The "rbd snap unprotect" action needs to scan the "rbd_children" object of all pools to ensure that the image doesn't have any children attached. Therefore, you need to ensure that the user that will perform the "snap unprotect" has the "allow class-read object_prefix rbd_children" on all pools [1].

[1] http://docs.ceph.com/docs/master/man/8/ceph-authtool/#capabilities

On Thu, Jan 12, 2017 at 10:56 AM, Martin Palma <martin@xxxxxxxx> wrote:
> Hi all,
>
> what permissions do I need to unprotect a protected rbd snapshot?
>
> Currently the key interacting with the pool containing the rbd image
> has the following permissions:
>
> mon 'allow r'
> osd 'allow rwx pool=vms'
>
> When I try to unprotect a snapshot with the following command "rbd
> snap unprotect vms/ubuntu@snap" I get the following error:
>
> 2017-01-12 16:45:15.385212 7fab38ee4700 -1
> librbd::SnapshotUnprotectRequest: cannot get children for pool 'vms'
> 2017-01-12 16:45:15.385343 7fab38ee4700 -1
> librbd::SnapshotUnprotectRequest: cannot get children for pool 'data'
> 2017-01-12 16:45:15.386220 7fab38ee4700 -1
> librbd::SnapshotUnprotectRequest: cannot get children for pool
> 'cephfs_data'
> 2017-01-12 16:45:15.386332 7fab38ee4700 -1
> librbd::SnapshotUnprotectRequest: cannot get children for pool
> 'cephfs_metadata'
> 2017-01-12 16:45:15.386845 7fab38ee4700 -1
> librbd::SnapshotUnprotectRequest: encountered error: (1) Operation not
> permitted
> 2017-01-12 16:45:15.386870 7fab38ee4700 -1
> librbd::SnapshotUnprotectRequest: 0x7fab6376a4a0
> should_complete_error: ret_val=-1
> 2017-01-12 16:45:15.389819 7fab38ee4700 -1
> librbd::SnapshotUnprotectRequest: 0x7fab6376a4a0
> should_complete_error: ret_val=-1
> rbd: unprotecting snap failed: (1) Operation not permitted
>
> What additional permission does the key need? And why does the command
> try to get children on all pools?
>
> Best,
> Martin
> _______________________________________________
> ceph-users mailing list
> ceph-users@xxxxxxxxxxxxxx
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com

--
Jason
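The diagnosis from the reply above, as an added example that is not part of the original thread or of Ceph's own code: it pulls the denied pools out of the librbd output and checks an OSD cap string for an rbd_children grant that is not restricted to one pool. The sample log is constructed from the lines quoted in the thread, `client.EXAMPLE` is a placeholder key name, and the cap check is a simplified token match, not Ceph's full cap grammar.

```python
import re
import shlex

# Grant named in the reply; with no pool restriction it applies to all pools.
CHILDREN_GRANT = "allow class-read object_prefix rbd_children"

# Constructed sample: librbd lines from the thread, re-joined onto single lines.
SAMPLE_LOG = """\
2017-01-12 16:45:15.385212 7fab38ee4700 -1 librbd::SnapshotUnprotectRequest: cannot get children for pool 'vms'
2017-01-12 16:45:15.385343 7fab38ee4700 -1 librbd::SnapshotUnprotectRequest: cannot get children for pool 'data'
2017-01-12 16:45:15.386220 7fab38ee4700 -1 librbd::SnapshotUnprotectRequest: cannot get children for pool 'cephfs_data'
2017-01-12 16:45:15.386332 7fab38ee4700 -1 librbd::SnapshotUnprotectRequest: cannot get children for pool 'cephfs_metadata'
2017-01-12 16:45:15.386845 7fab38ee4700 -1 librbd::SnapshotUnprotectRequest: encountered error: (1) Operation not permitted
"""

def denied_pools(log):
    """Pools for which librbd reported that it could not list children."""
    return re.findall(r"cannot get children for pool\s+'([^']+)'", log)

def has_children_grant(osd_caps):
    """True if a grant gives class-read on the rbd_children prefix with no pool restriction."""
    for grant in osd_caps.split(","):
        tokens = grant.split()
        if not tokens or tokens[0] != "allow":
            continue
        pool_scoped = any(t == "pool" or t.startswith("pool=") for t in tokens)
        prefix_ok = ("object_prefix", "rbd_children") in zip(tokens, tokens[1:])
        if "class-read" in tokens and prefix_ok and not pool_scoped:
            return True
    return False

def fixed_osd_caps(osd_caps):
    """Put the rbd_children grant in front of the existing grants if it is missing."""
    if has_children_grant(osd_caps):
        return osd_caps
    return f"{CHILDREN_GRANT}, {osd_caps}"

def auth_caps_command(entity, mon_caps, osd_caps):
    """Build the `ceph auth caps` call; it replaces the key's caps, so all are restated."""
    parts = (entity, "mon", mon_caps, "osd", fixed_osd_caps(osd_caps))
    return "ceph auth caps " + " ".join(shlex.quote(p) for p in parts)

if __name__ == "__main__":
    print("children lookup denied on:", denied_pools(SAMPLE_LOG))
    # client.EXAMPLE is a placeholder; the thread does not name the key.
    print(auth_caps_command("client.EXAMPLE", "allow r", "allow rwx pool=vms"))
```

The generated command keeps the existing `allow rwx pool=vms` grant, so write access stays limited to the one pool while only the `rbd_children` lookup is opened up on the others.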