Bug #10923
Syntax validation of ceph auth caps
Status: Duplicate
Priority: Normal
Assignee: -
Category: cephx
Target version: -
% Done: 0%
Source: other
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):
Description
Ceph auth caps validation of syntax is weak.
ceph auth caps client.ceph0-nfs0 mon 'allow r' osd 'allow * pool=Backups-Hybrid, allow * pool=General-Storage, allow * Backups-DVS'
Can see it loaded and is available here:
[ceph@ceph0-mon0 ~]$ ceph auth get client.ceph0-nfs0
exported keyring for client.ceph0-nfs0
[client.ceph0-nfs0]
    key = AQB2qOJUSEfXBxAADkvppPquK9ttJrm7UX1IiA==
    caps mon = "allow r"
    caps osd = "allow * pool=Backups-Hybrid, allow * pool=General-Storage, allow * Backups-DVS"
But authentication fails for this keyring now.
Correct syntax should be:
ceph auth caps client.ceph0-nfs0 mon 'allow r' osd 'allow * pool=Backups-Hybrid, allow * pool=General-Storage, allow * pool=Backups-DVS'
Loaded:
[ceph@ceph0-mon0 ~]$ ceph auth get client.ceph0-nfs0
exported keyring for client.ceph0-nfs0
[client.ceph0-nfs0]
    key = AQB2qOJUSEfXBxAADkvppPquK9ttJrm7UX1IiA==
    caps mon = "allow r"
    caps osd = "allow * pool=Backups-Hybrid, allow * pool=General-Storage, allow * pool=Backups-DVS"
Updated by Josh Durgin about 9 years ago
In the past we haven't done this since different versions of monitors + osds may not have the same caps syntax, and the monitors store the caps, while the osds enforce them.
I think it's worth doing though. A simple first step could be trying to parse the caps in the monitors and returning an error if that fails and the relevant daemons are currently the same version as the monitors, but if there are version differences returning a warning string and reporting success.
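Added example (not part of the original ticket and not Ceph's own parser): a pre-flight check for OSD cap strings that applies the error-or-warning rule suggested in the comment above. It assumes only the grant form used in this report, `allow <perms> [pool=<name>] [namespace=<name>]`; the function names and the version strings are hypothetical.

```python
# Added example. Assumption: this covers only the grant form used in this
# report, allow <perms> [pool=<name>] [namespace=<name>], not Ceph's full grammar.
PERMS = {"*", "r", "w", "x", "rw", "rx", "wx", "rwx", "class-read", "class-write"}
QUALIFIERS = {"pool", "namespace"}

# Cap strings copied from the report above.
BAD_CAPS = "allow * pool=Backups-Hybrid, allow * pool=General-Storage, allow * Backups-DVS"
GOOD_CAPS = "allow * pool=Backups-Hybrid, allow * pool=General-Storage, allow * pool=Backups-DVS"


def parse_osd_grant(grant):
    """Return None if one grant parses, otherwise a description of the problem."""
    tokens = grant.split()
    if len(tokens) < 2 or tokens[0] != "allow":
        return f"grant {grant!r}: expected 'allow <perms> ...'"
    if tokens[1] not in PERMS:
        return f"grant {grant!r}: unknown permission {tokens[1]!r}"
    for tok in tokens[2:]:
        key, sep, value = tok.partition("=")
        # A bare word such as 'Backups-DVS' has no '=' and is rejected here.
        if not sep or key not in QUALIFIERS or not value:
            return f"grant {grant!r}: unexpected token {tok!r} (missing 'pool='?)"
    return None


def lint_osd_caps(caps):
    """Check every comma-separated grant and collect the problems found."""
    return [err for g in caps.split(",") if (err := parse_osd_grant(g.strip()))]


def check_caps_update(osd_caps, mon_version, osd_versions):
    """Hard error only when every OSD runs the monitors' version;
    with mixed versions the update succeeds but carries a warning."""
    errors = lint_osd_caps(osd_caps)
    if not errors:
        return ("ok", [])
    if all(v == mon_version for v in osd_versions):
        return ("error", errors)
    return ("warning", errors)


if __name__ == "__main__":
    # Version strings are constructed placeholders.
    print(check_caps_update(BAD_CAPS, "version-A", ["version-A", "version-A"]))
    print(check_caps_update(BAD_CAPS, "version-A", ["version-A", "version-B"]))
    print(check_caps_update(GOOD_CAPS, "version-A", ["version-A"]))
```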
Updated by Greg Farnum almost 7 years ago
- Has duplicate Bug #10974: missing pool= in osd caps is validated but breaks access added
Updated by Patrick Donnelly about 6 years ago
- Is duplicate of Bug #22525: auth: ceph auth add does not sanity-check caps added
Updated by Patrick Donnelly about 6 years ago
- Status changed from New to Duplicate