Re: ceph namespace access control

Hi,

> This is because the default client id is "admin" -- you are trying to
> connect to the cluster as admin with user3's key here.

that makes sense, of course.

> This is a bit broader than perhaps needed.  If the intention is to
> allow user3 to create and use RBD images in namespace user3 of pool
> test2 and nothing else, I believe it should be:
>
>     ... osd 'profile rbd pool=test2 namespace=user3' ...

Thanks for the pointer (also to Kai). I tried to reproduce it as closely to the OP's attempt as possible to make it work, but yeah, using only 'profile rbd...' is the better option.

Thanks!

Quoting Ilya Dryomov <idryomov@xxxxxxxxx>:

> On Fri, Mar 25, 2022 at 10:11 AM Eugen Block <eblock@xxxxxx> wrote:
>
> > Hi,
> >
> > I was curious and tried the same with debug logs. One thing I noticed
> > was that if I use the '-k <keyring>' option I get a different error
> > message than with '--id user3'. So with '-k' the result is the same:
> >
> > ---snip---
> > pacific:~ # rbd -k /etc/ceph/ceph.client.user3.keyring -p test2
> > --namespace user3 create --size 1G --image test2-user3
> > 2022-03-25T09:45:44.541+0100 7f1f21021700 -1 monclient(hunting):
> > handle_auth_bad_method server allowed_methods [2] but i only support
> > [2,1]
> > rbd: couldn't connect to the cluster!
> > ---snip---
>
> Hi Eugen,
>
> This is because the default client id is "admin" -- you are trying to
> connect to the cluster as admin with user3's key here.
>
> > With '--id' I get these messages:
> >
> > ---snip---
> > pacific:~ # rbd --id user3 -p test2 --namespace user3 create --size 1G
> > --image test2-user3
> > 2022-03-25T09:45:49.573+0100 7f186bfff700 -1
> > librbd::image::GetMetadataRequest: 0x5627b6b5d6b0
> > handle_metadata_list: failed to retrieve image metadata: (1) Operation
> > not permitted
> > 2022-03-25T09:45:49.573+0100 7f188ad7d1c0 -1 librbd::PoolMetadata:
> > list: failed listing metadata: (1) Operation not permitted
> > 2022-03-25T09:45:49.573+0100 7f188ad7d1c0 -1 librbd::Config:
> > apply_pool_overrides: failed to read pool config overrides: (1)
> > Operation not permitted
> > 2022-03-25T09:45:49.573+0100 7f1878d8a700 -1
> > librbd::image::ValidatePoolRequest: handle_read_rbd_info: failed to
> > read RBD info: (1) Operation not permitted
> > 2022-03-25T09:45:49.573+0100 7f1878d8a700 -1
> > librbd::image::CreateRequest: 0x5627b69b61c0
> > handle_validate_data_pool: failed to validate pool: (1) Operation not
> > permitted
> > rbd: create error: (1) Operation not permitted
> > ---snip---
>
> Specifying --id user3 naturally fixes that.  Now you are able to
> connect to the cluster but getting restricted by user3's (lack of)
> appropriate RBD-related caps.
>
> > The user apparently requires permissions to read some of the pool's
> > information that is not stored in a namespace, like rbd_info, but
> > that is not allowed:
> >
> > pacific:~ # rados -p test2 --id user3 stat rbd_info
> >   error stat-ing test2/rbd_info: (1) Operation not permitted
> >
> > I modified the caps for that user a little:
> >
> > pacific:~ # ceph auth get-or-create client.user3 mon 'profile rbd' osd
> > 'profile rbd, allow rwx pool=test2 namespace=user3' -o
> > /etc/ceph/ceph.client.user3.keyring
>
> This is a bit broader than perhaps needed.  If the intention is to
> allow user3 to create and use RBD images in namespace user3 of pool
> test2 and nothing else, I believe it should be:
>
>     ... osd 'profile rbd pool=test2 namespace=user3' ...
>
> Thanks,
>
>                 Ilya



_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
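Why the first cap string is broader than the second, shown with a constructed, simplified evaluator for cephx OSD grants (this is an added example, not Ceph's OSDCap code and not part of the thread). It assumes grants are unioned, that a grant naming no pool or namespace matches all of them, and that `profile rbd` expands to rwx in its scope plus read access to pool-level RBD metadata objects (`rbd_info`, `rbd_children`, `rbd_mirroring`) in the pool's default namespace; those object names and that expansion are assumptions made for the model.

```python
import re

# Constructed, simplified model of cephx OSD cap grants (not Ceph's OSDCap
# parser).  A cap string is a comma-separated list of
#   allow <perms> [pool=P] [namespace=N]    e.g. allow rwx pool=test2 namespace=user3
#   profile <name> [pool=P] [namespace=N]   e.g. profile rbd pool=test2
# A grant naming no pool/namespace matches every pool and namespace; access is the union.
GRANT_RE = re.compile(r"^(allow|profile)\s+([\w-]+)((?:\s+\w+=\S+)*)$")
RBD_POOL_META = ("rbd_info", "rbd_children", "rbd_mirroring")  # assumed object names

def parse_caps(caps):
    grants = []
    for raw in caps.split(","):
        m = GRANT_RE.match(raw.strip())
        if not m:
            raise ValueError(f"cannot parse grant: {raw!r}")
        kind, what, rest = m.groups()
        restr = dict(kv.split("=", 1) for kv in rest.split())
        grants.append((kind, what, restr.get("pool"), restr.get("namespace")))
    return grants

def _in_scope(gpool, gns, pool, ns):
    return gpool in (None, pool) and gns in (None, ns)

def allowed(caps, pool, ns, obj, perm):
    """perm is 'r', 'w' or 'x'; True if any grant covers the access."""
    for kind, what, gpool, gns in parse_caps(caps):
        if kind == "allow" and perm in what and _in_scope(gpool, gns, pool, ns):
            return True
        if kind == "profile" and what == "rbd":
            # Simplified 'profile rbd': rwx inside the granted scope, plus read on the
            # pool-level RBD metadata objects, which live in the default namespace ("").
            if _in_scope(gpool, gns, pool, ns):
                return True
            if perm == "r" and ns == "" and gpool in (None, pool) and obj in RBD_POOL_META:
                return True
    return False

# The cap strings discussed in the thread, plus the namespace grant on its own.
BROAD = "profile rbd, allow rwx pool=test2 namespace=user3"   # Eugen's get-or-create
NARROW = "profile rbd pool=test2 namespace=user3"             # Ilya's suggestion
NS_ONLY = "allow rwx pool=test2 namespace=user3"              # no pool metadata access

def probe(caps):
    """Check the three accesses that matter for the thread against one cap string."""
    return {
        "create image in test2/user3": allowed(caps, "test2", "user3", "rbd_header.x", "w"),
        "stat test2/rbd_info": allowed(caps, "test2", "", "rbd_info", "r"),
        "write to another pool": allowed(caps, "otherpool", "", "rbd_header.y", "w"),
    }
```

Calling `probe()` on each string shows that the unrestricted `profile rbd` in BROAD reaches every pool, that NS_ONLY cannot read `rbd_info` (the failure in the `rados stat` above), and that NARROW permits exactly the namespace work plus the metadata read.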


