'driver_volume_type': 'rbd',
'data': {
'name': '%s/%s' % ('rbd', volume['name']),
- 'auth_enabled': CONF.libvirt.rbd_secret_uuid is not None,
+ 'auth_enabled': CONF.libvirt.rbd_user is not None,
'auth_username': CONF.libvirt.rbd_user,
'secret_type': 'ceph',
'secret_uuid': CONF.libvirt.rbd_secret_uuid,
self.assertEqual(self.uuid, tree.find('./auth/secret').get('uuid'))
libvirt_driver.disconnect_volume(connection_info, "vde")
- def test_libvirt_rbd_driver_auth_enabled_flags_override(self):
+ def test_libvirt_rbd_driver_auth_enabled_flags(self):
+ # The values from the cinder connection_info take precedence over
+ # nova.conf values.
libvirt_driver = net.LibvirtNetVolumeDriver(self.fake_host)
connection_info = self.rbd_connection(self.vol)
secret_type = 'ceph'
conf = libvirt_driver.get_config(connection_info, self.disk_info)
tree = conf.format_dom()
self._assertNetworkAndProtocolEquals(tree)
- self.assertEqual(flags_user, tree.find('./auth').get('username'))
+ self.assertEqual(self.user, tree.find('./auth').get('username'))
self.assertEqual(secret_type, tree.find('./auth/secret').get('type'))
- self.assertEqual(flags_uuid, tree.find('./auth/secret').get('uuid'))
+ self.assertEqual(self.uuid, tree.find('./auth/secret').get('uuid'))
libvirt_driver.disconnect_volume(connection_info, "vde")
def test_libvirt_rbd_driver_auth_disabled(self):
# License for the specific language governing permissions and limitations
# under the License.
+from oslo_log import log as logging
+
import nova.conf
from nova import exception
-from nova.i18n import _
+from nova.i18n import _, _LW
from nova import utils
from nova.virt.libvirt.volume import volume as libvirt_volume
CONF = nova.conf.CONF
+LOG = logging.getLogger(__name__)
class LibvirtNetVolumeDriver(libvirt_volume.LibvirtBaseVolumeDriver):
self.host.delete_secret(usage_type, usage_name)
def _set_auth_config_rbd(self, conf, netdisk_properties):
+ # The rbd volume driver in cinder sets auth_enabled if the rbd_user is
+ # set in cinder. The rbd auth values from the cinder connection take
+ # precedence over any local nova config values in case the cinder ceph
+ # backend is configured differently than the nova rbd ephemeral storage
+ # configuration.
auth_enabled = netdisk_properties.get('auth_enabled')
- if CONF.libvirt.rbd_secret_uuid:
- conf.auth_secret_uuid = CONF.libvirt.rbd_secret_uuid
- auth_enabled = True # Force authentication locally
- if CONF.libvirt.rbd_user:
- conf.auth_username = CONF.libvirt.rbd_user
if auth_enabled:
- conf.auth_username = (conf.auth_username or
- netdisk_properties['auth_username'])
- conf.auth_secret_type = (conf.auth_secret_type or
- netdisk_properties['secret_type'])
- conf.auth_secret_uuid = (conf.auth_secret_uuid or
- netdisk_properties['secret_uuid'])
+ conf.auth_username = netdisk_properties['auth_username']
+ conf.auth_secret_uuid = netdisk_properties['secret_uuid']
+ # secret_type is always hard-coded to 'ceph' in cinder
+ conf.auth_secret_type = netdisk_properties['secret_type']
+ elif CONF.libvirt.rbd_secret_uuid:
+ # Anyone relying on falling back to nova config is probably having
+ # this work accidentally and we'll remove that support in the
+ # 16.0.0 Pike release.
+ LOG.warning(_LW('Falling back to Nova configuration values for '
+ 'RBD authentication. Cinder should be configured '
+ 'for auth with Ceph volumes. This fallback will '
+ 'be dropped in the Nova 16.0.0 Pike release.'))
+ # use the nova config values
+ conf.auth_username = CONF.libvirt.rbd_user
+ conf.auth_secret_uuid = CONF.libvirt.rbd_secret_uuid
+ # secret_type is always hard-coded to 'ceph' in cinder
+ conf.auth_secret_type = netdisk_properties['secret_type']
def _set_auth_config_iscsi(self, conf, netdisk_properties):
if netdisk_properties.get('auth_method') == 'CHAP':
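Review bot: In the `elif CONF.libvirt.rbd_secret_uuid:` fallback of `_set_auth_config_rbd`, `conf.auth_secret_type = netdisk_properties['secret_type']` still depends on a key supplied by cinder, although this branch is reached only when the connection did not report `auth_enabled`. A connection_info without that key would raise a bare KeyError during attach. Since the adjacent comment says the value is always 'ceph', `conf.auth_secret_type = netdisk_properties.get('secret_type', 'ceph')` would keep the fallback self-contained. The branch is also gated only on `rbd_secret_uuid`, so `conf.auth_username` can be set to None when `rbd_user` is unset; consider requiring both options or saying so in the warning. The enclosing class and the following `_set_auth_config_iscsi` are only partly visible in this hunk.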
--- /dev/null
+---
+upgrade:
+ - |
+ When making connections to Ceph-backed volumes via the Libvirt driver, the
+ auth values (rbd_user, rbd_secret_uuid) are now pulled from the backing
+ cinder.conf rather than nova.conf. The nova.conf values are only used if
+ set and the cinder.conf values are not set, but this fallback support is
+ considered accidental and will be removed in the Nova 16.0.0 Pike release.
+ See the Ceph documentation for `configuring Cinder`_ for RBD auth.
+
+ .. _configuring Cinder: http://docs.ceph.com/docs/master/rbd/rbd-openstack/#configuring-cinder