Re: Latest Doco Out Of Date?

[Eugen Block <eblock@xxxxxx>]

Hi,

I fully agree that there should be a smoother way to update client  
caps. But regarding the misleading terms, the docs do mention:

> This is because the command fs authorize becomes ambiguous

So they are aware of the current state, but I don't know if there's  
any work in progress to improve the client authorization.

Thanks,
Eugen

Zitat von Frank Schilder <frans@xxxxxx>:

> Hi Eugen,
>
> I would ask for a slight change here:
>
> > If a client already has a capability for file-system name a and path
> > dir1, running fs authorize again for FS name a but path dir2,
> > instead of modifying the capabilities client already holds, a new
> > cap for dir2 will be granted
>
> The formulation "a new cap for dir2 will be granted" is very  
> misleading. I would also read it as that the new cap is in addition  
> to the already existing cap. I tried to modify caps with fs  
> authorize as well in the past, because it will set caps using pool  
> tags and the docu sounded like it will allow to modify caps. In my  
> case, I got the same error and thought that its implementation is  
> buggy and did it with the authtool.
>
> To be honest, when I look at the command sequence
>
> ceph fs authorize a client.x /dir1 rw
> ceph fs authorize a client.x /dir2 rw
>
> and it goes through without error, I would expect the client to have  
> both permissions as a result - no matter what the documentation  
> says. There is no "revoke caps" instruction anywhere. Revoking caps  
> in this way is a really dangerous side effect and telling people to  
> read the documentation about a command that should follow how other  
> linux tools manage permissions is not the best answer. There is  
> something called parallelism in software engineering and this  
> command line syntax violates this in a highly un-intuitive way. The  
> intuition of the syntax clearly is that it *adds* capabilities, its  
> incremental.
>
> A command like this should follow how existing linux tools work so  
> that context switching will be easier for admins. Here, the choice  
> of the term "authorize" seems to be unlucky. A more explicit command  
> that follows setfacl a bit could be
>
> ceph fs caps set a client.x /dir1 rw
> ceph fs caps modify a client.x /dir2 rw
>
> or even more parallel
>
> ceph fs setcaps a client.x /dir1 rw
> ceph fs setcaps -m a client.x /dir2 rw
>
> Such parallel syntax will not only avoid the reported confusion but  
> also make it possible to implement a modify operation in the future  
> without breaking stuff. And you can save time on the documentation,  
> because it works like other stuff.
>
> Best regards,
> =================
> Frank Schilder
> AIT Risø Campus
> Bygning 109, rum S14
>
> ________________________________________
> From: Eugen Block <eblock@xxxxxx>
> Sent: Wednesday, April 24, 2024 9:02 AM
> To: ceph-users@xxxxxxx
> Subject:  Re: Latest Doco Out Of Date?
>
> Hi,
>
> I believe the docs [2] are okay, running 'ceph fs authorize' will
> overwrite the existing caps, it will not add more caps to the client:
>
> > Capabilities can be modified by running fs authorize only in the
> > case when read/write permissions must be changed.
>
> > If a client already has a capability for file-system name a and path
> > dir1, running fs authorize again for FS name a but path dir2,
> > instead of modifying the capabilities client already holds, a new
> > cap for dir2 will be granted
>
> To add more caps you'll need to use the 'ceph auth caps' command,  
> for example:
>
> quincy-1:~ # ceph fs authorize cephfs client.usera /dir1 rw
> [client.usera]
>          key = AQDOrShmk6XhGxAAwz07ngr0JtPSID06RH8lAw==
>
> quincy-1:~ # ceph auth get client.usera
> [client.usera]
>          key = AQDOrShmk6XhGxAAwz07ngr0JtPSID06RH8lAw==
>          caps mds = "allow rw fsname=cephfs path=/dir1"
>          caps mon = "allow r fsname=cephfs"
>          caps osd = "allow rw tag cephfs data=cephfs"
>
> quincy-1:~ # ceph auth caps client.usera mds 'allow rw fsname=cephfs
> path=/dir1, allow rw fsname=cephfs path=/dir2' mon 'allow r
> fsname=cephfs' osd 'allow rw tag cephfs data=cephfs'
> updated caps for client.usera
>
> quincy-1:~ # ceph auth get client.usera
> [client.usera]
>          key = AQDOrShmk6XhGxAAwz07ngr0JtPSID06RH8lAw==
>          caps mds = "allow rw fsname=cephfs path=/dir1, allow rw
> fsname=cephfs path=/dir2"
>          caps mon = "allow r fsname=cephfs"
>          caps osd = "allow rw tag cephfs data=cephfs"
>
> Note that I don't actually have these directories in that cephfs, it's
> just to demonstrate, so you'll need to make sure your caps actually
> work.
>
> Thanks,
> Eugen
>
> [2]
> https://docs.ceph.com/en/latest/cephfs/client-auth/#changing-rw-permissions-in-caps
>
>
> Zitat von Zac Dover <zac.dover@xxxxxxxxx>:
>
> > It's in my list of ongoing initiatives. I'll stay up late tonight
> > and ask Venky directly what's going on in this instance.
> >
> > Sometime later today, I'll create an issue tracking bug and I'll
> > send it to you for review. Make sure that I haven't misrepresented
> > this issue.
> >
> > Zac
> >
> > On Wednesday, April 24th, 2024 at 2:10 PM, duluxoz  
> > <duluxoz@xxxxxxxxx> wrote:
> >
> > > Hi Zac,
> > >
> > > Any movement on this? We really need to come up with an
> > > answer/solution - thanks
> > >
> > > Dulux-Oz
> > >
> > > On 19/04/2024 18:03, duluxoz wrote:
> > >
> > > > Cool!
> > > >
> > > > Thanks for that :-)
> > > >
> > > > On 19/04/2024 18:01, Zac Dover wrote:
> > > >
> > > > > I think I understand, after more thought. The second command is
> > > > > expected to work after the first.
> > > > >
> > > > > I will ask the cephfs team when they wake up.
> > > > >
> > > > > Zac Dover
> > > > > Upstream Docs
> > > > > Ceph Foundation
> > > > >
> > > > > On Fri, Apr 19, 2024 at 17:51, duluxoz
> > > > > <[duluxoz@xxxxxxxxx](mailto:On Fri, Apr 19, 2024 at 17:51,
> > > > > duluxoz <<a href=)> wrote:
> > > > >
> > > > > > Hi All,
> > > > > >
> > > > > > In reference to this page from the Ceph documentation:
> > > > > > https://docs.ceph.com/en/latest/cephfs/client-auth/, down the bottom of
> > > > > > that page it says that you can run the following commands:
> > > > > >
> > > > > > ~~~
> > > > > > ceph fs authorize a client.x /dir1 rw
> > > > > > ceph fs authorize a client.x /dir2 rw
> > > > > > ~~~
> > > > > >
> > > > > > This will allow `client.x` to access both `dir1` and `dir2`.
> > > > > >
> > > > > > So, having a use case where we need to do this, we are, HOWEVER, getting
> > > > > > the following error on running the 2nd command on a Reef 18.2.2 cluster:
> > > > > >
> > > > > > `Error EINVAL: client.x already has fs capabilities that differ from
> > > > > > those supplied. To generate a new auth key for client.x, first remove
> > > > > > client.x from configuration files, execute 'ceph auth rm client.x', then
> > > > > > execute this command again.`
> > > > > >
> > > > > > Something we're doing wrong, or is the doco "out of date" (mind you,
> > > > > > that's from the "latest" version of the doco, and the "reef" version),
> > > > > > or is something else going on?
> > > > > >
> > > > > > Thanks in advance for the help
> > > > > >
> > > > > > Cheers
> > > > > >
> > > > > > Dulux-Oz
> > > > > >
> > > > > > _______________________________________________
> > > > > > ceph-users mailing list -- ceph-users@xxxxxxx
> > > > > > To unsubscribe send an email to ceph-users-leave@xxxxxxx
> > _______________________________________________
> > ceph-users mailing list -- ceph-users@xxxxxxx
> > To unsubscribe send an email to ceph-users-leave@xxxxxxx
>
>
> _______________________________________________
> ceph-users mailing list -- ceph-users@xxxxxxx
> To unsubscribe send an email to ceph-users-leave@xxxxxxx


_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx