Bug 1762001 - "rbd task" MGR commands require appropriate caps to run
Summary: "rbd task" MGR commands require appropriate caps to run
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: RBD
Version: 4.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: rc
: 4.0
Assignee: Jason Dillaman
QA Contact: Gopi
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-10-15 19:57 UTC by Jason Dillaman
Modified: 2020-01-31 12:47 UTC (History)
4 users (show)

Fixed In Version: ceph-14.2.4-89.el8cp, ceph-14.2.4-29.el7cp
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-01-31 12:47:36 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Ceph Project Bug Tracker 42265 0 None None None 2019-10-15 19:57:35 UTC
Github ceph ceph pull 30912 0 'None' closed mgr: add 'rbd' profiles to support 'rbd_support' module commands 2020-11-09 02:28:55 UTC
Github ceph ceph pull 32086 0 'None' closed nautilus: mgr: add 'rbd' profiles to support 'rbd_support' module commands 2020-11-09 02:28:56 UTC
Red Hat Product Errata RHBA-2020:0312 0 None None None 2020-01-31 12:47:46 UTC

Description Jason Dillaman 2019-10-15 19:57:36 UTC
Description of problem:
The ceph-csi needs permissions to the MGR to properly issue background tasks like image removal. The default documented permissions do not provide adequate caps to access this new feature.

This also affects the new "rbd top" tools when running as a non-admin.

Version-Release number of selected component (if applicable):
14.2.3-2.el8

How reproducible:
100%

Steps to Reproduce:
$ ceph auth get-or-create client.ceph-csi mon 'profile rbd' osd 'profile rbd' >> keyring 
$ ceph auth get client.ceph-csi
exported keyring for client.ceph-csi
[client.ceph-csi]
    key = AQCtJJ9d/g6vCxAAQ5r5Rbvxo5vo43wAGHGwkw==
    caps mon = "profile rbd" 
    caps osd = "profile rbd" 
$ rbd --id ceph-csi create --size 1G image

Actual results:
$ ceph --id ceph-csi rbd task add remove rbd/image
Error EACCES: access denied: does your client key have mgr caps? See http://docs.ceph.com/docs/master/mgr/administrator/#client-authentication

Expected results:
$ ceph --id ceph-csi rbd task add remove rbd/image
{"sequence": 1, "id": "987a711e-e19a-476c-b64d-b98a0ddfa427", "message": "Removing image rbd/image", "refs": {"action": "remove", "pool_name": "rbd", "pool_namespace": "", "image_name": "image", "image_id": "10291e504559"}}

Additional info:

Comment 5 Gopi 2019-12-31 04:45:58 UTC
Still facing the same issue on latest build. Hence moving to assign state.

# ceph auth get-or-create client.ceph-csi mon 'profile rbd' osd 'profile rbd' -o /etc/ceph/ceph.client.ceph-csi.keyring

# ceph auth get client.ceph-csi
exported keyring for client.ceph-csi
[client.ceph-csi]
	key = AQCqzgpeDaaeFRAA1s+3QWjpHfMO5fRlly3a5g==
	caps mon = "profile rbd"
	caps osd = "profile rbd"

# ceph osd pool create pool1 10 10
pool 'pool1' created

# rbd --id ceph-csi create --size 1G image -p pool1

# ceph --id ceph-csi rbd task add remove pool1/image
Error EACCES: access denied: does your client key have mgr caps? See http://docs.ceph.com/docs/master/mgr/administrator/#client-authentication

# ceph -v 
ceph version 14.2.4-91.el8cp (23607558df3b077b6190cdf96cd8d9043aa2a1c5) nautilus (stable)
ceph-ansible-4.0.6-1.el8cp.noarch
ceph-mon-14.2.4-91.el8cp.x86_64

Comment 6 Jason Dillaman 2020-01-02 14:02:19 UTC
Your "ceph auth get client.ceph-csi" shows that you don't have any MGR caps, so that is expected to fail.

Comment 7 Jason Dillaman 2020-01-02 15:29:08 UTC
To clarify, the fix is to add support for "profile rbd" MGR caps. Therefore, existing user caps should be updated like: 

# ceph auth cap client.<client id> mon 'profile rbd' mgr 'profile rbd' osd 'profile rbd'

Comment 8 Gopi 2020-01-02 15:34:58 UTC
Verified as suggested and working as expected.

ceph auth caps client.ceph-csi mon 'profile rbd' mgr 'profile rbd' osd 'profile rbd'
 ceph --id ceph-csi rbd task add remove pool1/image
{"sequence": 1, "id": "7e340c89-0bc5-4713-b8f8-a10f789efe4e", "message": "Removing image pool1/image", "refs": {"action": "remove", "pool_name": "pool1", "pool_namespace": "", "image_name": "image", "image_id": "aaa228a0afa14"}}

ceph version 14.2.4-91.el8cp (23607558df3b077b6190cdf96cd8d9043aa2a1c5) nautilus (stable)
ceph-ansible-4.0.6-1.el8cp.noarch
ceph-mon-14.2.4-91.el8cp.x86_64

Comment 10 errata-xmlrpc 2020-01-31 12:47:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0312


Note You need to log in before you can comment on or make changes to this bug.