rbd: New parameter key-secret
Legacy -drive supports "password-secret" parameter that isn't
available with -blockdev / blockdev-add. That's because we backed out
our first try to provide it there due to interface design doubts, in
commit 577d8c9a81, v2.9.0.
This is the second try. It brings back the parameter, except it's
named "key-secret" now.
Let's review our reasons for backing out the first try, as stated in
the commit message:
* BlockdevOptionsRbd member @password-secret isn't actually a
password, it's a key generated by Ceph.
Addressed by the rename.
* We're not sure where member @password-secret belongs (see the
previous commit).
See previous commit.
* How @password-secret interacts with settings from a configuration
file specified with @conf is undocumented.
Not actually true, the documentation for @conf says "Values in the
configuration file will be overridden by options specified via QAPI",
and we've tested this.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
This commit is contained in:
parent
a3699de4dd
commit
d083f954a9
41
block/rbd.c
41
block/rbd.c
@ -239,24 +239,25 @@ static void qemu_rbd_refresh_limits(BlockDriverState *bs, Error **errp)
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
static int qemu_rbd_set_auth(rados_t cluster, const char *secretid,
|
static int qemu_rbd_set_auth(rados_t cluster, BlockdevOptionsRbd *opts,
|
||||||
BlockdevOptionsRbd *opts,
|
|
||||||
Error **errp)
|
Error **errp)
|
||||||
{
|
{
|
||||||
char *acr;
|
char *key, *acr;
|
||||||
int r;
|
int r;
|
||||||
GString *accu;
|
GString *accu;
|
||||||
RbdAuthModeList *auth;
|
RbdAuthModeList *auth;
|
||||||
|
|
||||||
if (secretid) {
|
if (opts->key_secret) {
|
||||||
gchar *secret = qcrypto_secret_lookup_as_base64(secretid,
|
key = qcrypto_secret_lookup_as_base64(opts->key_secret, errp);
|
||||||
errp);
|
if (!key) {
|
||||||
if (!secret) {
|
return -EIO;
|
||||||
return -1;
|
}
|
||||||
|
r = rados_conf_set(cluster, "key", key);
|
||||||
|
g_free(key);
|
||||||
|
if (r < 0) {
|
||||||
|
error_setg_errno(errp, -r, "Could not set 'key'");
|
||||||
|
return r;
|
||||||
}
|
}
|
||||||
|
|
||||||
rados_conf_set(cluster, "key", secret);
|
|
||||||
g_free(secret);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (opts->has_auth_client_required) {
|
if (opts->has_auth_client_required) {
|
||||||
@ -367,9 +368,7 @@ static QemuOptsList runtime_opts = {
|
|||||||
},
|
},
|
||||||
};
|
};
|
||||||
|
|
||||||
/* FIXME Deprecate and remove keypairs or make it available in QMP.
|
/* FIXME Deprecate and remove keypairs or make it available in QMP. */
|
||||||
* password_secret should eventually be configurable in opts->location. Support
|
|
||||||
* for it in .bdrv_open will make it work here as well. */
|
|
||||||
static int qemu_rbd_do_create(BlockdevCreateOptions *options,
|
static int qemu_rbd_do_create(BlockdevCreateOptions *options,
|
||||||
const char *keypairs, const char *password_secret,
|
const char *keypairs, const char *password_secret,
|
||||||
Error **errp)
|
Error **errp)
|
||||||
@ -575,6 +574,16 @@ static int qemu_rbd_connect(rados_t *cluster, rados_ioctx_t *io_ctx,
|
|||||||
Error *local_err = NULL;
|
Error *local_err = NULL;
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
|
if (secretid) {
|
||||||
|
if (opts->key_secret) {
|
||||||
|
error_setg(errp,
|
||||||
|
"Legacy 'password-secret' clashes with 'key-secret'");
|
||||||
|
return -EINVAL;
|
||||||
|
}
|
||||||
|
opts->key_secret = g_strdup(secretid);
|
||||||
|
opts->has_key_secret = true;
|
||||||
|
}
|
||||||
|
|
||||||
mon_host = qemu_rbd_mon_host(opts, &local_err);
|
mon_host = qemu_rbd_mon_host(opts, &local_err);
|
||||||
if (local_err) {
|
if (local_err) {
|
||||||
error_propagate(errp, local_err);
|
error_propagate(errp, local_err);
|
||||||
@ -607,8 +616,8 @@ static int qemu_rbd_connect(rados_t *cluster, rados_ioctx_t *io_ctx,
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (qemu_rbd_set_auth(*cluster, secretid, opts, errp) < 0) {
|
r = qemu_rbd_set_auth(*cluster, opts, errp);
|
||||||
r = -EIO;
|
if (r < 0) {
|
||||||
goto failed_shutdown;
|
goto failed_shutdown;
|
||||||
}
|
}
|
||||||
|
|
||||||
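Review bot: In the first hunk of block/rbd.c, qemu_rbd_set_auth() hands the base64 cephx key returned by qcrypto_secret_lookup_as_base64() to rados_conf_set() and then releases it with a plain `g_free(key);`, so the key bytes remain readable in freed heap memory (and in any core dump) for the rest of the process lifetime. Since librados keeps its own copy after the call, the buffer can be wiped first, e.g. `memset(key, 0, strlen(key)); g_free(key);`, using an explicit-zero helper rather than bare memset() if the tree provides one, because a memset() immediately before free() may be elided by the compiler. As a smaller point, the new guard `if (opts->key_secret)` tests the pointer while the following guard tests `opts->has_auth_client_required`; testing `opts->has_key_secret` would match both the surrounding style and the pair of assignments made in qemu_rbd_connect() in the third hunk. The enclosing function continues past the end of the hunk.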
|
@ -3204,6 +3204,11 @@
|
|||||||
# This maps to Ceph configuration option
|
# This maps to Ceph configuration option
|
||||||
# "auth_client_required". (Since 3.0)
|
# "auth_client_required". (Since 3.0)
|
||||||
#
|
#
|
||||||
|
# @key-secret: ID of a QCryptoSecret object providing a key
|
||||||
|
# for cephx authentication.
|
||||||
|
# This maps to Ceph configuration option
|
||||||
|
# "key". (Since 3.0)
|
||||||
|
#
|
||||||
# @server: Monitor host address and port. This maps
|
# @server: Monitor host address and port. This maps
|
||||||
# to the "mon_host" Ceph option.
|
# to the "mon_host" Ceph option.
|
||||||
#
|
#
|
||||||
@ -3216,6 +3221,7 @@
|
|||||||
'*snapshot': 'str',
|
'*snapshot': 'str',
|
||||||
'*user': 'str',
|
'*user': 'str',
|
||||||
'*auth-client-required': ['RbdAuthMode'],
|
'*auth-client-required': ['RbdAuthMode'],
|
||||||
|
'*key-secret': 'str',
|
||||||
'*server': ['InetSocketAddressBase'] } }
|
'*server': ['InetSocketAddressBase'] } }
|
||||||
|
|
||||||
##
|
##
|
||||||
|