Bug #22227
Keyrings created by ceph auth get are not suitable for ceph auth import
Status: closed
Description
The ceph auth get process creates a keyring file which is not suitable for usage in ceph auth import.
This occurs when the original client entry has permissions enabled such as allow command.
Fixes needed:
1) ceph auth get should return a keyring which can be used in ceph auth import. It should escape any embedded quotes.
2) ceph auth import should return an error if any parsing error occurs. It should fail to import the keyring instead of partially importing an invalid keyring.
Example:
1) Ceph keyring in the file system:
- cat /etc/ceph/ceph.client.manila.keyring
[client.manila]
key = AQAJlgRaAAAAABAAKOyA/uFL9962CR0WXC73IA==
caps mds = "allow *"
caps mon = "allow r, allow command \"auth del\", allow command \"auth caps\", allow command \"auth get\", allow command \"auth get-or-create\""
caps osd = "allow rw"
2) Ceph client entry in ceph auth
- ceph auth list
installed auth entries:
.
.
client.manila
key: AQAJlgRaAAAAABAAKOyA/uFL9962CR0WXC73IA==
caps: [mds] allow *
caps: [mon] allow r, allow command "auth del", allow command "auth caps", allow command "auth get", allow command "auth get-or-create"
caps: [osd] allow rw
- ceph auth get client.manila -o temp.keyring
exported keyring for client.manila
- sed -e 's/manila/manila2/' -i temp.keyring
- cat temp.keyring
[client.manila2]
key = AQAJlgRaAAAAABAAKOyA/uFL9962CR0WXC73IA==
caps mds = "allow *"
caps mon = "allow r, allow command "auth del", allow command "auth caps", allow command "auth get", allow command "auth get-or-create""
caps osd = "allow rw"
- ceph auth import -i temp.keyring
imported keyring
- ceph auth get client.manila2
exported keyring for client.manila2
[client.manila2]
key = AQAJlgRaAAAAABAAKOyA/uFL9962CR0WXC73IA==
caps mds = "allow *"
caps osd = "allow rw"
The new keyring is imported but the caps are not added and no error is returned to the user.
Keith
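
The two fixes requested above, as an added Python example that is not Ceph's code and not part of the original report: a writer that escapes embedded quotes and a parser that rejects the whole keyring on any malformed line instead of dropping the caps. The function names, the rule that caps values must be double-quoted, and MON_CAPS (shortened from the report's output) are assumptions made for illustration.

```python
import re

# A quoted value: opening quote, then escaped chars or non-quote chars, closing quote.
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"$')

# Constructed sample, shortened from the mon caps in the report's `ceph auth list` output.
MON_CAPS = 'allow r, allow command "auth del", allow command "auth caps"'

def escape_value(value):
    """Escape backslashes and embedded double quotes for a quoted keyring value."""
    return value.replace("\\", "\\\\").replace('"', '\\"')

def format_keyring(entity, key, caps):
    """Write an entry in the layout shown in the report, escaping each cap string."""
    lines = ["[%s]" % entity, "key = %s" % key]
    for svc in sorted(caps):
        lines.append('caps %s = "%s"' % (svc, escape_value(caps[svc])))
    return "\n".join(lines) + "\n"

def parse_keyring_strict(text):
    """Parse a keyring; raise ValueError on any line that does not parse cleanly."""
    entries, current = {}, None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = entries.setdefault(line[1:-1], {"key": None, "caps": {}})
            continue
        name, sep, value = line.partition("=")
        name, value = name.strip(), value.strip()
        if current is None or not sep:
            raise ValueError("line %d: not a section header or name = value" % n)
        if name == "key":
            current["key"] = value
        elif name.startswith("caps "):
            m = _QUOTED.match(value)
            if m is None:
                # Fail the whole import rather than silently losing this cap.
                raise ValueError("line %d: unescaped quote in %r" % (n, name))
            current["caps"][name[5:].strip()] = re.sub(r"\\(.)", r"\1", m.group(1))
        else:
            raise ValueError("line %d: unknown field %r" % (n, name))
    return entries
```

Running the strict parser over an exported keyring before import surfaces the malformed caps mon line as an error, where the report shows the import succeeding with the mon caps missing.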