Bug 1996830 - OCS external mode should allow specifying names for all Ceph auth principals [NEEDINFO]
Summary: OCS external mode should allow specifying names for all Ceph auth principals
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenShift Data Foundation
Classification: Red Hat
Component: rook
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: ODF 4.11.0
Assignee: Parth Arora
QA Contact: Neha Berry
URL:
Whiteboard:
Depends On:
Blocks: 2069314
Reported: 2021-08-23 18:49 UTC by Lars Kellogg-Stedman
Modified: 2022-04-13 18:50 UTC (History)
CC List: 10 users

Fixed In Version: 4.10.0-113
Doc Type: No Doc Update
Doc Text:
Clone Of:
Clones: 2069314
Environment:
Last Closed: 2022-04-13 18:49:40 UTC
Target Upstream Version:
nberry: needinfo? (shmohan)
nberry: needinfo? (olakra)
Links
System ID                               Private  Priority  Status  Summary  Last Updated
GitHub rook/rook/pull/8994              0        None      None    None     2021-11-08 16:23:55 UTC
Red Hat Product Errata RHSA-2022:1372   0        None      None    None     2022-04-13 18:50:35 UTC

Description Lars Kellogg-Stedman 2021-08-23 18:49:36 UTC
The `ceph-external-cluster-details-exporter.py` script currently allows setting the name of the `healthchecker` principal via the `--run-as-user` option. This is inadequate for a Ceph cluster serving storage to multiple OpenShift clusters, especially when those clusters (and the Ceph cluster itself) may be managed by different groups.

The exporter script should either (a) permit the administrator to specify principal names explicitly, or (b) permit the administrator to apply a suffix and/or prefix to every name, so that instead of:

  - client.healthchecker
  - client.csi-rbd-provisioner
  - client.csi-rbd-node
  - Etc.

We should have:

  - client.healthchecker-cluster1
  - client.csi-rbd-provisioner-cluster1
  - client.csi-rbd-node-cluster1
  - client.healthchecker-cluster2
  - client.csi-rbd-provisioner-cluster2
  - client.csi-rbd-node-cluster2
  - Etc.

This allows permissions to be scoped appropriately to each individual cluster.
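The per-cluster naming scheme proposed above, as an added example (not code from the bug report, the rook project, or the `ceph-external-cluster-details-exporter.py` script). It applies a prefix and/or suffix to each of the base principal names the report lists, checks that two consuming clusters never end up sharing a principal, and builds the matching `ceph auth get-or-create` argument vector. The capability strings are assumed for illustration only (narrowed to one RBD pool per cluster) and are not the exporter's real caps; the entity-name validation rule is likewise an assumption of this example.

```python
"""Per-cluster Ceph auth principal names, as proposed in this bug.

Added example: not code from the bug report, the rook project or the
ceph-external-cluster-details-exporter.py script. Each consuming OpenShift
cluster gets its own set of principals (prefix and/or suffix applied to
every base name), so one cluster's keys can be rotated, restricted or
revoked without touching another's. The caps below are assumed for
illustration only (one RBD pool per cluster), not the exporter's real caps.
"""
from __future__ import annotations

from dataclasses import dataclass
import re

# Principals the report names; every consuming cluster needs its own set.
BASE_PRINCIPALS = ("healthchecker", "csi-rbd-provisioner", "csi-rbd-node")

# Assumed validation rule for this example: "client." plus a conservative charset.
_ENTITY_RE = re.compile(r"^client\.[A-Za-z0-9][A-Za-z0-9_.-]*$")


@dataclass(frozen=True)
class Principal:
    name: str                            # full entity name, e.g. client.csi-rbd-node-cluster1
    caps: tuple[tuple[str, str], ...]    # (daemon, capability) pairs


def scoped_name(base: str, prefix: str = "", suffix: str = "") -> str:
    """Apply a prefix and/or suffix to a base principal and return the full entity name."""
    name = f"client.{prefix}{base}{suffix}"
    if not _ENTITY_RE.match(name):
        raise ValueError(f"invalid Ceph entity name: {name!r}")
    return name


def _caps_for(base: str, pool: str) -> tuple[tuple[str, str], ...]:
    """Illustrative caps narrowed to a single pool (assumed, not the exporter's real caps)."""
    if base == "healthchecker":
        return (("mon", "allow r"), ("mgr", "allow r"), ("osd", f"allow r pool={pool}"))
    if base == "csi-rbd-provisioner":
        return (("mon", "profile rbd"), ("mgr", "allow rw"), ("osd", f"profile rbd pool={pool}"))
    if base == "csi-rbd-node":
        return (("mon", "profile rbd"), ("osd", f"profile rbd pool={pool}"))
    raise ValueError(f"unknown base principal {base!r}")


def principals_for_cluster(pool: str, prefix: str = "", suffix: str = "") -> list[Principal]:
    """Build the complete principal set for one consuming cluster."""
    return [Principal(scoped_name(b, prefix, suffix), _caps_for(b, pool)) for b in BASE_PRINCIPALS]


def shared_principals(clusters: dict[str, list[Principal]]) -> set[str]:
    """Return entity names that appear in more than one cluster's principal set.

    A non-empty result means two clusters would share a key, which is the
    over-broad scoping the report wants to avoid (what happens with no suffix).
    """
    first_owner: dict[str, str] = {}
    shared: set[str] = set()
    for cluster, principals in clusters.items():
        for p in principals:
            owner = first_owner.setdefault(p.name, cluster)
            if owner != cluster:
                shared.add(p.name)
    return shared


def ceph_auth_command(p: Principal) -> list[str]:
    """argv for `ceph auth get-or-create <entity> <daemon> <cap> ...` (a real ceph subcommand)."""
    argv = ["ceph", "auth", "get-or-create", p.name]
    for daemon, cap in p.caps:
        argv.extend([daemon, cap])
    return argv


if __name__ == "__main__":
    # Constructed sample: two consuming clusters, each with its own suffix and pool.
    clusters = {
        "cluster1": principals_for_cluster("cluster1-rbd", suffix="-cluster1"),
        "cluster2": principals_for_cluster("cluster2-rbd", suffix="-cluster2"),
    }
    assert not shared_principals(clusters), "clusters must not share a principal"
    for cluster, principals in clusters.items():
        for p in principals:
            print(cluster, ceph_auth_command(p))
```

Running the module prints one `ceph auth get-or-create` argument vector per principal for the two constructed clusters; `shared_principals` is the check an operator would run before creating keys, since an empty prefix and suffix on two clusters collapses them onto the same `client.healthchecker` / `client.csi-rbd-*` entities.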

Comment 2 Mudit Agarwal 2021-08-24 07:37:26 UTC
AFAIK, this script is owned by rook. Please change the component if that is not correct.

Comment 3 Sébastien Han 2021-08-31 09:03:54 UTC
(In reply to Lars Kellogg-Stedman from comment #0)
> The `ceph-external-cluster-details-exporter.py` script currently allows
> setting the name of the `healthchecker` principal via the `--run-as-user`
> option. This is inadequate for a Ceph cluster serving storage to multiple
> OpenShift clusters, especially when those clusters (and of the Ceph cluster
> itself) may be managed by different groups.
> 
> The exporter script should either (a) permit the administrator to specify
> principal names explicitly, or (b) should permit the administrator to apply
> a suffix and/or prefix to be applied to every name, so that instead of:
> 
>   - client.healthchecker
>   - client.csi-rbd-provisioner
>   - client.csi-rbd-node
>   - Etc.
> 
> We should have:
> 
>   - client.healthchecker-cluster1

This can be achieved by setting the `--run-as-user` option right?

>   - client.csi-rbd-provisioner-cluster1
>   - client.csi-rbd-node-cluster1
>   - client.healthchecker-cluster2
>   - client.csi-rbd-provisioner-cluster2
>   - client.csi-rbd-node-cluster2
>   - Etc.

Agreed, adding a suffix or the ability to change the name sounds good.

> 
> This allows permissions to be scoped appropriately to each individual
> cluster.

Comment 5 Travis Nielsen 2021-09-27 15:15:55 UTC
Parth can you take a look at this one? Thanks!

Comment 6 Travis Nielsen 2021-10-11 15:19:05 UTC
Too late for 4.9

Comment 7 Sébastien Han 2021-11-15 11:34:19 UTC
Part of https://github.com/red-hat-storage/rook/tree/release-4.10

Comment 18 Mudit Agarwal 2022-03-03 09:59:52 UTC
Since we are doing doc changes, do we need to add doc text in the bug?
Also, have we raised a doc bug?

Comment 29 errata-xmlrpc 2022-04-13 18:49:40 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Important: Red Hat OpenShift Data Foundation 4.10.0 enhancement, security & bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:1372