mirrors/ceph-csi
1
0
Fork 0
mirror of https://github.com/ceph/ceph-csi.git synced 2024-11-09 16:00:22 +00:00
Code Issues Packages Projects Releases Wiki Activity
devel
ceph-csi/internal/util/credentials.go

175 lines
5.2 KiB
Go
Raw Permalink Normal View History

added cephfs/credentials
2018-04-13 12:31:03 +00:00
/*
Replaces the references to the Kubernete Authors with the Ceph-CSI authors
2019-04-03 08:46:15 +00:00
Copyright 2018 The Ceph-CSI Authors.
added cephfs/credentials
2018-04-13 12:31:03 +00:00
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
Modify RBD plugin to use a single ID and move the id and key into the secret RBD plugin needs only a single ID to manage images and operations against a pool, mentioned in the storage class. The current scheme of 2 IDs is hence not needed and removed in this commit. Further, unlike CephFS plugin, the RBD plugin splits the user id and the key into the storage class and the secret respectively. Also the parameter name for the key in the secret is noted in the storageclass making it a variant and hampers usability/comprehension. This is also fixed by moving the id and the key to the secret and not retaining the same in the storage class, like CephFS. Fixes #270 Testing done: - Basic PVC creation and mounting Signed-off-by: ShyamsundarR <srangana@redhat.com>
2019-06-01 21:26:42 +00:00
package util
added cephfs/credentials
2018-04-13 12:31:03 +00:00
Modify RBD plugin to use a single ID and move the id and key into the secret RBD plugin needs only a single ID to manage images and operations against a pool, mentioned in the storage class. The current scheme of 2 IDs is hence not needed and removed in this commit. Further, unlike CephFS plugin, the RBD plugin splits the user id and the key into the storage class and the secret respectively. Also the parameter name for the key in the secret is noted in the storageclass making it a variant and hampers usability/comprehension. This is also fixed by moving the id and the key to the secret and not retaining the same in the storage class, like CephFS. Fixes #270 Testing done: - Basic PVC creation and mounting Signed-off-by: ShyamsundarR <srangana@redhat.com>
2019-06-01 21:26:42 +00:00
import (
Add a check for nil secrets Improve the error message if secrets are not provided in request Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2019-09-25 14:45:19 +00:00
"errors"
Modify RBD plugin to use a single ID and move the id and key into the secret RBD plugin needs only a single ID to manage images and operations against a pool, mentioned in the storage class. The current scheme of 2 IDs is hence not needed and removed in this commit. Further, unlike CephFS plugin, the RBD plugin splits the user id and the key into the storage class and the secret respectively. Also the parameter name for the key in the secret is noted in the storageclass making it a variant and hampers usability/comprehension. This is also fixed by moving the id and the key to the secret and not retaining the same in the storage class, like CephFS. Fixes #270 Testing done: - Basic PVC creation and mounting Signed-off-by: ShyamsundarR <srangana@redhat.com>
2019-06-01 21:26:42 +00:00
"fmt"
Use --keyfile option to pass keys to all Ceph CLIs Every Ceph CLI that is invoked at present passes the key via the --key option, and hence is exposed to key being displayed on the host using a ps command or such means. This commit addresses this issue by stashing the key in a tmp file, which is again created on a tmpfs (or empty dir backed by memory). Further using such tmp files as arguments to the --keyfile option for every CLI that is invoked. This prevents the key from being visible as part of the argument list of the invoked program on the system. Fixes: #318 Signed-off-by: ShyamsundarR <srangana@redhat.com>
2019-06-25 19:29:17 +00:00
"os"
Modify RBD plugin to use a single ID and move the id and key into the secret RBD plugin needs only a single ID to manage images and operations against a pool, mentioned in the storage class. The current scheme of 2 IDs is hence not needed and removed in this commit. Further, unlike CephFS plugin, the RBD plugin splits the user id and the key into the storage class and the secret respectively. Also the parameter name for the key in the secret is noted in the storageclass making it a variant and hampers usability/comprehension. This is also fixed by moving the id and the key to the secret and not retaining the same in the storage class, like CephFS. Fixes #270 Testing done: - Basic PVC creation and mounting Signed-off-by: ShyamsundarR <srangana@redhat.com>
2019-06-01 21:26:42 +00:00
)
added cephfs/credentials
2018-04-13 12:31:03 +00:00
const (
Use --keyfile option to pass keys to all Ceph CLIs Every Ceph CLI that is invoked at present passes the key via the --key option, and hence is exposed to key being displayed on the host using a ps command or such means. This commit addresses this issue by stashing the key in a tmp file, which is again created on a tmpfs (or empty dir backed by memory). Further using such tmp files as arguments to the --keyfile option for every CLI that is invoked. This prevents the key from being visible as part of the argument list of the invoked program on the system. Fixes: #318 Signed-off-by: ShyamsundarR <srangana@redhat.com>
2019-06-25 19:29:17 +00:00
credUserID = "userID"
credUserKey = "userKey"
credAdminID = "adminID"
credAdminKey = "adminKey"
credMonitors = "monitors"
tmpKeyFileLocation = "/tmp/csi/keys"
tmpKeyFileNamePrefix = "keyfile-"
rbd: parse migration secret and set it for controller server operations This commit adds a couple of helper functions to parse the migration request secret and set it for further csi driver operations. More details: The intree secret has a data field called "key" which is the base64 admin secret key. The ceph CSI driver currently expect the secret to contain data field "UserKey" for the equivalant. The CSI driver also expect the "UserID" field which is not available in the in-tree secret by deafult. This missing userID will be filled (if the username differ than 'admin') in the migration secret as 'adminId' field in the migration request, this commit adds the logic to parse this migration secret as below: "key" field value will be picked up from the migraion secret to "UserKey" field. "adminId" field value will be picked up from the migration secret to "UserID" field if `adminId` field is nil or not set, `UserID` field will be filled with default value ie `admin`.The above logic get activated only when the secret is a migration secret, otherwise skipped to the normal workflow as we have today. Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2021-10-24 08:48:28 +00:00
migUserName = "admin"
migUserID = "adminId"
migUserKey = "key"
added cephfs/credentials
2018-04-13 12:31:03 +00:00
)
cleanup: fix golint warnings in util, e2e util: golint warns about exported methods to have a comment or to unexport them. e2e: golint warns about package comment to be of the form "Package e2e ..." Reported-by: https://goreportcard.com/report/github.com/ceph/ceph-csi Updates: #975 Signed-off-by: Yug Gupta <ygupta@redhat.com>
2020-05-20 07:21:01 +00:00
// Credentials struct represents credentials to access the ceph cluster.
Modify RBD plugin to use a single ID and move the id and key into the secret RBD plugin needs only a single ID to manage images and operations against a pool, mentioned in the storage class. The current scheme of 2 IDs is hence not needed and removed in this commit. Further, unlike CephFS plugin, the RBD plugin splits the user id and the key into the storage class and the secret respectively. Also the parameter name for the key in the secret is noted in the storageclass making it a variant and hampers usability/comprehension. This is also fixed by moving the id and the key to the secret and not retaining the same in the storage class, like CephFS. Fixes #270 Testing done: - Basic PVC creation and mounting Signed-off-by: ShyamsundarR <srangana@redhat.com>
2019-06-01 21:26:42 +00:00
type Credentials struct {
Use --keyfile option to pass keys to all Ceph CLIs Every Ceph CLI that is invoked at present passes the key via the --key option, and hence is exposed to key being displayed on the host using a ps command or such means. This commit addresses this issue by stashing the key in a tmp file, which is again created on a tmpfs (or empty dir backed by memory). Further using such tmp files as arguments to the --keyfile option for every CLI that is invoked. This prevents the key from being visible as part of the argument list of the invoked program on the system. Fixes: #318 Signed-off-by: ShyamsundarR <srangana@redhat.com>
2019-06-25 19:29:17 +00:00
ID string
KeyFile string
added cephfs/credentials
2018-04-13 12:31:03 +00:00
}
Use --keyfile option to pass keys to all Ceph CLIs Every Ceph CLI that is invoked at present passes the key via the --key option, and hence is exposed to key being displayed on the host using a ps command or such means. This commit addresses this issue by stashing the key in a tmp file, which is again created on a tmpfs (or empty dir backed by memory). Further using such tmp files as arguments to the --keyfile option for every CLI that is invoked. This prevents the key from being visible as part of the argument list of the invoked program on the system. Fixes: #318 Signed-off-by: ShyamsundarR <srangana@redhat.com>
2019-06-25 19:29:17 +00:00
func storeKey(key string) (string, error) {
cleanup: fix static checks fix SA1019 static check to replace io/utils with os package Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2023-02-01 17:10:01 +00:00
tmpfile, err := os.CreateTemp(tmpKeyFileLocation, tmpKeyFileNamePrefix)
Use --keyfile option to pass keys to all Ceph CLIs Every Ceph CLI that is invoked at present passes the key via the --key option, and hence is exposed to key being displayed on the host using a ps command or such means. This commit addresses this issue by stashing the key in a tmp file, which is again created on a tmpfs (or empty dir backed by memory). Further using such tmp files as arguments to the --keyfile option for every CLI that is invoked. This prevents the key from being visible as part of the argument list of the invoked program on the system. Fixes: #318 Signed-off-by: ShyamsundarR <srangana@redhat.com>
2019-06-25 19:29:17 +00:00
if err != nil {
cleanup: return error type in util.storeKey() Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-08 14:12:38 +00:00
return "", fmt.Errorf("error creating a temporary keyfile: %w", err)
Use --keyfile option to pass keys to all Ceph CLIs Every Ceph CLI that is invoked at present passes the key via the --key option, and hence is exposed to key being displayed on the host using a ps command or such means. This commit addresses this issue by stashing the key in a tmp file, which is again created on a tmpfs (or empty dir backed by memory). Further using such tmp files as arguments to the --keyfile option for every CLI that is invoked. This prevents the key from being visible as part of the argument list of the invoked program on the system. Fixes: #318 Signed-off-by: ShyamsundarR <srangana@redhat.com>
2019-06-25 19:29:17 +00:00
}
defer func() {
if err != nil {
Address security concerns reported by 'gosec' gosec reports several issues, none of them looks very critical. With this change the following concerns have been addressed: [pkg/cephfs/nodeserver.go:229] - G302: Expect file permissions to be 0600 or less (Confidence: HIGH, Severity: MEDIUM) > os.Chmod(targetPath, 0777) [pkg/cephfs/util.go:39] - G204: Subprocess launched with variable (Confidence: HIGH, Severity: MEDIUM) > exec.Command(program, args...) [pkg/rbd/nodeserver.go:156] - G302: Expect file permissions to be 0600 or less (Confidence: HIGH, Severity: MEDIUM) > os.Chmod(stagingTargetPath, 0777) [pkg/rbd/nodeserver.go:205] - G302: Expect file permissions to be 0600 or less (Confidence: HIGH, Severity: MEDIUM) > os.OpenFile(mountPath, os.O_CREATE|os.O_RDWR, 0750) [pkg/rbd/rbd_util.go:797] - G304: Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM) > ioutil.ReadFile(fPath) [pkg/util/cephcmds.go:35] - G204: Subprocess launched with variable (Confidence: HIGH, Severity: MEDIUM) > exec.Command(program, args...) [pkg/util/credentials.go:47] - G104: Errors unhandled. (Confidence: HIGH, Severity: LOW) > os.Remove(tmpfile.Name()) [pkg/util/credentials.go:92] - G104: Errors unhandled. (Confidence: HIGH, Severity: LOW) > os.Remove(cr.KeyFile) [pkg/util/pidlimit.go:74] - G304: Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM) > os.Open(pidsMax) URL: https://github.com/securego/gosec Signed-off-by: Niels de Vos <ndevos@redhat.com>
2019-08-30 10:23:10 +00:00
// don't complain about unhandled error
_ = os.Remove(tmpfile.Name())
Use --keyfile option to pass keys to all Ceph CLIs Every Ceph CLI that is invoked at present passes the key via the --key option, and hence is exposed to key being displayed on the host using a ps command or such means. This commit addresses this issue by stashing the key in a tmp file, which is again created on a tmpfs (or empty dir backed by memory). Further using such tmp files as arguments to the --keyfile option for every CLI that is invoked. This prevents the key from being visible as part of the argument list of the invoked program on the system. Fixes: #318 Signed-off-by: ShyamsundarR <srangana@redhat.com>
2019-06-25 19:29:17 +00:00
}
}()
cleanup: use WriteString instead of Write use WriteString instead of Write for the temp files. Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2022-01-21 09:34:41 +00:00
if _, err = tmpfile.WriteString(key); err != nil {
cleanup: return error type in util.storeKey() Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-08 14:12:38 +00:00
return "", fmt.Errorf("error writing key to temporary keyfile: %w", err)
Use --keyfile option to pass keys to all Ceph CLIs Every Ceph CLI that is invoked at present passes the key via the --key option, and hence is exposed to key being displayed on the host using a ps command or such means. This commit addresses this issue by stashing the key in a tmp file, which is again created on a tmpfs (or empty dir backed by memory). Further using such tmp files as arguments to the --keyfile option for every CLI that is invoked. This prevents the key from being visible as part of the argument list of the invoked program on the system. Fixes: #318 Signed-off-by: ShyamsundarR <srangana@redhat.com>
2019-06-25 19:29:17 +00:00
}
keyFile := tmpfile.Name()
if keyFile == "" {
cleanup: return error type in util.storeKey() Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-08 14:12:38 +00:00
err = fmt.Errorf("error reading temporary filename for key: %w", err)
cleanup: resolve nlreturn linter issues nlreturn linter requires a new line before return and branch statements except when the return is alone inside a statement group (such as an if statement) to increase code clarity. This commit addresses such issues. Updates: #1586 Signed-off-by: Rakshith R <rar@redhat.com>
2021-07-22 05:45:17 +00:00
Use --keyfile option to pass keys to all Ceph CLIs Every Ceph CLI that is invoked at present passes the key via the --key option, and hence is exposed to key being displayed on the host using a ps command or such means. This commit addresses this issue by stashing the key in a tmp file, which is again created on a tmpfs (or empty dir backed by memory). Further using such tmp files as arguments to the --keyfile option for every CLI that is invoked. This prevents the key from being visible as part of the argument list of the invoked program on the system. Fixes: #318 Signed-off-by: ShyamsundarR <srangana@redhat.com>
2019-06-25 19:29:17 +00:00
return "", err
}
if err = tmpfile.Close(); err != nil {
cleanup: return error type in util.storeKey() Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-08 14:12:38 +00:00
return "", fmt.Errorf("error closing temporary filename: %w", err)
Use --keyfile option to pass keys to all Ceph CLIs Every Ceph CLI that is invoked at present passes the key via the --key option, and hence is exposed to key being displayed on the host using a ps command or such means. This commit addresses this issue by stashing the key in a tmp file, which is again created on a tmpfs (or empty dir backed by memory). Further using such tmp files as arguments to the --keyfile option for every CLI that is invoked. This prevents the key from being visible as part of the argument list of the invoked program on the system. Fixes: #318 Signed-off-by: ShyamsundarR <srangana@redhat.com>
2019-06-25 19:29:17 +00:00
}
return keyFile, nil
}
func newCredentialsFromSecret(idField, keyField string, secrets map[string]string) (*Credentials, error) {
added cephfs/credentials
2018-04-13 12:31:03 +00:00
var (
Modify RBD plugin to use a single ID and move the id and key into the secret RBD plugin needs only a single ID to manage images and operations against a pool, mentioned in the storage class. The current scheme of 2 IDs is hence not needed and removed in this commit. Further, unlike CephFS plugin, the RBD plugin splits the user id and the key into the storage class and the secret respectively. Also the parameter name for the key in the secret is noted in the storageclass making it a variant and hampers usability/comprehension. This is also fixed by moving the id and the key to the secret and not retaining the same in the storage class, like CephFS. Fixes #270 Testing done: - Basic PVC creation and mounting Signed-off-by: ShyamsundarR <srangana@redhat.com>
2019-06-01 21:26:42 +00:00
c = &Credentials{}
added cephfs/credentials
2018-04-13 12:31:03 +00:00
ok bool
)
Add a check for nil secrets Improve the error message if secrets are not provided in request Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2019-09-25 14:45:19 +00:00
if len(secrets) == 0 {
return nil, errors.New("provided secret is empty")
}
Modify RBD plugin to use a single ID and move the id and key into the secret RBD plugin needs only a single ID to manage images and operations against a pool, mentioned in the storage class. The current scheme of 2 IDs is hence not needed and removed in this commit. Further, unlike CephFS plugin, the RBD plugin splits the user id and the key into the storage class and the secret respectively. Also the parameter name for the key in the secret is noted in the storageclass making it a variant and hampers usability/comprehension. This is also fixed by moving the id and the key to the secret and not retaining the same in the storage class, like CephFS. Fixes #270 Testing done: - Basic PVC creation and mounting Signed-off-by: ShyamsundarR <srangana@redhat.com>
2019-06-01 21:26:42 +00:00
if c.ID, ok = secrets[idField]; !ok {
added cephfs/credentials
2018-04-13 12:31:03 +00:00
return nil, fmt.Errorf("missing ID field '%s' in secrets", idField)
}
Use --keyfile option to pass keys to all Ceph CLIs Every Ceph CLI that is invoked at present passes the key via the --key option, and hence is exposed to key being displayed on the host using a ps command or such means. This commit addresses this issue by stashing the key in a tmp file, which is again created on a tmpfs (or empty dir backed by memory). Further using such tmp files as arguments to the --keyfile option for every CLI that is invoked. This prevents the key from being visible as part of the argument list of the invoked program on the system. Fixes: #318 Signed-off-by: ShyamsundarR <srangana@redhat.com>
2019-06-25 19:29:17 +00:00
key := secrets[keyField]
if key == "" {
added cephfs/credentials
2018-04-13 12:31:03 +00:00
return nil, fmt.Errorf("missing key field '%s' in secrets", keyField)
}
Use --keyfile option to pass keys to all Ceph CLIs Every Ceph CLI that is invoked at present passes the key via the --key option, and hence is exposed to key being displayed on the host using a ps command or such means. This commit addresses this issue by stashing the key in a tmp file, which is again created on a tmpfs (or empty dir backed by memory). Further using such tmp files as arguments to the --keyfile option for every CLI that is invoked. This prevents the key from being visible as part of the argument list of the invoked program on the system. Fixes: #318 Signed-off-by: ShyamsundarR <srangana@redhat.com>
2019-06-25 19:29:17 +00:00
keyFile, err := storeKey(key)
if err == nil {
c.KeyFile = keyFile
}
return c, err
added cephfs/credentials
2018-04-13 12:31:03 +00:00
}
cleanup: fix golint warnings in util, e2e util: golint warns about exported methods to have a comment or to unexport them. e2e: golint warns about package comment to be of the form "Package e2e ..." Reported-by: https://goreportcard.com/report/github.com/ceph/ceph-csi Updates: #975 Signed-off-by: Yug Gupta <ygupta@redhat.com>
2020-05-20 07:21:01 +00:00
// DeleteCredentials removes the KeyFile.
Use --keyfile option to pass keys to all Ceph CLIs Every Ceph CLI that is invoked at present passes the key via the --key option, and hence is exposed to key being displayed on the host using a ps command or such means. This commit addresses this issue by stashing the key in a tmp file, which is again created on a tmpfs (or empty dir backed by memory). Further using such tmp files as arguments to the --keyfile option for every CLI that is invoked. This prevents the key from being visible as part of the argument list of the invoked program on the system. Fixes: #318 Signed-off-by: ShyamsundarR <srangana@redhat.com>
2019-06-25 19:29:17 +00:00
func (cr *Credentials) DeleteCredentials() {
Address security concerns reported by 'gosec' gosec reports several issues, none of them looks very critical. With this change the following concerns have been addressed: [pkg/cephfs/nodeserver.go:229] - G302: Expect file permissions to be 0600 or less (Confidence: HIGH, Severity: MEDIUM) > os.Chmod(targetPath, 0777) [pkg/cephfs/util.go:39] - G204: Subprocess launched with variable (Confidence: HIGH, Severity: MEDIUM) > exec.Command(program, args...) [pkg/rbd/nodeserver.go:156] - G302: Expect file permissions to be 0600 or less (Confidence: HIGH, Severity: MEDIUM) > os.Chmod(stagingTargetPath, 0777) [pkg/rbd/nodeserver.go:205] - G302: Expect file permissions to be 0600 or less (Confidence: HIGH, Severity: MEDIUM) > os.OpenFile(mountPath, os.O_CREATE|os.O_RDWR, 0750) [pkg/rbd/rbd_util.go:797] - G304: Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM) > ioutil.ReadFile(fPath) [pkg/util/cephcmds.go:35] - G204: Subprocess launched with variable (Confidence: HIGH, Severity: MEDIUM) > exec.Command(program, args...) [pkg/util/credentials.go:47] - G104: Errors unhandled. (Confidence: HIGH, Severity: LOW) > os.Remove(tmpfile.Name()) [pkg/util/credentials.go:92] - G104: Errors unhandled. (Confidence: HIGH, Severity: LOW) > os.Remove(cr.KeyFile) [pkg/util/pidlimit.go:74] - G304: Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM) > os.Open(pidsMax) URL: https://github.com/securego/gosec Signed-off-by: Niels de Vos <ndevos@redhat.com>
2019-08-30 10:23:10 +00:00
// don't complain about unhandled error
_ = os.Remove(cr.KeyFile)
added cephfs/credentials
2018-04-13 12:31:03 +00:00
}
cleanup: fix golint warnings in util, e2e util: golint warns about exported methods to have a comment or to unexport them. e2e: golint warns about package comment to be of the form "Package e2e ..." Reported-by: https://goreportcard.com/report/github.com/ceph/ceph-csi Updates: #975 Signed-off-by: Yug Gupta <ygupta@redhat.com>
2020-05-20 07:21:01 +00:00
// NewUserCredentials creates new user credentials from secret.
Use --keyfile option to pass keys to all Ceph CLIs Every Ceph CLI that is invoked at present passes the key via the --key option, and hence is exposed to key being displayed on the host using a ps command or such means. This commit addresses this issue by stashing the key in a tmp file, which is again created on a tmpfs (or empty dir backed by memory). Further using such tmp files as arguments to the --keyfile option for every CLI that is invoked. This prevents the key from being visible as part of the argument list of the invoked program on the system. Fixes: #318 Signed-off-by: ShyamsundarR <srangana@redhat.com>
2019-06-25 19:29:17 +00:00
func NewUserCredentials(secrets map[string]string) (*Credentials, error) {
return newCredentialsFromSecret(credUserID, credUserKey, secrets)
}
cleanup: fix golint warnings in util, e2e util: golint warns about exported methods to have a comment or to unexport them. e2e: golint warns about package comment to be of the form "Package e2e ..." Reported-by: https://goreportcard.com/report/github.com/ceph/ceph-csi Updates: #975 Signed-off-by: Yug Gupta <ygupta@redhat.com>
2020-05-20 07:21:01 +00:00
// NewAdminCredentials creates new admin credentials from secret.
Use --keyfile option to pass keys to all Ceph CLIs Every Ceph CLI that is invoked at present passes the key via the --key option, and hence is exposed to key being displayed on the host using a ps command or such means. This commit addresses this issue by stashing the key in a tmp file, which is again created on a tmpfs (or empty dir backed by memory). Further using such tmp files as arguments to the --keyfile option for every CLI that is invoked. This prevents the key from being visible as part of the argument list of the invoked program on the system. Fixes: #318 Signed-off-by: ShyamsundarR <srangana@redhat.com>
2019-06-25 19:29:17 +00:00
func NewAdminCredentials(secrets map[string]string) (*Credentials, error) {
return newCredentialsFromSecret(credAdminID, credAdminKey, secrets)
}
cleanup: fix golint warnings in util, e2e util: golint warns about exported methods to have a comment or to unexport them. e2e: golint warns about package comment to be of the form "Package e2e ..." Reported-by: https://goreportcard.com/report/github.com/ceph/ceph-csi Updates: #975 Signed-off-by: Yug Gupta <ygupta@redhat.com>
2020-05-20 07:21:01 +00:00
// GetMonValFromSecret returns monitors from secret.
Modify RBD plugin to use a single ID and move the id and key into the secret RBD plugin needs only a single ID to manage images and operations against a pool, mentioned in the storage class. The current scheme of 2 IDs is hence not needed and removed in this commit. Further, unlike CephFS plugin, the RBD plugin splits the user id and the key into the storage class and the secret respectively. Also the parameter name for the key in the secret is noted in the storageclass making it a variant and hampers usability/comprehension. This is also fixed by moving the id and the key to the secret and not retaining the same in the storage class, like CephFS. Fixes #270 Testing done: - Basic PVC creation and mounting Signed-off-by: ShyamsundarR <srangana@redhat.com>
2019-06-01 21:26:42 +00:00
func GetMonValFromSecret(secrets map[string]string) (string, error) {
allow ceph mon stored in secret so when mon changes, cephfs driver can get latest mons and override old ones Signed-off-by: Huamin Chen <hchen@redhat.com>
2019-01-18 15:27:48 +00:00
if mons, ok := secrets[credMonitors]; ok {
return mons, nil
}
cleanup: resolve nlreturn linter issues nlreturn linter requires a new line before return and branch statements except when the return is alone inside a statement group (such as an if statement) to increase code clarity. This commit addresses such issues. Updates: #1586 Signed-off-by: Rakshith R <rar@redhat.com>
2021-07-22 05:45:17 +00:00
allow ceph mon stored in secret so when mon changes, cephfs driver can get latest mons and override old ones Signed-off-by: Huamin Chen <hchen@redhat.com>
2019-01-18 15:27:48 +00:00
return "", fmt.Errorf("missing %q", credMonitors)
}
rbd: parse migration secret and set it for controller server operations This commit adds a couple of helper functions to parse the migration request secret and set it for further csi driver operations. More details: The intree secret has a data field called "key" which is the base64 admin secret key. The ceph CSI driver currently expect the secret to contain data field "UserKey" for the equivalant. The CSI driver also expect the "UserID" field which is not available in the in-tree secret by deafult. This missing userID will be filled (if the username differ than 'admin') in the migration secret as 'adminId' field in the migration request, this commit adds the logic to parse this migration secret as below: "key" field value will be picked up from the migraion secret to "UserKey" field. "adminId" field value will be picked up from the migration secret to "UserID" field if `adminId` field is nil or not set, `UserID` field will be filled with default value ie `admin`.The above logic get activated only when the secret is a migration secret, otherwise skipped to the normal workflow as we have today. Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2021-10-24 08:48:28 +00:00
// ParseAndSetSecretMapFromMigSecret parse the secretmap from the migration request and return
// newsecretmap with the userID and userKey fields set.
func ParseAndSetSecretMapFromMigSecret(secretmap map[string]string) (map[string]string, error) {
newSecretMap := make(map[string]string)
// parse and set userKey
rbd: add migration secret support to controllerserver functions This commit adds the migration secret request validation to expand, create controller functions. Ref # https://github.com/ceph/ceph-csi/issues/2509 Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2021-11-19 04:40:12 +00:00
if !isMigrationSecret(secretmap) {
rbd: parse migration secret and set it for controller server operations This commit adds a couple of helper functions to parse the migration request secret and set it for further csi driver operations. More details: The intree secret has a data field called "key" which is the base64 admin secret key. The ceph CSI driver currently expect the secret to contain data field "UserKey" for the equivalant. The CSI driver also expect the "UserID" field which is not available in the in-tree secret by deafult. This missing userID will be filled (if the username differ than 'admin') in the migration secret as 'adminId' field in the migration request, this commit adds the logic to parse this migration secret as below: "key" field value will be picked up from the migraion secret to "UserKey" field. "adminId" field value will be picked up from the migration secret to "UserID" field if `adminId` field is nil or not set, `UserID` field will be filled with default value ie `admin`.The above logic get activated only when the secret is a migration secret, otherwise skipped to the normal workflow as we have today. Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2021-10-24 08:48:28 +00:00
return nil, errors.New("passed secret map does not contain user key or it is nil")
}
newSecretMap[credUserKey] = secretmap[migUserKey]
// parse and set the userID
newSecretMap[credUserID] = migUserName
if secretmap[migUserID] != "" {
newSecretMap[credUserID] = secretmap[migUserID]
}
return newSecretMap, nil
}
rbd: add migration secret support to controllerserver functions This commit adds the migration secret request validation to expand, create controller functions. Ref # https://github.com/ceph/ceph-csi/issues/2509 Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2021-11-19 04:40:12 +00:00
// isMigrationSecret validates if the passed in secretmap is a secret
rbd: parse migration secret and set it for controller server operations This commit adds a couple of helper functions to parse the migration request secret and set it for further csi driver operations. More details: The intree secret has a data field called "key" which is the base64 admin secret key. The ceph CSI driver currently expect the secret to contain data field "UserKey" for the equivalant. The CSI driver also expect the "UserID" field which is not available in the in-tree secret by deafult. This missing userID will be filled (if the username differ than 'admin') in the migration secret as 'adminId' field in the migration request, this commit adds the logic to parse this migration secret as below: "key" field value will be picked up from the migraion secret to "UserKey" field. "adminId" field value will be picked up from the migration secret to "UserID" field if `adminId` field is nil or not set, `UserID` field will be filled with default value ie `admin`.The above logic get activated only when the secret is a migration secret, otherwise skipped to the normal workflow as we have today. Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2021-10-24 08:48:28 +00:00
// of a migration volume request. The migration secret carry a field
// called `key` which is the equivalent of `userKey` which is what we
// check here for identifying the secret.
rbd: add migration secret support to controllerserver functions This commit adds the migration secret request validation to expand, create controller functions. Ref # https://github.com/ceph/ceph-csi/issues/2509 Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2021-11-19 04:40:12 +00:00
func isMigrationSecret(secrets map[string]string) bool {
rbd: parse migration secret and set it for controller server operations This commit adds a couple of helper functions to parse the migration request secret and set it for further csi driver operations. More details: The intree secret has a data field called "key" which is the base64 admin secret key. The ceph CSI driver currently expect the secret to contain data field "UserKey" for the equivalant. The CSI driver also expect the "UserID" field which is not available in the in-tree secret by deafult. This missing userID will be filled (if the username differ than 'admin') in the migration secret as 'adminId' field in the migration request, this commit adds the logic to parse this migration secret as below: "key" field value will be picked up from the migraion secret to "UserKey" field. "adminId" field value will be picked up from the migration secret to "UserID" field if `adminId` field is nil or not set, `UserID` field will be filled with default value ie `admin`.The above logic get activated only when the secret is a migration secret, otherwise skipped to the normal workflow as we have today. Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2021-10-24 08:48:28 +00:00
// the below 'nil' check is an extra measure as the request validators like
// ValidateNodeStageVolumeRequest() already does the nil check, however considering
// this function can be called independently with a map of secret values
// it is good to have this check in place, also it gives clear error about this
// was hit on migration request compared to general one.
rbd: add migration secret support to controllerserver functions This commit adds the migration secret request validation to expand, create controller functions. Ref # https://github.com/ceph/ceph-csi/issues/2509 Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2021-11-19 04:40:12 +00:00
return len(secrets) != 0 && secrets[migUserKey] != ""
}
// NewUserCredentialsWithMigration takes secret map from the request and validate it is
// a migration secret, if yes, it continues to create CR from it after parsing the migration
// secret. If it is not a migration it will continue the attempt to create credentials from it
// without parsing the secret. This function returns credentials and error.
func NewUserCredentialsWithMigration(secrets map[string]string) (*Credentials, error) {
if isMigrationSecret(secrets) {
migSecret, err := ParseAndSetSecretMapFromMigSecret(secrets)
if err != nil {
return nil, err
}
secrets = migSecret
}
cr, cErr := NewUserCredentials(secrets)
if cErr != nil {
return nil, cErr
}
return cr, nil
rbd: parse migration secret and set it for controller server operations This commit adds a couple of helper functions to parse the migration request secret and set it for further csi driver operations. More details: The intree secret has a data field called "key" which is the base64 admin secret key. The ceph CSI driver currently expect the secret to contain data field "UserKey" for the equivalant. The CSI driver also expect the "UserID" field which is not available in the in-tree secret by deafult. This missing userID will be filled (if the username differ than 'admin') in the migration secret as 'adminId' field in the migration request, this commit adds the logic to parse this migration secret as below: "key" field value will be picked up from the migraion secret to "UserKey" field. "adminId" field value will be picked up from the migration secret to "UserID" field if `adminId` field is nil or not set, `UserID` field will be filled with default value ie `admin`.The above logic get activated only when the secret is a migration secret, otherwise skipped to the normal workflow as we have today. Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2021-10-24 08:48:28 +00:00
}
Reference in New Issue Copy Permalink