Bug #64147
Adding "network {CIDR}" constraint to mgr caps causes some commands to fail with EACCESS
Status: New
Priority: Normal
Assignee: -
Category: cephx
Target version: -
% Done: 0%
Source: Community (user)
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Description
If a Ceph client's mgr caps are constrained with [network {CIDR}] like in the example:
    [client.foo]
        caps mds = "allow * network 10.0.0.0/8"
        caps mgr = "allow * network 10.0.0.0/8"
        caps mon = "allow * network 10.0.0.0/8"
        caps osd = "allow * network 10.0.0.0/8"
then certain ceph CLI subcommands fail with Error EACCES. I haven't tried too many but I found at least:
    $ ceph osd pool stats
    Error EACCES: access denied: does your client key have mgr caps? See http://docs.ceph.com/en/latest/mgr/administrator/#client-authentication
    $ ceph pg dump
    Error EACCES: access denied: does your client key have mgr caps? See http://docs.ceph.com/en/latest/mgr/administrator/#client-authentication
After removing the network constraint just from mgr caps everything works.
Might this be caused by ceph-mgr forwarding requests to other daemons using the client's auth token and hence coming from an IP outside of the allowed network?
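Added example, not part of the original report and not Ceph's own cap parser: a simplified model of the `network {CIDR}` clause that reports which daemon types' caps would reject a request arriving from a given source address, which is the situation the closing question supposes. It assumes grants within a cap string are separated by `,`; the source addresses in the comments and the function names are constructed for illustration.

```python
import ipaddress
import re

# Keyring entry taken from the report's example.
KEYRING = '''
[client.foo]
    caps mds = "allow * network 10.0.0.0/8"
    caps mgr = "allow * network 10.0.0.0/8"
    caps mon = "allow * network 10.0.0.0/8"
    caps osd = "allow * network 10.0.0.0/8"
'''

CAP_LINE = re.compile(r'^\s*caps\s+(\w+)\s*=\s*"(.*)"\s*$')
NETWORK = re.compile(r'\bnetwork\s+(\S+)')


def parse_caps(keyring):
    """Map daemon type -> one entry per grant: an ip_network, or None
    when the grant carries no network constraint (simplified model)."""
    caps = {}
    for line in keyring.splitlines():
        m = CAP_LINE.match(line)
        if not m:
            continue
        grants = []
        for grant in m.group(2).split(','):
            n = NETWORK.search(grant)
            grants.append(
                ipaddress.ip_network(n.group(1), strict=False) if n else None)
        caps[m.group(1)] = grants
    return caps


def daemons_rejecting(caps, source_ip):
    """Daemon types for which no grant applies to a peer at source_ip."""
    addr = ipaddress.ip_address(source_ip)
    return sorted(
        daemon for daemon, grants in caps.items()
        if not any(net is None or addr in net for net in grants))


if __name__ == "__main__":
    caps = parse_caps(KEYRING)
    # Constructed addresses: one inside 10.0.0.0/8, one outside it.
    for src in ("10.1.2.3", "192.168.5.20"):
        print(src, "rejected by:", daemons_rejecting(caps, src) or "none")
```

Running it against the addresses the cluster daemons actually use shows whether any of them falls outside the CIDR placed in the caps.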