<p>Ceph, https://tracker.ceph.com/, 2018-02-23T11:37:51Z</p>
<p>RADOS - Feature #23096: mon: don't remove auth caps without a flag<br>
https://tracker.ceph.com/issues/23096?journal_id=107910<br>
2018-02-23T11:37:51Z, John Spray (jcspray@gmail.com)</p>
<p>Bit torn on this one: there is a security downside to changing this behaviour in-place -- any existing scripts that expected to erase pre-existing caps when writing new ones would potentially leave extra caps. On the other hand, the CLI is not a stable API, so we should be allowed to change things.</p>
<p>We could change the existing command to give an error if a user had caps for some daemons, but those daemons weren't specified in the command, and tell them to explicitly do something like <pre>auth caps client.cinder mon "allow rw" osd ""</pre> if they really intended to blow away the OSD caps.</p>
<p>The long-term solution is to have higher level commands that don't require users to know auth cap syntax, like "ceph fs authorize" etc.</p>
<p>RADOS - Feature #23096: mon: don't remove auth caps without a flag<br>
https://tracker.ceph.com/issues/23096?journal_id=107961<br>
2018-02-23T22:24:21Z, Greg Farnum (gfarnum@redhat.com)</p>
<p>We could throw an error instead, yeah. That is probably a wise forcing function. I think we still want the flag though, because it's an easier update for the scripts. And maybe another flag to tell it to update only the specified cap group (because getting caps in and out via the CLI can sometimes be tedious with the escaping).</p>
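The two behaviours discussed in the comments above (erroring when existing cap groups are left unnamed, and an "update only the specified cap group" mode) can be modelled as a pre-flight check. This is an added example, not Ceph code and not written by either commenter; the function names, the `merge` parameter and the sample caps are assumptions made for illustration.

```python
# Added illustration; not Ceph code. Models the two behaviours proposed in the
# thread for `auth caps`: refuse to silently drop cap groups, or merge instead.

class CapsWouldBeDropped(Exception):
    """Raised when a replace would remove cap groups the caller never named."""


def parse_cap_args(args):
    """Turn CLI-style pairs ['mon', 'allow rw', 'osd', ''] into a dict."""
    if len(args) % 2:
        raise ValueError("caps must be given as <daemon> <capspec> pairs")
    return dict(zip(args[0::2], args[1::2]))


def plan_caps_update(existing, args, merge=False):
    """Return the cap set that should be written for an entity.

    existing: current caps, e.g. {'mon': 'allow r', 'osd': 'allow rwx pool=volumes'}
    args:     <daemon> <capspec> pairs as typed on the command line
    merge:    hypothetical 'update only the specified cap groups' mode
    An explicit empty capspec ('') is treated as an intentional removal.
    """
    requested = parse_cap_args(args)
    if merge:
        result = dict(existing)
        result.update(requested)
    else:
        unnamed = sorted(set(existing) - set(requested))
        if unnamed:
            raise CapsWouldBeDropped(
                "existing caps for %s not specified; pass '<daemon> \"\"' "
                "to remove them on purpose" % ", ".join(unnamed))
        result = dict(requested)
    # Drop groups whose capspec was explicitly emptied.
    return {daemon: spec for daemon, spec in result.items() if spec}


if __name__ == "__main__":
    current = {"mon": "allow r", "osd": "allow rwx pool=volumes"}  # constructed
    try:
        plan_caps_update(current, ["mon", "allow rw"])
    except CapsWouldBeDropped as err:
        print("refused:", err)
    print(plan_caps_update(current, ["mon", "allow rw", "osd", ""]))
    print(plan_caps_update(current, ["mon", "allow rw"], merge=True))
```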