Bug #22227

Keyrings created by ceph auth get are not suitable for ceph auth import

Added by Keith Schincke over 1 year ago. Updated 17 days ago.

Status: Pending Backport
Priority: Normal
Assignee:
Category: ceph cli
Target version: -
Start date: 11/22/2017
Due date:
% Done: 0%
Source:
Tags:
Backport: nautilus, luminous, mimic
Regression: No
Severity: 2 - major
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:

Description

The ceph auth get process creates a keyring file which is not suitable for usage in ceph auth import.
This occurs when the original client entry has permissions enabled, such as allow command.

Fixes needed:
1) ceph auth get should return a keyring which can be used in ceph auth import. It should escape any embedded quotes.
2) ceph auth import should return an error if any parsing error occurs. It should fail to import the keyring instead of partially importing an invalid keyring.

Example:

1) Ceph keyring in the file system:
  1. cat /etc/ceph/ceph.client.manila.keyring
    [client.manila]
    key = AQAJlgRaAAAAABAAKOyA/uFL9962CR0WXC73IA==
    caps mds = "allow *"
    caps mon = "allow r, allow command \"auth del\", allow command \"auth caps\", allow command \"auth get\", allow command \"auth get-or-create\""
    caps osd = "allow rw"

2) Ceph client entry in ceph auth:
  1. ceph auth list
    installed auth entries:
    .
    .
    client.manila
    key: AQAJlgRaAAAAABAAKOyA/uFL9962CR0WXC73IA==
    caps: [mds] allow *
    caps: [mon] allow r, allow command "auth del", allow command "auth caps", allow command "auth get", allow command "auth get-or-create"
    caps: [osd] allow rw

3) Make a new copy of the keyring
  1. ceph auth get client.manila -o temp.keyring
    exported keyring for client.manila
  2. sed -e 's/manila/manila2/' -i temp.keyring
  3. cat temp.keyring
    [client.manila2]
    key = AQAJlgRaAAAAABAAKOyA/uFL9962CR0WXC73IA==
    caps mds = "allow *"
    caps mon = "allow r, allow command "auth del", allow command "auth caps", allow command "auth get", allow command "auth get-or-create""
    caps osd = "allow rw"
4) Import the keyring
  1. ceph auth import -i temp.keyring
    imported keyring
5) Display the new client entry
  1. ceph auth get client.manila2
    exported keyring for client.manila2
    [client.manila2]
    key = AQAJlgRaAAAAABAAKOyA/uFL9962CR0WXC73IA==
    caps mds = "allow *"
    caps osd = "allow rw"

The new keyring is imported but the caps are not added and no error is returned to the user.

Keith
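
A simplified model of the two fixes requested above, as an added example (not Ceph's code and not part of the original report): the export escapes embedded quotes, and the import raises on any unparseable line instead of skipping it. The function names, `client.example` and the placeholder key are assumptions, and only the quoted `caps` form shown in the report is handled.

```python
import re

# A quoted value: non-quote characters or backslash escapes between two quotes.
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"\Z')
_SECTION = re.compile(r"\[([^\]\s]+)\]\Z")

def escape_value(value):
    # Backslashes first, so the escapes added for quotes are not doubled.
    return value.replace("\\", "\\\\").replace('"', '\\"')

def render_keyring(entity, key, caps):
    lines = ["[%s]" % entity, "\tkey = %s" % key]
    for service, cap in sorted(caps.items()):
        lines.append('\tcaps %s = "%s"' % (service, escape_value(cap)))
    return "\n".join(lines) + "\n"

def parse_keyring_strict(text):
    """Return {entity: {"key": ..., "caps": {...}}}; raise ValueError on any bad line."""
    entries, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        section = _SECTION.match(line)
        if section:
            current = entries.setdefault(section.group(1), {"key": None, "caps": {}})
            continue
        name, sep, value = (part.strip() for part in line.partition("="))
        quoted = _QUOTED.match(value)
        if current is not None and sep and name == "key" and value:
            current["key"] = value
        elif current is not None and sep and name.startswith("caps ") and quoted:
            current["caps"][name[5:].strip()] = re.sub(r"\\(.)", r"\1", quoted.group(1))
        elif line:  # fail the whole import rather than skip the line
            raise ValueError("line %d: refusing to import: %r" % (lineno, raw))
    return entries

# Constructed sample mirroring the report's caps; the key is a placeholder.
CAPS = {"mds": "allow *", "osd": "allow rw",
        "mon": 'allow r, allow command "auth del", allow command "auth get"'}

def roundtrip_ok():
    text = render_keyring("client.example", "PLACEHOLDERKEY==", CAPS)
    return parse_keyring_strict(text)["client.example"]["caps"] == CAPS

def unescaped_export_rejected():
    # Stripping the backslashes reproduces the unescaped export from the report.
    bad = render_keyring("client.example", "PLACEHOLDERKEY==", CAPS).replace("\\", "")
    try:
        parse_keyring_strict(bad)
    except ValueError:
        return True
    return False
```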


Related issues

Copied to Ceph - Backport #40546: nautilus: Keyrings created by ceph auth get are not suitable for ceph auth import (In Progress)
Copied to Ceph - Backport #40547: mimic: Keyrings created by ceph auth get are not suitable for ceph auth import (In Progress)
Copied to Ceph - Backport #40548: luminous: Keyrings created by ceph auth get are not suitable for ceph auth import (In Progress)

History

#1 Updated by Brad Hubbard 8 months ago

  • Status changed from New to In Progress

#2 Updated by Kefu Chai about 1 month ago

  • Status changed from In Progress to Need Review
  • Assignee set to Kefu Chai
  • Pull request ID set to 28634

#3 Updated by Kefu Chai about 1 month ago

  • Backport set to nautilus, luminous, mimic

#4 Updated by Nathan Cutler about 1 month ago

  • Subject changed from Keyrings created by ceph auth get are not suitable for auth auth import to Keyrings created by ceph auth get are not suitable for ceph auth import

#5 Updated by Kefu Chai 25 days ago

  • Status changed from Need Review to Pending Backport

Only the commit of "auth/KeyRing: escape quotes around commands" needs to be backported.

#6 Updated by Nathan Cutler 25 days ago

  • Copied to Backport #40546: nautilus: Keyrings created by ceph auth get are not suitable for ceph auth import added

#7 Updated by Nathan Cutler 25 days ago

  • Copied to Backport #40547: mimic: Keyrings created by ceph auth get are not suitable for ceph auth import added

#8 Updated by Nathan Cutler 25 days ago

  • Copied to Backport #40548: luminous: Keyrings created by ceph auth get are not suitable for ceph auth import added

#9 Updated by Nathan Cutler 17 days ago

Follow-on fix: https://github.com/ceph/ceph/pull/28776 (does not affect the backports, since the feature as a whole is not being backported)
