From: Josh Durgin <josh.durgin@inktank.com>
To: Wido den Hollander <wido@widodh.nl>
Cc: "ceph-devel@vger.kernel.org" <ceph-devel@vger.kernel.org>
Subject: Re: cephx execute permissions for RBD operations
Date: Wed, 30 Jan 2013 13:20:03 -0800
Message-ID: <51098E83.5000402@inktank.com>
In-Reply-To: <5109486D.7040505@widodh.nl>

On 01/30/2013 08:21 AM, Wido den Hollander wrote:
> Hi,
>
> Yesterday I ran into a weird situation where my libvirt RBD pool
> just wouldn't work.
>
> Turned out the credentials I was using only had rw permissions for OSDs
> instead of rwx or *.
>
> This caused rbd_open to fail. Looking at librbd itself, I understand why
> execute permissions are required to do so (locks, watches).

It's actually not the watches, but the general metadata stored in the
header object (snapshots, locks, and for format 2 images everything
else).

> What is however the best way to detect if you don't have the required
> permissions?

rbd_open() should return -EPERM. From the cli, doing 'rbd info' will do
this and tell you. The one case where you need more permissions
(allow class-read object_prefix rbd_children) is when unprotecting a
snapshot, which will fail with -EPERM when it is attempted. That only
matters for format 2 images though.

> This piece of code:
> http://libvirt.org/git/?p=libvirt.git;a=blob;f=src/storage/storage_backend_rbd.c;h=8a0e517502c482f23f01bc63e95f1dc210d711cd;hb=master#l215
>
>
> I simply check if the open fails, but just "failed to open the RBD
> image" wasn't really that clear.
>
> I'd like to give a more useful error instead of that, but what error
> codes can I expect?

-EPERM for this case, others could be -EIO, -ENOSPC (since a watch is a
write), -ENOENT, -ENOSYS (trying to open an image that librbd or the
osds don't support), and possibly others I'm forgetting.

Josh
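
Added example, not part of the original message and not libvirt or librbd code: a preflight check on a cephx OSD cap string that reports whether it grants the rwx (or *) that rbd_open() needs, so a caller can name the missing execute permission instead of a generic open failure. The function names and the simplified cap grammar (comma-separated grants, pool=NAME, bits from all matching grants combined) are assumptions of this example.

```c
#include <string.h>

/* Simplified model of a cephx OSD cap string (assumptions of this example):
 * comma-separated grants, pool restriction written pool=NAME, bits from all
 * matching grants combine. class-read/class-write and object_prefix grants
 * are not evaluated. */
enum { CAP_R = 1, CAP_W = 2, CAP_X = 4, CAP_RWX = 7 };

static int tok_is(const char *t, size_t n, const char *s)
{
    return strlen(s) == n && strncmp(t, s, n) == 0;
}

/* Return the r/w/x bits that `caps` grants on `pool`. */
int osd_caps_for_pool(const char *caps, const char *pool)
{
    int bits = 0;
    while (*caps) {
        const char *p = caps, *end = caps + strcspn(caps, ",");
        int perm = 0, applies = 1, allow = 0;
        while (p < end) {
            p += strspn(p, " \t");
            size_t n = strcspn(p, " \t,");      /* length of next token */
            if (n == 0) break;
            if (tok_is(p, n, "allow"))
                allow = 1;
            else if (n > 5 && strncmp(p, "pool=", 5) == 0)
                applies = applies && tok_is(p + 5, n - 5, pool);
            else if (tok_is(p, n, "object_prefix"))
                applies = 0;                    /* object-scoped grant: skipped */
            else if (tok_is(p, n, "*"))
                perm |= CAP_RWX;
            else if (strspn(p, "rwx") == n) {   /* token made only of r/w/x */
                if (memchr(p, 'r', n)) perm |= CAP_R;
                if (memchr(p, 'w', n)) perm |= CAP_W;
                if (memchr(p, 'x', n)) perm |= CAP_X;
            }
            p += n;
        }
        if (allow && applies)
            bits |= perm;
        caps = *end ? end + 1 : end;            /* step past the comma */
    }
    return bits;
}

/* rbd_open() needs rwx (or *); with rw only it fails with -EPERM. */
int caps_allow_rbd_open(const char *caps, const char *pool)
{
    return (osd_caps_for_pool(caps, pool) & CAP_RWX) == CAP_RWX;
}
```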