From e1fd12fb29dc54e4a67fdb0a4909a1b4cac933f2 Mon Sep 17 00:00:00 2001
From: Madhu Rajanna
Date: Tue, 16 Jun 2020 13:08:37 +0530
Subject: [PATCH] cephfs: do chmod on stagingpath instead of doing chmod on the targetpath always do it once at the stagintpath.
Signed-off-by: Madhu Rajanna
---
 internal/cephfs/nodeserver.go | 26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)
diff --git a/internal/cephfs/nodeserver.go b/internal/cephfs/nodeserver.go
index 9d734f504..81c491527 100644
--- a/internal/cephfs/nodeserver.go
+++ b/internal/cephfs/nodeserver.go
@@ -151,17 +151,22 @@ func (*NodeServer) mount(ctx context.Context, volOptions *volumeOptions, req *cs

 klog.V(4).Infof(util.Log(ctx, "cephfs: mounting volume %s with %s"), volID, m.name())

+ readOnly := "ro"
+ fuseMountOptions := strings.Split(volOptions.FuseMountOptions, ",")
+ kernelMountOptions := strings.Split(volOptions.KernelMountOptions, ",")
+
 if req.VolumeCapability.AccessMode.Mode == csi.VolumeCapability_AccessMode_MULTI_NODE_READER_ONLY ||
 req.VolumeCapability.AccessMode.Mode == csi.VolumeCapability_AccessMode_SINGLE_NODE_READER_ONLY {
- readOnly := "ro"
 switch m.(type) {
 case *fuseMounter:
 if !csicommon.MountOptionContains(strings.Split(volOptions.FuseMountOptions, ","), readOnly) {
 volOptions.FuseMountOptions = util.MountOptionsAdd(volOptions.FuseMountOptions, readOnly)
+ fuseMountOptions = append(fuseMountOptions, readOnly)
 }
 case *kernelMounter:
 if !csicommon.MountOptionContains(strings.Split(volOptions.KernelMountOptions, ","), readOnly) {
 volOptions.KernelMountOptions = util.MountOptionsAdd(volOptions.KernelMountOptions, readOnly)
+ kernelMountOptions = append(kernelMountOptions, readOnly)
 }
 }
 }
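Review bot: The new `fuseMountOptions` and `kernelMountOptions` slices are built for both mounters regardless of which one `m` actually is, so the later read-only guard can be decided by the options of the mounter that is not in use; a `ro` present only in `KernelMountOptions` would skip the chmod for a FUSE mount that is in fact read-write. A single flag tied to the active mounter would be easier to reason about, for example `isReadOnly := false` before the access-mode check and `isReadOnly = true` inside the `case` that runs, with any user-supplied `ro` checked only against that mounter's option string. The two `strings.Split(...)` calls left inside the `case` branches also repeat work the new slices already hold. The body of `mount` starts before this hunk and continues past it.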
@@ -173,6 +178,18 @@ func (*NodeServer) mount(ctx context.Context, volOptions *volumeOptions, req *cs
 err)
 return status.Error(codes.Internal, err.Error())
 }
+ if !csicommon.MountOptionContains(kernelMountOptions, readOnly) && !csicommon.MountOptionContains(fuseMountOptions, readOnly) {
+ // #nosec - allow anyone to write inside the stagingtarget path
+ err = os.Chmod(stagingTargetPath, 0777)
+ if err != nil {
+ klog.Errorf(util.Log(ctx, "failed to change stagingtarget path %s permission for volume %s: %v"), stagingTargetPath, volID, err)
+ uErr := unmountVolume(ctx, stagingTargetPath)
+ if uErr != nil {
+ klog.Errorf(util.Log(ctx, "failed to umount stagingtarget path %s for volume %s: %v"), stagingTargetPath, volID, uErr)
+ }
+ return status.Error(codes.Internal, err.Error())
+ }
+ }
 return nil
 }

@@ -227,13 +244,6 @@ func (ns *NodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis

 klog.V(4).Infof(util.Log(ctx, "cephfs: successfully bind-mounted volume %s to %s"), volID, targetPath)

- // #nosec - allow anyone to write inside the target path
- err = os.Chmod(targetPath, 0777)
- if err != nil {
- klog.Errorf(util.Log(ctx, "failed to change targetpath permission for volume %s: %v"), volID, err)
- return nil, status.Error(codes.Internal, err.Error())
- }
-
 return &csi.NodePublishVolumeResponse{}, nil
 }
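Review bot: In the chmod block added to `mount`, `os.Chmod(stagingTargetPath, 0777)` appears to run after the mount has succeeded, so it presumably changes the mode of the CephFS volume's root directory rather than a node-local directory, and that mode would then persist and be seen by every node that mounts the volume. A world-writable root without the sticky bit lets any UID in any pod using the volume create, rename or delete top-level entries, and it overwrites whatever mode was set on the volume beforehand on every stage call; consider making the mode configurable, or applying it only when the current mode differs, and state the reason in the comment. The bare `// #nosec` also silences every gosec rule for that call; scoping it, e.g. `// #nosec G302 -- staging path must be writable by non-root pods`, keeps other findings visible. The start of `mount` is outside this hunk.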