Description of problem (please be detailed as possible and provide log snippests): [External] : client.healthchecker osd permissions are changed in build 156 as compared to build 147 Version of all relevant components (if applicable): OCP 4.14.0-0.nightly-2023-10-26-172837 ODF 4.14.0-156 Does this issue impact your ability to continue to work with the product (please explain in detail what is the user impact)? NA Is there any workaround available to the best of your knowledge? NA Rate from 1 - 5 the complexity of the scenario you performed that caused this bug (1 - very simple, 5 - very complex)? 1 Can this issue reproducible? Yes Can this issue reproduce from the UI? NA If this is a regression, please provide more details to justify this: client.healthchecker permission was changed from ODF 4.14.0 build 147 to build 156 Steps to Reproduce: 1. Install OCP and ODF cluster in external mode 2. Connect to ceph tools pod and run 'ceph auth ls' command 3. Verify the output for client.healthchecker Actual results: Build 156; ceph auth ls output client.healthchecker key: AQCUcmNk/N2GDxAA6KMjeCBMNxFMtzxOUiMwOQ== caps: [mgr] allow command config caps: [mon] allow r, allow command quorum_status, allow command version caps: [osd] allow rwx pool=default.rgw.meta, allow r pool=.rgw.root, allow rw pool=default.rgw.control, allow rx pool=default.rgw.log, allow x pool=default.rgw.buckets.index Expected results: build 147 ceph auth ls output client.healthchecker key: AQANpTplz6DoABAAzXAKtbvnKR2YTDPp2gBo4Q== caps: [mgr] allow command config caps: [mon] allow r, allow command quorum_status, allow command version caps: [osd] profile rbd-read-only, allow rwx pool=default.rgw.meta, allow r pool=.rgw.root, allow rw pool=default.rgw.control, allow rx pool=default.rgw.log, allow x pool=default.rgw.buckets.index Additional info: This behaviour was noticed upon verifying bug https://bugzilla.redhat.com/show_bug.cgi?id=2239802
In the script case right permission is present https://github.com/red-hat-storage/rook/blob/release-4.14/deploy/examples/create-external-cluster-resources.py#L973 in the 4.14 branch. And the difference between build 147 and 156 are not touching the Python file https://github.com/red-hat-storage/rook/commits/release-4.14 (fe613c584ed7b69b65399af057e179190d8d2594 commit id for build 147 and 17590995fc68e66fd3e89380be551c129ea8c698 is commit id for 156). Can you share what Python script is used to create the external cluster between the two builds?
Between the two builds, I learned from Joy Pinto that the version of RHCS had been changed from 5.2 to 6.1 between builds 147 and 156. @tnielsen do you think that will impact the osd permission mentioned in the python script?
I don't see what would change between RHCS versions. The caps requested by the external script are defined in Rook here, so I would also expect it to be consistent: https://github.com/red-hat-storage/rook/blob/release-4.14/deploy/examples/create-external-cluster-resources.py#L973 Does this repro consistently?
Tried reproducing the issue with latest build (ODF build 157) RHCS 5.2 + ODF build 157 -> Issue still persists RHCS 6.1 + ODF build 157 -> Issue is not seen (caps: [osd] profile rbd-read-only, allow rwx pool=default.rgw.meta, allow r pool=.rgw.root, allow rw pool=default.rgw.control, allow rx pool=default.rgw.log, allow x pool=default.rgw.buckets.index). Looks like issue is seen only with RHCS 5.2 cluster, Also support matrix states RHCS 6.1 and above is supported (https://url.corp.redhat.com/189ba44)
Any update on this?
Removing the needinfo flag, as this bug was not reproducible with later builds and its in closed state