auth: 'ceph auth import -i' overwrites caps, if caps are not specified

in given keyring file, should alert user and should not allow this import. Because in 'ceph auth list' we keep all the keyrings with caps and importing 'client.admin' user keyring without caps locks the cluster with error[1] because admin keyring caps are missing in 'ceph auth'. [1] Error connecting to cluster: PermissionDeniedError Fixes: http://tracker.ceph.com/issues/18932 Signed-off-by: Vikhyat Umrao <vumrao@redhat.com> (cherry picked from commit 90144aa)
ceph · Feb 20, 2017 · 7c6c3c7 · 7c6c3c7
1 parent c9ece04
commit 7c6c3c7
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 3 deletions.
diff --git a/qa/workunits/cephtool/test.sh b/qa/workunits/cephtool/test.sh
@@ -504,6 +504,9 @@ function test_auth()
   #
   local auid=444
   ceph-authtool --create-keyring --name client.TEST --gen-key --set-uid $auid TEST-keyring
+  expect_false ceph auth import --in-file TEST-keyring
+  rm TEST-keyring
+  ceph-authtool --create-keyring --name client.TEST --gen-key --cap mon "allow r" --set-uid $auid TEST-keyring
   ceph auth import --in-file TEST-keyring
   rm TEST-keyring
   ceph auth get client.TEST > $TMPFILE

diff --git a/src/mon/AuthMonitor.cc b/src/mon/AuthMonitor.cc
@@ -652,11 +652,15 @@ void AuthMonitor::export_keyring(KeyRing& keyring)
   mon->key_server.export_keyring(keyring);
 }
 
-void AuthMonitor::import_keyring(KeyRing& keyring)
+int AuthMonitor::import_keyring(KeyRing& keyring)
 {
   for (map<EntityName, EntityAuth>::iterator p = keyring.get_keys().begin();
        p != keyring.get_keys().end();
        ++p) {
+    if (p->second.caps.empty()) {
+      dout(0) << "import: no caps supplied" << dendl;
+      return -EINVAL;
+    }
     KeyServerData::Incremental auth_inc;
     auth_inc.name = p->first;
     auth_inc.auth = p->second;
@@ -665,6 +669,7 @@ void AuthMonitor::import_keyring(KeyRing& keyring)
     dout(30) << "    " << auth_inc.auth << dendl;
     push_cephx_inc(auth_inc);
   }
+  return 0;
 }
 
 bool AuthMonitor::prepare_command(MonOpRequestRef op)
@@ -731,7 +736,13 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op)
       rs = err;
       goto done;
     }
-    import_keyring(keyring);
+    err = import_keyring(keyring);
+    if (err < 0) {
+      ss << "auth import: no caps supplied";
+      getline(ss, rs);
+      mon->reply_command(op, -EINVAL, rs, get_last_committed());
+      return true;
+    }
     ss << "imported keyring";
     getline(ss, rs);
     err = 0;

diff --git a/src/mon/AuthMonitor.h b/src/mon/AuthMonitor.h
@@ -114,7 +114,7 @@ class AuthMonitor : public PaxosService {
   void upgrade_format();
 
   void export_keyring(KeyRing& keyring);
-  void import_keyring(KeyRing& keyring);
+  int import_keyring(KeyRing& keyring);
 
   void push_cephx_inc(KeyServerData::Incremental& auth_inc) {
     Incremental inc;