OpenStack Shared File Systems Service (Manila)

glusterfs_native corrupts GlusterFS backend

Bug #1439198 reported by Csaba Henk on 2015-04-01

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Shared File Systems Service (Manila)	Fix Released	High	Csaba Henk	OpenStack Shared File Systems Service (Manila) 2015.1.0 "kilo"

Bug Description

The access control logic of the glusterfs_native driver claims exclusive management of the TLS auth functionality of the backing GlusterFS volumes, and deletes common names from the list of authorized common names ("ssl-allow" volume option) that are not known by it.

However, GlusterFS uses TLS auth internally too (for example, to allow access to gluster bricks for the quota management agent) and that mechanism is corrupted by glusterfs_native's access control logic. In consequence, errant behavior like the following can be observed on the GlusterFS cluster:

# gluster volume quota gv1 limit-usage / 2GB
quota command failed : Failed to find the directory /var/run/gluster/gv1/. Reason : Transport endpoint is not connected

See the detailed case report (from which above error message is quoted): http://thread.gmane.org/gmane.comp.file-systems.gluster.devel/8108

We need to change allow_access / deny_access methods of gluster_native to retain foreign content.

Ben Swartzlander (bswartz) on 2015-04-02

Changed in manila:
milestone:	none → kilo-rc1
importance:	Undecided → High
status:	New → Triaged
assignee:	nobody → Csaba Henk (chenk)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-04-06: Fix proposed to manila (master)

Fix proposed to branch: master
Review: https://review.openstack.org/170753

Changed in manila:
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-04-08: Fix merged to manila (master)

Reviewed: https://review.openstack.org/170753
Committed: https://git.openstack.org/cgit/openstack/manila/commit/?id=0ab34e42b2e81d9d1903b87efe51570fc326acb5
Submitter: Jenkins
Branch: master

commit 0ab34e42b2e81d9d1903b87efe51570fc326acb5
Author: Csaba Henk <email address hidden>
Date: Mon Apr 6 02:05:29 2015 +0200

glusterfs_native: make {allow,deny}_access non-destructive

    With this patch the allow_access and deny_access methods of
    glusterfs_native will keep preexisting common names in the
    affected GlusterFS volume 'auth.ssl-allow' option.

    Also check in _setup_gluster_vol if 'auth.ssl-allow' is
    set to a non-empty value to avoid semantically problematic
    (and from Manila POV, useless) edge cases.

Change-Id: I952049d694509a338c7f56b45c5ef0872c3e7d70
Closes-Bug: #1439198

Changed in manila:
status:	In Progress → Fix Committed

Thierry Carrez (ttx) on 2015-04-13

Changed in manila:
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2015-04-30

Changed in manila:
milestone:	kilo-rc1 → 2015.1.0

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.