Bug 1672878 - [Ceph-Ansible][ceph-containers] Missing permission for MDS in client.admin
Summary: [Ceph-Ansible][ceph-containers] Missing permission for MDS in client.admin
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: Ceph-Ansible
Version: 3.2
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: z2
: 3.2
Assignee: Dimitri Savineau
QA Contact: Vasishta
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-02-06 05:44 UTC by Persona non grata
Modified: 2019-04-30 15:57 UTC (History)
13 users (show)

Fixed In Version: rhceph:ceph-3.2-rhel-7-containers-candidate-10451-20190423185135
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-04-30 15:56:46 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github ceph ceph-ansible pull 3642 0 None None None 2019-02-27 16:24:27 UTC
Red Hat Product Errata RHSA-2019:0911 0 None None None 2019-04-30 15:57:00 UTC

Description Persona non grata 2019-02-06 05:44:03 UTC 
Description of problem:
Command 'ceph tell mds.0 session ls' is failing with permission error due to missing permission for MDS in client.admin

[root@ceph-cephfs-1549351399814-node1-monmgrinstaller ceph]# ceph tell mds.0 session ls
2019-02-06 00:33:01.644120 7faad5ffb700  0 client.64221 ms_handle_reset on 172.16.115.137:6800/263978892
Error EPERM: problem getting command descriptions from mds.0

---------------------
client.admin's keyring looks like this:
[client.admin]
	key = AQDSQVlclkwsORAAMWQgP/c4EXo0N1bYjbS4aQ==
	auid = 0
	caps mds = "allow"
	caps mgr = "allow *"
	caps mon = "allow *"
	caps osd = "allow *"


Version-Release number of selected component (if applicable):

ceph-ansible-3.2.5-1.el7cp.noarch

How reproducible:

Always

Steps to Reproduce:
1. Setup a ceph cluster on containers, try to run command 'ceph tell mds.0 session ls'


Actual results:
[root@ceph-cephfs-1549351399814-node1-monmgrinstaller ceph]# ceph tell mds.0 session ls
2019-02-06 00:33:01.644120 7faad5ffb700  0 client.64221 ms_handle_reset on 172.16.115.137:6800/263978892

Expected results:

Should output clients session info

Additional info:
Command like 'ceph tell osd.0 injectargs --debug-osd 20 --debug-ms 1' works without any problems since it has "allow *" permission
Comment 6 Vasishta 2019-04-21 12:49:31 UTC 
using - ceph-ansible-3.2.13-1.el7cp.noarch

$ sudo docker exec ceph-mon-magna094 ceph auth get client.admin
exported keyring for client.admin
[client.admin]
	key = AQCw3LZce22SJRAA+ZJJcVesNlhocQ0crHyI8g==
	auid = 0
	caps mds = "allow"
	caps mgr = "allow *"
	caps mon = "allow *"
	caps osd = "allow *"


Checked stable-3.2 branch, I think fix is not backported o 3.2.
Moving back to ASSIGNED state.


Regards,
Vasishta Shastry
QE, Ceph
Comment 12 Vasishta 2019-04-24 06:52:07 UTC 
Working fine with ceph-3.2-rhel-7-containers-candidate-24188-20190423220645
Moving to VERIFIED state.
Comment 14 errata-xmlrpc 2019-04-30 15:56:46 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:0911
Note You need to log in before you can comment on or make changes to this bug.