#!/bin/bash -ex

# Feature list handed to `rbd ... --image-feature` for every image and clone
# that the tests in this script create.
IMAGE_FEATURES='layering,exclusive-lock,object-map,fast-diff'
#######################################
# Create the two pools the permission tests operate on and initialise each
# of them for RBD.
# Arguments: none
# Returns:   status of the last ceph/rbd command (the script runs with -e,
#            so any failing step aborts the run)
#######################################
create_pools() {
  local pool
  for pool in images volumes; do
    ceph osd pool create "$pool" 100
    rbd pool init "$pool"
  done
}
#######################################
# Best-effort removal of the test pools.
# Each delete runs in a subshell with its exit status forced to success and
# all output discarded, so a pool that does not exist is not an error.
# NOTE(review): any other delete failure is hidden as well; a later
# create_pools is the first place a leftover pool would show up.
# Arguments: none
# Returns:   0
#######################################
delete_pools() {
  local pool
  for pool in images volumes; do
    (ceph osd pool delete "$pool" "$pool" --yes-i-really-really-mean-it || true) >/dev/null 2>&1
  done
}
#######################################
# Give the next test empty pools: drop whatever is left of the previous
# ones, then create and initialise them again.
# Arguments: none
#######################################
recreate_pools() {
  delete_pools   # best effort, never fails
  create_pools   # must succeed; the tests that follow rely on both pools
}
#######################################
# Best-effort removal of every cephx identity this script creates, so that
# no test credential outlives the run and a rerun starts from a clean state.
# Failures (for example an identity that does not exist) are ignored and
# all output is discarded.
# Arguments: none
# Returns:   0
#######################################
delete_users() {
  local user
  # Same order as the original list: pool users, snapshot users, mon_write.
  for user in volumes images \
      snap_none snap_all snap_pool snap_profile_all snap_profile_pool \
      mon_write; do
    (ceph auth del "client.${user}" || true) >/dev/null 2>&1
  done
}
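#######################################
# Create the cephx identities the tests run as and append the key material
# printed by `ceph auth get-or-create` to the scratch keyring.
# The keyring holds secret keys, so the redirect target is quoted: the
# output always lands in the single file named by KEYRING, never in a
# word-split or glob-expanded path.
# Globals:   KEYRING (read) - path of the keyring file to append to
# Arguments: none
#######################################
create_users() {
  # client.volumes: read and class-read on pool "images", rwx on "volumes".
  ceph auth get-or-create client.volumes mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow r class-read pool images, allow rwx pool volumes' >> "$KEYRING"
  # client.images: rwx on pool "images" only.
  ceph auth get-or-create client.images mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool images' >> "$KEYRING"

  # Identities for the self-managed snapshot tests, from no OSD caps at all
  # up to the rbd profile, each in a cluster-wide and an images-only variant.
  ceph auth get-or-create client.snap_none mon 'allow r' >> "$KEYRING"
  ceph auth get-or-create client.snap_all mon 'allow r' osd 'allow w' >> "$KEYRING"
  ceph auth get-or-create client.snap_pool mon 'allow r' osd 'allow w pool=images' >> "$KEYRING"
  ceph auth get-or-create client.snap_profile_all mon 'allow r' osd 'profile rbd' >> "$KEYRING"
  ceph auth get-or-create client.snap_profile_pool mon 'allow r' osd 'profile rbd pool=images' >> "$KEYRING"

  # Deliberately broad, test-only identity: full monitor caps, no OSD caps.
  # It is the rados_id remove_self_managed_snapshot uses to create the
  # snapshot that the identity under test then tries to remove.
  ceph auth get-or-create client.mon_write mon 'allow *' >> "$KEYRING"
}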
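#######################################
# Run a command and check that it exits with a specific status.
# The command is executed exactly as passed ("$@"): its words are not
# joined into one string and re-parsed by the shell, so an argument that
# contains spaces or shell metacharacters stays a single literal argument.
# Errexit is switched off around the command so that an expected failure
# does not abort the script, and switched on again afterwards.
# Arguments: $1   - expected exit status
#            $2.. - command and its arguments
# Outputs:   an ERROR line on stdout when the status does not match
# Returns:   0 if the status matched, 1 otherwise
#######################################
expect() {
  set +e

  local expected_ret=$1
  local ret
  local cmd

  shift
  # Flattened copy, used only for the error message.
  cmd=$*

  "$@"
  ret=$?

  # As before, errexit is enabled unconditionally on the way out.
  set -e

  if [[ "$ret" -ne "$expected_ret" ]]; then
    # The old message printed stray backslashes before the quotes.
    printf '%s\n' "ERROR: running '$cmd': expected $expected_ret got $ret"
    return 1
  fi

  return 0
}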
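#######################################
# Exercise what client.images and client.volumes may do to a parent image
# in pool "images" and to its clone in pool "volumes".
# Every expansion is quoted so the keyring path and the feature list reach
# rbd as one argument each.
# Expected statuses are the ones the original test pins; presumably they
# are errno values (1 EPERM, 16 EBUSY, 39 ENOTEMPTY) - confirm against rbd.
# Globals:   KEYRING (read), IMAGE_FEATURES (read)
# Arguments: none
#######################################
test_images_access() {
  # client.images has full control of its own pool.
  rbd -k "$KEYRING" --id images create --image-format 2 --image-feature "$IMAGE_FEATURES" -s 1 images/foo
  rbd -k "$KEYRING" --id images snap create images/foo@snap
  rbd -k "$KEYRING" --id images snap protect images/foo@snap
  rbd -k "$KEYRING" --id images snap unprotect images/foo@snap
  rbd -k "$KEYRING" --id images snap protect images/foo@snap
  rbd -k "$KEYRING" --id images export images/foo@snap - >/dev/null
  # A protected snapshot cannot be removed.
  expect 16 rbd -k "$KEYRING" --id images snap rm images/foo@snap

  # client.volumes clones the protected snapshot into its own pool.
  rbd -k "$KEYRING" --id volumes clone --image-feature "$IMAGE_FEATURES" images/foo@snap volumes/child
  # While the clone depends on it, even the owner cannot unprotect.
  expect 16 rbd -k "$KEYRING" --id images snap unprotect images/foo@snap
  # client.volumes must not change the parent pool ...
  expect 1 rbd -k "$KEYRING" --id volumes snap unprotect images/foo@snap
  # ... and client.images must not change the clone.
  expect 1 rbd -k "$KEYRING" --id images flatten volumes/child
  rbd -k "$KEYRING" --id volumes flatten volumes/child
  # After the flatten only the owner of the parent may unprotect it.
  expect 1 rbd -k "$KEYRING" --id volumes snap unprotect images/foo@snap
  rbd -k "$KEYRING" --id images snap unprotect images/foo@snap

  # An image that still has a snapshot cannot be removed.
  expect 39 rbd -k "$KEYRING" --id images rm images/foo
  rbd -k "$KEYRING" --id images snap rm images/foo@snap
  rbd -k "$KEYRING" --id images rm images/foo
  rbd -k "$KEYRING" --id volumes rm volumes/child
}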
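#######################################
# Check that client.volumes, which holds only read/class-read caps on pool
# "images", can read a parent image there but cannot modify it, and that a
# protected parent snapshot stays protected while a clone still needs it.
# Every expansion is quoted so the keyring path and the feature list reach
# rbd as one argument each.
# Expected statuses are the ones the original test pins; presumably they
# are errno values (1 EPERM, 2 ENOENT, 16 EBUSY) - confirm against rbd.
# Globals:   KEYRING (read), IMAGE_FEATURES (read)
# Arguments: none
#######################################
test_volumes_access() {
  rbd -k "$KEYRING" --id images create --image-format 2 --image-feature "$IMAGE_FEATURES" -s 1 images/foo
  rbd -k "$KEYRING" --id images snap create images/foo@snap
  rbd -k "$KEYRING" --id images snap protect images/foo@snap

  # commands that work with read-only access
  rbd -k "$KEYRING" --id volumes info images/foo@snap
  rbd -k "$KEYRING" --id volumes snap ls images/foo
  rbd -k "$KEYRING" --id volumes export images/foo - >/dev/null
  rbd -k "$KEYRING" --id volumes cp images/foo volumes/foo_copy
  rbd -k "$KEYRING" --id volumes rm volumes/foo_copy
  rbd -k "$KEYRING" --id volumes children images/foo@snap
  rbd -k "$KEYRING" --id volumes lock list images/foo

  # commands that fail with read-only access
  expect 1 rbd -k "$KEYRING" --id volumes resize -s 2 images/foo --allow-shrink
  expect 1 rbd -k "$KEYRING" --id volumes snap create images/foo@2
  expect 1 rbd -k "$KEYRING" --id volumes snap rollback images/foo@snap
  expect 1 rbd -k "$KEYRING" --id volumes snap remove images/foo@snap
  expect 1 rbd -k "$KEYRING" --id volumes snap purge images/foo
  expect 1 rbd -k "$KEYRING" --id volumes snap unprotect images/foo@snap
  expect 1 rbd -k "$KEYRING" --id volumes flatten images/foo
  expect 1 rbd -k "$KEYRING" --id volumes lock add images/foo test
  expect 1 rbd -k "$KEYRING" --id volumes lock remove images/foo test locker
  # Pool "rbd" is not named in any of client.volumes' caps.
  expect 1 rbd -k "$KEYRING" --id volumes ls rbd

  # create clone and snapshot
  rbd -k "$KEYRING" --id volumes clone --image-feature "$IMAGE_FEATURES" images/foo@snap volumes/child
  rbd -k "$KEYRING" --id volumes snap create volumes/child@snap1
  rbd -k "$KEYRING" --id volumes snap protect volumes/child@snap1
  rbd -k "$KEYRING" --id volumes snap create volumes/child@snap2

  # make sure original snapshot stays protected: the unprotect keeps
  # failing with 16 until volumes/child@snap1 is removed in the clean-up
  expect 16 rbd -k "$KEYRING" --id images snap unprotect images/foo@snap
  rbd -k "$KEYRING" --id volumes flatten volumes/child
  expect 16 rbd -k "$KEYRING" --id images snap unprotect images/foo@snap
  rbd -k "$KEYRING" --id volumes snap rm volumes/child@snap2
  expect 16 rbd -k "$KEYRING" --id images snap unprotect images/foo@snap
  # The snapshot was removed two lines up, so a second removal must fail.
  expect 2 rbd -k "$KEYRING" --id volumes snap rm volumes/child@snap2
  rbd -k "$KEYRING" --id volumes snap unprotect volumes/child@snap1
  expect 16 rbd -k "$KEYRING" --id images snap unprotect images/foo@snap

  # clean up
  rbd -k "$KEYRING" --id volumes snap rm volumes/child@snap1
  rbd -k "$KEYRING" --id images snap unprotect images/foo@snap
  rbd -k "$KEYRING" --id images snap rm images/foo@snap
  rbd -k "$KEYRING" --id images rm images/foo
  rbd -k "$KEYRING" --id volumes rm volumes/child
}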
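#######################################
# Create a self-managed snapshot in a pool through the Python rados
# binding, authenticating as the given cephx identity.
# The identity and pool are handed to Python as arguments (sys.argv) and
# the heredoc delimiter is quoted, so no shell value is ever spliced into
# the Python source text. Both values are also kept local instead of being
# left behind as the globals ID and POOL.
# Globals:   KEYRING (read) - exported to python as CEPH_KEYRING
# Arguments: $1 - cephx identity without the "client." prefix
#            $2 - pool name
# Outputs:   "Created snap id N" on stdout
# Returns:   exit status of python
#######################################
create_self_managed_snapshot() {
  local id=$1
  local pool=$2

  CEPH_KEYRING="$KEYRING" python - "$id" "$pool" << 'EOF'
import sys

import rados

rados_id, pool = sys.argv[1], sys.argv[2]

cluster = rados.Rados(conffile="", rados_id=rados_id)
cluster.connect()
ioctx = cluster.open_ioctx(pool)

snap_id = ioctx.create_self_managed_snap()
print ("Created snap id {}".format(snap_id))
EOF
}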
161 remove_self_managed_snapshot() {
162 ID=$1
163 POOL=$2
164
165 cat << EOF | CEPH_KEYRING="$KEYRING" python
166 import rados
167
168 cluster1 = rados.Rados(conffile="", rados_id="mon_write")
169 cluster1.connect()
170 ioctx1 = cluster1.open_ioctx("${POOL}")
171
172 snap_id = ioctx1.create_self_managed_snap()
173 print ("Created snap id {}".format(snap_id))
174
175 cluster2 = rados.Rados(conffile="", rados_id="${ID}")
176 cluster2.connect()
177 ioctx2 = cluster2.open_ioctx("${POOL}")
178
179 ioctx2.remove_self_managed_snap(snap_id)
180 print ("Removed snap id {}".format(snap_id))
181 EOF
182 }
#######################################
# Ensure users can neither create nor delete self-managed snapshots
# without permissions.
# The same identity/pool matrix is run twice, first for creation and then
# for removal: an identity with no OSD caps is refused on both pools, a
# cluster-wide identity succeeds on both, and an identity restricted to
# pool "images" succeeds there and is refused on "volumes".
# Arguments: none
#######################################
test_remove_self_managed_snapshots() {
  local action
  for action in create_self_managed_snapshot remove_self_managed_snapshot; do
    # mon 'allow r' only
    expect 1 "$action" snap_none images
    expect 1 "$action" snap_none volumes

    # osd 'allow w'
    "$action" snap_all images
    "$action" snap_all volumes

    # osd 'allow w pool=images'
    "$action" snap_pool images
    expect 1 "$action" snap_pool volumes

    # osd 'profile rbd'
    "$action" snap_profile_all images
    "$action" snap_profile_all volumes

    # osd 'profile rbd pool=images'
    "$action" snap_profile_pool images
    expect 1 "$action" snap_profile_pool volumes
  done
}
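#######################################
# Trap handler: delete the scratch keyring so the test identities' secret
# keys do not stay on disk after the run.
# The path is quoted and preceded by `--`, so exactly the file named by
# KEYRING is removed; an unset or empty KEYRING removes nothing.
# Globals:   KEYRING (read)
# Arguments: none
# Returns:   0 when there is nothing to remove, else the status of rm
#######################################
cleanup() {
  [[ -n "${KEYRING:-}" ]] || return 0
  rm -f -- "$KEYRING"
}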
# Scratch keyring for the test identities. mktemp picks an unpredictable
# name and creates the file for the current user; the trap removes it on
# normal exit, on error and on the listed signals.
KEYRING="$(mktemp)"
trap cleanup EXIT ERR HUP INT QUIT

# Drop identities left over from an earlier run, then create fresh ones.
delete_users
create_users

# Each image-access test starts from freshly created pools.
recreate_pools
test_images_access

recreate_pools
test_volumes_access

# Runs against the pools left by test_volumes_access.
test_remove_self_managed_snapshots

# Tear down: remove the pools and every test identity again.
delete_pools
delete_users

printf 'OK\n'
exit 0