Bug 1543879

Summary: ceph_volume_client: sets invalid caps for existing ceph auth IDs with no MDS or OSD caps
Product: [Red Hat Storage] Red Hat Ceph Storage
Component: CephFS
Version: 3.0
Reporter: Ram Raja <rraja>
Assignee: Ram Raja <rraja>
QA Contact: ceph-qe-bugs <ceph-qe-bugs>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
CC: bniver, ceph-eng-bugs, ceph-qe-bugs, dschoenb, dsorrent, gmeno, john.spray, kdreyer, pdonnell, rperiyas, rraja, tbarron, uboppana
Target Milestone: z2
Target Release: 3.0
Keywords: Triaged, ZStream
Hardware: Unspecified
OS: Unspecified
Fixed In Version: RHEL: ceph-12.2.4-1.el7cp Ubuntu: ceph_12.2.4-2redhat1
Doc Type: If docs needed, set a value
Clone Of: 1493597
Last Closed: 2018-04-26 17:38:39 UTC
Type: Bug
Bug Depends On: 1548067

Description Ram Raja 2018-02-09 13:15:21 UTC
Manila's cephfs native driver uses this client library. Users of the driver will get back auth IDs with invalid caps, for auth IDs that weren't created by the driver and had no MDS or OSD caps.

Steps to reproduce:

1. Create a ceph auth ID with no caps.
$ sudo ceph auth get-or-create client.test2

2. Create a ceph client auth ID 'manila' with r/w access to the entire CephFS. It will be used by the ceph volume client.
$ sudo ceph auth get-or-create client.manila mon "allow *" osd "allow rw" mds "allow *" -o /etc/ceph/ceph.client.manila.keyring

3. Allow ceph volume client to authorize ID 'client.test2' to access a volume (a CephFS subdir). Do this in the Python interpreter.

>>> import ceph_volume_client
>>> vc = ceph_volume_client.CephFSVolumeClient("manila", "/etc/ceph/ceph.conf", "ceph")
>>> vc.connect()
>>> vp = ceph_volume_client.VolumePath('group1', 'share1')
>>> vc.create_volume(vp, size=5)
>>> vc.authorize(vp, 'test2')
>>> vc.disconnect()

4. Now check out the caps of 'client.test2'. It's got invalid OSD and MDS caps: a ',' is at the beginning of the caps.
$ sudo ceph auth get client.test2
[client.test2]
key = AQD4CsVZCpBBORAAtqL6wndnhTbip9xf0NQeeQ==
caps mds = ",allow rw path=/volumes/group1/share1"
caps mon = "allow r"
caps osd = ",allow rw pool=cephfs_data namespace=fsvolumens_share1"
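
An added example, not part of the bug report or the Ceph code base: a Python check that scans `ceph auth get` style output for cap strings containing an empty clause (the leading ',' shown above), with a hypothetical `naive_merge`/`safe_merge` pair showing one way such a string can arise when a cap is appended to an empty existing value. The function names, the sample text and the merge mechanism are assumptions made for illustration; clauses are assumed to be comma-separated with no quoted commas.

```python
import re

# Constructed sample modelled on the `ceph auth get` output in the report;
# the key is replaced by a placeholder.
SAMPLE = '''\
[client.test2]
key = <placeholder>
caps mds = ",allow rw path=/volumes/group1/share1"
caps mon = "allow r"
caps osd = ",allow rw pool=cephfs_data namespace=fsvolumens_share1"
'''

CAP_LINE = re.compile(r'^\s*caps\s+(\w+)\s*=\s*"(.*)"\s*$')
ENTITY_LINE = re.compile(r'^\[(.+)\]\s*$')


def naive_merge(existing, want):
    """Hypothetical merge that reproduces the symptom: ''.split(',') == ['']."""
    clauses = [c.strip() for c in existing.split(",")]
    if want not in clauses:
        clauses.append(want)
    return ",".join(clauses)


def safe_merge(existing, want):
    """Same merge, but empty clauses are dropped before joining."""
    clauses = [c.strip() for c in existing.split(",") if c.strip()]
    if want not in clauses:
        clauses.append(want)
    return ",".join(clauses)


def find_malformed_caps(auth_text):
    """Return (entity, service, cap) for every cap string with an empty clause."""
    findings, entity = [], None
    for line in auth_text.splitlines():
        m = ENTITY_LINE.match(line)
        if m:
            entity = m.group(1)
            continue
        m = CAP_LINE.match(line)
        if m and any(not c.strip() for c in m.group(2).split(",")):
            findings.append((entity, m.group(1), m.group(2)))
    return findings


if __name__ == "__main__":
    for entity, service, cap in find_malformed_caps(SAMPLE):
        print(f"{entity}: malformed {service} cap: {cap!r}")
```
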

Comment 3 Ram Raja 2018-02-09 13:19:44 UTC
The fix is in upstream v12.2.2
https://github.com/ceph/ceph/commit/c5ccbf1108532547f54f084b8f06c7f5ddf8a4e8

Comment 6 Ram Raja 2018-02-09 13:32:15 UTC
In https://bugzilla.redhat.com/show_bug.cgi?id=1543879#c0

> Manila's cephfs native driver uses this client library

Meant to say 'ceph_volume_client' library

Comment 15 Ramakrishnan Periyasamy 2018-03-19 10:50:53 UTC
provided qa_ack, clearing needinfo flag.

Comment 21 errata-xmlrpc 2018-04-26 17:38:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1259