github/zfssa-csi-driver
1
0
Fork 0
mirror of https://github.com/oracle/zfssa-csi-driver.git synced 2025-07-14 13:54:07 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #8 from oracle/zfssa-7

Browse Source 
zfssa-7 - proliferate logging to identify credential rotation and ena…
This commit is contained in:
Paul Monday 2022-08-01 12:31:54 -06:00 committed by GitHub
commit 01afd3ee01
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 32 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
pkg/service/controller.go
View File

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2021, Oracle and/or its affiliates. * Copyright (c) 2021, 2022, Oracle.
* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/ * Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
*/ */
@ -44,7 +44,7 @@ func (zd *ZFSSADriver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRe
if err != nil { if err != nil {
return nil, status.Error(codes.Unauthenticated, "Invalid credentials") return nil, status.Error(codes.Unauthenticated, "Invalid credentials")
} }
token := zfssarest.LookUpToken(user, password) token := zfssarest.LookUpToken(ctx, user, password)
// Validate the parameters // Validate the parameters
if err := validateCreateVolumeReq(ctx, token, req); err != nil { if err := validateCreateVolumeReq(ctx, token, req); err != nil {
@ -181,7 +181,7 @@ func (zd *ZFSSADriver) DeleteVolume(ctx context.Context, req *csi.DeleteVolumeRe
if err != nil { if err != nil {
return nil, status.Error(codes.Unauthenticated, "Invalid credentials") return nil, status.Error(codes.Unauthenticated, "Invalid credentials")
} }
token := zfssarest.LookUpToken(user, password) token := zfssarest.LookUpToken(ctx, user, password)
volumeID := req.GetVolumeId() volumeID := req.GetVolumeId()
if len(volumeID) == 0 { if len(volumeID) == 0 {
@ -249,7 +249,7 @@ func (zd *ZFSSADriver) ControllerPublishVolume(ctx context.Context, req *csi.Con
if err != nil { if err != nil {
return nil, status.Error(codes.Unauthenticated, "Invalid credentials") return nil, status.Error(codes.Unauthenticated, "Invalid credentials")
} }
token := zfssarest.LookUpToken(user, password) token := zfssarest.LookUpToken(ctx, user, password)
zvol, err := zd.lookupVolume(ctx, token, volumeID) zvol, err := zd.lookupVolume(ctx, token, volumeID)
if err != nil { if err != nil {
@ -280,7 +280,7 @@ func (zd *ZFSSADriver) ControllerUnpublishVolume(ctx context.Context, req *csi.C
if err != nil { if err != nil {
return nil, status.Error(codes.Unauthenticated, "Invalid credentials") return nil, status.Error(codes.Unauthenticated, "Invalid credentials")
} }
token := zfssarest.LookUpToken(user, password) token := zfssarest.LookUpToken(ctx, user, password)
zvol, err := zd.lookupVolume(ctx, token, volumeID) zvol, err := zd.lookupVolume(ctx, token, volumeID)
if err != nil { if err != nil {
@ -317,7 +317,7 @@ func (zd *ZFSSADriver) ValidateVolumeCapabilities(ctx context.Context, req *csi.
if err != nil { if err != nil {
return nil, status.Error(codes.Unauthenticated, "Invalid credentials") return nil, status.Error(codes.Unauthenticated, "Invalid credentials")
} }
token := zfssarest.LookUpToken(user, password) token := zfssarest.LookUpToken(ctx, user, password)
zvol, err := zd.lookupVolume(ctx, token, volumeID) zvol, err := zd.lookupVolume(ctx, token, volumeID)
if err != nil { if err != nil {
@ -409,7 +409,7 @@ func (zd *ZFSSADriver) GetCapacity(ctx context.Context, req *csi.GetCapacityRequ
if err != nil { if err != nil {
return nil, status.Error(codes.Unauthenticated, "Invalid credentials") return nil, status.Error(codes.Unauthenticated, "Invalid credentials")
} }
token := zfssarest.LookUpToken(user, password) token := zfssarest.LookUpToken(ctx, user, password)
parameters := req.GetParameters() parameters := req.GetParameters()
projectName, ok := parameters["project"] projectName, ok := parameters["project"]
@ -487,7 +487,7 @@ func (zd *ZFSSADriver) CreateSnapshot(ctx context.Context, req *csi.CreateSnapsh
if err != nil { if err != nil {
return nil, status.Error(codes.Unauthenticated, "Invalid credentials") return nil, status.Error(codes.Unauthenticated, "Invalid credentials")
} }
token := zfssarest.LookUpToken(user, password) token := zfssarest.LookUpToken(ctx, user, password)
zsnap, err := zd.newSnapshot(ctx, token, snapName, sourceId) zsnap, err := zd.newSnapshot(ctx, token, snapName, sourceId)
if err != nil { if err != nil {
@ -514,7 +514,7 @@ func (zd *ZFSSADriver) DeleteSnapshot(ctx context.Context, req *csi.DeleteSnapsh
if err != nil { if err != nil {
return nil, status.Error(codes.Unauthenticated, "Invalid credentials") return nil, status.Error(codes.Unauthenticated, "Invalid credentials")
} }
token := zfssarest.LookUpToken(user, password) token := zfssarest.LookUpToken(ctx, user, password)
// Get exclusive access to the snapshot. // Get exclusive access to the snapshot.
zsnap, err := zd.lookupSnapshot(ctx, token, req.SnapshotId) zsnap, err := zd.lookupSnapshot(ctx, token, req.SnapshotId)
@ -566,7 +566,7 @@ func (zd *ZFSSADriver) ListSnapshots(ctx context.Context, req *csi.ListSnapshots
if err != nil { if err != nil {
return nil, status.Error(codes.Unauthenticated, "Invalid credentials") return nil, status.Error(codes.Unauthenticated, "Invalid credentials")
} }
token := zfssarest.LookUpToken(user, password) token := zfssarest.LookUpToken(ctx, user, password)
var entries []*csi.ListSnapshotsResponse_Entry var entries []*csi.ListSnapshotsResponse_Entry
@ -646,7 +646,7 @@ func (zd *ZFSSADriver) ControllerExpandVolume(ctx context.Context, req *csi.Cont
if err != nil { if err != nil {
return nil, status.Error(codes.Unauthenticated, "Invalid credentials") return nil, status.Error(codes.Unauthenticated, "Invalid credentials")
} }
token := zfssarest.LookUpToken(user, password) token := zfssarest.LookUpToken(ctx, user, password)
zvol, err := zd.lookupVolume(ctx, token, volumeID) zvol, err := zd.lookupVolume(ctx, token, volumeID)
if err != nil { if err != nil {

4
pkg/service/identity.go
View File

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2021, Oracle and/or its affiliates. * Copyright (c) 2021, 2022, Oracle.
* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/ * Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
*/ */
@ -69,7 +69,7 @@ func (zd *ZFSSADriver) Probe(ctx context.Context, req *csi.ProbeRequest) (
if err != nil { if err != nil {
return nil, grpcStatus.Error(codes.Unauthenticated, "Invalid credentials") return nil, grpcStatus.Error(codes.Unauthenticated, "Invalid credentials")
} }
token := zfssarest.LookUpToken(user, password) token := zfssarest.LookUpToken(ctx, user, password)
_, err = zfssarest.GetServices(ctx, token) _, err = zfssarest.GetServices(ctx, token)
if err != nil { if err != nil {
return &csi.ProbeResponse{ return &csi.ProbeResponse{

6
pkg/service/node.go
View File

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2021, Oracle and/or its affiliates. * Copyright (c) 2021, 2022, Oracle.
* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/ * Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
*/ */
@ -165,7 +165,7 @@ func (zd *ZFSSADriver) NodePublishVolume(ctx context.Context, req *csi.NodePubli
if err != nil { if err != nil {
return nil, status.Error(codes.Unauthenticated, "Invalid credentials") return nil, status.Error(codes.Unauthenticated, "Invalid credentials")
} }
token := zfssarest.LookUpToken(user, password) token := zfssarest.LookUpToken(ctx, user, password)
var mountOptions []string var mountOptions []string
if req.GetReadonly() { if req.GetReadonly() {
@ -217,7 +217,7 @@ func (zd *ZFSSADriver) NodeUnpublishVolume(ctx context.Context, req *csi.NodeUnp
if err != nil { if err != nil {
return nil, status.Error(codes.Unauthenticated, "Invalid credentials") return nil, status.Error(codes.Unauthenticated, "Invalid credentials")
} }
token := zfssarest.LookUpToken(user, password) token := zfssarest.LookUpToken(ctx, user, password)
if zVolumeId.IsBlock() { if zVolumeId.IsBlock() {
return zd.nodeUnpublishBlockVolume(ctx, token, req, zVolumeId) return zd.nodeUnpublishBlockVolume(ctx, token, req, zVolumeId)
} else { } else {

8
pkg/service/volumes.go
View File

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2021, Oracle and/or its affiliates. * Copyright (c) 2021, 2022, Oracle.
* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/ * Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
*/ */
@ -435,7 +435,7 @@ func (zd *ZFSSADriver) updateFilesystemList(ctx context.Context, out chan<- erro
if err != nil { if err != nil {
out <- err out <- err
} }
token := zfssarest.LookUpToken(user, password) token := zfssarest.LookUpToken(ctx, user, password)
fsList, err := zfssarest.GetFilesystems(ctx, token, "", "") fsList, err := zfssarest.GetFilesystems(ctx, token, "", "")
if err != nil { if err != nil {
utils.GetLogCTRL(ctx, 2).Println("zd.updateFilesystemList failed", "error", err.Error()) utils.GetLogCTRL(ctx, 2).Println("zd.updateFilesystemList failed", "error", err.Error())
@ -461,7 +461,7 @@ func (zd *ZFSSADriver) updateLunList(ctx context.Context, out chan<- error) {
if err != nil { if err != nil {
out <- err out <- err
} }
token := zfssarest.LookUpToken(user, password) token := zfssarest.LookUpToken(ctx, user, password)
lunList, err := zfssarest.GetLuns(ctx, token, "", "") lunList, err := zfssarest.GetLuns(ctx, token, "", "")
if err != nil { if err != nil {
@ -520,7 +520,7 @@ func (zd *ZFSSADriver) updateSnapshotList(ctx context.Context) error {
return err return err
} }
token := zfssarest.LookUpToken(user, password) token := zfssarest.LookUpToken(ctx, user, password)
snapList, err := zfssarest.GetSnapshots(ctx, token, "") snapList, err := zfssarest.GetSnapshots(ctx, token, "")
if err != nil { if err != nil {
utils.GetLogCTRL(ctx, 2).Println("zd.updateSnapshotList failed", "error", err.Error()) utils.GetLogCTRL(ctx, 2).Println("zd.updateSnapshotList failed", "error", err.Error())

19
pkg/zfssarest/zfssa_rest.go
View File

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2021, Oracle and/or its affiliates. * Copyright (c) 2021, 2022, Oracle.
* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/ * Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
*/ */
@ -56,7 +56,6 @@ const (
zProperty = zProperties + "/%s" zProperty = zProperties + "/%s"
) )
// State of a ZFSSA token
const ( const (
zfssaTokenInvalid = iota zfssaTokenInvalid = iota
zfssaTokenCreating zfssaTokenCreating
@ -128,10 +127,13 @@ func InitREST(name string, certs []byte, secure bool) error {
// Looks up a token context based on the user name passed in. If one doesn't exist // Looks up a token context based on the user name passed in. If one doesn't exist
// yet, it is created. // yet, it is created.
func LookUpToken(user, password string) *Token { func LookUpToken(ctx context.Context, user, password string) *Token {
tokens.mtx.Lock() tokens.mtx.Lock()
if token, ok := tokens.list[user]; ok { if token, ok := tokens.list[user]; ok {
if password != "" && password != token.password {
utils.GetLogREST(ctx, 2).Println("Target ZFSSA password updated for session")
token.password = password
}
tokens.mtx.Unlock() tokens.mtx.Unlock()
return token return token
} }
@ -173,11 +175,12 @@ func getToken(ctx context.Context, token *Token, previous *string) (string, erro
switch token.state { switch token.state {
case zfssaTokenInvalid: case zfssaTokenInvalid:
// No token available. We create one. // No token available. We create one.
utils.GetLogREST(ctx, 2).Println("Creating new ZFSSA session for token")
token.state = zfssaTokenCreating token.state = zfssaTokenCreating
token.mtx.Unlock() token.mtx.Unlock()
var err error var err error
token.xAuthSession, token.xAuthName, err = createToken(ctx, token) token.xAuthSession, token.xAuthName, err = createZfssaSession(ctx, token)
xAuthSession := token.xAuthSession xAuthSession := token.xAuthSession
token.mtx.Lock() token.mtx.Lock()
@ -202,6 +205,7 @@ func getToken(ctx context.Context, token *Token, previous *string) (string, erro
token.mtx.Unlock() token.mtx.Unlock()
return xAuthSession, nil return xAuthSession, nil
} }
utils.GetLogREST(ctx, 2).Println("ZFSSA session transitioning to invalid")
token.state = zfssaTokenInvalid token.state = zfssaTokenInvalid
continue continue
@ -211,11 +215,11 @@ func getToken(ctx context.Context, token *Token, previous *string) (string, erro
} }
} }
// Send an HTTP request to the ZFSSA to create a non-persistent token. // Send an HTTP request to the ZFSSA to create a non-persistent, reusable session.
// //
// A non-persistent token is specific to the cluster node on which the ID was // A non-persistent token is specific to the cluster node on which the ID was
// created and is not synchronized between the cluster peers. // created and is not synchronized between the cluster peers.
func createToken(ctx context.Context, token *Token) (string, string, error) { func createZfssaSession(ctx context.Context, token *Token) (string, string, error) {
httpReq, err := http.NewRequest("POST", zServicesURL, bytes.NewBuffer(nil)) httpReq, err := http.NewRequest("POST", zServicesURL, bytes.NewBuffer(nil))
if err != nil { if err != nil {
@ -325,6 +329,7 @@ func makeRequest(ctx context.Context, token *Token, method, url string, reqbody
// We check here whether the token may have expired and renew it if needed. // We check here whether the token may have expired and renew it if needed.
if rsphttp.StatusCode == http.StatusUnauthorized { if rsphttp.StatusCode == http.StatusUnauthorized {
// Refresh token and secret
_, err = getToken(ctx, token, &xAuthSession) _, err = getToken(ctx, token, &xAuthSession)
return nil, http.StatusUnauthorized, err return nil, http.StatusUnauthorized, err
} }