Ceph

I left out a line at the end of the error, the complete error is:

__main__ ERROR: Exception on /api/v0.1/mds [GET]
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1504, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1264, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1262, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1248, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/usr/lib/python2.7/dist-packages/ceph_rest_api.py", line 418, in handler
    helptext = show_human_help(prefix)
  File "/usr/lib/python2.7/dist-packages/ceph_rest_api.py", line 292, in show_human_help
    line.append(permmap[cmdsig['perm']])
KeyError: u'w'

By printing the other method keys, I can see that GET requests are "r" and PUT requests are "rw". There are no POST or DELETE calls.
So the KeyError is in fact about permmap, not cmdsig - and indeed, "w" is not currently mapped:
https://github.com/ceph/ceph/blob/master/src/pybind/ceph_rest_api.py#L277

Okay, I'm starting to understand how it works..

This is how the mapping is done between the API and the commands available:
https://github.com/ceph/ceph/blob/master/src/mon/MonCommands.h#L277-L285

allow_new_snaps commands are the only ones available with only the "w" permission. Is this intended ?

Ah, I did the allow_new_snaps command. I'm not very familiar with the REST api, but I think it needs to be able to handle something that requires the "w" bit without anything else. It wouldn't really hurt anything to make allow_new_snaps require "rw" in the short term, but we have capabilities instead of user levels and we want to keep them that way. ;)

There was previously no "w-only" permission supported, indeed. I'm not sure it makes sense even for allow new snaps...but it's easy enough to do.

Just noticed there is a rest-api category (I was searching for ceph-rest-api..). Could someone flag this properly ? I don't have permissions to edit.

Well, hang on a minute...the question is about the nature of the command, which is totally mds-specific, not rest-api, and the mds code is what changed to allow the new option; the rest-api part of this is certainly no mystery.

I haven't looked, but has anyone ever answered the question of whether 'w-only' permission even makes sense?

The immediate issue was resolved by switching it to rw (or so my code check and utter lack of memory tells me). But I stick by my statement that we have capabilities rather than user levels and want to keep it that way. :)

My guess is that this is not a high priority issue though.

I'm happy to redefine the permissions if and when that becomes an option/requirement, but until then, it seems like this is no longer a bug?