Bug 1996833

Summary: ceph-external-cluster-details-exporter.py should have a read-only mode
Product: [Red Hat Storage] Red Hat OpenShift Data Foundation
Reporter: Lars Kellogg-Stedman <lars>
Component: rook
Assignee: Subham Rai <srai>
Status: CLOSED ERRATA
QA Contact: Vijay Avuthu <vavuthu>
Severity: unspecified
Priority: unspecified
Version: 4.8
CC: madam, muagarwa, nberry, ocs-bugs, odf-bz-bot, pbalogh, shan, tnielsen
Target Release: ODF 4.10.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: 4.10.0-113
Doc Type: No Doc Update
Last Closed: 2022-04-13 18:49:40 UTC
Type: Bug

Description Lars Kellogg-Stedman 2021-08-23 18:59:12 UTC
In an environment in which an external Ceph cluster is maintained by someone other than the group maintaining the OpenShift cluster, they may be leery about allowing a random Python script to make changes to their Ceph environment.

The `ceph-external-cluster-details-exporter.py` script should have a read-only mode in which it will only collect the information necessary to create the JSON configuration blob. It should error out with appropriate messages if the administrator needs to create specific authentication principals or other resources.

Ultimately, it should be possible to configure OCS external mode without running the script at all (e.g., by entering configuration values into an appropriate form), for situations in which storage administrators are simply unwilling to run any sort of script in their environment.

Comment 2 Mudit Agarwal 2021-08-24 07:38:06 UTC
AFAIK, this script is owned by rook. Please change the component if that is not correct.

Comment 3 Subham Rai 2021-12-17 11:30:58 UTC
(In reply to Lars Kellogg-Stedman from comment #0)
> In an environment in which an external Ceph cluster is maintained by someone
> other than the group maintaining the OpenShift cluster, they may be leery about
> allowing a random Python script to make changes to their Ceph environment.
> 
> The `ceph-external-cluster-details-exporter.py` script should have a
> read-only mode in which it will only collect the information necessary to
> create the JSON configuration blob. It should error out with appropriate
> messages if the administrator needs to create specific authentication
> principals or other resources.
> 
> Ultimately, it should be possible to configure OCS external mode without
> running the script at all (e.g., by entering configuration values into an
> appropriate form), for situations in which storage administrators are simply
> unwilling to run any sort of script in their environment.

The fix is merged, and instead of `read-only` we have come up with `dry-run`, as it makes the script more idempotent.

Comment 11 Vijay Avuthu 2022-03-29 05:27:59 UTC
Job: https://ocs4-jenkins-csb-odf-qe.apps.ocp-c1.prod.psi.redhat.com/job/qe-deploy-ocs-cluster/11205/consoleFull

verified dry-run option

# python /tmp/external-cluster-details-exporter-aluszk5x.py --rbd-data-pool-name rbd --rgw-endpoint <endpoint_ip>:8080 --dry-run
Execute: 'ceph fs ls'
Execute: 'ceph fsid'
Execute: 'ceph quorum_status'
Execute: 'ceph auth get-or-create client.healthchecker mon allow r, allow command quorum_status, allow command version mgr allow command config osd allow rwx pool=default.rgw.meta, allow r pool=.rgw.root, allow rw pool=default.rgw.control, allow rx pool=default.rgw.log, allow x pool=default.rgw.buckets.index'
Execute: 'ceph mgr services'
Execute: 'ceph auth get-or-create client.csi-rbd-node mon profile rbd, allow command 'osd blocklist' osd profile rbd'
Execute: 'ceph auth get-or-create client.csi-rbd-provisioner mgr allow rw mon profile rbd, allow command 'osd blocklist' osd profile rbd'
Execute: 'ceph status'
Execute: 'ceph radosgw-admin user create --uid rgw-admin-ops-user --display-name Rook RGW Admin Ops user --caps buckets=*;users=*;usage=read;metadata=read;zone=read'

# python /tmp/external-cluster-details-exporter-aluszk5x.py -h | grep -i dry
                                                     [--dry-run]
  --dry-run             Dry run prints the executed commands without running


# python /tmp/external-cluster-details-exporter-aluszk5x.py --rbd-data-pool-name rbd  --dry-run
Execute: 'ceph fs ls'
Execute: 'ceph fsid'
Execute: 'ceph quorum_status'
Execute: 'ceph auth get-or-create client.healthchecker mon allow r, allow command quorum_status, allow command version mgr allow command config osd allow rwx pool=default.rgw.meta, allow r pool=.rgw.root, allow rw pool=default.rgw.control, allow rx pool=default.rgw.log, allow x pool=default.rgw.buckets.index'
Execute: 'ceph mgr services'
Execute: 'ceph auth get-or-create client.csi-rbd-node mon profile rbd, allow command 'osd blocklist' osd profile rbd'
Execute: 'ceph auth get-or-create client.csi-rbd-provisioner mgr allow rw mon profile rbd, allow command 'osd blocklist' osd profile rbd'
Execute: 'ceph status'

Changing status to Verified
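
Added example, not part of the bug report or of the Rook script: a small Python helper a storage administrator could run over the `--dry-run` output shown above to separate commands that only read cluster state from those that would create identities on the Ceph side. The read-only list and the sample lines are taken from the output in comment 11; the function names are illustrative, and anything not on the list is reported as unknown so it gets a manual look.

```python
import re

# Subcommands that only read cluster state (the ones seen in the dry-run output).
READ_ONLY = ("ceph fs ls", "ceph fsid", "ceph quorum_status",
             "ceph mgr services", "ceph status")
# Prefixes that create or modify an identity on the Ceph side.
MUTATING = ("ceph auth get-or-create ", "ceph radosgw-admin user create ")

LINE_RE = re.compile(r"^Execute: '(.*)'$")  # greedy: keeps inner quotes intact


def classify(dry_run_output):
    """Split dry-run lines into read-only, mutating and unrecognised commands."""
    result = {"read_only": [], "mutating": [], "unknown": []}
    for line in dry_run_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a command line (prompt, blank line, help text)
        cmd = m.group(1)
        if cmd in READ_ONLY:
            result["read_only"].append(cmd)
        elif cmd.startswith(MUTATING):
            result["mutating"].append(cmd)
        else:
            # Fail closed: anything not on the allow-list needs a human look.
            result["unknown"].append(cmd)
    return result


def auth_entities(commands):
    """Names of the cephx entities that 'auth get-or-create' would touch."""
    prefix = "ceph auth get-or-create "
    return [c[len(prefix):].split()[0] for c in commands if c.startswith(prefix)]


# Lines copied from the dry-run output in comment 11.
SAMPLE = """\
Execute: 'ceph fs ls'
Execute: 'ceph fsid'
Execute: 'ceph auth get-or-create client.csi-rbd-node mon profile rbd, allow command 'osd blocklist' osd profile rbd'
Execute: 'ceph status'
Execute: 'ceph radosgw-admin user create --uid rgw-admin-ops-user --display-name Rook RGW Admin Ops user --caps buckets=*;users=*;usage=read;metadata=read;zone=read'
"""

if __name__ == "__main__":
    report = classify(SAMPLE)
    for kind, cmds in report.items():
        print(f"{kind}: {len(cmds)}")
    print("cephx entities:", auth_entities(report["mutating"]))
```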

Comment 13 errata-xmlrpc 2022-04-13 18:49:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Red Hat OpenShift Data Foundation 4.10.0 enhancement, security & bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:1372