* Cannot execute rados.py with sudoer
@ 2011-11-03  3:55 Eric_YH_Chen
  2011-11-03  4:48 ` Gregory Farnum
  0 siblings, 1 reply; 8+ messages in thread
From: Eric_YH_Chen @ 2011-11-03  3:55 UTC (permalink / raw)
  To: ceph-devel

Hi, all:

When I use rados.py, I met some problems even though the user is in sudoers.
I found it would access /etc/ceph/client.admin.keyring and /var/log/ceph/client.admin.log, which are only available to root.
Do you have any suggestions? I cannot execute the python program with the "root" account. It would cause some security issues.
Thanks a lot!

Here is the sample code. 

>>> import rados
>>> cluster = rados.Rados()
>>> cluster.conf_read_file()
failed to open log file '/var/log/ceph/client.admin.log': error 13: Permission denied
>>> cluster.connect()
2011-11-03 11:49:20.937991 7f9fe5320720 monclient(hunting): MonClient::init(): Failed to create keyring
2011-11-03 11:49:50.938235 7f9fe5320720 monclient(hunting): authenticate timed out after 30
2011-11-03 11:49:50.938283 7f9fe5320720 librados: client.admin authentication error error 110: Connection timed out
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/rados.py", line 182, in connect
    raise make_ex(ret, "error calling connect")
rados.Error: error calling connect: error code 110


-rw-------   1 root root    92 2011-11-02 18:13 client.admin.keyring
-rw-------  1 root root     0 2011-11-03 07:47 client.admin.log

regards,

Eric/Pjack




* Re: Cannot execute rados.py with sudoer
  2011-11-03  3:55 Cannot execute rados.py with sudoer Eric_YH_Chen
@ 2011-11-03  4:48 ` Gregory Farnum
  2011-11-03  5:24   ` Eric_YH_Chen
  2011-11-07  9:43   ` Suggest to return [] when no image in the pool Eric_YH_Chen
  0 siblings, 2 replies; 8+ messages in thread
From: Gregory Farnum @ 2011-11-03  4:48 UTC (permalink / raw)
  To: Eric_YH_Chen; +Cc: ceph-devel

This looks like your standard permissions issue to me. The keyring and
log were probably created by mkcephfs running under sudo? But if you
give your current user the ability to read/write from them everything
should work fine.
-Greg

--
To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


* RE: Cannot execute rados.py with sudoer
  2011-11-03  4:48 ` Gregory Farnum
@ 2011-11-03  5:24   ` Eric_YH_Chen
  2011-11-03 17:51     ` Tommi Virtanen
  2011-11-07  9:43   ` Suggest to return [] when no image in the pool Eric_YH_Chen
  1 sibling, 1 reply; 8+ messages in thread
From: Eric_YH_Chen @ 2011-11-03  5:24 UTC (permalink / raw)
  To: gregory.farnum; +Cc: ceph-devel

Hi, Greg, 

The log is generated by ceph service at runtime.

Even if I change the permission, it would be overwritten by the service someday.

I am afraid there may be other permission problems when I execute other commands.

Ex: I need to modify more files' permissions
Ex: The library uses any API in kernel space.

Anyway, thanks for your reply, I will try to modify the two files' permission first.

regards,

Eric/Pjack


* Re: Cannot execute rados.py with sudoer
  2011-11-03  5:24   ` Eric_YH_Chen
@ 2011-11-03 17:51     ` Tommi Virtanen
  2011-11-04  1:45       ` Eric_YH_Chen
  0 siblings, 1 reply; 8+ messages in thread
From: Tommi Virtanen @ 2011-11-03 17:51 UTC (permalink / raw)
  To: Eric_YH_Chen; +Cc: gregory.farnum, ceph-devel

On Wed, Nov 2, 2011 at 22:24,  <Eric_YH_Chen@wistron.com> wrote:
> The log is generated by ceph service at runtime.
>
> Even I change the permission, it would be overwritten by the service someday.

Did you change ceph.conf and set one of the log options? The default
config writes to /var/log only from the daemons, not from the
libraries. Can you please share your configuration?

As for needing to be able to read client.admin, that file is not
changed by the ceph services starting; you can safely chown/chmod it.
Alternatively, give the non-root user a new key, and authorize that
with "ceph auth add".


* RE: Cannot execute rados.py with sudoer
  2011-11-03 17:51     ` Tommi Virtanen
@ 2011-11-04  1:45       ` Eric_YH_Chen
  2011-11-04 16:34         ` Tommi Virtanen
  0 siblings, 1 reply; 8+ messages in thread
From: Eric_YH_Chen @ 2011-11-04  1:45 UTC (permalink / raw)
  To: tommi.virtanen; +Cc: gregory.farnum, ceph-devel

Hi, Tommi,

Here is my ceph.conf. I created the "/var/log/ceph" folder myself,
because the script in 0.37 didn't create it.

Maybe the problem is that I did not set the correct permissions on the folder.

; global
[global]
        auth supported = cephx
        max open files = 131072
        log file = /var/log/ceph/$name.log
        pid file = /var/run/ceph/$name.pid
        keyring = /etc/ceph/$name.keyring

[mon]
        mon data = /srv/mon.$id

[mon.a]
        host = ubuntu1104-64-5
        mon addr = 172.16.33.5:6789

[mds]

[mds.a]
        host = ubuntu1104-64-5

[osd]
        osd data = /srv/osd.$id
        osd journal = /srv/osd.$id.journal
        osd journal size = 1000 ; journal size, in megabytes

[osd.0]
        host = ubuntu1104-64-6
        btrfs devs = /dev/mapper/ubuntu1104--64--6-lvol0

[osd.1]
        host = ubuntu64-33-7
        btrfs devs =  /dev/mapper/ubuntu64--33--7-lvol0

[osd.2]
        host = ubuntu1104-64-5
        btrfs devs =  /dev/mapper/ubuntu1104--64--5-lvol0

regards,

Eric/Pjack


* Re: Cannot execute rados.py with sudoer
  2011-11-04  1:45       ` Eric_YH_Chen
@ 2011-11-04 16:34         ` Tommi Virtanen
  0 siblings, 0 replies; 8+ messages in thread
From: Tommi Virtanen @ 2011-11-04 16:34 UTC (permalink / raw)
  To: Eric_YH_Chen; +Cc: gregory.farnum, ceph-devel

On Thu, Nov 3, 2011 at 18:45,  <Eric_YH_Chen@wistron.com> wrote:
> Hi, Tommi,
>
> Here is my ceph.conf. The "/var/log/ceph" folder is created by myself.

> [global]
...
>        log file = /var/log/ceph/$name.log
>        pid file = /var/run/ceph/$name.pid

That's your problem. You told even clients to write to that log file,
yet they don't have permissions to write to it.

You can add

[client]
  log file = ""

to set it back to no logging to file for clients. Other alternatives
are log to stderr, log to syslog, no logging.

For more, see http://ceph.newdream.net/wiki/Cluster_configuration#Debug_Logging_Configuration
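
The diagnosis in the reply above, as an added example that is not part of the original thread and not Ceph's own code: it resolves the log file and keyring that a client such as client.admin inherits from ceph.conf ([global], then [client], then [client.admin], with $name expanded) and reports the ones the current user cannot open. The sample config is constructed from the one posted in the thread; parse_conf, effective, usable and audit_client are hypothetical helper names.

```python
import os

# Constructed sample, cut down from the ceph.conf posted in the thread.
SAMPLE_CONF = """\
[global]
        log file = /var/log/ceph/$name.log
        keyring = /etc/ceph/$name.keyring
[osd]
        osd journal size = 1000 ; journal size, in megabytes
"""
CLIENT_OVERRIDE = '[client]\n  log file = ""\n'  # the override from the reply

def parse_conf(text):
    """Read sections and 'key = value' lines; spaces in option names become '_'."""
    sections, current = {}, None
    for raw in text.splitlines():
        # ';' and '#' start comments in ceph.conf
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current["_".join(key.split())] = value.strip().strip('"')
    return sections

def effective(sections, name, key):
    """Resolve key for one entity: [global] < [type] < [type.id]."""
    typ, _, ident = name.partition(".")
    value = None
    for sec in ("global", typ, name):
        value = sections.get(sec, {}).get(key, value)
    for var, rep in (("$name", name), ("$type", typ), ("$id", ident)):
        value = value.replace(var, rep) if value else value
    return value

def usable(path, mode):
    """Can this user open path, or (for writes) create it in its directory?"""
    if os.path.exists(path):
        return os.access(path, mode)
    return mode == os.W_OK and os.access(os.path.dirname(path), os.W_OK | os.X_OK)

def audit_client(text, name="client.admin", check=usable):
    """Return [(option, path)] the client is configured to use but cannot open."""
    sections = parse_conf(text)
    found = []
    for key, mode in (("log_file", os.W_OK), ("keyring", os.R_OK)):
        path = effective(sections, name, key)
        if path and not check(path, mode):
            found.append((key, path))
    return found
```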

* Suggest to return [] when no image in the pool
  2011-11-03  4:48 ` Gregory Farnum
  2011-11-03  5:24   ` Eric_YH_Chen
@ 2011-11-07  9:43   ` Eric_YH_Chen
  2011-11-07 17:27     ` Josh Durgin
  1 sibling, 1 reply; 8+ messages in thread
From: Eric_YH_Chen @ 2011-11-07  9:43 UTC (permalink / raw)
  To: ceph-devel

Hi, developers,

When I used the API in rbd.py, 

I found RBD().list(ioctx) would return [""] when there is no image in the pool.

I suggest it should return [] in this case. It would avoid some programming problems. Thanks!

regards,

Eric/Pjack



* Re: Suggest to return [] when no image in the pool
  2011-11-07  9:43   ` Suggest to return [] when no image in the pool Eric_YH_Chen
@ 2011-11-07 17:27     ` Josh Durgin
  0 siblings, 0 replies; 8+ messages in thread
From: Josh Durgin @ 2011-11-07 17:27 UTC (permalink / raw)
  To: Eric_YH_Chen; +Cc: ceph-devel

On 11/07/2011 01:43 AM, Eric_YH_Chen@wistron.com wrote:
> Hi, developers,
>
> When I used the API in rbd.py,
>
> I found RBD().list(ioctx) would return [""] when there is no image in the pool.
>
> I suggest it should return [] in this case. It would avoid some programming problem. Thanks!
>
> regards,
>
> Eric/Pjack

Fixed by 34d80397f73a847f31aad6f00afd0eeb3d526ca0. Thanks for reporting 
this!

Josh
