Bug 2072340

Summary: RFE: Rook should use a client.rook key, not client.admin
Product: [Red Hat Storage] Red Hat OpenShift Data Foundation
Reporter: Greg Farnum <gfarnum>
Component: rook
Assignee: Subham Rai <srai>
Status: CLOSED WONTFIX
QA Contact: Neha Berry <nberry>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 4.9
CC: madam, mmuench, muagarwa, ocs-bugs, odf-bz-bot, srai, tnielsen
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-12-13 17:50:50 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Greg Farnum 2022-04-06 04:21:56 UTC
Right now, Rook uses the default client.admin key to perform its actions.

This makes tracking Rook's actions inside a Ceph cluster difficult, since all commands issued could come from Rook, or a cluster administrator, or whatever. (See e.g. https://bugzilla.redhat.com/show_bug.cgi?id=2071783)

Instead, Rook should generate a client.rook CephX identity (with admin permissions, presumably) and use that to perform cluster actions. This will make reading the audit/mon/mgr logs and diagnosing behaviors and sources of input much easier. Improving supportability and log clarity is great!

Comment 3 Travis Nielsen 2022-04-06 17:50:53 UTC
Great idea for improving the troubleshooting.

Comment 4 Travis Nielsen 2022-04-12 15:21:58 UTC
Let's discuss...

Comment 5 Travis Nielsen 2022-04-26 21:12:40 UTC
More details added to the upstream issue: https://github.com/rook/rook/issues/10169

Comment 6 Travis Nielsen 2022-05-09 15:10:50 UTC
Planning on it for 4.12

Comment 7 Mudit Agarwal 2022-06-02 11:40:26 UTC
Subham, can you please QE impact for this fix. Also, what they need to test.

Comment 8 Subham Rai 2022-06-02 12:23:41 UTC
(In reply to Mudit Agarwal from comment #7)
> Subham, can you please QE impact for this fix. Also, what they need to test.

Regarding testing, it is early to say, since we need to think about upgrade scenarios and also need to make the PR work for the upgrade first.
But for a new cluster, we just need to check in the logs of the Ceph pods (osd, mon, mgr) that the user running the Ceph command is `client.rookoperator` and not `client.admin`.

I'll update here about QE testing more once we have progress.
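The description and comment 8 ask for the same thing from the logs: separating commands issued by Rook from commands issued by an administrator once Rook runs under its own CephX entity. The script below is an added example, not code from this bug, from Rook or from Ceph. The log lines are constructed samples laid out like the Ceph mon audit log (`from=`, `entity=`, `cmd=[...]`, `dispatch`/`finished`); the entity name `client.rook` is taken from the bug summary (comment 8 uses `client.rookoperator`), and the pod addresses are assumptions.

```python
"""Tally Ceph mon audit-log commands by CephX entity and source address.

Added example for this RFE: once Rook uses its own key, every command the
operator issues carries that entity in the mon audit log, and anything still
arriving as client.admin from the operator pod is easy to spot.
"""
import re
from collections import Counter

# Field layout follows the Ceph mon audit log, e.g.
#   ... : audit [INF] from='client.? 10.0.0.5:0/3412' entity='client.admin' cmd=[{"prefix": "status"}]: dispatch
# "finished" lines wrap the cmd array in single quotes, hence the optional quotes.
AUDIT_RE = re.compile(
    r"audit \[\w+\] from='(?P<src>[^']*)' entity='(?P<entity>[^']*)' "
    r"cmd='?\[\{\"prefix\": \"(?P<prefix>[^\"]*)\"[^\]]*\]'?: (?P<stage>dispatch|finished)"
)

# Constructed sample (not captured from a real cluster): the operator pod at
# 10.0.0.5 issues one command still as client.admin and one as client.rook,
# a human administrator at 10.0.0.9 runs "status", and a mgr queries pool stats.
SAMPLE_LOG = """\
2022-04-06T04:21:56.101+0000 mon.a (mon.0) 101 : audit [INF] from='client.? 10.0.0.5:0/3412' entity='client.admin' cmd=[{"prefix": "osd pool create", "pool": "replicapool"}]: dispatch
2022-04-06T04:21:56.204+0000 mon.a (mon.0) 102 : audit [INF] from='client.? 10.0.0.5:0/3412' entity='client.admin' cmd='[{"prefix": "osd pool create", "pool": "replicapool"}]': finished
2022-04-06T04:22:01.310+0000 mon.a (mon.0) 103 : audit [DBG] from='client.? 10.0.0.9:0/9981' entity='client.admin' cmd=[{"prefix": "status"}]: dispatch
2022-04-06T04:23:10.550+0000 mon.a (mon.0) 104 : audit [INF] from='client.? 10.0.0.5:0/3412' entity='client.rook' cmd=[{"prefix": "osd crush rule create-replicated", "name": "replicapool"}]: dispatch
2022-04-06T04:23:10.600+0000 mon.a (mon.0) 105 : audit [DBG] from='mgr.x 10.0.0.7:0/1' entity='mgr.x' cmd=[{"prefix": "osd pool stats"}]: dispatch
"""


def _source_ip(src):
    """'client.? 10.0.0.5:0/3412' -> '10.0.0.5' (a bracketed IPv6 keeps its brackets)."""
    return src.split()[-1].rsplit(":", 1)[0]


def parse_audit(text):
    """Yield (source_ip, entity, command_prefix) for each dispatched command.

    "finished" lines repeat the same command, so they are skipped to count
    every command exactly once.
    """
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if m is None or m.group("stage") != "dispatch":
            continue
        yield _source_ip(m.group("src")), m.group("entity"), m.group("prefix")


def commands_by_entity(text):
    """Counter of dispatched commands keyed by CephX entity."""
    return Counter(entity for _, entity, _ in parse_audit(text))


def entities_from(text, ip):
    """Sorted set of entities that issued commands from a given source address."""
    return sorted({entity for src, entity, _ in parse_audit(text) if src == ip})


def admin_commands_from(text, ip):
    """Command prefixes still dispatched as client.admin from a given address.

    With the RFE in place this list should be empty for the operator pod's
    address; anything left is an action Rook has not yet moved to its own key.
    """
    return [prefix for src, entity, prefix in parse_audit(text)
            if entity == "client.admin" and src == ip]


if __name__ == "__main__":
    for entity, count in commands_by_entity(SAMPLE_LOG).most_common():
        print(f"{entity:14} {count}")
    print("entities seen from operator pod:", entities_from(SAMPLE_LOG, "10.0.0.5"))
    print("admin commands still from operator pod:",
          admin_commands_from(SAMPLE_LOG, "10.0.0.5"))
```

Run against the mon audit log of a real cluster (the `from=` address of the operator pod replaces the constructed `10.0.0.5`), the `admin_commands_from` result is the concrete version of the check in comment 8: before the change it lists everything Rook did, afterwards it should be empty while `entities_from` shows only the operator's own entity.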

Comment 9 Mudit Agarwal 2022-06-02 12:42:20 UTC
Then we should not introduce it in 4.11, given that we are already past FF.
Travis, WDYT?

Comment 10 Subham Rai 2022-06-02 12:51:49 UTC
(In reply to Mudit Agarwal from comment #9)
> Then we should not introduce it in 4.11, given that we are already past FF.
> Travis, WDYT?

Mudit, I think Travis already moved it to 4.12. See https://bugzilla.redhat.com/show_bug.cgi?id=2072340#c6

Comment 11 Travis Nielsen 2022-12-13 17:50:50 UTC
Much effort went into https://github.com/rook/rook/pull/10190 to attempt to get this working for the operator and toolbox to have a different user context than just using the client.admin. Even after much effort, there are still issues getting it to work, particularly around upgraded clusters. Given other priorities I'm closing this for now. We can readdress if it becomes a priority.