""" Copyright (C) 2015 Red Hat, Inc. LGPL2. See file COPYING. """ from contextlib import contextmanager import errno import fcntl import json import logging import os import re import struct import sys import threading import time import uuid from ceph_argparse import json_command import cephfs import rados class RadosError(Exception): """ Something went wrong talking to Ceph with librados """ pass RADOS_TIMEOUT = 10 log = logging.getLogger(__name__) # Reserved volume group name which we use in paths for volumes # that are not assigned to a group (i.e. created with group=None) NO_GROUP_NAME = "_nogroup" # Filename extensions for meta files. META_FILE_EXT = ".meta" class VolumePath(object): """ Identify a volume's path as group->volume The Volume ID is a unique identifier, but this is a much more helpful thing to pass around. """ def __init__(self, group_id, volume_id): self.group_id = group_id self.volume_id = volume_id assert self.group_id != NO_GROUP_NAME assert self.volume_id != "" and self.volume_id is not None def __str__(self): return "{0}/{1}".format(self.group_id, self.volume_id) class ClusterTimeout(Exception): """ Exception indicating that we timed out trying to talk to the Ceph cluster, either to the mons, or to any individual daemon that the mons indicate ought to be up but isn't responding to us. """ pass class ClusterError(Exception): """ Exception indicating that the cluster returned an error to a command that we thought should be successful based on our last knowledge of the cluster state. """ def __init__(self, action, result_code, result_str): self._action = action self._result_code = result_code self._result_str = result_str def __str__(self): return "Error {0} (\"{1}\") while {2}".format( self._result_code, self._result_str, self._action) class RankEvicter(threading.Thread): """ Thread for evicting client(s) from a particular MDS daemon instance. This is more complex than simply sending a command, because we have to handle cases where MDS daemons might not be fully up yet, and/or might be transiently unresponsive to commands. """ class GidGone(Exception): pass POLL_PERIOD = 5 def __init__(self, volume_client, client_spec, rank, gid, mds_map, ready_timeout): """ :param client_spec: list of strings, used as filter arguments to "session evict" pass ["id=123"] to evict a single client with session id 123. """ self.rank = rank self.gid = gid self._mds_map = mds_map self._client_spec = client_spec self._volume_client = volume_client self._ready_timeout = ready_timeout self._ready_waited = 0 self.success = False self.exception = None super(RankEvicter, self).__init__() def _ready_to_evict(self): if self._mds_map['up'].get("mds_{0}".format(self.rank), None) != self.gid: log.info("Evicting {0} from {1}/{2}: rank no longer associated with gid, done.".format( self._client_spec, self.rank, self.gid )) raise RankEvicter.GidGone() info = self._mds_map['info']["gid_{0}".format(self.gid)] log.debug("_ready_to_evict: state={0}".format(info['state'])) return info['state'] in ["up:active", "up:clientreplay"] def _wait_for_ready(self): """ Wait for that MDS rank to reach an active or clientreplay state, and not be laggy. """ while not self._ready_to_evict(): if self._ready_waited > self._ready_timeout: raise ClusterTimeout() time.sleep(self.POLL_PERIOD) self._ready_waited += self.POLL_PERIOD self._mds_map = self._volume_client._rados_command("mds dump", {}) def _evict(self): """ Run the eviction procedure. Return true on success, false on errors. """ # Wait til the MDS is believed by the mon to be available for commands try: self._wait_for_ready() except self.GidGone: return True # Then send it an evict ret = errno.ETIMEDOUT while ret == errno.ETIMEDOUT: log.debug("mds_command: {0}, {1}".format( "%s" % self.gid, ["session", "evict"] + self._client_spec )) ret, outb, outs = self._volume_client.fs.mds_command( "%s" % self.gid, [json.dumps({ "prefix": "session evict", "filters": self._client_spec })], "") log.debug("mds_command: complete {0} {1}".format(ret, outs)) # If we get a clean response, great, it's gone from that rank. if ret == 0: return True elif ret == errno.ETIMEDOUT: # Oh no, the MDS went laggy (that's how libcephfs knows to emit this error) self._mds_map = self._volume_client._rados_command("mds dump", {}) try: self._wait_for_ready() except self.GidGone: return True else: raise ClusterError("Sending evict to mds.{0}".format(self.gid), ret, outs) def run(self): try: self._evict() except Exception as e: self.success = False self.exception = e else: self.success = True class EvictionError(Exception): pass class CephFSVolumeClientError(Exception): """ Something went wrong talking to Ceph using CephFSVolumeClient. """ pass CEPHFSVOLUMECLIENT_VERSION_HISTORY = """ CephFSVolumeClient Version History: * 1 - Initial version * 2 - Added get_object, put_object, delete_object methods to CephFSVolumeClient """ class CephFSVolumeClient(object): """ Combine libcephfs and librados interfaces to implement a 'Volume' concept implemented as a cephfs directory and client capabilities which restrict mount access to this directory. Additionally, volumes may be in a 'Group'. Conveniently, volumes are a lot like manila shares, and groups are a lot like manila consistency groups. Refer to volumes with VolumePath, which specifies the volume and group IDs (both strings). The group ID may be None. In general, functions in this class are allowed raise rados.Error or cephfs.Error exceptions in unexpected situations. """ # Current version version = 2 # Where shall we create our volumes? POOL_PREFIX = "fsvolume_" DEFAULT_VOL_PREFIX = "/volumes" DEFAULT_NS_PREFIX = "fsvolumens_" def __init__(self, auth_id, conf_path, cluster_name, volume_prefix=None, pool_ns_prefix=None): self.fs = None self.rados = None self.connected = False self.conf_path = conf_path self.cluster_name = cluster_name self.auth_id = auth_id self.volume_prefix = volume_prefix if volume_prefix else self.DEFAULT_VOL_PREFIX self.pool_ns_prefix = pool_ns_prefix if pool_ns_prefix else self.DEFAULT_NS_PREFIX # For flock'ing in cephfs, I want a unique ID to distinguish me # from any other manila-share services that are loading this module. # We could use pid, but that's unnecessary weak: generate a # UUID self._id = struct.unpack(">Q", uuid.uuid1().get_bytes()[0:8])[0] # TODO: version the on-disk structures def recover(self): # Scan all auth keys to see if they're dirty: if they are, they have # state that might not have propagated to Ceph or to the related # volumes yet. # Important: we *always* acquire locks in the order auth->volume # That means a volume can never be dirty without the auth key # we're updating it with being dirty at the same time. # First list the auth IDs that have potentially dirty on-disk metadata log.debug("Recovering from partial auth updates (if any)...") try: dir_handle = self.fs.opendir(self.volume_prefix) except cephfs.ObjectNotFound: log.debug("Nothing to recover. No auth meta files.") return d = self.fs.readdir(dir_handle) auth_ids = [] if not d: log.debug("Nothing to recover. No auth meta files.") while d: # Identify auth IDs from auth meta filenames. The auth meta files # are named as, "$" regex = "^\$(.*){0}$".format(re.escape(META_FILE_EXT)) match = re.search(regex, d.d_name) if match: auth_ids.append(match.group(1)) d = self.fs.readdir(dir_handle) self.fs.closedir(dir_handle) # Key points based on ordering: # * Anything added in VMeta is already added in AMeta # * Anything added in Ceph is already added in VMeta # * Anything removed in VMeta is already removed in Ceph # * Anything removed in AMeta is already removed in VMeta # Deauthorization: because I only update metadata AFTER the # update of the next level down, I have the same ordering of # -> things which exist in the AMeta should also exist # in the VMeta, should also exist in Ceph, and the same # recovery procedure that gets me consistent after crashes # during authorization will also work during deauthorization # Now for each auth ID, check for dirty flag and apply updates # if dirty flag is found for auth_id in auth_ids: with self._auth_lock(auth_id): auth_meta = self._auth_metadata_get(auth_id) if not auth_meta or not auth_meta['volumes']: # Clean up auth meta file self.fs.unlink(self._auth_metadata_path(auth_id)) continue if not auth_meta['dirty']: continue self._recover_auth_meta(auth_id, auth_meta) log.debug("Recovered from partial auth updates (if any).") def _recover_auth_meta(self, auth_id, auth_meta): """ Call me after locking the auth meta file. """ remove_volumes = [] for volume, volume_data in auth_meta['volumes'].items(): if not volume_data['dirty']: continue (group_id, volume_id) = volume.split('/') group_id = group_id if group_id is not 'None' else None volume_path = VolumePath(group_id, volume_id) access_level = volume_data['access_level'] with self._volume_lock(volume_path): vol_meta = self._volume_metadata_get(volume_path) # No VMeta update indicates that there was no auth update # in Ceph either. So it's safe to remove corresponding # partial update in AMeta. if not vol_meta or auth_id not in vol_meta['auths']: remove_volumes.append(volume) continue want_auth = { 'access_level': access_level, 'dirty': False, } # VMeta update looks clean. Ceph auth update must have been # clean. if vol_meta['auths'][auth_id] == want_auth: continue readonly = True if access_level is 'r' else False self._authorize_volume(volume_path, auth_id, readonly) # Recovered from partial auth updates for the auth ID's access # to a volume. auth_meta['volumes'][volume]['dirty'] = False self._auth_metadata_set(auth_id, auth_meta) for volume in remove_volumes: del auth_meta['volumes'][volume] if not auth_meta['volumes']: # Clean up auth meta file self.fs.unlink(self._auth_metadata_path(auth_id)) return # Recovered from all partial auth updates for the auth ID. auth_meta['dirty'] = False self._auth_metadata_set(auth_id, auth_meta) def evict(self, auth_id, timeout=30, volume_path=None): """ Evict all clients based on the authorization ID and optionally based on the volume path mounted. Assumes that the authorization key has been revoked prior to calling this function. This operation can throw an exception if the mon cluster is unresponsive, or any individual MDS daemon is unresponsive for longer than the timeout passed in. """ client_spec = ["auth_name={0}".format(auth_id), ] if volume_path: client_spec.append("client_metadata.root={0}". format(self._get_path(volume_path))) log.info("evict clients with {0}".format(', '.join(client_spec))) mds_map = self._rados_command("mds dump", {}) up = {} for name, gid in mds_map['up'].items(): # Quirk of the MDSMap JSON dump: keys in the up dict are like "mds_0" assert name.startswith("mds_") up[int(name[4:])] = gid # For all MDS ranks held by a daemon # Do the parallelism in python instead of using "tell mds.*", because # the latter doesn't give us per-mds output threads = [] for rank, gid in up.items(): thread = RankEvicter(self, client_spec, rank, gid, mds_map, timeout) thread.start() threads.append(thread) for t in threads: t.join() log.info("evict: joined all") for t in threads: if not t.success: msg = ("Failed to evict client with {0} from mds {1}/{2}: {3}". format(', '.join(client_spec), t.rank, t.gid, t.exception) ) log.error(msg) raise EvictionError(msg) def _get_path(self, volume_path): """ Determine the path within CephFS where this volume will live :return: absolute path (string) """ return os.path.join( self.volume_prefix, volume_path.group_id if volume_path.group_id is not None else NO_GROUP_NAME, volume_path.volume_id) def _get_group_path(self, group_id): if group_id is None: raise ValueError("group_id may not be None") return os.path.join( self.volume_prefix, group_id ) def connect(self, premount_evict = None): """ :param premount_evict: Optional auth_id to evict before mounting the filesystem: callers may want to use this to specify their own auth ID if they expect to be a unique instance and don't want to wait for caps to time out after failure of another instance of themselves. """ log.debug("Connecting to RADOS with config {0}...".format(self.conf_path)) self.rados = rados.Rados( name="client.{0}".format(self.auth_id), clustername=self.cluster_name, conffile=self.conf_path, conf={} ) self.rados.connect() log.debug("Connection to RADOS complete") log.debug("Connecting to cephfs...") self.fs = cephfs.LibCephFS(rados_inst=self.rados) log.debug("CephFS initializing...") self.fs.init() if premount_evict is not None: log.debug("Premount eviction of {0} starting".format(premount_evict)) self.evict(premount_evict) log.debug("Premount eviction of {0} completes".format(premount_evict)) log.debug("CephFS mounting...") self.fs.mount() log.debug("Connection to cephfs complete") # Recover from partial auth updates due to a previous # crash. self.recover() def get_mon_addrs(self): log.info("get_mon_addrs") result = [] mon_map = self._rados_command("mon dump") for mon in mon_map['mons']: ip_port = mon['addr'].split("/")[0] result.append(ip_port) return result def disconnect(self): log.info("disconnect") if self.fs: log.debug("Disconnecting cephfs...") self.fs.shutdown() self.fs = None log.debug("Disconnecting cephfs complete") if self.rados: log.debug("Disconnecting rados...") self.rados.shutdown() self.rados = None log.debug("Disconnecting rados complete") def __del__(self): self.disconnect() def _get_pool_id(self, osd_map, pool_name): # Maybe borrow the OSDMap wrapper class from calamari if more helpers # like this are needed. for pool in osd_map['pools']: if pool['pool_name'] == pool_name: return pool['pool'] return None def _create_volume_pool(self, pool_name): """ Idempotently create a pool for use as a CephFS data pool, with the given name :return The ID of the created pool """ osd_map = self._rados_command('osd dump', {}) existing_id = self._get_pool_id(osd_map, pool_name) if existing_id is not None: log.info("Pool {0} already exists".format(pool_name)) return existing_id osd_count = len(osd_map['osds']) # We can't query the actual cluster config remotely, but since this is # just a heuristic we'll assume that the ceph.conf we have locally reflects # that in use in the rest of the cluster. pg_warn_max_per_osd = int(self.rados.conf_get('mon_max_pg_per_osd')) other_pgs = 0 for pool in osd_map['pools']: if not pool['pool_name'].startswith(self.POOL_PREFIX): other_pgs += pool['pg_num'] # A basic heuristic for picking pg_num: work out the max number of # PGs we can have without tripping a warning, then subtract the number # of PGs already created by non-manila pools, then divide by ten. That'll # give you a reasonable result on a system where you have "a few" manila # shares. pg_num = ((pg_warn_max_per_osd * osd_count) - other_pgs) / 10 # TODO Alternatively, respect an override set by the user. self._rados_command( 'osd pool create', { 'pool': pool_name, 'pg_num': pg_num } ) osd_map = self._rados_command('osd dump', {}) pool_id = self._get_pool_id(osd_map, pool_name) if pool_id is None: # If the pool isn't there, that's either a ceph bug, or it's some outside influence # removing it right after we created it. log.error("OSD map doesn't contain expected pool '{0}':\n{1}".format( pool_name, json.dumps(osd_map, indent=2) )) raise RuntimeError("Pool '{0}' not present in map after creation".format(pool_name)) else: return pool_id def create_group(self, group_id): # Prevent craftily-named volume groups from colliding with the meta # files. if group_id.endswith(META_FILE_EXT): raise ValueError("group ID cannot end with '{0}'.".format( META_FILE_EXT)) path = self._get_group_path(group_id) self._mkdir_p(path) def destroy_group(self, group_id): path = self._get_group_path(group_id) try: self.fs.stat(self.volume_prefix) except cephfs.ObjectNotFound: pass else: self.fs.rmdir(path) def _mkdir_p(self, path): try: self.fs.stat(path) except cephfs.ObjectNotFound: pass else: return parts = path.split(os.path.sep) for i in range(1, len(parts) + 1): subpath = os.path.join(*parts[0:i]) try: self.fs.stat(subpath) except cephfs.ObjectNotFound: self.fs.mkdir(subpath, 0o755) def create_volume(self, volume_path, size=None, data_isolated=False): """ Set up metadata, pools and auth for a volume. This function is idempotent. It is safe to call this again for an already-created volume, even if it is in use. :param volume_path: VolumePath instance :param size: In bytes, or None for no size limit :param data_isolated: If true, create a separate OSD pool for this volume :return: """ path = self._get_path(volume_path) log.info("create_volume: {0}".format(path)) self._mkdir_p(path) if size is not None: self.fs.setxattr(path, 'ceph.quota.max_bytes', size.__str__(), 0) # data_isolated means create a separate pool for this volume if data_isolated: pool_name = "{0}{1}".format(self.POOL_PREFIX, volume_path.volume_id) log.info("create_volume: {0}, create pool {1} as data_isolated =True.".format(volume_path, pool_name)) pool_id = self._create_volume_pool(pool_name) mds_map = self._rados_command("mds dump", {}) if pool_id not in mds_map['data_pools']: self._rados_command("mds add_data_pool", { 'pool': pool_name }) self.fs.setxattr(path, 'ceph.dir.layout.pool', pool_name, 0) # enforce security isolation, use seperate namespace for this volume namespace = "{0}{1}".format(self.pool_ns_prefix, volume_path.volume_id) log.info("create_volume: {0}, using rados namespace {1} to isolate data.".format(volume_path, namespace)) self.fs.setxattr(path, 'ceph.dir.layout.pool_namespace', namespace, 0) # Create a volume meta file, if it does not already exist, to store # data about auth ids having access to the volume fd = self.fs.open(self._volume_metadata_path(volume_path), os.O_CREAT, 0o755) self.fs.close(fd) return { 'mount_path': path } def delete_volume(self, volume_path, data_isolated=False): """ Make a volume inaccessible to guests. This function is idempotent. This is the fast part of tearing down a volume: you must also later call purge_volume, which is the slow part. :param volume_path: Same identifier used in create_volume :return: """ path = self._get_path(volume_path) log.info("delete_volume: {0}".format(path)) # Create the trash folder if it doesn't already exist trash = os.path.join(self.volume_prefix, "_deleting") self._mkdir_p(trash) # We'll move it to here trashed_volume = os.path.join(trash, volume_path.volume_id) # Move the volume's data to the trash folder try: self.fs.stat(path) except cephfs.ObjectNotFound: log.warning("Trying to delete volume '{0}' but it's already gone".format( path)) else: self.fs.rename(path, trashed_volume) # Delete the volume meta file, if it's not already deleted vol_meta_path = self._volume_metadata_path(volume_path) try: self.fs.unlink(vol_meta_path) except cephfs.ObjectNotFound: pass def purge_volume(self, volume_path, data_isolated=False): """ Finish clearing up a volume that was previously passed to delete_volume. This function is idempotent. """ trash = os.path.join(self.volume_prefix, "_deleting") trashed_volume = os.path.join(trash, volume_path.volume_id) try: self.fs.stat(trashed_volume) except cephfs.ObjectNotFound: log.warning("Trying to purge volume '{0}' but it's already been purged".format( trashed_volume)) return def rmtree(root_path): log.debug("rmtree {0}".format(root_path)) dir_handle = self.fs.opendir(root_path) d = self.fs.readdir(dir_handle) while d: if d.d_name not in [".", ".."]: # Do not use os.path.join because it is sensitive # to string encoding, we just pass through dnames # as byte arrays d_full = "{0}/{1}".format(root_path, d.d_name) if d.is_dir(): rmtree(d_full) else: self.fs.unlink(d_full) d = self.fs.readdir(dir_handle) self.fs.closedir(dir_handle) self.fs.rmdir(root_path) rmtree(trashed_volume) if data_isolated: pool_name = "{0}{1}".format(self.POOL_PREFIX, volume_path.volume_id) osd_map = self._rados_command("osd dump", {}) pool_id = self._get_pool_id(osd_map, pool_name) mds_map = self._rados_command("mds dump", {}) if pool_id in mds_map['data_pools']: self._rados_command("mds remove_data_pool", { 'pool': pool_name }) self._rados_command("osd pool delete", { "pool": pool_name, "pool2": pool_name, "sure": "--yes-i-really-really-mean-it" }) def _get_ancestor_xattr(self, path, attr): """ Helper for reading layout information: if this xattr is missing on the requested path, keep checking parents until we find it. """ try: result = self.fs.getxattr(path, attr) if result == "": # Annoying! cephfs gives us empty instead of an error when attr not found raise cephfs.NoData() else: return result except cephfs.NoData: if path == "/": raise else: return self._get_ancestor_xattr(os.path.split(path)[0], attr) def _check_compat_version(self, compat_version): if self.version < compat_version: msg = ("The current version of CephFSVolumeClient, version {0} " "does not support the required feature. Need version {1} " "or greater".format(self.version, compat_version) ) log.error(msg) raise CephFSVolumeClientError(msg) def _metadata_get(self, path): """ Return a deserialized JSON object, or None """ fd = self.fs.open(path, "r") # TODO iterate instead of assuming file < 4MB read_bytes = self.fs.read(fd, 0, 4096 * 1024) self.fs.close(fd) if read_bytes: return json.loads(read_bytes) else: return None def _metadata_set(self, path, data): serialized = json.dumps(data) fd = self.fs.open(path, "w") try: self.fs.write(fd, serialized, 0) self.fs.fsync(fd, 0) finally: self.fs.close(fd) def _lock(self, path): @contextmanager def fn(): while(1): fd = self.fs.open(path, os.O_CREAT, 0o755) self.fs.flock(fd, fcntl.LOCK_EX, self._id) # The locked file will be cleaned up sometime. It could be # unlinked e.g., by an another manila share instance, before # lock was applied on it. Perform checks to ensure that this # does not happen. try: statbuf = self.fs.stat(path) except cephfs.ObjectNotFound: self.fs.close(fd) continue fstatbuf = self.fs.fstat(fd) if statbuf.st_ino == fstatbuf.st_ino: break try: yield finally: self.fs.flock(fd, fcntl.LOCK_UN, self._id) self.fs.close(fd) return fn() def _auth_metadata_path(self, auth_id): return os.path.join(self.volume_prefix, "${0}{1}".format( auth_id, META_FILE_EXT)) def _auth_lock(self, auth_id): return self._lock(self._auth_metadata_path(auth_id)) def _auth_metadata_get(self, auth_id): """ Call me with the metadata locked! Check whether a auth metadata structure can be decoded by the current version of CephFSVolumeClient. Return auth metadata that the current version of CephFSVolumeClient can decode. """ auth_metadata = self._metadata_get(self._auth_metadata_path(auth_id)) if auth_metadata: self._check_compat_version(auth_metadata['compat_version']) return auth_metadata def _auth_metadata_set(self, auth_id, data): """ Call me with the metadata locked! Fsync the auth metadata. Add two version attributes to the auth metadata, 'compat_version', the minimum CephFSVolumeClient version that can decode the metadata, and 'version', the CephFSVolumeClient version that encoded the metadata. """ data['compat_version'] = 1 data['version'] = self.version return self._metadata_set(self._auth_metadata_path(auth_id), data) def _volume_metadata_path(self, volume_path): return os.path.join(self.volume_prefix, "_{0}:{1}{2}".format( volume_path.group_id if volume_path.group_id else "", volume_path.volume_id, META_FILE_EXT )) def _volume_lock(self, volume_path): """ Return a ContextManager which locks the authorization metadata for a particular volume, and persists a flag to the metadata indicating that it is currently locked, so that we can detect dirty situations during recovery. This lock isn't just to make access to the metadata safe: it's also designed to be used over the two-step process of checking the metadata and then responding to an authorization request, to ensure that at the point we respond the metadata hasn't changed in the background. It's key to how we avoid security holes resulting from races during that problem , """ return self._lock(self._volume_metadata_path(volume_path)) def _volume_metadata_get(self, volume_path): """ Call me with the metadata locked! Check whether a volume metadata structure can be decoded by the current version of CephFSVolumeClient. Return a volume_metadata structure that the current version of CephFSVolumeClient can decode. """ volume_metadata = self._metadata_get(self._volume_metadata_path(volume_path)) if volume_metadata: self._check_compat_version(volume_metadata['compat_version']) return volume_metadata def _volume_metadata_set(self, volume_path, data): """ Call me with the metadata locked! Add two version attributes to the volume metadata, 'compat_version', the minimum CephFSVolumeClient version that can decode the metadata and 'version', the CephFSVolumeClient version that encoded the metadata. """ data['compat_version'] = 1 data['version'] = self.version return self._metadata_set(self._volume_metadata_path(volume_path), data) def authorize(self, volume_path, auth_id, readonly=False, tenant_id=None): """ Get-or-create a Ceph auth identity for `auth_id` and grant them access to :param volume_path: :param auth_id: :param readonly: :param tenant_id: Optionally provide a stringizable object to restrict any created cephx IDs to other callers passing the same tenant ID. :return: """ with self._auth_lock(auth_id): # Existing meta, or None, to be updated auth_meta = self._auth_metadata_get(auth_id) # volume data to be inserted volume_path_str = str(volume_path) volume = { volume_path_str : { # The access level at which the auth_id is authorized to # access the volume. 'access_level': 'r' if readonly else 'rw', 'dirty': True, } } if auth_meta is None: sys.stderr.write("Creating meta for ID {0} with tenant {1}\n".format( auth_id, tenant_id )) log.debug("Authorize: no existing meta") auth_meta = { 'dirty': True, 'tenant_id': tenant_id.__str__() if tenant_id else None, 'volumes': volume } # Note: this is *not* guaranteeing that the key doesn't already # exist in Ceph: we are allowing VolumeClient tenants to # 'claim' existing Ceph keys. In order to prevent VolumeClient # tenants from reading e.g. client.admin keys, you need to # have configured your VolumeClient user (e.g. Manila) to # have mon auth caps that prevent it from accessing those keys # (e.g. limit it to only access keys with a manila.* prefix) else: # Disallow tenants to share auth IDs if auth_meta['tenant_id'].__str__() != tenant_id.__str__(): msg = "auth ID: {0} is already in use".format(auth_id) log.error(msg) raise CephFSVolumeClientError(msg) if auth_meta['dirty']: self._recover_auth_meta(auth_id, auth_meta) log.debug("Authorize: existing tenant {tenant}".format( tenant=auth_meta['tenant_id'] )) auth_meta['dirty'] = True auth_meta['volumes'].update(volume) self._auth_metadata_set(auth_id, auth_meta) with self._volume_lock(volume_path): key = self._authorize_volume(volume_path, auth_id, readonly) auth_meta['dirty'] = False auth_meta['volumes'][volume_path_str]['dirty'] = False self._auth_metadata_set(auth_id, auth_meta) if tenant_id: return { 'auth_key': key } else: # Caller wasn't multi-tenant aware: be safe and don't give # them a key return { 'auth_key': None } def _authorize_volume(self, volume_path, auth_id, readonly): vol_meta = self._volume_metadata_get(volume_path) access_level = 'r' if readonly else 'rw' auth = { auth_id: { 'access_level': access_level, 'dirty': True, } } if vol_meta is None: vol_meta = { 'auths': auth } else: vol_meta['auths'].update(auth) self._volume_metadata_set(volume_path, vol_meta) key = self._authorize_ceph(volume_path, auth_id, readonly) vol_meta['auths'][auth_id]['dirty'] = False self._volume_metadata_set(volume_path, vol_meta) return key def _authorize_ceph(self, volume_path, auth_id, readonly): path = self._get_path(volume_path) log.debug("Authorizing Ceph id '{0}' for path '{1}'".format( auth_id, path )) # First I need to work out what the data pool is for this share: # read the layout pool_name = self._get_ancestor_xattr(path, "ceph.dir.layout.pool") namespace = self.fs.getxattr(path, "ceph.dir.layout.pool_namespace") # Now construct auth capabilities that give the guest just enough # permissions to access the share client_entity = "client.{0}".format(auth_id) want_access_level = 'r' if readonly else 'rw' want_mds_cap = 'allow {0} path={1}'.format(want_access_level, path) want_osd_cap = 'allow {0} pool={1} namespace={2}'.format( want_access_level, pool_name, namespace) try: existing = self._rados_command( 'auth get', { 'entity': client_entity } ) # FIXME: rados raising Error instead of ObjectNotFound in auth get failure except rados.Error: caps = self._rados_command( 'auth get-or-create', { 'entity': client_entity, 'caps': [ 'mds', want_mds_cap, 'osd', want_osd_cap, 'mon', 'allow r'] }) else: # entity exists, update it cap = existing[0] # Construct auth caps that if present might conflict with the desired # auth caps. unwanted_access_level = 'r' if want_access_level is 'rw' else 'rw' unwanted_mds_cap = 'allow {0} path={1}'.format(unwanted_access_level, path) unwanted_osd_cap = 'allow {0} pool={1} namespace={2}'.format( unwanted_access_level, pool_name, namespace) def cap_update(orig, want, unwanted): # Updates the existing auth caps such that there is a single # occurrence of wanted auth caps and no occurrence of # conflicting auth caps. if not orig: return want cap_tokens = set(orig.split(",")) cap_tokens.discard(unwanted) cap_tokens.add(want) return ",".join(cap_tokens) osd_cap_str = cap_update(cap['caps'].get('osd', ""), want_osd_cap, unwanted_osd_cap) mds_cap_str = cap_update(cap['caps'].get('mds', ""), want_mds_cap, unwanted_mds_cap) caps = self._rados_command( 'auth caps', { 'entity': client_entity, 'caps': [ 'mds', mds_cap_str, 'osd', osd_cap_str, 'mon', cap['caps'].get('mon', 'allow r')] }) caps = self._rados_command( 'auth get', { 'entity': client_entity } ) # Result expected like this: # [ # { # "entity": "client.foobar", # "key": "AQBY0\/pViX\/wBBAAUpPs9swy7rey1qPhzmDVGQ==", # "caps": { # "mds": "allow *", # "mon": "allow *" # } # } # ] assert len(caps) == 1 assert caps[0]['entity'] == client_entity return caps[0]['key'] def deauthorize(self, volume_path, auth_id): with self._auth_lock(auth_id): # Existing meta, or None, to be updated auth_meta = self._auth_metadata_get(auth_id) volume_path_str = str(volume_path) if (auth_meta is None) or (not auth_meta['volumes']): log.warn("deauthorized called for already-removed auth" "ID '{auth_id}' for volume ID '{volume}'".format( auth_id=auth_id, volume=volume_path.volume_id )) # Clean up the auth meta file of an auth ID self.fs.unlink(self._auth_metadata_path(auth_id)) return if volume_path_str not in auth_meta['volumes']: log.warn("deauthorized called for already-removed auth" "ID '{auth_id}' for volume ID '{volume}'".format( auth_id=auth_id, volume=volume_path.volume_id )) return if auth_meta['dirty']: self._recover_auth_meta(auth_id, auth_meta) auth_meta['dirty'] = True auth_meta['volumes'][volume_path_str]['dirty'] = True self._auth_metadata_set(auth_id, auth_meta) self._deauthorize_volume(volume_path, auth_id) # Filter out the volume we're deauthorizing del auth_meta['volumes'][volume_path_str] # Clean up auth meta file if not auth_meta['volumes']: self.fs.unlink(self._auth_metadata_path(auth_id)) return auth_meta['dirty'] = False self._auth_metadata_set(auth_id, auth_meta) def _deauthorize_volume(self, volume_path, auth_id): with self._volume_lock(volume_path): vol_meta = self._volume_metadata_get(volume_path) if (vol_meta is None) or (auth_id not in vol_meta['auths']): log.warn("deauthorized called for already-removed auth" "ID '{auth_id}' for volume ID '{volume}'".format( auth_id=auth_id, volume=volume_path.volume_id )) return vol_meta['auths'][auth_id]['dirty'] = True self._volume_metadata_set(volume_path, vol_meta) self._deauthorize(volume_path, auth_id) # Remove the auth_id from the metadata *after* removing it # from ceph, so that if we crashed here, we would actually # recreate the auth ID during recovery (i.e. end up with # a consistent state). # Filter out the auth we're removing del vol_meta['auths'][auth_id] self._volume_metadata_set(volume_path, vol_meta) def _deauthorize(self, volume_path, auth_id): """ The volume must still exist. """ client_entity = "client.{0}".format(auth_id) path = self._get_path(volume_path) pool_name = self._get_ancestor_xattr(path, "ceph.dir.layout.pool") namespace = self.fs.getxattr(path, "ceph.dir.layout.pool_namespace") # The auth_id might have read-only or read-write mount access for the # volume path. access_levels = ('r', 'rw') want_mds_caps = {'allow {0} path={1}'.format(access_level, path) for access_level in access_levels} want_osd_caps = {'allow {0} pool={1} namespace={2}'.format( access_level, pool_name, namespace) for access_level in access_levels} try: existing = self._rados_command( 'auth get', { 'entity': client_entity } ) def cap_remove(orig, want): cap_tokens = set(orig.split(",")) return ",".join(cap_tokens.difference(want)) cap = existing[0] osd_cap_str = cap_remove(cap['caps'].get('osd', ""), want_osd_caps) mds_cap_str = cap_remove(cap['caps'].get('mds', ""), want_mds_caps) if (not osd_cap_str) and (not mds_cap_str): self._rados_command('auth del', {'entity': client_entity}, decode=False) else: self._rados_command( 'auth caps', { 'entity': client_entity, 'caps': [ 'mds', mds_cap_str, 'osd', osd_cap_str, 'mon', cap['caps'].get('mon', 'allow r')] }) # FIXME: rados raising Error instead of ObjectNotFound in auth get failure except rados.Error: # Already gone, great. return def get_authorized_ids(self, volume_path): """ Expose a list of auth IDs that have access to a volume. return: a list of (auth_id, access_level) tuples, where the access_level can be 'r' , or 'rw'. None if no auth ID is given access to the volume. """ with self._volume_lock(volume_path): meta = self._volume_metadata_get(volume_path) auths = [] if not meta or not meta['auths']: return None for auth, auth_data in meta['auths'].items(): # Skip partial auth updates. if not auth_data['dirty']: auths.append((auth, auth_data['access_level'])) return auths def _rados_command(self, prefix, args=None, decode=True): """ Safer wrapper for ceph_argparse.json_command, which raises Error exception instead of relying on caller to check return codes. Error exception can result from: * Timeout * Actual legitimate errors * Malformed JSON output return: Decoded object from ceph, or None if empty string returned. If decode is False, return a string (the data returned by ceph command) """ if args is None: args = {} argdict = args.copy() argdict['format'] = 'json' ret, outbuf, outs = json_command(self.rados, prefix=prefix, argdict=argdict, timeout=RADOS_TIMEOUT) if ret != 0: raise rados.Error(outs) else: if decode: if outbuf: try: return json.loads(outbuf) except (ValueError, TypeError): raise RadosError("Invalid JSON output for command {0}".format(argdict)) else: return None else: return outbuf def get_used_bytes(self, volume_path): return int(self.fs.getxattr(self._get_path(volume_path), "ceph.dir.rbytes")) def set_max_bytes(self, volume_path, max_bytes): self.fs.setxattr(self._get_path(volume_path), 'ceph.quota.max_bytes', max_bytes.__str__() if max_bytes is not None else "0", 0) def _snapshot_path(self, dir_path, snapshot_name): return os.path.join( dir_path, self.rados.conf_get('client_snapdir'), snapshot_name ) def _snapshot_create(self, dir_path, snapshot_name): # TODO: raise intelligible exception for clusters where snaps are disabled self.fs.mkdir(self._snapshot_path(dir_path, snapshot_name), 0o755) def _snapshot_destroy(self, dir_path, snapshot_name): """ Remove a snapshot, or do nothing if it already doesn't exist. """ try: self.fs.rmdir(self._snapshot_path(dir_path, snapshot_name)) except cephfs.ObjectNotFound: log.warn("Snapshot was already gone: {0}".format(snapshot_name)) def create_snapshot_volume(self, volume_path, snapshot_name): self._snapshot_create(self._get_path(volume_path), snapshot_name) def destroy_snapshot_volume(self, volume_path, snapshot_name): self._snapshot_destroy(self._get_path(volume_path), snapshot_name) def create_snapshot_group(self, group_id, snapshot_name): if group_id is None: raise RuntimeError("Group ID may not be None") return self._snapshot_create(self._get_group_path(group_id), snapshot_name) def destroy_snapshot_group(self, group_id, snapshot_name): if group_id is None: raise RuntimeError("Group ID may not be None") if snapshot_name is None: raise RuntimeError("Snapshot name may not be None") return self._snapshot_destroy(self._get_group_path(group_id), snapshot_name) def _cp_r(self, src, dst): # TODO raise NotImplementedError() def clone_volume_to_existing(self, dest_volume_path, src_volume_path, src_snapshot_name): dest_fs_path = self._get_path(dest_volume_path) src_snapshot_path = self._snapshot_path(self._get_path(src_volume_path), src_snapshot_name) self._cp_r(src_snapshot_path, dest_fs_path) def put_object(self, pool_name, object_name, data): """ Synchronously write data to an object. :param pool_name: name of the pool :type pool_name: str :param object_name: name of the object :type object_name: str :param data: data to write :type data: bytes """ ioctx = self.rados.open_ioctx(pool_name) max_size = int(self.rados.conf_get('osd_max_write_size')) * 1024 * 1024 if len(data) > max_size: msg = ("Data to be written to object '{0}' exceeds " "{1} bytes".format(object_name, max_size)) log.error(msg) raise CephFSVolumeClientError(msg) try: ioctx.write_full(object_name, data) finally: ioctx.close() def get_object(self, pool_name, object_name): """ Synchronously read data from object. :param pool_name: name of the pool :type pool_name: str :param object_name: name of the object :type object_name: str :returns: bytes - data read from object """ ioctx = self.rados.open_ioctx(pool_name) max_size = int(self.rados.conf_get('osd_max_write_size')) * 1024 * 1024 try: bytes_read = ioctx.read(object_name, max_size) if ((len(bytes_read) == max_size) and (ioctx.read(object_name, 1, offset=max_size))): log.warning("Size of object {0} exceeds '{1}' bytes " "read".format(object_name, max_size)) finally: ioctx.close() return bytes_read def delete_object(self, pool_name, object_name): ioctx = self.rados.open_ioctx(pool_name) try: ioctx.remove_object(object_name) except rados.ObjectNotFound: log.warn("Object '{0}' was already removed".format(object_name)) finally: ioctx.close()