From nobody Fri May 3 08:00:51 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1522948057380836.7098837197256; Thu, 5 Apr 2018 10:07:37 -0700 (PDT) Received: from localhost ([::1]:42769 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1f48MK-0004sW-Cb for importer@patchew.org; Thu, 05 Apr 2018 13:07:36 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:59875) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1f48LN-0004Ss-KE for qemu-devel@nongnu.org; Thu, 05 Apr 2018 13:06:39 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1f48LL-0001lj-L9 for qemu-devel@nongnu.org; Thu, 05 Apr 2018 13:06:37 -0400 Received: from mx3-rdu2.redhat.com ([66.187.233.73]:44224 helo=mx1.redhat.com) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1f48LF-0001dZ-B6; Thu, 05 Apr 2018 13:06:29 -0400 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 5419EBD9F; Thu, 5 Apr 2018 17:06:28 +0000 (UTC) Received: from localhost.localdomain.com (ovpn-117-226.ams2.redhat.com [10.36.117.226]) by smtp.corp.redhat.com (Postfix) with ESMTP id C9A2A2026980; Thu, 5 Apr 2018 17:06:26 +0000 (UTC) From: Kevin Wolf To: qemu-block@nongnu.org Date: Thu, 5 Apr 2018 19:06:19 +0200 Message-Id: <20180405170619.20480-1-kwolf@redhat.com> X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.1]); Thu, 05 Apr 2018 17:06:28 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.1]); Thu, 05 Apr 2018 17:06:28 +0000 (UTC) for IP:'10.11.54.4' DOMAIN:'int-mx04.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'kwolf@redhat.com' RCPT:'' X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 66.187.233.73 Subject: [Qemu-devel] [RFC][BROKEN] rbd: Allow configuration of authentication scheme X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: kwolf@redhat.com, jdurgin@redhat.com, qemu-devel@nongnu.org, jcody@redhat.com, armbru@redhat.com, mreitz@redhat.com Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" The legacy command line syntax supports a "password-secret" option that allows to pass an authentication key to Ceph. This was not supported in QMP so far. This patch introduces authentication options in the QAPI schema, makes them do the corresponding rados_conf_set() calls and adds compatibility code that translates the old "password-secret" option both for opening and creating images to the new set of options. Note that the old option didn't allow to explicitly specify the set of allowed authentication schemes. The compatibility code assumes that if "password-secret" is given, only the cephx scheme is allowed. If it's missing, both none and cephx are allowed because the configuration file could still provide a key. Signed-off-by: Kevin Wolf --- This doesn't actually work correctly yet because the way that options are passed through the block layer (QAPI -> QemuOpts -> QDict). Before we fix or hack around this, let's make sure this is the schema that we want. The two known problems are: 1. QDict *options in qemu_rbd_open() may contain options either in their proper QObject types (if passed from blockdev-add) or as strings (-drive). Both forms can be mixed in the same options QDict. rbd uses the keyval visitor to convert the options into a QAPI object. This means that it requires all options to be strings. This patch, however, introduces a bool property, so the visitor breaks when it gets its input from blockdev-add. Options to hack around the problem: a. Do an extra conversion step or two and go through QemuOpts like some other block drivers. When I offered something like this to Markus a while ago in a similar case, he rejected the idea. b. Introduce a qdict_stringify_entries() that just does what its name says. It would be called before the running keyval visitor so that only strings will be present in the QDict. c. Do a local one-off hack that checks if the entry with the key "auth-none" is a QBool, and if so, overwrite it with a string. The problem will reappear with the next non-string option. (d. Get rid of the QDict detour and work only with QAPI objects everywhere. Support rbd authentication only in QEMU 4.0.) 2. The proposed schema allows 'auth-cephx': {} as a valid option with the meaning that the cephx authentication scheme is enabled, but no key is given (e.g. it is taken from the config file). However, an empty dict cannot currently be represented by flattened QDicts. We need to find a way to enable this. I think this will be externally visible because it directly translates into the dotted syntax of -blockdev, so we may want to be careful. Any thoughts on the proposed QAPI schema or the two implementation problems are welcome. qapi/block-core.json | 22 +++++++++++ block/rbd.c | 102 ++++++++++++++++++++++++++++++++++++++---------= ---- 2 files changed, 99 insertions(+), 25 deletions(-) diff --git a/qapi/block-core.json b/qapi/block-core.json index c50517bff3..d5ce588add 100644 --- a/qapi/block-core.json +++ b/qapi/block-core.json @@ -3170,6 +3170,19 @@ =20 =20 ## +# @RbdAuthCephx: +# +# @key-secret: ID of a QCryptoSecret object providing a key for ce= phx +# authentication. If not specified, a key from the +# specified configuration file, or the system default +# configuration is used, if present. +# +# Since: 2.13 +## +{ 'struct': 'RbdAuthCephx', + 'data': { '*key-secret': 'str' } } + +## # @BlockdevOptionsRbd: # # @pool: Ceph pool name. @@ -3184,6 +3197,13 @@ # # @user: Ceph id name. # +# @auth-none: true if connecting to a server without authenticati= on +# should be allowed (default: false; since 2.13) +# +# @auth-cephx: Configuration for cephx authentication if specified= . If +# not specified, cephx authentication is not allowed. +# (since 2.13) +# # @server: Monitor host address and port. This maps # to the "mon_host" Ceph option. # @@ -3195,6 +3215,8 @@ '*conf': 'str', '*snapshot': 'str', '*user': 'str', + '*auth-none': 'bool', + '*auth-cephx': 'RbdAuthCephx', '*server': ['InetSocketAddressBase'] } } =20 ## diff --git a/block/rbd.c b/block/rbd.c index 5b64849dc6..c2a9a92dd5 100644 --- a/block/rbd.c +++ b/block/rbd.c @@ -105,8 +105,7 @@ typedef struct BDRVRBDState { =20 static int qemu_rbd_connect(rados_t *cluster, rados_ioctx_t *io_ctx, BlockdevOptionsRbd *opts, bool cache, - const char *keypairs, const char *secretid, - Error **errp); + const char *keypairs, Error **errp); =20 static char *qemu_rbd_next_tok(char *src, char delim, char **p) { @@ -231,21 +230,40 @@ done: } =20 =20 -static int qemu_rbd_set_auth(rados_t cluster, const char *secretid, +static int qemu_rbd_set_auth(rados_t cluster, BlockdevOptionsRbd *opts, Error **errp) { - if (secretid =3D=3D 0) { - return 0; - } + int r; =20 - gchar *secret =3D qcrypto_secret_lookup_as_base64(secretid, - errp); - if (!secret) { - return -1; + if (opts->auth_none && opts->has_auth_cephx) { + r =3D rados_conf_set(cluster, "auth_client_required", "none;cephx"= ); + } else if (opts->auth_none) { + r =3D rados_conf_set(cluster, "auth_client_required", "none"); + } else if (opts->has_auth_cephx) { + r =3D rados_conf_set(cluster, "auth_client_required", "cephx"); + } else { + error_setg(errp, "No authentication scheme allowed"); + return -EINVAL; + } + if (r < 0) { + error_setg_errno(errp, -r, "Could not set 'auth_client_required'"); + return r; } =20 - rados_conf_set(cluster, "key", secret); - g_free(secret); + if (opts->has_auth_cephx && opts->auth_cephx->has_key_secret) { + gchar *secret =3D + qcrypto_secret_lookup_as_base64(opts->auth_cephx->key_secret, = errp); + if (!secret) { + return -EIO; + } + + r =3D rados_conf_set(cluster, "key", secret); + g_free(secret); + if (r < 0) { + error_setg_errno(errp, -r, "Could not set 'key'"); + return r; + } + } =20 return 0; } @@ -337,12 +355,9 @@ static QemuOptsList runtime_opts =3D { }, }; =20 -/* FIXME Deprecate and remove keypairs or make it available in QMP. - * password_secret should eventually be configurable in opts->location. Su= pport - * for it in .bdrv_open will make it work here as well. */ +/* FIXME Deprecate and remove keypairs or make it available in QMP. */ static int qemu_rbd_do_create(BlockdevCreateOptions *options, - const char *keypairs, const char *password_s= ecret, - Error **errp) + const char *keypairs, Error **errp) { BlockdevCreateOptionsRbd *opts =3D &options->u.rbd; rados_t cluster; @@ -370,7 +385,7 @@ static int qemu_rbd_do_create(BlockdevCreateOptions *op= tions, } =20 ret =3D qemu_rbd_connect(&cluster, &io_ctx, opts->location, false, key= pairs, - password_secret, errp); + errp); if (ret < 0) { return ret; } @@ -390,7 +405,7 @@ out: =20 static int qemu_rbd_co_create(BlockdevCreateOptions *options, Error **errp) { - return qemu_rbd_do_create(options, NULL, NULL, errp); + return qemu_rbd_do_create(options, NULL, errp); } =20 static int coroutine_fn qemu_rbd_co_create_opts(const char *filename, @@ -443,7 +458,21 @@ static int coroutine_fn qemu_rbd_co_create_opts(const = char *filename, loc->image =3D g_strdup(qdict_get_try_str(options, "image")); keypairs =3D qdict_get_try_str(options, "=3Dkeyvalue-pairs"); =20 - ret =3D qemu_rbd_do_create(create_options, keypairs, password_secret, = errp); + /* Always allow the cephx authentication scheme, even if no password-s= ecret + * is given; the key might come from the config file. Without password= -secret, + * also allow none. */ + loc->has_auth_cephx =3D true; + loc->auth_cephx =3D g_new0(RbdAuthCephx, 1); + + if (password_secret) { + loc->auth_cephx->has_key_secret =3D true; + loc->auth_cephx->key_secret =3D g_strdup(password_secret); + } else { + loc->has_auth_none =3D true; + loc->auth_none =3D true; + } + + ret =3D qemu_rbd_do_create(create_options, keypairs, errp); if (ret < 0) { goto exit; } @@ -538,8 +567,7 @@ static char *qemu_rbd_mon_host(BlockdevOptionsRbd *opts= , Error **errp) =20 static int qemu_rbd_connect(rados_t *cluster, rados_ioctx_t *io_ctx, BlockdevOptionsRbd *opts, bool cache, - const char *keypairs, const char *secretid, - Error **errp) + const char *keypairs, Error **errp) { char *mon_host =3D NULL; Error *local_err =3D NULL; @@ -577,8 +605,8 @@ static int qemu_rbd_connect(rados_t *cluster, rados_ioc= tx_t *io_ctx, } } =20 - if (qemu_rbd_set_auth(*cluster, secretid, errp) < 0) { - r =3D -EIO; + r =3D qemu_rbd_set_auth(*cluster, opts, errp); + if (r < 0) { goto failed_shutdown; } =20 @@ -671,8 +699,32 @@ static int qemu_rbd_open(BlockDriverState *bs, QDict *= options, int flags, goto out; } =20 + /* Always allow the cephx authentication scheme, even if no password-s= ecret + * is given; the key might come from the config file. Without password= -secret, + * also allow none. If the new QAPI-style options are given, don't ove= rride + * them, though. */ + if (opts->auth_cephx =3D=3D NULL) { + opts->has_auth_cephx =3D true; + opts->auth_cephx =3D g_new0(RbdAuthCephx, 1); + } + + if (secretid) { + if (opts->auth_cephx->has_key_secret) { + error_setg(errp, "'auth-ceph.key-secret' and its alias " + "'password-secret' can't be used at the " + "same time"); + r =3D -EINVAL; + goto out; + } + opts->auth_cephx->has_key_secret =3D true; + opts->auth_cephx->key_secret =3D g_strdup(secretid); + } else if (!opts->has_auth_none) { + opts->has_auth_none =3D true; + opts->auth_none =3D true; + } + r =3D qemu_rbd_connect(&s->cluster, &s->io_ctx, opts, - !(flags & BDRV_O_NOCACHE), keypairs, secretid, er= rp); + !(flags & BDRV_O_NOCACHE), keypairs, errp); if (r < 0) { goto out; } --=20 2.13.6