Re: [Qemu-devel] [RFC][BROKEN] rbd: Allow configuration of authenticatio
From: Eric Blake
Subject: Re: [Qemu-devel] [RFC][BROKEN] rbd: Allow configuration of authentication scheme
Date: Wed, 18 Apr 2018 08:26:39 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
On 04/05/2018 12:06 PM, Kevin Wolf wrote:
> The legacy command line syntax supports a "password-secret" option that
> allows to pass an authentication key to Ceph. This was not supported in
> QMP so far.
>
> This patch introduces authentication options in the QAPI schema, makes
> them do the corresponding rados_conf_set() calls and adds compatibility
> code that translates the old "password-secret" option both for opening
> and creating images to the new set of options.
>
> Note that the old option didn't allow to explicitly specify the set of
> allowed authentication schemes. The compatibility code assumes that if
> "password-secret" is given, only the cephx scheme is allowed. If it's
> missing, both none and cephx are allowed because the configuration file
> could still provide a key.
>
> Signed-off-by: Kevin Wolf <address@hidden>
> ---
> Any thoughts on the proposed QAPI schema or the two implementation
> problems are welcome.
>
> qapi/block-core.json | 22 +++++++++++
> block/rbd.c | 102
> ++++++++++++++++++++++++++++++++++++++-------------
> 2 files changed, 99 insertions(+), 25 deletions(-)
>
> diff --git a/qapi/block-core.json b/qapi/block-core.json
> index c50517bff3..d5ce588add 100644
> --- a/qapi/block-core.json
> +++ b/qapi/block-core.json
> @@ -3170,6 +3170,19 @@
>
>
> ##
> +# @RbdAuthCephx:
> +#
> +# @key-secret: ID of a QCryptoSecret object providing a key for cephx
> +# authentication. If not specified, a key from the
> +# specified configuration file, or the system default
> +# configuration is used, if present.
> +#
> +# Since: 2.13
> +##
> +{ 'struct': 'RbdAuthCephx',
> + 'data': { '*key-secret': 'str' } }
> +
> +##
> # @BlockdevOptionsRbd:
> #
> # @pool: Ceph pool name.
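Review bot: The @key-secret description in RbdAuthCephx does not say which key takes effect when both key-secret and the configuration file provide one, nor what happens when cephx is allowed and no key is found in either place. Suggest stating the precedence explicitly and documenting whether the connection fails in the no-key case, so callers know a missing secret cannot silently change how the connection is authenticated.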
> @@ -3184,6 +3197,13 @@
> #
> # @user: Ceph id name.
> #
> +# @auth-none: true if connecting to a server without authentication
> +# should be allowed (default: false; since 2.13)
> +#
> +# @auth-cephx: Configuration for cephx authentication if specified.
> If
> +# not specified, cephx authentication is not allowed.
> +# (since 2.13)
> +#
> # @server: Monitor host address and port. This maps
> # to the "mon_host" Ceph option.
> #
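Review bot: With @auth-none defaulting to false and an absent @auth-cephx meaning "cephx authentication is not allowed", a caller that specifies neither option has no permitted scheme, and the text does not say what happens then. The commit message says the compatibility path allows both none and cephx when "password-secret" is missing, so the QMP default and the legacy default differ; document the both-absent case here (an error, or a fallback to the configuration file) and note the difference from the legacy syntax.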
> @@ -3195,6 +3215,8 @@
> '*conf': 'str',
> '*snapshot': 'str',
> '*user': 'str',
> + '*auth-none': 'bool',
> + '*auth-cephx': 'RbdAuthCephx',
> '*server': ['InetSocketAddressBase'] } }
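Review bot: '*auth-none' and '*auth-cephx' are independent optional members, so the schema accepts auth-none: true together with an auth-cephx that carries a key-secret, which permits an unauthenticated connection even though a key was supplied. If that combination is intended, say so in the member documentation; otherwise reject it when the options are processed, since the schema as written cannot express the constraint.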
Would it be better to have this be a flat union with 'auth' with enum
values 'none', 'cephx', 'both' as a discriminator that determines which
additional fields can be present? Or does that require that we first
fix the QAPI generator to allow nesting a flat union within another flat
union (probably doable, just no one has needed it before now)? Is it
also time to improve the QAPI generator to allow a default value to the
discriminator field, rather than requiring the field to be present?
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org