On Fri, Mar 25, 2022 at 10:11 AM Eugen Block <eblock@xxxxxx> wrote:
>
> Hi,
>
> I was curious and tried the same with debug logs. One thing I noticed
> was that if I use the '-k <keyring>' option I get a different error
> message than with '--id user3'. So with '-k' the result is the same:
>
> ---snip---
> pacific:~ # rbd -k /etc/ceph/ceph.client.user3.keyring -p test2 --namespace user3 create --size 1G --image test2-user3
> 2022-03-25T09:45:44.541+0100 7f1f21021700 -1 monclient(hunting): handle_auth_bad_method server allowed_methods [2] but i only support [2,1]
> rbd: couldn't connect to the cluster!
> ---snip---

Hi Eugen,

This is because the default client id is "admin" -- you are trying to
connect to the cluster as admin with user3's key here.

>
> With '--id' I get these messages:
>
> ---snip---
> pacific:~ # rbd --id user3 -p test2 --namespace user3 create --size 1G --image test2-user3
> 2022-03-25T09:45:49.573+0100 7f186bfff700 -1 librbd::image::GetMetadataRequest: 0x5627b6b5d6b0 handle_metadata_list: failed to retrieve image metadata: (1) Operation not permitted
> 2022-03-25T09:45:49.573+0100 7f188ad7d1c0 -1 librbd::PoolMetadata: list: failed listing metadata: (1) Operation not permitted
> 2022-03-25T09:45:49.573+0100 7f188ad7d1c0 -1 librbd::Config: apply_pool_overrides: failed to read pool config overrides: (1) Operation not permitted
> 2022-03-25T09:45:49.573+0100 7f1878d8a700 -1 librbd::image::ValidatePoolRequest: handle_read_rbd_info: failed to read RBD info: (1) Operation not permitted
> 2022-03-25T09:45:49.573+0100 7f1878d8a700 -1 librbd::image::CreateRequest: 0x5627b69b61c0 handle_validate_data_pool: failed to validate pool: (1) Operation not permitted
> rbd: create error: (1) Operation not permitted
> ---snip---

Specifying --id user3 naturally fixes that. Now you are able to connect
to the cluster but getting restricted by user3's (lack of) appropriate
RBD-related caps.

>
> The user apparently requires permissions to read some of the pool's
> information which are not stored in a namespace, like rbd_info, but
> it's not allowed:
>
> pacific:~ # rados -p test2 --id user3 stat rbd_info
> error stat-ing test2/rbd_info: (1) Operation not permitted
>
> I modified the caps for that user a little:
>
> pacific:~ # ceph auth get-or-create client.user3 mon 'profile rbd' osd 'profile rbd, allow rwx pool=test2 namespace=user3' -o /etc/ceph/ceph.client.user3.keyring

This is a bit broader than perhaps needed. If the intention is to allow
user3 to create and use RBD images in namespace user3 of pool test2 and
nothing else, I believe it should be:

    ... osd 'profile rbd pool=test2 namespace=user3' ...

Thanks,

                Ilya
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
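The following is an added illustration, not code from the thread or from Ceph. It is a toy evaluator for a small subset of the OSD cap grammar ('allow rwx ...', 'profile rbd ...', comma-separated grants with optional pool= and namespace= matches), written to show the three situations the thread walks through: a namespace-only grant that cannot read the pool-level rbd_info object, Eugen's 'profile rbd, allow rwx pool=test2 namespace=user3' that reaches every pool, and Ilya's 'profile rbd pool=test2 namespace=user3'. The rbd profile is deliberately approximated (assumption: read/write of the pool-level 'rbd_info' object in any namespace, plus rwx inside the given pool and namespace); the real OSDCap expansion also covers objects such as rbd_children and rbd_mirroring and uses class-read/class-write bits, which are omitted here. The probe object names and the "namespace-only" starting cap string are constructed for the example, not taken from the thread.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Grant:
    perms: frozenset                      # subset of {"r", "w", "x"}
    pool: Optional[str]                   # None means any pool
    namespace: Optional[str]              # None means any namespace; "" is the default namespace
    object_prefix: Optional[str] = None   # None means any object name


def _parse_match(tokens: List[str]) -> Tuple[Optional[str], Optional[str]]:
    """Parse the optional 'pool=P' / 'namespace=N' tail of a clause."""
    pool = namespace = None
    for tok in tokens:
        key, sep, value = tok.partition("=")
        if sep != "=" or key not in ("pool", "namespace"):
            raise ValueError(f"unsupported match token {tok!r}")
        if key == "pool":
            pool = value
        else:
            namespace = value
    return pool, namespace


def parse_osd_caps(caps: str) -> List[Grant]:
    """Turn a cap string into grants. Only 'allow <rwx>' and 'profile rbd' are modelled."""
    grants: List[Grant] = []
    for clause in caps.split(","):
        tokens = clause.split()
        if not tokens:
            continue
        kind = tokens[0]
        if kind == "allow":
            if len(tokens) < 2 or not tokens[1] or not set(tokens[1]) <= set("rwx"):
                raise ValueError(f"bad allow clause {clause!r}")
            pool, ns = _parse_match(tokens[2:])
            grants.append(Grant(frozenset(tokens[1]), pool, ns))
        elif kind == "profile":
            if len(tokens) < 2 or tokens[1] != "rbd":
                raise ValueError(f"only 'profile rbd' is modelled, got {clause!r}")
            pool, ns = _parse_match(tokens[2:])
            # ASSUMPTION (simplified rbd profile): the pool-level rbd_info object is
            # accessible regardless of namespace, everything else only inside pool/ns.
            grants.append(Grant(frozenset("rw"), pool, None, object_prefix="rbd_info"))
            grants.append(Grant(frozenset("rwx"), pool, ns))
        else:
            raise ValueError(f"unsupported clause {clause!r}")
    return grants


def allowed(grants: List[Grant], op: str, pool: str, namespace: str, obj: str) -> bool:
    """True if any grant permits op (one of r/w/x) on obj in pool/namespace."""
    for g in grants:
        if g.pool is not None and g.pool != pool:
            continue
        if g.namespace is not None and g.namespace != namespace:
            continue
        if g.object_prefix is not None and not obj.startswith(g.object_prefix):
            continue
        if op in g.perms:
            return True
    return False


# Constructed probes; each mirrors an access the thread shows or implies.
PROBES: Dict[str, Tuple[str, str, str, str]] = {
    "read rbd_info in test2 default namespace": ("r", "test2", "", "rbd_info"),
    "write image object in test2/user3":        ("w", "test2", "user3", "rbd_header.abc"),
    "write image object in test2/user4":        ("w", "test2", "user4", "rbd_header.abc"),
    "write image object in test3 (other pool)": ("w", "test3", "", "rbd_header.abc"),
}


def evaluate(caps: str) -> Dict[str, bool]:
    grants = parse_osd_caps(caps)
    return {name: allowed(grants, *probe) for name, probe in PROBES.items()}


CAP_NS_ONLY = "allow rwx pool=test2 namespace=user3"               # assumed starting point
CAP_BROAD = "profile rbd, allow rwx pool=test2 namespace=user3"    # Eugen's modified caps
CAP_TIGHT = "profile rbd pool=test2 namespace=user3"               # Ilya's suggestion

if __name__ == "__main__":
    for label, caps in (("ns-only", CAP_NS_ONLY), ("broad", CAP_BROAD), ("tight", CAP_TIGHT)):
        print(f"{label}: {caps}")
        for name, ok in evaluate(caps).items():
            print(f"  {'ALLOW' if ok else 'EPERM':5} {name}")
```

Run it and the three rows line up with the thread: the namespace-only grant fails exactly on rbd_info (the EPERM Eugen saw from rados stat), the broad string lets user3 write into test3 as well, and the tight string keeps user3 inside test2/user3 while still letting it read the pool-level metadata rbd needs during image creation.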