This repository has been archived by the owner on Nov 9, 2020. It is now read-only.

Cli auth.liping #640

Merged
merged 3 commits into from
Oct 24, 2016

Conversation

lipingxue
Contributor

This change includes the code change to enable AdminCLI command to support tenants.
See #620

@lipingxue
Contributor Author

Right now, all unit tests are done manually.

  • create a tenant

[root@localhost:~] /usr/lib/vmware/vmdkops/bin/vmdkops_admin.py tenant create --name=tenant1 --vm-list photon4

 [root@localhost:~] /usr/lib/vmware/vmdkops/bin/vmdkops_admin.py tenant ls
Uuid                                  Name     Description  Default_datastore  VM_list  
------------------------------------  -------  -----------  -----------------  -------  
f140cf6e-1fea-42b0-a706-41efc52d195c  tenant1               default_ds         photon4  

 [root@localhost:~] /usr/lib/vmware/vmdkops/bin/vmdkops_admin.py tenant vm ls --name=tenant1
Uuid                                  Name     
------------------------------------  -------  
564df562-3d58-c99a-e76e-e8792b77ca2d  photon4  

  • add vm to tenant

[root@localhost:~] /usr/lib/vmware/vmdkops/bin/vmdkops_admin.py tenant vm add --name=tenant1 --vm-list photon5


[root@localhost:~] /usr/lib/vmware/vmdkops/bin/vmdkops_admin.py tenant ls 
Uuid                                  Name     Description  Default_datastore  VM_list          
------------------------------------  -------  -----------  -----------------  ---------------  
f140cf6e-1fea-42b0-a706-41efc52d195c  tenant1               default_ds         photon4,photon5  

[root@localhost:~] /usr/lib/vmware/vmdkops/bin/vmdkops_admin.py tenant vm ls --name=tenant1
Uuid                                  Name     
------------------------------------  -------  
564df562-3d58-c99a-e76e-e8792b77ca2d  photon4  
564d4728-f1c7-2029-d01e-51f5e6536cd9  photon5  

  • remove vm from tenant

[root@localhost:~] /usr/lib/vmware/vmdkops/bin/vmdkops_admin.py tenant vm rm --name=tenant1 --vm-list photon5

 [root@localhost:~] /usr/lib/vmware/vmdkops/bin/vmdkops_admin.py tenant vm ls --name=tenant1

Uuid                                  Name     
------------------------------------  -------  
564df562-3d58-c99a-e76e-e8792b77ca2d  photon4  

[root@localhost:~] /usr/lib/vmware/vmdkops/bin/vmdkops_admin.py tenant ls
Uuid                                  Name     Description  Default_datastore  VM_list  
------------------------------------  -------  -----------  -----------------  -------  
f140cf6e-1fea-42b0-a706-41efc52d195c  tenant1               default_ds         photon4  

  • Add access control for a (tenant,datastore)
[root@localhost:~] /usr/lib/vmware/vmdkops/bin/vmdkops_admin.py tenant access add --name=tenant1 --datastore=datastore1 --rights all --volume-maxsize=500MB --volume-totalsize=1GB

[root@localhost:~] /usr/lib/vmware/vmdkops/bin/vmdkops_admin.py tenant access ls --name=tenant1
Datastore   Create_volume  Delete_volume  Mount_volume  Max_volume_size  Total_size  
----------  -------------  -------------  ------------  ---------------  ----------  
datastore1  1              1              1             500.00MB         1.00GB      

  • Modify access control for a (tenant,datastore)

[root@localhost:~] /usr/lib/vmware/vmdkops/bin/vmdkops_admin.py tenant access set --name=tenant1 --datastore=datastore1 --rm-rights=mount --volume-maxsize=500MB --volume-totalsize=2GB

[root@localhost:~] /usr/lib/vmware/vmdkops/bin/vmdkops_admin.py tenant access ls --name=tenant1
Datastore   Create_volume  Delete_volume  Mount_volume  Max_volume_size  Total_size  
----------  -------------  -------------  ------------  ---------------  ----------  
datastore1  1              1              0             500.00MB         2.00GB      

[root@localhost:~] /usr/lib/vmware/vmdkops/bin/vmdkops_admin.py tenant access set --name=tenant1 --datastore=datastore1 --add-rights=mount --volume-maxsize=600MB --volume-totalsize=1GB

 [root@localhost:~] /usr/lib/vmware/vmdkops/bin/vmdkops_admin.py tenant access ls --name=tenant1
Datastore   Create_volume  Delete_volume  Mount_volume  Max_volume_size  Total_size  
----------  -------------  -------------  ------------  ---------------  ----------  
datastore1  1              1              1             600.00MB         1.00GB      

  • Remove access control for a (tenant, datastore)

[root@localhost:~] /usr/lib/vmware/vmdkops/bin/vmdkops_admin.py tenant access rm --name=tenant1 --datastore=datastore1

[root@localhost:~] /usr/lib/vmware/vmdkops/bin/vmdkops_admin.py tenant access ls --name=tenant1
Datastore  Create_volume  Delete_volume  Mount_volume  Max_volume_size  Total_size  
---------  -------------  -------------  ------------  ---------------  ----------  

@lipingxue
Contributor Author

Create two tenants, make sure each tenant can only see volumes belonging to that tenant

step 1: create another tenant (tenant2), add vm and access control to this tenant

[root@localhost:~] /usr/lib/vmware/vmdkops/bin/vmdkops_admin.py tenant create --name=tenant2 --vm-list=photon5

 [root@localhost:~] /usr/lib/vmware/vmdkops/bin/vmdkops_admin.py tenant ls
Uuid                                  Name     Description  Default_datastore  VM_list  
------------------------------------  -------  -----------  -----------------  -------  
f140cf6e-1fea-42b0-a706-41efc52d195c  tenant1               default_ds         photon4  
98958c5c-ae85-4a59-8e86-6845b107158c  tenant2               default_ds         photon5  

[root@localhost:~] /usr/lib/vmware/vmdkops/bin/vmdkops_admin.py tenant access add --name=tenant2 --datastore=datastore1 --rights all --volume-maxsize=1GB --volume-totalsize=2TB

[root@localhost:~] /usr/lib/vmware/vmdkops/bin/vmdkops_admin.py tenant ls
Uuid                                  Name     Description  Default_datastore  VM_list  
------------------------------------  -------  -----------  -----------------  -------  
f140cf6e-1fea-42b0-a706-41efc52d195c  tenant1               default_ds         photon4  
98958c5c-ae85-4a59-8e86-6845b107158c  tenant2               default_ds         photon5  

[root@localhost:~] /usr/lib/vmware/vmdkops/bin/vmdkops_admin.py tenant access ls --name=tenant1
Datastore   Create_volume  Delete_volume  Mount_volume  Max_volume_size  Total_size  
----------  -------------  -------------  ------------  ---------------  ----------  
datastore1  1              1              1             600.00MB         1.00GB      

[root@localhost:~] /usr/lib/vmware/vmdkops/bin/vmdkops_admin.py tenant access ls --name=tenant2
Datastore   Create_volume  Delete_volume  Mount_volume  Max_volume_size  Total_size  
----------  -------------  -------------  ------------  ---------------  ----------  
datastore1  1              1              1             1.00GB           2.00TB      

step 2: create two volumes on photon4 (VM which is associated to tenant1)

 root@photon-JQQBWNwG6 [ ~ ]# docker volume ls
DRIVER              VOLUME NAME
root@photon-JQQBWNwG6 [ ~ ]# docker volume create --driver=vmdk --name=tenant1-vol1 -o size=100MB
tenant1-vol1
root@photon-JQQBWNwG6 [ ~ ]# docker volume create --driver=vmdk --name=tenant1-vol2 -o size=100MB
tenant1-vol2

step 3: create two volumes on photon5 (VM which is associated to tenant2)

root@photon-eZ5ILvREQ [ ~ ]# docker volume ls
DRIVER              VOLUME NAME

root@photon-eZ5ILvREQ [ ~ ]# docker volume create --driver=vmdk --name=tenant2-vol1 -o size=200MB
tenant2-vol1
root@photon-eZ5ILvREQ [ ~ ]# docker volume create --driver=vmdk --name=tenant2-vol2 -o size=200MB
tenant2-vol2

step 4: run “docker volume ls” on both VMs, only volumes created by that tenant are listed
On photon4 (tenant1)

root@photon-JQQBWNwG6 [ ~ ]# docker volume ls
DRIVER              VOLUME NAME
vmdk                tenant1-vol1
vmdk                tenant1-vol2

On photon5 (tenant2)

root@photon-eZ5ILvREQ [ ~ ]# docker volume ls
DRIVER              VOLUME NAME
vmdk                tenant2-vol1
vmdk                tenant2-vol2
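
An added example, not part of the pull request or the project's code: because the checks above were run by hand, this sketch parses the admin CLI's tables using the dashed ruler for column bounds (so the empty Description cell does not shift fields) and derives two results from the captured output: the rights a tenant holds per datastore, and any VM listed under more than one tenant. The function names and the one-tenant-per-VM invariant are assumptions made here.

```python
import re

# Output copied from the thread above (trailing spaces trimmed).
TENANT_LS = """\
Uuid                                  Name     Description  Default_datastore  VM_list
------------------------------------  -------  -----------  -----------------  -------
f140cf6e-1fea-42b0-a706-41efc52d195c  tenant1               default_ds         photon4
98958c5c-ae85-4a59-8e86-6845b107158c  tenant2               default_ds         photon5
"""
# "tenant access ls" after "--rm-rights=mount" was applied to tenant1.
ACCESS_LS = """\
Datastore   Create_volume  Delete_volume  Mount_volume  Max_volume_size  Total_size
----------  -------------  -------------  ------------  ---------------  ----------
datastore1  1              1              0             500.00MB         2.00GB
"""
RIGHT_COLUMNS = ("Create_volume", "Delete_volume", "Mount_volume")

def parse_table(output):
    """Parse header / dashed ruler / rows into a list of dicts.

    Column spans are taken from the ruler, so empty cells and multi-word
    headers ("Created By VM") stay in the right column.
    """
    lines = [l for l in output.splitlines() if l.strip()]
    ruler = next(i for i, l in enumerate(lines) if re.fullmatch(r"[- ]+", l))
    spans = [m.span() for m in re.finditer(r"-+", lines[ruler])]
    names = [lines[ruler - 1][a:b].strip() for a, b in spans]
    return [{n: line[a:b].strip() for n, (a, b) in zip(names, spans)}
            for line in lines[ruler + 1:]]

def granted_rights(access_rows):
    """Map each datastore to the set of right columns whose flag is '1'."""
    return {r["Datastore"]: {c for c in RIGHT_COLUMNS if r[c] == "1"}
            for r in access_rows}

def vms_in_multiple_tenants(tenant_rows):
    """Return {vm: [tenant names]} for VMs listed under more than one tenant.

    Assumed invariant (not stated in the thread): a VM belongs to one tenant.
    """
    owners = {}
    for row in tenant_rows:
        for vm in filter(None, row["VM_list"].split(",")):
            owners.setdefault(vm, []).append(row["Name"])
    return {vm: names for vm, names in owners.items() if len(names) > 1}
```
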

@lipingxue
Contributor Author

unit test for tenant rm command

step 1: remove tenant2

[root@localhost:~] /usr/lib/vmware/vmdkops/bin/vmdkops_admin.py tenant rm --name=tenant2 --remove-volumes=True
 [root@localhost:~] 

[root@localhost:~] /usr/lib/vmware/vmdkops/bin/vmdkops_admin.py tenant ls
Uuid                                  Name     Description  Default_datastore  VM_list  
------------------------------------  -------  -----------  -----------------  -------  
f140cf6e-1fea-42b0-a706-41efc52d195c  tenant1               default_ds         photon4 

step 2: run "docker volume ls" on photon5 (which used to belong to tenant2, but now does not belong to any tenant), it will only show volumes which are not associated with any tenant

root@photon-eZ5ILvREQ [ ~ ]# docker volume ls
DRIVER              VOLUME NAME
vmdk                non-tenant-vol1
vmdk                non-tenant-vol2
vmdk                non-tenant-vol3

step 3: check the "/vmfs/volumes/datastore1/dockervols/", all volumes under "tenant2" are removed and directory "tenant2" is removed

@lipingxue
Contributor Author

unit test for ls command with --tenant option



[root@localhost:~] /usr/lib/vmware/vmdkops/bin/vmdkops_admin.py ls 
Volume           Datastore   Created By VM  Created                   Attached To VM  Policy  Capacity  Used     Filesystem Type  Access      Attach As               
---------------  ----------  -------------  ------------------------  --------------  ------  --------  -------  ---------------  ----------  ----------------------  
non-tenant-vol1  datastore1  photon4        Sun Aug 14 09:36:45 2016  detached        N/A     100.00MB  0B       ext4             read-write  independent_persistent  
non-tenant-vol2  datastore1  photon4        Sun Aug 14 09:40:53 2016  detached        N/A     100.00MB  0B       ext4             read-write  independent_persistent  
non-tenant-vol3  datastore1  photon4        Thu Aug 18 07:22:24 2016  detached        N/A     100.00MB  13.00MB  ext4             read-write  independent_persistent  
tenant1-vol1     datastore1  photon4        Fri Aug 19 16:13:03 2016  detached        N/A     100.00MB  13.00MB  ext4             read-write  independent_persistent  
tenant1-vol2     datastore1  photon4        Fri Aug 19 16:13:11 2016  detached        N/A     100.00MB  13.00MB  ext4             read-write  independent_persistent  

 [root@localhost:~] /usr/lib/vmware/vmdkops/bin/vmdkops_admin.py ls -c=volume,datastore,access
Volume           Datastore   Access      
---------------  ----------  ----------  
non-tenant-vol1  datastore1  read-write  
non-tenant-vol2  datastore1  read-write  
non-tenant-vol3  datastore1  read-write  
tenant1-vol1     datastore1  read-write  
tenant1-vol2     datastore1  read-write  

[root@localhost:~] /usr/lib/vmware/vmdkops/bin/vmdkops_admin.py ls --tenant=tenant1
Volume        Datastore   Created By VM  Created                   Attached To VM  Policy  Capacity  Used     Filesystem Type  Access      Attach As               
------------  ----------  -------------  ------------------------  --------------  ------  --------  -------  ---------------  ----------  ----------------------  
tenant1-vol1  datastore1  photon4        Fri Aug 19 16:13:03 2016  detached        N/A     100.00MB  13.00MB  ext4             read-write  independent_persistent  
tenant1-vol2  datastore1  photon4        Fri Aug 19 16:13:11 2016  detached        N/A     100.00MB  13.00MB  ext4             read-write  independent_persistent  

[root@localhost:~] /usr/lib/vmware/vmdkops/bin/vmdkops_admin.py ls --tenant=tenant1 -c=volume,datastore,access
Volume        Datastore   Access      
------------  ----------  ----------  
tenant1-vol1  datastore1  read-write  
tenant1-vol2  datastore1  read-write  

@lipingxue
Contributor Author

lipingxue commented Oct 21, 2016

Please start first round review.
In the meantime, I plan to

  • do more testing, especially more negative testing, to shake out more bugs
  • add automated testing for those new commands

@msterin
Contributor

msterin commented Oct 21, 2016

@lipingxue - please rebase on master (which now has the CLI syntax merged) and re-push, this way we can review the delta only. Thanks

@lipingxue
Contributor Author

lipingxue commented Oct 21, 2016

@msterin I have rebased with master and repushed the change.
Most of the code related to admin CLI is in vmdkops_admin.py.
Since my previous change at auth.liping branch has not been merged to master yet (still need your final review), the diff in this change will show some changes that I made in auth.liping, which has already been reviewed by Andy and you.

@msterin
Contributor

msterin commented Oct 22, 2016

Overall good draft and the logic is sound. Copy-n-paste should be eliminated and some consistency in messages (with the rest of the code) is needed. Also it still has a bunch of files from prior PRs, there is no need to do it - please only push the new code in this PR (you can always branch from the prior PR, this way only delta will show up on the review)

@lipingxue lipingxue merged commit 396dec8 into master Oct 24, 2016
@lipingxue
Contributor Author

I incorrectly merged commit (SHA 396dec8) into master branch. This merge has been reverted from master by Ritesh.

brunotm added a commit to brunotm/docker-volume-vsphere that referenced this pull request Oct 26, 2016
* master: (25 commits)
  Update new ESX IP
  added forgotten .so file
  Install sqlite3 py libs on ESX and load for Python2
  Added py code and binaries for sqlite3 python libs
  Update drone security
  Removed accidental .pyc files
  Handle byte to string conversions for status command.
  Auth configuration and operation admission check (Auth.liping) (vmware-archive#603)
  Revert "Cli auth.liping"
  Cli auth.liping (vmware-archive#640)
  Handle missing or invalid fs type on mount. (vmware-archive#639)
  Updated Admin CLI commands to support tenants. (vmware-archive#620)
  Workaround older versions of e2fsprogs (vmware-archive#631)
  Add auth proposal
  Made handing of missing metafile less harsh. (vmware-archive#627)
  Fixed ACLs in payload bin dir (vmware-archive#624)
  Fixed error handling for set command. (vmware-archive#610)
  Use new error variables when rolling back volume creation to avoid nil reassignment. (vmware-archive#617)
  Change wording
  Fix broken link
  ...