Bug 2246484

Summary: [External] : client.healthchecker osd permissions are changed in build 156 as compared to build 147
Product: [Red Hat Storage] Red Hat OpenShift Data Foundation
Reporter: Joy John Pinto <jopinto>
Component: rook
Assignee: Subham Rai <srai>
Status: CLOSED NOTABUG
QA Contact: Neha Berry <nberry>
Severity: high
Priority: unspecified
Version: 4.14
CC: odf-bz-bot, srai, tnielsen
Last Closed: 2023-11-27 08:59:15 UTC
Type: Bug

Description Joy John Pinto 2023-10-27 06:15:40 UTC
Description of problem (please be detailed as possible and provide log
snippets):

[External] : client.healthchecker osd permissions are changed in build 156 as compared to build 147


Version of all relevant components (if applicable):
OCP 4.14.0-0.nightly-2023-10-26-172837
ODF 4.14.0-156


Does this issue impact your ability to continue to work with the product
(please explain in detail what is the user impact)?
NA

Is there any workaround available to the best of your knowledge?
NA

Rate from 1 - 5 the complexity of the scenario you performed that caused this
bug (1 - very simple, 5 - very complex)?
1

Is this issue reproducible?
Yes

Can this issue reproduce from the UI?
NA

If this is a regression, please provide more details to justify this:
client.healthchecker permission was changed from ODF 4.14.0 build 147 to build 156 

Steps to Reproduce:
1. Install OCP and ODF cluster in external mode
2. Connect to ceph tools pod and run 'ceph auth ls' command
3. Verify the output for client.healthchecker 


Actual results:
Build 156; ceph auth ls output

client.healthchecker
        key: AQCUcmNk/N2GDxAA6KMjeCBMNxFMtzxOUiMwOQ==
        caps: [mgr] allow command config
        caps: [mon] allow r, allow command quorum_status, allow command version
        caps: [osd] allow rwx pool=default.rgw.meta, allow r pool=.rgw.root, allow rw pool=default.rgw.control, allow rx pool=default.rgw.log, allow x pool=default.rgw.buckets.index

Expected results:

build 147 ceph auth ls output
client.healthchecker
        key: AQANpTplz6DoABAAzXAKtbvnKR2YTDPp2gBo4Q==
        caps: [mgr] allow command config
        caps: [mon] allow r, allow command quorum_status, allow command version
        caps: [osd] profile rbd-read-only, allow rwx pool=default.rgw.meta, allow r pool=.rgw.root, allow rw pool=default.rgw.control, allow rx pool=default.rgw.log, allow x pool=default.rgw.buckets.index


Additional info:

This behaviour was noticed upon verifying bug https://bugzilla.redhat.com/show_bug.cgi?id=2239802
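
Added example (not part of the original bug report or of Rook's code): a small Python check that parses plain `ceph auth ls` output and reports which grants differ for one entity, run here on the two client.healthchecker outputs above. The key is replaced by a placeholder, and the names parse_auth_ls and caps_drift are hypothetical.

```python
import re

# Caps lines copied from the build 147 output above; the key is a placeholder.
BUILD_147 = """\
client.healthchecker
        key: <redacted>
        caps: [mgr] allow command config
        caps: [mon] allow r, allow command quorum_status, allow command version
        caps: [osd] profile rbd-read-only, allow rwx pool=default.rgw.meta, allow r pool=.rgw.root, allow rw pool=default.rgw.control, allow rx pool=default.rgw.log, allow x pool=default.rgw.buckets.index
"""
# The build 156 output above differs only by the missing rbd-read-only profile.
BUILD_156 = BUILD_147.replace("profile rbd-read-only, ", "")

CAPS_LINE = re.compile(r"^\s+caps:\s+\[(\w+)\]\s+(.*)$")


def parse_auth_ls(text):
    """Return {entity: {service: set(grants)}} from plain `ceph auth ls` output."""
    entities, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line starts a new entity
            current = entities.setdefault(line.strip(), {})
            continue
        m = CAPS_LINE.match(line)
        if m and current is not None:      # grants are separated by ',' or ';'
            grants = {g.strip() for g in re.split(r"[,;]", m.group(2)) if g.strip()}
            current.setdefault(m.group(1), set()).update(grants)
    return entities


def caps_drift(expected, actual, entity):
    """Per service, list grants missing from or added to `actual` for one entity."""
    exp, act = parse_auth_ls(expected).get(entity), parse_auth_ls(actual).get(entity)
    if exp is None or act is None:
        raise KeyError(f"{entity} not present in both outputs")
    drift = {}
    for svc in sorted(set(exp) | set(act)):
        missing = sorted(exp.get(svc, set()) - act.get(svc, set()))
        added = sorted(act.get(svc, set()) - exp.get(svc, set()))
        if missing or added:
            drift[svc] = {"missing": missing, "added": added}
    return drift


if __name__ == "__main__":
    for svc, d in caps_drift(BUILD_147, BUILD_156, "client.healthchecker").items():
        print(f"[{svc}] missing={d['missing']} added={d['added']}")
```

Comparing grants as sets per service keeps reordering from showing up as drift, so only a real change in privileges is reported.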

Comment 2 Subham Rai 2023-10-27 09:08:02 UTC
In the script case, the right permission is present https://github.com/red-hat-storage/rook/blob/release-4.14/deploy/examples/create-external-cluster-resources.py#L973 in the 4.14 branch. And the differences between builds 147 and 156 do not touch the Python file https://github.com/red-hat-storage/rook/commits/release-4.14 (fe613c584ed7b69b65399af057e179190d8d2594 is the commit id for build 147 and 17590995fc68e66fd3e89380be551c129ea8c698 is the commit id for 156).

Can you share what Python script is used to create the external cluster between the two builds?

Comment 3 Subham Rai 2023-10-30 06:18:42 UTC
Between the two builds, I learned from Joy Pinto that the version of RHCS had been changed from 5.2 to 6.1 between builds 147 and 156. @tnielsen do you think that will impact the osd permission mentioned in the python script?

Comment 4 Travis Nielsen 2023-10-30 21:16:06 UTC
I don't see what would change between RHCS versions. The caps requested by the external script are defined in Rook here, so I would also expect it to be consistent:

https://github.com/red-hat-storage/rook/blob/release-4.14/deploy/examples/create-external-cluster-resources.py#L973

Does this repro consistently?

Comment 5 Joy John Pinto 2023-10-31 16:16:42 UTC
Tried reproducing the issue with latest build (ODF build 157)

RHCS 5.2 + ODF build 157 -> Issue still persists
RHCS 6.1 + ODF build 157 -> Issue is not seen (caps: [osd] profile rbd-read-only, allow rwx pool=default.rgw.meta, allow r pool=.rgw.root, allow rw pool=default.rgw.control, allow rx pool=default.rgw.log, allow x pool=default.rgw.buckets.index).

Looks like the issue is seen only with an RHCS 5.2 cluster. Also, the support matrix states RHCS 6.1 and above is supported (https://url.corp.redhat.com/189ba44)

Comment 9 Subham Rai 2023-11-15 04:36:09 UTC
Any update on this?

Comment 11 Joy John Pinto 2024-02-09 05:07:35 UTC
Removing the needinfo flag, as this bug was not reproducible with later builds and it's in closed state