rbd: fail fast in create volume for missmatch encryption

CreateVolume will fail in below cases

* If the snapshot is encrypted and requested volume
is not encrypted
* If the snapshot is not encrypted and requested
volume is encrypted

* If the parent volume is encrypted and requested volume
is not encrypted
* If the parent volume is not encrypted and requested
volume is encrypted

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
(cherry picked from commit 7b5c78ec7c)
This commit is contained in:
Madhu Rajanna 2021-06-01 17:03:29 +05:30 committed by mergify[bot]
parent a0ca713d79
commit f11722a472
2 changed files with 34 additions and 1 deletions

View File

@ -210,6 +210,27 @@ func validateRequestedVolumeSize(rbdVol, parentVol *rbdVolume, rbdSnap *rbdSnaps
return nil
}
func checkValidCreateVolumeRequest(rbdVol, parentVol *rbdVolume, rbdSnap *rbdSnapshot, cr *util.Credentials) error {
err := validateRequestedVolumeSize(rbdVol, parentVol, rbdSnap, cr)
if err != nil {
return err
}
switch {
case rbdSnap != nil:
err = rbdSnap.isCompatibleEncryption(&rbdVol.rbdImage)
if err != nil {
return status.Errorf(codes.InvalidArgument, "cannot restore from snapshot %s: %s", rbdSnap, err.Error())
}
case parentVol != nil:
err = parentVol.isCompatibleEncryption(&rbdVol.rbdImage)
if err != nil {
return status.Errorf(codes.InvalidArgument, "cannot clone from volume %s: %s", parentVol, err.Error())
}
}
return nil
}
// CreateVolume creates the volume in backend.
func (cs *ControllerServer) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest) (*csi.CreateVolumeResponse, error) {
if err := cs.validateVolumeReq(ctx, req); err != nil {
@ -254,7 +275,7 @@ func (cs *ControllerServer) CreateVolume(ctx context.Context, req *csi.CreateVol
return cs.repairExistingVolume(ctx, req, cr, rbdVol, rbdSnap)
}
err = validateRequestedVolumeSize(rbdVol, parentVol, rbdSnap, cr)
err = checkValidCreateVolumeRequest(rbdVol, parentVol, rbdSnap, cr)
if err != nil {
return nil, err
}

View File

@ -1528,3 +1528,15 @@ func (rv *rbdVolume) getOrigSnapName(snapID uint64) (string, error) {
return origSnapName, nil
}
func (ri *rbdImage) isCompatibleEncryption(dst *rbdImage) error {
switch {
case ri.isEncrypted() && !dst.isEncrypted():
return fmt.Errorf("encrypted volume %q does not match unencrypted volume %q", ri, dst)
case !ri.isEncrypted() && dst.isEncrypted():
return fmt.Errorf("unencrypted volume %q does not match encrypted volume %q", ri, dst)
}
return nil
}