NetApp cDOT: Fix security style for CIFS shares

If the backing FlexVol security style is configured incorrectly, end users cannot write to their manila shares. Change-Id: I12c85c54c7318592ac0b34efe3624d175d2e6976 Closes-Bug: #1696000
2017-07-11 11:03:45 -07:00 · 2017-07-11 11:03:45 -07:00 · 5e8df296ab
commit 5e8df296ab
parent 50e8c5a42d
5 changed files with 83 additions and 0 deletions
--- a/manila/share/drivers/netapp/dataontap/client/client_cmode.py
+++ b/manila/share/drivers/netapp/dataontap/client/client_cmode.py
@ -1566,6 +1566,36 @@ class NetAppCmodeClient(client_base.NetAppBaseClient):
                    errors[0].get_child_content('error-code'),
                    errors[0].get_child_content('error-message'))

+    @na_utils.trace
+    def set_volume_security_style(self, volume_name, security_style='unix'):
+        """Set volume security style"""
+        api_args = {
+            'query': {
+                'volume-attributes': {
+                    'volume-id-attributes': {
+                        'name': volume_name,
+                    },
+                },
+            },
+            'attributes': {
+                'volume-attributes': {
+                    'volume-security-attributes': {
+                        'style': security_style,
+                    },
+                },
+            },
+        }
+        result = self.send_request('volume-modify-iter', api_args)
+        failures = result.get_child_content('num-failed')
+        if failures and int(failures) > 0:
+            failure_list = result.get_child_by_name(
+                'failure-list') or netapp_api.NaElement('none')
+            errors = failure_list.get_children()
+            if errors:
+                raise netapp_api.NaApiError(
+                    errors[0].get_child_content('error-code'),
+                    errors[0].get_child_content('error-message'))
+
    @na_utils.trace
    def set_volume_name(self, volume_name, new_volume_name):
        """Set flexvol name."""
--- a/manila/share/drivers/netapp/dataontap/protocols/cifs_cmode.py
+++ b/manila/share/drivers/netapp/dataontap/protocols/cifs_cmode.py
@ -35,6 +35,10 @@ class NetAppCmodeCIFSHelper(base.NetAppBaseHelper):
        if clear_current_export_policy:
            self._client.remove_cifs_share_access(share_name, 'Everyone')

+        # Ensure 'ntfs' security style
+        self._client.set_volume_security_style(share_name,
+                                               security_style='ntfs')
+
        # Return a callback that may be used for generating export paths
        # for this share.
        return (lambda export_address, share_name=share_name:
--- a/manila/tests/share/drivers/netapp/dataontap/client/test_client_cmode.py
+++ b/manila/tests/share/drivers/netapp/dataontap/client/test_client_cmode.py
@ -2831,6 +2831,49 @@ class NetAppClientCmodeTestCase(test.TestCase):
                          fake.SHARE_NAME,
                          10)

+    @ddt.data(None, 'ntfs')
+    def test_set_volume_security_style(self, security_style):
+
+        api_response = netapp_api.NaElement(fake.VOLUME_MODIFY_ITER_RESPONSE)
+        self.mock_object(self.client,
+                         'send_request',
+                         mock.Mock(return_value=api_response))
+        kwargs = {'security_style': security_style} if security_style else {}
+
+        self.client.set_volume_security_style(fake.SHARE_NAME, **kwargs)
+
+        volume_modify_iter_args = {
+            'query': {
+                'volume-attributes': {
+                    'volume-id-attributes': {
+                        'name': fake.SHARE_NAME
+                    }
+                }
+            },
+            'attributes': {
+                'volume-attributes': {
+                    'volume-security-attributes': {
+                        'style': security_style or 'unix',
+                    },
+                },
+            },
+        }
+        self.client.send_request.assert_called_once_with(
+            'volume-modify-iter', volume_modify_iter_args)
+
+    def test_set_volume_security_style_api_error(self):
+
+        api_response = netapp_api.NaElement(
+            fake.VOLUME_MODIFY_ITER_ERROR_RESPONSE)
+        self.mock_object(self.client,
+                         'send_request',
+                         mock.Mock(return_value=api_response))
+
+        self.assertRaises(netapp_api.NaApiError,
+                          self.client.set_volume_security_style,
+                          fake.SHARE_NAME,
+                          'ntfs')
+
    def test_volume_exists(self):

        api_response = netapp_api.NaElement(fake.VOLUME_GET_NAME_RESPONSE)
--- a/manila/tests/share/drivers/netapp/dataontap/protocols/test_cifs_cmode.py
+++ b/manila/tests/share/drivers/netapp/dataontap/protocols/test_cifs_cmode.py
@ -55,6 +55,8 @@ class NetAppClusteredCIFSHelperTestCase(test.TestCase):
            fake.SHARE_NAME)
        self.mock_client.remove_cifs_share_access.assert_called_once_with(
            fake.SHARE_NAME, 'Everyone')
+        self.mock_client.set_volume_security_style.assert_called_once_with(
+            fake.SHARE_NAME, security_style='ntfs')

    def test_delete_share(self):

--- a/releasenotes/notes/bug-1696000-netapp-fix-security-style-on-cifs-shares-cbdd557a27d11961.yaml
+++ b/releasenotes/notes/bug-1696000-netapp-fix-security-style-on-cifs-shares-cbdd557a27d11961.yaml
@ -0,0 +1,4 @@
+---
+fixes:
+  - The NetApp ONTAP driver has been fixed to ensure the "security style" on
+    CIFS shares is always "ntfs".