Bug #67708
mgr removes mon caps from cephx upon `fs subvolume deauthorize` even if key is used to access other subvolumes
Description
The fs/operations module of the mgr removes mon caps (should be at least `allow r`) from a cephx key when doing `fs subvolume deauthorize`.
This can be problematic if the same cephx key is used to access multiple subvolumes, as upon deauthorization, the key will be missing caps on the mon and clients will not be able to check in when attempting to mount.
Steps to reproduce:
1. Create two subvolumes (test1, test2) and authorize the same cephx (mykey) for both:
```
$ ceph fs subvolume create cephfs test1 --size 1048576
$ ceph fs subvolume create cephfs test2 --size 1048576
$ ceph fs subvolume authorize cephfs test1 mykey
$ ceph fs subvolume authorize cephfs test2 mykey
$ ceph auth get client.mykey
[client.mykey]
key = AQCqsshmotUnGRAAVj3oV2Tvz5BPfc4pOpdvcA==
caps mds = "allow rw path=/volumes/_nogroup/test1/c8d593a5-3736-4e0c-8d88-7fef9a098e31,allow rw path=/volumes/_nogroup/test2/8a2e0430-2363-47e5-b709-c1108e2423a6"
caps mon = "allow r"
caps osd = "allow rw pool=cephfs_data,allow rw pool=cephfs_data"
```
2. Deauthorize the key for either of the two subvolumes (test2 here):
```
$ ceph fs subvolume deauthorize cephfs test2 mykey
$ ceph auth get client.mykey
[client.mykey]
key = AQCqsshmotUnGRAAVj3oV2Tvz5BPfc4pOpdvcA==
caps mds = "allow rw path=/volumes/_nogroup/test1/c8d593a5-3736-4e0c-8d88-7fef9a098e31"
caps osd = "allow rw pool=cephfs_data"
exported keyring for client.mykey
```
OpenStack Manila uses `fs subvolume deauthorize` when removing access to a key and when deleting a share.
If the user uses the same key for multiple shares, deleting any will also lock the clients out of all the remaining shares.
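A check for the state this report describes, as an added example that is not part of the original report or of Ceph's own code: it parses keyring text in the `ceph auth get` format shown above and lists entities that still hold mds path grants but have no mon cap. The sample keyring, placeholder key, shortened paths and function names are constructed for illustration.

```python
import re

# Constructed sample modeled on the `ceph auth get` output in the report.
# The key is a placeholder and the subvolume paths are shortened.
SAMPLE = """
[client.mykey]
key = PLACEHOLDER_KEY
caps mds = "allow rw path=/volumes/_nogroup/test1/uuid-1"
caps osd = "allow rw pool=cephfs_data"
exported keyring for client.mykey
[client.other]
key = PLACEHOLDER_KEY
caps mds = "allow rw path=/volumes/_nogroup/test2/uuid-2"
caps mon = "allow r"
caps osd = "allow rw pool=cephfs_data"
"""

SECTION = re.compile(r'^\[([^\]]+)\]$')
CAP = re.compile(r'^caps\s+(\w+)\s*=\s*"(.*)"$')

def parse_keyring(text):
    """Return {entity: {service: cap_spec}}; non-keyring lines are ignored."""
    entities, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            current = entities.setdefault(m.group(1), {})
            continue
        m = CAP.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return entities

def keys_missing_mon_cap(text):
    """Map each entity with mds path grants but no mon cap to those paths."""
    findings = {}
    for entity, caps in parse_keyring(text).items():
        paths = re.findall(r'path=([^,\s]+)', caps.get("mds", ""))
        if paths and not caps.get("mon", "").strip():
            findings[entity] = paths
    return findings

if __name__ == "__main__":
    for entity, paths in keys_missing_mon_cap(SAMPLE).items():
        print(f"{entity}: no mon cap, still granted {', '.join(paths)}")
```

Run against saved `ceph auth get` output after a deauthorize or share deletion, a non-empty result identifies keys whose clients will fail to mount the subvolumes they are still authorized for.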
Updated by Venky Shankar over 1 year ago
- Status changed from New to Fix Under Review
- Target version set to v20.0.0
- Backport set to quincy,reef,squid
Updated by Venky Shankar over 1 year ago
- Project changed from mgr to CephFS
- Category changed from ceph-mgr to Administration/Usability
- Component(FS) mgr/volumes added
Updated by Konstantin Shalygin about 1 year ago
- Backport changed from quincy,reef,squid to reef,squid
Updated by Venky Shankar 9 months ago
- Status changed from Fix Under Review to Pending Backport
- Assignee set to Kotresh Hiremath Ravishankar
- Backport changed from reef,squid to tentacle,squid,reef
@Kotresh Hiremath Ravishankar please do the backports.
Updated by Venky Shankar 9 months ago
- Target version changed from v20.0.0 to v21.0.0
Updated by Upkeep Bot 9 months ago
- Copied to Backport #71831: tentacle: mgr removes mon caps from cephx upon `fs subvolume deauthorize` even if key is used to access other subvolumes added
Updated by Upkeep Bot 9 months ago
- Copied to Backport #71832: reef: mgr removes mon caps from cephx upon `fs subvolume deauthorize` even if key is used to access other subvolumes added
Updated by Upkeep Bot 9 months ago
- Copied to Backport #71833: squid: mgr removes mon caps from cephx upon `fs subvolume deauthorize` even if key is used to access other subvolumes added
Updated by Upkeep Bot 9 months ago
- Merge Commit set to d78ffd1247d6cef5cbd829e77204185dc0d3a8ba
- Fixed In set to v20.3.0-1176-gd78ffd1247d
- Upkeep Timestamp set to 2025-07-08T18:45:28+00:00
Updated by Upkeep Bot 8 months ago
- Fixed In changed from v20.3.0-1176-gd78ffd1247d to v20.3.0-1176-gd78ffd1247d6
- Upkeep Timestamp changed from 2025-07-08T18:45:28+00:00 to 2025-07-14T15:45:48+00:00
Updated by Upkeep Bot 8 months ago
- Fixed In changed from v20.3.0-1176-gd78ffd1247d6 to v20.3.0-1176-gd78ffd1247
- Upkeep Timestamp changed from 2025-07-14T15:45:48+00:00 to 2025-07-14T21:10:04+00:00