Bug 2083722 - `--restricted-auth-permission` flag doc update
Summary: `--restricted-auth-permission` flag doc update
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat OpenShift Data Foundation
Classification: Red Hat Storage
Component: documentation
Version: 4.10
Hardware: All
OS: All
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: ---
Assignee: Kusuma
QA Contact: Vijay Avuthu
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-05-10 15:31 UTC by Parth Arora
Modified: 2023-08-09 16:43 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-09-08 14:51:41 UTC
Embargoed:



Description Parth Arora 2022-05-10 15:31:16 UTC
Describe the issue:

Describe the task you were trying to accomplish:

1) BZ = Bug 1996830: OCS external mode should allow specifying names for all Ceph auth principals

-> I have added a flag `--restricted-auth-permission` which you will need to pass while running the external-cluster Python script when creating the JSON output for the setup.

For example:
```bash
kubectl -n rook-ceph exec $toolbox -- python3 /etc/ceph/create-external-cluster-resources.py --cephfs-filesystem-name myfs --rbd-data-pool-name replicapool --rados-namespace radosNamespace --cluster-name rookStorage --restricted-auth-permission true
```

So by that, you can see that the auth users created are restricted to a particular cluster, pool, and namespace; you can run `ceph auth ls` to check it.

And then you can use this JSON output for the setup to create the external storage cluster, and can check that the storage/cluster/PVs are created successfully with the users having restricted authentication, for both CephFS and RBD.


2) BZ = Bug 1996829 - Permissions assigned to ceph auth principals when using external storage are too broad

-> You can verify this in a similar way: passing the flag `--restricted-auth-permission` and creating the external cluster, then checking the permissions within the external cluster, so that a user/client can only access the specific pool which is mentioned in the caps.

PR references: https://github.com/rook/rook/pull/9410, https://github.com/rook/rook/pull/8994, https://github.com/rook/rook/pull/9410

For using the `--restricted-auth-permission` flag, this is a small note that has been added as the flag's help text:

```python
help="Restricted cephCSIKeyrings auth permissions to specific pools, cluster and pool namespaces. Mandatory flags that need to be set are --rbd-data-pool-name, --rados-namespace and --cluster-name. Note: Restricting the users per pool, per cluster and per pool namespace will require to create new users and new secrets for that users."
```


Suggestions for improvement:

Document URL:

Chapter/Section Number and Title:

Product Version:

Environment Details:

Any other versions of this document that also needs this update:

Additional information:
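
An added example (not part of the bug report or of Rook's own code) that automates the `ceph auth ls` check described above: it parses `ceph auth ls -f json` output (the `auth_dump` layout is an assumption) and reports any CSI RBD principal whose OSD caps are not scoped to the expected pool and RADOS namespace. The sample output, the entity names and the `client.csi-rbd-` prefix are constructed for illustration.

```python
import json
import re

# Constructed sample in the shape of `ceph auth ls -f json` (assumed "auth_dump"
# layout). Entity names are made up; keys are placeholders, not real keyring data.
SAMPLE_AUTH_LS = json.dumps({"auth_dump": [
    {"entity": "client.csi-rbd-node-rookStorage-replicapool",
     "key": "PLACEHOLDER-KEY",
     "caps": {"mon": "profile rbd, allow command 'osd blocklist'",
              "osd": "profile rbd pool=replicapool namespace=radosNamespace"}},
    {"entity": "client.csi-rbd-provisioner",           # broad: no pool= at all
     "key": "PLACEHOLDER-KEY",
     "caps": {"mon": "profile rbd", "osd": "profile rbd"}},
    {"entity": "client.csi-cephfs-node-rookStorage-myfs",
     "key": "PLACEHOLDER-KEY",
     "caps": {"mon": "allow r", "osd": "allow rw tag cephfs data=myfs",
              "mds": "allow rw"}},
]})

GRANT_SPLIT = re.compile(r",\s*")  # OSD caps may hold several comma-separated grants


def grant_is_scoped(grant, pool, namespace=None):
    """True when one OSD grant is pinned to the expected pool (and namespace)."""
    if "allow *" in grant:
        return False
    m_pool = re.search(r"\bpool=(\S+)", grant)
    if not m_pool or m_pool.group(1) != pool:
        return False
    if namespace:
        m_ns = re.search(r"\bnamespace=(\S+)", grant)
        return bool(m_ns) and m_ns.group(1) == namespace
    return True


def broad_rbd_principals(auth_ls_json, pool, namespace=None, prefix="client.csi-rbd-"):
    """Return CSI RBD entities whose OSD caps are not restricted to pool/namespace.

    `prefix` is an assumed naming convention for the CSI users, not Rook's own."""
    broad = []
    for entry in json.loads(auth_ls_json)["auth_dump"]:
        entity = entry["entity"]
        if not entity.startswith(prefix):
            continue
        grants = GRANT_SPLIT.split(entry["caps"].get("osd", ""))
        if not all(grant_is_scoped(g, pool, namespace) for g in grants):
            broad.append(entity)
    return broad


if __name__ == "__main__":
    # Expected with the sample above: ['client.csi-rbd-provisioner']
    print(broad_rbd_principals(SAMPLE_AUTH_LS, "replicapool", "radosNamespace"))
```

Run it against real output by piping `ceph auth ls -f json` from the toolbox pod into `broad_rbd_principals` with the pool and namespace you passed to the script; an empty list means every CSI RBD user is scoped as intended.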

