Hi,
I don't really have any solution, but it appears to require rwx
permissions at least for the rgw tag:
caps osd = "allow rwx tag rgw *=*"
This was the only way I got the radosgw-admin commands to work in my
limited test attempts. Maybe someone else has more insights. My
interpretation of these error messages ("failed to update source
index") is that it actually needs to update something:
2024-01-03T17:34:06.498+0000 7f915ece1fc0 0 ERROR: failed reading
data (obj=default.rgw.log:bucket.sync-source-hints.), r=-1
2024-01-03T17:34:06.498+0000 7f915ece1fc0 0 ERROR: failed to update
sources index for bucket=:[]) r=-1
But as I said, I might misinterpret things, so I hope someone else can
chime in here.
Regards,
Eugen
Quoting Alam Mohammad <samdto987@xxxxxxxxx>:
Hello,
In our Ceph cluster we encountered issues while attempting to
execute the "radosgw-admin" command on the client side using a cephx user
with read-only permission. Whenever we execute the
"radosgw-admin user list" command, it throws an error.
"ceph version 18.2.1 (7fe91d5d5842e04be3b4f514d6dd990c54b29c76) reef
(stable)"
We performed the steps below in our environment.
Case-1: First we created a cephx user with the privileges below:
client.rgw.username
key: <-------key------->
caps: [mgr] allow r
caps: [mon] allow r
caps: [osd] allow r tag rgw *=*
On the client side we copied the keyring and ceph.conf file.
What we noticed on the client machine is that all general commands like "ceph
-s", "ceph health detail", "ceph df" run fine, and even the
"radosgw-admin zonegroup list --id=rgw.username" command returned
the expected output, but when attempting commands like
"radosgw-admin user list", "radosgw-admin bucket list", or
"radosgw-admin user info", errors were encountered.
Below is the output that is thrown:
root@control:~# radosgw-admin user list --id=rgw.username
2024-01-03T17:34:06.498+0000 7f915ece1fc0 0 ERROR: failed reading
data (obj=default.rgw.log:bucket.sync-source-hints.), r=-1
2024-01-03T17:34:06.498+0000 7f915ece1fc0 0 ERROR: failed to update
sources index for bucket=:[]) r=-1
2024-01-03T17:34:06.498+0000 7f915ece1fc0 0 ERROR: failed to
initialize bucket sync policy handler: get_bucket_sync_hints() on
bucket=-- returned r=-1
2024-01-03T17:34:06.498+0000 7f915ece1fc0 -1 ERROR: could not
initialize zone policy handler for zone=default
2024-01-03T17:34:06.498+0000 7f915ece1fc0 0 ERROR: failed to start
notify service ((1) Operation not permitted
2024-01-03T17:34:06.498+0000 7f915ece1fc0 0 ERROR: failed to init
services (ret=(1) Operation not permitted)
couldn't init storage provider
Case-2: In this case we granted read permissions to the rgw data
pool and index pool for the user:
client.rgw.username
key: <----key---->
caps: [mgr] allow r
caps: [mon] allow r
caps: [osd] allow r pool=default.rgw.log
Despite this, while general commands worked perfectly fine on the
client side, "radosgw-admin" commands still failed to execute.
Here is the output:
root@control:~# radosgw-admin user list --id=rgw.username
2024-01-03T17:43:38.071+0000 7f8b5a8bffc0 0 failed reading realm
info: ret -1 (1) Operation not permitted
2024-01-03T17:43:38.071+0000 7f8b5a8bffc0 0 ERROR: failed to start
notify service ((1) Operation not permitted
2024-01-03T17:43:38.071+0000 7f8b5a8bffc0 0 ERROR: failed to init
services (ret=(1) Operation not permitted)
couldn't init storage provider
Have I overlooked anything in the process?
Any guidance or insight would be greatly appreciated.
Thanks,
Mohammad Saif
Ceph Enthusiast
In the first step, we created a CephX user named client.rgw.saif
with read permissions for the manager (mgr), monitor (mon), and
object storage daemon (osd) components, along with specific RGW
capabilities. On the client side, we successfully copied the keyring
and ceph.conf, and certain commands, such as radosgw-admin zonegroup
list --id=rgw.username,
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
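
As a triage aid for output like the Case-1 errors quoted in this thread, the following added example (not part of any message in the thread, and not Ceph project code) rejoins mail-wrapped log lines and reports which pool and object each error code refers to. The regular expressions are assumptions fitted to the lines quoted here, not a general radosgw-admin log parser.

```python
import errno
import re

# Constructed input: part of the Case-1 stderr quoted in the thread,
# wrapped the way a mail client wraps long lines.
SAMPLE = """\
2024-01-03T17:34:06.498+0000 7f915ece1fc0 0 ERROR: failed reading
data (obj=default.rgw.log:bucket.sync-source-hints.), r=-1
2024-01-03T17:34:06.498+0000 7f915ece1fc0 -1 ERROR: could not
initialize zone policy handler for zone=default
2024-01-03T17:34:06.498+0000 7f915ece1fc0 0 ERROR: failed to init
services (ret=(1) Operation not permitted)
couldn't init storage provider
"""

STAMP = re.compile(r"^\d{4}-\d\d-\d\dT[\d:.]+[+-]\d{4} \S+ +-?\d+ ")
OBJ = re.compile(r"obj=([^:()\s]+):([^)\s,]*)")    # obj=<pool>:<object name>
RET = re.compile(r"\br=-(\d+)|\((\d+)\) \w")       # "r=-1" or "(1) Operation ..."

def unwrap(text):
    """Rejoin wrapped lines; untimestamped text is appended to the record before it."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def findings(text):
    """Return (errno name, pool, object) for every record that carries an error code."""
    out = []
    for rec in unwrap(text):
        ret = RET.search(rec)
        if not ret:
            continue
        code = int(ret.group(1) or ret.group(2))
        obj = OBJ.search(rec)
        pool, oid = obj.groups() if obj else (None, None)
        out.append((errno.errorcode.get(code, str(code)), pool, oid))
    return out

def pools_denied(text):
    """Pools in which an object access came back EPERM."""
    return sorted({pool for name, pool, _ in findings(text) if name == "EPERM" and pool})

if __name__ == "__main__":
    print(findings(SAMPLE))
    print("pools to check in the osd caps:", pools_denied(SAMPLE))
```

The pools it reports are the ones to compare against the `osd` caps of the cephx user that ran the command.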