Merge pull request ceph#55870 from rhcs-dashboard/cephfs-auth

mgr/dashboard: ceph authenticate user from fs

Reviewed-by: Ankush Behl <[email protected]>
Reviewed-by: ivoalmeida <NOT@FOUND>
Reviewed-by: Nizamudeen A <[email protected]>

Author: nizamial09

src/pybind/mgr/dashboard/controllers/cephfs.py

@@ -101,6 +101,29 @@ def rename(self, name: str, new_name: str):
                 component='cephfs')
         return f'Volume {name} renamed successfully to {new_name}'
 
+    @UpdatePermission
+    @Endpoint('PUT')
+    @EndpointDoc("Set Ceph authentication capabilities for the specified user ID in the given path",
+                 parameters={
+                     'fs_name': (str, 'File system name'),
+                     'client_id': (str, 'Cephx user ID'),
+                     'caps': (str, 'Path and given capabilities'),
+                     'root_squash': (str, 'File System Identifier'),
+
+                 })
+    def auth(self, fs_name: str, client_id: int, caps: List[str], root_squash: bool):
+        if root_squash:
+            caps.insert(2, 'root_squash')
+        error_code, _, err = mgr.mon_command({'prefix': 'fs authorize',
+                                              'filesystem': fs_name,
+                                              'entity': client_id,
+                                              'caps': caps})
+        if error_code != 0:
+            raise DashboardException(
+                msg=f'Error setting authorization for {client_id} with {caps}: {err}',
+                component='cephfs')
+        return f'Updated {client_id} authorization successfully'
+
     def get(self, fs_id):
         fs_id = self.fs_id_to_int(fs_id)
         return self.fs_status(fs_id)

src/pybind/mgr/dashboard/frontend/src/app/ceph/cephfs/cephfs-auth-modal/cephfs-auth-modal.component.html

@@ -0,0 +1,166 @@
+<cd-modal [modalRef]="activeModal">
+  <ng-container i18n="form title"
+                class="modal-title">{{ action | titlecase }} {{ resource | upperFirst }}</ng-container>
+  <ng-container class="modal-content"
+                *cdFormLoading="loading">
+    <form name="form"
+          #formDir="ngForm"
+          [formGroup]="form">
+      <div class="modal-body">
+
+        <!-- FsName -->
+        <div class="form-group row">
+          <label class="cd-col-form-label required"
+                 for="userId"
+                 i18n>Fs name
+          </label>
+          <div class="cd-col-form-input">
+            <input id="fsName"
+                   name="fsName"
+                   type="text"
+                   class="form-control"
+                   formControlName="fsName">
+            <span class="invalid-feedback"
+                  *ngIf="form.showError('fsName', formDir, 'required')"
+                  i18n>This field is required!</span>
+          </div>
+        </div>
+
+        <!-- UserId -->
+        <div class="form-group row">
+          <label class="cd-col-form-label required"
+                 for="userId"
+                 i18n>User ID
+            <cd-helper>
+              You can manage users from
+              <a routerLink="/ceph-users"
+                 (click)="closeModal()">Ceph Users</a>
+              page
+            </cd-helper>
+          </label>
+          <div class="cd-col-form-input">
+            <div class="input-group">
+              <span class="input-group-text"
+                    for="userId"
+                    i18n>client.
+              </span>
+              <input id="userId"
+                     name="userId"
+                     type="text"
+                     class="form-control"
+                     formControlName="userId">
+              <span class="invalid-feedback"
+                    *ngIf="form.showError('userId', formDir, 'required')"
+                    i18n>This field is required!</span>
+            </div>
+          </div>
+        </div>
+
+        <!-- Directory -->
+        <div class="form-group row">
+          <label class="cd-col-form-label required"
+                 for="directory"
+                 i18n>Directory
+            <cd-helper>Path to restrict access to</cd-helper>
+          </label>
+          <div class="cd-col-form-input">
+            <input id="typeahead-http"
+                   i18n
+                   type="text"
+                   class="form-control"
+                   disabled="directoryStore.isLoading"
+                   formControlName="directory"
+                   [ngbTypeahead]="search"
+                   [placeholder]="directoryStore.isLoading ? 'Loading directories' : 'Directory search'"
+                   i18n-placeholder>
+            <div *ngIf="directoryStore.isLoading">
+              <i [ngClass]="[icons.spinner, icons.spin, 'mt-2', 'me-2']"></i>
+            </div>
+            <span class="invalid-feedback"
+                  *ngIf="form.showError('directory', formDir, 'required')"
+                  i18n>This field is required!</span>
+          </div>
+        </div>
+
+        <!-- Permissions -->
+        <div class="form-group row">
+          <label i18n
+                 class="cd-col-form-label"
+                 for="permissions">Permissons</label>
+          <div class="cd-col-form-input">
+
+            <!-- Read -->
+            <div class="custom-control custom-checkbox">
+              <input class="custom-control-input"
+                     id="read"
+                     formControlName="read"
+                     type="checkbox">
+              <label class="custom-control-label"
+                     for="read"
+                     i18n>Read
+              </label>
+              <cd-helper i18n>Read permission is the minimum givable access</cd-helper>
+            </div>
+
+            <!-- Write -->
+            <div class="custom-control custom-checkbox">
+              <input class="custom-control-input"
+                     id="write"
+                     formControlName="write"
+                     type="checkbox"
+                     (change)="toggleFormControl()">
+              <label class="custom-control-label"
+                     for="write"
+                     i18n>Write
+              </label>
+            </div>
+
+            <!-- Quota -->
+            <div class="custom-control custom-checkbox">
+              <input class="custom-control-input"
+                     id="quota"
+                     formControlName="quota"
+                     type="checkbox">
+              <label class="custom-control-label"
+                     for="quota"
+                     i18n>Quota
+              </label>
+              <cd-helper i18n>Permission to set layouts or quotas, write access needed</cd-helper>
+            </div>
+
+            <!-- Snapshot -->
+            <div class="custom-control custom-checkbox">
+              <input class="custom-control-input"
+                     id="snapshot"
+                     formControlName="snapshot"
+                     type="checkbox">
+              <label class="custom-control-label"
+                     for="snapshot"
+                     i18n>Snapshot
+              </label>
+              <cd-helper i18n>Permission to create or delete snapshots, write access needed</cd-helper>
+            </div>
+
+            <!-- Root Squash -->
+            <div class="custom-control custom-checkbox">
+              <input class="custom-control-input"
+                     id="rootSquash"
+                     formControlName="rootSquash"
+                     type="checkbox">
+              <label class="custom-control-label"
+                     for="rootSquash"
+                     i18n>Root Squash
+              </label>
+              <cd-helper>Safety measure to prevent scenarios such as accidental sudo rm -rf /path</cd-helper>
+            </div>
+          </div>
+        </div>
+      </div>
+      <div class="modal-footer">
+        <cd-form-button-panel (submitActionEvent)="onSubmit()"
+                              [form]="form"
+                              [submitText]="(action | titlecase)"></cd-form-button-panel>
+      </div>
+    </form>
+  </ng-container>
+</cd-modal>

src/pybind/mgr/dashboard/frontend/src/app/ceph/cephfs/cephfs-auth-modal/cephfs-auth-modal.component.scss

@@ -0,0 +1,29 @@
+import { ComponentFixture, TestBed } from '@angular/core/testing';
+
+import { CephfsAuthModalComponent } from './cephfs-auth-modal.component';
+import { NgbActiveModal } from '@ng-bootstrap/ng-bootstrap';
+import { HttpClientTestingModule } from '@angular/common/http/testing';
+import { ToastrModule } from 'ngx-toastr';
+import { SharedModule } from '~/app/shared/shared.module';
+import { ReactiveFormsModule } from '@angular/forms';
+
+describe('CephfsAuthModalComponent', () => {
+  let component: CephfsAuthModalComponent;
+  let fixture: ComponentFixture<CephfsAuthModalComponent>;
+
+  beforeEach(async () => {
+    await TestBed.configureTestingModule({
+      declarations: [CephfsAuthModalComponent],
+      imports: [HttpClientTestingModule, SharedModule, ReactiveFormsModule, ToastrModule.forRoot()],
+      providers: [NgbActiveModal]
+    }).compileComponents();
+
+    fixture = TestBed.createComponent(CephfsAuthModalComponent);
+    component = fixture.componentInstance;
+    fixture.detectChanges();
+  });
+
+  it('should create', () => {
+    expect(component).toBeTruthy();
+  });
+});

src/pybind/mgr/dashboard/frontend/src/app/ceph/cephfs/cephfs-auth-modal/cephfs-auth-modal.component.spec.ts

@@ -0,0 +1,129 @@
+import { Component, OnInit } from '@angular/core';
+import { FormControl, Validators } from '@angular/forms';
+import { NgbActiveModal } from '@ng-bootstrap/ng-bootstrap';
+import { OperatorFunction, Observable, of } from 'rxjs';
+import { debounceTime, distinctUntilChanged, switchMap, catchError } from 'rxjs/operators';
+import { CephfsService } from '~/app/shared/api/cephfs.service';
+import { DirectoryStoreService } from '~/app/shared/api/directory-store.service';
+import { ActionLabelsI18n } from '~/app/shared/constants/app.constants';
+import { Icons } from '~/app/shared/enum/icons.enum';
+import { CdForm } from '~/app/shared/forms/cd-form';
+import { CdFormGroup } from '~/app/shared/forms/cd-form-group';
+import { FinishedTask } from '~/app/shared/models/finished-task';
+import { TaskWrapperService } from '~/app/shared/services/task-wrapper.service';
+
+const DEBOUNCE_TIMER = 300;
+
+@Component({
+  selector: 'cd-cephfs-auth-modal',
+  templateUrl: './cephfs-auth-modal.component.html',
+  styleUrls: ['./cephfs-auth-modal.component.scss']
+})
+export class CephfsAuthModalComponent extends CdForm implements OnInit {
+  fsName: string;
+  id: number;
+  subvolumeGroup: string;
+  subvolume: string;
+  isDefaultSubvolumeGroup = false;
+  isSubvolume = false;
+  form: CdFormGroup;
+  action: string;
+  resource: string;
+  icons = Icons;
+
+  constructor(
+    public activeModal: NgbActiveModal,
+    private actionLabels: ActionLabelsI18n,
+    public directoryStore: DirectoryStoreService,
+    private cephfsService: CephfsService,
+    private taskWrapper: TaskWrapperService
+  ) {
+    super();
+    this.action = this.actionLabels.UPDATE;
+    this.resource = $localize`access`;
+  }
+
+  ngOnInit() {
+    this.directoryStore.loadDirectories(this.id, '/', 3);
+    this.createForm();
+    this.loadingReady();
+  }
+
+  createForm() {
+    this.form = new CdFormGroup({
+      fsName: new FormControl(
+        { value: this.fsName, disabled: true },
+        {
+          validators: [Validators.required]
+        }
+      ),
+      directory: new FormControl(undefined, {
+        updateOn: 'blur',
+        validators: [Validators.required]
+      }),
+      userId: new FormControl(undefined, {
+        validators: [Validators.required]
+      }),
+      read: new FormControl(
+        { value: true, disabled: true },
+        {
+          validators: [Validators.required]
+        }
+      ),
+      write: new FormControl(undefined),
+      snapshot: new FormControl({ value: false, disabled: true }),
+      quota: new FormControl({ value: false, disabled: true }),
+      rootSquash: new FormControl(undefined)
+    });
+  }
+
+  search: OperatorFunction<string, readonly string[]> = (input: Observable<string>) =>
+    input.pipe(
+      debounceTime(DEBOUNCE_TIMER),
+      distinctUntilChanged(),
+      switchMap((term) =>
+        this.directoryStore.search(term, this.id).pipe(
+          catchError(() => {
+            return of([]);
+          })
+        )
+      )
+    );
+
+  closeModal() {
+    this.activeModal.close();
+  }
+
+  onSubmit() {
+    const clientId: number = this.form.getValue('userId');
+    const caps: string[] = [this.form.getValue('directory'), this.transformPermissions()];
+    const rootSquash: boolean = this.form.getValue('rootSquash');
+    this.taskWrapper
+      .wrapTaskAroundCall({
+        task: new FinishedTask('cephfs/auth', {
+          clientId: clientId
+        }),
+        call: this.cephfsService.setAuth(this.fsName, clientId, caps, rootSquash)
+      })
+      .subscribe({
+        error: () => this.form.setErrors({ cdSubmitButton: true }),
+        complete: () => {
+          this.activeModal.close();
+        }
+      });
+  }
+
+  transformPermissions(): string {
+    const write = this.form.getValue('write');
+    const snapshot = this.form.getValue('snapshot');
+    const quota = this.form.getValue('quota');
+    return `r${write ? 'w' : ''}${quota ? 'p' : ''}${snapshot ? 's' : ''}`;
+  }
+
+  toggleFormControl() {
+    const snapshot = this.form.get('snapshot');
+    const quota = this.form.get('quota');
+    snapshot.disabled ? snapshot.enable() : snapshot.disable();
+    quota.disabled ? quota.enable() : quota.disable();
+  }
+}

src/pybind/mgr/dashboard/frontend/src/app/ceph/cephfs/cephfs-auth-modal/cephfs-auth-modal.component.ts

@@ -25,6 +25,7 @@ import { NgbModalRef } from '@ng-bootstrap/ng-bootstrap';
 import { CephfsMountDetailsComponent } from '../cephfs-mount-details/cephfs-mount-details.component';
 import { map, switchMap } from 'rxjs/operators';
 import { HealthService } from '~/app/shared/api/health.service';
+import { CephfsAuthModalComponent } from '~/app/ceph/cephfs/cephfs-auth-modal/cephfs-auth-modal.component';
 
 const BASE_URL = 'cephfs';
 
@@ -95,6 +96,12 @@ export class CephfsListComponent extends ListWithDetails implements OnInit {
         click: () =>
           this.router.navigate([this.urlBuilder.getEdit(String(this.selection.first().id))])
       },
+      {
+        name: this.actionLabels.AUTHORIZE,
+        permission: 'update',
+        icon: Icons.edit,
+        click: () => this.authorizeModal()
+      },
       {
         name: this.actionLabels.ATTACH,
         permission: 'read',
@@ -187,4 +194,16 @@ export class CephfsListComponent extends ListWithDetails implements OnInit {
 
     return true;
   }
+
+  authorizeModal() {
+    const selectedFileSystem = this.selection?.selected?.[0];
+    this.modalService.show(
+      CephfsAuthModalComponent,
+      {
+        fsName: selectedFileSystem.mdsmap['fs_name'],
+        id: selectedFileSystem.id
+      },
+      { size: 'lg' }
+    );
+  }
 }