Bug #57120

CEPH_KEYRING environment variable has weird functionality

Added by David Turner over 1 year ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
% Done: 0%
Regression: No
Severity: 4 - irritation

Description

If there is a CEPH_KEYRING environment variable, it is checked if it exists even if the CLI argument is provided. It does not seem to actually affect the behavior of the command other than a very disconcerting error message before the command responds properly. I've tested this on multiple versions of Ceph including Pacific and Quincy.

[1] Test with CEPH_KEYRING set to a non-existent file
[2] Test with CEPH_KEYRING set to an empty file (/dev/null)
[3] Test with CEPH_KEYRING set to a keyring without privileges to access auth while the CLI argument can
[4] Test with CEPH_KEYRING set to a keyring with privileges to access auth while the CLI argument cannot

As noted in all of those examples, the only one with any noticeable behavior out of the ordinary is when the environment variable is set to a non-existent file, but that indicates that the code path is happening to check for that file on every CLI command regardless of whether the CLI argument was provided.

[1]
$ ceph --keyring /etc/ceph/ceph.client.admin.keyring --name client.admin status
2022-08-12T15:55:25.853-0400 7f9d6efb1700 -1 auth: unable to find a keyring on /bad/file: (2) No such file or directory
2022-08-12T15:55:25.853-0400 7f9d6efb1700 -1 AuthRegistry(0x7f9d6805fa50) no keyring found at /bad/file, disabling cephx
cluster:
id: a2f67bf4-47f9-4e95-9c2a-55e0dbb652a7
health: HEALTH_OK

services:
mon: 3 daemons, quorum ceph4,ceph5,ceph6 (age 5w)
mgr: ceph4(active, since 5w), standbys: ceph5, ceph6
mds: 1/1 daemons up, 2 standby
osd: 12 osds: 12 up (since 5w), 12 in
data:
volumes: 1/1 healthy
pools: 7 pools, 481 pgs
objects: 5.01M objects, 18 TiB
usage: 28 TiB used, 17 TiB / 45 TiB avail
pgs: 481 active+clean
io:
client: 1022 B/s rd, 233 KiB/s wr, 0 op/s rd, 38 op/s wr

$ env | grep CEPH
CEPH_KEYRING=/bad/file

[2]
$ ceph --keyring /etc/ceph/ceph.client.admin.keyring --name client.admin status
cluster:
id: a2f67bf4-47f9-4e95-9c2a-55e0dbb652a7
health: HEALTH_OK

services:
mon: 3 daemons, quorum ceph4,ceph5,ceph6 (age 5w)
mgr: ceph4(active, since 5w), standbys: ceph5, ceph6
mds: 1/1 daemons up, 2 standby
osd: 12 osds: 12 up (since 5w), 12 in
data:
volumes: 1/1 healthy
pools: 7 pools, 481 pgs
objects: 5.01M objects, 18 TiB
usage: 28 TiB used, 17 TiB / 45 TiB avail
pgs: 481 active+clean
io:
client: 15 KiB/s rd, 254 KiB/s wr, 0 op/s rd, 16 op/s wr

$ env | grep CEPH
CEPH_KEYRING=/dev/null

[3]
$ ceph --keyring /etc/ceph/ceph.client.admin.keyring --name client.admin auth get client.readonly
[client.readonly]
key = AQ~~redacted~~rg==
caps mgr = "allow r"
caps mon = "allow r"
exported keyring for client.readonly

$ env | grep CEPH
CEPH_KEYRING=/etc/ceph/ceph.client.readonly.keyring

[4]
$ ceph --keyring /etc/ceph/ceph.client.readonly.keyring --name client.readonly auth get client.readonly
Error EACCES: access denied

$ env | grep CEPH
CEPH_USER=client.admin
CEPH_KEYRING=/etc/ceph/ceph.client.admin.keyring
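
Added example, not part of the original report and not Ceph's own code: a shell preflight that reports how CEPH_KEYRING relates to an explicit --keyring / -k argument, so an operator can see which of the four cases above a command falls into before running it. The function names, the state names and the `ceph_explicit` wrapper are hypothetical.

```shell
#!/bin/sh
# Added example (not Ceph code): report how CEPH_KEYRING relates to an
# explicit --keyring / -k argument before a ceph command is run.
# Prints one state: unset | env-only | env-only-missing | match |
#                   shadowed | shadowed-missing
keyring_preflight() {
    _cli=""
    while [ "$#" -gt 0 ]; do
        case "$1" in
            --keyring=*) _cli=${1#--keyring=} ;;
            --keyring|-k)
                if [ "$#" -ge 2 ]; then _cli=$2; shift; fi ;;
        esac
        shift
    done
    _env=${CEPH_KEYRING:-}
    if [ -z "$_env" ]; then
        echo unset
    elif [ -z "$_cli" ]; then
        # Only the environment names a keyring.
        if [ -e "$_env" ]; then echo env-only; else echo env-only-missing; fi
    elif [ "$_env" = "$_cli" ]; then
        echo match
    elif [ -e "$_env" ]; then
        echo shadowed            # cases [2]-[4] in the report
    else
        echo shadowed-missing    # case [1]: "unable to find a keyring" is logged
    fi
}

# Hypothetical wrapper: when a keyring is named on the command line, drop
# CEPH_KEYRING for that one call so only the explicit keyring is consulted.
ceph_explicit() {
    case "$(keyring_preflight "$@")" in
        shadowed|shadowed-missing)
            echo "ceph_explicit: ignoring CEPH_KEYRING=$CEPH_KEYRING" >&2
            ( unset CEPH_KEYRING; ceph "$@" ) ;;
        *) ceph "$@" ;;
    esac
}
```

The preflight only inspects paths and arguments; it does not read keyring contents or contact the cluster.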
