glusterfs_native corrupts GlusterFS backend

Bug #1439198 reported by Csaba Henk
Affects: OpenStack Shared File Systems Service (Manila)
Status: Fix Released
Importance: High
Assigned to: Csaba Henk

Bug Description

The access control logic of the glusterfs_native driver claims exclusive management of the TLS auth functionality of the backing GlusterFS volumes, and deletes common names from the list of authorized common names ("ssl-allow" volume option) that are not known by it.

However, GlusterFS uses TLS auth internally too (for example, to allow access to gluster bricks for the quota management agent) and that mechanism is corrupted by glusterfs_native's access control logic. In consequence, errant behavior like the following can be observed on the GlusterFS cluster:

# gluster volume quota gv1 limit-usage / 2GB
quota command failed : Failed to find the directory /var/run/gluster/gv1/. Reason : Transport endpoint is not connected

See the detailed case report (from which the above error message is quoted): http://thread.gmane.org/gmane.comp.file-systems.gluster.devel/8108

We need to change allow_access / deny_access methods of gluster_native to retain foreign content.
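
The failure mode described in this report, next to a non-destructive update, as an added example that is not part of the original report and is not Manila's code. It assumes the 'auth.ssl-allow' value is a comma-separated list of common names; all function names and the sample names are hypothetical and constructed for illustration.

```python
# Added illustration: models the GlusterFS 'auth.ssl-allow' value as a
# comma-separated string. Function names are hypothetical, not Manila's API.

def parse_ssl_allow(value):
    """Return the common names in an ssl-allow value, ordered and de-duplicated."""
    names = []
    for cn in (part.strip() for part in value.split(",")):
        if cn and cn not in names:
            names.append(cn)
    return names

def destructive_sync(current, managed_cns):
    """Buggy pattern from the report: rewrite the option from the driver's
    own records, silently dropping every name it does not know about."""
    return ",".join(sorted(managed_cns))

def require_nonempty(current):
    """Setup-time check named in the fix: refuse an empty ssl-allow value."""
    if not parse_ssl_allow(current):
        raise ValueError("auth.ssl-allow must be set to a non-empty value")

def allow_cn(current, cn):
    """Non-destructive allow: add cn, keep every pre-existing name."""
    names = parse_ssl_allow(current)
    if cn not in names:
        names.append(cn)
    return ",".join(names)

def deny_cn(current, cn):
    """Non-destructive deny: remove only cn, keep everything else."""
    return ",".join(n for n in parse_ssl_allow(current) if n != cn)

if __name__ == "__main__":
    # Constructed sample: one name used internally by the cluster, one tenant.
    current = "gluster-internal.example,tenant-a.example"
    require_nonempty(current)
    managed = {"tenant-a.example", "tenant-b.example"}
    print("destructive:", destructive_sync(current, managed))
    updated = allow_cn(current, "tenant-b.example")
    print("allow      :", updated)
    print("deny       :", deny_cn(updated, "tenant-a.example"))
```

The destructive variant loses the name the cluster set for its own use, which is the condition behind the "Transport endpoint is not connected" error quoted above; the other two functions leave that name in place.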

Changed in manila:
milestone: none → kilo-rc1
importance: Undecided → High
status: New → Triaged
assignee: nobody → Csaba Henk (chenk)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila (master)

Fix proposed to branch: master
Review: https://review.openstack.org/170753

Changed in manila:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to manila (master)

Reviewed: https://review.openstack.org/170753
Committed: https://git.openstack.org/cgit/openstack/manila/commit/?id=0ab34e42b2e81d9d1903b87efe51570fc326acb5
Submitter: Jenkins
Branch: master

commit 0ab34e42b2e81d9d1903b87efe51570fc326acb5
Author: Csaba Henk <email address hidden>
Date: Mon Apr 6 02:05:29 2015 +0200

    glusterfs_native: make {allow,deny}_access non-destructive

    With this patch the allow_access and deny_access methods of
    glusterfs_native will keep preexisting common names in the
    affected GlusterFS volume 'auth.ssl-allow' option.

    Also check in _setup_gluster_vol if 'auth.ssl-allow' is
    set to a non-empty value to avoid semantically problematic
    (and from Manila POV, useless) edge cases.

    Change-Id: I952049d694509a338c7f56b45c5ef0872c3e7d70
    Closes-Bug: #1439198

Changed in manila:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in manila:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in manila:
milestone: kilo-rc1 → 2015.1.0