* "no key for auth" when running "auth export mon. -o /tmp/monkey"?
From: Matthew Roy @ 2012-08-05  6:13 UTC (permalink / raw)
  To: ceph-devel

When following http://ceph.com/docs/master/ops/manage/grow/mon/#adding-a-monitor
running the command:

ceph auth export mon. -o /tmp/monkey

on a working cluster gives the result:

no key for auth(auid = <20 digits> key=AAAAAAAAAAAAAAAA with 0 caps)

The key "mon." is in the monitors' keyrings, but not in the list of
keys returned by "ceph auth list". Is this an indication of a problem
with the cluster or a bug in the documentation?

Thanks for your help,
Matthew


* Re: "no key for auth" when running "auth export mon. -o /tmp/monkey"?
From: Tommi Virtanen @ 2012-08-06 15:55 UTC (permalink / raw)
  To: Matthew Roy, John Wilkins; +Cc: ceph-devel

On Sat, Aug 4, 2012 at 11:13 PM, Matthew Roy <imjustmatthew@gmail.com> wrote:
> When following http://ceph.com/docs/master/ops/manage/grow/mon/#adding-a-monitor
> running the command:
>
> ceph auth export mon. -o /tmp/monkey
>
> on a working cluster gives the result:
>
> no key for auth(auid = <20 digits> key=AAAAAAAAAAAAAAAA with 0 caps)
>
> The key "mon." is in the monitors' keyrings, but not in the list of
> keys returned by "ceph auth list". Is this an indication of a problem
> with the cluster or a bug in the documentation?

I think you're encountering side effects of these commits:


commit 7830f859e0c8c317c516736343eb9f3d8d824f77
Author: Sage Weil <sage@newdream.net>
Date:   2012-05-08 16:30:26 -0700

    mon: use external keyring for mon->mon auth

    - Feed our keyring into the auth methods.
    - Do not fail to build a ticket for type MON when we don't have a cap; it
      won't be in the auth database.  Also, we don't have caps on the monitors
      that are enforced between each other.

    Signed-off-by: Sage Weil <sage@newdream.net>

commit 7be78101da85d8db9d2cd319beee7dbef2ecd7a7
Author: Sage Weil <sage@inktank.com>
Date:   2012-05-14 20:13:40 -0700

    mon: keep mon. secret in an external keyring

    - Keep the mon. key in a separate keyring file, "keyring", in the mon
      data dir.
    - During init, if we don't find that file, copy the key from the keyserver
      database.
    - During mkfs, put the mon. key in that file, and remove it from the seed
      file that primes the auth database.

    This will allow admins to change the mon. key without bringing the cluster
    online and doing something wonky.

    Signed-off-by: Sage Weil <sage@newdream.net>

We'll need to edit the docs. Do you have the file "keyring" in your
mon data dir, and does it contain a [mon.] section? If so, that
section is what you need in /tmp/monkey. If you're going by defaults,
there should be no other section in the file, and you can use the file
as-is.

John, for the docs, Sage is probably the best person to say what those
commands really should be; I don't know if there's a good way to
extract just the [mon.] section from the file with a single
ceph-authtool command, etc.
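
Added example, not part of the original thread and not Ceph's own tooling: one way to copy only the [mon.] section of the monitor's keyring file into a new owner-only file, since the result holds the monitor secret. The function names, the sample keyring and its placeholder keys are constructed for illustration.

```shell
#!/bin/sh
# Added example: not from the thread and not part of Ceph.

# Constructed sample keyring; both keys are placeholders, not real secrets.
make_sample_keyring() {
    cat <<'EOF'
[mon.]
	key = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
	caps mon = "allow *"
[client.admin]
	key = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB==
EOF
}

# extract_mon_section SRC DST
# Copy only the [mon.] section of keyring SRC into a new file DST.
# Returns 0 on success, 1 if no [mon.] section could be read from SRC,
# 2 if DST already exists.
extract_mon_section() {
    src=$1
    dst=$2
    # Never write the secret into a file or symlink someone else created.
    if [ -e "$dst" ] || [ -L "$dst" ]; then
        echo "refusing to overwrite existing $dst" >&2
        return 2
    fi
    # umask 077: owner-only (0600) output; set -C: fail rather than clobber.
    if (
        umask 077
        set -C
        awk '
            /^[ \t]*\[/ { in_mon = ($0 ~ /^[ \t]*\[mon\.\][ \t]*$/) }
            in_mon      { print; found = 1 }
            END         { exit !found }
        ' "$src" > "$dst"
    ); then
        return 0
    fi
    rm -f "$dst"
    echo "could not extract a [mon.] section from $src" >&2
    return 1
}

# Usage (the source path is an assumption; use your monitor's data dir):
#   extract_mon_section /path/to/mon-data/keyring /tmp/monkey
```

Remove the exported file once the new monitor has been initialized, so the mon. secret does not linger outside the mon data dir.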


* Re: "no key for auth" when running "auth export mon. -o /tmp/monkey"?
From: Matthew Roy @ 2012-08-06 21:07 UTC (permalink / raw)
  To: Tommi Virtanen; +Cc: John Wilkins, ceph-devel

On Mon, Aug 6, 2012 at 11:55 AM, Tommi Virtanen <tv@inktank.com> wrote:
> Do you have the file "keyring" in your
> mon data dir, and does it contain a [mon.] section? If so, that
> section is what you need in /tmp/monkey. If you're going by defaults,
> there should be no other section in the file, and you can use the file
> as-is.

Yes, and that worked to initialize the new monitor.

Thanks Tommi.

Matthew


* Re: "no key for auth" when running "auth export mon. -o /tmp/monkey"?
From: Tommi Virtanen @ 2012-08-09 19:30 UTC (permalink / raw)
  To: Matthew Roy; +Cc: John Wilkins, ceph-devel

On Mon, Aug 6, 2012 at 2:07 PM, Matthew Roy <imjustmatthew@gmail.com> wrote:
> On Mon, Aug 6, 2012 at 11:55 AM, Tommi Virtanen <tv@inktank.com> wrote:
>> Do you have the file "keyring" in your
>> mon data dir, and does it contain a [mon.] section? If so, that
>> section is what you need in /tmp/monkey. If you're going by defaults,
>> there should be no other section in the file, and you can use the file
>> as-is.
>
> Yes, and that worked to initialize the new monitor.

For the record, this is being tracked at http://tracker.newdream.net/issues/2924
