Bug 1672878

Summary: [Ceph-Ansible][ceph-containers] Missing permission for MDS in client.admin
Product: [Red Hat Storage] Red Hat Ceph Storage Reporter: Persona non grata <nobody+410372>
Component: Ceph-AnsibleAssignee: Dimitri Savineau <dsavinea>
Status: CLOSED ERRATA QA Contact: Vasishta <vashastr>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.2CC: agunn, anharris, aschoen, ceph-eng-bugs, ceph-qe-bugs, dsavinea, gabrioux, gmeno, kdreyer, nthomas, sankarshan, tchandra, tserlin
Target Milestone: z2Keywords: Automation
Target Release: 3.2   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: rhceph:ceph-3.2-rhel-7-containers-candidate-10451-20190423185135 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-04-30 15:56:46 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Persona non grata 2019-02-06 05:44:03 UTC 
Description of problem:
Command 'ceph tell mds.0 session ls' is failing with permission error due to missing permission for MDS in client.admin

[root@ceph-cephfs-1549351399814-node1-monmgrinstaller ceph]# ceph tell mds.0 session ls
2019-02-06 00:33:01.644120 7faad5ffb700  0 client.64221 ms_handle_reset on 172.16.115.137:6800/263978892
Error EPERM: problem getting command descriptions from mds.0

---------------------
client.admin's keyring looks like this:
[client.admin]
	key = AQDSQVlclkwsORAAMWQgP/c4EXo0N1bYjbS4aQ==
	auid = 0
	caps mds = "allow"
	caps mgr = "allow *"
	caps mon = "allow *"
	caps osd = "allow *"


Version-Release number of selected component (if applicable):

ceph-ansible-3.2.5-1.el7cp.noarch

How reproducible:

Always

Steps to Reproduce:
1. Setup a ceph cluster on containers, try to run command 'ceph tell mds.0 session ls'


Actual results:
[root@ceph-cephfs-1549351399814-node1-monmgrinstaller ceph]# ceph tell mds.0 session ls
2019-02-06 00:33:01.644120 7faad5ffb700  0 client.64221 ms_handle_reset on 172.16.115.137:6800/263978892

Expected results:

Should output clients session info

Additional info:
Command like 'ceph tell osd.0 injectargs --debug-osd 20 --debug-ms 1' works without any problems since it has "allow *" permission
Comment 6 Vasishta 2019-04-21 12:49:31 UTC 
using - ceph-ansible-3.2.13-1.el7cp.noarch

$ sudo docker exec ceph-mon-magna094 ceph auth get client.admin
exported keyring for client.admin
[client.admin]
	key = AQCw3LZce22SJRAA+ZJJcVesNlhocQ0crHyI8g==
	auid = 0
	caps mds = "allow"
	caps mgr = "allow *"
	caps mon = "allow *"
	caps osd = "allow *"


Checked stable-3.2 branch, I think fix is not backported o 3.2.
Moving back to ASSIGNED state.


Regards,
Vasishta Shastry
QE, Ceph
Comment 12 Vasishta 2019-04-24 06:52:07 UTC 
Working fine with ceph-3.2-rhel-7-containers-candidate-24188-20190423220645
Moving to VERIFIED state.
Comment 14 errata-xmlrpc 2019-04-30 15:56:46 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:0911