Project

General

Profile

Actions
Copy link

Bug #22525

closed

auth: ceph auth add does not sanity-check caps

Added by Fabian Vogt over 6 years ago. Updated about 5 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Administration/Usability
Target version:
Ceph - v13.0.0
% Done:

0%

Source:
Community (dev)
Tags:
Backport:
luminous, jewel
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Component(RADOS):
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

When adding a keyring with "ceph auth add -i <keyring> <entity>", it does not verify that the contained capability strings are actually valid.
While ignoring unknown sections and keys makes sense, caps are not verified at all.
The value of "key" gets validated properly, so this also needs to happen for caps.

Example:

broken.keyring:

[client.admin.demo]
    key = AQCrjzta94LYNhAA+vNRhX44iXR3HJ8Ze5QVA==
    auid = 0
    caps mds = "asdfjkl"

adding this keyring results in "added key for client.admin.demo".

This obviously results in errors later in the process.
This was discovered by a user who had a typo in the "caps mds" string, writing "allow " with trailing space instead of "allow".

Related issues 5 (1 open4 closed)

Related to Ceph - Bug #22784: Key exported from auth keyring is not imported properlyFix Under Review01/24/2018

Actions
Has duplicate Ceph - Bug #10923: Syntax validation of ceph auth capsDuplicate02/20/2015

Actions
Has duplicate CephFS - Bug #23191: Improve UX when permissions are misconfiguredDuplicate03/01/2018

Actions
Copied to RADOS - Backport #23670: luminous: auth: ceph auth add does not sanity-check capsResolvedKefu ChaiActions
Copied to RADOS - Backport #23673: jewel: auth: ceph auth add does not sanity-check capsResolvedKefu ChaiActions
Actions
Copy link
 #2

Updated by Patrick Donnelly over 6 years ago

  • Project changed from Ceph to RADOS
Actions
Copy link
 #3

Updated by Jos Collin over 6 years ago

  • Status changed from New to Fix Under Review
Actions
Copy link
 #4

Updated by Nathan Cutler about 6 years ago

  • Related to Bug #22784: Key exported from auth keyring is not imported properly added
Actions
Copy link
 #5

Updated by Patrick Donnelly about 6 years ago

  • Has duplicate Bug #10923: Syntax validation of ceph auth caps added
Actions
Copy link
 #6

Updated by Patrick Donnelly about 6 years ago

  • Has duplicate Bug #23191: Improve UX when permissions are misconfigured added
Actions
Copy link
 #7

Updated by Patrick Donnelly about 6 years ago

  • Subject changed from ceph auth add does not sanity-check caps to auth: ceph auth add does not sanity-check caps
  • Category set to Administration/Usability
  • Target version set to v13.0.0
  • Source set to Community (dev)
  • Release deleted (jewel)
  • Release deleted (master)
  • Release deleted (kraken)
  • Release deleted (luminous)
Actions
Copy link
 #9

Updated by Nathan Cutler about 6 years ago

  • Backport set to luminous
Actions
Copy link
 #10

Updated by Nathan Cutler about 6 years ago

  • Status changed from Fix Under Review to Pending Backport
Actions
Copy link
 #11

Updated by Nathan Cutler about 6 years ago

  • Copied to Backport #23670: luminous: auth: ceph auth add does not sanity-check caps added
Actions
Copy link
 #12

Updated by Nathan Cutler about 6 years ago

  • Backport changed from luminous to luminous, jewel
Actions
Copy link
 #13

Updated by Nathan Cutler about 6 years ago

  • Copied to Backport #23673: jewel: auth: ceph auth add does not sanity-check caps added
Actions
Copy link
 #14

Updated by Nathan Cutler about 5 years ago

  • Status changed from Pending Backport to Resolved
Actions
Copy link

Also available in: Atom PDF