auth: 'ceph auth import -i' overwrites caps, if caps are not specified #13468

Merged
merged 1 commit into from Feb 20, 2017

Contributor

vumrao commented Feb 16, 2017

auth: 'ceph auth import -i' overwrites caps, if caps are not specified
in given keyring file, should alert user and should not allow this import.
Because in 'ceph auth list' we keep all the keyrings with caps and importing
'client.admin' user keyring without caps locks the cluster with error[1]
because admin keyring caps are missing in 'ceph auth'.

[1] Error connecting to cluster: PermissionDeniedError

Fixes: http://tracker.ceph.com/issues/18932

Signed-off-by: Vikhyat Umrao <vumrao@redhat.com>

@vumrao vumrao force-pushed the vumrao:wip-vumrao-18932 branch from d428299 to e717c6f Feb 16, 2017

@vumrao

Contributor Author

vumrao commented Feb 16, 2017

  • vstart cluster test results:
$ cat keyring 
[mon.]
	key = AQAkOKZYI1sjAhAAQ3zSsmiHMwTyT+IYLtVZOQ==
	caps mon = "allow *"
[client.admin]
	key = AQAkOKZYuyeOBBAAO0O22zM2xY920Ip8nzye6g==
	auid = 0
	caps mds = "allow *"
	caps mon = "allow *"
	caps osd = "allow *"

$ cp keyring ceph.client.admin.keyring 

- Modify ceph.client.admin.keyring:
$ cat ceph.client.admin.keyring 
[client.admin]
	key = AQAkOKZYuyeOBBAAO0O22zM2xY920Ip8nzye6g==

$ bin/ceph auth import -i ceph.client.admin.keyring 
Error EINVAL: auth import: no caps supplied
  • make check test results:
/home/vumrao/Projects/ceph/qa/workunits/cephtool/test.sh:503: test_auth:  ceph auth import -i authfile
imported keyring


/home/vumrao/Projects/ceph/qa/workunits/cephtool/test.sh:521: test_auth:  ceph-authtool --create-keyring --name client.TEST --gen-key --set-uid 444 TEST-keyring
creating TEST-keyring
/home/vumrao/Projects/ceph/qa/workunits/cephtool/test.sh:522: test_auth:  expect_false ceph auth import --in-file TEST-keyring
/home/vumrao/Projects/ceph/qa/workunits/cephtool/test.sh:31: expect_false:  set -x
/home/vumrao/Projects/ceph/qa/workunits/cephtool/test.sh:32: expect_false:  ceph auth import --in-file TEST-keyring
Error EINVAL: auth import: no caps supplied
/home/vumrao/Projects/ceph/qa/workunits/cephtool/test.sh:32: expect_false:  return 0
/home/vumrao/Projects/ceph/qa/workunits/cephtool/test.sh:523: test_auth:  rm TEST-keyring

/home/vumrao/Projects/ceph/qa/workunits/cephtool/test.sh:524: test_auth:  ceph-authtool --create-keyring --name client.TEST --gen-key --cap mon 'allow r' --set-uid 444 TEST-keyring
creating TEST-keyring
/home/vumrao/Projects/ceph/qa/workunits/cephtool/test.sh:525: test_auth:  ceph auth import --in-file TEST-keyring
imported keyring
/home/vumrao/Projects/ceph/qa/workunits/cephtool/test.sh:526: test_auth:  rm TEST-keyring
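
A client-side pre-flight check in the spirit of this fix, for clusters that do not have it yet: parse the keyring and refuse to run `ceph auth import` when any entity has no `caps` lines. This is an added example, not code from the PR or from Ceph; the function names and the sample keyrings (with placeholder keys) are constructed for illustration.

```python
import re

# Constructed sample keyrings shaped like the two in the test output above.
# Key values are placeholders, not real secrets.
FULL_KEYRING = """\
[mon.]
    key = PLACEHOLDER-MON-KEY
    caps mon = "allow *"
[client.admin]
    key = PLACEHOLDER-ADMIN-KEY
    auid = 0
    caps mds = "allow *"
    caps mon = "allow *"
    caps osd = "allow *"
"""
STRIPPED_KEYRING = """\
[client.admin]
    key = PLACEHOLDER-ADMIN-KEY
"""

SECTION = re.compile(r"^\[(?P<entity>[^\]]+)\]$")
CAP = re.compile(r'^caps\s+(?P<svc>\S+)\s*=\s*"?(?P<val>[^"]*)"?$')


def parse_keyring(text):
    """Return {entity: {service: capability}} for the text of a keyring file."""
    entities, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            current = entities.setdefault(m.group("entity"), {})
            continue
        m = CAP.match(line)
        if m and current is not None:
            current[m.group("svc")] = m.group("val")
    return entities


def entities_without_caps(text):
    """Entities with no caps lines at all (the case this PR rejects server-side)."""
    return sorted(name for name, caps in parse_keyring(text).items() if not caps)


if __name__ == "__main__":
    for label, text in (("full", FULL_KEYRING), ("stripped", STRIPPED_KEYRING)):
        missing = entities_without_caps(text)
        print(label, "ok to import" if not missing else f"do not import, no caps for {missing}")
```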
@vumrao

Contributor Author

vumrao commented Feb 16, 2017

@tchaikov Hi Kefu, as discussed could you please review this PR. Thank you!

@liewegas

Member

liewegas commented Feb 17, 2017

Hmm, it seems conceivable that someone would want to import keys without specifying any caps. I'm not sure why, though, so this is probably better unless/until that happens!

@liewegas liewegas added the needs-qa label Feb 17, 2017

@vumrao

Contributor Author

vumrao commented Feb 17, 2017

Thanks Sage. This issue came from one of the internal customers who did it by mistake. The cluster was locked for all ceph commands because he did not have any other user with admin caps. Then we disabled cephx, imported the correct admin keyring, and re-enabled cephx. We create the admin keyring file 'ceph.client.admin.keyring' on monitor nodes in the /etc/ceph path without caps, and he ran the import with this admin keyring file.

{
for (map<EntityName, EntityAuth>::iterator p = keyring.get_keys().begin();
p != keyring.get_keys().end();
++p) {
if (p->second.caps.size() == 0) {
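
Review bot: at `if (p->second.caps.size() == 0)`, the rejection presumably yields the `auth import: no caps supplied` error seen in the test output, which does not name the entity; with a keyring that holds several entries the operator cannot tell which section is missing caps, so consider including `p->first` in the message. The loop header also calls `keyring.get_keys()` separately for `begin()` and `end()`, which is only safe if it returns a reference to the same map; worth confirming, or bind the result to a local reference once before the loop.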

@tchaikov

tchaikov Feb 18, 2017

Contributor

nit, use empty() if we don't care about the size.

@vumrao

vumrao Feb 19, 2017

Author Contributor

Thanks Kefu. I have changed it to caps.empty().

@vumrao vumrao force-pushed the vumrao:wip-vumrao-18932 branch from e717c6f to 90144aa Feb 19, 2017

@tchaikov tchaikov merged commit 0f9c15e into ceph:master Feb 20, 2017

@tchaikov tchaikov self-assigned this Feb 20, 2017
