Merge pull request #1199 from andyzhangx/support-volume-mount-group

feat: support volume mount group and add FSGroupChangePolicy param for NFS mount

Author: andyzhangx

docs/driver-parameters.md

@@ -97,6 +97,7 @@ nodeStageSecretRef.name | secret name that stores(check below examples):<br>`azu
 nodeStageSecretRef.namespace | secret namespace | k8s namespace  |  Yes  |
 --- | **Following parameters are only for NFS protocol** | --- | --- |
 volumeAttributes.mountPermissions | mounted folder permissions | `0777` | No |
+fsGroupChangePolicy | indicates how volume's ownership will be changed by the driver, pod `securityContext.fsGroupChangePolicy` is ignored  | `OnRootMismatch`(by default), `Always`, `None` | No | `OnRootMismatch`
 --- | **Following parameters are only for feature: blobfuse [Managed Identity and Service Principal Name auth](https://github.com/Azure/azure-storage-fuse/tree/blobfuse-1.4.5#environment-variables)** | --- | --- |
 volumeAttributes.AzureStorageAuthType | Authentication Type | `Key`, `SAS`, `MSI`, `SPN` | No | `Key`
 volumeAttributes.AzureStorageIdentityClientID | Identity Client ID |  | No |

pkg/blob/blob.go

@@ -114,6 +114,7 @@ const (
 	accessTierField                = "accesstier"
 	networkEndpointTypeField       = "networkendpointtype"
 	mountPermissionsField          = "mountpermissions"
+	fsGroupChangePolicyField       = "fsgroupchangepolicy"
 	useDataPlaneAPIField           = "usedataplaneapi"
 
 	// See https://docs.microsoft.com/en-us/rest/api/storageservices/naming-and-referencing-containers--blobs--and-metadata#container-names
@@ -145,11 +146,14 @@ const (
 	VolumeID = "volumeid"
 
 	defaultStorageEndPointSuffix = "core.windows.net"
+
+	FSGroupChangeNone = "None"
 )
 
 var (
-	supportedProtocolList = []string{Fuse, Fuse2, NFS}
-	retriableErrors       = []string{accountNotProvisioned, tooManyRequests, statusCodeNotFound, containerBeingDeletedDataplaneAPIError, containerBeingDeletedManagementAPIError, clientThrottled}
+	supportedProtocolList            = []string{Fuse, Fuse2, NFS}
+	retriableErrors                  = []string{accountNotProvisioned, tooManyRequests, statusCodeNotFound, containerBeingDeletedDataplaneAPIError, containerBeingDeletedManagementAPIError, clientThrottled}
+	supportedFSGroupChangePolicyList = []string{FSGroupChangeNone, string(v1.FSGroupChangeAlways), string(v1.FSGroupChangeOnRootMismatch)}
 )
 
 // DriverOptions defines driver parameters specified in driver deployment
@@ -168,6 +172,8 @@ type DriverOptions struct {
 	EnableAznfsMount                       bool
 	VolStatsCacheExpireInMinutes           int
 	SasTokenExpirationMinutes              int
+	EnableVolumeMountGroup                 bool
+	FSGroupChangePolicy                    string
 }
 
 func (option *DriverOptions) AddFlags() {
@@ -185,6 +191,8 @@ func (option *DriverOptions) AddFlags() {
 	flag.BoolVar(&option.EnableAznfsMount, "enable-aznfs-mount", false, "replace nfs mount with aznfs mount")
 	flag.IntVar(&option.VolStatsCacheExpireInMinutes, "vol-stats-cache-expire-in-minutes", 10, "The cache expire time in minutes for volume stats cache")
 	flag.IntVar(&option.SasTokenExpirationMinutes, "sas-token-expiration-minutes", 1440, "sas token expiration minutes during volume cloning")
+	flag.BoolVar(&option.EnableVolumeMountGroup, "enable-volume-mount-group", true, "indicates whether enabling VOLUME_MOUNT_GROUP")
+	flag.StringVar(&option.FSGroupChangePolicy, "fsgroup-change-policy", "", "indicates how the volume's ownership will be changed by the driver, OnRootMismatch is the default value")
 }
 
 // Driver implements all interfaces of CSI drivers
@@ -204,6 +212,8 @@ type Driver struct {
 	blobfuseProxyConnTimout                int
 	mountPermissions                       uint64
 	enableAznfsMount                       bool
+	enableVolumeMountGroup                 bool
+	fsGroupChangePolicy                    string
 	mounter                                *mount.SafeFormatAndMount
 	volLockMap                             *util.LockMap
 	// A map storing all volumes with ongoing operations so that additional operations
@@ -230,7 +240,6 @@ type Driver struct {
 // NewDriver Creates a NewCSIDriver object. Assumes vendor version is equal to driver version &
 // does not support optional driver plugin info manifest field. Refer to CSI spec for more details.
 func NewDriver(options *DriverOptions, kubeClient kubernetes.Interface, cloud *provider.Cloud) *Driver {
-	var err error
 	d := Driver{
 		volLockMap:                             util.NewLockMap(),
 		subnetLockMap:                          util.NewLockMap(),
@@ -241,10 +250,12 @@ func NewDriver(options *DriverOptions, kubeClient kubernetes.Interface, cloud *p
 		blobfuseProxyConnTimout:                options.BlobfuseProxyConnTimout,
 		enableBlobMockMount:                    options.EnableBlobMockMount,
 		enableGetVolumeStats:                   options.EnableGetVolumeStats,
+		enableVolumeMountGroup:                 options.EnableVolumeMountGroup,
 		appendMountErrorHelpLink:               options.AppendMountErrorHelpLink,
 		mountPermissions:                       options.MountPermissions,
 		enableAznfsMount:                       options.EnableAznfsMount,
 		sasTokenExpirationMinutes:              options.SasTokenExpirationMinutes,
+		fsGroupChangePolicy:                    options.FSGroupChangePolicy,
 		azcopy:                                 &util.Azcopy{},
 		KubeClient:                             kubeClient,
 		cloud:                                  cloud,
@@ -253,6 +264,7 @@ func NewDriver(options *DriverOptions, kubeClient kubernetes.Interface, cloud *p
 	d.Version = driverVersion
 	d.NodeID = options.NodeID
 
+	var err error
 	getter := func(key string) (interface{}, error) { return nil, nil }
 	if d.accountSearchCache, err = azcache.NewTimedCache(time.Minute, getter, false); err != nil {
 		klog.Fatalf("%v", err)
@@ -302,6 +314,9 @@ func NewDriver(options *DriverOptions, kubeClient kubernetes.Interface, cloud *p
 	if d.enableGetVolumeStats {
 		nodeCap = append(nodeCap, csi.NodeServiceCapability_RPC_GET_VOLUME_STATS)
 	}
+	if d.enableVolumeMountGroup {
+		nodeCap = append(nodeCap, csi.NodeServiceCapability_RPC_VOLUME_MOUNT_GROUP)
+	}
 	d.AddNodeServiceCapabilities(nodeCap)
 
 	return &d
@@ -1022,3 +1037,15 @@ func replaceWithMap(str string, m map[string]string) string {
 	}
 	return str
 }
+
+func isSupportedFSGroupChangePolicy(policy string) bool {
+	if policy == "" {
+		return true
+	}
+	for _, v := range supportedFSGroupChangePolicyList {
+		if policy == v {
+			return true
+		}
+	}
+	return false
+}

pkg/blob/blob_test.go

@@ -1784,3 +1784,42 @@ func TestDriverOptions_AddFlags(t *testing.T) {
 		}
 	})
 }
+
+func TestIsSupportedFSGroupChangePolicy(t *testing.T) {
+	tests := []struct {
+		policy         string
+		expectedResult bool
+	}{
+		{
+			policy:         "",
+			expectedResult: true,
+		},
+		{
+			policy:         "None",
+			expectedResult: true,
+		},
+		{
+			policy:         "Always",
+			expectedResult: true,
+		},
+		{
+			policy:         "OnRootMismatch",
+			expectedResult: true,
+		},
+		{
+			policy:         "onRootMismatch",
+			expectedResult: false,
+		},
+		{
+			policy:         "invalid",
+			expectedResult: false,
+		},
+	}
+
+	for _, test := range tests {
+		result := isSupportedFSGroupChangePolicy(test.policy)
+		if result != test.expectedResult {
+			t.Errorf("isSupportedFSGroupChangePolicy(%s) returned with %v, not equal to %v", test.policy, result, test.expectedResult)
+		}
+	}
+}

pkg/blob/controllerserver.go

@@ -99,7 +99,7 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 	}
 	var storageAccountType, subsID, resourceGroup, location, account, containerName, containerNamePrefix, protocol, customTags, secretName, secretNamespace, pvcNamespace string
 	var isHnsEnabled, requireInfraEncryption, enableBlobVersioning, createPrivateEndpoint, enableNfsV3 *bool
-	var vnetResourceGroup, vnetName, subnetName, accessTier, networkEndpointType, storageEndpointSuffix string
+	var vnetResourceGroup, vnetName, subnetName, accessTier, networkEndpointType, storageEndpointSuffix, fsGroupChangePolicy string
 	var matchTags, useDataPlaneAPI, getLatestAccountKey bool
 	var softDeleteBlobs, softDeleteContainers int32
 	var vnetResourceIDs []string
@@ -212,6 +212,8 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 			}
 		case useDataPlaneAPIField:
 			useDataPlaneAPI = strings.EqualFold(v, trueValue)
+		case fsGroupChangePolicyField:
+			fsGroupChangePolicy = v
 		default:
 			return nil, status.Errorf(codes.InvalidArgument, fmt.Sprintf("invalid parameter %q in storage class", k))
 		}
@@ -223,6 +225,10 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 		}
 	}
 
+	if !isSupportedFSGroupChangePolicy(fsGroupChangePolicy) {
+		return nil, status.Errorf(codes.InvalidArgument, "fsGroupChangePolicy(%s) is not supported, supported fsGroupChangePolicy list: %v", fsGroupChangePolicy, supportedFSGroupChangePolicyList)
+	}
+
 	if matchTags && account != "" {
 		return nil, status.Errorf(codes.InvalidArgument, fmt.Sprintf("matchTags must set as false when storageAccount(%s) is provided", account))
 	}

pkg/blob/controllerserver_test.go

@@ -238,6 +238,29 @@ func TestCreateVolume(t *testing.T) {
 				}
 			},
 		},
+		{
+			name: "Invalid fsGroupChangePolicy",
+			testFunc: func(t *testing.T) {
+				d := NewFakeDriver()
+				d.cloud = &azure.Cloud{}
+				mp := map[string]string{
+					fsGroupChangePolicyField: "test_fsGroupChangePolicy",
+				}
+				req := &csi.CreateVolumeRequest{
+					Name:               "unit-test",
+					VolumeCapabilities: stdVolumeCapabilities,
+					Parameters:         mp,
+				}
+				d.Cap = []*csi.ControllerServiceCapability{
+					controllerServiceCapability,
+				}
+				_, err := d.CreateVolume(context.Background(), req)
+				expectedErr := status.Errorf(codes.InvalidArgument, "fsGroupChangePolicy(test_fsGroupChangePolicy) is not supported, supported fsGroupChangePolicy list: [None Always OnRootMismatch]")
+				if !reflect.DeepEqual(err, expectedErr) {
+					t.Errorf("actualErr: (%v), expectedErr: (%v)", err, expectedErr)
+				}
+			},
+		},
 		{
 			name: "invalid getLatestAccountKey value",
 			testFunc: func(t *testing.T) {

pkg/blob/nodeserver.go

@@ -237,6 +237,7 @@ func (d *Driver) NodeStageVolume(ctx context.Context, req *csi.NodeStageVolumeRe
 	defer d.volumeLocks.Release(lockKey)
 
 	mountFlags := req.GetVolumeCapability().GetMount().GetMountFlags()
+	volumeMountGroup := req.GetVolumeCapability().GetMount().GetVolumeMountGroup()
 	attrib := req.GetVolumeContext()
 	secrets := req.GetSecrets()
 
@@ -251,6 +252,8 @@ func (d *Driver) NodeStageVolume(ctx context.Context, req *csi.NodeStageVolumeRe
 
 	containerNameReplaceMap := map[string]string{}
 
+	fsGroupChangePolicy := d.fsGroupChangePolicy
+
 	mountPermissions := d.mountPermissions
 	performChmodOp := (mountPermissions > 0)
 	for k, v := range attrib {
@@ -286,9 +289,15 @@ func (d *Driver) NodeStageVolume(ctx context.Context, req *csi.NodeStageVolumeRe
 					mountPermissions = perm
 				}
 			}
+		case fsGroupChangePolicyField:
+			fsGroupChangePolicy = v
 		}
 	}
 
+	if !isSupportedFSGroupChangePolicy(fsGroupChangePolicy) {
+		return nil, status.Errorf(codes.InvalidArgument, "fsGroupChangePolicy(%s) is not supported, supported fsGroupChangePolicy list: %v", fsGroupChangePolicy, supportedFSGroupChangePolicyList)
+	}
+
 	mnt, err := d.ensureMountPoint(targetPath, fs.FileMode(mountPermissions))
 	if err != nil {
 		return nil, status.Errorf(codes.Internal, "Could not mount target %q: %v", targetPath, err)
@@ -348,6 +357,13 @@ func (d *Driver) NodeStageVolume(ctx context.Context, req *csi.NodeStageVolumeRe
 			klog.V(2).Infof("skip chmod on targetPath(%s) since mountPermissions is set as 0", targetPath)
 		}
 
+		if volumeMountGroup != "" && fsGroupChangePolicy != FSGroupChangeNone {
+			klog.V(2).Infof("set gid of volume(%s) as %s using fsGroupChangePolicy(%s)", volumeID, volumeMountGroup, fsGroupChangePolicy)
+			if err := volumehelper.SetVolumeOwnership(targetPath, volumeMountGroup, fsGroupChangePolicy); err != nil {
+				return nil, status.Error(codes.Internal, fmt.Sprintf("SetVolumeOwnership with volume(%s) on %s failed with %v", volumeID, targetPath, err))
+			}
+		}
+
 		isOperationSucceeded = true
 		klog.V(2).Infof("volume(%s) mount %s on %s succeeded", volumeID, source, targetPath)
 		return &csi.NodeStageVolumeResponse{}, nil
@@ -361,6 +377,12 @@ func (d *Driver) NodeStageVolume(ctx context.Context, req *csi.NodeStageVolumeRe
 	if isHnsEnabled {
 		mountOptions = util.JoinMountOptions(mountOptions, []string{"--use-adls=true"})
 	}
+
+	if !checkGidPresentInMountFlags(mountFlags) && volumeMountGroup != "" {
+		klog.V(2).Infof("append volumeMountGroup %s", volumeMountGroup)
+		mountOptions = append(mountOptions, fmt.Sprintf("-o gid=%s", volumeMountGroup))
+	}
+
 	tmpPath := fmt.Sprintf("%s/%s", "/mnt", volumeID)
 	if d.appendTimeStampInCacheDir {
 		tmpPath += fmt.Sprintf("#%d", time.Now().Unix())
@@ -372,8 +394,8 @@ func (d *Driver) NodeStageVolume(ctx context.Context, req *csi.NodeStageVolumeRe
 		args = args + " " + opt
 	}
 
-	klog.V(2).Infof("target %v\nprotocol %v\n\nvolumeId %v\ncontext %v\nmountflags %v\nmountOptions %v\nargs %v\nserverAddress %v",
-		targetPath, protocol, volumeID, attrib, mountFlags, mountOptions, args, serverAddress)
+	klog.V(2).Infof("target %v\nprotocol %v\n\nvolumeId %v\ncontext %v\nmountflags %v mountOptions %v volumeMountGroup %s\nargs %v\nserverAddress %v",
+		targetPath, protocol, volumeID, attrib, mountFlags, mountOptions, volumeMountGroup, args, serverAddress)
 
 	authEnv = append(authEnv, "AZURE_STORAGE_ACCOUNT="+accountName, "AZURE_STORAGE_BLOB_ENDPOINT="+serverAddress)
 	if d.enableBlobMockMount {
@@ -653,3 +675,12 @@ func waitForMount(path string, intervel, timeout time.Duration) error {
 		}
 	}
 }
+
+func checkGidPresentInMountFlags(mountFlags []string) bool {
+	for _, mountFlag := range mountFlags {
+		if strings.Contains(mountFlag, "gid=") {
+			return true
+		}
+	}
+	return false
+}

pkg/blob/nodeserver_test.go

@@ -463,6 +463,25 @@ func TestNodeStageVolume(t *testing.T) {
 				}
 			},
 		},
+		{
+			name: "[Error] Invalid fsGroupChangePolicy",
+			testFunc: func(t *testing.T) {
+				req := &csi.NodeStageVolumeRequest{
+					VolumeId:          "unit-test",
+					StagingTargetPath: "unit-test",
+					VolumeCapability:  &csi.VolumeCapability{AccessMode: &volumeCap},
+					VolumeContext: map[string]string{
+						fsGroupChangePolicyField: "test_fsGroupChangePolicy",
+					},
+				}
+				d := NewFakeDriver()
+				_, err := d.NodeStageVolume(context.TODO(), req)
+				expectedErr := status.Error(codes.InvalidArgument, "fsGroupChangePolicy(test_fsGroupChangePolicy) is not supported, supported fsGroupChangePolicy list: [None Always OnRootMismatch]")
+				if !reflect.DeepEqual(err, expectedErr) {
+					t.Errorf("actualErr: (%v), expectedErr: (%v)", err, expectedErr)
+				}
+			},
+		},
 		{
 			name: "[Error] Could not mount to target",
 			testFunc: func(t *testing.T) {
@@ -812,3 +831,34 @@ func Test_waitForMount(t *testing.T) {
 		})
 	}
 }
+
+func TestCheckGidPresentInMountFlags(t *testing.T) {
+	tests := []struct {
+		desc       string
+		MountFlags []string
+		result     bool
+	}{
+		{
+			desc:       "[Success] Gid present in mount flags",
+			MountFlags: []string{"gid=3000"},
+			result:     true,
+		},
+		{
+			desc:       "[Success] Gid present in mount flags",
+			MountFlags: []string{"-o gid=3000"},
+			result:     true,
+		},
+		{
+			desc:       "[Success] Gid not present in mount flags",
+			MountFlags: []string{},
+			result:     false,
+		},
+	}
+
+	for _, test := range tests {
+		gIDPresent := checkGidPresentInMountFlags(test.MountFlags)
+		if gIDPresent != test.result {
+			t.Errorf("[%s]: Expected result : %t, Actual result: %t", test.desc, test.result, gIDPresent)
+		}
+	}
+}