Bug 2072340 - RFE: Rook should use a client.rook key, not client.admin
Summary: RFE: Rook should use a client.rook key, not client.admin
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat OpenShift Data Foundation
Classification: Red Hat Storage
Component: rook
Version: 4.9
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: ---
Assignee: Subham Rai
QA Contact: Neha Berry
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-04-06 04:21 UTC by Greg Farnum
Modified: 2023-08-09 17:03 UTC
CC: 7 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-12-13 17:50:50 UTC
Embargoed:


Links
Github rook/rook issue 10169 (status: open, priority: None, private: 0): Operator should run Ceph commands with rook username(s) instead of `client.admin` (last updated 2022-04-26 21:12:39 UTC)
Github rook/rook pull 10190 (status: open, priority: None, private: 0): core: use client.rookoperator instead of client.admin (last updated 2022-06-02 08:22:15 UTC)

Description Greg Farnum 2022-04-06 04:21:56 UTC
Right now, Rook uses the default client.admin key to perform its actions.

This makes tracking Rook's actions inside a Ceph cluster difficult, since all commands issued could come from Rook, or a cluster administrator, or whatever. (See e.g. https://bugzilla.redhat.com/show_bug.cgi?id=2071783)

Instead, Rook should generate a client.rook CephX identity (with admin permissions, presumably) and use that to perform cluster actions. This will make reading the audit/mon/mgr logs and diagnosing behaviors and sources of input much easier. Improving supportability and log clarity is great!

Comment 3 Travis Nielsen 2022-04-06 17:50:53 UTC
Great idea for improving the troubleshooting.

Comment 4 Travis Nielsen 2022-04-12 15:21:58 UTC
Let's discuss...

Comment 5 Travis Nielsen 2022-04-26 21:12:40 UTC
More details added to the upstream issue: https://github.com/rook/rook/issues/10169

Comment 6 Travis Nielsen 2022-05-09 15:10:50 UTC
Planning on it for 4.12

Comment 7 Mudit Agarwal 2022-06-02 11:40:26 UTC
Subham, can you please assess the QE impact for this fix? Also, what do they need to test?

Comment 8 Subham Rai 2022-06-02 12:23:41 UTC
(In reply to Mudit Agarwal from comment #7)
> Subham, can you please assess the QE impact for this fix? Also, what do they need to test?

Regarding testing, it is too early to say, since we need to think about upgrade scenarios and also need to make the PR work for the upgrade first.
But for a new cluster, we just need to check the logs of the Ceph pods (osd, mon, mgr) to confirm that the user running the Ceph commands is `client.rookoperator` and not `client.admin`.

I'll update here about QE testing more once we have progress.
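Added example, not part of the bug thread and not Rook's or Ceph's own code: a small parser for Ceph mon audit log lines that attributes each dispatched command to the CephX `entity=` it was authenticated as, which is the check the comment above describes. It assumes the standard mon audit channel format (`from='...' entity='...' cmd=[...]: dispatch`, with the JSON quoted on `finished` lines); the log lines, addresses and entity name `client.rookoperator` in the sample are constructed for the demo, not captured from a cluster.

```python
"""Attribute Ceph mon audit-log commands to the CephX entity that issued them.

Added example (not Rook's or Ceph's code). Assumes the standard mon audit
line format:  ... from='<src>' entity='<name>' cmd=[...]: dispatch
Sample lines below are constructed, not captured from a real cluster.
"""
import json
import re
from collections import Counter

# 'entity' is the CephX identity the command was authenticated as; 'from'
# is only the client socket. 'finished' lines wrap the JSON in single quotes.
AUDIT_RE = re.compile(
    r"from='(?P<src>[^']*)'\s+entity='(?P<entity>[^']*)'\s+"
    r"cmd='?(?P<cmd>\[.*\])'?:\s*(?P<stage>dispatch|finished)"
)

# Constructed sample: one operator command, two admin commands from two
# different sources (e.g. operator pod vs toolbox), plus non-audit noise.
SAMPLE_AUDIT_LOG = """\
2022-06-02T12:23:41.100+0000 mon.a (mon.0) 101 : audit [DBG] from='client.? 10.128.2.15:0/3124923' entity='client.admin' cmd=[{"prefix": "osd tree", "format": "json"}]: dispatch
2022-06-02T12:23:41.104+0000 mon.a (mon.0) 102 : audit [DBG] from='client.? 10.128.2.15:0/3124923' entity='client.admin' cmd='[{"prefix": "osd tree", "format": "json"}]': finished
2022-06-02T12:23:42.310+0000 mon.a (mon.0) 103 : audit [INF] from='client.? 10.128.2.15:0/3124923' entity='client.rookoperator' cmd=[{"prefix": "osd pool create", "pool": "replicapool"}]: dispatch
2022-06-02T12:23:42.980+0000 mon.a (mon.0) 104 : cluster [INF] osdmap e57: 3 total, 3 up, 3 in
2022-06-02T12:23:43.002+0000 mon.a (mon.0) 105 : audit [INF] from='client.? 10.128.2.15:0/3124923' entity='client.rookoperator' cmd='[{"prefix": "osd pool create", "pool": "replicapool"}]': finished
2022-06-02T12:23:50.771+0000 mon.a (mon.0) 106 : audit [DBG] from='client.? 10.131.0.7:0/882211' entity='client.admin' cmd=[{"prefix": "status"}]: dispatch
"""


def parse_audit_line(line):
    """Return {src, entity, prefix, stage} for an audit line, else None."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    try:
        cmd = json.loads(m.group("cmd"))
    except json.JSONDecodeError:
        return None
    prefix = cmd[0].get("prefix", "?") if cmd else "?"
    return {
        "src": m.group("src"),
        "entity": m.group("entity"),
        "prefix": prefix,
        "stage": m.group("stage"),
    }


def dispatched(lines):
    """Yield parsed 'dispatch' records only, so a command is counted once."""
    for line in lines:
        rec = parse_audit_line(line)
        if rec and rec["stage"] == "dispatch":
            yield rec


def count_by_entity(lines):
    """Number of commands dispatched per CephX entity."""
    return Counter(rec["entity"] for rec in dispatched(lines))


def commands_from(lines, entity):
    """(source socket, command prefix) pairs issued as the given entity.

    With everything running as client.admin, the source address is the only
    way to tell operator traffic from a human; a dedicated entity removes
    that guesswork.
    """
    return [(rec["src"], rec["prefix"]) for rec in dispatched(lines)
            if rec["entity"] == entity]


if __name__ == "__main__":
    lines = SAMPLE_AUDIT_LOG.splitlines()
    for entity, n in sorted(count_by_entity(lines).items()):
        print(f"{entity}: {n} command(s)")
    for src, prefix in commands_from(lines, "client.admin"):
        print(f"  client.admin still used from {src}: {prefix}")
```

On a real cluster the input would be the mon pod logs (or the audit channel of the ceph cluster log) rather than the embedded sample; anything reported under `client.admin` is then either a human in the toolbox or an operator code path that has not yet moved to its own identity.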

Comment 9 Mudit Agarwal 2022-06-02 12:42:20 UTC
Then we should not introduce it in 4.11, given that we are already past FF.
Travis, WDYT?

Comment 10 Subham Rai 2022-06-02 12:51:49 UTC
(In reply to Mudit Agarwal from comment #9)
> Then we should not introduce it in 4.11, given that we are already past FF.
> Travis, WDYT?

Mudit, I think Travis already moved it to 4.12; see https://bugzilla.redhat.com/show_bug.cgi?id=2072340#c6

Comment 11 Travis Nielsen 2022-12-13 17:50:50 UTC
Much effort went into https://github.com/rook/rook/pull/10190 to attempt to get this working for the operator and toolbox to have a different user context than just using the client.admin. Even after much effort, there are still issues getting it to work, particularly around upgraded clusters. Given other priorities I'm closing this for now. We can readdress if it becomes a priority.

