Bug #22525
auth: ceph auth add does not sanity-check caps (closed)
Status: Resolved
Priority: Normal
Assignee: -
Category: Administration/Usability
% Done: 0%
Source: Community (dev)
Backport: luminous, jewel
Regression: No
Severity: 3 - minor
Description
When adding a keyring with "ceph auth add -i <keyring> <entity>", it does not verify that the contained capability strings are actually valid.
While ignoring unknown sections and keys makes sense, caps are not verified at all.
The value of "key" gets validated properly, so this also needs to happen for caps.
Example:
broken.keyring:

    [client.admin.demo]
    key = AQCrjzta94LYNhAA+vNRhX44iXR3HJ8Ze5QVA==
    auid = 0
    caps mds = "asdfjkl"

Adding this keyring results in "added key for client.admin.demo".
This obviously results in errors later in the process.
This was discovered by a user who had a typo in the "caps mds" string, writing "allow " with trailing space instead of "allow".
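
A pre-import lint for the situation in this report, as an added example that is not part of the original ticket and not Ceph's own code. It applies a deliberately simplified rule that is an assumption, not Ceph's cap grammar: each grant starts with `allow` or `profile`, the value has no surrounding whitespace, and the service is one of mon/osd/mds/mgr. The `lint_keyring` helper and the sample keyring are constructed for illustration.

```python
import re
# Assumption: a deliberately simplified, strict lint, NOT Ceph's cap grammar.
KNOWN_SERVICES = {"mon", "osd", "mds", "mgr"}
GRANT_RE = re.compile(r"^(allow(\s+\S.*)?|profile\s+\S.*)$")
SECTION_RE = re.compile(r"^\[(.+)\]$")
CAPS_RE = re.compile(r"^caps\s+(\S+)\s*=\s*(.*)$")

# Constructed sample: first entity mirrors the report, second has the "allow " typo.
SAMPLE = '''
[client.admin.demo]
    key = <placeholder-key>
    auid = 0
    caps mds = "asdfjkl"
[client.typo]
    key = <placeholder-key>
    caps mds = "allow "
    caps mon = "allow r"
    caps osd = "allow rwx pool=data"
'''

def lint_keyring(text):
    """Return (entity, service, problem) tuples for caps that look wrong."""
    findings = []
    entity = None
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            entity = section.group(1)
            continue
        caps = CAPS_RE.match(line)
        if not caps:
            continue  # key, auid and unknown keys are not checked here
        service, value = caps.groups()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # drop quotes, keep inner whitespace
        if service not in KNOWN_SERVICES:
            findings.append((entity, service, "unknown service type"))
        if value != value.strip():
            findings.append((entity, service, "leading/trailing whitespace"))
        for grant in re.split(r"[,;]", value.strip()):
            if not GRANT_RE.match(grant.strip()):
                findings.append((entity, service, "bad grant: %r" % grant.strip()))
    return findings

if __name__ == "__main__":
    for finding in lint_keyring(SAMPLE):
        print(*finding, sep=": ")
```

Running a check like this on the keyring file before `ceph auth add -i` surfaces the problem at import time instead of later in the process.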