rbd: add support for getting password from QCryptoSecret object
Currently RBD passwords must be provided on the command line via $QEMU -drive file=rbd:pool/image:id=myname:\ key=QVFDVm41aE82SHpGQWhBQXEwTkN2OGp0SmNJY0UrSE9CbE1RMUE=:\ auth_supported=cephx This is insecure because the key is visible in the OS process listing. This adds support for an 'password-secret' parameter in the RBD parameters that can be used with the QCryptoSecret object to provide the password via a file: echo "QVFDVm41aE82SHpGQWhBQXEwTkN2OGp0SmNJY0UrSE9CbE1RMUE=" > poolkey.b64 $QEMU -object secret,id=secret0,file=poolkey.b64,format=base64 \ -drive driver=rbd,filename=rbd:pool/image:id=myname:\ auth_supported=cephx,password-secret=secret0 Reviewed-by: Josh Durgin <jdurgin@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Message-id: 1453385961-10718-2-git-send-email-berrange@redhat.com Signed-off-by: Jeff Cody <jcody@redhat.com>
This commit is contained in:
parent
eab8eb8db3
commit
60390a2192
47
block/rbd.c
47
block/rbd.c
|
@ -16,6 +16,7 @@
|
||||||
#include "qemu-common.h"
|
#include "qemu-common.h"
|
||||||
#include "qemu/error-report.h"
|
#include "qemu/error-report.h"
|
||||||
#include "block/block_int.h"
|
#include "block/block_int.h"
|
||||||
|
#include "crypto/secret.h"
|
||||||
|
|
||||||
#include <rbd/librbd.h>
|
#include <rbd/librbd.h>
|
||||||
|
|
||||||
|
@ -228,6 +229,27 @@ static char *qemu_rbd_parse_clientname(const char *conf, char *clientname)
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static int qemu_rbd_set_auth(rados_t cluster, const char *secretid,
|
||||||
|
Error **errp)
|
||||||
|
{
|
||||||
|
if (secretid == 0) {
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
gchar *secret = qcrypto_secret_lookup_as_base64(secretid,
|
||||||
|
errp);
|
||||||
|
if (!secret) {
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
rados_conf_set(cluster, "key", secret);
|
||||||
|
g_free(secret);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
static int qemu_rbd_set_conf(rados_t cluster, const char *conf,
|
static int qemu_rbd_set_conf(rados_t cluster, const char *conf,
|
||||||
bool only_read_conf_file,
|
bool only_read_conf_file,
|
||||||
Error **errp)
|
Error **errp)
|
||||||
|
@ -299,10 +321,13 @@ static int qemu_rbd_create(const char *filename, QemuOpts *opts, Error **errp)
|
||||||
char conf[RBD_MAX_CONF_SIZE];
|
char conf[RBD_MAX_CONF_SIZE];
|
||||||
char clientname_buf[RBD_MAX_CONF_SIZE];
|
char clientname_buf[RBD_MAX_CONF_SIZE];
|
||||||
char *clientname;
|
char *clientname;
|
||||||
|
const char *secretid;
|
||||||
rados_t cluster;
|
rados_t cluster;
|
||||||
rados_ioctx_t io_ctx;
|
rados_ioctx_t io_ctx;
|
||||||
int ret;
|
int ret;
|
||||||
|
|
||||||
|
secretid = qemu_opt_get(opts, "password-secret");
|
||||||
|
|
||||||
if (qemu_rbd_parsename(filename, pool, sizeof(pool),
|
if (qemu_rbd_parsename(filename, pool, sizeof(pool),
|
||||||
snap_buf, sizeof(snap_buf),
|
snap_buf, sizeof(snap_buf),
|
||||||
name, sizeof(name),
|
name, sizeof(name),
|
||||||
|
@ -350,6 +375,11 @@ static int qemu_rbd_create(const char *filename, QemuOpts *opts, Error **errp)
|
||||||
return -EIO;
|
return -EIO;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (qemu_rbd_set_auth(cluster, secretid, errp) < 0) {
|
||||||
|
rados_shutdown(cluster);
|
||||||
|
return -EIO;
|
||||||
|
}
|
||||||
|
|
||||||
if (rados_connect(cluster) < 0) {
|
if (rados_connect(cluster) < 0) {
|
||||||
error_setg(errp, "error connecting");
|
error_setg(errp, "error connecting");
|
||||||
rados_shutdown(cluster);
|
rados_shutdown(cluster);
|
||||||
|
@ -423,6 +453,11 @@ static QemuOptsList runtime_opts = {
|
||||||
.type = QEMU_OPT_STRING,
|
.type = QEMU_OPT_STRING,
|
||||||
.help = "Specification of the rbd image",
|
.help = "Specification of the rbd image",
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
.name = "password-secret",
|
||||||
|
.type = QEMU_OPT_STRING,
|
||||||
|
.help = "ID of secret providing the password",
|
||||||
|
},
|
||||||
{ /* end of list */ }
|
{ /* end of list */ }
|
||||||
},
|
},
|
||||||
};
|
};
|
||||||
|
@ -436,6 +471,7 @@ static int qemu_rbd_open(BlockDriverState *bs, QDict *options, int flags,
|
||||||
char conf[RBD_MAX_CONF_SIZE];
|
char conf[RBD_MAX_CONF_SIZE];
|
||||||
char clientname_buf[RBD_MAX_CONF_SIZE];
|
char clientname_buf[RBD_MAX_CONF_SIZE];
|
||||||
char *clientname;
|
char *clientname;
|
||||||
|
const char *secretid;
|
||||||
QemuOpts *opts;
|
QemuOpts *opts;
|
||||||
Error *local_err = NULL;
|
Error *local_err = NULL;
|
||||||
const char *filename;
|
const char *filename;
|
||||||
|
@ -450,6 +486,7 @@ static int qemu_rbd_open(BlockDriverState *bs, QDict *options, int flags,
|
||||||
}
|
}
|
||||||
|
|
||||||
filename = qemu_opt_get(opts, "filename");
|
filename = qemu_opt_get(opts, "filename");
|
||||||
|
secretid = qemu_opt_get(opts, "password-secret");
|
||||||
|
|
||||||
if (qemu_rbd_parsename(filename, pool, sizeof(pool),
|
if (qemu_rbd_parsename(filename, pool, sizeof(pool),
|
||||||
snap_buf, sizeof(snap_buf),
|
snap_buf, sizeof(snap_buf),
|
||||||
|
@ -488,6 +525,11 @@ static int qemu_rbd_open(BlockDriverState *bs, QDict *options, int flags,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (qemu_rbd_set_auth(s->cluster, secretid, errp) < 0) {
|
||||||
|
r = -EIO;
|
||||||
|
goto failed_shutdown;
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Fallback to more conservative semantics if setting cache
|
* Fallback to more conservative semantics if setting cache
|
||||||
* options fails. Ignore errors from setting rbd_cache because the
|
* options fails. Ignore errors from setting rbd_cache because the
|
||||||
|
@ -919,6 +961,11 @@ static QemuOptsList qemu_rbd_create_opts = {
|
||||||
.type = QEMU_OPT_SIZE,
|
.type = QEMU_OPT_SIZE,
|
||||||
.help = "RBD object size"
|
.help = "RBD object size"
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
.name = "password-secret",
|
||||||
|
.type = QEMU_OPT_STRING,
|
||||||
|
.help = "ID of secret providing the password",
|
||||||
|
},
|
||||||
{ /* end of list */ }
|
{ /* end of list */ }
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
Loading…
Reference in New Issue