Cleanup #9106
closed
ceph-authtool: Modifying user without --gen-key overwrites the key
Description
If you are trying to modify a user's caps/permissions using ceph-authtool, and the user has an existing key, specifying a command such as:
sudo ceph-authtool -C /etc/ceph/ceph.keyring -n client.ringo --cap osd 'allow rwx' --cap mon 'allow rwx'
will overwrite the key. Specifying --gen-key resolves the matter, but does mean that the key has to be regenerated each time a user changes permissions with ceph-authtool. This isn't the case with ceph auth caps.
Updated by John Wilkins over 9 years ago
Wasn't able to reproduce this after retrying. Maybe just a usage issue.
Updated by Brad Hubbard almost 8 years ago
- Assignee set to Brad Hubbard
I can reproduce this, working on a fix.
Updated by Brad Hubbard almost 8 years ago
- Status changed from New to In Progress
I've submitted a PR which changes this behaviour so your command now errors.
https://github.com/ceph/ceph/pull/9704
$ ./ceph-authtool /tmp/keyring -C --name=mon.0 --cap mon 'allow *' --cap osd 'allow *'
must specify either gen-key or add-key when creating
If you specify gen-key or add-key, it will still overwrite the key, but that is expected as you have specified you want it to create the key.
To accomplish the addition or removal of caps, use a command like the following.
$ ./ceph-authtool /tmp/keyring --name=mon.0 --cap mon 'allow *' && cat /tmp/keyring
[mon.0]
key = AQDwimBXtCKWOhAAzSlY7lKxkSz7PeImQ8A5ow==
caps mon = "allow *"
$ ./ceph-authtool /tmp/keyring --name=mon.0 --cap mon 'allow *' --cap osd 'allow *' && cat /tmp/keyring
[mon.0]
key = AQDwimBXtCKWOhAAzSlY7lKxkSz7PeImQ8A5ow==
caps mon = "allow *"
caps osd = "allow *"
Updated by Brad Hubbard almost 8 years ago
- Status changed from In Progress to Resolved
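A guard for caps edits like the ones in this thread, as an added example that is not part of the original issue or of Ceph: it snapshots the keyring, runs the edit command, and restores the snapshot if the entity's key changed. The function names (keyring_key, key_preserved, safe_caps_edit), the stand-in clobber command and the key values are constructed for illustration; the keyring layout is assumed to be the "[entity]" / "key = ..." form shown above.

```shell
#!/bin/sh
# Added example: verify that a caps edit left an existing entity's key intact.

# Print the key stored for entity $2 in keyring file $1 (empty if absent).
keyring_key() {
    awk -v want="[$2]" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); in_sec = ($0 == want); next }
        in_sec && /^[ \t]*key[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# Succeed only if entity $3 has the same non-empty key in keyrings $1 and $2.
key_preserved() {
    before=$(keyring_key "$1" "$3")
    after=$(keyring_key "$2" "$3")
    [ -n "$before" ] && [ "$before" = "$after" ]
}

# Hypothetical wrapper: safe_caps_edit KEYRING ENTITY command [args...]
# Meant for entities that already have a key. The snapshot is created by
# mktemp and filled with plain cp, so it keeps mktemp's private file mode.
safe_caps_edit() {
    keyring=$1; entity=$2; shift 2
    backup=$(mktemp) || return 2
    cp "$keyring" "$backup" || return 2
    rc=0; "$@" || rc=$?
    if [ "$rc" -eq 0 ] && ! key_preserved "$backup" "$keyring" "$entity"; then
        cp "$backup" "$keyring"
        echo "key for $entity changed; keyring restored" >&2
        rc=3
    fi
    rm -f "$backup"
    return "$rc"
}

# Constructed demo: a stand-in command that rewrites the entry with a new key,
# which is the effect the issue describes.
demo=$(mktemp)
printf '[client.ringo]\n\tkey = CONSTRUCTED-KEY-A==\n' > "$demo"
clobber() { printf '[client.ringo]\n\tkey = CONSTRUCTED-KEY-B==\n' > "$demo"; }
safe_caps_edit "$demo" client.ringo clobber || echo "exit status $?"
keyring_key "$demo" client.ringo
rm -f "$demo"
```

In real use the command passed to safe_caps_edit would be the ceph-authtool invocation itself, with the same keyring path given as the first argument.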