Project

General

Profile

Bug #19940

client.admin not granted mgr caps on upgrade (was: mgr access denied on pg dump)

Added by Dan van der Ster 2 months ago. Updated 2 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
packaging
Target version:
-
Start date:
05/16/2017
Due date:
% Done:

0%

Source:
Tags:
Backport:
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Release:
master
Needs Doc:
No

Description

This is a newly deployed master test cluster running ceph-12.0.2-1185.g3155335.el7.x86_64.

Once per minute our mgr is getting access denied on a pg dump:

2017-05-16 13:53:02.059795 client.156173 [INF] from='client.194556 128.142.215.68:0/3128562804' entity='client.admin' cmd=[{"prefix": "pg dump", "target": ["mgr", ""], "format": "json"}]:  access denied
2017-05-16 13:54:02.794116 client.156173 [INF] from='client.204392 128.142.215.68:0/2029671957' entity='client.admin' cmd=[{"prefix": "pg dump", "target": ["mgr", ""], "format": "json"}]:  access denied

128.142.215.68 is the active mgr p06636710a37514.

    cluster f502e0e8-63e1-42c8-b38b-5b4f8daba3f8
     health HEALTH_WARN
            too few PGs per OSD (1 < min 30)
     monmap e4: 3 mons at {p06636710a37514=128.142.215.68:6789/0,p06636710a59202=128.142.215.77:6789/0,p06636710a82299=128.142.215.81:6789/0}
            election epoch 34, quorum 0,1,2 p06636710a37514,p06636710a59202,p06636710a82299
        mgr active: p06636710a37514 standbys: p06636710a82299, p06636710a59202
     osdmap e898: 144 osds: 144 up, 144 in
      pgmap v3379: 64 pgs, 1 pools, 0 bytes data, 0 objects
            161 GB used, 785 TB / 785 TB avail
                  64 active+clean

The mgr log says:

2017-05-16 13:57:02.313376 7f4a6918c700  1 mgr.server handle_command  access denied
2017-05-16 13:57:02.313390 7f4a6918c700  0 log_channel(audit) log [INF] : from='client.204422 128.142.215.68:0/1044875011' entity='client.admin' cmd=[{"prefix": "pg dump", "target": ["mgr", ""], "format": "json"}]:  access denied
2017-05-16 13:57:02.313397 7f4a6918c700  1 mgr.server reply do_command r=-13 access denied

Could there be something wrong with our deployment or is this a bug?

History

#1 Updated by Dan van der Ster 2 months ago

client.admin
    key: xx==
    caps: [mds] allow
    caps: [mon] allow *
    caps: [osd] allow *

[14:02][root@p06636710a82299 (ceph_dev:ceph/bigbang/mon*50) ~]# ceph pg dump
Error EACCES: access denied
[14:02][root@p06636710a82299 (ceph_dev:ceph/bigbang/mon*50) ~]#

oh?? admin cannot even pg dump?

#2 Updated by Dan van der Ster 2 months ago

Found it. client.admin now needs the mgr 'allow *' cap.
This fixes it:

ceph auth caps client.admin osd 'allow *' mds 'allow *' mon 'allow *' mgr 'allow *'

Is something supposed to solve this for upgrades?

#3 Updated by John Spray 2 months ago

  • Subject changed from mgr access denied on pg dump to client.admin not granted mgr caps on upgrade (was: mgr access denied on pg dump)

#4 Updated by John Spray 2 months ago

  • Project changed from Ceph to mgr
  • Category set to packaging
  • Assignee deleted (John Spray)

#5 Updated by John Spray 2 months ago

  • Status changed from New to Need Review
  • Assignee set to John Spray

#6 Updated by Sage Weil 2 months ago

  • Status changed from Need Review to Resolved

Also available in: Atom PDF