From: Sage Weil <sage@inktank.com>
Date: Fri, 4 Apr 2014 19:59:41 +0000 (-0700)
Subject: doc/release-notes: note about emperor backport of mon auth fix
X-Git-Tag: v0.79~8
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=4aef403dbc2ba3dd572d13c43b5192f04941dc07;p=ceph.git

doc/release-notes: note about emperor backport of mon auth fix

Signed-off-by: Sage Weil <sage@inktank.com>
---

diff --git a/doc/release-notes.rst b/doc/release-notes.rst
index ccf0998d9bc6..a589c1f498d0 100644
--- a/doc/release-notes.rst
+++ b/doc/release-notes.rst
@@ -1018,6 +1018,24 @@ Notable Changes
 * rgw: support for password (instead of admin token) for keystone authentication (Christophe Courtaut)
 * sysvinit, upstart: prevent both init systems from starting the same daemons (Josh Durgin)
 
+v0.72.3 Emperor (pending release)
+=================================
+
+Upgrading
+---------
+
+* Monitor 'auth' read-only commands now expect the user to have 'rx' caps.
+  This is the same behavior that was present in dumpling, but in emperor
+  and more recent development releases the 'r' cap was sufficient.  Note that
+  this backported security fix will break mon keys that are using the following
+  commands but do not have the 'x' bit in the mon capability::
+
+    ceph auth export
+    ceph auth get
+    ceph auth get-key
+    ceph auth print-key
+    ceph auth list
+
 
 v0.72.2 Emperor
 ===============