Feature #18932

'ceph auth import -i' overwrites caps, should alert user before overwrite

Added by Vikhyat Umrao 8 months ago. Updated 6 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: -
Target version: -
Start date: 02/14/2017
Due date:
% Done: 0%
Source: Support
Tags:
Backport: jewel
Reviewed:
User Impact:
Affected Versions:
Release: jewel
Needs Doc: No

Description

- User unknowingly imported a ceph.client.admin.keyring file which was lacking caps and was situated in their /etc/ceph directory:

# ceph auth import -i /etc/ceph/ceph.client.admin.keyring

- This resulted in importing the client.admin user with no caps:

client.admin
       key: AQCs3E5YFMAmKxAAKdepvH90aEaKSkQJemqu2A==

- Which of course results in no access to a Ceph cluster. Running ceph commands results in:

2017-01-23 10:13:01.773952 7f5cff5da700  0 librados: client.admin authentication error (13) Permission denied
Error connecting to cluster: PermissionDeniedError

- Logs show the following cephx issue:

2017-01-23 11:31:42.031102 7f1402117700  0 -- 192.168.100.22:6789/0 >> 192.168.100.21:6789/0 pipe(0x7f14197f6800 sd=8 :6789 s=0 pgs=0 cs=0 l=0 c=0x7f1419a05480).accept: got bad authorizer
2017-01-23 11:31:44.075460 7f1402117700  0 cephx: verify_authorizer could not decrypt ticket info: error: NSS AES final round failed: -8190

Downstream RFE bug: https://bugzilla.redhat.com/show_bug.cgi?id=1415821


Related issues

Copied to Ceph - Backport #18998: jewel: 'ceph auth import -i' overwrites caps, should alert user before overwrite Resolved

History

#1 Updated by Vikhyat Umrao 8 months ago

File - src/mon/AuthMonitor.cc

void AuthMonitor::import_keyring(KeyRing& keyring)
{
  // Every entity in the imported keyring is pushed as an AUTH_INC_ADD
  // incremental; nothing here looks at whether p->second carries caps.
  for (map<EntityName, EntityAuth>::iterator p = keyring.get_keys().begin();
       p != keyring.get_keys().end();
       ++p) {
    KeyServerData::Incremental auth_inc;
    auth_inc.name = p->first;
    auth_inc.auth = p->second;   // key and caps (possibly empty) taken as-is
    auth_inc.op = KeyServerData::AUTH_INC_ADD;
    dout(10) << " importing " << auth_inc.name << dendl;
    dout(30) << "    " << auth_inc.auth << dendl;
    push_cephx_inc(auth_inc);
  }
}

- Looks like we can add some check here: if the imported keyring file does not have 'caps', we should not allow the import, because we do not keep any keyring without 'caps' in ceph auth list.

- I have tested other scenarios: if the keyring is not in the correct format or is corrupted, the import command hangs.

- But if the keyring is fine and the format of the keyring file is fine as given in [1], and only 'caps' are missing, it updates the keyring in the list.

[1] keyring

# cat /etc/ceph/ceph.client.admin.keyring 
[client.admin]
    key = AQAC9CBWyJXIARAAM/0fpu0rG2ZWkZqIUTVn+w==
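The check that comment #1 asks for, written up as an added example that is not Ceph's own code: a minimal parser for the keyring format shown in [1] (`[entity]` sections with `key = ...` and `caps <service> = "..."` lines) and a function that refuses an import when any entity carries no caps, which is exactly the file that silently replaced client.admin's caps with an empty set in this report. The names `parse_keyring`, `entities_without_caps` and `import_allowed` are hypothetical and the sample keyrings are constructed (the key value is the one from [1]); the real fix in AuthMonitor.cc operates on `EntityAuth` rather than on text.

```cpp
// Added example, not Ceph project code: detect keyring entities that would be
// imported with an empty cap set. Names below are hypothetical.
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <vector>

struct EntityEntry {
    std::string key;                          // base64 secret as written in the file
    std::map<std::string, std::string> caps;  // service -> cap string, e.g. "mon" -> "allow *"
};

static std::string trim(const std::string& s) {
    const char* ws = " \t\r\n";
    size_t b = s.find_first_not_of(ws);
    if (b == std::string::npos) return "";
    size_t e = s.find_last_not_of(ws);
    return s.substr(b, e - b + 1);
}

// Parse the INI-like keyring format: "[entity]" headers, then
// "key = <secret>" and "caps <service> = \"<capstring>\"" lines.
std::map<std::string, EntityEntry> parse_keyring(const std::string& text) {
    std::map<std::string, EntityEntry> out;
    std::istringstream in(text);
    std::string line, current;
    while (std::getline(in, line)) {
        line = trim(line);
        if (line.empty() || line[0] == '#') continue;
        if (line.front() == '[' && line.back() == ']') {
            current = trim(line.substr(1, line.size() - 2));
            out[current];  // register the entity even if no key/caps lines follow
            continue;
        }
        size_t eq = line.find('=');
        if (eq == std::string::npos || current.empty()) continue;
        std::string lhs = trim(line.substr(0, eq));
        std::string rhs = trim(line.substr(eq + 1));
        if (lhs == "key") {
            out[current].key = rhs;
        } else if (lhs.rfind("caps ", 0) == 0) {
            std::string service = trim(lhs.substr(5));
            // the keyring format quotes the cap string; strip the quotes
            if (rhs.size() >= 2 && rhs.front() == '"' && rhs.back() == '"')
                rhs = rhs.substr(1, rhs.size() - 2);
            out[current].caps[service] = rhs;
        }
    }
    return out;
}

// Entities that an unchecked import would store with no caps at all.
std::vector<std::string> entities_without_caps(const std::map<std::string, EntityEntry>& kr) {
    std::vector<std::string> missing;
    for (const auto& p : kr)
        if (p.second.caps.empty()) missing.push_back(p.first);
    return missing;
}

// The proposed guard: allow the import only if every entity carries caps.
bool import_allowed(const std::string& keyring_text) {
    return entities_without_caps(parse_keyring(keyring_text)).empty();
}

int main() {
    // Constructed samples: the caps-less keyring from [1] and a complete one.
    const std::vector<std::string> samples = {
        "[client.admin]\n"
        "    key = AQAC9CBWyJXIARAAM/0fpu0rG2ZWkZqIUTVn+w==\n",
        "[client.admin]\n"
        "    key = AQAC9CBWyJXIARAAM/0fpu0rG2ZWkZqIUTVn+w==\n"
        "    caps mds = \"allow *\"\n"
        "    caps mon = \"allow *\"\n"
        "    caps osd = \"allow *\"\n"};
    for (const auto& text : samples) {
        auto missing = entities_without_caps(parse_keyring(text));
        if (missing.empty()) {
            std::cout << "import ok: every entity has caps\n";
        } else {
            for (const auto& n : missing)
                std::cout << "refusing import: " << n
                          << " has no caps; its existing caps would be overwritten\n";
        }
    }
    return 0;
}
```

Run against the file from [1] this reports `refusing import: client.admin has no caps`, which is the alert the title asks for; the same walk over `keyring.get_keys()` in `AuthMonitor::import_keyring`, checking `p->second.caps.empty()` before `push_cephx_inc`, is where the monitor-side version of the guard would sit.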

#2 Updated by Vikhyat Umrao 8 months ago

  • Status changed from New to In Progress
  • Assignee set to Vikhyat Umrao

#3 Updated by Vikhyat Umrao 8 months ago

  • Status changed from In Progress to Need Review

#4 Updated by Vikhyat Umrao 8 months ago

  • Backport set to jewel

#5 Updated by Kefu Chai 8 months ago

  • Status changed from Need Review to Pending Backport

#6 Updated by Loic Dachary 8 months ago

  • Copied to Backport #18998: jewel: 'ceph auth import -i' overwrites caps, should alert user before overwrite added

#7 Updated by Nathan Cutler 6 months ago

  • Status changed from Pending Backport to Resolved
