fix missing admin capabilities for cephobjectstoreusers

users and buckets admin capabilities are supported by ceph (see https://github.com/ceph/ceph/blob/main/src/rgw/rgw_common.cc#L2093) but are discarded by rook/kubernetes because they aren't part of the CRD.
criteo-forks · Jun 20, 2023 · e9a0d17 · e9a0d17
1 parent 02ee0b9
commit e9a0d17
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 9 deletions.
diff --git a/deploy/charts/rook-ceph/templates/resources.yaml b/deploy/charts/rook-ceph/templates/resources.yaml
@@ -12881,7 +12881,7 @@ spec:
                   description: Additional admin-level capabilities for the Ceph object store user
                   nullable: true
                   properties:
-                    bucket:
+                    buckets:
                       description: Admin capabilities to read/write Ceph object store buckets. Documented in https://docs.ceph.com/en/latest/radosgw/admin/?#add-remove-admin-capabilities
                       enum:
                         - '*'
@@ -12913,6 +12913,14 @@ spec:
                         - write
                         - read, write
                       type: string
+                    users:
+                      description: Admin capabilities to read/write Ceph object store users. Documented in https://docs.ceph.com/en/latest/radosgw/admin/?#add-remove-admin-capabilities
+                      enum:
+                        - '*'
+                        - read
+                        - write
+                        - read, write
+                      type: string
                     zone:
                       description: Admin capabilities to read/write Ceph object store zones. Documented in https://docs.ceph.com/en/latest/radosgw/admin/?#add-remove-admin-capabilities
                       enum:

diff --git a/deploy/examples/crds.yaml b/deploy/examples/crds.yaml
@@ -12872,7 +12872,7 @@ spec:
                   description: Additional admin-level capabilities for the Ceph object store user
                   nullable: true
                   properties:
-                    bucket:
+                    buckets:
                       description: Admin capabilities to read/write Ceph object store buckets. Documented in https://docs.ceph.com/en/latest/radosgw/admin/?#add-remove-admin-capabilities
                       enum:
                         - '*'
@@ -12904,6 +12904,14 @@ spec:
                         - write
                         - read, write
                       type: string
+                    users:
+                      description: Admin capabilities to read/write Ceph object store users. Documented in https://docs.ceph.com/en/latest/radosgw/admin/?#add-remove-admin-capabilities
+                      enum:
+                        - '*'
+                        - read
+                        - write
+                        - read, write
+                      type: string
                     zone:
                       description: Admin capabilities to read/write Ceph object store zones. Documented in https://docs.ceph.com/en/latest/radosgw/admin/?#add-remove-admin-capabilities
                       enum:

diff --git a/pkg/apis/ceph.rook.io/v1/types.go b/pkg/apis/ceph.rook.io/v1/types.go
@@ -1563,8 +1563,12 @@ type ObjectUserCapSpec struct {
 	User string `json:"user,omitempty"`
 	// +optional
 	// +kubebuilder:validation:Enum={"*","read","write","read, write"}
+	// Admin capabilities to read/write Ceph object store users. Documented in https://docs.ceph.com/en/latest/radosgw/admin/?#add-remove-admin-capabilities
+	Users string `json:"users,omitempty"`
+	// +optional
+	// +kubebuilder:validation:Enum={"*","read","write","read, write"}
 	// Admin capabilities to read/write Ceph object store buckets. Documented in https://docs.ceph.com/en/latest/radosgw/admin/?#add-remove-admin-capabilities
-	Bucket string `json:"bucket,omitempty"`
+	Buckets string `json:"buckets,omitempty"`
 	// +optional
 	// +kubebuilder:validation:Enum={"*","read","write","read, write"}
 	// Admin capabilities to read/write Ceph object store metadata. Documented in https://docs.ceph.com/en/latest/radosgw/admin/?#add-remove-admin-capabilities

diff --git a/pkg/operator/ceph/object/user/controller.go b/pkg/operator/ceph/object/user/controller.go
@@ -422,8 +422,11 @@ func generateUserConfig(user *cephv1.CephObjectStoreUser) admin.User {
 		if user.Spec.Capabilities.User != "" {
 			userConfig.UserCaps += fmt.Sprintf("users=%s;", user.Spec.Capabilities.User)
 		}
-		if user.Spec.Capabilities.Bucket != "" {
-			userConfig.UserCaps += fmt.Sprintf("buckets=%s;", user.Spec.Capabilities.Bucket)
+		if user.Spec.Capabilities.Users != "" {
+			userConfig.UserCaps += fmt.Sprintf("users=%s;", user.Spec.Capabilities.User)
+		}
+		if user.Spec.Capabilities.Buckets != "" {
+			userConfig.UserCaps += fmt.Sprintf("buckets=%s;", user.Spec.Capabilities.Buckets)
 		}
 		if user.Spec.Capabilities.MetaData != "" {
 			userConfig.UserCaps += fmt.Sprintf("metadata=%s;", user.Spec.Capabilities.MetaData)

diff --git a/pkg/operator/ceph/object/user/controller_test.go b/pkg/operator/ceph/object/user/controller_test.go
@@ -461,8 +461,8 @@ func TestCreateOrUpdateCephUser(t *testing.T) {
 	t.Run("setting Capabilities for the user", func(t *testing.T) {
 		objectUser.Spec.Quotas = nil
 		objectUser.Spec.Capabilities = &cephv1.ObjectUserCapSpec{
-			User:   "read",
-			Bucket: "read",
+			User:    "read",
+			Buckets: "read",
 		}
 		userConfig = generateUserConfig(objectUser)
 		r.userConfig = &userConfig
@@ -510,8 +510,8 @@ func TestCreateOrUpdateCephUser(t *testing.T) {
 
 	t.Run("setting both Quotas and Capabilities for the user", func(t *testing.T) {
 		objectUser.Spec.Capabilities = &cephv1.ObjectUserCapSpec{
-			User:   "read",
-			Bucket: "read",
+			User:    "read",
+			Buckets: "read",
 		}
 		objectUser.Spec.Quotas = &cephv1.ObjectUserQuotaSpec{MaxBuckets: &maxbucket, MaxObjects: &maxobject, MaxSize: &maxsize}
 		userConfig = generateUserConfig(objectUser)