On Thu, Jun 16, 2016 at 3:39 PM, Fabian Grünbichler <f.gruenbichler@xxxxxxxxxxx> wrote: > Hello, > > we already filed an issue over at Redmine (http://tracker.ceph.com/issues/16255), but since this is more of a question than bug report, I will repeat it here (and hope to get more insight ;)) > > The ceph documentation for monitor bootstrapping (http://tracker.ceph.com/issues/16255) says to create the client.admin key with (among other things) "--cap mds 'allow'" (while the cap for mon and osd is set to 'allow *', note the added ' *'). All our existing (users') ceph installations are setup with keyrings following this documentation, which worked find under Hammer. > > Recently (in Jewel?), ceph-create-keys was changed to call "ceph auth get-or-create" with "mon 'allow *'" (again, note the added ' *'): https://github.com/ceph/ceph/commit/c7e905e7e232a973abf7c6fa71a2ffbad7aa0ffd > > This is not only inconsistent with the current documentation, but also breaks all the existing installations/keyrings, because get-or-create will neither get nor create if the keyring exists, but the caps don't match. > > Any pointers on how to remedy this situation? I could not find any information in the release notes (e.g., for a potential upgrade path) and either the change or the documentation seems to be wrong. You can avoid this issue by leaving the admin key in place in /etc/ceph on your mon nodes. More detail in the ticket. Cheers, John > Regards, > Fabian > > -- > To unsubscribe from this list: send the line "unsubscribe ceph-devel" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe ceph-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
