Bug #22227
Keyrings created by ceph auth get are not suitable for ceph auth import (closed)
Description
The ceph auth get process creates a keyring file which is not suitable for usage in ceph auth import.
This occurs when the original client entry has permissions enabled, such as allow command.
Fixes needed:
1) ceph auth get should return a keyring which can be used in ceph auth import. It should escape any embedded quotes.
2) ceph auth import should return an error if any parsing error occurs. It should fail to import the keyring instead of partially importing an invalid keyring.
Example:
1) Ceph keyring in the file system:
- cat /etc/ceph/ceph.client.manila.keyring
[client.manila]
key = AQAJlgRaAAAAABAAKOyA/uFL9962CR0WXC73IA==
caps mds = "allow *"
caps mon = "allow r, allow command \"auth del\", allow command \"auth caps\", allow command \"auth get\", allow command \"auth get-or-create\""
caps osd = "allow rw"
2) Ceph client entry in ceph auth
- ceph auth list
installed auth entries:
.
.
client.manila
key: AQAJlgRaAAAAABAAKOyA/uFL9962CR0WXC73IA==
caps: [mds] allow *
caps: [mon] allow r, allow command "auth del", allow command "auth caps", allow command "auth get", allow command "auth get-or-create"
caps: [osd] allow rw
- ceph auth get client.manila -o temp.keyring
exported keyring for client.manila
- sed -e 's/manila/manila2/' -i temp.keyring
- cat temp.keyring
[client.manila2]
key = AQAJlgRaAAAAABAAKOyA/uFL9962CR0WXC73IA==
caps mds = "allow *"
caps mon = "allow r, allow command "auth del", allow command "auth caps", allow command "auth get", allow command "auth get-or-create""
caps osd = "allow rw"
- ceph auth import -i temp.keyring
imported keyring
- ceph auth get client.manila2
exported keyring for client.manila2
[client.manila2]
key = AQAJlgRaAAAAABAAKOyA/uFL9962CR0WXC73IA==
caps mds = "allow *"
caps osd = "allow rw"
The new keyring is imported but the caps are not added and no error is returned to the user.
Keith
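The two fixes requested in the description, shown as an added Python example (not Ceph's own code and not taken from the linked pull requests): a writer that escapes embedded quotes, and an all-or-nothing reader that rejects a keyring instead of silently dropping a caps line. The backslash-escaping convention follows the first keyring in the report; the function names, the placeholder key and the sample data are assumptions constructed for illustration.

```python
import re

SECTION = re.compile(r'^\[([^\]]+)\]$')
SETTING = re.compile(r'^([^=]+?)\s*=\s*(.*)$')
# Constructed sample data; the key is a placeholder, not a real secret.
MON_CAPS = 'allow r, allow command "auth del", allow command "auth get"'
BROKEN_EXPORT = ('[client.manila2]\n'
                 'key = AAAAconstructedPLACEHOLDERkey==\n'
                 'caps mon = "' + MON_CAPS + '"\n')  # embedded quotes unescaped

def quote_value(value):
    """Writer side: escape backslashes and embedded quotes, then wrap."""
    return '"' + value.replace('\\', '\\\\').replace('"', '\\"') + '"'

def unquote_value(raw):
    """Reader side: strict inverse of quote_value; raises instead of truncating."""
    # Between the outer quotes only escaped pairs or non-quote, non-backslash chars.
    if not re.fullmatch(r'"(?:\\.|[^"\\])*"', raw):
        raise ValueError('missing, unescaped or unterminated quote')
    return re.sub(r'\\(.)', r'\1', raw[1:-1])

def render_keyring(entries):
    """Serialise {entity: {setting: value}}, quoting every caps value."""
    lines = []
    for entity, settings in entries.items():
        lines.append(f'[{entity}]')
        lines += [f'\t{k} = {quote_value(v) if k.startswith("caps ") else v}'
                  for k, v in settings.items()]
    return '\n'.join(lines) + '\n'

def parse_keyring(text):
    """All-or-nothing parse: one malformed line rejects the whole keyring."""
    entries, entity = {}, None
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        section, setting = SECTION.match(line), SETTING.match(line)
        if section:
            entity = section.group(1)
            entries[entity] = {}
        elif setting and entity is not None:
            key, raw = setting.groups()
            try:
                entries[entity][key] = unquote_value(raw) if raw[:1] == '"' else raw
            except ValueError as err:
                raise ValueError(f'line {lineno} ({key}): {err}') from None
        elif line:
            raise ValueError(f'line {lineno}: not a section or setting')
    return entries
```

Comparing the parsed caps of an exported file against the source entity before running an import catches the silent privilege loss shown in the report.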
Updated by Brad Hubbard over 5 years ago
- Status changed from New to In Progress
Please check https://github.com/ceph/ceph/pull/20610 (closed)
Updated by Kefu Chai almost 5 years ago
- Status changed from In Progress to Fix Under Review
- Assignee set to Kefu Chai
- Pull request ID set to 28634
Updated by Kefu Chai almost 5 years ago
- Backport set to nautilus, luminous, mimic
Updated by Nathan Cutler almost 5 years ago
- Subject changed from Keyrings created by ceph auth get are not suitable for auth auth import to Keyrings created by ceph auth get are not suitable for ceph auth import
Updated by Kefu Chai almost 5 years ago
- Status changed from Fix Under Review to Pending Backport
only the commit of "auth/KeyRing: escape quotes around commands" needs to be backported.
Updated by Nathan Cutler almost 5 years ago
- Copied to Backport #40546: nautilus: Keyrings created by ceph auth get are not suitable for ceph auth import added
Updated by Nathan Cutler almost 5 years ago
- Copied to Backport #40547: mimic: Keyrings created by ceph auth get are not suitable for ceph auth import added
Updated by Nathan Cutler almost 5 years ago
- Copied to Backport #40548: luminous: Keyrings created by ceph auth get are not suitable for ceph auth import added
Updated by Nathan Cutler almost 5 years ago
Follow-on fix: https://github.com/ceph/ceph/pull/28776 (does not affect the backports, since the feature as a whole is not being backported)
Updated by Nathan Cutler over 4 years ago
- Status changed from Pending Backport to Resolved
While running with --resolve-parent, the script "backport-create-issue" noticed that all backports of this issue are in status "Resolved".