change permission of targetpath

setting the permission of targetpath to 777
will allow a non-root user to write to the pv.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
This commit is contained in:
Madhu Rajanna 2019-06-11 18:10:31 +05:30 committed by mergify[bot]
parent 9d27b6b425
commit 69662e63ed
6 changed files with 119 additions and 16 deletions


@ -70,6 +70,10 @@ var _ = Describe("cephfs", func() {
}) })
By("create a PVC and Bind it to an app with normal user", func() {
pvcPath := cephfsExamplePath + "pvc.yaml"
validateNormalUserPVCAccess(pvcPath, f)
})
}) })
}) })
}) })


@ -69,6 +69,11 @@ var _ = Describe("RBD", func() {
appPath := rbdExamplePath + "pod.yaml" appPath := rbdExamplePath + "pod.yaml"
validatePVCAndAppBinding(pvcPath, appPath, f) validatePVCAndAppBinding(pvcPath, appPath, f)
}) })
By("create a PVC and Bind it to an app with normal user", func() {
pvcPath := rbdExamplePath + "pvc.yaml"
validateNormalUserPVCAccess(pvcPath, f)
})
}) })
}) })


@ -103,13 +103,10 @@ func waitForDeploymentComplete(name, ns string, c clientset.Interface, t int) er
return nil return nil
} }
func execCommandInToolBox(f *framework.Framework, c string) string { func execCommandInPod(f *framework.Framework, c, ns string, opt *metav1.ListOptions) string {
cmd := []string{"/bin/sh", "-c", c} cmd := []string{"/bin/sh", "-c", c}
opt := metav1.ListOptions{ podList, err := f.PodClientNS(ns).List(*opt)
LabelSelector: "app=rook-ceph-tools",
}
podList, err := f.PodClientNS(rookNS).List(opt)
framework.ExpectNoError(err) framework.ExpectNoError(err)
Expect(podList.Items).NotTo(BeNil()) Expect(podList.Items).NotTo(BeNil())
Expect(err).Should(BeNil()) Expect(err).Should(BeNil())
@ -117,7 +114,7 @@ func execCommandInToolBox(f *framework.Framework, c string) string {
podPot := framework.ExecOptions{ podPot := framework.ExecOptions{
Command: cmd, Command: cmd,
PodName: podList.Items[0].Name, PodName: podList.Items[0].Name,
Namespace: rookNS, Namespace: ns,
ContainerName: podList.Items[0].Spec.Containers[0].Name, ContainerName: podList.Items[0].Spec.Containers[0].Name,
Stdin: nil, Stdin: nil,
CaptureStdout: true, CaptureStdout: true,
@ -159,7 +156,10 @@ func createCephfsStorageClass(c kubernetes.Interface, f *framework.Framework) {
sc := getStorageClass(c, scPath) sc := getStorageClass(c, scPath)
sc.Parameters["pool"] = "myfs-data0" sc.Parameters["pool"] = "myfs-data0"
sc.Parameters["fsName"] = "myfs" sc.Parameters["fsName"] = "myfs"
fsID := execCommandInToolBox(f, "ceph fsid") opt := metav1.ListOptions{
LabelSelector: "app=rook-ceph-tools",
}
fsID := execCommandInPod(f, "ceph fsid", rookNS, &opt)
// remove new line present in fsID // remove new line present in fsID
fsID = strings.Trim(fsID, "\n") fsID = strings.Trim(fsID, "\n")
@ -173,8 +173,10 @@ func createRBDStorageClass(c kubernetes.Interface, f *framework.Framework) {
sc := getStorageClass(c, scPath) sc := getStorageClass(c, scPath)
delete(sc.Parameters, "userid") delete(sc.Parameters, "userid")
sc.Parameters["pool"] = "replicapool" sc.Parameters["pool"] = "replicapool"
opt := metav1.ListOptions{
fsID := execCommandInToolBox(f, "ceph fsid") LabelSelector: "app=rook-ceph-tools",
}
fsID := execCommandInPod(f, "ceph fsid", rookNS, &opt)
// remove new line present in fsID // remove new line present in fsID
fsID = strings.Trim(fsID, "\n") fsID = strings.Trim(fsID, "\n")
@ -188,8 +190,10 @@ func createConfigMap(c kubernetes.Interface, f *framework.Framework) {
cm := v1.ConfigMap{} cm := v1.ConfigMap{}
err := unmarshal(path, &cm) err := unmarshal(path, &cm)
Expect(err).Should(BeNil()) Expect(err).Should(BeNil())
opt := metav1.ListOptions{
fsID := execCommandInToolBox(f, "ceph fsid") LabelSelector: "app=rook-ceph-tools",
}
fsID := execCommandInPod(f, "ceph fsid", rookNS, &opt)
// remove new line present in fsID // remove new line present in fsID
fsID = strings.Trim(fsID, "\n") fsID = strings.Trim(fsID, "\n")
// get mon list // get mon list
@ -225,7 +229,10 @@ func getSecret(path string) v1.Secret {
func createCephfsSecret(c kubernetes.Interface, f *framework.Framework) { func createCephfsSecret(c kubernetes.Interface, f *framework.Framework) {
scPath := fmt.Sprintf("%s/%s", cephfsExamplePath, "secret.yaml") scPath := fmt.Sprintf("%s/%s", cephfsExamplePath, "secret.yaml")
sc := getSecret(scPath) sc := getSecret(scPath)
adminKey := execCommandInToolBox(f, "ceph auth get-key client.admin") opt := metav1.ListOptions{
LabelSelector: "app=rook-ceph-tools",
}
adminKey := execCommandInPod(f, "ceph auth get-key client.admin", rookNS, &opt)
sc.Data["adminID"] = []byte("admin") sc.Data["adminID"] = []byte("admin")
sc.Data["adminKey"] = []byte(adminKey) sc.Data["adminKey"] = []byte(adminKey)
delete(sc.Data, "userID") delete(sc.Data, "userID")
@ -237,7 +244,10 @@ func createCephfsSecret(c kubernetes.Interface, f *framework.Framework) {
func createRBDSecret(c kubernetes.Interface, f *framework.Framework) { func createRBDSecret(c kubernetes.Interface, f *framework.Framework) {
scPath := fmt.Sprintf("%s/%s", rbdExamplePath, "secret.yaml") scPath := fmt.Sprintf("%s/%s", rbdExamplePath, "secret.yaml")
sc := getSecret(scPath) sc := getSecret(scPath)
adminKey := execCommandInToolBox(f, "ceph auth get-key client.admin") opt := metav1.ListOptions{
LabelSelector: "app=rook-ceph-tools",
}
adminKey := execCommandInPod(f, "ceph auth get-key client.admin", rookNS, &opt)
sc.Data["admin"] = []byte(adminKey) sc.Data["admin"] = []byte(adminKey)
delete(sc.Data, "kubernetes") delete(sc.Data, "kubernetes")
_, err := c.CoreV1().Secrets("default").Create(&sc) _, err := c.CoreV1().Secrets("default").Create(&sc)
@ -486,3 +496,76 @@ func validatePVCAndAppBinding(pvcPath, appPath string, f *framework.Framework) {
Fail(err.Error()) Fail(err.Error())
} }
} }
func validateNormalUserPVCAccess(pvcPath string, f *framework.Framework) {
pvc := loadPVC(pvcPath)
pvc.Namespace = f.UniqueName
pvc.Name = f.UniqueName
framework.Logf("The PVC template %+v", pvc)
err := createPVCAndvalidatePV(f.ClientSet, pvc, deployTimeout)
if err != nil {
Fail(err.Error())
}
var user int64 = 2000
app := &v1.Pod{
TypeMeta: metav1.TypeMeta{
Kind: "Pod",
APIVersion: "v1",
},
ObjectMeta: metav1.ObjectMeta{
Name: "pod-run-as-non-root",
Namespace: f.UniqueName,
Labels: map[string]string{
"app": "pod-run-as-non-root",
},
},
Spec: v1.PodSpec{
Containers: []v1.Container{
{
Name: "write-pod",
Image: "alpine",
Command: []string{"/bin/sleep", "999999"},
SecurityContext: &v1.SecurityContext{
RunAsUser: &user,
},
VolumeMounts: []v1.VolumeMount{
{
MountPath: "/target",
Name: "target",
},
},
},
},
Volumes: []v1.Volume{
{
Name: "target",
VolumeSource: v1.VolumeSource{
PersistentVolumeClaim: &v1.PersistentVolumeClaimVolumeSource{
ClaimName: pvc.Name,
ReadOnly: false},
},
},
},
},
}
err = createApp(f.ClientSet, app, deployTimeout)
if err != nil {
Fail(err.Error())
}
opt := metav1.ListOptions{
LabelSelector: "app=pod-run-as-non-root",
}
execCommandInPod(f, "echo testing > /target/testing", app.Namespace, &opt)
err = deletePod(app.Name, app.Namespace, f.ClientSet, deployTimeout)
if err != nil {
Fail(err.Error())
}
err = deletePVCAndValidatePV(f.ClientSet, pvc, deployTimeout)
if err != nil {
Fail(err.Error())
}
}
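Review bot: validateNormalUserPVCAccess discards the result of `execCommandInPod(f, "echo testing > /target/testing", app.Namespace, &opt)`, so whether the non-root write actually succeeded rests entirely on execCommandInPod failing the spec on a non-zero exit, which is not visible in this hunk; make the check explicit, e.g. `out := execCommandInPod(f, "echo testing > /target/testing && cat /target/testing", app.Namespace, &opt)` followed by `Expect(strings.TrimSpace(out)).To(Equal("testing"))`. Relatedly, execCommandInPod now accepts an arbitrary label selector but still only asserts `Expect(podList.Items).NotTo(BeNil())` before indexing `podList.Items[0]`, so a selector that matches no pod panics with an index-out-of-range instead of failing with a message; `Expect(podList.Items).NotTo(BeEmpty())` is the check wanted there. `Image: "alpine"` is an unpinned floating tag, so pinning it keeps the e2e run reproducible.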


@ -237,12 +237,18 @@ func (ns *NodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis
return nil, status.Error(codes.Internal, err.Error()) return nil, status.Error(codes.Internal, err.Error())
} }
if err := volumeMountCache.nodePublishVolume(volID, targetPath, req.GetReadonly()); err != nil { if err = volumeMountCache.nodePublishVolume(volID, targetPath, req.GetReadonly()); err != nil {
klog.Warningf("mount-cache: failed to publish volume %s %s: %v", volID, targetPath, err) klog.Warningf("mount-cache: failed to publish volume %s %s: %v", volID, targetPath, err)
} }
klog.Infof("cephfs: successfully bind-mounted volume %s to %s", volID, targetPath) klog.Infof("cephfs: successfully bind-mounted volume %s to %s", volID, targetPath)
err = os.Chmod(targetPath, 0777)
if err != nil {
klog.Errorf("failed to change targetpath permission for volume %s: %v", volID, err)
return nil, status.Error(codes.Internal, err.Error())
}
return &csi.NodePublishVolumeResponse{}, nil return &csi.NodePublishVolumeResponse{}, nil
} }
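Review bot: `os.Chmod(targetPath, 0777)` at the end of NodePublishVolume makes the volume root writable by every UID, not just the pod's user, and because it runs on the mounted filesystem the mode is presumably persisted on the CephFS directory and inherited by every later consumer of the volume. A narrower approach is worth weighing before merging, e.g. relying on the pod's fsGroup where kubelet applies ownership, or at least setting the sticky bit (`01777`) so users cannot remove each other's files. If the bind mount is made read-only when `req.GetReadonly()` is set (the mount code is outside this hunk), the chmod will fail with EROFS and a read-only publish now returns `codes.Internal`, so guard it with `if !req.GetReadonly() { ... }`. The same unconditional chmod is added to the rbd NodeServer's NodePublishVolume in the last file section of this commit. NodePublishVolume begins outside the hunk.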


@ -20,6 +20,8 @@ import (
"fmt" "fmt"
"strconv" "strconv"
"github.com/pkg/errors"
"github.com/ceph/ceph-csi/pkg/util" "github.com/ceph/ceph-csi/pkg/util"
) )
@ -189,8 +191,7 @@ func newVolumeOptionsFromVolID(volID string, volOpt, secrets map[string]string)
volOptions.FscID = vi.LocationID volOptions.FscID = vi.LocationID
if volOptions.Monitors, err = util.Mons(csiConfigFile, vi.ClusterID); err != nil { if volOptions.Monitors, err = util.Mons(csiConfigFile, vi.ClusterID); err != nil {
err = fmt.Errorf("failed to fetch monitor list using clusterID (%s)", vi.ClusterID) return nil, nil, errors.Wrapf(err, "failed to fetch monitor list using clusterID (%s)", vi.ClusterID)
return nil, nil, err
} }
cr, err := getAdminCredentials(secrets) cr, err := getAdminCredentials(secrets)


@ -108,6 +108,10 @@ func (ns *NodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis
if err != nil { if err != nil {
return nil, err return nil, err
} }
err = os.Chmod(targetPath, 0777)
if err != nil {
return nil, status.Error(codes.Internal, err.Error())
}
return &csi.NodePublishVolumeResponse{}, nil return &csi.NodePublishVolumeResponse{}, nil
} }
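Review bot: The new `os.Chmod` here returns the error without logging it, whereas the matching addition in the cephfs NodeServer logs with `klog.Errorf` before returning; for consistency, and so a node-side permission failure is visible in the plugin log, add a matching `klog.Errorf("failed to change targetpath permission: %v", err)` before the `return`, assuming klog is in scope in this file. The world-writable mode and read-only publish concerns raised on the cephfs NodeServer section apply equally to this hunk. NodePublishVolume starts outside the hunk.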