The `ceph-external-cluster-details-exporter.py` script currently allows setting the name of the `healthchecker` principal via the `--run-as-user` option. This is inadequate for a Ceph cluster serving storage to multiple OpenShift clusters, especially when those clusters (and the Ceph cluster itself) may be managed by different groups.

The exporter script should either (a) permit the administrator to specify principal names explicitly, or (b) permit the administrator to apply a suffix and/or prefix to every name, so that instead of:

- client.healthchecker
- client.csi-rbd-provisioner
- client.csi-rbd-node
- Etc.

We should have:

- client.healthchecker-cluster1
- client.csi-rbd-provisioner-cluster1
- client.csi-rbd-node-cluster1
- client.healthchecker-cluster2
- client.csi-rbd-provisioner-cluster2
- client.csi-rbd-node-cluster2
- Etc.

This allows permissions to be scoped appropriately to each individual cluster.
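An added example, not code from the report or from rook: a small Python check over constructed `ceph auth ls`-style output (keys redacted) that groups the three exporter-created principals by cluster suffix and flags any that still carry the default, unsuffixed name, since those are the ones shared between every consuming cluster.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `ceph auth ls` output (keys redacted), not
# taken from the page: cluster1 was exported with suffixed principals, while a
# second cluster kept the script's default names.
SAMPLE_AUTH_LS = """\
client.healthchecker
\tkey: <redacted>
\tcaps: [mon] allow r, allow command quorum_status, allow command version
client.csi-rbd-node
\tkey: <redacted>
\tcaps: [mon] profile rbd
client.healthchecker-cluster1
\tkey: <redacted>
\tcaps: [mon] allow r, allow command quorum_status, allow command version
client.csi-rbd-provisioner-cluster1
\tkey: <redacted>
\tcaps: [mon] profile rbd
client.csi-rbd-node-cluster1
\tkey: <redacted>
\tcaps: [mon] profile rbd
"""

# The principal names the exporter script creates, as listed in the report.
EXPORTER_ROLES = ("healthchecker", "csi-rbd-provisioner", "csi-rbd-node")


def parse_entities(auth_ls):
    """Entity names are the unindented lines; key/caps lines are indented."""
    return [ln.strip() for ln in auth_ls.splitlines() if ln and not ln[0].isspace()]


def audit_scoping(auth_ls, roles=EXPORTER_ROLES):
    """Group exporter principals by cluster suffix. Bare (unsuffixed) names land
    under the key None: they cannot be attributed to a single cluster."""
    pattern = re.compile(r"^client\.(%s)(?:-(.+))?$" % "|".join(map(re.escape, roles)))
    by_cluster = defaultdict(set)
    for entity in parse_entities(auth_ls):
        m = pattern.match(entity)
        if m:
            by_cluster[m.group(2)].add(m.group(1))
    return dict(by_cluster)


def unscoped_principals(auth_ls, roles=EXPORTER_ROLES):
    """Default-named exporter principals, i.e. credentials shared across clusters."""
    return sorted("client." + r for r in audit_scoping(auth_ls, roles).get(None, ()))
```

Run against real `ceph auth ls` output, a non-empty result from `unscoped_principals` is the list of principals that still need a per-cluster name before their caps can be scoped.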
AFAIK, this script is owned by rook. Please change the component if that is not correct.
(In reply to Lars Kellogg-Stedman from comment #0)
> The `ceph-external-cluster-details-exporter.py` script currently allows
> setting the name of the `healthchecker` principal via the `--run-as-user`
> option. This is inadequate for a Ceph cluster serving storage to multiple
> OpenShift clusters, especially when those clusters (and of the Ceph cluster
> itself) may be managed by different groups.
>
> The exporter script should either (a) permit the administrator to specify
> principal names explicitly, or (b) should permit the administrator to apply
> a suffix and/or prefix to be applied to every name, so that instead of:
>
> - client.healthchecker
> - client.csi-rbd-provisioner
> - client.csi-rbd-node
> - Etc.
>
> We should have:
>
> - client.healthchecker-cluster1

This can be achieved by setting the `--run-as-user` option, right?

> - client.csi-rbd-provisioner-cluster1
> - client.csi-rbd-node-cluster1
> - client.healthchecker-cluster2
> - client.csi-rbd-provisioner-cluster2
> - client.csi-rbd-node-cluster2
> - Etc.

Agreed, adding a suffix or the ability to change the name sounds good.

>
> This allows permissions to be scoped appropriately to each individual
> cluster.
Parth can you take a look at this one? Thanks!
Too late for 4.9
Part of https://github.com/red-hat-storage/rook/tree/release-4.10
Since we are doing doc changes, do we need to add doc text in the bug? Also, have we raised a doc bug?
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: Red Hat OpenShift Data Foundation 4.10.0 enhancement, security & bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:1372