove_self_managed_snapshot snap_profile_all volumes
213
214	remove_self_managed_snapshot snap_profile_pool images
215	expect 1 remove_self_managed_snapshot snap_profile_pool volumes
216	}
217
7c673cae FG	218	cleanup() {
	219	rm -f $KEYRING
	220	}
28e407b8	221
7c673cae FG	222	KEYRING=$(mktemp)
	223	trap cleanup EXIT ERR HUP INT QUIT
	224
	225	delete_users
	226	create_users
	227
	228	recreate_pools
	229	test_images_access
	230
	231	recreate_pools
	232	test_volumes_access
	233
28e407b8 AA	234	test_remove_self_managed_snapshots
28e407b8 AA	235
7c673cae FG	236	delete_pools
	237	delete_users
	238
	239	echo OK
	240	exit 0