mgr/nfs: use bucket owner creds for rgw bucket export

The bucket owner can always read/write to the bucket, so use those creds for the export. This is less complicated than setting up a dedicated user anyway. Signed-off-by: Sage Weil <sage@newdream.net>
2025-02-24 03:27:10 +00:00 · 2021-07-19 13:46:38 -04:00 · 2021-07-19 13:46:38 -04:00 · 7d2f7efe3f
commit 7d2f7efe3f
parent deaff0c42c
2 changed files with 16 additions and 18 deletions
--- a/src/pybind/mgr/nfs/export.py
+++ b/src/pybind/mgr/nfs/export.py
@ -181,10 +181,8 @@ class ExportMgr:
            })
            log.info(f"Deleted export user {export.fsal.user_id}")
        elif isinstance(export.fsal, RGWFSAL):
-            assert export.fsal.user_id
-            uid = f'nfs.{export.cluster_id}.{export.path}'
-            self._exec(['radosgw-admin', 'user', 'rm', '--uid', uid])
-            log.info(f"Deleted export RGW user {uid}")
+            # do nothing; we're using the bucket owner creds.
+            pass

    def _create_export_user(self, export: Export) -> None:
        if isinstance(export.fsal, CephFSFSAL):
@ -205,16 +203,22 @@ class ExportMgr:

        elif isinstance(export.fsal, RGWFSAL):
            rgwfsal = cast(RGWFSAL, export.fsal)
-            rgwfsal.user_id = f'nfs.{export.cluster_id}.{export.path}'
-            ret, out, err = self._exec(['radosgw-admin', 'user', 'info', '--uid',
-                                        rgwfsal.user_id])
+            ret, out, err = self._exec(['radosgw-admin', 'bucket', 'stats', '--bucket',
+                                        export.path])
            if ret:
-                ret, out, err = self._exec(['radosgw-admin', 'user', 'create',
-                                            '--uid', rgwfsal.user_id,
-                                            '--display-name', rgwfsal.user_id])
-                if ret:
-                    raise NFSException(f'Failed to create user {rgwfsal.user_id}')
+                raise NFSException(f'Failed to fetch owner for bucket {export.path}')
            j = json.loads(out)
+            owner = j.get('owner', '')
+            rgwfsal.user_id = owner
+            ret, out, err = self._exec([
+                'radosgw-admin', 'user', 'info', '--uid', owner
+            ])
+            if ret:
+                raise NFSException(
+                    f'Failed to fetch key for bucket {export.path} owner {owner}'
+                )
+            j = json.loads(out)
+
            # FIXME: make this more tolerate of unexpected output?
            rgwfsal.access_key_id = j['keys'][0]['access_key']
            rgwfsal.secret_access_key = j['keys'][0]['secret_key']
--- a/src/pybind/mgr/nfs/tests/test_nfs.py
+++ b/src/pybind/mgr/nfs/tests/test_nfs.py
@ -662,7 +662,6 @@ NFS_CORE_PARAM {
        assert export.protocols == [4, 3]
        assert export.transports == ["TCP", "UDP"]
        assert export.fsal.name == "RGW"
-        assert export.fsal.user_id == "nfs.foo.bucket"
        assert export.fsal.access_key_id == "the_access_key"
        assert export.fsal.secret_access_key == "the_secret_key"
        assert len(export.clients) == 1
@ -706,7 +705,6 @@ NFS_CORE_PARAM {
        assert export.protocols == [4]
        assert export.transports == ["TCP"]
        assert export.fsal.name == "RGW"
-        assert export.fsal.user_id == "nfs.foo.newbucket"
        assert export.fsal.access_key_id == "the_access_key"
        assert export.fsal.secret_access_key == "the_secret_key"
        assert len(export.clients) == 1
@ -749,7 +747,6 @@ NFS_CORE_PARAM {
        assert export.protocols == [4]
        assert export.transports == ["TCP"]
        assert export.fsal.name == "RGW"
-        assert export.fsal.user_id == "nfs.foo.newestbucket"
        assert export.fsal.access_key_id == "the_access_key"
        assert export.fsal.secret_access_key == "the_secret_key"
        assert len(export.clients) == 1
@ -835,7 +832,6 @@ NFS_CORE_PARAM {
        assert export.protocols == [4]
        assert export.transports == ["TCP"]
        assert export.fsal.name == "RGW"
-        assert export.fsal.user_id == "nfs.foo.bucket"
        assert export.fsal.access_key_id == "the_access_key"
        assert export.fsal.secret_access_key == "the_secret_key"
        assert len(export.clients) == 1
@ -852,7 +848,6 @@ NFS_CORE_PARAM {
        assert export.protocols == [4]
        assert export.transports == ["TCP"]
        assert export.fsal.name == "RGW"
-        assert export.fsal.user_id == "nfs.foo.bucket2"
        assert export.fsal.access_key_id == "the_access_key"
        assert export.fsal.secret_access_key == "the_secret_key"
        assert len(export.clients) == 1
@ -914,7 +909,6 @@ NFS_CORE_PARAM {
        assert export.protocols == [4]
        assert export.transports == ["TCP"]
        assert export.fsal.name == "RGW"
-        assert export.fsal.user_id == "nfs.foo.bucket"
        assert export.fsal.access_key_id == "the_access_key"
        assert export.fsal.secret_access_key == "the_secret_key"
        assert len(export.clients) == 1