Description of problem: The ceph-csi needs permissions to the MGR to properly issue background tasks like image removal. The default documented permissions do not provide adequate caps to access this new feature. This also affects the new "rbd top" tools when running as a non-admin. Version-Release number of selected component (if applicable): 14.2.3-2.el8 How reproducible: 100% Steps to Reproduce: $ ceph auth get-or-create client.ceph-csi mon 'profile rbd' osd 'profile rbd' >> keyring $ ceph auth get client.ceph-csi exported keyring for client.ceph-csi [client.ceph-csi] key = AQCtJJ9d/g6vCxAAQ5r5Rbvxo5vo43wAGHGwkw== caps mon = "profile rbd" caps osd = "profile rbd" $ rbd --id ceph-csi create --size 1G image Actual results: $ ceph --id ceph-csi rbd task add remove rbd/image Error EACCES: access denied: does your client key have mgr caps? See http://docs.ceph.com/docs/master/mgr/administrator/#client-authentication Expected results: $ ceph --id ceph-csi rbd task add remove rbd/image {"sequence": 1, "id": "987a711e-e19a-476c-b64d-b98a0ddfa427", "message": "Removing image rbd/image", "refs": {"action": "remove", "pool_name": "rbd", "pool_namespace": "", "image_name": "image", "image_id": "10291e504559"}} Additional info:
Still facing the same issue on latest build. Hence moving to assign state. # ceph auth get-or-create client.ceph-csi mon 'profile rbd' osd 'profile rbd' -o /etc/ceph/ceph.client.ceph-csi.keyring # ceph auth get client.ceph-csi exported keyring for client.ceph-csi [client.ceph-csi] key = AQCqzgpeDaaeFRAA1s+3QWjpHfMO5fRlly3a5g== caps mon = "profile rbd" caps osd = "profile rbd" # ceph osd pool create pool1 10 10 pool 'pool1' created # rbd --id ceph-csi create --size 1G image -p pool1 # ceph --id ceph-csi rbd task add remove pool1/image Error EACCES: access denied: does your client key have mgr caps? See http://docs.ceph.com/docs/master/mgr/administrator/#client-authentication # ceph -v ceph version 14.2.4-91.el8cp (23607558df3b077b6190cdf96cd8d9043aa2a1c5) nautilus (stable) ceph-ansible-4.0.6-1.el8cp.noarch ceph-mon-14.2.4-91.el8cp.x86_64
Your "ceph auth get client.ceph-csi" shows that you don't have any MGR caps, so that is expected to fail.
To clarify, the fix is to add support for "profile rbd" MGR caps. Therefore, existing user caps should be updated like: # ceph auth cap client.<client id> mon 'profile rbd' mgr 'profile rbd' osd 'profile rbd'
Verified as suggested and working as expected. ceph auth caps client.ceph-csi mon 'profile rbd' mgr 'profile rbd' osd 'profile rbd' ceph --id ceph-csi rbd task add remove pool1/image {"sequence": 1, "id": "7e340c89-0bc5-4713-b8f8-a10f789efe4e", "message": "Removing image pool1/image", "refs": {"action": "remove", "pool_name": "pool1", "pool_namespace": "", "image_name": "image", "image_id": "aaa228a0afa14"}} ceph version 14.2.4-91.el8cp (23607558df3b077b6190cdf96cd8d9043aa2a1c5) nautilus (stable) ceph-ansible-4.0.6-1.el8cp.noarch ceph-mon-14.2.4-91.el8cp.x86_64
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0312