pybind/ceph_volume_client: Optionally authorize existing auth-ids
author Kotresh HR <khiremat@redhat.com>
Sun, 6 Dec 2020 07:10:20 +0000 (12:40 +0530)
committer Bastien Roucariès <rouca@debian.org>
Sat, 21 Oct 2023 16:42:26 +0000 (17:42 +0100)
Optionally allow authorizing auth-ids not created by ceph_volume_client
via the option 'allow_existing_id'. This can help existing deployers
of manila to disallow/allow authorization of pre-created auth IDs
via a manila driver config that sets 'allow_existing_id' to False/True.

Fixes: https://tracker.ceph.com/issues/48555
Signed-off-by: Kotresh HR <khiremat@redhat.com>
(cherry picked from commit 77b42496e25cbd4af2e80a064ddf26221b53733f)

Origin: upstream, https://github.com/ceph/ceph/commit/ae1889014e5becb774b69ca52ed7465a33873a3f

Gbp-Pq: Name CVE-2020-27781-4.patch

src/pybind/ceph_volume_client.py

index c9e3eaf0c793c1f37428deb2ee07fae2653ff6bd..da52b73a2aae54cbf74019cdd1e9d931028b7ca7 100644 (file)
@@ -957,7 +957,7 @@ class CephFSVolumeClient(object):
 
         return caps_list
 
-    def authorize(self, volume_path, auth_id, readonly=False, tenant_id=None):
+    def authorize(self, volume_path, auth_id, readonly=False, tenant_id=None, allow_existing_id=False):
         """
         Get-or-create a Ceph auth identity for `auth_id` and grant them access
         to
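Review bot: `allow_existing_id` is appended to the `authorize()` signature as a fifth positional parameter, so a caller that passes one extra positional argument by mistake would silently turn off the existing-ID check. The `False` default keeps the restrictive behaviour for current callers, which is right. I would still ask that every call site pass it by name (`allow_existing_id=True`) and that this expectation be stated in the docstring, since the flag relaxes a security check.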
@@ -967,6 +967,8 @@ class CephFSVolumeClient(object):
         :param tenant_id: Optionally provide a stringizable object to
                           restrict any created cephx IDs to other callers
                           passing the same tenant ID.
+        :allow_existing_id: Optionally authorize existing auth-ids not
+                            created by ceph_volume_client
         :return:
         """
 
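Review bot: the new docstring field is written `:allow_existing_id:` while the entry just above uses `:param tenant_id:`, so it is missing the `param` keyword and will not render as a parameter. Please change it to `:param allow_existing_id:` and state the default (`False`). The text should also say that setting it to `True` permits changing the caps of an auth ID that ceph_volume_client did not create, so deployers understand what they are opting into.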
@@ -998,7 +1000,7 @@ class CephFSVolumeClient(object):
             }
 
             if auth_meta is None:
-                if existing_caps is not None:
+                if not allow_existing_id and existing_caps is not None:
                     msg = "auth ID: {0} exists and not created by ceph_volume_client. Not allowed to modify".format(auth_id)
                     log.error(msg)
                     raise CephFSVolumeClientError(msg)
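Review bot: with `allow_existing_id=True` the condition `not allow_existing_id and existing_caps is not None` is skipped silently, and nothing in this hunk records that a pre-existing auth ID with no `auth_meta` is about to be modified. The refusal path logs through `log.error(msg)`; the override path deserves at least a `log.warning` naming `auth_id`, so the bypass is visible in an audit. The error message could also mention `allow_existing_id`, so an operator who hits the refusal knows which option governs it.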