Right now, Rook uses the default client.admin key to perform its actions. This makes tracking Rook's actions inside a Ceph cluster difficult, since all commands issued could come from Rook, or a cluster administrator, or whatever. (See e.g. https://bugzilla.redhat.com/show_bug.cgi?id=2071783) Instead, Rook should generate a client.rook CephX identity (with admin permissions, presumably) and use that to perform cluster actions. This will make reading the audit/mon/mgr logs and diagnosing behaviors and sources of input much easier. Improving supportability and log clarity is great!
Great idea for improving the troubleshooting.
Let's discuss...
More details added to the upstream issue: https://github.com/rook/rook/issues/10169
Planning on it for 4.12
Subham, can you please check the QE impact for this fix, and also what they need to test.
(In reply to Mudit Agarwal from comment #7)
> Subham, can you please QE impact for this fix. Also, what they need to test.

Regarding testing, it is early to say, since we need to think about upgrade scenarios and also need to make the PR work for the upgrade first. But for a new cluster, we just need to check in the logs of the Ceph pods (osd, mon, mgr) that the user running the Ceph commands is `client.rookoperator` and not `client.admin`. I'll update here about QE testing more once we have progress.
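As an added example (not part of this Bugzilla thread or of Rook's code), the log check described in the comment above, run over a few constructed mon audit-log lines: it groups commands by CephX entity and shows why anything issued under the shared client.admin key cannot be attributed to Rook or to a human administrator. The audit line shape and the `client.rookoperator` name are assumptions taken from the thread; the sample lines are constructed.

```python
import json
import re
from collections import Counter

# Constructed sample lines in the shape of Ceph's mon audit log; not from a real cluster.
SAMPLE_AUDIT_LOG = """\
2022-05-10T10:01:02.123+0000 mon.a (mon.0) 101 : audit [DBG] from='client.? 10.0.0.5:0/1111' entity='client.admin' cmd=[{"prefix": "osd dump"}]: dispatch
2022-05-10T10:01:03.456+0000 mon.a (mon.0) 102 : audit [INF] from='client.? 10.0.0.7:0/2222' entity='client.rookoperator' cmd=[{"prefix": "osd pool create", "pool": "replicapool"}]: dispatch
2022-05-10T10:01:04.789+0000 mon.a (mon.0) 103 : audit [INF] from='client.? 10.0.0.5:0/1111' entity='client.admin' cmd=[{"prefix": "auth get-or-create", "entity": "client.csi"}]: dispatch
2022-05-10T10:01:05.000+0000 mon.a (mon.0) 104 : audit [INF] from='client.? 10.0.0.7:0/2222' entity='client.rookoperator' cmd=[{"prefix": "osd pool application enable", "pool": "replicapool", "app": "rbd"}]: dispatch
2022-05-10T10:01:06.000+0000 mon.a (mon.0) 105 : cluster [INF] overall HEALTH_OK
"""

# Audit records only; other mon log lines (e.g. 'cluster [INF]') do not match.
AUDIT_RE = re.compile(r"audit \[\w+\] from='(?P<src>[^']*)' entity='(?P<entity>[^']*)' "
                      r"cmd=(?P<cmd>\[.*\]): (?P<result>\w+)$")

def parse_audit_line(line):
    """Return (entity, source IP, command prefix, result), or None for non-audit lines."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    cmd = json.loads(m.group("cmd"))[0]                # cmd=[...] holds one command dict
    ip = m.group("src").split()[-1].split(":")[0]      # 'client.? 10.0.0.5:0/1111' -> IP
    return m.group("entity"), ip, cmd.get("prefix", "?"), m.group("result")

def commands_by_entity(log_text):
    """Count (entity, prefix): with its own identity, Rook's actions separate from an admin's."""
    counts = Counter()
    for parsed in filter(None, map(parse_audit_line, log_text.splitlines())):
        counts[(parsed[0], parsed[2])] += 1
    return counts

def unattributable_commands(log_text, shared_entity="client.admin"):
    """Commands under the shared key: the log cannot say whether Rook, the toolbox or a
    human ran them; the source address is the only remaining hint."""
    return [(ip, prefix) for entity, ip, prefix, _ in
            filter(None, map(parse_audit_line, log_text.splitlines())) if entity == shared_entity]

def operator_uses_own_identity(log_text, operator_entity="client.rookoperator"):
    """The check described in the thread: the operator shows up under its own entity and
    client.admin is absent from the log."""
    entities = {p[0] for p in filter(None, map(parse_audit_line, log_text.splitlines()))}
    return operator_entity in entities and "client.admin" not in entities
```

On the sample, `operator_uses_own_identity` returns False because two commands still ran as client.admin; on a log from a cluster where every Rook command carries the operator's own entity it returns True.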
Then we should not introduce it in 4.11, given that we are already past FF. Travis, WDYT?
(In reply to Mudit Agarwal from comment #9)
> Then we should not introduce it in 4.11, given that we are already past FF.
> Travis, WDYT?

Mudit, I think Travis already moved it to 4.12. See https://bugzilla.redhat.com/show_bug.cgi?id=2072340#c6
Much effort went into https://github.com/rook/rook/pull/10190 to attempt to get this working for the operator and toolbox to have a different user context than just using the client.admin. Even after much effort, there are still issues getting it to work, particularly around upgraded clusters. Given other priorities I'm closing this for now. We can readdress if it becomes a priority.