Project

General

Profile

Actions
Copy link

Feature #56428

open

add command "fs deauthorize"

Added by Rishabh Dave almost 2 years ago. Updated 5 months ago.

Status:
New
Priority:
Normal
Assignee:
Rishabh Dave
Category:
-
Target version:
Ceph - v19.0.0
% Done:

0%

Source:
Tags:
Backport:
Reviewed:
Affected Versions:
Component(FS):
Labels (FS):
Pull request ID:

Description

Since entity auth keyrings can now hold auth caps for multiple Ceph FSs, it is very tedious and very error-prone to remove caps for a single FS from the keyring. Here's an example from vstart cluster I locally have -

build$ ./bin/ceph fs ls
name: a, metadata pool: cephfs.a.meta, data pools: [cephfs.a.data ]
name: b, metadata pool: cephfs.b.meta, data pools: [cephfs.b.data ]
name: c, metadata pool: cephfs.c.meta, data pools: [cephfs.c.data ]
name: d, metadata pool: cephfs.d.meta, data pools: [cephfs.d.data ]
build$ ./bin/ceph auth get client.x
[client.x]
        key = AQD8TMpgdaLvEBAAS1IDcMDvIGt1Yw2NYKtjeg==
        caps mds = "allow rw fsname=a, allow rw fsname=b, allow rw
fsname=c, allow rw fsname=d" 
        caps mon = "allow r fsname=a, allow r fsname=b, allow r
fsname=c, allow r fsname=d" 
        caps osd = "allow rw tag cephfs data=a, allow rw tag cephfs
data=b, allow rw tag cephfs data=c, allow rw tag cephfs data=d" 
exported keyring for client.x

The only current way to do it is to use ceph auth caps command and pass all the new caps -

build$ ./bin/ceph auth caps client.x mon "allow r fsname=a, allow r
fsname=b, allow r fsname=c" osd "allow rw tag cephfs data=a, allow rw
tag cephfs data=b, allow rw tag cephfs data=c" mds "allow rw fsname=a,
allow rw fsname=b, allow rw fsname=c" 
updated caps for client.x
build$ ./bin/ceph auth get client.x
[client.x]
        key = AQD8TMpgdaLvEBAAS1IDcMDvIGt1Yw2NYKtjeg==
        caps mds = "allow rw fsname=a, allow rw fsname=b, allow rw fsname=c" 
        caps mon = "allow r fsname=a, allow r fsname=b, allow r fsname=c" 
        caps osd = "allow rw tag cephfs data=a, allow rw tag cephfs
data=b, allow rw tag cephfs data=c" 
exported keyring for client.x

The other way of doing this is to copy the keyring to a file, modify that file and pass the file path to ceph auth import -i. But what would make it really short and straightforward, IMO, is something like following -

./bin/ceph fs deauthorize d client.x

It would have exactly the same effect as the ceph auth caps command above. I think it would also be a good idea to extend this command to take a path -

./bin/ceph fs deauthorize d client.x /dir1/dir2/

In this case, the command would remove only the caps for path /dir1/dir2 for FS "d" from the keyring for the entity "client.x". Every other cap for client.x (both for FS "d" and not for FS "d") would remain unaffected.

Related issues 1 (0 open1 closed)

Related to CephFS - Feature #47264: "fs authorize" subcommand should work for multiple FSs tooResolvedRishabh Dave

Actions
Actions
Copy link

Also available in: Atom PDF