On Tue, Apr 23, 2024 at 8:28 PM Stefan Kooman <stefan@xxxxxx> wrote:
>
> On 23-04-2024 17:44, Ilya Dryomov wrote:
> > On Mon, Apr 22, 2024 at 7:45 PM Stefan Kooman <stefan@xxxxxx> wrote:
> >>
> >> Hi,
> >>
> >> We are testing rbd-mirroring. There seems to be a permission error with
> >> the rbd-mirror user. Using this user to query the mirror pool status gives:
> >>
> >> failed to query services: (13) Permission denied
> >>
> >> And results in the following output:
> >>
> >> health: UNKNOWN
> >> daemon health: UNKNOWN
> >> image health: OK
> >> images: 3 total
> >> 2 replaying
> >> 1 stopped
> >>
> >> So, this command: rbd --id rbd-mirror mirror pool status rbd
> >
> > Hi Stefan,
> >
> > What is the output of "ceph auth get client.rbd-mirror"?
>
> [client.rbd-mirror]
> key = REDACTED
> caps mon = "profile rbd-mirror"
> caps osd = "profile rbd"
Hi Stefan,
I went through the git history and this appears to be expected, at
least for some definition of expected. Commit [1] clearly recognized
the problem and made the
rbd: failed to query services: (13) Permission denied
error that you ran into with "rbd mirror pool status" non-fatal.
Also, there is a comment in the respective PR [2] acknowledging that
even
caps mgr = "profile rbd"
cap (which your client.rbd-mirror user doesn't have and rbd-mirror
daemon doesn't actually need) would NOT be sufficient to resolve the
error because "our profiles don't give the average user access to see
Ceph cluster services".
[1] https://github.com/ceph/ceph/pull/33219/commits/1cb9e3b56932a1b00850b9cce4c65f8681dcc3cc
[2] https://github.com/ceph/ceph/pull/33219#discussion_r378436795
Thanks,
Ilya
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
