Feature #18932

closed

'ceph auth import -i' overwrites caps, should alert user before overwrite

Added by Vikhyat Umrao about 7 years ago. Updated almost 7 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: -
Target version: -
% Done: 0%
Source: Support
Tags:
Backport: jewel
Reviewed:
Affected Versions:
Pull request ID:

Description

- User unknowingly imported a ceph.client.admin.keyring file which was lacking caps and was situated in their /etc/ceph directory:

# ceph auth import -i /etc/ceph/ceph.client.admin.keyring

- This resulted in importing the client.admin user with no caps:

client.admin
       key: AQCs3E5YFMAmKxAAKdepvH90aEaKSkQJemqu2A==

- Which of course results in no access to a Ceph cluster. Running ceph commands results in:

2017-01-23 10:13:01.773952 7f5cff5da700  0 librados: client.admin authentication error (13) Permission denied
Error connecting to cluster: PermissionDeniedError

- Logs show the following cephx issue:

2017-01-23 11:31:42.031102 7f1402117700  0 -- 192.168.100.22:6789/0 >> 192.168.100.21:6789/0 pipe(0x7f14197f6800 sd=8 :6789 s=0 pgs=0 cs=0 l=0 c=0x7f1419a05480).accept: got bad authorizer
2017-01-23 11:31:44.075460 7f1402117700  0 cephx: verify_authorizer could not decrypt ticket info: error: NSS AES final round failed: -8190

Downstream RFE bug: https://bugzilla.redhat.com/show_bug.cgi?id=1415821


Related issues (1): 0 open, 1 closed

Copied to Ceph - Backport #18998: jewel: 'ceph auth import -i' overwrites caps, should alert user before overwrite (Resolved, Shinobu Kinjo)
Actions #1

Updated by Vikhyat Umrao about 7 years ago

File - src/mon/AuthMonitor.cc

void AuthMonitor::import_keyring(KeyRing& keyring)
{
  for (map<EntityName, EntityAuth>::iterator p = keyring.get_keys().begin();
       p != keyring.get_keys().end();
       ++p) {
    KeyServerData::Incremental auth_inc;
    auth_inc.name = p->first;
    auth_inc.auth = p->second;
    auth_inc.op = KeyServerData::AUTH_INC_ADD;
    dout(10) << " importing " << auth_inc.name << dendl;
    dout(30) << "    " << auth_inc.auth << dendl;
    push_cephx_inc(auth_inc);
  }
}

- Looks like we can add some check here: if the imported keyring file does not have 'caps', we should not allow the import, because we do not keep any keyring without 'caps' in ceph auth list.

- I have tested other scenarios: if the keyring is not in the correct format or is corrupted, the import command hangs.

- But if the keyring is fine and the format of the keyring file is fine as given in [1], and only 'caps' are missing, it updates the keyring in the list.

[1] keyring

# cat /etc/ceph/ceph.client.admin.keyring
[client.admin]
    key = AQAC9CBWyJXIARAAM/0fpu0rG2ZWkZqIUTVn+w==
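An operator-side pre-check along the lines of the comment above, added here as an example and not Ceph's own code: it parses the keyring format shown in [1] and refuses to proceed when any entity has a key but no `caps` lines, so a caps-less file is caught before `ceph auth import -i` can overwrite the live entry. The regex names, the helper functions and the second sample entity are assumptions for the example.

```python
# Added example (not Ceph's code): pre-check a keyring file for entities
# that carry a key but no caps before running `ceph auth import -i`.
import re
import sys

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
CAPS_RE = re.compile(r"^caps\s+(?P<svc>\w+)$")

def parse_keyring(text):
    """Return {entity: {"key": str|None, "caps": {service: capstring}}}."""
    entities, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank or comment line
        m = SECTION_RE.match(line)
        if m:  # new [entity] section
            current = m.group("name").strip()
            entities[current] = {"key": None, "caps": {}}
            continue
        if current is None or "=" not in line:
            continue  # stray line outside a section; ignore
        k, v = (s.strip() for s in line.split("=", 1))
        if k == "key":
            entities[current]["key"] = v
        elif (cm := CAPS_RE.match(k)):
            entities[current]["caps"][cm.group("svc")] = v.strip('"')
    return entities

def entities_missing_caps(text):
    """Names of entities that have a key but not a single caps line."""
    return [n for n, e in parse_keyring(text).items()
            if e["key"] is not None and not e["caps"]]

# Constructed sample: the caps-less admin entry from the report, plus an
# assumed second entity that does carry caps (keys copied from the report).
SAMPLE = """\
[client.admin]
    key = AQAC9CBWyJXIARAAM/0fpu0rG2ZWkZqIUTVn+w==
[client.backup]
    key = AQCs3E5YFMAmKxAAKdepvH90aEaKSkQJemqu2A==
    caps mon = "allow r"
    caps osd = "allow rw pool=backup"
"""
if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    bad = entities_missing_caps(text)
    for name in bad:
        print(f"refusing import: {name} has no caps", file=sys.stderr)
    sys.exit(1 if bad else 0)
```

Run it with the keyring path as the only argument; a non-zero exit means at least one entity would be imported without caps.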

Actions #2

Updated by Vikhyat Umrao about 7 years ago

  • Status changed from New to In Progress
  • Assignee set to Vikhyat Umrao
Actions #3

Updated by Vikhyat Umrao about 7 years ago

  • Status changed from In Progress to Fix Under Review
Actions #4

Updated by Vikhyat Umrao about 7 years ago

  • Backport set to jewel
Actions #5

Updated by Kefu Chai about 7 years ago

  • Status changed from Fix Under Review to Pending Backport
Actions #6

Updated by Loïc Dachary about 7 years ago

  • Copied to Backport #18998: jewel: 'ceph auth import -i' overwrites caps, should alert user before overwrite added
Actions #7

Updated by Nathan Cutler almost 7 years ago

  • Status changed from Pending Backport to Resolved