From 69662e63ed0eaaaef1d135138b997a45cf6d8793 Mon Sep 17 00:00:00 2001
From: Madhu Rajanna <madhupr007@gmail.com>
Date: Tue, 11 Jun 2019 18:10:31 +0530
Subject: [PATCH] change permission of targetpath

setting the permission of  targetpath to 777
will allow non-root user to write to pv.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
---
 e2e/cephfs.go               |   4 ++
 e2e/rbd.go                  |   5 ++
 e2e/utils.go                | 109 +++++++++++++++++++++++++++++++-----
 pkg/cephfs/nodeserver.go    |   8 ++-
 pkg/cephfs/volumeoptions.go |   5 +-
 pkg/rbd/nodeserver.go       |   4 ++
 6 files changed, 119 insertions(+), 16 deletions(-)

diff --git a/e2e/cephfs.go b/e2e/cephfs.go
index 40f2e74a42b2..22e9e17a8659 100644
--- a/e2e/cephfs.go
+++ b/e2e/cephfs.go
@@ -70,6 +70,10 @@ var _ = Describe("cephfs", func() {
 
 				})
 
+				By("create a PVC and Bind it to an app with normal user", func() {
+					pvcPath := cephfsExamplePath + "pvc.yaml"
+					validateNormalUserPVCAccess(pvcPath, f)
+				})
 			})
 		})
 	})
diff --git a/e2e/rbd.go b/e2e/rbd.go
index 7fa1b4e03d52..b85924dff9bb 100644
--- a/e2e/rbd.go
+++ b/e2e/rbd.go
@@ -69,6 +69,11 @@ var _ = Describe("RBD", func() {
 				appPath := rbdExamplePath + "pod.yaml"
 				validatePVCAndAppBinding(pvcPath, appPath, f)
 			})
+
+			By("create a PVC and Bind it to an app with normal user", func() {
+				pvcPath := rbdExamplePath + "pvc.yaml"
+				validateNormalUserPVCAccess(pvcPath, f)
+			})
 		})
 	})
 
diff --git a/e2e/utils.go b/e2e/utils.go
index 77b8eec9715f..6c39317f292a 100644
--- a/e2e/utils.go
+++ b/e2e/utils.go
@@ -103,13 +103,10 @@ func waitForDeploymentComplete(name, ns string, c clientset.Interface, t int) er
 	return nil
 }
 
-func execCommandInToolBox(f *framework.Framework, c string) string {
+func execCommandInPod(f *framework.Framework, c, ns string, opt *metav1.ListOptions) string {
 
 	cmd := []string{"/bin/sh", "-c", c}
-	opt := metav1.ListOptions{
-		LabelSelector: "app=rook-ceph-tools",
-	}
-	podList, err := f.PodClientNS(rookNS).List(opt)
+	podList, err := f.PodClientNS(ns).List(*opt)
 	framework.ExpectNoError(err)
 	Expect(podList.Items).NotTo(BeNil())
 	Expect(err).Should(BeNil())
@@ -117,7 +114,7 @@ func execCommandInToolBox(f *framework.Framework, c string) string {
 	podPot := framework.ExecOptions{
 		Command:            cmd,
 		PodName:            podList.Items[0].Name,
-		Namespace:          rookNS,
+		Namespace:          ns,
 		ContainerName:      podList.Items[0].Spec.Containers[0].Name,
 		Stdin:              nil,
 		CaptureStdout:      true,
@@ -159,7 +156,10 @@ func createCephfsStorageClass(c kubernetes.Interface, f *framework.Framework) {
 	sc := getStorageClass(c, scPath)
 	sc.Parameters["pool"] = "myfs-data0"
 	sc.Parameters["fsName"] = "myfs"
-	fsID := execCommandInToolBox(f, "ceph fsid")
+	opt := metav1.ListOptions{
+		LabelSelector: "app=rook-ceph-tools",
+	}
+	fsID := execCommandInPod(f, "ceph fsid", rookNS, &opt)
 	// remove new line present in fsID
 	fsID = strings.Trim(fsID, "\n")
 
@@ -173,8 +173,10 @@ func createRBDStorageClass(c kubernetes.Interface, f *framework.Framework) {
 	sc := getStorageClass(c, scPath)
 	delete(sc.Parameters, "userid")
 	sc.Parameters["pool"] = "replicapool"
-
-	fsID := execCommandInToolBox(f, "ceph fsid")
+	opt := metav1.ListOptions{
+		LabelSelector: "app=rook-ceph-tools",
+	}
+	fsID := execCommandInPod(f, "ceph fsid", rookNS, &opt)
 	// remove new line present in fsID
 	fsID = strings.Trim(fsID, "\n")
 
@@ -188,8 +190,10 @@ func createConfigMap(c kubernetes.Interface, f *framework.Framework) {
 	cm := v1.ConfigMap{}
 	err := unmarshal(path, &cm)
 	Expect(err).Should(BeNil())
-
-	fsID := execCommandInToolBox(f, "ceph fsid")
+	opt := metav1.ListOptions{
+		LabelSelector: "app=rook-ceph-tools",
+	}
+	fsID := execCommandInPod(f, "ceph fsid", rookNS, &opt)
 	// remove new line present in fsID
 	fsID = strings.Trim(fsID, "\n")
 	// get mon list
@@ -225,7 +229,10 @@ func getSecret(path string) v1.Secret {
 func createCephfsSecret(c kubernetes.Interface, f *framework.Framework) {
 	scPath := fmt.Sprintf("%s/%s", cephfsExamplePath, "secret.yaml")
 	sc := getSecret(scPath)
-	adminKey := execCommandInToolBox(f, "ceph auth get-key client.admin")
+	opt := metav1.ListOptions{
+		LabelSelector: "app=rook-ceph-tools",
+	}
+	adminKey := execCommandInPod(f, "ceph auth get-key client.admin", rookNS, &opt)
 	sc.Data["adminID"] = []byte("admin")
 	sc.Data["adminKey"] = []byte(adminKey)
 	delete(sc.Data, "userID")
@@ -237,7 +244,10 @@ func createCephfsSecret(c kubernetes.Interface, f *framework.Framework) {
 func createRBDSecret(c kubernetes.Interface, f *framework.Framework) {
 	scPath := fmt.Sprintf("%s/%s", rbdExamplePath, "secret.yaml")
 	sc := getSecret(scPath)
-	adminKey := execCommandInToolBox(f, "ceph auth get-key client.admin")
+	opt := metav1.ListOptions{
+		LabelSelector: "app=rook-ceph-tools",
+	}
+	adminKey := execCommandInPod(f, "ceph auth get-key client.admin", rookNS, &opt)
 	sc.Data["admin"] = []byte(adminKey)
 	delete(sc.Data, "kubernetes")
 	_, err := c.CoreV1().Secrets("default").Create(&sc)
@@ -486,3 +496,76 @@ func validatePVCAndAppBinding(pvcPath, appPath string, f *framework.Framework) {
 		Fail(err.Error())
 	}
 }
+
+func validateNormalUserPVCAccess(pvcPath string, f *framework.Framework) {
+	pvc := loadPVC(pvcPath)
+	pvc.Namespace = f.UniqueName
+	pvc.Name = f.UniqueName
+	framework.Logf("The PVC  template %+v", pvc)
+	err := createPVCAndvalidatePV(f.ClientSet, pvc, deployTimeout)
+	if err != nil {
+		Fail(err.Error())
+	}
+	var user int64 = 2000
+	app := &v1.Pod{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "Pod",
+			APIVersion: "v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "pod-run-as-non-root",
+			Namespace: f.UniqueName,
+			Labels: map[string]string{
+				"app": "pod-run-as-non-root",
+			},
+		},
+		Spec: v1.PodSpec{
+			Containers: []v1.Container{
+				{
+					Name:    "write-pod",
+					Image:   "alpine",
+					Command: []string{"/bin/sleep", "999999"},
+					SecurityContext: &v1.SecurityContext{
+						RunAsUser: &user,
+					},
+					VolumeMounts: []v1.VolumeMount{
+						{
+							MountPath: "/target",
+							Name:      "target",
+						},
+					},
+				},
+			},
+			Volumes: []v1.Volume{
+				{
+					Name: "target",
+					VolumeSource: v1.VolumeSource{
+						PersistentVolumeClaim: &v1.PersistentVolumeClaimVolumeSource{
+							ClaimName: pvc.Name,
+							ReadOnly:  false},
+					},
+				},
+			},
+		},
+	}
+
+	err = createApp(f.ClientSet, app, deployTimeout)
+	if err != nil {
+		Fail(err.Error())
+	}
+
+	opt := metav1.ListOptions{
+		LabelSelector: "app=pod-run-as-non-root",
+	}
+	execCommandInPod(f, "echo testing > /target/testing", app.Namespace, &opt)
+
+	err = deletePod(app.Name, app.Namespace, f.ClientSet, deployTimeout)
+	if err != nil {
+		Fail(err.Error())
+	}
+
+	err = deletePVCAndValidatePV(f.ClientSet, pvc, deployTimeout)
+	if err != nil {
+		Fail(err.Error())
+	}
+}
diff --git a/pkg/cephfs/nodeserver.go b/pkg/cephfs/nodeserver.go
index 155a32e8176d..90fbe9c30b80 100644
--- a/pkg/cephfs/nodeserver.go
+++ b/pkg/cephfs/nodeserver.go
@@ -237,12 +237,18 @@ func (ns *NodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis
 		return nil, status.Error(codes.Internal, err.Error())
 	}
 
-	if err := volumeMountCache.nodePublishVolume(volID, targetPath, req.GetReadonly()); err != nil {
+	if err = volumeMountCache.nodePublishVolume(volID, targetPath, req.GetReadonly()); err != nil {
 		klog.Warningf("mount-cache: failed to publish volume %s %s: %v", volID, targetPath, err)
 	}
 
 	klog.Infof("cephfs: successfully bind-mounted volume %s to %s", volID, targetPath)
 
+	err = os.Chmod(targetPath, 0777)
+	if err != nil {
+		klog.Errorf("failed to change targetpath permission for volume %s: %v", volID, err)
+		return nil, status.Error(codes.Internal, err.Error())
+	}
+
 	return &csi.NodePublishVolumeResponse{}, nil
 }
 
diff --git a/pkg/cephfs/volumeoptions.go b/pkg/cephfs/volumeoptions.go
index cc7b854569f8..50d24187ce97 100644
--- a/pkg/cephfs/volumeoptions.go
+++ b/pkg/cephfs/volumeoptions.go
@@ -20,6 +20,8 @@ import (
 	"fmt"
 	"strconv"
 
+	"github.com/pkg/errors"
+
 	"github.com/ceph/ceph-csi/pkg/util"
 )
 
@@ -189,8 +191,7 @@ func newVolumeOptionsFromVolID(volID string, volOpt, secrets map[string]string)
 	volOptions.FscID = vi.LocationID
 
 	if volOptions.Monitors, err = util.Mons(csiConfigFile, vi.ClusterID); err != nil {
-		err = fmt.Errorf("failed to fetch monitor list using clusterID (%s)", vi.ClusterID)
-		return nil, nil, err
+		return nil, nil, errors.Wrapf(err, "failed to fetch monitor list using clusterID (%s)", vi.ClusterID)
 	}
 
 	cr, err := getAdminCredentials(secrets)
diff --git a/pkg/rbd/nodeserver.go b/pkg/rbd/nodeserver.go
index 4942feb6fde4..44a5a84b444f 100644
--- a/pkg/rbd/nodeserver.go
+++ b/pkg/rbd/nodeserver.go
@@ -108,6 +108,10 @@ func (ns *NodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis
 	if err != nil {
 		return nil, err
 	}
+	err = os.Chmod(targetPath, 0777)
+	if err != nil {
+		return nil, status.Error(codes.Internal, err.Error())
+	}
 	return &csi.NodePublishVolumeResponse{}, nil
 }