Merge "glusterfs_native: Hardwire Manila Host CN pattern"

2015-09-20 02:24:50 +00:00 · 2015-09-20 02:24:50 +00:00 · 5704fa6aa3
commit 5704fa6aa3
parent 027cb4fa42 69d06d7c5f
2 changed files with 18 additions and 11 deletions
--- a/manila/share/drivers/glusterfs_native.py
+++ b/manila/share/drivers/glusterfs_native.py
@ -98,20 +98,26 @@ class GlusterfsNativeShareDriver(driver.ExecuteMixin,

        gluster_actions = []
        if gluster_mgr_parent:
-            # The clone of the snapshot, the new volume, retains the authorized
-            # access list of the snapshotted volume/share, which includes
-            # identities of the backend servers and Manila clients. So only
-            # retain the identities of the GlusterFS servers volume in the
-            # authorized access list of the new volume. The identities of
-            # GlusterFS are easy to figure as they're pre-fixed by
-            # "glusterfs-server".
-            #
+            # The clone of the snapshot, a new volume, retains the authorized
+            # access list of the snapshotted volume/share, which includes TLS
+            # identities of the backend servers, Manila hosts and clients.
+            # Retain the identities of the GlusterFS servers and Manila host,
+            # and exclude those of the clients in the authorized access list of
+            # the new volume. The TLS identities of GlusterFS servers are
+            # determined as those that are prefixed by 'glusterfs-server'.
+            # And the TLS identity of the Manila host is identified as the
+            # one that has 'manila-host' as the prefix.
            # Wrt. GlusterFS' parsing of auth.ssl-allow, please see code from
            # https://github.com/gluster/glusterfs/blob/v3.6.2/
            # xlators/protocol/auth/login/src/login.c#L80
            # until end of gf_auth() function
            old_access_list = re.split('[ ,]', ssl_allow_opt)
-            regex = re.compile('\Aglusterfs-server*')
+            glusterfs_server_CN_pattern = '\Aglusterfs-server'
+            manila_host_CN_pattern = '\Amanila-host'
+            regex = re.compile(
+                '%(pattern1)s|%(pattern2)s' % {
+                    'pattern1': glusterfs_server_CN_pattern,
+                    'pattern2': manila_host_CN_pattern})
            access_to = ','.join(filter(regex.match, old_access_list))
            gluster_actions.append(('set', AUTH_SSL_ALLOW, access_to))

--- a/manila/tests/share/drivers/test_glusterfs_native.py
+++ b/manila/tests/share/drivers/test_glusterfs_native.py
@ -127,7 +127,8 @@ class GlusterfsNativeShareDriverTestCase(test.TestCase):
        gmgr.export = 'fakehost:/fakevol'
        gmgr_parent = mock.Mock()
        gmgr_parent.get_gluster_vol_option = mock.Mock(
-            return_value='glusterfs-server-name,some-other-name')
+            return_value=(
+                'glusterfs-server-name,some-other-name,manila-host.com'))
        share = mock.Mock()
        share_parent = mock.Mock()

@ -139,7 +140,7 @@ class GlusterfsNativeShareDriverTestCase(test.TestCase):
            'auth.ssl-allow')
        args = (
            ('volume', 'set', 'fakevol', 'auth.ssl-allow',
-             'glusterfs-server-name'),
+             'glusterfs-server-name,manila-host.com'),
            ('volume', 'set', 'fakevol', 'nfs.export-volumes', 'off'),
            ('volume', 'set', 'fakevol', 'client.ssl', 'on'),
            ('volume', 'set', 'fakevol', 'server.ssl', 'on'),