mgr: print a more helpful error message for when users lack mgr cephx caps

Add some brief documentation on updating their caps and link to it.

Fixes: http://tracker.ceph.com/issues/20296
Signed-off-by: Greg Farnum <gfarnum@redhat.com>

diff --git a/doc/mgr/administrator.rst b/doc/mgr/administrator.rst
index 7be1e92fd89c4e28dfe8e69eadd3b074de091ef9..e636c80ed86385af4ab67e06cf1e01a5b9ec272d 100644 (file)
--- a/doc/mgr/administrator.rst
+++ b/doc/mgr/administrator.rst
@@ -25,6 +25,15 @@ of ``ceph status``, which should now include a mgr status line::
 
     mgr active: $name
 
+Client authentication
+---------------------
+The manager is a new daemon which requires new CephX capabilities. If you upgrade
+a cluster from an old version of Ceph, or use the default install/deploy tools,
+your admin client should get this capability automatically. If you use tooling from
+elsewhere, you may get EACCES errors when invoking certain ceph cluster commands.
+To fix that, add a "mgr allow *" stanza to your client's cephx capabilities by
+`Modifying User Capabilities`_.
+
 High availability
 -----------------
 
@@ -92,3 +101,4 @@ OPTION(mgr_module_path, OPT_STR, CEPH_PKGLIBDIR "/mgr") // where to load python
 :Type: Integer
 :Default: ``30``
 
+.. _Modifying User Capabilities: ../rados/operations/user-management#modify-user-capabilities

diff --git a/doc/rados/operations/user-management.rst b/doc/rados/operations/user-management.rst
index ccdb09787c4887ea4d2b6492f08f91fe6696d551..2e47f37ff35cffb497153fc377602a989bb54e83 100644 (file)
--- a/doc/rados/operations/user-management.rst
+++ b/doc/rados/operations/user-management.rst
@@ -360,6 +360,7 @@ are often restricted to accessing a particular pool. ::
    pools in the cluster!
 
 
+.. _modify-user-capabilities:
 Modify User Capabilities
 ------------------------
 

diff --git a/src/mgr/DaemonServer.cc b/src/mgr/DaemonServer.cc
index 9446a125744a871bbbfa39090c4a48cffcfddd18..93891673d95bf921abfab4658408f57f159540f1 100644 (file)
--- a/src/mgr/DaemonServer.cc
+++ b/src/mgr/DaemonServer.cc
@@ -550,7 +550,8 @@ bool DaemonServer::handle_command(MCommand *m)
     if (!_allowed_command(session.get(), py_command.module, prefix, cmdctx->cmdmap,
                           param_str_map, &py_command)) {
       dout(1) << " access denied" << dendl;
-      ss << "access denied";
+      ss << "access denied; does your client key have mgr caps?"
+       " See http://docs.ceph.com/docs/master/mgr/administrator/#client-authentication";
       cmdctx->reply(-EACCES, ss);
       return true;
     }
@@ -562,7 +563,8 @@ bool DaemonServer::handle_command(MCommand *m)
       audit_clog->info() << "from='" << session->inst << "' "
                          << "entity='" << session->entity_name << "' "
                          << "cmd=" << m->cmd << ":  access denied";
-      ss << "access denied";
+      ss << "access denied' does your client key have mgr caps?"
+       " See http://docs.ceph.com/docs/master/mgr/administrator/#client-authentication";
       cmdctx->reply(-EACCES, ss);
       return true;
     }