Feature #23096
mon: don't remove auth caps without a flag
0%
Description
With current syntax, something like
ceph auth caps client.cinder mon "allow rw"
will strip client.cinder of any non-monitor caps it may have.
We should instead only modify caps which are named on the command line, unless a flag is passed to preserve the old behavior.
History
#1 Updated by John Spray about 6 years ago
Bit torn on this one: there is a security downside to changing this behaviour in-place -- any existing scripts that expected to erase pre-existing caps when writing new ones would potentially leave extra caps. On the other hand, the CLI is not a stable API, so we should be allowed to change things.
We could change the existing command to give an error if a user had caps for some daemons, but those daemon's weren't specified in the command, and tell them to explicitly do something like
auth caps client.cinder mon "allow rw" osd ""if they really intended to blow away the OSD caps.
The long term solution is to have higher level commands that don't require users to know auth cap syntax, like "ceph fs authorize" etc.
#2 Updated by Greg Farnum about 6 years ago
We could throw an error instead, yeah. That is probably a wise forcing function. I think we still want the flag though, because it's an easier update for the scripts. And maybe another flag to tell it to update only the specified cap group (because getting caps in and out via the CLI can sometimes be tedious with the escaping).