Bug 2299930

Summary: Caps Only Honor First Permission, Ignoring Subsequent Permissions
Product: [Red Hat Storage] Red Hat Ceph Storage
Reporter: Amarnath <amk>
Component: CephFS
Assignee: Kotresh HR <khiremat>
Status: CLOSED ERRATA
QA Contact: Amarnath <amk>
Severity: urgent
Docs Contact:
Priority: unspecified
Version: 7.1
CC: ceph-eng-bugs, cephqe-warriors, khiremat, ngangadh, pdonnell, rpollack, vshankar
Target Milestone: ---
Keywords: Automation, Regression
Target Release: 7.1z1
Flags: khiremat: needinfo-
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ceph-18.2.1-229
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
: 2302045
Environment:
Last Closed: 2024-08-07 11:20:34 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2302045, 2307931

Description Amarnath 2024-07-25 18:16:22 UTC
Description of problem:
We are experiencing an issue where the specified caps intended to provide read access to the entire filesystem and write access to a specific directory are not being fully honored. The current caps configuration is:

caps mds = "allow r fsname=cephfs, allow rw fsname=cephfs path=/dir2"

The issue is that the caps are only being applied up to the first comma, causing subsequent permissions to be ignored.

This was passing in older builds.
Steps:
1. Created 3 clients.
2. client1 --> complete access, client2 --> only read, client3 --> only read for filesystem and read write for /dir2
3. Mounted with each client and tried creating the files


[root@ceph-amk-verify-y5cb3c-node7 ~]# mkdir -p /mnt/cephfs_fuse_vv0r1_name1/
[root@ceph-amk-verify-y5cb3c-node7 ~]# mkdir -p /mnt/cephfs_fuse_vv0r1_name2/
[root@ceph-amk-verify-y5cb3c-node7 ~]# mkdir -p /mnt/cephfs_fuse_vv0r1_name3/
[root@ceph-amk-verify-y5cb3c-node7 ~]#  ceph fs authorize cephfs client.name1 / rw /dir1 rw /dir2 r -o /etc/ceph/ceph.client.name1.keyring
[root@ceph-amk-verify-y5cb3c-node7 ~]# ceph fs authorize cephfs client.name2 / r /dir1 r -o /etc/ceph/ceph.client.name2.keyring
[root@ceph-amk-verify-y5cb3c-node7 ~]# ceph fs authorize cephfs client.name3 / r /dir2 rw -o /etc/ceph/ceph.client.name3.keyring

[root@ceph-amk-verify-y5cb3c-node7 ~]# ceph auth get client.name1
[client.name1]
	key = AQA+kKJm66vnAhAAJ6o+78XB9JtUs8Q8w7LK8Q==
	caps mds = "allow rw fsname=cephfs, allow rw fsname=cephfs path=/dir1, allow r fsname=cephfs path=/dir2"
	caps mon = "allow r fsname=cephfs"
	caps osd = "allow rw tag cephfs data=cephfs"
[root@ceph-amk-verify-y5cb3c-node7 ~]# ceph auth get client.name2
[client.name2]
	key = AQBLkKJmTZgbExAAyD7Me4l4UdxTpxGguMQJXQ==
	caps mds = "allow r fsname=cephfs, allow r fsname=cephfs path=/dir1"
	caps mon = "allow r fsname=cephfs"
	caps osd = "allow r tag cephfs data=cephfs"
[root@ceph-amk-verify-y5cb3c-node7 ~]# ceph auth get client.name3
[client.name3]
	key = AQBTkKJm3A1ULhAA1ORITTDxwSEGWpqCRbZ4Qw==
	caps mds = "allow r fsname=cephfs, allow rw fsname=cephfs path=/dir2"
	caps mon = "allow r fsname=cephfs"
	caps osd = "allow rw tag cephfs data=cephfs"
[root@ceph-amk-verify-y5cb3c-node7 ~]# ceph auth get client.name4
Error ENOENT: failed to find client.name4 in keyring
[root@ceph-amk-verify-y5cb3c-node7 ~]# ceph-fuse -n client.name1 /mnt/cephfs_fuse_vv0r1_name1/
2024-07-25T13:51:57.623-0400 7fbd6aa58480 -1 init, newargv = 0x7fbd58003020 newargc=15
ceph-fuse[5652]: starting ceph client
ceph-fuse[5652]: starting fuse
[root@ceph-amk-verify-y5cb3c-node7 ~]# ceph-fuse -n client.name2 /mnt/cephfs_fuse_vv0r1_name2/
2024-07-25T13:52:04.748-0400 7f0f4eeb2480 -1 init, newargv = 0x7f0f40004ba0 newargc=15
ceph-fuse[5691]: starting ceph client
ceph-fuse[5691]: starting fuse
[root@ceph-amk-verify-y5cb3c-node7 ~]# ceph-fuse -n client.name3 /mnt/cephfs_fuse_vv0r1_name3/
2024-07-25T13:52:12.654-0400 7f0fb280b480 -1 init, newargv = 0x7f0fa4004c60 newargc=15
ceph-fuse[5730]: starting ceph client
ceph-fuse[5730]: starting fuse
[root@ceph-amk-verify-y5cb3c-node7 ~]# mkdir /mnt/cephfs_fuse_vv0r1_name1/dir1
[root@ceph-amk-verify-y5cb3c-node7 ~]# mkdir /mnt/cephfs_fuse_vv0r1_name1/dir2
[root@ceph-amk-verify-y5cb3c-node7 ~]# touch /mnt/cephfs_fuse_vv0r1_name1/dir1/file1
[root@ceph-amk-verify-y5cb3c-node7 ~]# ls /mnt/cephfs_fuse_vv0r1_name2/dir1/
file1
[root@ceph-amk-verify-y5cb3c-node7 ~]# touch /mnt/cephfs_fuse_vv0r1_name2/dir1/file2
touch: cannot touch '/mnt/cephfs_fuse_vv0r1_name2/dir1/file2': Permission denied
[root@ceph-amk-verify-y5cb3c-node7 ~]# touch /mnt/cephfs_fuse_vv0r1_name3/dir2/file3
touch: setting times of '/mnt/cephfs_fuse_vv0r1_name3/dir2/file3': Permission denied
[root@ceph-amk-verify-y5cb3c-node7 ~]# ceph versions
{
    "mon": {
        "ceph version 18.2.1-228.el9cp (26a6dfb9d5132badb606ef83e88da470a80452a6) reef (stable)": 3
    },
    "mgr": {
        "ceph version 18.2.1-228.el9cp (26a6dfb9d5132badb606ef83e88da470a80452a6) reef (stable)": 2
    },
    "osd": {
        "ceph version 18.2.1-228.el9cp (26a6dfb9d5132badb606ef83e88da470a80452a6) reef (stable)": 11
    },
    "mds": {
        "ceph version 18.2.1-228.el9cp (26a6dfb9d5132badb606ef83e88da470a80452a6) reef (stable)": 7
    },
    "overall": {
        "ceph version 18.2.1-228.el9cp (26a6dfb9d5132badb606ef83e88da470a80452a6) reef (stable)": 23
    }
}
[root@ceph-amk-verify-y5cb3c-node7 ~]# 

Older Version: 
[root@ceph-amk-bugs-kaeazw-node9 ~]# mkdir -p /mnt/cephfs_fuse_vv0r1_name1/
[root@ceph-amk-bugs-kaeazw-node9 ~]# mkdir -p /mnt/cephfs_fuse_vv0r1_name2/
[root@ceph-amk-bugs-kaeazw-node9 ~]# mkdir -p /mnt/cephfs_fuse_vv0r1_name3/
[root@ceph-amk-bugs-kaeazw-node9 ~]# ceph fs authorize cephfs client.name1 / rw /dir1 rw /dir2 r -o /etc/ceph/ceph.client.name1.keyring
[root@ceph-amk-bugs-kaeazw-node9 ~]# ceph fs authorize cephfs client.name2 / r /dir1 r -o /etc/ceph/ceph.client.name2.keyring
[root@ceph-amk-bugs-kaeazw-node9 ~]# ceph fs authorize cephfs client.name3 / r /dir2 rw -o /etc/ceph/ceph.client.name3.keyring
[root@ceph-amk-bugs-kaeazw-node9 ~]# ceph auth get client.name1
[client.name1]
	key = AQDNkaJm2echEhAABJcF/j3glNnh1Y4HOLNlAQ==
	caps mds = "allow rw fsname=cephfs, allow rw fsname=cephfs path=/dir1, allow r fsname=cephfs path=/dir2"
	caps mon = "allow r fsname=cephfs"
	caps osd = "allow rw tag cephfs data=cephfs"
[root@ceph-amk-bugs-kaeazw-node9 ~]# ceph auth get client.name2
[client.name2]
	key = AQDSkaJmPgv+JhAAGMQncgMX96Nqrtji8mZzCA==
	caps mds = "allow r fsname=cephfs, allow r fsname=cephfs path=/dir1"
	caps mon = "allow r fsname=cephfs"
	caps osd = "allow r tag cephfs data=cephfs"
[root@ceph-amk-bugs-kaeazw-node9 ~]# ceph auth get client.name3
[client.name3]
	key = AQDXkaJmVei4GRAAVGKea5PqdDd7QgG7qlFneA==
	caps mds = "allow r fsname=cephfs, allow rw fsname=cephfs path=/dir2"
	caps mon = "allow r fsname=cephfs"
	caps osd = "allow rw tag cephfs data=cephfs"
[root@ceph-amk-bugs-kaeazw-node9 ~]# ceph-fuse -n client.name1 /mnt/cephfs_fuse_vv0r1_name1/
2024-07-25T13:57:07.514-0400 7f3031c41480 -1 init, newargv = 0x7f302001c690 newargc=15
ceph-fuse[1833592]: starting ceph client
ceph-fuse[1833592]: starting fuse
[root@ceph-amk-bugs-kaeazw-node9 ~]# ceph-fuse -n client.name2 /mnt/cephfs_fuse_vv0r1_name2/
2024-07-25T13:57:11.763-0400 7f21f1c43480 -1 init, newargv = 0x7f21e0004c60 newargc=15
ceph-fuse[1833632]: starting ceph client
ceph-fuse[1833632]: starting fuse
[root@ceph-amk-bugs-kaeazw-node9 ~]# ceph-fuse -n client.name3 /mnt/cephfs_fuse_vv0r1_name3/
2024-07-25T13:57:15.707-0400 7f12f5b34480 -1 init, newargv = 0x7f12e400a260 newargc=15
ceph-fuse[1833671]: starting ceph client
ceph-fuse[1833671]: starting fuse
[root@ceph-amk-bugs-kaeazw-node9 ~]# mkdir /mnt/cephfs_fuse_vv0r1_name1/dir1
[root@ceph-amk-bugs-kaeazw-node9 ~]# mkdir /mnt/cephfs_fuse_vv0r1_name1/dir2
[root@ceph-amk-bugs-kaeazw-node9 ~]# touch /mnt/cephfs_fuse_vv0r1_name1/dir1/file1
[root@ceph-amk-bugs-kaeazw-node9 ~]# ls /mnt/cephfs_fuse_vv0r1_name2/dir1/
file1
[root@ceph-amk-bugs-kaeazw-node9 ~]# touch /mnt/cephfs_fuse_vv0r1_name2/dir1/file2 
touch: cannot touch '/mnt/cephfs_fuse_vv0r1_name2/dir1/file2': Permission denied
[root@ceph-amk-bugs-kaeazw-node9 ~]# touch /mnt/cephfs_fuse_vv0r1_name3/dir2/file3
[root@ceph-amk-bugs-kaeazw-node9 ~]# ceph versions
{
    "mon": {
        "ceph version 18.2.1-221.el9cp (2906901da1623d09405764b3ec69427aeef0fa1a) reef (stable)": 3
    },
    "mgr": {
        "ceph version 18.2.1-221.el9cp (2906901da1623d09405764b3ec69427aeef0fa1a) reef (stable)": 2
    },
    "osd": {
        "ceph version 18.2.1-221.el9cp (2906901da1623d09405764b3ec69427aeef0fa1a) reef (stable)": 16
    },
    "mds": {
        "ceph version 18.2.1-221.el9cp (2906901da1623d09405764b3ec69427aeef0fa1a) reef (stable)": 5
    },
    "overall": {
        "ceph version 18.2.1-221.el9cp (2906901da1623d09405764b3ec69427aeef0fa1a) reef (stable)": 26
    }
}
[root@ceph-amk-bugs-kaeazw-node9 ~]# ls /mnt/cephfs_fuse_vv0r1_name3/dir2/file3
/mnt/cephfs_fuse_vv0r1_name3/dir2/file3
[root@ceph-amk-bugs-kaeazw-node9 ~]# ls -lrt /mnt/cephfs_fuse_vv0r1_name3/dir2/file3
-rw-r--r--. 1 root root 0 Jul 25 13:58 /mnt/cephfs_fuse_vv0r1_name3/dir2/file3
[root@ceph-amk-bugs-kaeazw-node9 ~]# 

Logs:
http://magna002.ceph.redhat.com/cephci-jenkins/cephci-run-03LJUE/ (18.2.1-221.el9cp) --> Passed
http://magna002.ceph.redhat.com/cephci-jenkins/cephci-run-H85MXD/ (18.2.1-228.el9cp) --> Failed


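Added illustration (not part of the original report, and not Ceph's MDS code): a simplified Python model of how a comma-separated `caps mds` string is expected to be evaluated, with a `first_grant_only` switch that reproduces the symptom described above for client.name3. The function names and the matching rules (only `r`, `w` and `*` permissions, component-wise path prefix) are assumptions made for this sketch.

```python
# Added illustration: simplified model of MDS cap evaluation, not Ceph's MDSAuthCaps code.
import re

GRANT_RE = re.compile(r"^allow\s+(?P<perms>\S+)(?P<opts>(?:\s+\w+=\S+)*)$")

def parse_mds_caps(caps):
    """Split a 'caps mds' string on commas into (perms, fsname, path) grants."""
    grants = []
    for clause in caps.split(","):
        m = GRANT_RE.match(clause.strip())
        if m is None:
            raise ValueError(f"unparseable grant: {clause!r}")
        opts = dict(kv.split("=", 1) for kv in m.group("opts").split())
        grants.append((m.group("perms"), opts.get("fsname"), opts.get("path", "/")))
    return grants

def path_covers(grant_path, target):
    """True if target is grant_path or lies beneath it (whole components only)."""
    g = [c for c in grant_path.split("/") if c]
    t = [c for c in target.split("/") if c]
    return t[:len(g)] == g

def is_allowed(caps, fsname, path, want, first_grant_only=False):
    """want is 'r' or 'w'; first_grant_only models the symptom reported in this bug."""
    grants = parse_mds_caps(caps)
    if first_grant_only:
        grants = grants[:1]  # everything after the first comma is ignored
    for perms, g_fs, g_path in grants:
        if g_fs not in (None, fsname):
            continue
        if path_covers(g_path, path) and (perms == "*" or want in perms):
            return True
    return False

# Cap strings copied from the `ceph auth get` output in the report.
NAME2 = "allow r fsname=cephfs, allow r fsname=cephfs path=/dir1"
NAME3 = "allow r fsname=cephfs, allow rw fsname=cephfs path=/dir2"

def regression_matrix():
    """(client, path, op) -> (all grants honored, first grant only)."""
    cases = [("name2", NAME2, "/dir1/file2", "w"), ("name3", NAME3, "/dir2/file3", "w"),
             ("name3", NAME3, "/dir1/file1", "w"), ("name3", NAME3, "/dir2/file3", "r")]
    return {(c, p, op): (is_allowed(caps, "cephfs", p, op),
                         is_allowed(caps, "cephfs", p, op, first_grant_only=True))
            for c, caps, p, op in cases}

if __name__ == "__main__":
    for key, (expected, symptom) in regression_matrix().items():
        print(key, "all grants:", expected, "first grant only:", symptom)
```

Only the client.name3 write to /dir2/file3 differs between the two columns, which matches the one command whose result changed between 18.2.1-221 and 18.2.1-228 in the transcripts.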

Comment 25 errata-xmlrpc 2024-08-07 11:20:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat Ceph Storage 7.1 security and bug fix update.), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2024:5080