Cleanup #9106
closed
ceph-authtool: Modifying user without --gen-key overwrites the key
Added by John Wilkins over 9 years ago.
Updated almost 8 years ago.
Description
If you are trying to modify a user's caps/permissions using ceph-authtool, and the user has an existing key, specifying a command such as:
sudo ceph-authtool -C /etc/ceph/ceph.keyring -n client.ringo --cap osd 'allow rwx' --cap mon 'allow rwx'
Will overwrite the key. Specifying --gen-key resolves the matter, but does mean that the key has to be regenerated each time a user changes permissions with ceph-authtool. This isn't the case with ceph auth caps.
Wasn't able to reproduce this after retrying. Maybe just a usage issue.
- Assignee set to Brad Hubbard
I can reproduce this, working on a fix.
- Status changed from New to In Progress
I've submitted a PR which changes this behaviour so your command now errors.
https://github.com/ceph/ceph/pull/9704
$ ./ceph-authtool /tmp/keyring -C --name=mon.0 --cap mon 'allow *' --cap osd 'allow *'
must specify either gen-key or add-key when creating
If you specify gen-key or add-key it will still overwrite the key but that is expected as you have specified you want it to create the key.
To accomplish the addition or removal of caps use a command like the following.
$ ./ceph-authtool /tmp/keyring --name=mon.0 --cap mon 'allow *' && cat /tmp/keyring
[mon.0]
key = AQDwimBXtCKWOhAAzSlY7lKxkSz7PeImQ8A5ow==
caps mon = "allow *"
$ ./ceph-authtool /tmp/keyring --name=mon.0 --cap mon 'allow *' --cap osd 'allow *' && cat /tmp/keyring
[mon.0]
key = AQDwimBXtCKWOhAAzSlY7lKxkSz7PeImQ8A5ow==
caps mon = "allow *"
caps osd = "allow *"
- Status changed from In Progress to Resolved
Also available in: Atom
PDF