1464955 – [RFE] Simplified CephFS client key creation

Bug 1464955 - [RFE] Simplified CephFS client key creation

Summary: [RFE] Simplified CephFS client key creation

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Ceph Storage
Classification:	Red Hat Storage
Component:	CephFS
Sub Component:
Version:	3.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	urgent
Target Milestone:	rc
Target Release:	3.0
Assignee:	Patrick Donnelly
QA Contact:	Ramakrishnan Periyasamy
Docs Contact:	Bara Ancincova
URL:
Whiteboard:
Depends On:
Blocks:	1494421
TreeView+	depends on / blocked

Reported:	2017-06-26 09:50 UTC by John Spray
Modified:	2017-12-05 23:34 UTC (History)
CC List:	9 users (show)
Fixed In Version:	RHEL: ceph-12.1.4-1.el7cp Ubuntu: ceph_12.1.4-2redhat1xenial
Doc Type:	Enhancement
Doc Text:	.Simplified creation of CephFS client keyring A new command, `ceph fs authorize`, is now supported. The command simplifies creation of `cephx` capabilities for a Ceph File System (CephFS) client user. For example, to grant the `client.1` user read and write access to MDS nodes and read access to Monitor and OSD nodes on a Ceph File System named `cephfs`: ---- # ceph fs authorize cephfs client.1 rw r ---- Use this command only when creating new users. It is not possible to modify existing users with `ceph fs authorize`.
Clone Of:
Environment:
Last Closed:	2017-12-05 23:34:34 UTC
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Ceph Project Bug Tracker	20885	0	None	None	None	2017-08-02 19:42:08 UTC
Red Hat Product Errata	RHBA-2017:3387	0	normal	SHIPPED_LIVE	Red Hat Ceph Storage 3.0 bug fix and enhancement update	2017-12-06 03:03:45 UTC

Description John Spray 2017-06-26 09:50:49 UTC

Instead of user having to manually write out auth caps syntax, provide a command that allows them to grant access to a client ID by filesystem name.

Comment 5 Douglas Fuller 2017-08-02 15:44:31 UTC

Upstream ticket: http://tracker.ceph.com/issues/20885

Comment 6 Ken Dreyer (Red Hat) 2017-08-07 17:31:17 UTC

We need a new upstream point release since this PR landed after v12.1.2 was tagged.

Comment 10 Ramakrishnan Periyasamy 2017-09-20 20:52:43 UTC

Moving this bug to verified state.

Command used for verification

[ubuntu@host028 ~]$ sudo ceph --cluster qetest fs authorize cephfs client.fs rw r
[client.fs]
	key = AQDO1MJZU4JtOBAAvBocj+CzsNDp3Cogk2FsMw==

Comment 11 Ramakrishnan Periyasamy 2017-09-20 20:58:26 UTC

The caps created by the command

[ubuntu@host028 ~]$ sudo ceph --cluster qetest fs authorize cephfs client.fs rw r
[client.fs]
	key = AQDO1MJZU4JtOBAAvBocj+CzsNDp3Cogk2FsMw==

[ubuntu@host028 ~]$ sudo ceph --cluster qetest auth get client.fs
exported keyring for client.fs
[client.fs]
	key = AQDO1MJZU4JtOBAAvBocj+CzsNDp3Cogk2FsMw==
	caps mds = "allow r path=rw"
	caps mon = "allow r"
	caps osd = "allow r pool=cephfs_data"

Command: ceph fs authorize <fs_name> <entity> <caps>

Comment 17 errata-xmlrpc 2017-12-05 23:34:34 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:3387

Note You need to log in before you can comment on or make changes to this bug.