Project

General

Profile

Bug #42381

cephfs: metadata pool cephx cap does not have permissions

Added by Patrick Donnelly 9 months ago. Updated 9 months ago.

Status:
Rejected
Priority:
Immediate
Assignee:
Category:
-
Target version:
% Done:

0%

Source:
Development
Tags:
Backport:
nautilus
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Component(FS):
Labels (FS):
Pull request ID:
Crash signature:

Description

$ ceph auth get-or-create client.csi-cephfs-provisioner mon 'allow r' mgr 'allow rw' osd 'allow rw tag cephfs meta=*' >> keyring
$ rados --name client.csi-cephfs-provisioner -p cephfs.a.meta ls
rados_nobjects_list_next: Operation not permitted

Changing it to a normal MDS cap:

$ ceph auth get-or-create client.csi-cephfs-provisioner2 mon 'allow r' mgr 'allow rw' osd 'allow rw tag cephfs *=*' >> keyring
$ rados --name client.csi-cephfs-provisioner2 -p cephfs.a.meta ls
601.00000000
602.00000000
600.00000000
603.00000000
1.00000000.inode
200.00000000
200.00000001
606.00000000
607.00000000
mds0_openfiles.0
608.00000000
604.00000000
500.00000000
mds_snaptable
605.00000000
mds0_inotable
100.00000000
mds0_sessionmap
609.00000000
400.00000000
100.00000000.inode
1.00000000

Found by Rook testing: https://github.com/rook/rook/pull/4086#issuecomment-543859860

History

#1 Updated by Patrick Donnelly 9 months ago

  • Status changed from New to Rejected

We had the syntax wrong:

pdonnell@senta02 ~/ceph/build$ bin/ceph auth get-or-create client.csi-cephfs-provisioner3 mon 'allow r' mgr 'allow rw' osd 'allow rw tag cephfs metadata=*' >> keyring 
pdonnell@senta02 ~/ceph/build$ bin/rados --name client.csi-cephfs-provisioner3 -p cephfs.a.meta ls
601.00000000
602.00000000
600.00000000
603.00000000
1.00000000.inode
200.00000000
200.00000001
606.00000000
607.00000000
mds0_openfiles.0
608.00000000
604.00000000
500.00000000
mds_snaptable
605.00000000
mds0_inotable
100.00000000
mds0_sessionmap
609.00000000
400.00000000
100.00000000.inode
1.00000000

Also available in: Atom PDF