Suggested changes to ID and key requirements for rbd CSI plugin #270
Comments
|
From the point-of-view of the ceph-rbd CSI, I agree that the current usage of admin vs user doesn't make much sense. The CSI would only need a user w/ caps similar to the following:
There isn't currently any need for full Cluster "admin"-level permissions (i.e. ceph.admin) for any RBD operations at the CSI level. A higher-level orchestration tool like Rook would need more permissions to create/delete pools. There also isn't any plans in place for per-image permissions. Instead, starting w/ the Ceph Nautilus release, RBD now supports pool namespaces. This allows a storage admin to grant R/W permissions to a user for only a specific namespace within a pool. If a k8s admin wanted to only provide a user (project) with access to a specific namespace, they could create a new StorageClass that points to a different credential secret that it locked down to a specific namespace. Of course the ceph-rbd CSI would also need to add support for a |
|
@dillaman if we use namespaces, can we still maintain pool level RADOS omaps and keys. Assuming we are removing the |
|
@ShyamsundarR Technically you could grant additional access to the default ('') namespace on specific objects like |
|
@dillaman anything added to the Storage Class that specializes where the volume (image) will land, will need encoding into the volume/snap ID. So, if we decide in the future to add namespace support into the StorageClass then this would need to be added to the returned ID. Is it not feasible to query and determine which namespace a user has access to in a pool, and use an appropriate namespace in the CLI arguments? Thus, avoiding specifying the same in the Storage Class itself? Further I assume the namespace "enhancement" is a logical next step post addressing the dual user issue cleanup, right? |
Agreed (given the assumption that the CSI driver cannot pull the StorageClass or additional Secret metedata from k8s).
Negative, it's not realistically feasible. You would need to pull their caps from the MONs (which would require high privilege) and then parse out the caps to determine which ones apply to which pool and namespace -- possibly multiple).
Right, it doesn't stall current stateless PR -- but the stateless PR should be able to "gracefully" handle v2 of the encoded vol/snap ID (i.e. not crash upon seeing a v2). |
|
@dillaman require some clarifications/confirmation as I start part of the implementation here, as follows,
|
Correct -- the "admin" vs "user" split doesn't currently make sense (at least for RBD). I'd actually vote for calling it
Make sense to me. |
… secret RBD plugin needs only a single ID to manage images and operations against a pool, mentioned in the storage class. The current scheme of 2 IDs is hence not needed and removed in this commit. Further, unlike CephFS plugin, the RBD plugin splits the user id and the key into the storage class and the secret respectively. Also the parameter name for the key in the secret is noted in the storageclass making it a variant and hampers usability/comprehension. This is also fixed by moving the id and the key to the secret and not retaining the same in the storage class, like CephFS. Fixes ceph#270 Testing done: - Basic PVC creation and mounting Signed-off-by: ShyamsundarR <srangana@redhat.com>
… secret RBD plugin needs only a single ID to manage images and operations against a pool, mentioned in the storage class. The current scheme of 2 IDs is hence not needed and removed in this commit. Further, unlike CephFS plugin, the RBD plugin splits the user id and the key into the storage class and the secret respectively. Also the parameter name for the key in the secret is noted in the storageclass making it a variant and hampers usability/comprehension. This is also fixed by moving the id and the key to the secret and not retaining the same in the storage class, like CephFS. Fixes ceph#270 Testing done: - Basic PVC creation and mounting Signed-off-by: ShyamsundarR <srangana@redhat.com>
… secret RBD plugin needs only a single ID to manage images and operations against a pool, mentioned in the storage class. The current scheme of 2 IDs is hence not needed and removed in this commit. Further, unlike CephFS plugin, the RBD plugin splits the user id and the key into the storage class and the secret respectively. Also the parameter name for the key in the secret is noted in the storageclass making it a variant and hampers usability/comprehension. This is also fixed by moving the id and the key to the secret and not retaining the same in the storage class, like CephFS. Fixes ceph#270 Testing done: - Basic PVC creation and mounting Signed-off-by: ShyamsundarR <srangana@redhat.com>
… secret RBD plugin needs only a single ID to manage images and operations against a pool, mentioned in the storage class. The current scheme of 2 IDs is hence not needed and removed in this commit. Further, unlike CephFS plugin, the RBD plugin splits the user id and the key into the storage class and the secret respectively. Also the parameter name for the key in the secret is noted in the storageclass making it a variant and hampers usability/comprehension. This is also fixed by moving the id and the key to the secret and not retaining the same in the storage class, like CephFS. Fixes ceph#270 Testing done: - Basic PVC creation and mounting Signed-off-by: ShyamsundarR <srangana@redhat.com>
… secret RBD plugin needs only a single ID to manage images and operations against a pool, mentioned in the storage class. The current scheme of 2 IDs is hence not needed and removed in this commit. Further, unlike CephFS plugin, the RBD plugin splits the user id and the key into the storage class and the secret respectively. Also the parameter name for the key in the secret is noted in the storageclass making it a variant and hampers usability/comprehension. This is also fixed by moving the id and the key to the secret and not retaining the same in the storage class, like CephFS. Fixes ceph#270 Testing done: - Basic PVC creation and mounting Signed-off-by: ShyamsundarR <srangana@redhat.com>
… secret RBD plugin needs only a single ID to manage images and operations against a pool, mentioned in the storage class. The current scheme of 2 IDs is hence not needed and removed in this commit. Further, unlike CephFS plugin, the RBD plugin splits the user id and the key into the storage class and the secret respectively. Also the parameter name for the key in the secret is noted in the storageclass making it a variant and hampers usability/comprehension. This is also fixed by moving the id and the key to the secret and not retaining the same in the storage class, like CephFS. Fixes #270 Testing done: - Basic PVC creation and mounting Signed-off-by: ShyamsundarR <srangana@redhat.com>
… secret RBD plugin needs only a single ID to manage images and operations against a pool, mentioned in the storage class. The current scheme of 2 IDs is hence not needed and removed in this commit. Further, unlike CephFS plugin, the RBD plugin splits the user id and the key into the storage class and the secret respectively. Also the parameter name for the key in the secret is noted in the storageclass making it a variant and hampers usability/comprehension. This is also fixed by moving the id and the key to the secret and not retaining the same in the storage class, like CephFS. Fixes ceph#270 Testing done: - Basic PVC creation and mounting Signed-off-by: ShyamsundarR <srangana@redhat.com>
rebase: bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.3
Syncing red-hat-storage/ceph-csi:devel up to commit 28bc4d1. Pull-Request ceph#270 introduced a conflict that the resync automation job could not address. This manual merge should make it possible for the automation to continue again. Closes: ceph#279 ceph#280 Signed-off-by: Niels de Vos <ndevos@ibm.com>
Currently the CSI rbd plugin requires 2 IDs and its respective keys in secrets. Each ID seems to serve the following purpose,
There are a few issues with the same, some of which is related to lack of documentation as stated in #80 but some others need consideration as follows,
I can see the following hierarchy of secrets (with some further granularity possible) that maybe used, and the question is, if we need to separate the admin from the mounter as in the following list,
Either-way, the ID and key can move into the secret, rather than mentioning the ID in the StorageClass and the key as a secret in the secret. This makes it easier to configure for a user, than having to do the same in 2 places. IOW, make this similar to a secret in CephFS plugin, where the secret carries both the ID and the key.
Further make the secret a single ID/key pair, such that if required the same can be used as the provisioner and the publisher secret, rather than repeating the pair of user.key within the secret and also repeating the same in the StorageClass
Ideally, if we needed to separate the provisioner secret from the node secret, these should not be placed in the same secret file, as otherwise the nodes get both secrets and that sort of defeats the purpose? I would suggest that we pass the secrets in different files as examples, instead of a single file (and if we choose to do (3) this would be handled automatically)
The text was updated successfully, but these errors were encountered: