Secure SMB implementation for Ontap-Nas Clone

alloydsa · web-flow · commit 593b0743ec82 · 2025-06-04T15:14:27.000+05:30
diff --git a/core/orchestrator_core.go b/core/orchestrator_core.go
@@ -2370,6 +2370,11 @@ func (o *TridentOrchestrator) cloneVolumeInitial(
 	if volumeConfig.SplitOnClone != "" {
 		cloneConfig.SplitOnClone = volumeConfig.SplitOnClone
 	}
+	// Override this value only if SecureSMB is enabled in clone volume's config
+	if volumeConfig.SecureSMBEnabled {
+		cloneConfig.SecureSMBEnabled = volumeConfig.SecureSMBEnabled
+		cloneConfig.SMBShareACL = volumeConfig.SMBShareACL
+	}
 	cloneConfig.ReadOnlyClone = volumeConfig.ReadOnlyClone
 	cloneConfig.Namespace = volumeConfig.Namespace
 	cloneConfig.RequestName = volumeConfig.RequestName
diff --git a/storage/backend.go b/storage/backend.go
@@ -791,13 +791,10 @@ func (b *StorageBackend) RemoveVolume(ctx context.Context, volConfig *VolumeConf
 		return err
 	}
 
-	// If it's a RO clone, no need to delete the volume in the driver
-	if !volConfig.ReadOnlyClone {
-		if err := b.driver.Destroy(ctx, volConfig); err != nil {
-			// TODO:  Check the error being returned once the nDVP throws errors
-			// for volumes that aren't found.
-			return err
-		}
+	if err := b.driver.Destroy(ctx, volConfig); err != nil {
+		// TODO:  Check the error being returned once the nDVP throws errors
+		// for volumes that aren't found.
+		return err
 	}
 
 	b.RemoveCachedVolume(volConfig.Name)
diff --git a/storage_drivers/azure/azure_anf.go b/storage_drivers/azure/azure_anf.go
@@ -1553,6 +1553,12 @@ func (d *NASStorageDriver) Destroy(ctx context.Context, volConfig *storage.Volum
 		"Type":   "NASStorageDriver",
 		"name":   name,
 	}
+
+	// If it's a RO clone, no need to delete the volume
+	if volConfig.ReadOnlyClone {
+		return nil
+	}
+
 	Logd(ctx, d.Name(), d.Config.DebugTraceFlags["method"]).WithFields(fields).Trace(">>>> Destroy")
 	defer Logd(ctx, d.Name(), d.Config.DebugTraceFlags["method"]).WithFields(fields).Trace("<<<< Destroy")
 
diff --git a/storage_drivers/gcp/gcp_gcnv.go b/storage_drivers/gcp/gcp_gcnv.go
@@ -1340,6 +1340,12 @@ func (d *NASStorageDriver) Destroy(ctx context.Context, volConfig *storage.Volum
 		"Type":   "NASStorageDriver",
 		"name":   name,
 	}
+
+	// If it's a RO clone, no need to delete the volume
+	if volConfig.ReadOnlyClone {
+		return nil
+	}
+
 	Logd(ctx, d.Name(), d.Config.DebugTraceFlags["method"]).WithFields(fields).Trace(">>>> Destroy")
 	defer Logd(ctx, d.Name(), d.Config.DebugTraceFlags["method"]).WithFields(fields).Trace("<<<< Destroy")
 
diff --git a/storage_drivers/ontap/ontap_common.go b/storage_drivers/ontap/ontap_common.go
@@ -4336,8 +4336,13 @@ func ConstructOntapNASVolumeAccessPath(
 		}
 
 		if volConfig.ReadOnlyClone {
-			completeVolumePath = fmt.Sprintf("%s\\%s\\%s\\%s", smbSharePath, volConfig.CloneSourceVolumeInternal,
-				"~snapshot", volConfig.CloneSourceSnapshot)
+			if volConfig.SecureSMBEnabled {
+				completeVolumePath = fmt.Sprintf("%s\\%s\\%s\\%s", smbSharePath, volConfig.InternalName, "~snapshot",
+					volConfig.CloneSourceSnapshot)
+			} else {
+				completeVolumePath = fmt.Sprintf("%s\\%s\\%s\\%s", smbSharePath, volConfig.CloneSourceVolumeInternal,
+					"~snapshot", volConfig.CloneSourceSnapshot)
+			}
 		} else {
 			// If the user does not specify an SMB Share, Trident creates it with the same name as the flexvol volume name.
 			completeVolumePath = smbSharePath + volumeName
diff --git a/storage_drivers/ontap/ontap_common_test.go b/storage_drivers/ontap/ontap_common_test.go
@@ -2405,7 +2405,7 @@ func TestConstructOntapNASVolumeAccessPath_SecureSMBDisabled(t *testing.T) {
 	for _, test := range tests {
 		t.Run(test.smbShare, func(t *testing.T) {
 			result := ConstructOntapNASVolumeAccessPath(ctx, test.smbShare, test.volName, volConfig, test.protocol)
-			assert.Equal(t, test.expectedPath, result, "unable to construct Ontap-NAS volume access path")
+			assert.Equal(t, test.expectedPath, result, "the constructed Ontap-NAS volume access path is incorrect")
 		})
 	}
 }
@@ -2431,7 +2431,7 @@ func TestConstructOntapNASVolumeAccessPath_SecureSMBEnabled(t *testing.T) {
 	for _, test := range tests {
 		t.Run(test.smbShare, func(t *testing.T) {
 			result := ConstructOntapNASVolumeAccessPath(ctx, test.smbShare, test.volName, volConfig, test.protocol)
-			assert.Equal(t, test.expectedPath, result, "unable to construct Ontap-NAS volume access path")
+			assert.Equal(t, test.expectedPath, result, "the constructed Ontap-NAS volume access path is incorrect")
 		})
 	}
 }
@@ -2459,7 +2459,35 @@ func TestConstructOntapNASVolumeAccessPath_ROClone(t *testing.T) {
 	for _, test := range tests {
 		t.Run(test.smbShare, func(t *testing.T) {
 			result := ConstructOntapNASVolumeAccessPath(ctx, test.smbShare, "/vol", volConfig, test.protocol)
-			assert.Equal(t, test.expectedPath, result, "unable to construct Ontap-NAS volume access path")
+			assert.Equal(t, test.expectedPath, result, "the constructed Ontap-NAS volume access path is incorrect")
+		})
+	}
+}
+
+func TestConstructOntapNASVolumeAccessPath_ROCloneSecureSMBEnabled(t *testing.T) {
+	ctx := context.Background()
+
+	volConfig := &storage.VolumeConfig{
+		InternalName:              "vol",
+		ReadOnlyClone:             true,
+		CloneSourceVolumeInternal: "sourceVol",
+		CloneSourceSnapshot:       "snapshot-abcd-1234-wxyz",
+		SecureSMBEnabled:          true,
+	}
+
+	tests := []struct {
+		smbShare     string
+		protocol     string
+		expectedPath string
+	}{
+		{"test_share", "smb", "\\vol\\~snapshot\\snapshot-abcd-1234-wxyz"},
+		{"", "smb", "\\vol\\~snapshot\\snapshot-abcd-1234-wxyz"},
+	}
+
+	for _, test := range tests {
+		t.Run(test.smbShare, func(t *testing.T) {
+			result := ConstructOntapNASVolumeAccessPath(ctx, test.smbShare, "/vol", volConfig, test.protocol)
+			assert.Equal(t, test.expectedPath, result, "the constructed Ontap-NAS volume access path is incorrect")
 		})
 	}
 }
@@ -2478,7 +2506,7 @@ func TestConstructOntapNASFlexGroupSMBVolumePath(t *testing.T) {
 	for _, test := range tests {
 		t.Run(test.smbShare, func(t *testing.T) {
 			result := ConstructOntapNASFlexGroupSMBVolumePath(ctx, test.smbShare, "vol")
-			assert.Equal(t, test.expectedPath, result, "unable to construct Ontap-NAS-QTree SMB volume path")
+			assert.Equal(t, test.expectedPath, result, "the constructed  Ontap-NAS-QTree SMB volume access path is incorrect")
 		})
 	}
 }
@@ -2576,7 +2604,7 @@ func TestConstructOntapNASQTreeVolumePath(t *testing.T) {
 	for _, test := range tests {
 		t.Run(test.smbShare, func(t *testing.T) {
 			result := ConstructOntapNASQTreeVolumePath(ctx, test.smbShare, "flex-vol", test.volConfig, test.protocol)
-			assert.Equal(t, test.expectedPath, result, "unable to construct Ontap-NAS-QTree SMB volume path")
+			assert.Equal(t, test.expectedPath, result, "the constructed Ontap-NAS-QTree SMB volume path is incorrect")
 		})
 	}
 }
diff --git a/storage_drivers/ontap/ontap_nas.go b/storage_drivers/ontap/ontap_nas.go
@@ -497,8 +497,9 @@ func (d *NASStorageDriver) CreateClone(
 	// If we still don't have splitOnClone value then HERE we check for value in the source PV's Storage/Virtual Pool
 	// If the value for "splitOnClone" is still empty then HERE we set it to backend config's SplitOnClone value
 
-	// Attempt to get splitOnClone value based on storagePool (source Volume's StoragePool)
+	// Attempt to get splitOnClone value and adAdminUser value based on storagePool (source Volume's StoragePool)
 	var storagePoolSplitOnCloneVal string
+	var adAdminUser string
 
 	var labelErr error
 	if storage.IsStoragePoolUnset(storagePool) {
@@ -511,22 +512,46 @@ func (d *NASStorageDriver) CreateClone(
 		if labelErr != nil {
 			return labelErr
 		}
+		if d.Config.NASType == sa.SMB {
+			adAdminUser = d.Config.ADAdminUser
+		}
 	} else {
 		if labels, labelErr = ConstructLabelsFromConfigs(ctx, storagePool, cloneVolConfig,
 			d.Config.CommonStorageDriverConfig, api.MaxNASLabelLength); labelErr != nil {
 			return labelErr
 		}
 		storagePoolSplitOnCloneVal = storagePool.InternalAttributes()[SplitOnClone]
+
+		if d.Config.NASType == sa.SMB {
+			// Update the clone volume config with the admin user details from the storage pool
+			adAdminUser = storagePool.InternalAttributes()[ADAdminUser]
+		}
+	}
+
+	if d.Config.NASType == sa.SMB {
+		if adAdminUser != "" {
+			if _, exists := cloneVolConfig.SMBShareACL[adAdminUser]; !exists {
+				cloneVolConfig.SMBShareACL[adAdminUser] = ADAdminUserPermission
+			}
+		}
 	}
 
 	if cloneVolConfig.ReadOnlyClone {
 		if flexvol.SnapshotDir == nil {
 			return fmt.Errorf("snapshot directory access is undefined on flexvol %s", flexvol.Name)
 		}
+
 		if *flexvol.SnapshotDir == false {
 			return fmt.Errorf("snapshot directory access is set to %t and readOnly clone is set to %t ",
 				*flexvol.SnapshotDir, cloneVolConfig.ReadOnlyClone)
 		}
+
+		if d.Config.NASType == sa.SMB && cloneVolConfig.SecureSMBEnabled {
+			if err := d.EnsureSMBShare(ctx, cloneVolConfig.InternalName, "/"+cloneVolConfig.CloneSourceVolumeInternal,
+				cloneVolConfig.SMBShareACL, cloneVolConfig.SecureSMBEnabled); err != nil {
+				return err
+			}
+		}
 		return nil
 	}
 
@@ -577,9 +602,9 @@ func (d *NASStorageDriver) CreateClone(
 
 	cloneVolConfig.ExportPolicy = exportPolicy
 
-	// TODO: enable secure SMB share for clone volumes
 	if d.Config.NASType == sa.SMB {
-		if err := d.EnsureSMBShare(ctx, cloneVolConfig.InternalName, "/"+cloneVolConfig.InternalName, cloneVolConfig.SMBShareACL, false); err != nil {
+		if err := d.EnsureSMBShare(ctx, cloneVolConfig.InternalName, "/"+cloneVolConfig.InternalName,
+			cloneVolConfig.SMBShareACL, cloneVolConfig.SecureSMBEnabled); err != nil {
 			return err
 		}
 	}
@@ -598,6 +623,16 @@ func (d *NASStorageDriver) Destroy(ctx context.Context, volConfig *storage.Volum
 	Logd(ctx, d.Name(), d.Config.DebugTraceFlags["method"]).WithFields(fields).Trace(">>>> Destroy")
 	defer Logd(ctx, d.Name(), d.Config.DebugTraceFlags["method"]).WithFields(fields).Trace("<<<< Destroy")
 
+	// Handle ReadOnlyClone case early
+	if volConfig.ReadOnlyClone {
+		if d.Config.NASType == sa.SMB && volConfig.SecureSMBEnabled {
+			if err := d.DestroySMBShare(ctx, name); err != nil {
+				return err
+			}
+		}
+		return nil // Return early for all ReadOnlyClone cases
+	}
+
 	// TODO: If this is the parent of one or more clones, those clones have to split from this
 	// volume before it can be deleted, which means separate copies of those volumes.
 	// If there are a lot of clones on this volume, that could seriously balloon the amount of
diff --git a/storage_drivers/ontap/ontap_nas_qtree.go b/storage_drivers/ontap/ontap_nas_qtree.go
@@ -574,6 +574,12 @@ func (d *NASQtreeStorageDriver) Destroy(ctx context.Context, volConfig *storage.
 		"Type":   "NASQtreeStorageDriver",
 		"name":   name,
 	}
+
+	// If it's a RO clone, no need to delete the volume
+	if volConfig.ReadOnlyClone {
+		return nil
+	}
+
 	Logd(ctx, d.Name(), d.Config.DebugTraceFlags["method"]).WithFields(fields).Trace(">>>> Destroy")
 	defer Logd(ctx, d.Name(), d.Config.DebugTraceFlags["method"]).WithFields(fields).Trace("<<<< Destroy")
 
diff --git a/storage_drivers/ontap/ontap_nas_test.go b/storage_drivers/ontap/ontap_nas_test.go
