Re: specifying secret in rbd map command

2012-07-09 Thread Travis Rhoden
Awesome.  Thanks, Sage.  I won't bother to try and fix up the docs,
then.  Though I might take a look at the branch and see if they have
been updated to capture the latest changes.

 - Travis

On Mon, Jul 9, 2012 at 12:22 PM, Sage Weil wrote:
> Hi Travis,
>
> Sorry for the confusion!  There is a branch in git (wip-auth) that cleans
> up the rbd map code to be consistent with the rest of the system, so that
> you can use keyrings or explicit keys or keyfiles.  It should get merged
> for 0.50.
>
> sage
>
>
> On Mon, 9 Jul 2012, Travis Rhoden wrote:
>
>> Hey folks,
>>
>> I had a bit of unexpected trouble today using the "rbd map" command to
>> map an RBD to a kernel object.  I had previously been using the "echo
>> ... > /sys/bus/rbd..." method of manipulating RBDs.
>>
>> I was looking at the instructions here:
>> http://ceph.com/docs/master/rbd/rbd-ko/
>>
>> When I tried to use the given syntax,  "sudo rbd map {image-name}
>> --pool {pool-name} --name {client-name} --secret {client-secret}", I
>> found the following:
>>
>> 1. {client-secret} is really supposed to be a file, not the actual
>> secret.  An strace on the command shows an attempt to open a file with
>> the secret as its name
>> 2. If I give a keyring file as the client-secret, the command does not
>> parse out the key for the given client-name.  In other words, I gave
>> the name as "client.admin", then gave it the keyring file which
>> contained merely
>>
>> [client.admin]
>>   key = AQB67+BPGNX0NhAA9iK7Epcj72Jck1wOAQBetA==
>>
>> But the command wouldn't parse out the key.
>>
>> 3. I had to create a new file, containing only the text of the key,
>> and pass that to the command instead.  Then everything is happy.
>>
>>
>> I'm happy to update the docs to make this process clear.  But I wonder
>> if there might be any plans to modify the command behavior to accept a
>> keyring file and pull out the key belonging to specified client name.
>> Either way, I can update the docs to make it clear that you are
>> specifying a file, not the key string itself.
>>
>> Thanks,
>>
>>  - Travis
>> --
>> To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
>> the body of a message to majord...@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>
>>


Re: specifying secret in rbd map command

2012-07-09 Thread Sage Weil
Hi Travis,

Sorry for the confusion!  There is a branch in git (wip-auth) that cleans 
up the rbd map code to be consistent with the rest of the system, so that 
you can use keyrings or explicit keys or keyfiles.  It should get merged 
for 0.50.

sage


On Mon, 9 Jul 2012, Travis Rhoden wrote:

> Hey folks,
> 
> I had a bit of unexpected trouble today using the "rbd map" command to
> map an RBD to a kernel object.  I had previously been using the "echo
> ... > /sys/bus/rbd..." method of manipulating RBDs.
> 
> I was looking at the instructions here:
> http://ceph.com/docs/master/rbd/rbd-ko/
> 
> When I tried to use the given syntax,  "sudo rbd map {image-name}
> --pool {pool-name} --name {client-name} --secret {client-secret}", I
> found the following:
> 
> 1. {client-secret} is really supposed to be a file, not the actual
> secret.  An strace on the command shows an attempt to open a file with
> the secret as its name
> 2. If I give a keyring file as the client-secret, the command does not
> parse out the key for the given client-name.  In other words, I gave
> the name as "client.admin", then gave it the keyring file which
> contained merely
> 
> [client.admin]
>   key = AQB67+BPGNX0NhAA9iK7Epcj72Jck1wOAQBetA==
> 
> But the command wouldn't parse out the key.
> 
> 3. I had to create a new file, containing only the text of the key,
> and pass that to the command instead.  Then everything is happy.
> 
> 
> I'm happy to update the docs to make this process clear.  But I wonder
> if there might be any plans to modify the command behavior to accept a
> keyring file and pull out the key belonging to specified client name.
> Either way, I can update the docs to make it clear that you are
> specifying a file, not the key string itself.
> 
> Thanks,
> 
>  - Travis


Re: specifying secret in rbd map command

2012-07-09 Thread Florian Haas
On Mon, Jul 9, 2012 at 4:57 PM, Travis Rhoden wrote:
> Hey folks,
>
> I had a bit of unexpected trouble today using the "rbd map" command to
> map an RBD to a kernel object.  I had previously been using the "echo
> ... > /sys/bus/rbd..." method of manipulating RBDs.
>
> I was looking at the instructions here:
> http://ceph.com/docs/master/rbd/rbd-ko/
>
> When I tried to use the given syntax,  "sudo rbd map {image-name}
> --pool {pool-name} --name {client-name} --secret {client-secret}", I
> found the following:
>
> 1. {client-secret} is really supposed to be a file, not the actual
> secret.  An strace on the command shows an attempt to open a file with
> the secret as its name
> 2. If I give a keyring file as the client-secret, the command does not
> parse out the key for the given client-name.  In other words, I gave
> the name as "client.admin", then gave it the keyring file which
> contained merely
>
> [client.admin]
> key = AQB67+BPGNX0NhAA9iK7Epcj72Jck1wOAQBetA==
>
> But the command wouldn't parse out the key.
>
> 3. I had to create a new file, containing only the text of the key,
> and pass that to the command instead.  Then everything is happy.
>
>
> I'm happy to update the docs to make this process clear.  But I wonder
> if there might be any plans to modify the command behavior to accept a
> keyring file and pull out the key belonging to specified client name.
> Either way, I can update the docs to make it clear that you are
> specifying a file, not the key string itself.

I agree. This confuses quite a few people. Specifically because the
Ceph filesystem client supports "secret" and "secretfile" as mount
options, and expects a file only in the latter case. rbd acting
differently does violate POLA in that way.

Cheers,
Florian


Re: specifying secret in rbd map command

2012-07-09 Thread Travis Rhoden
I should point out that I did notice (a little too late) the contents
of "rbd --help" has this:

For the map command:
  --user rados user to authenticate as
  --secret   file containing secret key for use with cephx

I should have seen it sooner.  But, I still wonder if accepting a
keyring file would be nice.  And I can still update the docs to be
consistent with what is actually acceptable to the command.

- Travis

On Mon, Jul 9, 2012 at 10:57 AM, Travis Rhoden wrote:
> Hey folks,
>
> I had a bit of unexpected trouble today using the "rbd map" command to
> map an RBD to a kernel object.  I had previously been using the "echo
> ... > /sys/bus/rbd..." method of manipulating RBDs.
>
> I was looking at the instructions here:
> http://ceph.com/docs/master/rbd/rbd-ko/
>
> When I tried to use the given syntax,  "sudo rbd map {image-name}
> --pool {pool-name} --name {client-name} --secret {client-secret}", I
> found the following:
>
> 1. {client-secret} is really supposed to be a file, not the actual
> secret.  An strace on the command shows an attempt to open a file with
> the secret as its name
> 2. If I give a keyring file as the client-secret, the command does not
> parse out the key for the given client-name.  In other words, I gave
> the name as "client.admin", then gave it the keyring file which
> contained merely
>
> [client.admin]
> key = AQB67+BPGNX0NhAA9iK7Epcj72Jck1wOAQBetA==
>
> But the command wouldn't parse out the key.
>
> 3. I had to create a new file, containing only the text of the key,
> and pass that to the command instead.  Then everything is happy.
>
>
> I'm happy to update the docs to make this process clear.  But I wonder
> if there might be any plans to modify the command behavior to accept a
> keyring file and pull out the key belonging to specified client name.
> Either way, I can update the docs to make it clear that you are
> specifying a file, not the key string itself.
>
> Thanks,
>
>  - Travis
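
The workaround from this thread (a file holding only the key text, passed to --secret), as an added example that is not part of any post here or of Ceph's own code: it pulls one client's key out of a keyring into an owner-only file. The function names, the temporary paths and the sample keyring with its placeholder keys are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn a keyring entry into the key-only file that
# "rbd map --secret" expects, without putting the key on a command line.

# extract_key KEYRING CLIENT: print the key of section [CLIENT]; status 1 if absent.
extract_key() {
    awk -v want="[$2]" '
        /^[ \t]*\[.*\][ \t]*$/ {             # section header such as [client.admin]
            gsub(/[ \t]/, "")
            in_sec = ($0 == want)
            next
        }
        in_sec && /^[ \t]*key[ \t]*=/ {      # "key = <base64>" inside that section
            sub(/^[ \t]*key[ \t]*=[ \t]*/, "")
            sub(/[ \t\r]+$/, "")
            print; found = 1; exit
        }
        END { exit !found }
    ' "$1"
}

# write_secretfile KEYRING CLIENT OUTFILE: write only the key text to OUTFILE.
write_secretfile() {
    key=$(extract_key "$1" "$2") || {
        echo "no key for [$2] in $1" >&2
        return 1
    }
    (
        umask 077            # the file is created 0600, never briefly world-readable
        rm -f "$3"           # a pre-existing file would keep its old, looser mode
        printf '%s\n' "$key" > "$3"
    )
}

# Constructed sample keyring; both keys are made-up placeholders.
demo_dir=$(mktemp -d)
cat > "$demo_dir/keyring" <<'EOF'
[client.other]
  key = T1RIRVItUExBQ0VIT0xERVI=
[client.admin]
  key = Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=
  caps mon = "allow *"
EOF
write_secretfile "$demo_dir/keyring" client.admin "$demo_dir/admin.secret"
# Syntax as quoted in the thread, with the key-only file as the secret:
echo "sudo rbd map {image-name} --pool {pool-name} --name client.admin --secret $demo_dir/admin.secret"
```

Passing a file path rather than the key string also keeps the secret out of shell history and process listings.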