Merge pull request #8 from oracle/zfssa-7

zfssa-7 - proliferate logging to identify credential rotation and ena…
This commit is contained in:
Paul Monday 2022-08-01 12:31:54 -06:00 committed by GitHub
commit 01afd3ee01
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 32 additions and 27 deletions


@ -1,5 +1,5 @@
/*
* Copyright (c) 2021, Oracle and/or its affiliates.
* Copyright (c) 2021, 2022, Oracle.
* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
*/
@ -44,7 +44,7 @@ func (zd *ZFSSADriver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRe
if err != nil {
return nil, status.Error(codes.Unauthenticated, "Invalid credentials")
}
token := zfssarest.LookUpToken(user, password)
token := zfssarest.LookUpToken(ctx, user, password)
// Validate the parameters
if err := validateCreateVolumeReq(ctx, token, req); err != nil {
@ -181,7 +181,7 @@ func (zd *ZFSSADriver) DeleteVolume(ctx context.Context, req *csi.DeleteVolumeRe
if err != nil {
return nil, status.Error(codes.Unauthenticated, "Invalid credentials")
}
token := zfssarest.LookUpToken(user, password)
token := zfssarest.LookUpToken(ctx, user, password)
volumeID := req.GetVolumeId()
if len(volumeID) == 0 {
@ -249,7 +249,7 @@ func (zd *ZFSSADriver) ControllerPublishVolume(ctx context.Context, req *csi.Con
if err != nil {
return nil, status.Error(codes.Unauthenticated, "Invalid credentials")
}
token := zfssarest.LookUpToken(user, password)
token := zfssarest.LookUpToken(ctx, user, password)
zvol, err := zd.lookupVolume(ctx, token, volumeID)
if err != nil {
@ -280,7 +280,7 @@ func (zd *ZFSSADriver) ControllerUnpublishVolume(ctx context.Context, req *csi.C
if err != nil {
return nil, status.Error(codes.Unauthenticated, "Invalid credentials")
}
token := zfssarest.LookUpToken(user, password)
token := zfssarest.LookUpToken(ctx, user, password)
zvol, err := zd.lookupVolume(ctx, token, volumeID)
if err != nil {
@ -317,7 +317,7 @@ func (zd *ZFSSADriver) ValidateVolumeCapabilities(ctx context.Context, req *csi.
if err != nil {
return nil, status.Error(codes.Unauthenticated, "Invalid credentials")
}
token := zfssarest.LookUpToken(user, password)
token := zfssarest.LookUpToken(ctx, user, password)
zvol, err := zd.lookupVolume(ctx, token, volumeID)
if err != nil {
@ -409,7 +409,7 @@ func (zd *ZFSSADriver) GetCapacity(ctx context.Context, req *csi.GetCapacityRequ
if err != nil {
return nil, status.Error(codes.Unauthenticated, "Invalid credentials")
}
token := zfssarest.LookUpToken(user, password)
token := zfssarest.LookUpToken(ctx, user, password)
parameters := req.GetParameters()
projectName, ok := parameters["project"]
@ -487,7 +487,7 @@ func (zd *ZFSSADriver) CreateSnapshot(ctx context.Context, req *csi.CreateSnapsh
if err != nil {
return nil, status.Error(codes.Unauthenticated, "Invalid credentials")
}
token := zfssarest.LookUpToken(user, password)
token := zfssarest.LookUpToken(ctx, user, password)
zsnap, err := zd.newSnapshot(ctx, token, snapName, sourceId)
if err != nil {
@ -514,7 +514,7 @@ func (zd *ZFSSADriver) DeleteSnapshot(ctx context.Context, req *csi.DeleteSnapsh
if err != nil {
return nil, status.Error(codes.Unauthenticated, "Invalid credentials")
}
token := zfssarest.LookUpToken(user, password)
token := zfssarest.LookUpToken(ctx, user, password)
// Get exclusive access to the snapshot.
zsnap, err := zd.lookupSnapshot(ctx, token, req.SnapshotId)
@ -566,7 +566,7 @@ func (zd *ZFSSADriver) ListSnapshots(ctx context.Context, req *csi.ListSnapshots
if err != nil {
return nil, status.Error(codes.Unauthenticated, "Invalid credentials")
}
token := zfssarest.LookUpToken(user, password)
token := zfssarest.LookUpToken(ctx, user, password)
var entries []*csi.ListSnapshotsResponse_Entry
@ -646,7 +646,7 @@ func (zd *ZFSSADriver) ControllerExpandVolume(ctx context.Context, req *csi.Cont
if err != nil {
return nil, status.Error(codes.Unauthenticated, "Invalid credentials")
}
token := zfssarest.LookUpToken(user, password)
token := zfssarest.LookUpToken(ctx, user, password)
zvol, err := zd.lookupVolume(ctx, token, volumeID)
if err != nil {
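Review bot: The ten call sites touched in this section (CreateVolume through ControllerExpandVolume) and the ones in the Probe and NodePublishVolume/NodeUnpublishVolume sections all repeat the same preamble — credential lookup, `return nil, status.Error(codes.Unauthenticated, "Invalid credentials")` on error, then `token := zfssarest.LookUpToken(ctx, user, password)` — and this commit had to edit every copy to thread ctx through. A small method on ZFSSADriver that performs the lookup and returns either the token or the Unauthenticated status would keep that mapping in one place, so each handler reduces to something like `token, st := zd.sessionToken(ctx); if st != nil { return nil, st }` (name constructed). The credential lookup itself sits above each hunk, so the shape of that part is inferred from the visible error handling; every enclosing method starts outside its hunk.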


@ -1,5 +1,5 @@
/*
* Copyright (c) 2021, Oracle and/or its affiliates.
* Copyright (c) 2021, 2022, Oracle.
* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
*/
@ -69,7 +69,7 @@ func (zd *ZFSSADriver) Probe(ctx context.Context, req *csi.ProbeRequest) (
if err != nil {
return nil, grpcStatus.Error(codes.Unauthenticated, "Invalid credentials")
}
token := zfssarest.LookUpToken(user, password)
token := zfssarest.LookUpToken(ctx, user, password)
_, err = zfssarest.GetServices(ctx, token)
if err != nil {
return &csi.ProbeResponse{


@ -1,5 +1,5 @@
/*
* Copyright (c) 2021, Oracle and/or its affiliates.
* Copyright (c) 2021, 2022, Oracle.
* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
*/
@ -165,7 +165,7 @@ func (zd *ZFSSADriver) NodePublishVolume(ctx context.Context, req *csi.NodePubli
if err != nil {
return nil, status.Error(codes.Unauthenticated, "Invalid credentials")
}
token := zfssarest.LookUpToken(user, password)
token := zfssarest.LookUpToken(ctx, user, password)
var mountOptions []string
if req.GetReadonly() {
@ -217,7 +217,7 @@ func (zd *ZFSSADriver) NodeUnpublishVolume(ctx context.Context, req *csi.NodeUnp
if err != nil {
return nil, status.Error(codes.Unauthenticated, "Invalid credentials")
}
token := zfssarest.LookUpToken(user, password)
token := zfssarest.LookUpToken(ctx, user, password)
if zVolumeId.IsBlock() {
return zd.nodeUnpublishBlockVolume(ctx, token, req, zVolumeId)
} else {


@ -1,5 +1,5 @@
/*
* Copyright (c) 2021, Oracle and/or its affiliates.
* Copyright (c) 2021, 2022, Oracle.
* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
*/
@ -435,7 +435,7 @@ func (zd *ZFSSADriver) updateFilesystemList(ctx context.Context, out chan<- erro
if err != nil {
out <- err
}
token := zfssarest.LookUpToken(user, password)
token := zfssarest.LookUpToken(ctx, user, password)
fsList, err := zfssarest.GetFilesystems(ctx, token, "", "")
if err != nil {
utils.GetLogCTRL(ctx, 2).Println("zd.updateFilesystemList failed", "error", err.Error())
@ -461,7 +461,7 @@ func (zd *ZFSSADriver) updateLunList(ctx context.Context, out chan<- error) {
if err != nil {
out <- err
}
token := zfssarest.LookUpToken(user, password)
token := zfssarest.LookUpToken(ctx, user, password)
lunList, err := zfssarest.GetLuns(ctx, token, "", "")
if err != nil {
@ -520,7 +520,7 @@ func (zd *ZFSSADriver) updateSnapshotList(ctx context.Context) error {
return err
}
token := zfssarest.LookUpToken(user, password)
token := zfssarest.LookUpToken(ctx, user, password)
snapList, err := zfssarest.GetSnapshots(ctx, token, "")
if err != nil {
utils.GetLogCTRL(ctx, 2).Println("zd.updateSnapshotList failed", "error", err.Error())
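Review bot: In the updateFilesystemList hunk the error path `if err != nil { out <- err }` does not return, so after reporting the failure of the preceding call (outside the hunk) execution continues into `token := zfssarest.LookUpToken(ctx, user, password)` and the GetFilesystems request; the updateLunList hunk has the same shape, while updateSnapshotList does `return err`. If that preceding call is the credential lookup, user and password are presumably empty on that path, and the fall-through would register a token entry for an empty user and then fail again on the appliance. A `return` after `out <- err` in both functions makes the three list updaters behave the same; the caller's expectation of exactly one send on out per goroutine is not visible here, so check that a second send is not relied on. All three enclosing functions start outside their hunks.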


@ -1,5 +1,5 @@
/*
* Copyright (c) 2021, Oracle and/or its affiliates.
* Copyright (c) 2021, 2022, Oracle.
* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
*/
@ -56,7 +56,6 @@ const (
zProperty = zProperties + "/%s"
)
// State of a ZFSSA token
const (
zfssaTokenInvalid = iota
zfssaTokenCreating
@ -128,10 +127,13 @@ func InitREST(name string, certs []byte, secure bool) error {
// Looks up a token context based on the user name passed in. If one doesn't exist
// yet, it is created.
func LookUpToken(user, password string) *Token {
func LookUpToken(ctx context.Context, user, password string) *Token {
tokens.mtx.Lock()
if token, ok := tokens.list[user]; ok {
if password != "" && password != token.password {
utils.GetLogREST(ctx, 2).Println("Target ZFSSA password updated for session")
token.password = password
}
tokens.mtx.Unlock()
return token
}
@ -173,11 +175,12 @@ func getToken(ctx context.Context, token *Token, previous *string) (string, erro
switch token.state {
case zfssaTokenInvalid:
// No token available. We create one.
utils.GetLogREST(ctx, 2).Println("Creating new ZFSSA session for token")
token.state = zfssaTokenCreating
token.mtx.Unlock()
var err error
token.xAuthSession, token.xAuthName, err = createToken(ctx, token)
token.xAuthSession, token.xAuthName, err = createZfssaSession(ctx, token)
xAuthSession := token.xAuthSession
token.mtx.Lock()
@ -202,6 +205,7 @@ func getToken(ctx context.Context, token *Token, previous *string) (string, erro
token.mtx.Unlock()
return xAuthSession, nil
}
utils.GetLogREST(ctx, 2).Println("ZFSSA session transitioning to invalid")
token.state = zfssaTokenInvalid
continue
@ -211,11 +215,11 @@ func getToken(ctx context.Context, token *Token, previous *string) (string, erro
}
}
// Send an HTTP request to the ZFSSA to create a non-persistent token.
// Send an HTTP request to the ZFSSA to create a non-persistent, reusable session.
//
// A non-persistent token is specific to the cluster node on which the ID was
// created and is not synchronized between the cluster peers.
func createToken(ctx context.Context, token *Token) (string, string, error) {
func createZfssaSession(ctx context.Context, token *Token) (string, string, error) {
httpReq, err := http.NewRequest("POST", zServicesURL, bytes.NewBuffer(nil))
if err != nil {
@ -325,6 +329,7 @@ func makeRequest(ctx context.Context, token *Token, method, url string, reqbody
// We check here whether the token may have expired and renew it if needed.
if rsphttp.StatusCode == http.StatusUnauthorized {
// Refresh token and secret
_, err = getToken(ctx, token, &xAuthSession)
return nil, http.StatusUnauthorized, err
}
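Review bot: The doc comment above LookUpToken ("Looks up a token context based on the user name passed in…") no longer describes the function: the added branch replaces the stored password when a non-empty, different one is passed, which is the credential-rotation case this commit is about. Suggest `// LookUpToken returns the token context for user, creating it when absent. A non-empty password that differs from the stored one replaces it, so the next session refresh authenticates with the rotated credential.` Note that only token.password is swapped here and the existing xAuthSession is left untouched, so an already-established session is presumably used until the appliance answers 401 and the new getToken call in makeRequest re-authenticates; if that lag is intended, it is worth stating in the comment, and if not, the branch should also move the token back to zfssaTokenInvalid. LookUpToken's body continues past the hunk.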