change permission of targetpath
Setting the permission of the targetpath to 0777 allows a non-root user to write to the PV. Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
This commit is contained in:
parent
9d27b6b425
commit
69662e63ed
@ -70,6 +70,10 @@ var _ = Describe("cephfs", func() {
|
|||||||
|
|
||||||
})
|
})
|
||||||
|
|
||||||
|
By("create a PVC and Bind it to an app with normal user", func() {
|
||||||
|
pvcPath := cephfsExamplePath + "pvc.yaml"
|
||||||
|
validateNormalUserPVCAccess(pvcPath, f)
|
||||||
|
})
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
@ -69,6 +69,11 @@ var _ = Describe("RBD", func() {
|
|||||||
appPath := rbdExamplePath + "pod.yaml"
|
appPath := rbdExamplePath + "pod.yaml"
|
||||||
validatePVCAndAppBinding(pvcPath, appPath, f)
|
validatePVCAndAppBinding(pvcPath, appPath, f)
|
||||||
})
|
})
|
||||||
|
|
||||||
|
By("create a PVC and Bind it to an app with normal user", func() {
|
||||||
|
pvcPath := rbdExamplePath + "pvc.yaml"
|
||||||
|
validateNormalUserPVCAccess(pvcPath, f)
|
||||||
|
})
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
|
||||||
|
109
e2e/utils.go
109
e2e/utils.go
@ -103,13 +103,10 @@ func waitForDeploymentComplete(name, ns string, c clientset.Interface, t int) er
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func execCommandInToolBox(f *framework.Framework, c string) string {
|
func execCommandInPod(f *framework.Framework, c, ns string, opt *metav1.ListOptions) string {
|
||||||
|
|
||||||
cmd := []string{"/bin/sh", "-c", c}
|
cmd := []string{"/bin/sh", "-c", c}
|
||||||
opt := metav1.ListOptions{
|
podList, err := f.PodClientNS(ns).List(*opt)
|
||||||
LabelSelector: "app=rook-ceph-tools",
|
|
||||||
}
|
|
||||||
podList, err := f.PodClientNS(rookNS).List(opt)
|
|
||||||
framework.ExpectNoError(err)
|
framework.ExpectNoError(err)
|
||||||
Expect(podList.Items).NotTo(BeNil())
|
Expect(podList.Items).NotTo(BeNil())
|
||||||
Expect(err).Should(BeNil())
|
Expect(err).Should(BeNil())
|
||||||
@ -117,7 +114,7 @@ func execCommandInToolBox(f *framework.Framework, c string) string {
|
|||||||
podPot := framework.ExecOptions{
|
podPot := framework.ExecOptions{
|
||||||
Command: cmd,
|
Command: cmd,
|
||||||
PodName: podList.Items[0].Name,
|
PodName: podList.Items[0].Name,
|
||||||
Namespace: rookNS,
|
Namespace: ns,
|
||||||
ContainerName: podList.Items[0].Spec.Containers[0].Name,
|
ContainerName: podList.Items[0].Spec.Containers[0].Name,
|
||||||
Stdin: nil,
|
Stdin: nil,
|
||||||
CaptureStdout: true,
|
CaptureStdout: true,
|
||||||
@ -159,7 +156,10 @@ func createCephfsStorageClass(c kubernetes.Interface, f *framework.Framework) {
|
|||||||
sc := getStorageClass(c, scPath)
|
sc := getStorageClass(c, scPath)
|
||||||
sc.Parameters["pool"] = "myfs-data0"
|
sc.Parameters["pool"] = "myfs-data0"
|
||||||
sc.Parameters["fsName"] = "myfs"
|
sc.Parameters["fsName"] = "myfs"
|
||||||
fsID := execCommandInToolBox(f, "ceph fsid")
|
opt := metav1.ListOptions{
|
||||||
|
LabelSelector: "app=rook-ceph-tools",
|
||||||
|
}
|
||||||
|
fsID := execCommandInPod(f, "ceph fsid", rookNS, &opt)
|
||||||
// remove new line present in fsID
|
// remove new line present in fsID
|
||||||
fsID = strings.Trim(fsID, "\n")
|
fsID = strings.Trim(fsID, "\n")
|
||||||
|
|
||||||
@ -173,8 +173,10 @@ func createRBDStorageClass(c kubernetes.Interface, f *framework.Framework) {
|
|||||||
sc := getStorageClass(c, scPath)
|
sc := getStorageClass(c, scPath)
|
||||||
delete(sc.Parameters, "userid")
|
delete(sc.Parameters, "userid")
|
||||||
sc.Parameters["pool"] = "replicapool"
|
sc.Parameters["pool"] = "replicapool"
|
||||||
|
opt := metav1.ListOptions{
|
||||||
fsID := execCommandInToolBox(f, "ceph fsid")
|
LabelSelector: "app=rook-ceph-tools",
|
||||||
|
}
|
||||||
|
fsID := execCommandInPod(f, "ceph fsid", rookNS, &opt)
|
||||||
// remove new line present in fsID
|
// remove new line present in fsID
|
||||||
fsID = strings.Trim(fsID, "\n")
|
fsID = strings.Trim(fsID, "\n")
|
||||||
|
|
||||||
@ -188,8 +190,10 @@ func createConfigMap(c kubernetes.Interface, f *framework.Framework) {
|
|||||||
cm := v1.ConfigMap{}
|
cm := v1.ConfigMap{}
|
||||||
err := unmarshal(path, &cm)
|
err := unmarshal(path, &cm)
|
||||||
Expect(err).Should(BeNil())
|
Expect(err).Should(BeNil())
|
||||||
|
opt := metav1.ListOptions{
|
||||||
fsID := execCommandInToolBox(f, "ceph fsid")
|
LabelSelector: "app=rook-ceph-tools",
|
||||||
|
}
|
||||||
|
fsID := execCommandInPod(f, "ceph fsid", rookNS, &opt)
|
||||||
// remove new line present in fsID
|
// remove new line present in fsID
|
||||||
fsID = strings.Trim(fsID, "\n")
|
fsID = strings.Trim(fsID, "\n")
|
||||||
// get mon list
|
// get mon list
|
||||||
@ -225,7 +229,10 @@ func getSecret(path string) v1.Secret {
|
|||||||
func createCephfsSecret(c kubernetes.Interface, f *framework.Framework) {
|
func createCephfsSecret(c kubernetes.Interface, f *framework.Framework) {
|
||||||
scPath := fmt.Sprintf("%s/%s", cephfsExamplePath, "secret.yaml")
|
scPath := fmt.Sprintf("%s/%s", cephfsExamplePath, "secret.yaml")
|
||||||
sc := getSecret(scPath)
|
sc := getSecret(scPath)
|
||||||
adminKey := execCommandInToolBox(f, "ceph auth get-key client.admin")
|
opt := metav1.ListOptions{
|
||||||
|
LabelSelector: "app=rook-ceph-tools",
|
||||||
|
}
|
||||||
|
adminKey := execCommandInPod(f, "ceph auth get-key client.admin", rookNS, &opt)
|
||||||
sc.Data["adminID"] = []byte("admin")
|
sc.Data["adminID"] = []byte("admin")
|
||||||
sc.Data["adminKey"] = []byte(adminKey)
|
sc.Data["adminKey"] = []byte(adminKey)
|
||||||
delete(sc.Data, "userID")
|
delete(sc.Data, "userID")
|
||||||
@ -237,7 +244,10 @@ func createCephfsSecret(c kubernetes.Interface, f *framework.Framework) {
|
|||||||
func createRBDSecret(c kubernetes.Interface, f *framework.Framework) {
|
func createRBDSecret(c kubernetes.Interface, f *framework.Framework) {
|
||||||
scPath := fmt.Sprintf("%s/%s", rbdExamplePath, "secret.yaml")
|
scPath := fmt.Sprintf("%s/%s", rbdExamplePath, "secret.yaml")
|
||||||
sc := getSecret(scPath)
|
sc := getSecret(scPath)
|
||||||
adminKey := execCommandInToolBox(f, "ceph auth get-key client.admin")
|
opt := metav1.ListOptions{
|
||||||
|
LabelSelector: "app=rook-ceph-tools",
|
||||||
|
}
|
||||||
|
adminKey := execCommandInPod(f, "ceph auth get-key client.admin", rookNS, &opt)
|
||||||
sc.Data["admin"] = []byte(adminKey)
|
sc.Data["admin"] = []byte(adminKey)
|
||||||
delete(sc.Data, "kubernetes")
|
delete(sc.Data, "kubernetes")
|
||||||
_, err := c.CoreV1().Secrets("default").Create(&sc)
|
_, err := c.CoreV1().Secrets("default").Create(&sc)
|
||||||
@ -486,3 +496,76 @@ func validatePVCAndAppBinding(pvcPath, appPath string, f *framework.Framework) {
|
|||||||
Fail(err.Error())
|
Fail(err.Error())
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func validateNormalUserPVCAccess(pvcPath string, f *framework.Framework) {
|
||||||
|
pvc := loadPVC(pvcPath)
|
||||||
|
pvc.Namespace = f.UniqueName
|
||||||
|
pvc.Name = f.UniqueName
|
||||||
|
framework.Logf("The PVC template %+v", pvc)
|
||||||
|
err := createPVCAndvalidatePV(f.ClientSet, pvc, deployTimeout)
|
||||||
|
if err != nil {
|
||||||
|
Fail(err.Error())
|
||||||
|
}
|
||||||
|
var user int64 = 2000
|
||||||
|
app := &v1.Pod{
|
||||||
|
TypeMeta: metav1.TypeMeta{
|
||||||
|
Kind: "Pod",
|
||||||
|
APIVersion: "v1",
|
||||||
|
},
|
||||||
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
|
Name: "pod-run-as-non-root",
|
||||||
|
Namespace: f.UniqueName,
|
||||||
|
Labels: map[string]string{
|
||||||
|
"app": "pod-run-as-non-root",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
Spec: v1.PodSpec{
|
||||||
|
Containers: []v1.Container{
|
||||||
|
{
|
||||||
|
Name: "write-pod",
|
||||||
|
Image: "alpine",
|
||||||
|
Command: []string{"/bin/sleep", "999999"},
|
||||||
|
SecurityContext: &v1.SecurityContext{
|
||||||
|
RunAsUser: &user,
|
||||||
|
},
|
||||||
|
VolumeMounts: []v1.VolumeMount{
|
||||||
|
{
|
||||||
|
MountPath: "/target",
|
||||||
|
Name: "target",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
Volumes: []v1.Volume{
|
||||||
|
{
|
||||||
|
Name: "target",
|
||||||
|
VolumeSource: v1.VolumeSource{
|
||||||
|
PersistentVolumeClaim: &v1.PersistentVolumeClaimVolumeSource{
|
||||||
|
ClaimName: pvc.Name,
|
||||||
|
ReadOnly: false},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
err = createApp(f.ClientSet, app, deployTimeout)
|
||||||
|
if err != nil {
|
||||||
|
Fail(err.Error())
|
||||||
|
}
|
||||||
|
|
||||||
|
opt := metav1.ListOptions{
|
||||||
|
LabelSelector: "app=pod-run-as-non-root",
|
||||||
|
}
|
||||||
|
execCommandInPod(f, "echo testing > /target/testing", app.Namespace, &opt)
|
||||||
|
|
||||||
|
err = deletePod(app.Name, app.Namespace, f.ClientSet, deployTimeout)
|
||||||
|
if err != nil {
|
||||||
|
Fail(err.Error())
|
||||||
|
}
|
||||||
|
|
||||||
|
err = deletePVCAndValidatePV(f.ClientSet, pvc, deployTimeout)
|
||||||
|
if err != nil {
|
||||||
|
Fail(err.Error())
|
||||||
|
}
|
||||||
|
}
|
||||||
|
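Review bot: validateNormalUserPVCAccess discards the result of `execCommandInPod(f, "echo testing > /target/testing", app.Namespace, &opt)`, so the e2e step this commit adds never checks that the write as uid 2000 actually succeeded: a redirect that fails with "Permission denied" prints nothing on stdout, and unless the exec helper fails the test on a non-zero exit status (its tail is outside this hunk) the step passes either way. Make the write observable and assert on it, e.g. `out := execCommandInPod(f, "echo testing > /target/testing && cat /target/testing", app.Namespace, &opt)` followed by `Expect(strings.TrimSpace(out)).To(Equal("testing"))`. Separately, execCommandInPod indexes `podList.Items[0]` right after `Expect(podList.Items).NotTo(BeNil())`; an empty but non-nil Items slice passes that matcher and the index panics, so `Expect(podList.Items).NotTo(BeEmpty())` is the guard you want when no toolbox or app pod matches the selector.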
@ -237,12 +237,18 @@ func (ns *NodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis
|
|||||||
return nil, status.Error(codes.Internal, err.Error())
|
return nil, status.Error(codes.Internal, err.Error())
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := volumeMountCache.nodePublishVolume(volID, targetPath, req.GetReadonly()); err != nil {
|
if err = volumeMountCache.nodePublishVolume(volID, targetPath, req.GetReadonly()); err != nil {
|
||||||
klog.Warningf("mount-cache: failed to publish volume %s %s: %v", volID, targetPath, err)
|
klog.Warningf("mount-cache: failed to publish volume %s %s: %v", volID, targetPath, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
klog.Infof("cephfs: successfully bind-mounted volume %s to %s", volID, targetPath)
|
klog.Infof("cephfs: successfully bind-mounted volume %s to %s", volID, targetPath)
|
||||||
|
|
||||||
|
err = os.Chmod(targetPath, 0777)
|
||||||
|
if err != nil {
|
||||||
|
klog.Errorf("failed to change targetpath permission for volume %s: %v", volID, err)
|
||||||
|
return nil, status.Error(codes.Internal, err.Error())
|
||||||
|
}
|
||||||
|
|
||||||
return &csi.NodePublishVolumeResponse{}, nil
|
return &csi.NodePublishVolumeResponse{}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
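Review bot: The new `os.Chmod(targetPath, 0777)` runs unconditionally, including for a publish with `req.GetReadonly()` set; if the bind mount logged a few lines above honours that flag with an `ro` option, chmod on the mount point returns EROFS and a read-only publish now fails with codes.Internal. Because targetPath is a bind mount of the CephFS directory, the mode change is written through to the backing directory and persists for every pod that mounts this volume, not just the one being published, and 0777 without a sticky bit lets any uid that can reach the path create, overwrite and delete files — considerably broader than what the pod's runAsUser/fsGroup expresses. At minimum skip the chmod for read-only publishes, e.g. `if !req.GetReadonly() { if err = os.Chmod(targetPath, 0777); err != nil { ... } }`, and consider a narrower mode than world-writable; a comment stating that the mode persists on the shared backing directory would help the next reader. NodePublishVolume begins outside this hunk.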
@ -20,6 +20,8 @@ import (
|
|||||||
"fmt"
|
"fmt"
|
||||||
"strconv"
|
"strconv"
|
||||||
|
|
||||||
|
"github.com/pkg/errors"
|
||||||
|
|
||||||
"github.com/ceph/ceph-csi/pkg/util"
|
"github.com/ceph/ceph-csi/pkg/util"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -189,8 +191,7 @@ func newVolumeOptionsFromVolID(volID string, volOpt, secrets map[string]string)
|
|||||||
volOptions.FscID = vi.LocationID
|
volOptions.FscID = vi.LocationID
|
||||||
|
|
||||||
if volOptions.Monitors, err = util.Mons(csiConfigFile, vi.ClusterID); err != nil {
|
if volOptions.Monitors, err = util.Mons(csiConfigFile, vi.ClusterID); err != nil {
|
||||||
err = fmt.Errorf("failed to fetch monitor list using clusterID (%s)", vi.ClusterID)
|
return nil, nil, errors.Wrapf(err, "failed to fetch monitor list using clusterID (%s)", vi.ClusterID)
|
||||||
return nil, nil, err
|
|
||||||
}
|
}
|
||||||
|
|
||||||
cr, err := getAdminCredentials(secrets)
|
cr, err := getAdminCredentials(secrets)
|
||||||
|
@ -108,6 +108,10 @@ func (ns *NodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
err = os.Chmod(targetPath, 0777)
|
||||||
|
if err != nil {
|
||||||
|
return nil, status.Error(codes.Internal, err.Error())
|
||||||
|
}
|
||||||
return &csi.NodePublishVolumeResponse{}, nil
|
return &csi.NodePublishVolumeResponse{}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
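Review bot: The same unconditional `os.Chmod(targetPath, 0777)` as in the cephfs node server is added here, but the error is returned without being logged, so a failed chmod reaches the CO only as an opaque codes.Internal; log it with the volume id as the cephfs path does, e.g. `klog.Errorf("failed to change targetpath permission for volume %s: %v", volID, err)` before the return (assuming klog and the volume id variable are in scope in this function, which starts outside the hunk). If the RBD image is published read-only, chmod on a read-only filesystem fails with EROFS and the publish is rejected, so the call should be guarded by `if !req.GetReadonly()`. Making the filesystem root world-writable grants write access to every uid, not just the pod's `runAsUser`, and the mode persists in the image across pods and nodes; a comment explaining why 0777 was chosen over a narrower mode would help the next reader.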