Bug #10923

Syntax validation of ceph auth caps

Added by Tyler Bishop about 4 years ago. Updated about 1 year ago.

Status: Duplicate
Priority: Normal
Assignee: -
Category: cephx
Target version: -
Start date: 02/20/2015
Due date:
% Done: 0%
Source: other
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:

Description

Ceph auth caps validation of syntax is weak.

ceph auth caps client.ceph0-nfs0 mon 'allow r' osd 'allow * pool=Backups-Hybrid, allow * pool=General-Storage, allow * Backups-DVS'

Can see it loaded and is available here:

[ceph@ceph0-mon0 ~]$ ceph auth get client.ceph0-nfs0
exported keyring for client.ceph0-nfs0
[client.ceph0-nfs0]
    key = AQB2qOJUSEfXBxAADkvppPquK9ttJrm7UX1IiA==
    caps mon = "allow r" 
    caps osd = "allow * pool=Backups-Hybrid, allow * pool=General-Storage, allow * Backups-DVS" 

But authentication fails for this keyring now.

Correct syntax should be:

ceph auth caps client.ceph0-nfs0 mon 'allow r' osd 'allow * pool=Backups-Hybrid, allow * pool=General-Storage, allow * pool=Backups-DVS'

Loaded:

[ceph@ceph0-mon0 ~]$ ceph auth get client.ceph0-nfs0
exported keyring for client.ceph0-nfs0
[client.ceph0-nfs0]
    key = AQB2qOJUSEfXBxAADkvppPquK9ttJrm7UX1IiA==
    caps mon = "allow r" 
    caps osd = "allow * pool=Backups-Hybrid, allow * pool=General-Storage, allow * pool=Backups-DVS" 

Related issues

Duplicated by Ceph - Bug #10974: missing pool= in osd caps is validated but breaks access Duplicate 02/27/2015
Duplicates RADOS - Bug #22525: auth: ceph auth add does not sanity-check caps Pending Backport 12/21/2017

History

#1 Updated by Josh Durgin about 4 years ago

In the past we haven't done this since different versions of monitors + osds may not have the same caps syntax, and the monitors store the caps, while the osds enforce them.

I think it's worth doing though. A simple first step could be trying to parse the caps in the monitors and returning an error if that fails and the relevant daemons are currently the same version as the monitors, but if there are version differences returning a warning string and reporting success.
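Added example, not Ceph code and not part of the original comments: a sketch of the parse-then-error-or-warn policy proposed in comment #1, run over the two osd caps strings from the description. The grammar is a deliberately simplified subset assumed for illustration (real OSD caps accept more forms), and the function names and the `daemons_match_mon_version` flag are hypothetical.

```python
import re

# Simplified subset of the OSD cap grammar, assumed for this example only:
#   grant := "allow" <perm> [pool=<name>] [namespace=<name>]
# Real Ceph accepts more forms (profiles, object_prefix, ...).
PERM = re.compile(r"^(\*|[rwx]+|class-read|class-write)$")
QUALIFIER = re.compile(r"^(pool|namespace)=([A-Za-z0-9_.\-]+)$")


def check_grant(grant):
    """Return a list of problems found in a single 'allow ...' grant."""
    tokens = grant.split()
    if not tokens or tokens[0] != "allow":
        return ["grant does not start with 'allow'"]
    if len(tokens) < 2 or not PERM.match(tokens[1]):
        return ["missing or invalid permission after 'allow'"]
    problems = []
    for tok in tokens[2:]:
        if not QUALIFIER.match(tok):
            hint = "" if "=" in tok else f" (did you mean 'pool={tok}'?)"
            problems.append(f"unexpected token {tok!r}{hint}")
    return problems


def check_osd_caps(caps):
    """Map each bad grant to its problems; an empty dict means the caps parsed."""
    errors = {}
    for grant in (g.strip() for g in caps.split(",")):
        problems = check_grant(grant)
        if problems:
            errors[grant] = problems
    return errors


def validate(caps, daemons_match_mon_version):
    """Comment #1's policy: reject on parse failure only when versions match."""
    errors = check_osd_caps(caps)
    if not errors:
        return "ok", errors
    return ("error" if daemons_match_mon_version else "warning"), errors


# The two osd caps strings from the description.
BROKEN = "allow * pool=Backups-Hybrid, allow * pool=General-Storage, allow * Backups-DVS"
FIXED = "allow * pool=Backups-Hybrid, allow * pool=General-Storage, allow * pool=Backups-DVS"

if __name__ == "__main__":
    for label, caps in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, "->", validate(caps, daemons_match_mon_version=True))
```

Running a check like this before `ceph auth caps` catches the bare `Backups-DVS` token at submission time rather than at the first failed client authentication.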

#2 Updated by Greg Farnum over 1 year ago

  • Category set to cephx

#3 Updated by Greg Farnum over 1 year ago

  • Duplicated by Bug #10974: missing pool= in osd caps is validated but breaks access added

#4 Updated by Patrick Donnelly about 1 year ago

  • Duplicates Bug #22525: auth: ceph auth add does not sanity-check caps added

#5 Updated by Patrick Donnelly about 1 year ago

  • Status changed from New to Duplicate
