Skip to content

Allow to set Supplemental Groups or fsGroup for the registry via the command line#12951

Merged
openshift-bot merged 1 commit intoopenshift:masterfrom
mfojtik:registry-groups
Apr 5, 2017
Merged

Allow to set Supplemental Groups or fsGroup for the registry via the command line#12951
openshift-bot merged 1 commit intoopenshift:masterfrom
mfojtik:registry-groups

Conversation

@mfojtik
Copy link
Contributor

@mfojtik mfojtik commented Feb 14, 2017

php-coder
php-coder reviewed Feb 14, 2017
View reviewed changes
pkg/cmd/admin/registry/registry.go Outdated
cmd.Flags().StringVar(&cfg.ServingCertPath, "tls-certificate", cfg.ServingCertPath, "An optional path to a PEM encoded certificate (which may contain the private key) for serving over TLS")
cmd.Flags().StringVar(&cfg.ServingKeyPath, "tls-key", cfg.ServingKeyPath, "An optional path to a PEM encoded private key for serving over TLS")
cmd.Flags().StringSliceVar(&cfg.SupplementalGroupRange, "supplemental-groups", cfg.SupplementalGroupRange, "Specify supplemental groups which is an array of ID's that grants group access to registry shared storage")
cmd.Flags().StringVar(&cfg.FSGroup, "fs-group", "", "Specify fsGroup which is an ID's that grants group access to registry block storage")
Copy link
Contributor

@php-coder php-coder Feb 14, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/ID's/ID/

php-coder
php-coder reviewed Feb 14, 2017
View reviewed changes
pkg/cmd/admin/registry/registry.go
}
}
if len(opts.Config.SupplementalGroupRange) > 0 && len(opts.Config.FSGroup) > 0 {
return kcmdutil.UsageError(cmd, "fsGroup and supplemental groups cannot be specified both at the same time")
Copy link
Contributor

@php-coder php-coder Feb 14, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't see a reason of why they cannot be specified both. Would be interesting to know.

Copy link
Contributor Author

@mfojtik mfojtik Feb 14, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@php-coder I think you either want block storage or shared for registry volume, not both.

php-coder
php-coder reviewed Feb 14, 2017
View reviewed changes
pkg/cmd/admin/registry/registry.go Outdated
// Complete().
continue
}
result.SupplementalGroups = append(result.SupplementalGroups, groupID)
Copy link
Contributor

@php-coder php-coder Feb 14, 2017
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

BTW to be consistent with the code below and to reduce lines of code this can be re-written to:

	if groupID, err := strconv.ParseInt(val, 10, 64); err == nil {
		result.SupplementalGroups = append(result.SupplementalGroups, groupID)
	}

php-coder
php-coder reviewed Feb 14, 2017
View reviewed changes
pkg/cmd/admin/registry/registry.go Outdated
}

if len(opts.Config.FSGroup) > 0 {
if val, err := strconv.ParseInt(opts.Config.FSGroup, 10, 64); err != nil || val == 0 {
Copy link
Contributor

@php-coder php-coder Feb 14, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like this allows the values less than zero. Perhaps uint32 is more suitable in this case.

Copy link
Contributor Author

@mfojtik mfojtik Feb 14, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

negative values will be refused by PodSpec validation, actually having this to be set to 0 might be valid case (you want root group?).

php-coder
php-coder reviewed Feb 14, 2017
View reviewed changes
pkg/cmd/admin/registry/registry.go Outdated
cmd.Flags().StringVar(&cfg.Selector, "selector", cfg.Selector, "Selector used to filter nodes on deployment. Used to run registries on a specific set of nodes.")
cmd.Flags().StringVar(&cfg.ServingCertPath, "tls-certificate", cfg.ServingCertPath, "An optional path to a PEM encoded certificate (which may contain the private key) for serving over TLS")
cmd.Flags().StringVar(&cfg.ServingKeyPath, "tls-key", cfg.ServingKeyPath, "An optional path to a PEM encoded private key for serving over TLS")
cmd.Flags().StringSliceVar(&cfg.SupplementalGroupRange, "supplemental-groups", cfg.SupplementalGroupRange, "Specify supplemental groups which is an array of ID's that grants group access to registry shared storage")
Copy link
Contributor

@php-coder php-coder Feb 14, 2017
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Range in the name is a bit confusing. As far I can see, it's just a list and not range like 10-15 or 10/5.

The code for parsing fsGroup/supplementalGroups from the openshift.io/sa.scc.supplemental-groups annotation that actually support ranges could be found here:

  • origin/pkg/security/scc/matcher.go

    Lines 334 to 393 in bd3e362

    // getPreallocatedFSGroup gets the annotated value from the namespace.
    func getPreallocatedFSGroup(ns *kapi.Namespace) ([]kapi.IDRange, error) {
    groups, err := getSupplementalGroupsAnnotation(ns)
    if err != nil {
    return nil, err
    }
    glog.V(4).Infof("got preallocated value for groups: %s in namespace %s", groups, ns.Name)
    blocks, err := parseSupplementalGroupAnnotation(groups)
    if err != nil {
    return nil, err
    }
    return []kapi.IDRange{
    {
    Min: int64(blocks[0].Start),
    Max: int64(blocks[0].Start),
    },
    }, nil
    }
    // getPreallocatedSupplementalGroups gets the annotated value from the namespace.
    func getPreallocatedSupplementalGroups(ns *kapi.Namespace) ([]kapi.IDRange, error) {
    groups, err := getSupplementalGroupsAnnotation(ns)
    if err != nil {
    return nil, err
    }
    glog.V(4).Infof("got preallocated value for groups: %s in namespace %s", groups, ns.Name)
    blocks, err := parseSupplementalGroupAnnotation(groups)
    if err != nil {
    return nil, err
    }
    idRanges := []kapi.IDRange{}
    for _, block := range blocks {
    rng := kapi.IDRange{
    Min: int64(block.Start),
    Max: int64(block.End),
    }
    idRanges = append(idRanges, rng)
    }
    return idRanges, nil
    }
    // parseSupplementalGroupAnnotation parses the group annotation into blocks.
    func parseSupplementalGroupAnnotation(groups string) ([]uid.Block, error) {
    blocks := []uid.Block{}
    segments := strings.Split(groups, ",")
    for _, segment := range segments {
    block, err := uid.ParseBlock(segment)
    if err != nil {
    return nil, err
    }
    blocks = append(blocks, block)
    }
    if len(blocks) == 0 {
    return nil, fmt.Errorf("no blocks parsed from annotation %s", groups)
    }
    return blocks, nil
    }

  • origin/pkg/security/uid/uid.go

    Lines 18 to 40 in bd3e362

    func ParseBlock(in string) (Block, error) {
    if strings.Contains(in, "/") {
    var start, size uint32
    n, err := fmt.Sscanf(in, "%d/%d", &start, &size)
    if err != nil {
    return Block{}, err
    }
    if n != 2 {
    return Block{}, ErrBlockSlashBadFormat
    }
    return Block{Start: start, End: start + size - 1}, nil
    }
    var start, end uint32
    n, err := fmt.Sscanf(in, "%d-%d", &start, &end)
    if err != nil {
    return Block{}, err
    }
    if n != 2 {
    return Block{}, ErrBlockDashBadFormat
    }
    return Block{Start: start, End: end}, nil
    }

Copy link
Contributor Author

@mfojtik mfojtik Feb 14, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah, the name is wrong, shold be just --supplemental-groups=[]

@mfojtik mfojtik force-pushed the registry-groups branch 2 times, most recently from 3d69ad6 to a917cb1 Compare February 14, 2017 20:41
@mfojtik
Copy link
Contributor Author

mfojtik commented Feb 14, 2017

@php-coder comments addressed, PTAL.

@php-coder
Copy link
Contributor

php-coder commented Feb 15, 2017

LGTM (and Travis says that you have to re-generate docs).

@openshift-bot openshift-bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 26, 2017
@mfojtik
Copy link
Contributor Author

mfojtik commented Apr 4, 2017

[merge]

@openshift-bot
Copy link
Contributor

openshift-bot commented Apr 4, 2017

Evaluated for origin merge up to ef3fc41

@openshift-bot
Copy link
Contributor

openshift-bot commented Apr 4, 2017

[Test]ing while waiting on the merge queue

@openshift-bot
Copy link
Contributor

openshift-bot commented Apr 4, 2017

Evaluated for origin test up to ef3fc41

@openshift-bot
Copy link
Contributor

openshift-bot commented Apr 4, 2017

continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/549/) (Base Commit: f0670df)

@openshift-bot openshift-bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 4, 2017
@openshift-bot
Copy link
Contributor

openshift-bot commented Apr 5, 2017
edited
Loading

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/549/) (Base Commit: 83a6089) (Image: devenv-rhel7_6118)

@openshift-bot openshift-bot merged commit 7cb8747 into openshift:master Apr 5, 2017
@mfojtik
Copy link
Contributor Author

mfojtik commented Apr 24, 2017

(0) Supplemental Group and fsGroup Support With Registry Install

@mfojtik mfojtik deleted the registry-groups branch September 5, 2018 21:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@php-coder php-coder php-coder left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mfojtik @php-coder @openshift-bot