Project

General

Profile

Feature #23096

mon: don't remove auth caps without a flag

Added by Greg Farnum over 1 year ago. Updated over 1 year ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Administration/Usability
Target version:
-
Start date:
02/22/2018
Due date:
% Done:

0%

Source:
Tags:
Backport:
Reviewed:
Affected Versions:
Component(RADOS):
Monitor, ceph cli
Pull request ID:

Description

With current syntax, something like

ceph auth caps client.cinder mon "allow rw"

will strip client.cinder of any non-monitor caps it may have.

We should instead only modify caps which are named on the command line, unless a flag is passed to preserve the old behavior.

History

#1 Updated by John Spray over 1 year ago

Bit torn on this one: there is a security downside to changing this behaviour in-place -- any existing scripts that expected to erase pre-existing caps when writing new ones would potentially leave extra caps. On the other hand, the CLI is not a stable API, so we should be allowed to change things.

We could change the existing command to give an error if a user had caps for some daemons, but those daemon's weren't specified in the command, and tell them to explicitly do something like

auth caps client.cinder mon "allow rw" osd ""
if they really intended to blow away the OSD caps.

The long term solution is to have higher level commands that don't require users to know auth cap syntax, like "ceph fs authorize" etc.

#2 Updated by Greg Farnum over 1 year ago

We could throw an error instead, yeah. That is probably a wise forcing function. I think we still want the flag though, because it's an easier update for the scripts. And maybe another flag to tell it to update only the specified cap group (because getting caps in and out via the CLI can sometimes be tedious with the escaping).

Also available in: Atom PDF