mon: added bootstrap-rbd auth profile #16633

Merged
merged 3 commits into from Aug 5, 2017

@dillaman
Contributor

dillaman commented Jul 27, 2017

No description provided.

dillaman added some commits Jul 27, 2017

mon: fixed regex match on RBD profile blacklist add command

Signed-off-by: Jason Dillaman <dillaman@redhat.com>

mon: ceph osd blacklist add/rm read-write permissions not validated

The RWX permissions were retrieved from "osd blacklist list" since that
prefix matched "osd blacklist" first. Re-ordered the monitor commands
to ensure the permissions are properly enforced.

Signed-off-by: Jason Dillaman <dillaman@redhat.com>

mon: new bootstrap-rbd auth profile

Signed-off-by: Jason Dillaman <dillaman@redhat.com>

@liewegas liewegas merged commit f766842 into ceph:master Aug 5, 2017

3 of 4 checks passed

make check (arm64): make check failed
Signed-off-by: all commits in this PR are signed
Unmodified Submodules: submodules for project are unmodified
make check: make check succeeded
@@ -258,6 +258,17 @@ void MonCapGrant::expand_profile_mon(const EntityName& name) const
profile_grants.back().command_args["caps_osd"] = StringConstraint(
StringConstraint::MATCH_TYPE_EQUAL, "allow rwx");
}
if (profile == "bootstrap-rbd") {
profile_grants.push_back(MonCapGrant("mon", MON_CAP_R)); // read monmap
profile_grants.push_back(MonCapGrant("auth get-or-create")); // FIXME: this can expose other mds keys
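
Review bot: The FIXME on the `auth get-or-create` grant in the new `bootstrap-rbd` block says it can expose "other mds keys", which reads as carried over from an MDS bootstrap profile rather than describing what this profile can reach. Reword the comment to say which existing keys a holder of `bootstrap-rbd` could have returned to it, and state next to the grant which `command_args` constraints are meant to bound it, in the way the `caps_osd` constraint with `MATCH_TYPE_EQUAL` does in the context lines above. The visible part of the hunk ends at this grant, so any constraints that follow are not shown here; a FIXME with no tracker reference is also easy to lose after merge, so link one in the comment.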

@liewegas

liewegas Aug 5, 2017

Member

In the future the way to close this is to have the client generate the keys and pass them to the mon. That way the reply from the mon is simply success/failure and there is no potential leak of info.

@dillaman dillaman deleted the dillaman:wip-bootstrap-rbd-mirror branch Aug 5, 2017
