Bug #10923

closed

Syntax validation of ceph auth caps

Added by Tyler Bishop about 9 years ago. Updated about 6 years ago.

Status: Duplicate
Priority: Normal
Assignee: -
Category: cephx
Target version: -
% Done: 0%
Source: other
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

Ceph auth caps validation of syntax is weak.

ceph auth caps client.ceph0-nfs0 mon 'allow r' osd 'allow * pool=Backups-Hybrid, allow * pool=General-Storage, allow * Backups-DVS'

Can see it loaded and is available here:

[ceph@ceph0-mon0 ~]$ ceph auth get client.ceph0-nfs0
exported keyring for client.ceph0-nfs0
[client.ceph0-nfs0]
    key = AQB2qOJUSEfXBxAADkvppPquK9ttJrm7UX1IiA==
    caps mon = "allow r" 
    caps osd = "allow * pool=Backups-Hybrid, allow * pool=General-Storage, allow * Backups-DVS" 

But authentication fails for this keyring now.

Correct syntax should be:

ceph auth caps client.ceph0-nfs0 mon 'allow r' osd 'allow * pool=Backups-Hybrid, allow * pool=General-Storage, allow * pool=Backups-DVS'

Loaded:

[ceph@ceph0-mon0 ~]$ ceph auth get client.ceph0-nfs0
exported keyring for client.ceph0-nfs0
[client.ceph0-nfs0]
    key = AQB2qOJUSEfXBxAADkvppPquK9ttJrm7UX1IiA==
    caps mon = "allow r" 
    caps osd = "allow * pool=Backups-Hybrid, allow * pool=General-Storage, allow * pool=Backups-DVS" 

Related issues 2 (0 open, 2 closed)

Has duplicate Ceph - Bug #10974: missing pool= in osd caps is validated but breaks access (Duplicate, 02/27/2015)
Is duplicate of RADOS - Bug #22525: auth: ceph auth add does not sanity-check caps (Resolved, 12/21/2017)

Actions #1

Updated by Josh Durgin about 9 years ago

In the past we haven't done this since different versions of monitors + osds may not have the same caps syntax, and the monitors store the caps, while the osds enforce them.

I think it's worth doing though. A simple first step could be trying to parse the caps in the monitors and returning an error if that fails and the relevant daemons are currently the same version as the monitors, but if there are version differences returning a warning string and reporting success.
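
An added illustration, not part of this tracker thread and not Ceph's own code: a pre-flight lint that parses an OSD cap string before it is passed to ceph auth caps and flags the malformed grant from this report. It accepts only a strict subset of the syntax, `allow <perms> [pool=<name>] [namespace=<name>]`, which is an assumption of this example; `lint_osd_caps` is a hypothetical helper name.

```python
import re

# Strict subset of the OSD cap syntax (an assumption of this example, not
# Ceph's real grammar): "allow <perms> [pool=<name>] [namespace=<name>]".
PERMS = re.compile(r"^(\*|[rwx]+|class-read|class-write)$")
QUALIFIER = re.compile(r"^(pool|namespace)=([A-Za-z0-9_.\-]+)$")


def lint_osd_caps(caps):
    """Return a list of (grant_index, grant_text, problem); empty means OK."""
    problems = []
    for idx, grant in enumerate(caps.split(","), start=1):
        text = grant.strip()
        tokens = text.split()
        if not tokens:
            problems.append((idx, text, "empty grant"))
            continue
        if tokens[0] != "allow":
            problems.append((idx, text, "grant does not start with 'allow'"))
            continue
        if len(tokens) < 2 or not PERMS.match(tokens[1]):
            problems.append((idx, text, "missing or unrecognised permission"))
            continue
        seen = set()
        for tok in tokens[2:]:
            m = QUALIFIER.match(tok)
            if not m:
                # A bare word after the permission is what this ticket hit.
                problems.append((idx, text, f"unexpected token {tok!r} (missing 'pool='?)"))
                break
            if m.group(1) in seen:
                problems.append((idx, text, f"duplicate qualifier {m.group(1)!r}"))
                break
            seen.add(m.group(1))
    return problems


# The two cap strings from this ticket.
BAD = "allow * pool=Backups-Hybrid, allow * pool=General-Storage, allow * Backups-DVS"
GOOD = "allow * pool=Backups-Hybrid, allow * pool=General-Storage, allow * pool=Backups-DVS"

if __name__ == "__main__":
    for caps in (BAD, GOOD):
        issues = lint_osd_caps(caps)
        print("OK" if not issues else issues)
```

Cap forms outside this subset are reported as problems and need manual review rather than being treated as invalid Ceph syntax.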

Actions #2

Updated by Greg Farnum almost 7 years ago

  • Category set to cephx
Actions #3

Updated by Greg Farnum almost 7 years ago

  • Has duplicate Bug #10974: missing pool= in osd caps is validated but breaks access added
Actions #4

Updated by Patrick Donnelly about 6 years ago

  • Is duplicate of Bug #22525: auth: ceph auth add does not sanity-check caps added
Actions #5

Updated by Patrick Donnelly about 6 years ago

  • Status changed from New to Duplicate