Ceph user management instructions

ceph user management

Ceph user management primarily covers authentication (who a user is) and authorization (what a user may do) in the cluster. The listing below, in the format printed by ceph auth list, shows the users that exist in a cluster, each with its key and capabilities:

osd.0
        key: AQCvCbtToC6MDhAATtuT70Sl+DymPCfDSsyV4w==
        caps: [mon] allow profile osd
        caps: [osd] allow *
osd.1
        key: AQC4CbtTCFJBChAAVq5spj0ff4eHZICxIOVZeA==
        caps: [mon] allow profile osd
        caps: [osd] allow *
client.admin
        key: AQBHCbtT6APDHhAA5W00cBchwkQjh3dkKsyPjw==
        caps: [mds] allow
        caps: [mon] allow *
        caps: [osd] allow *
client.bootstrap-mds
        key: AQBICbtTOK9uGBAAdbe5zcIGHZL3T/u2g6EBww==
        caps: [mon] allow profile bootstrap-mds
client.bootstrap-osd
        key: AQBHCbtT4GxqORAADE5u7RkpCN/oo4e5W0uBtw==
        caps: [mon] allow profile bootstrap-osd

Ceph user types

  • Client user
    • Operation user
    • Application user
  • Daemon user

client.admin: user names follow the rule <TYPE.ID>, that is, <user type>.<user name>. The type is mon, osd or mgr for daemons and client for client users.
key: the user's secret key; it acts like a password.

The key (password) belongs to the authentication phase.

caps: the user's capabilities, that is, its authorization. Only after authorization can the user use the functions of MON, OSD and MDS within the scope of the granted permissions.

There are two parts to authorization: access permissions and capability profiles.

Access permissions:

  • allow: precedes the access settings for a daemon; for MDS only, allow by itself implies rw
  • r: gives the user read permission; read access to the monitor is required to obtain the CRUSH map
  • w: gives the user permission to write objects
  • x: gives the user permission to call class methods (that is, both read and write) and to perform auth operations on the monitor
  • class-read: gives the user permission to call class read methods; a subset of x
  • class-write: gives the user permission to call class write methods; a subset of x
  • *, all: full permissions (rwx) plus the ability to run management commands

Capability profiles:

  • profile osd: grants a user permission to connect as an OSD to other OSDs and monitors, so that it can handle replication, heartbeat traffic and status reporting
  • profile mds: grants a user permission to connect as an MDS to other MDS daemons or monitors
  • profile bootstrap-osd: grants a user permission to bootstrap OSD daemons; usually given to the deployment tool (ceph-deploy) so that it can add keys when bootstrapping an OSD
  • profile bootstrap-mds: grants a user permission to bootstrap MDS daemons, as above
  • profile bootstrap-rbd: grants a user permission to bootstrap RBD daemons, as above
  • profile bootstrap-rbd-mirror: grants a user permission to bootstrap rbd-mirror daemons, as above
  • profile rbd: grants a user permission to operate on rbd images
  • profile rbd-mirror: grants a user permission to operate on rbd images and to obtain the RBD mirroring configuration key
  • profile rbd-read-only: grants a user read-only permission on rbd images

Keyring file

The keyring is the carrier of a Ceph user, that is, the client's authentication and authorization file. The client looks for a keyring in the following four locations:

  • /etc/ceph/$cluster.$name.keyring
  • /etc/ceph/$cluster.keyring
  • /etc/ceph/keyring
  • /etc/ceph/keyring.bin

A keyring file is required to access the Ceph cluster. MON startup requires a keyring file, /var/lib/ceph/mon/ceph-node1/ceph-mon.keyring, for authentication. Modifying the content of the MON keyring does not affect MON startup, but it does affect shared-key authentication.
An OSD needs the correct keyring to start; otherwise it cannot be started. The correct keyring is stored in the MON database.
Client access to the cluster works the same way as for an OSD: the client's keyring must match the corresponding key stored in the MON database.

User Management

Files

  • /etc/ceph/: configuration file and secret key file
  • /var/lib/ceph/: files needed for ceph operation

Tools

  • ceph-authtool: user keyring management tool (the tool used in the official deployment documentation)
  • ceph auth: user management command

Both tools can create and modify users and generate keyring files.
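As an added example (not from the original post or from the Ceph project), the Python below parses output in the ceph auth list format shown above, renders it in the keyring file format that ceph-authtool reads, and flags client users that hold the full "allow *" capability on MON or OSD. The entity names and keys in the sample are constructed placeholders.

```python
import re

# Constructed sample in the format printed by `ceph auth list`; the keys are fake placeholders.
SAMPLE_AUTH_LIST = """\
osd.0
        key: PLACEHOLDER-KEY-OSD-0
        caps: [mon] allow profile osd
        caps: [osd] allow *
client.admin
        key: PLACEHOLDER-KEY-ADMIN
        caps: [mds] allow
        caps: [mon] allow *
        caps: [osd] allow *
client.backup
        key: PLACEHOLDER-KEY-BACKUP
        caps: [mon] allow r
        caps: [osd] allow rw pool=backups
"""

CAP_RE = re.compile(r"caps:\s*\[(\w+)\]\s*(.*)")


def parse_auth_list(text):
    """Return {entity: {"key": str, "caps": {daemon: capability string}}}."""
    entities = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented line = TYPE.ID entity name
            current = line.strip()
            entities[current] = {"key": None, "caps": {}}
        elif line.strip().startswith("key:"):
            entities[current]["key"] = line.split(":", 1)[1].strip()
        else:
            m = CAP_RE.match(line.strip())
            if m:
                entities[current]["caps"][m.group(1)] = m.group(2).strip()
    return entities


def to_keyring(entities):
    """Render entities in keyring file format: [TYPE.ID] section, key = ..., caps <daemon> = "..."."""
    out = []
    for name, ent in entities.items():
        out.append(f"[{name}]")
        out.append(f"\tkey = {ent['key']}")
        for daemon, cap in ent["caps"].items():
            out.append(f'\tcaps {daemon} = "{cap}"')
    return "\n".join(out) + "\n"


def overprivileged_clients(entities):
    """Client users holding 'allow *' (full rwx plus admin commands) on MON or OSD."""
    return sorted(name for name, ent in entities.items() if name.startswith("client.")
                  and any(ent["caps"].get(d, "") == "allow *" for d in ("mon", "osd")))
```

Running overprivileged_clients on a real cluster's listing shows which client keyrings should be restricted to a profile or to a pool-scoped rw capability.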

Reference: https://www.cnblogs.com/jmilkfan-fanguiju/p/11825069.html
Reference: https://docs.ceph.com/en/nautilus/rados/operations/user-management/

Origin blog.csdn.net/yangshihuz/article/details/109337884