mon/AuthMonitor: add osd w cap for superuser client

[batrick]

Right now only a client with "rw" permissions on an MDS gets "rw" on an OSD.

Reported-by: John Mulligan jmulligan@redhat.com
Fixes: https://tracker.ceph.com/issues/75013

Contribution Guidelines

• To sign and title your commits, please refer to Submitting Patches to Ceph.

• If you are submitting a fix for a stable branch (e.g. "quincy"), please refer to Submitting Patches to Ceph - Backports for the proper workflow.

• When filling out the below checklist, you may click boxes directly in the GitHub web UI. When entering or editing the entire PR message in the GitHub web UI editor, you may also select a checklist item by adding an x between the brackets: [x]. Spaces and capitalization matter when checking off items this way.

Checklist

• Tracker (select at least one)
  • References tracker ticket
  • Very recent bug; references commit where it was introduced
  • New feature (ticket optional)
  • Doc update (no ticket needed)
  • Code cleanup (no ticket needed)
• Component impact
  • Affects Dashboard, opened tracker ticket
  • Affects Orchestrator, opened tracker ticket
  • No impact that needs to be tracked
• Documentation (select at least one)
  • Updates relevant documentation
  • No doc update is appropriate
• Tests (select at least one)
  • Includes unit test(s)
  • Includes integration test(s)
  • Includes bug reproducer
  • No tests

Show available Jenkins commands

• jenkins test classic perf Jenkins Job | Jenkins Job Definition
• jenkins test crimson perf Jenkins Job | Jenkins Job Definition
• jenkins test signed Jenkins Job | Jenkins Job Definition
• jenkins test make check Jenkins Job | Jenkins Job Definition
• jenkins test make check arm64 Jenkins Job | Jenkins Job Definition
• jenkins test submodules Jenkins Job | Jenkins Job Definition
• jenkins test dashboard Jenkins Job | Jenkins Job Definition
• jenkins test dashboard cephadm Jenkins Job | Jenkins Job Definition
• jenkins test api Jenkins Job | Jenkins Job Definition
• jenkins test docs ReadTheDocs | Github Workflow Definition
• jenkins test ceph-volume all Jenkins Jobs | Jenkins Jobs Definition
• jenkins test windows Jenkins Job | Jenkins Job Definition
• jenkins test rook e2e Jenkins Job | Jenkins Job Definition

You must only issue one Jenkins command per-comment. Jenkins does not understand
comments with more than one command.

[batrick]

jenkins test api

[phlogistonjohn]

Hi @batrick
I did a build that includes my branch as well as this PR and ran the smb sub-suite in teuthology. I have some tests that use only the lower level parts of cephadm (as opposed to going through the smb mgr module).

Those tests execute: ceph fs authorize cephfs client.smbdata / rw those tests hit the following error:

ceph.client.admin.keyring --fsid 998b7c2f-1002-11f1-8f98-d404e6e7d460 -- bash -c 'ceph fs authorize cephfs client.smbdata / rw'
2026-02-22T15:26:04.093 INFO:teuthology.orchestra.run.trial017.stderr:Inferring config /var/lib/ceph/998b7c2f-1002-11f1-8f98-d404e6e7d460/mon.a/config
2026-02-22T15:26:04.353 INFO:teuthology.orchestra.run.trial017.stderr:Error EINVAL: osd capability parse failed, stopped at 'w tag cephfs data=cephfs' of 'allow rww tag cephfs data=cephfs'
2026-02-22T15:26:04.487 DEBUG:teuthology.orchestra.run:got remote process result: 22

In case it helps when I merged the commit id of your change was 186f068

[batrick]

Hi @batrick I did a build that includes my branch as well as this PR and ran the smb sub-suite in teuthology. I have some tests that use only the lower level parts of cephadm (as opposed to going through the smb mgr module).

Those tests execute: ceph fs authorize cephfs client.smbdata / rw those tests hit the following error:

ceph.client.admin.keyring --fsid 998b7c2f-1002-11f1-8f98-d404e6e7d460 -- bash -c 'ceph fs authorize cephfs client.smbdata / rw'
2026-02-22T15:26:04.093 INFO:teuthology.orchestra.run.trial017.stderr:Inferring config /var/lib/ceph/998b7c2f-1002-11f1-8f98-d404e6e7d460/mon.a/config
2026-02-22T15:26:04.353 INFO:teuthology.orchestra.run.trial017.stderr:Error EINVAL: osd capability parse failed, stopped at 'w tag cephfs data=cephfs' of 'allow rww tag cephfs data=cephfs'
2026-02-22T15:26:04.487 DEBUG:teuthology.orchestra.run:got remote process result: 22

In case it helps when I merged the commit id of your change was 186f068

Apologies, please try again.

[batrick]

jenkins test make check arm64

[phlogistonjohn]

I'm not a C++ expert, so take this review with a grain of salt.
However, I combined this PR with mine and did a teuthology run and it resolved this issues I was seeing.

[phlogistonjohn]

jenkins test make check arm64

[batrick]

jenkins test make check arm64

[phlogistonjohn]

Hi all, I am waiting on having this get merged before I finally merge #64641 - is this just mainly waiting on teuthology? Anything else?

[vshankar]

This PR is under test in https://tracker.ceph.com/issues/75334.

[vshankar]

Pushed a fix.

[avanthakkar]

I think issue was just that * wasn't handled,right? These changes restructures the loop, osd_cap_needs_w boolean, and rw-reset hack are all consequences of starting the loop at index 0 instead of 2. Instead could we just early exit for * and leave the rest untouched?

if (cap == "*") {
    osd_cap_wanted = "rw";
    mds_cap_string += mds_cap_string.empty() ? "" : ", ";
    mds_cap_string += "allow *";
    if (filesystem != "*" && filesystem != "all" && fs != nullptr)
        mds_cap_string += " fsname=" + string(fs->get_mds_map().get_fs_name());
    if (path != "/")
        mds_cap_string += " path=" + path;
    if (root_squash)
        mds_cap_string += " root_squash";
    continue;
}
// rest of existing logic unchanged

[vshankar]

Aren't you duplicating the code that way?

[vshankar]

I think the code restructure improved readability. Unfortunately, a bug got introduced and its nice that it was caught in testing :)

[vshankar]

This causes malformed OSD caps to be generated for auth string "/ rw root_squash /dir1 rw".

See: /a/vshankar-2026-03-05_08:10:26-fs-wip-vshankar-testing-20260304.135307-testing-default-trial/87189

OSD caps get generated as "rww" which fails the "fs authorize" command.

[vshankar]

Aren't you duplicating the code that way?

[vshankar]

Fixing and validating a test case change.

[vshankar]

https://tracker.ceph.com/projects/cephfs/wiki/QA_main_--_2026#wip-vshankar-testing-20260304135307

[vshankar]

jenkins test api