On 02/16/18 @ 18:59, Nico Schottelius wrote:
> Saw that, too, however it does not work:
>
> root@server3:/var/lib/ceph/mon/ceph-server3# ceph -n mon. --keyring keyring auth caps client.admin mds 'allow *' osd 'allow *' mon 'allow *'
> 2018-02-16 17:23:38.154282 7f7e257e3700 0 librados: mon. authentication error (13) Permission denied
> [errno 13] error connecting to the cluster
>
> ... which kind of makes sense, as the mon. key does not have
> capabilities for it. Then again, I wonder how monitors actually talk to
> each other...

Weird. Works for me.

root@ceph-mon1:/# ceph -k /var/lib/ceph/mon/ceph-ceph-mon1/keyring -n mon. auth list | grep -A4 client.admin
installed auth entries:

client.admin
        key: AQD1y3RaTyOzNhAA7NwuH5CDmpTiJAX9tAoCzQ==
        auid: 0
        caps: [mgr] allow *
client.bootstrap-mds

root@ceph-mon1:/# ceph -k /var/lib/ceph/mon/ceph-ceph-mon1/keyring -n mon. auth caps client.admin mon 'allow *' osd 'allow *' mgr 'allow *' mds 'allow *'
updated caps for client.admin

root@ceph-mon1:/# ceph -k /var/lib/ceph/mon/ceph-ceph-mon1/keyring -n mon. auth list | grep -A7 client.admin
installed auth entries:

client.admin
        key: AQD1y3RaTyOzNhAA7NwuH5CDmpTiJAX9tAoCzQ==
        auid: 0
        caps: [mds] allow *
        caps: [mgr] allow *
        caps: [mon] allow *
        caps: [osd] allow *
client.bootstrap-mds

root@ceph-mon1:/# cat /var/lib/ceph/mon/ceph-ceph-mon1/keyring
[mon.]
        key = AQD1y3RapVDCNxAAmInc8D3OPZKuTVeUcNsPug==
        caps mon = "allow *"

> Michel Raabe <rmichel@xxxxxxxxxxx> writes:
>
> > On 02/16/18 @ 18:21, Nico Schottelius wrote:
> >> on a test cluster I issued a few seconds ago:
> >>
> >> ceph auth caps client.admin mgr 'allow *'
> >>
> >> instead of what I really wanted to do
> >>
> >> ceph auth caps client.admin mgr 'allow *' mon 'allow *' osd 'allow *' \
> >> mds allow
> >>
> >> Now any access to the cluster using client.admin correctly results in
> >> client.admin authentication error (13) Permission denied.
> >>
> >> Is there any way to modify the keyring capabilities "from behind",
> >> i.e. by modifying the rocksdb of the monitors or similar?
> >
> > http://lists.ceph.com/pipermail/ceph-users-ceph.com/2017-January/015474.html
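
Added example, not part of the original message: a shell check that reads `ceph auth list`-style output and reports which of the mds, mgr, mon and osd cap types an entity lacks, which is the state the first `ceph auth caps client.admin mgr 'allow *'` command in this thread produced. The function name `missing_caps` and both sample listings are constructed for illustration.

```shell
# missing_caps ENTITY [TYPE...]
# Reads "ceph auth list"-style text on stdin and prints the cap types
# (default: mds mgr mon osd) for which ENTITY has no "caps: [type]" line.
# Exit status 2 if ENTITY does not appear in the listing.
missing_caps() {
    entity=$1; shift
    [ $# -gt 0 ] || set -- mds mgr mon osd
    awk -v entity="$entity" -v required="$*" '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }   # trim indentation
        /^caps: \[/ {                                # e.g. caps: [mon] allow *
            if (current == entity) { t = $2; gsub(/\[|\]/, "", t); have[t] = 1 }
            next
        }
        /^(key|auid):/ { next }
        /^[^ \t:]+\.[^ \t:]*$/ { current = $0; if (current == entity) seen = 1; next }
        END {
            if (!seen) exit 2
            n = split(required, req, " ")
            for (i = 1; i <= n; i++)
                if (!(req[i] in have)) { out = out sep req[i]; sep = " " }
            print out
        }'
}

# Constructed listings modelled on the two outputs in the message above.
sample_before() {
cat <<'EOF'
installed auth entries:

client.admin
    key: CONSTRUCTED-PLACEHOLDER
    auid: 0
    caps: [mgr] allow *
client.bootstrap-mds
    caps: [mon] allow profile bootstrap-mds
EOF
}
sample_after() {
cat <<'EOF'
client.admin
    caps: [mds] allow *
    caps: [mgr] allow *
    caps: [mon] allow *
    caps: [osd] allow *
client.bootstrap-mds
    caps: [mon] allow profile bootstrap-mds
EOF
}
echo "before: $(sample_before | missing_caps client.admin)"
echo "after:  $(sample_after | missing_caps client.admin)"
```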