Feature #56428: add command "fs deauthorize"
Status: open
Description
Since entity auth keyrings can now hold auth caps for multiple Ceph FSs, it is very tedious and very error-prone to remove caps for a single FS from the keyring. Here's an example from a vstart cluster I have locally:

build$ ./bin/ceph fs ls
name: a, metadata pool: cephfs.a.meta, data pools: [cephfs.a.data ]
name: b, metadata pool: cephfs.b.meta, data pools: [cephfs.b.data ]
name: c, metadata pool: cephfs.c.meta, data pools: [cephfs.c.data ]
name: d, metadata pool: cephfs.d.meta, data pools: [cephfs.d.data ]
build$ ./bin/ceph auth get client.x
[client.x]
	key = AQD8TMpgdaLvEBAAS1IDcMDvIGt1Yw2NYKtjeg==
	caps mds = "allow rw fsname=a, allow rw fsname=b, allow rw fsname=c, allow rw fsname=d"
	caps mon = "allow r fsname=a, allow r fsname=b, allow r fsname=c, allow r fsname=d"
	caps osd = "allow rw tag cephfs data=a, allow rw tag cephfs data=b, allow rw tag cephfs data=c, allow rw tag cephfs data=d"
exported keyring for client.x
The only current way to do it is to use the ceph auth caps command and pass all the new caps:

build$ ./bin/ceph auth caps client.x mon "allow r fsname=a, allow r fsname=b, allow r fsname=c" osd "allow rw tag cephfs data=a, allow rw tag cephfs data=b, allow rw tag cephfs data=c" mds "allow rw fsname=a, allow rw fsname=b, allow rw fsname=c"
updated caps for client.x
build$ ./bin/ceph auth get client.x
[client.x]
	key = AQD8TMpgdaLvEBAAS1IDcMDvIGt1Yw2NYKtjeg==
	caps mds = "allow rw fsname=a, allow rw fsname=b, allow rw fsname=c"
	caps mon = "allow r fsname=a, allow r fsname=b, allow r fsname=c"
	caps osd = "allow rw tag cephfs data=a, allow rw tag cephfs data=b, allow rw tag cephfs data=c"
exported keyring for client.x
The other way of doing this is to copy the keyring to a file, modify that file and pass the file path to ceph auth import -i. But what would make it really short and straightforward, IMO, is something like the following:
./bin/ceph fs deauthorize d client.x
It would have exactly the same effect as the ceph auth caps command above. I think it would also be a good idea to extend this command to take a path:
./bin/ceph fs deauthorize d client.x /dir1/dir2/
In this case, the command would remove only the caps for path /dir1/dir2 for FS "d" from the keyring for the entity "client.x". Every other cap for client.x (both for FS "d" and not for FS "d") would remain unaffected.
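As an added illustration of what the proposed command would have to do under the hood (this is example code written for this note, not Ceph's own implementation), the script below parses the `ceph auth get` dump, drops every mon/mds/osd clause scoped to one FS (or, when a path is given, only the mds clause for that path on that FS), and emits the exact `ceph auth caps` argument list that the ticket currently has to be typed by hand. The keyring text is constructed from the example above with the key replaced by a placeholder; the clause grammar it relies on (`fsname=<fs>` for mon/mds, `tag cephfs data=<fs>` for osd, `path=<dir>` on mds) is the one visible in the ticket, and clauses with no FS scope at all (e.g. a plain `allow r`) are deliberately left untouched because they were not granted by `fs authorize`.

```python
import re
import shlex

# Constructed sample, modelled on the vstart keyring in the ticket; the key is a placeholder.
SAMPLE_KEYRING = """[client.x]
\tkey = KEY_PLACEHOLDER
\tcaps mds = "allow rw fsname=a, allow rw fsname=b, allow rw fsname=c, allow rw fsname=d"
\tcaps mon = "allow r fsname=a, allow r fsname=b, allow r fsname=c, allow r fsname=d"
\tcaps osd = "allow rw tag cephfs data=a, allow rw tag cephfs data=b, allow rw tag cephfs data=c, allow rw tag cephfs data=d"
exported keyring for client.x
"""

CAP_LINE = re.compile(r'^\s*caps\s+(\w+)\s*=\s*"(.*)"\s*$')


def parse_caps(keyring_text):
    """Return {daemon: [clause, ...]} from the output of `ceph auth get <entity>`.

    Clauses are split on ',' as in the cap strings shown in the ticket; this
    assumes no cap clause itself contains a comma.
    """
    caps = {}
    for line in keyring_text.splitlines():
        m = CAP_LINE.match(line)
        if m:
            daemon, capstr = m.groups()
            caps[daemon] = [c.strip() for c in capstr.split(",") if c.strip()]
    return caps


def normalize_path(path):
    """Treat /dir1/dir2/ and /dir1/dir2 as the same path; '/' stays '/'."""
    return path.rstrip("/") or "/"


def clause_fs(daemon, clause):
    """Name of the FS a clause is scoped to, or None for an unscoped clause.

    mon/mds clauses carry fsname=<fs>; osd clauses carry 'tag cephfs data=<fs>'.
    """
    tokens = clause.split()
    if daemon == "osd":
        if "tag" not in tokens or "cephfs" not in tokens:
            return None
        key = "data="
    else:
        key = "fsname="
    for tok in tokens:
        if tok.startswith(key):
            return tok[len(key):]
    return None


def clause_path(clause):
    """Normalized path=<dir> restriction of an mds clause, or None if unrestricted."""
    for tok in clause.split():
        if tok.startswith("path="):
            return normalize_path(tok[len("path="):])
    return None


def deauthorize(caps, fsname, path=None):
    """Return a new cap dict with access to `fsname` removed.

    Without `path`, every mon/mds/osd clause scoped to `fsname` is dropped.
    With `path`, only the mds clause for that path on `fsname` is dropped and
    everything else (including the other caps for `fsname`) is left as-is, which
    is the behaviour the ticket asks for. A daemon left with no clauses is omitted
    entirely rather than passed to `ceph auth caps` as an empty string.
    """
    wanted_path = normalize_path(path) if path is not None else None
    new_caps = {}
    for daemon, clauses in caps.items():
        kept = []
        for clause in clauses:
            if clause_fs(daemon, clause) != fsname:
                kept.append(clause)  # other FS or unscoped clause: always kept
            elif wanted_path is None:
                continue  # whole-FS removal: drop the clause
            elif daemon == "mds" and clause_path(clause) == wanted_path:
                continue  # path removal: drop only the matching mds clause
            else:
                kept.append(clause)
        if kept:
            new_caps[daemon] = kept
    return new_caps


def auth_caps_command(entity, caps):
    """Argument list for `ceph auth caps` that installs `caps` on `entity`."""
    argv = ["ceph", "auth", "caps", entity]
    for daemon in sorted(caps):
        argv += [daemon, ", ".join(caps[daemon])]
    return argv


if __name__ == "__main__":
    current = parse_caps(SAMPLE_KEYRING)
    print(shlex.join(auth_caps_command("client.x", deauthorize(current, "d"))))
    print(shlex.join(auth_caps_command("client.x", deauthorize(current, "d", "/dir1/dir2/"))))
```

Running the script prints the same `ceph auth caps client.x mds ... mon ... osd ...` command that appears in the ticket for removing FS "d"; the second line shows that the path variant changes nothing when no path-restricted mds clause for "d" exists, which is the "every other cap remains unaffected" rule stated above. Note that the command still replaces the whole cap set, so anything that races a manual edit of the keyring between the `auth get` and the `auth caps` is lost; a server-side `fs deauthorize` would avoid that window.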