Bug #22525

auth: ceph auth add does not sanity-check caps

Added by Fabian Vogt over 1 year ago. Updated 5 months ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Administration/Usability
Target version:
Start date: 12/21/2017
Due date:
% Done: 0%
Source: Community (dev)
Tags:
Backport: luminous, jewel
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Component(RADOS):
Pull request ID:

Description

When adding a keyring with "ceph auth add -i <keyring> <entity>", it does not verify that the contained capability strings are actually valid.
While ignoring unknown sections and keys makes sense, caps are not verified at all.
The value of "key" gets validated properly, so this also needs to happen for caps.

Example:

broken.keyring:

[client.admin.demo]
    key = AQCrjzta94LYNhAA+vNRhX44iXR3HJ8Ze5QVA==
    auid = 0
    caps mds = "asdfjkl" 

Adding this keyring results in "added key for client.admin.demo".

This obviously results in errors later in the process.
This was discovered by a user who had a typo in the "caps mds" string, writing "allow " with trailing space instead of "allow".
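
Added example (not part of the original report and not Ceph's own code): a pre-import lint that an administrator could run on a keyring file before "ceph auth add -i", flagging the two cases described above. It assumes, as a conservative approximation rather than Ceph's real capability grammar, that grants are comma-separated and each starts with the word "allow" or "profile"; the function names and the sample keyring are constructed for illustration.

```python
import re

# Constructed sample modelled on the report's broken.keyring; the key is a placeholder.
SAMPLE = """\
[client.admin.demo]
    key = <placeholder-key>
    caps mds = "asdfjkl"
    caps mon = "allow r"
    caps osd = "allow rw pool=data, allow "
"""

SECTION = re.compile(r'^\[(?P<entity>[^\]]+)\]$')
CAPS = re.compile(r'^caps\s+(?P<svc>[^\s=]+)\s*=\s*(?P<val>.*)$')
# Assumption: every grant begins with the whole word "allow" or "profile".
GRANT_HEAD = re.compile(r'^(allow|profile)(\s|$)')

def lint_caps(value):
    """Return a list of problems for one caps string (empty list = passes)."""
    problems = []
    if value != value.strip():
        # The typo from the report: "allow " instead of "allow".
        problems.append("leading or trailing whitespace")
    for grant in value.split(","):
        if not GRANT_HEAD.match(grant.strip()):
            problems.append(f"grant {grant.strip()!r} does not start with allow/profile")
    return problems

def lint_keyring(text):
    """Return (entity, service, problem) tuples for every suspicious caps line."""
    entity, findings = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SECTION.match(line)):
            entity = m.group("entity")
        elif (m := CAPS.match(line)):
            val = m.group("val")
            # Strip one pair of surrounding quotes, keeping whitespace inside them.
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]
            findings += [(entity, m.group("svc"), p) for p in lint_caps(val)]
    return findings

if __name__ == "__main__":
    for entity, svc, problem in lint_keyring(SAMPLE):
        print(f"{entity}: caps {svc}: {problem}")
```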


Related issues

Related to Ceph - Bug #22784: Key exported from auth keyring is not imported properly Need Review 01/24/2018
Duplicated by Ceph - Bug #10923: Syntax validation of ceph auth caps Duplicate 02/20/2015
Duplicated by fs - Bug #23191: Improve UX when permissions are misconfigured Duplicate 03/01/2018
Copied to RADOS - Backport #23670: luminous: auth: ceph auth add does not sanity-check caps Resolved
Copied to RADOS - Backport #23673: jewel: auth: ceph auth add does not sanity-check caps Resolved

History

#2 Updated by Patrick Donnelly over 1 year ago

  • Project changed from Ceph to RADOS

#3 Updated by Jos Collin over 1 year ago

  • Status changed from New to Need Review

#4 Updated by Nathan Cutler over 1 year ago

  • Related to Bug #22784: Key exported from auth keyring is not imported properly added

#5 Updated by Patrick Donnelly over 1 year ago

  • Duplicated by Bug #10923: Syntax validation of ceph auth caps added

#6 Updated by Patrick Donnelly over 1 year ago

  • Duplicated by Bug #23191: Improve UX when permissions are misconfigured added

#7 Updated by Patrick Donnelly over 1 year ago

  • Subject changed from ceph auth add does not sanity-check caps to auth: ceph auth add does not sanity-check caps
  • Category set to Administration/Usability
  • Target version set to v13.0.0
  • Source set to Community (dev)
  • Release deleted (jewel)
  • Release deleted (master)
  • Release deleted (kraken)
  • Release deleted (luminous)

#9 Updated by Nathan Cutler over 1 year ago

  • Backport set to luminous

#10 Updated by Nathan Cutler over 1 year ago

  • Status changed from Need Review to Pending Backport

#11 Updated by Nathan Cutler over 1 year ago

  • Copied to Backport #23670: luminous: auth: ceph auth add does not sanity-check caps added

#12 Updated by Nathan Cutler over 1 year ago

  • Backport changed from luminous to luminous, jewel

#13 Updated by Nathan Cutler over 1 year ago

  • Copied to Backport #23673: jewel: auth: ceph auth add does not sanity-check caps added

#14 Updated by Nathan Cutler 5 months ago

  • Status changed from Pending Backport to Resolved
