Project

General

Profile

Bug #22227

Keyrings created by ceph auth get are not suitable for ceph auth import

Added by Keith Schincke over 6 years ago. Updated over 4 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
ceph cli
Target version:
-
% Done:

0%

Source:
Tags:
Backport:
nautilus, luminous, mimic
Regression:
No
Severity:
2 - major
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

The ceph auth get process creates a keyring file which is not suitable for usage in ceph auth import.
This occurs when the original client entry has permissions enable such as allow command.

Fixes needed:
1) ceph auth get should return a keyring which can be used in ceph auth import. It should escape any embedded quotes
2) ceph auth import should return an error if any parsing error occurs. It should fail to import the keyring instead of partially importing an invalid keyring.

Example:

1) Ceph keyring in the file system:
  1. cat /etc/ceph/ceph.client.manila.keyring
    [client.manila]
    key = AQAJlgRaAAAAABAAKOyA/uFL9962CR0WXC73IA==
    caps mds = "allow *"
    caps mon = "allow r, allow command \"auth del\", allow command \"auth caps\", allow command \"auth get\", allow command \"auth get-or-create\""
    caps osd = "allow rw"

2) Ceph client entry in ceph auth

  1. ceph auth list
    installed auth entries:

.
.
client.manila
key: AQAJlgRaAAAAABAAKOyA/uFL9962CR0WXC73IA==
caps: [mds] allow *
caps: [mon] allow r, allow command "auth del", allow command "auth caps", allow command "auth get", allow command "auth get-or-create"
caps: [osd] allow rw

3) Make a new copy of the keyring
  1. ceph auth get client.manila -o temp.keyring
    exported keyring for client.manila
  2. sed -e 's/manila/manila2/' -i temp.keyring
  3. cat temp.keyring
    [client.manila2]
    key = AQAJlgRaAAAAABAAKOyA/uFL9962CR0WXC73IA==
    caps mds = "allow *"
    caps mon = "allow r, allow command "auth del", allow command "auth caps", allow command "auth get", allow command "auth get-or-create""
    caps osd = "allow rw"
4) Import the keyring
  1. ceph auth import -i temp.keyring
    imported keyring
5) Display the new client entry
  1. ceph auth get client.manila2
    exported keyring for client.manila2
    [client.manila2]
    key = AQAJlgRaAAAAABAAKOyA/uFL9962CR0WXC73IA==
    caps mds = "allow *"
    caps osd = "allow rw"

The new keyring is imported but the caps are not added and no error is returned to the user.

Keith


Related issues

Copied to Ceph - Backport #40546: nautilus: Keyrings created by ceph auth get are not suitable for ceph auth import Resolved
Copied to Ceph - Backport #40547: mimic: Keyrings created by ceph auth get are not suitable for ceph auth import Resolved
Copied to Ceph - Backport #40548: luminous: Keyrings created by ceph auth get are not suitable for ceph auth import Resolved

History

#1 Updated by Brad Hubbard over 5 years ago

  • Status changed from New to In Progress

#2 Updated by Kefu Chai almost 5 years ago

  • Status changed from In Progress to Fix Under Review
  • Assignee set to Kefu Chai
  • Pull request ID set to 28634

#3 Updated by Kefu Chai almost 5 years ago

  • Backport set to nautilus, luminous, mimic

#4 Updated by Nathan Cutler almost 5 years ago

  • Subject changed from Keyrings created by ceph auth get are not suitable for auth auth import to Keyrings created by ceph auth get are not suitable for ceph auth import

#5 Updated by Kefu Chai almost 5 years ago

  • Status changed from Fix Under Review to Pending Backport

only the commit of "auth/KeyRing: escape quotes around commands" needs to be backported.

#6 Updated by Nathan Cutler almost 5 years ago

  • Copied to Backport #40546: nautilus: Keyrings created by ceph auth get are not suitable for ceph auth import added

#7 Updated by Nathan Cutler almost 5 years ago

  • Copied to Backport #40547: mimic: Keyrings created by ceph auth get are not suitable for ceph auth import added

#8 Updated by Nathan Cutler almost 5 years ago

  • Copied to Backport #40548: luminous: Keyrings created by ceph auth get are not suitable for ceph auth import added

#9 Updated by Nathan Cutler over 4 years ago

Follow-on fix: https://github.com/ceph/ceph/pull/28776 (does not affect the backports, since the feature as a whole is not being backported)

#10 Updated by Nathan Cutler over 4 years ago

  • Status changed from Pending Backport to Resolved

While running with --resolve-parent, the script "backport-create-issue" noticed that all backports of this issue are in status "Resolved".

Also available in: Atom PDF