]> git.proxmox.com Git - ceph.git/blob - ceph/qa/workunits/rbd/permissions.sh
projects / ceph.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
bump version to 18.2.2-pve1
[ceph.git] / ceph / qa / workunits / rbd / permissions.sh
1 #!/usr/bin/env bash
2 set -ex
3
4 IMAGE_FEATURES="layering,exclusive-lock,object-map,fast-diff"
5
6 clone_v2_enabled() {
7 image_spec=$1
8 rbd info $image_spec | grep "clone-parent"
9 }
10
11 create_pools() {
12 ceph osd pool create images 32
13 rbd pool init images
14 ceph osd pool create volumes 32
15 rbd pool init volumes
16 }
17
18 delete_pools() {
19 (ceph osd pool delete images images --yes-i-really-really-mean-it || true) >/dev/null 2>&1
20 (ceph osd pool delete volumes volumes --yes-i-really-really-mean-it || true) >/dev/null 2>&1
21
22 }
23
24 recreate_pools() {
25 delete_pools
26 create_pools
27 }
28
29 delete_users() {
30 (ceph auth del client.volumes || true) >/dev/null 2>&1
31 (ceph auth del client.images || true) >/dev/null 2>&1
32
33 (ceph auth del client.snap_none || true) >/dev/null 2>&1
34 (ceph auth del client.snap_all || true) >/dev/null 2>&1
35 (ceph auth del client.snap_pool || true) >/dev/null 2>&1
36 (ceph auth del client.snap_profile_all || true) >/dev/null 2>&1
37 (ceph auth del client.snap_profile_pool || true) >/dev/null 2>&1
38
39 (ceph auth del client.mon_write || true) >/dev/null 2>&1
40 }
41
42 create_users() {
43 ceph auth get-or-create client.volumes \
44 mon 'profile rbd' \
45 osd 'profile rbd pool=volumes, profile rbd-read-only pool=images' \
46 mgr 'profile rbd pool=volumes, profile rbd-read-only pool=images' >> $KEYRING
47 ceph auth get-or-create client.images mon 'profile rbd' osd 'profile rbd pool=images' >> $KEYRING
48
49 ceph auth get-or-create client.snap_none mon 'allow r' >> $KEYRING
50 ceph auth get-or-create client.snap_all mon 'allow r' osd 'allow w' >> $KEYRING
51 ceph auth get-or-create client.snap_pool mon 'allow r' osd 'allow w pool=images' >> $KEYRING
52 ceph auth get-or-create client.snap_profile_all mon 'allow r' osd 'profile rbd' >> $KEYRING
53 ceph auth get-or-create client.snap_profile_pool mon 'allow r' osd 'profile rbd pool=images' >> $KEYRING
54
55 ceph auth get-or-create client.mon_write mon 'allow *' >> $KEYRING
56 }
57
58 expect() {
59
60 set +e
61
62 local expected_ret=$1
63 local ret
64
65 shift
66 cmd=$@
67
68 eval $cmd
69 ret=$?
70
71 set -e
72
73 if [[ $ret -ne $expected_ret ]]; then
74 echo "ERROR: running \'$cmd\': expected $expected_ret got $ret"
75 return 1
76 fi
77
78 return 0
79 }
80
81 test_images_access() {
82 rbd -k $KEYRING --id images create --image-format 2 --image-feature $IMAGE_FEATURES -s 1 images/foo
83 rbd -k $KEYRING --id images snap create images/foo@snap
84 rbd -k $KEYRING --id images snap protect images/foo@snap
85 rbd -k $KEYRING --id images snap unprotect images/foo@snap
86 rbd -k $KEYRING --id images snap protect images/foo@snap
87 rbd -k $KEYRING --id images export images/foo@snap - >/dev/null
88 expect 16 rbd -k $KEYRING --id images snap rm images/foo@snap
89
90 rbd -k $KEYRING --id volumes clone --image-feature $IMAGE_FEATURES images/foo@snap volumes/child
91
92 if ! clone_v2_enabled images/foo; then
93 expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
94 fi
95
96 expect 1 rbd -k $KEYRING --id volumes snap unprotect images/foo@snap
97 expect 1 rbd -k $KEYRING --id images flatten volumes/child
98 rbd -k $KEYRING --id volumes flatten volumes/child
99 expect 1 rbd -k $KEYRING --id volumes snap unprotect images/foo@snap
100 rbd -k $KEYRING --id images snap unprotect images/foo@snap
101
102 expect 39 rbd -k $KEYRING --id images rm images/foo
103 rbd -k $KEYRING --id images snap rm images/foo@snap
104 rbd -k $KEYRING --id images rm images/foo
105 rbd -k $KEYRING --id volumes rm volumes/child
106 }
107
108 test_volumes_access() {
109 rbd -k $KEYRING --id images create --image-format 2 --image-feature $IMAGE_FEATURES -s 1 images/foo
110 rbd -k $KEYRING --id images snap create images/foo@snap
111 rbd -k $KEYRING --id images snap protect images/foo@snap
112
113 # commands that work with read-only access
114 rbd -k $KEYRING --id volumes info images/foo@snap
115 rbd -k $KEYRING --id volumes snap ls images/foo
116 rbd -k $KEYRING --id volumes export images/foo - >/dev/null
117 rbd -k $KEYRING --id volumes cp images/foo volumes/foo_copy
118 rbd -k $KEYRING --id volumes rm volumes/foo_copy
119 rbd -k $KEYRING --id volumes children images/foo@snap
120 rbd -k $KEYRING --id volumes lock list images/foo
121
122 # commands that fail with read-only access
123 expect 1 rbd -k $KEYRING --id volumes resize -s 2 images/foo --allow-shrink
124 expect 1 rbd -k $KEYRING --id volumes snap create images/foo@2
125 expect 1 rbd -k $KEYRING --id volumes snap rollback images/foo@snap
126 expect 1 rbd -k $KEYRING --id volumes snap remove images/foo@snap
127 expect 1 rbd -k $KEYRING --id volumes snap purge images/foo
128 expect 1 rbd -k $KEYRING --id volumes snap unprotect images/foo@snap
129 expect 1 rbd -k $KEYRING --id volumes flatten images/foo
130 expect 1 rbd -k $KEYRING --id volumes lock add images/foo test
131 expect 1 rbd -k $KEYRING --id volumes lock remove images/foo test locker
132 expect 1 rbd -k $KEYRING --id volumes ls rbd
133
134 # create clone and snapshot
135 rbd -k $KEYRING --id volumes clone --image-feature $IMAGE_FEATURES images/foo@snap volumes/child
136 rbd -k $KEYRING --id volumes snap create volumes/child@snap1
137 rbd -k $KEYRING --id volumes snap protect volumes/child@snap1
138 rbd -k $KEYRING --id volumes snap create volumes/child@snap2
139
140 # make sure original snapshot stays protected
141 if clone_v2_enabled images/foo; then
142 rbd -k $KEYRING --id volumes flatten volumes/child
143 rbd -k $KEYRING --id volumes snap rm volumes/child@snap2
144 rbd -k $KEYRING --id volumes snap unprotect volumes/child@snap1
145 else
146 expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
147 rbd -k $KEYRING --id volumes flatten volumes/child
148 expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
149 rbd -k $KEYRING --id volumes snap rm volumes/child@snap2
150 expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
151 expect 2 rbd -k $KEYRING --id volumes snap rm volumes/child@snap2
152 rbd -k $KEYRING --id volumes snap unprotect volumes/child@snap1
153 expect 16 rbd -k $KEYRING --id images snap unprotect images/foo@snap
154 fi
155
156 # clean up
157 rbd -k $KEYRING --id volumes snap rm volumes/child@snap1
158 rbd -k $KEYRING --id images snap unprotect images/foo@snap
159 rbd -k $KEYRING --id images snap rm images/foo@snap
160 rbd -k $KEYRING --id images rm images/foo
161 rbd -k $KEYRING --id volumes rm volumes/child
162 }
163
164 create_self_managed_snapshot() {
165 ID=$1
166 POOL=$2
167
168 cat << EOF | CEPH_ARGS="-k $KEYRING" python3
169 import rados
170
171 with rados.Rados(conffile="", rados_id="${ID}") as cluster:
172 ioctx = cluster.open_ioctx("${POOL}")
173
174 snap_id = ioctx.create_self_managed_snap()
175 print ("Created snap id {}".format(snap_id))
176 EOF
177 }
178
179 remove_self_managed_snapshot() {
180 ID=$1
181 POOL=$2
182
183 cat << EOF | CEPH_ARGS="-k $KEYRING" python3
184 import rados
185
186 with rados.Rados(conffile="", rados_id="mon_write") as cluster1, \
187 rados.Rados(conffile="", rados_id="${ID}") as cluster2:
188 ioctx1 = cluster1.open_ioctx("${POOL}")
189
190 snap_id = ioctx1.create_self_managed_snap()
191 print ("Created snap id {}".format(snap_id))
192
193 ioctx2 = cluster2.open_ioctx("${POOL}")
194
195 ioctx2.remove_self_managed_snap(snap_id)
196 print ("Removed snap id {}".format(snap_id))
197 EOF
198 }
199
200 test_remove_self_managed_snapshots() {
201 # Ensure users cannot create self-managed snapshots w/o permissions
202 expect 1 create_self_managed_snapshot snap_none images
203 expect 1 create_self_managed_snapshot snap_none volumes
204
205 create_self_managed_snapshot snap_all images
206 create_self_managed_snapshot snap_all volumes
207
208 create_self_managed_snapshot snap_pool images
209 expect 1 create_self_managed_snapshot snap_pool volumes
210
211 create_self_managed_snapshot snap_profile_all images
212 create_self_managed_snapshot snap_profile_all volumes
213
214 create_self_managed_snapshot snap_profile_pool images
215 expect 1 create_self_managed_snapshot snap_profile_pool volumes
216
217 # Ensure users cannot delete self-managed snapshots w/o permissions
218 expect 1 remove_self_managed_snapshot snap_none images
219 expect 1 remove_self_managed_snapshot snap_none volumes
220
221 remove_self_managed_snapshot snap_all images
222 remove_self_managed_snapshot snap_all volumes
223
224 remove_self_managed_snapshot snap_pool images
225 expect 1 remove_self_managed_snapshot snap_pool volumes
226
227 remove_self_managed_snapshot snap_profile_all images
228 remove_self_managed_snapshot snap_profile_all volumes
229
230 remove_self_managed_snapshot snap_profile_pool images
231 expect 1 remove_self_managed_snapshot snap_profile_pool volumes
232 }
233
234 test_rbd_support() {
235 # read-only commands should work on both pools
236 ceph -k $KEYRING --id volumes rbd perf image stats volumes
237 ceph -k $KEYRING --id volumes rbd perf image stats images
238
239 # read/write commands should only work on 'volumes'
240 rbd -k $KEYRING --id volumes create --image-format 2 --image-feature $IMAGE_FEATURES -s 1 volumes/foo
241 ceph -k $KEYRING --id volumes rbd task add remove volumes/foo
242 expect 13 ceph -k $KEYRING --id volumes rbd task add remove images/foo
243 }
244
245 cleanup() {
246 rm -f $KEYRING
247 }
248
249 KEYRING=$(mktemp)
250 trap cleanup EXIT ERR HUP INT QUIT
251
252 delete_users
253 create_users
254
255 recreate_pools
256 test_images_access
257
258 recreate_pools
259 test_volumes_access
260
261 test_remove_self_managed_snapshots
262
263 test_rbd_support
264
265 delete_pools
266 delete_users
267
268 echo OK
269 exit 0
Ceph