From 6846f4830c61c5e79888d255a25970229921d551 Mon Sep 17 00:00:00 2001 From: Greg Farnum Date: Wed, 14 Jun 2017 15:00:04 -0700 Subject: [PATCH] mgr: print a more helpful error message for when users lack mgr cephx caps Add some brief documentation on updating their caps and link to it. Fixes: http://tracker.ceph.com/issues/20296 Signed-off-by: Greg Farnum --- doc/mgr/administrator.rst | 10 ++++++++++ doc/rados/operations/user-management.rst | 1 + src/mgr/DaemonServer.cc | 6 ++++-- 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/doc/mgr/administrator.rst b/doc/mgr/administrator.rst index 7be1e92fd89..e636c80ed86 100644 --- a/doc/mgr/administrator.rst +++ b/doc/mgr/administrator.rst @@ -25,6 +25,15 @@ of ``ceph status``, which should now include a mgr status line:: mgr active: $name +Client authentication +--------------------- +The manager is a new daemon which requires new CephX capabilities. If you upgrade +a cluster from an old version of Ceph, or use the default install/deploy tools, +your admin client should get this capability automatically. If you use tooling from +elsewhere, you may get EACCES errors when invoking certain ceph cluster commands. +To fix that, add a "mgr allow *" stanza to your client's cephx capabilities by +`Modifying User Capabilities`_. + High availability ----------------- @@ -92,3 +101,4 @@ OPTION(mgr_module_path, OPT_STR, CEPH_PKGLIBDIR "/mgr") // where to load python :Type: Integer :Default: ``30`` +.. _Modifying User Capabilities: ../rados/operations/user-management#modify-user-capabilities diff --git a/doc/rados/operations/user-management.rst b/doc/rados/operations/user-management.rst index ccdb09787c4..2e47f37ff35 100644 --- a/doc/rados/operations/user-management.rst +++ b/doc/rados/operations/user-management.rst @@ -360,6 +360,7 @@ are often restricted to accessing a particular pool. :: pools in the cluster! +.. _modify-user-capabilities: Modify User Capabilities ------------------------ diff --git a/src/mgr/DaemonServer.cc b/src/mgr/DaemonServer.cc index 9446a125744..93891673d95 100644 --- a/src/mgr/DaemonServer.cc +++ b/src/mgr/DaemonServer.cc @@ -550,7 +550,8 @@ bool DaemonServer::handle_command(MCommand *m) if (!_allowed_command(session.get(), py_command.module, prefix, cmdctx->cmdmap, param_str_map, &py_command)) { dout(1) << " access denied" << dendl; - ss << "access denied"; + ss << "access denied; does your client key have mgr caps?" + " See http://docs.ceph.com/docs/master/mgr/administrator/#client-authentication"; cmdctx->reply(-EACCES, ss); return true; } @@ -562,7 +563,8 @@ bool DaemonServer::handle_command(MCommand *m) audit_clog->info() << "from='" << session->inst << "' " << "entity='" << session->entity_name << "' " << "cmd=" << m->cmd << ": access denied"; - ss << "access denied"; + ss << "access denied' does your client key have mgr caps?" + " See http://docs.ceph.com/docs/master/mgr/administrator/#client-authentication"; cmdctx->reply(-EACCES, ss); return true; } -- 2.47.3