rbd: New parameter key-secret

Legacy -drive supports "password-secret" parameter that isn't
available with -blockdev / blockdev-add.  That's because we backed out
our first try to provide it there due to interface design doubts, in
commit 577d8c9a81, v2.9.0.

This is the second try.  It brings back the parameter, except it's
named "key-secret" now.

Let's review our reasons for backing out the first try, as stated in
the commit message:

    * BlockdevOptionsRbd member @password-secret isn't actually a
      password, it's a key generated by Ceph.

Addressed by the rename.

    * We're not sure where member @password-secret belongs (see the
      previous commit).

See previous commit.

    * How @password-secret interacts with settings from a configuration
      file specified with @conf is undocumented.

Not actually true, the documentation for @conf says "Values in the
configuration file will be overridden by options specified via QAPI",
and we've tested this.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
This commit is contained in:
Markus Armbruster 2018-06-14 21:14:43 +02:00 committed by Kevin Wolf
parent a3699de4dd
commit d083f954a9
2 changed files with 31 additions and 16 deletions

View File

@ -239,24 +239,25 @@ static void qemu_rbd_refresh_limits(BlockDriverState *bs, Error **errp)
} }
static int qemu_rbd_set_auth(rados_t cluster, const char *secretid, static int qemu_rbd_set_auth(rados_t cluster, BlockdevOptionsRbd *opts,
BlockdevOptionsRbd *opts,
Error **errp) Error **errp)
{ {
char *acr; char *key, *acr;
int r; int r;
GString *accu; GString *accu;
RbdAuthModeList *auth; RbdAuthModeList *auth;
if (secretid) { if (opts->key_secret) {
gchar *secret = qcrypto_secret_lookup_as_base64(secretid, key = qcrypto_secret_lookup_as_base64(opts->key_secret, errp);
errp); if (!key) {
if (!secret) { return -EIO;
return -1; }
r = rados_conf_set(cluster, "key", key);
g_free(key);
if (r < 0) {
error_setg_errno(errp, -r, "Could not set 'key'");
return r;
} }
rados_conf_set(cluster, "key", secret);
g_free(secret);
} }
if (opts->has_auth_client_required) { if (opts->has_auth_client_required) {
@ -367,9 +368,7 @@ static QemuOptsList runtime_opts = {
}, },
}; };
/* FIXME Deprecate and remove keypairs or make it available in QMP. /* FIXME Deprecate and remove keypairs or make it available in QMP. */
* password_secret should eventually be configurable in opts->location. Support
* for it in .bdrv_open will make it work here as well. */
static int qemu_rbd_do_create(BlockdevCreateOptions *options, static int qemu_rbd_do_create(BlockdevCreateOptions *options,
const char *keypairs, const char *password_secret, const char *keypairs, const char *password_secret,
Error **errp) Error **errp)
@ -575,6 +574,16 @@ static int qemu_rbd_connect(rados_t *cluster, rados_ioctx_t *io_ctx,
Error *local_err = NULL; Error *local_err = NULL;
int r; int r;
if (secretid) {
if (opts->key_secret) {
error_setg(errp,
"Legacy 'password-secret' clashes with 'key-secret'");
return -EINVAL;
}
opts->key_secret = g_strdup(secretid);
opts->has_key_secret = true;
}
mon_host = qemu_rbd_mon_host(opts, &local_err); mon_host = qemu_rbd_mon_host(opts, &local_err);
if (local_err) { if (local_err) {
error_propagate(errp, local_err); error_propagate(errp, local_err);
@ -607,8 +616,8 @@ static int qemu_rbd_connect(rados_t *cluster, rados_ioctx_t *io_ctx,
} }
} }
if (qemu_rbd_set_auth(*cluster, secretid, opts, errp) < 0) { r = qemu_rbd_set_auth(*cluster, opts, errp);
r = -EIO; if (r < 0) {
goto failed_shutdown; goto failed_shutdown;
} }

View File

@ -3204,6 +3204,11 @@
# This maps to Ceph configuration option # This maps to Ceph configuration option
# "auth_client_required". (Since 3.0) # "auth_client_required". (Since 3.0)
# #
# @key-secret: ID of a QCryptoSecret object providing a key
# for cephx authentication.
# This maps to Ceph configuration option
# "key". (Since 3.0)
#
# @server: Monitor host address and port. This maps # @server: Monitor host address and port. This maps
# to the "mon_host" Ceph option. # to the "mon_host" Ceph option.
# #
@ -3216,6 +3221,7 @@
'*snapshot': 'str', '*snapshot': 'str',
'*user': 'str', '*user': 'str',
'*auth-client-required': ['RbdAuthMode'], '*auth-client-required': ['RbdAuthMode'],
'*key-secret': 'str',
'*server': ['InetSocketAddressBase'] } } '*server': ['InetSocketAddressBase'] } }
## ##