mgr: print a more helpful error message for when users lack mgr cephx…

… caps Add some brief documentation on updating their caps and link to it. Fixes: http://tracker.ceph.com/issues/20296 Signed-off-by: Greg Farnum <gfarnum@redhat.com>
ceph · Jun 14, 2017 · 26f7ed8 · 26f7ed8
1 parent 3ace41f
commit 26f7ed8
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 2 deletions.
diff --git a/doc/mgr/administrator.rst b/doc/mgr/administrator.rst
@@ -25,6 +25,15 @@ of ``ceph status``, which should now include a mgr status line::
 
     mgr active: $name
 
+Client authentication
+---------------------
+The manager is a new daemon which requires new CephX capabilities. If you upgrade
+a cluster from an old version of Ceph, or use the default install/deploy tools,
+your admin client should get this capability automatically. If you use tooling from
+elsewhere, you may get EACCES errors when invoking certain ceph cluster commands.
+To fix that, add a "mgr allow *" stanza to your client's cephx capabilities by
+`Modifying User Capabilities`_.
+
 High availability
 -----------------
 
@@ -92,3 +101,4 @@ OPTION(mgr_module_path, OPT_STR, CEPH_PKGLIBDIR "/mgr") // where to load python
 :Type: Integer
 :Default: ``30``
 
+.. _Modifying User Capabilities: ../rados/operations/user-management#modify-user-capabilities
diff --git a/doc/rados/operations/user-management.rst b/doc/rados/operations/user-management.rst
@@ -360,6 +360,7 @@ are often restricted to accessing a particular pool. ::
    pools in the cluster!
 
 
+.. _modify-user-capabilities:
 Modify User Capabilities
 ------------------------
 

diff --git a/src/mgr/DaemonServer.cc b/src/mgr/DaemonServer.cc
@@ -550,7 +550,8 @@ bool DaemonServer::handle_command(MCommand *m)
     if (!_allowed_command(session.get(), py_command.module, prefix, cmdctx->cmdmap,
                           param_str_map, &py_command)) {
       dout(1) << " access denied" << dendl;
-      ss << "access denied";
+      ss << "access denied; does your client key have mgr caps?"
+	" See http://docs.ceph.com/docs/master/mgr/administrator/#client-authentication";
       cmdctx->reply(-EACCES, ss);
       return true;
     }
@@ -562,7 +563,8 @@ bool DaemonServer::handle_command(MCommand *m)
       audit_clog->info() << "from='" << session->inst << "' "
                          << "entity='" << session->entity_name << "' "
                          << "cmd=" << m->cmd << ":  access denied";
-      ss << "access denied";
+      ss << "access denied' does your client key have mgr caps?"
+	" See http://docs.ceph.com/docs/master/mgr/administrator/#client-authentication";
       cmdctx->reply(-EACCES, ss);
       return true;
     }