Bug #10923

closed

Syntax validation of ceph auth caps

Added by Tyler Bishop about 9 years ago. Updated about 6 years ago.

Status: Duplicate
Priority: Normal
Assignee: -
Category: cephx
Target version: -
% Done: 0%
Source: other
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

Ceph auth caps validation of syntax is weak.

ceph auth caps client.ceph0-nfs0 mon 'allow r' osd 'allow * pool=Backups-Hybrid, allow * pool=General-Storage, allow * Backups-DVS'

Can see it loaded and is available here:

[ceph@ceph0-mon0 ~]$ ceph auth get client.ceph0-nfs0
exported keyring for client.ceph0-nfs0
[client.ceph0-nfs0]
    key = AQB2qOJUSEfXBxAADkvppPquK9ttJrm7UX1IiA==
    caps mon = "allow r" 
    caps osd = "allow * pool=Backups-Hybrid, allow * pool=General-Storage, allow * Backups-DVS" 

But authentication fails for this keyring now.

Correct syntax should be:

ceph auth caps client.ceph0-nfs0 mon 'allow r' osd 'allow * pool=Backups-Hybrid, allow * pool=General-Storage, allow * pool=Backups-DVS'

Loaded:

[ceph@ceph0-mon0 ~]$ ceph auth get client.ceph0-nfs0
exported keyring for client.ceph0-nfs0
[client.ceph0-nfs0]
    key = AQB2qOJUSEfXBxAADkvppPquK9ttJrm7UX1IiA==
    caps mon = "allow r" 
    caps osd = "allow * pool=Backups-Hybrid, allow * pool=General-Storage, allow * pool=Backups-DVS" 
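
A pre-flight check for the malformed grant in this report, as an added example (not Ceph's own cap parser and not code from the issue). The function name `lint_osd_caps` is hypothetical, and it accepts only a simplified subset of the OSD cap grammar, which is an assumption of this sketch.

```python
import re

# Assumption: a simplified subset of the OSD cap grammar, enough to lint
# grants of the form "allow <perms> [pool=<name>] [namespace=<name>]
# [object_prefix <prefix>]". Profile, class and tag grants are out of scope.
PERMS = re.compile(r"^(\*|[rwx]{1,3}|class-read|class-write)$")
QUALIFIER = re.compile(r"^(pool|namespace)=[A-Za-z0-9_.\-]+$")


def lint_osd_caps(caps):
    """Return a list of (grant, problem) pairs; an empty list means clean."""
    problems = []
    # Grants are split on ',' or ';' and checked one at a time.
    for grant in (g.strip() for g in re.split(r"[,;]", caps)):
        if not grant:
            continue
        tokens = grant.split()
        if tokens[0] != "allow" or len(tokens) < 2 or not PERMS.match(tokens[1]):
            problems.append((grant, "expected 'allow <perms>'"))
            continue
        rest = tokens[2:]
        i = 0
        while i < len(rest):
            tok = rest[i]
            if QUALIFIER.match(tok):
                i += 1                      # pool=<name> or namespace=<name>
            elif tok == "object_prefix" and i + 1 < len(rest):
                i += 2                      # keyword plus its value
            else:
                # A bare word such as a pool name without "pool=" lands here.
                problems.append((grant, f"unexpected token {tok!r}; "
                                        "qualifiers need a key such as pool="))
                break
    return problems


# The two OSD cap strings from the report above.
BAD = "allow * pool=Backups-Hybrid, allow * pool=General-Storage, allow * Backups-DVS"
GOOD = "allow * pool=Backups-Hybrid, allow * pool=General-Storage, allow * pool=Backups-DVS"

if __name__ == "__main__":
    for label, caps in (("bad", BAD), ("good", GOOD)):
        print(label, lint_osd_caps(caps) or "ok")
```

Running the check on a cap string before passing it to `ceph auth caps` flags the third grant of the first command while the corrected command passes.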

Related issues 2 (0 open, 2 closed)

Has duplicate Ceph - Bug #10974: missing pool= in osd caps is validated but breaks access (Duplicate, 02/27/2015)
Is duplicate of RADOS - Bug #22525: auth: ceph auth add does not sanity-check caps (Resolved, 12/21/2017)
