From: Kotresh HR Date: Sun, 6 Dec 2020 07:10:20 +0000 (+0530) Subject: pybind/ceph_volume_client: Optionally authorize existing auth-ids X-Git-Tag: archive/raspbian/12.2.11+dfsg1-2.1+rpi1+deb10u1^2~7 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=e1afb53d969f98e3a954ef0980dac4dbd0b6ca15;p=ceph.git pybind/ceph_volume_client: Optionally authorize existing auth-ids Optionally allow authorizing auth-ids not created by ceph_volume_client via the option 'allow_existing_id'. This can help existing deployers of manila to disallow/allow authorization of pre-created auth IDs via a manila driver config that sets 'allow_existing_id' to False/True. Fixes: https://tracker.ceph.com/issues/48555 Signed-off-by: Kotresh HR (cherry picked from commit 77b42496e25cbd4af2e80a064ddf26221b53733f) Origin: upstream, https://github.com/ceph/ceph/commit/ae1889014e5becb774b69ca52ed7465a33873a3f Gbp-Pq: Name CVE-2020-27781-4.patch --- diff --git a/src/pybind/ceph_volume_client.py b/src/pybind/ceph_volume_client.py index c9e3eaf0c..da52b73a2 100644 --- a/src/pybind/ceph_volume_client.py +++ b/src/pybind/ceph_volume_client.py @@ -957,7 +957,7 @@ class CephFSVolumeClient(object): return caps_list - def authorize(self, volume_path, auth_id, readonly=False, tenant_id=None): + def authorize(self, volume_path, auth_id, readonly=False, tenant_id=None, allow_existing_id=False): """ Get-or-create a Ceph auth identity for `auth_id` and grant them access to @@ -967,6 +967,8 @@ class CephFSVolumeClient(object): :param tenant_id: Optionally provide a stringizable object to restrict any created cephx IDs to other callers passing the same tenant ID. + :allow_existing_id: Optionally authorize existing auth-ids not + created by ceph_volume_client :return: """ 
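Review bot: The new docstring entry in the `@@ -967,6 +967,8 @@` hunk is written `:allow_existing_id:` without the `param` keyword, so it will not be picked up as a parameter field the way the `:param tenant_id:` entry just above it is. It also does not say that the default `False` is the restrictive setting, which matters because the flag relaxes the guard this patch series adds (the patch is named CVE-2020-27781-4). I would write it as `:param allow_existing_id: Optionally authorize existing auth-ids not created by ceph_volume_client. Defaults to False, which rejects such IDs.` The docstring starts and ends outside this hunk.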
@@ -998,7 +1000,7 @@ class CephFSVolumeClient(object): } if auth_meta is None: - if existing_caps is not None: + if not allow_existing_id and existing_caps is not None: msg = "auth ID: {0} exists and not created by ceph_volume_client. Not allowed to modify".format(auth_id) log.error(msg) raise CephFSVolumeClientError(msg)
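Review bot: With `allow_existing_id=True` the condition `if not allow_existing_id and existing_caps is not None:` skips the rejection for every pre-existing auth ID, and nothing in the hunk records that the override was used or restricts which IDs it covers. What the rest of `authorize()` does with such an ID's caps and key lies outside the hunk, so the exposure cannot be confirmed from here, but an audit trail is cheap to add. I would keep the outer test as `if existing_caps is not None:`, nest `if not allow_existing_id:` around the existing `msg`/`log.error`/`raise` lines, and follow it with `log.warning("auth ID: {0} was not created by ceph_volume_client; authorizing because allow_existing_id is set".format(auth_id))`. Callers that expose this flag through driver configuration should document that enabling it applies to all existing IDs, not only selected ones.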