Bug #64147

open

Adding "network {CIDR}" constraint to mgr caps causes some commands to fail with EACCESS

Added by Tomasz Kuzemko 3 months ago.

Status: New
Priority: Normal
Assignee: -
Category: cephx
Target version: -
% Done: 0%
Source: Community (user)
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

If a Ceph client's mgr caps are constrained with [network {CIDR}] like in the example:

[client.foo]
        caps mds = "allow * network 10.0.0.0/8" 
        caps mgr = "allow * network 10.0.0.0/8" 
        caps mon = "allow * network 10.0.0.0/8" 
        caps osd = "allow * network 10.0.0.0/8" 

then certain ceph CLI subcommands fail with Error EACCES. I haven't tried too many but I found at least:

$ ceph osd pool stats
Error EACCES: access denied: does your client key have mgr caps? See http://docs.ceph.com/en/latest/mgr/administrator/#client-authentication

$ ceph pg dump
Error EACCES: access denied: does your client key have mgr caps? See http://docs.ceph.com/en/latest/mgr/administrator/#client-authentication

After removing the network constraint just from mgr caps everything works.

Might this be caused by ceph-mgr forwarding requests to other daemons using the client's auth token and hence coming from an IP outside of the allowed network?
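
An added example, not part of the original report and not Ceph's own code: a simplified Python model of how a `network {CIDR}` constraint limits a cap grant to the peer address the daemon sees, using the keyring entry from the report. The parsing rules, function names and peer addresses are assumptions made for illustration, and the model does not establish the cause of this bug.

```python
import ipaddress
import re

# Keyring entry as posted in the report above.
KEYRING = '''
[client.foo]
        caps mds = "allow * network 10.0.0.0/8"
        caps mgr = "allow * network 10.0.0.0/8"
        caps mon = "allow * network 10.0.0.0/8"
        caps osd = "allow * network 10.0.0.0/8"
'''

CAP_LINE = re.compile(r'^\s*caps\s+(\w+)\s*=\s*"([^"]*)"\s*$')
NETWORK = re.compile(r'\bnetwork\s+(\S+)\s*$')


def parse_caps(keyring):
    """Return {service: [(grant_text, network_or_None), ...]} (simplified grammar)."""
    caps = {}
    for line in keyring.splitlines():
        m = CAP_LINE.match(line)
        if not m:
            continue
        service, spec = m.groups()
        grants = []
        for grant in (g.strip() for g in spec.split(',')):
            if not grant:
                continue
            n = NETWORK.search(grant)
            # strict=False tolerates host bits set in the CIDR, e.g. 10.1.2.3/8
            net = ipaddress.ip_network(n.group(1), strict=False) if n else None
            grants.append((grant, net))
        caps[service] = grants
    return caps


def grant_applies(caps, service, peer_addr):
    """True if at least one grant for `service` is usable from `peer_addr`.

    A grant without a network constraint applies from any address; a grant
    with one applies only when the peer address falls inside the CIDR.
    """
    peer = ipaddress.ip_address(peer_addr)
    return any(net is None or peer in net for _, net in caps.get(service, []))
```

Comparing `grant_applies(caps, "mgr", addr)` for the address the client connects from and for the address a given daemon actually sees as the peer shows whether the constraint, rather than the cap itself, would account for a denial.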
