Bug 1464955

Summary: [RFE] Simplified CephFS client key creation
Product: [Red Hat Storage] Red Hat Ceph Storage Reporter: John Spray <john.spray>
Component: CephFSAssignee: Patrick Donnelly <pdonnell>
Status: CLOSED ERRATA QA Contact: Ramakrishnan Periyasamy <rperiyas>
Severity: urgent Docs Contact: Bara Ancincova <bancinco>
Priority: urgent    
Version: 3.0CC: anharris, ceph-eng-bugs, dfuller, edonnell, hnallurv, icolle, john.spray, kdreyer, pdonnell
Target Milestone: rcKeywords: FutureFeature
Target Release: 3.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: RHEL: ceph-12.1.4-1.el7cp Ubuntu: ceph_12.1.4-2redhat1xenial Doc Type: Enhancement
Doc Text:
.Simplified creation of CephFS client keyring A new command, `ceph fs authorize`, is now supported. The command simplifies creation of `cephx` capabilities for a Ceph File System (CephFS) client user. For example, to grant the `client.1` user read and write access to MDS nodes and read access to Monitor and OSD nodes on a Ceph File System named `cephfs`: ---- # ceph fs authorize cephfs client.1 rw r ---- Use this command only when creating new users. It is not possible to modify existing users with `ceph fs authorize`.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2017-12-05 23:34:34 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1494421    

Description John Spray 2017-06-26 09:50:49 UTC 
Instead of user having to manually write out auth caps syntax, provide a command that allows them to grant access to a client ID by filesystem name.
Comment 5 Douglas Fuller 2017-08-02 15:44:31 UTC 
Upstream ticket: http://tracker.ceph.com/issues/20885
Comment 6 Ken Dreyer (Red Hat) 2017-08-07 17:31:17 UTC 
We need a new upstream point release since this PR landed after v12.1.2 was tagged.
Comment 10 Ramakrishnan Periyasamy 2017-09-20 20:52:43 UTC 
Moving this bug to verified state.

Command used for verification

[ubuntu@host028 ~]$ sudo ceph --cluster qetest fs authorize cephfs client.fs rw r
[client.fs]
	key = AQDO1MJZU4JtOBAAvBocj+CzsNDp3Cogk2FsMw==
Comment 11 Ramakrishnan Periyasamy 2017-09-20 20:58:26 UTC 
The caps created by the command

[ubuntu@host028 ~]$ sudo ceph --cluster qetest fs authorize cephfs client.fs rw r
[client.fs]
	key = AQDO1MJZU4JtOBAAvBocj+CzsNDp3Cogk2FsMw==

[ubuntu@host028 ~]$ sudo ceph --cluster qetest auth get client.fs
exported keyring for client.fs
[client.fs]
	key = AQDO1MJZU4JtOBAAvBocj+CzsNDp3Cogk2FsMw==
	caps mds = "allow r path=rw"
	caps mon = "allow r"
	caps osd = "allow r pool=cephfs_data"

Command: ceph fs authorize <fs_name> <entity> <caps>
Comment 17 errata-xmlrpc 2017-12-05 23:34:34 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:3387