* cephx auth issue
From: Travis Rhoden @ 2012-11-09 17:54 UTC
To: ceph-devel
I'm not sure what I've done wrong here:
Things are okay as client.admin:
# rbd -p images --id admin ls
test
But not as client.images:
# rbd -p images --id images ls
error: (1) Operation not permitted
The privs/caps seem okay in ceph auth:
# ceph auth list
<snip>
client.admin
key: <snip>
caps: [mds] allow
caps: [mon] allow *
caps: [osd] allow *
client.images
key: <snip>
caps: [mon] allow r
caps: [osd] allow rwx pool=images
client.volumes
key: <snip>
caps: [mon] allow r
caps: [osd] allow rwx pool=volumes, allow rx pool=images
And the keyrings are present as:
# ls -al /etc/ceph
total 36
drwxr-xr-x 2 root root 4096 Nov 9 17:48 .
drwxr-xr-x 108 root root 4096 Nov 9 17:27 ..
-rw-r----- 1 root root 63 Nov 8 22:37 ceph.client.admin.keyring
-rw-r----- 1 glance glance 64 Nov 9 17:48 ceph.client.images.keyring
-rw-r----- 1 cinder cinder 65 Nov 9 17:48 ceph.client.volumes.keyring
-rw-r--r-- 1 root root 2095 Nov 9 17:42 ceph.conf
And the keyring seems readable just fine:
# strace rbd -p images --id images ls
<snip>
open("/etc/ceph/ceph.client.images.keyring", O_RDONLY) = 3
close(3) = 0
open("/etc/ceph/ceph.client.images.keyring", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0640, st_size=64, ...}) = 0
read(3, "[client.images]\n\tkey = AQBC85tQK"..., 64) = 64
<snip>
What am I missing?
Same thing happens for volumes pool/user:
# rbd ls -p volumes --id volumes
error: (1) Operation not permitted
# rbd ls -p images --id volumes
error: (1) Operation not permitted
Thanks in advance,
Travis
* Re: cephx auth issue
From: Ben Poliakoff @ 2012-11-09 18:08 UTC
To: Travis Rhoden; +Cc: ceph-devel
* Travis Rhoden <trhoden@gmail.com> [20121109 09:55]:
> I'm not sure what I've done wrong here:
>
> Things are okay as client.admin:
>
> # rbd -p images --id admin ls
> test
>
> But not as client.images:
>
> # rbd -p images --id images ls
> error: (1) Operation not permitted
>
> The privs/caps seem okay in ceph auth:
>
> # ceph auth list
> <snip>
> client.admin
> key: <snip>
> caps: [mds] allow
> caps: [mon] allow *
> caps: [osd] allow *
> client.images
> key: <snip>
> caps: [mon] allow r
> caps: [osd] allow rwx pool=images
> client.volumes
> key: <snip>
> caps: [mon] allow r
> caps: [osd] allow rwx pool=volumes, allow rx pool=images
>
I had a very similar problem after I upgraded my test cluster from
argonaut to 0.53. For me it was a "caps" parsing issue involving the
'=' character (which has been fixed in 0.54). A nice person on IRC
helped me out. Updating the caps from something like this:
> caps: [osd] allow rwx pool=volumes, allow rx pool=images
To this:
caps: [osd] allow rwx pool volumes, allow rx pool images
...fixed the issue for me.
Apparently in 0.54 parsing of '=' in a caps line will work properly
again.
Ben
--
________________________________________________________________________
pub 4096R/318B6A97 2009-05-11 Ben Poliakoff <benp@reed.edu>
Primary key fingerprint: 3F23 EBC8 B73E 92B7 0A67 705A 8219 DCF0 318B 6A97
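An added example, not part of the thread or of Ceph itself: a small audit for the workaround described in the reply above. It parses `ceph auth list` output in the shape quoted in the thread, finds caps that use the `pool=name` form, and returns them rewritten as `pool name`; the sample input and the function names are constructed for illustration.

```python
import re

# Constructed sample in the shape of the `ceph auth list` output quoted in the
# thread; keys are placeholders.
SAMPLE = """\
client.admin
    key: <placeholder>
    caps: [osd] allow *
client.images
    key: <placeholder>
    caps: [mon] allow r
    caps: [osd] allow rwx pool=images
client.volumes
    key: <placeholder>
    caps: [mon] allow r
    caps: [osd] allow rwx pool=volumes, allow rx pool=images
"""

CAPS_LINE = re.compile(r"caps:\s*\[(\w+)\]\s*(.*)")
POOL_EQ = re.compile(r"\bpool\s*=\s*")

def parse_auth_list(text):
    """Return {entity: {service: caps}} parsed from `ceph auth list` output."""
    entities, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "<snip>" or line.startswith("key:"):
            continue
        m = CAPS_LINE.match(line)
        if m and current is not None:
            entities[current][m.group(1)] = m.group(2).strip()
        elif not m:
            current = line              # any other line names the next entity
            entities[current] = {}
    return entities

def affected_caps(text):
    """Return {entity: {service: rewritten caps}} for caps that use 'pool='."""
    out = {}
    for entity, caps in parse_auth_list(text).items():
        fixed = {svc: POOL_EQ.sub("pool ", c)
                 for svc, c in caps.items() if POOL_EQ.search(c)}
        if fixed:
            out[entity] = fixed
    return out

if __name__ == "__main__":
    for entity, caps in affected_caps(SAMPLE).items():
        print(entity, caps)
```

Entities that come back empty, such as `client.admin` here, have no pool-scoped caps and need no change.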
* Re: cephx auth issue
From: Travis Rhoden @ 2012-11-09 18:19 UTC
To: Ben Poliakoff; +Cc: ceph-devel
Ben,
That did it! Thank you so much, I owe you one.
- Travis
On Fri, Nov 9, 2012 at 1:08 PM, Ben Poliakoff <benp@reed.edu> wrote:
> * Travis Rhoden <trhoden@gmail.com> [20121109 09:55]:
>> I'm not sure what I've done wrong here:
>>
>> Things are okay as client.admin:
>>
>> # rbd -p images --id admin ls
>> test
>>
>> But not as client.images:
>>
>> # rbd -p images --id images ls
>> error: (1) Operation not permitted
>>
>> The privs/caps seem okay in ceph auth:
>>
>> # ceph auth list
>> <snip>
>> client.admin
>> key: <snip>
>> caps: [mds] allow
>> caps: [mon] allow *
>> caps: [osd] allow *
>> client.images
>> key: <snip>
>> caps: [mon] allow r
>> caps: [osd] allow rwx pool=images
>> client.volumes
>> key: <snip>
>> caps: [mon] allow r
>> caps: [osd] allow rwx pool=volumes, allow rx pool=images
>>
>
> I had a very similar problem after I upgraded my test cluster from
> argonaut to 0.53. For me it was a "caps" parsing issue involving the
> '=' character (which has been fixed in 0.54). A nice person on IRC
> helped me out. Updating the caps from something like this:
>
>> caps: [osd] allow rwx pool=volumes, allow rx pool=images
>
> To this:
>
> caps: [osd] allow rwx pool volumes, allow rx pool images
>
> ...fixed the issue for me.
>
> Apparently in 0.54 parsing of '=' in a caps line will work properly
> again.
>
> Ben
>
> --
> ________________________________________________________________________
> pub 4096R/318B6A97 2009-05-11 Ben Poliakoff <benp@reed.edu>
> Primary key fingerprint: 3F23 EBC8 B73E 92B7 0A67 705A 8219 DCF0 318B 6A97
>