Distributed storage systems: CephX authentication and authorization in a Ceph cluster

  In the previous post we looked at storage pool operations on a Ceph cluster; for a refresher see //www.cnblogs.com/qiuhom-1874/p/16743611.html. Today we talk about authentication and authorization in Ceph.

  As a distributed storage system, Ceph requires a user to authenticate before it can store data on it. So how does Ceph authenticate users? Beyond authentication, not every user is allowed to create or delete storage pools; each user holds a certain set of permissions and may only operate within them, and only then can Ceph be called a secure storage system. So how exactly are authentication and authorization done in Ceph?

  The CephX authentication mechanism

  Ceph authenticates clients with the cephx protocol, which works roughly as follows. Every MON can authenticate clients and distribute keys, so authentication is handled by the MON nodes with no single point of failure or performance bottleneck. The MON returns a data structure used for authentication that contains the session key needed to obtain Ceph services; the session key is the credential the client uses to request services from the MON, and it is transmitted encrypted under the client's secret key. When a MON receives an authentication request it first generates a session key, encrypts it with the client's secret key and sends it to the client; the client decrypts it with its own key and so obtains the session key. With the session key in hand, the client requests services from the MON; on receiving such a request (carrying the session key), the MON issues a ticket, encrypts it with the session key and returns it to the client. The client decrypts it with the session key and presents the ticket to the relevant OSD to complete authentication.

  A few points to note about this process. The client's secret key is generated by the MON when the user account is created, so the MON holds each client's key; that is why it can encrypt with the client's key and the client can decrypt with its own. Next, the session keys a MON generates are recorded, so each client has its own record, and a session key has a limited lifetime: once it expires, even the client it was issued to can no longer use it. So when a client presents a valid session key to a MON, the MON recognises it and issues a ticket. Finally, MONs and OSDs share the client keys, the session keys and the tickets the MON issues, so an OSD recognises a ticket issued by a MON; whichever MON issued the ticket, all MONs and OSDs know about it. In short, the cluster components share the same secret.

  CephX authentication for MDS and OSD

  Note: in brief, the client asks for a user to be created; the MON creates the user and returns the shared secret key to the client. The client then authenticates to the MON, and on success the MON returns a session key. Within the validity period the client uses the session key to request a ticket from the MON; the MON generates the ticket and encrypts it with that session key, and the client decrypts the MON's reply with the session key to obtain the ticket. The client then presents the ticket to an MDS or OSD for data access, and that component accepts it, because the MON, MDS and OSD all share the secret.

  Note that CephX authentication applies only between Ceph's own components; it does not extend to non-Ceph components, and it does not address encryption of data in transit. What does that mean? Ceph's client interfaces are rbd, cephfs and radosgw. Ceph does not care what kind of client accesses data through rbd, cephfs or radosgw; it only cares that those client interface programs authenticate successfully. In short, it is not responsible for the "last mile": who is behind the rbd, cephfs or radosgw interface, and how that client transfers its data, is outside Ceph's concern.
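  The exchange described above, as an added example that is not part of the original post and not Ceph's code: a deliberately simplified Python model of the cephx flow in which the MON mints a session key encrypted under the client's secret, the client proves possession of that session key to obtain a ticket, and an OSD that holds only the cluster secret validates the ticket. The class and function names (Monitor, OSD, client_login, toy_encrypt, toy_decrypt) are mine; the toy cipher is a hash-derived keystream with an HMAC tag standing in for the AES encryption real cephx uses, and sealing every ticket under one cluster secret is a simplification of cephx's per-service secrets. The demo also exercises the three failure modes the text implies: a wrong client secret, an OSD outside the cluster, and an expired session key.

```python
import hashlib
import hmac
import os
import time


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Hash-derived keystream; stands in for the AES mode real cephx uses.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag (toy cipher)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    """Plaintext, or ValueError when the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Monitor:
    """Holds every client's secret (assigned when the user is created), the
    cluster secret shared with OSD/MDS daemons, and the session keys it issued."""
    def __init__(self):
        self.cluster_secret = os.urandom(32)
        self.client_secrets = {}  # entity -> client secret
        self.sessions = {}        # entity -> (session key, expiry)

    def add_user(self, entity: str) -> bytes:
        self.client_secrets[entity] = os.urandom(32)
        return self.client_secrets[entity]

    def authenticate(self, entity: str, ttl: float = 3600) -> bytes:
        """Step 1: mint a session key, record it with an expiry, and return it
        encrypted under the client's own secret."""
        session_key = os.urandom(32)
        self.sessions[entity] = (session_key, time.time() + ttl)
        return toy_encrypt(self.client_secrets[entity], session_key)

    def issue_ticket(self, entity: str, proof: bytes) -> bytes:
        """Step 2: the client proves it holds the session key; the MON answers
        with a ticket sealed under the cluster secret, wrapped in the session key."""
        session_key, expiry = self.sessions[entity]
        if time.time() > expiry:
            raise PermissionError("session key expired")
        if toy_decrypt(session_key, proof) != b"ticket-request":
            raise PermissionError("bad session proof")
        ticket = toy_encrypt(self.cluster_secret, f"{entity}|{int(expiry)}".encode())
        return toy_encrypt(session_key, ticket)


class OSD:
    """Holds only the cluster secret, enough to validate a ticket from any MON."""
    def __init__(self, cluster_secret: bytes):
        self.cluster_secret = cluster_secret

    def authorize(self, ticket: bytes) -> str:
        entity, expiry = toy_decrypt(self.cluster_secret, ticket).decode().split("|")
        if time.time() > int(expiry):
            raise PermissionError("ticket expired")
        return entity


def client_login(mon: Monitor, entity: str, secret: bytes, ttl: float = 3600) -> bytes:
    """Client side of both steps: recover the session key, then obtain a ticket."""
    session_key = toy_decrypt(secret, mon.authenticate(entity, ttl))
    wrapped = mon.issue_ticket(entity, toy_encrypt(session_key, b"ticket-request"))
    return toy_decrypt(session_key, wrapped)


def _outcome(attempt, error) -> str:
    try:
        attempt()
        return "accepted"
    except error:
        return "rejected"


def demo() -> dict:
    """Happy path plus the three failure modes the description implies."""
    mon = Monitor()
    user = "client.testuser"
    secret = mon.add_user(user)        # what 'ceph auth add' hands out
    osd = OSD(mon.cluster_secret)      # OSDs share the cluster secret with the MONs
    return {
        "authorized_as": osd.authorize(client_login(mon, user, secret)),
        "wrong_client_secret": _outcome(lambda: client_login(mon, user, b"\0" * 32), ValueError),
        "osd_outside_cluster": _outcome(lambda: OSD(b"\1" * 32).authorize(client_login(mon, user, secret)), ValueError),
        "expired_session_key": _outcome(lambda: client_login(mon, user, secret, ttl=-1), PermissionError),
    }
```

  Running demo() returns "client.testuser" for the happy path and "rejected" for the other three keys. The point worth noticing is where each failure is caught: a wrong client secret fails already at the session-key step, a foreign OSD fails when it cannot unseal the ticket, and an expired session key is refused by the MON before any ticket is issued.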

  Terminology for authentication and authorization

  Whatever the client type, Ceph stores all data as objects in storage pools. A Ceph user needs access permission on a pool to read and write data, and needs execute permission to use Ceph's administrative commands.

  User: a user is an individual or a system actor (such as an application). Creating users lets you control who (or which actor) can access the Ceph storage cluster, which pools, and which data in those pools. Ceph supports several user types, but all user-manageable accounts are of the client type; the types are distinguished because system components such as MON, OSD and MDS also use the cephx protocol but are not human clients. The type and the name are separated by a dot, in the form TYPE.ID, for example client.admin.

  Authorization and capabilities: Ceph uses "capabilities" (caps) to describe the scope or level of permission a user has on MON, OSD or MDS. The general syntax is daemon-type 'allow caps' [...]. MON caps include r, w, x and allow profile caps, for example mon 'allow rwx' and mon 'allow profile osd'. OSD caps include r, w, x, class-read, class-write and profile osd; OSD caps can additionally be restricted to a pool and namespace. MDS caps need only allow, or can be left empty.

  Meaning of the capabilities

  allow: must precede the access settings for a daemon; for MDS alone it implies rw, otherwise it has its literal meaning.

  r: read permission; needed when accessing the MON to retrieve the CRUSH map.

  w: permission to write objects.
  x: the ability to call class methods (both read and write) and to perform auth operations on the MON.
  class-read: a subset of x; grants the ability to call class read methods.
  class-write: a subset of x; grants the ability to call class write methods.
  *: grants read, write and execute permission on a given daemon/pool together with the ability to run administrative commands.

  profile osd: grants permission to connect to other OSDs or monitors as an OSD; given to OSDs so they can handle replication heartbeat traffic and status reporting.

  profile mds: grants permission to connect to other MDSs or monitors as an MDS.

  profile bootstrap-osd: grants permission to bootstrap an OSD; given to deployment tools so they can add keys when bootstrapping an OSD.

  profile bootstrap-mds: grants permission to bootstrap a metadata server; given to deployment tools so they can add keys when bootstrapping a metadata server.

  Ceph user management

  A Ceph cluster administrator can create, update and delete users directly in the cluster. When a user is created, its key may need to be distributed to the client so that it can be added to a keyring. A keyring is simply a file that stores keys; one file can hold the key information of one or more users, much like a physical key ring that carries one or more keys.

  List users: ceph auth list

[root@ceph-admin ~]# ceph auth list
installed auth entries:

mds.ceph-mon02
        key: AQDT1y9jaMUZDRAA79b3XSXqBbXUlNsT0RLeiw==
        caps: [mds] allow
        caps: [mon] allow profile mds
        caps: [osd] allow rwx
osd.0
        key: AQD3+i1j5IJQCxAAOjQdvckg8TskXu7c4MbPAA==
        caps: [mgr] allow profile osd
        caps: [mon] allow profile osd
        caps: [osd] allow *
osd.1
        key: AQAo7C1j+dEDEBAAAA47bD+nZQZuV4kJjnqACA==
        caps: [mgr] allow profile osd
        caps: [mon] allow profile osd
        caps: [osd] allow *
osd.2
        key: AQA77C1j5ot+DhAAJ+Y1KwgI2zsxRHmTUkfing==
        caps: [mgr] allow profile osd
        caps: [mon] allow profile osd
        caps: [osd] allow *
osd.3
        key: AQBM7C1jdIuHEhAAYBA9gzC4J+kZUxkMzhjq4g==
        caps: [mgr] allow profile osd
        caps: [mon] allow profile osd
        caps: [osd] allow *
osd.4
        key: AQBq7C1jZrNZKhAAK+TvnPgK0jAWIwz0PYFT/g==
        caps: [mgr] allow profile osd
        caps: [mon] allow profile osd
        caps: [osd] allow *
osd.5
        key: AQB57C1jVcczERAAxJ3iqvKS/2kfE4HlFQHIWQ==
        caps: [mgr] allow profile osd
        caps: [mon] allow profile osd
        caps: [osd] allow *
osd.6
        key: AQCP7C1jB80KGhAA9iXzAg+9ANWjgPb2ZdWdhw==
        caps: [mgr] allow profile osd
        caps: [mon] allow profile osd
        caps: [osd] allow *
osd.7
        key: AQCe7C1jbx4rNxAANOB3PPLxRXi/st1UYiTWqQ==
        caps: [mgr] allow profile osd
        caps: [mon] allow profile osd
        caps: [osd] allow *
osd.8
        key: AQCz7C1jUGzQIhAAj6aTVM6rNsTO3Lp08rePzg==
        caps: [mgr] allow profile osd
        caps: [mon] allow profile osd
        caps: [osd] allow *
osd.9
        key: AQDA7C1jwXTrEBAATszxwOKepUHzZ5WKwIMu7w==
        caps: [mgr] allow profile osd
        caps: [mon] allow profile osd
        caps: [osd] allow *
client.admin
        key: AQB94C1jTO8jJhAAY4Zhy40wduyIONnRqxtkEA==
        caps: [mds] allow *
        caps: [mgr] allow *
        caps: [mon] allow *
        caps: [osd] allow *
client.bootstrap-mds
        key: AQB94C1jRPwjJhAAZsfgne6whasyCmSCgefocw==
        caps: [mon] allow profile bootstrap-mds
client.bootstrap-mgr
        key: AQB94C1jvQQkJhAA9y2LmEvBTG0Mjew8k0ecdw==
        caps: [mon] allow profile bootstrap-mgr
client.bootstrap-osd
        key: AQB94C1jDg4kJhAAhQPCebi6JfF9HZo4q39WGA==
        caps: [mon] allow profile bootstrap-osd
client.bootstrap-rbd
        key: AQB94C1jkxYkJhAAEUjId8hdDCA67PX+SQXAYw==
        caps: [mon] allow profile bootstrap-rbd
client.bootstrap-rgw
        key: AQB94C1jPx4kJhAAXIwArGEkQ76tQG1NnJ0Wmw==
        caps: [mon] allow profile bootstrap-rgw
client.rgw.ceph-mon01
        key: AQD0zS9jI7e4BRAA7fvC/02D6j2YoGHZwveQCQ==
        caps: [mon] allow rw
        caps: [osd] allow rwx
mgr.ceph-mgr01
        key: AQDi5S1jgpYLHRAAWHJeiwwD86AVg0YzUOPCmQ==
        caps: [mds] allow *
        caps: [mon] allow profile mgr
        caps: [osd] allow *
mgr.ceph-mgr02
        key: AQDk5S1jY6tkBhAAXPIK4N+bia3W6IoqlJRehw==
        caps: [mds] allow *
        caps: [mon] allow profile mgr
        caps: [osd] allow *
mgr.ceph-mon01
        key: AQDD9C1ja0vhOBAAnUkp5RcLBkZl8qfb4qXXLw==
        caps: [mds] allow *
        caps: [mon] allow profile mgr
        caps: [osd] allow *
[root@ceph-admin ~]# 

  Note: this command lists every user in the cluster, both the daemon accounts and ordinary users; ceph auth ls does the same.

  Retrieve a specific user: ceph auth get TYPE.ID or ceph auth export TYPE.ID

[root@ceph-admin ~]# ceph auth get client.admin
exported keyring for client.admin
[client.admin]
        key = AQB94C1jTO8jJhAAY4Zhy40wduyIONnRqxtkEA==
        caps mds = "allow *"
        caps mgr = "allow *"
        caps mon = "allow *"
        caps osd = "allow *"
[root@ceph-admin ~]# ceph auth export client.admin
export auth(auid = 18446744073709551615 key=AQB94C1jTO8jJhAAY4Zhy40wduyIONnRqxtkEA== with 4 caps)
[client.admin]
        key = AQB94C1jTO8jJhAAY4Zhy40wduyIONnRqxtkEA==
        caps mds = "allow *"
        caps mgr = "allow *"
        caps mon = "allow *"
        caps osd = "allow *"
[root@ceph-admin ~]# 

  Note: to write this information to a file, use -o to specify the file, or redirect the output.

[root@ceph-admin ~]# ceph auth get client.admin -o client.admin.keyring
exported keyring for client.admin
[root@ceph-admin ~]# ls
ceph-deploy-ceph.log  client.admin.keyring
[root@ceph-admin ~]# cat client.admin.keyring
[client.admin]
        key = AQB94C1jTO8jJhAAY4Zhy40wduyIONnRqxtkEA==
        caps mds = "allow *"
        caps mgr = "allow *"
        caps mon = "allow *"
        caps osd = "allow *"
[root@ceph-admin ~]# ceph auth export client.admin > client.admin.cluster.keyring
export auth(auid = 18446744073709551615 key=AQB94C1jTO8jJhAAY4Zhy40wduyIONnRqxtkEA== with 4 caps)
[root@ceph-admin ~]# ls
ceph-deploy-ceph.log  client.admin.cluster.keyring  client.admin.keyring
[root@ceph-admin ~]# cat client.admin.cluster.keyring
[client.admin]
        key = AQB94C1jTO8jJhAAY4Zhy40wduyIONnRqxtkEA==
        caps mds = "allow *"
        caps mgr = "allow *"
        caps mon = "allow *"
        caps osd = "allow *"
[root@ceph-admin ~]# 

  Add a user: auth add <entity> {<caps> [<caps>...]}

[root@ceph-admin ~]# ceph auth add client.testuser mon 'allow r' osd 'allow rw'
added key for client.testuser
[root@ceph-admin ~]# ceph auth get client.testuser
exported keyring for client.testuser
[client.testuser]
        key = AQAoaThjCJLsBhAA8gwl/UQkjjSF+DwB6oB/wg==
        caps mon = "allow r"
        caps osd = "allow rw"
[root@ceph-admin ~]# 

  Note: ceph auth add is the canonical way to add a user; it creates the user, generates the key and attaches the given caps. Note that the user I specified is made up of type.id: ordinary users are of the client type, and the ID after the dot is the user name.

  ceph auth get-or-create: a convenience method that creates the user and returns its key in keyring-file format, or, if the user already exists, returns the user name and key in keyring-file format.

[root@ceph-admin ~]# ceph auth get-or-create client.testuser mon 'allow *' osd 'allow rw pool=rbdpool'
Error EINVAL: key for client.testuser exists but cap mon does not match
[root@ceph-admin ~]# ceph auth get-or-create client.testuser mon 'allow r' osd 'allow rw'
[client.testuser]
        key = AQAoaThjCJLsBhAA8gwl/UQkjjSF+DwB6oB/wg==
[root@ceph-admin ~]# ceph auth get-or-create client.tom mon 'allow *' osd 'allow rw pool=rbdpool'
[client.tom]
        key = AQBcajhj8INfChAAKKFCESxmbHFJqAwiRE4ufg==
[root@ceph-admin ~]#  ceph auth get client.tom
exported keyring for client.tom
[client.tom]
        key = AQBcajhj8INfChAAKKFCESxmbHFJqAwiRE4ufg==
        caps mon = "allow *"
        caps osd = "allow rw pool=rbdpool"
[root@ceph-admin ~]#

  Note: when adding a user with ceph auth get-or-create, if the user exists but the caps do not match, it reports that the key exists but the cap does not match; if the user exists and the caps match, it returns the user's key; if the user does not exist, it is created and its key returned.

  ceph auth get-or-create-key: a convenience method that creates the user and returns the key, or returns the key if the user already exists.

[root@ceph-admin ~]# ceph auth get-or-create-key client.testuser mon 'allow r' osd 'allow *' 
Error EINVAL: key for client.testuser exists but cap osd does not match
[root@ceph-admin ~]# ceph auth get-or-create-key client.testuser mon 'allow r' osd 'allow rw'
AQAoaThjCJLsBhAA8gwl/UQkjjSF+DwB6oB/wg==
[root@ceph-admin ~]# ceph auth get-or-create-key client.jerry mon 'allow r' osd 'allow rw'        
AQDDazhjLbMTIhAADsXyBkPS079vU7dqGs2E+A==
[root@ceph-admin ~]# ceph auth get client.jerry
exported keyring for client.jerry
[client.jerry]
        key = AQDDazhjLbMTIhAADsXyBkPS079vU7dqGs2E+A==
        caps mon = "allow r"
        caps osd = "allow rw"
[root@ceph-admin ~]# 

  Note: this command behaves like get-or-create above: if the user exists and the caps match it returns the user's key; if they do not match it reports that the user exists but the caps do not match; if the user does not exist it creates it and returns the key. The difference is the output format: get-or-create prints the keyring-file format, while get-or-create-key prints only the key value, without the "key = " prefix.

  Note: a typical user has at least read capability on the Ceph monitors and read/write capability on the Ceph OSDs. In addition, a user's OSD capability should normally be restricted to specific pools; otherwise the user has access to every pool in the cluster.

  Print a user's key: ceph auth print-key TYPE.ID

[root@ceph-admin ~]# ceph auth print-key client.jerry
AQDDazhjLbMTIhAADsXyBkPS079vU7dqGs2E+A==[root@ceph-admin ~]# 

  Import a user: ceph auth import

[root@ceph-admin ~]# ll
total 16
-rw-r--r-- 1 root root 1568 Sep 25 11:40 ceph-deploy-ceph.log
-rw-r--r-- 1 root root  151 Oct  2 00:14 client.admin.cluster.keyring
-rw-r--r-- 1 root root  151 Oct  2 00:14 client.admin.keyring
-rw-r--r-- 1 root root  164 Oct  2 00:43 client.test.keyring
[root@ceph-admin ~]# cat client.test.keyring 
[client.test]
        key = AQB94C1jTO8jJhAAY4Zhy40wduyIONnRqxtkEA==
        caps mds = "allow *"
        caps mgr = "allow *"
        caps mon = "allow r"
        caps osd = "allow rw pool=rbdpool"
[root@ceph-admin ~]# ceph auth get client.test
Error ENOENT: failed to find client.test in keyring
[root@ceph-admin ~]# ceph auth import -i client.test.keyring
imported keyring
[root@ceph-admin ~]# ceph auth get client.test              
exported keyring for client.test
[client.test]
        key = AQB94C1jTO8jJhAAY4Zhy40wduyIONnRqxtkEA==
        caps mds = "allow *"
        caps mgr = "allow *"
        caps mon = "allow r"
        caps osd = "allow rw pool=rbdpool"
[root@ceph-admin ~]# 

  Note: to import a user from a keyring file, use the -i option to specify the keyring file.

  Modify a user's caps: ceph auth caps TYPE.ID daemon 'allow [r|w|x|*|...] [pool=pool-name] [namespace=namespace-name]' ...

[root@ceph-admin ~]# ceph auth get client.test
exported keyring for client.test
[client.test]
        key = AQB94C1jTO8jJhAAY4Zhy40wduyIONnRqxtkEA==
        caps mds = "allow *"
        caps mgr = "allow *"
        caps mon = "allow r"
        caps osd = "allow rw pool=rbdpool"
[root@ceph-admin ~]# ceph auth caps client.test mds 'allow rw' mgr 'allow r' mon 'allow rw'   
updated caps for client.test
[root@ceph-admin ~]# ceph auth get client.test
exported keyring for client.test
[client.test]
        key = AQB94C1jTO8jJhAAY4Zhy40wduyIONnRqxtkEA==
        caps mds = "allow rw"
        caps mgr = "allow r"
        caps mon = "allow rw"
[root@ceph-admin ~]# ceph auth caps client.test mds 'allow rw' mgr 'allow r' mon 'allow rw' osd 'allow rw pool=rbdpool'
updated caps for client.test
[root@ceph-admin ~]# ceph auth get client.test
exported keyring for client.test
[client.test]
        key = AQB94C1jTO8jJhAAY4Zhy40wduyIONnRqxtkEA==
        caps mds = "allow rw"
        caps mgr = "allow r"
        caps mon = "allow rw"
        caps osd = "allow rw pool=rbdpool"
[root@ceph-admin ~]# 

  Note: this command overwrites the user's existing caps, so it is advisable to check the current caps first with ceph auth get TYPE.ID. To add a cap, the existing caps must be specified along with it; to remove a permission, simply leave it out.

  Delete a user: ceph auth del TYPE.ID

[root@ceph-admin ~]# ceph auth del client.test
updated
[root@ceph-admin ~]# ceph auth del client.tom
updated
[root@ceph-admin ~]# ceph auth del client.jerry
updated
[root@ceph-admin ~]# ceph auth del client.testuser
updated
[root@ceph-admin ~]# ceph auth get client.testuser
Error ENOENT: failed to find client.testuser in keyring
[root@ceph-admin ~]# 

  Keyring

  When a client accesses the Ceph cluster it looks for a keyring locally; by default Ceph looks for keyrings under the following four names:

  • /etc/ceph/cluster-name.user-name.keyring: keyring holding a single user
  • /etc/ceph/cluster.keyring: keyring holding multiple users
  • /etc/ceph/keyring
  • /etc/ceph/keyring.bin

  cluster-name is the cluster name and user-name is the user identifier (TYPE.ID); the keyring file for client.admin on a cluster named ceph is therefore ceph.client.admin.keyring.

  Managing keyrings

  Create a keyring: ceph-authtool --create-keyring /path/to/keyring

[root@ceph-admin ~]# ceph-authtool --create-keyring ./client.abc.keyring
creating ./client.abc.keyring
[root@ceph-admin ~]# cat ./client.abc.keyring
[root@ceph-admin ~]# 

  Note: the newly created keyring file is empty. We add users with ceph auth add, then write the user's information into the keyring file with ceph auth get or export. A word on naming: keyring files should normally live in /etc/ceph so that clients can find them automatically. A keyring holding several users should be named cluster-name.keyring, and a keyring holding a single user cluster-name.user-name.keyring; this is the standard naming scheme.

  Merge a user's keyring into a combined keyring file: ceph-authtool /etc/ceph/cluster-name.keyring --import-keyring /etc/ceph/cluster-name.user-name.keyring

[root@ceph-admin ~]# ll
total 16
-rw-r--r-- 1 root root 1568 Sep 25 11:40 ceph-deploy-ceph.log
-rw------- 1 root root    0 Oct  2 00:57 client.abc.keyring
-rw-r--r-- 1 root root  151 Oct  2 00:14 client.admin.cluster.keyring
-rw-r--r-- 1 root root  151 Oct  2 00:14 client.admin.keyring
-rw-r--r-- 1 root root  164 Oct  2 00:43 client.test.keyring
[root@ceph-admin ~]# cat client.test.keyring                                    
[client.test]
        key = AQB94C1jTO8jJhAAY4Zhy40wduyIONnRqxtkEA==
        caps mds = "allow *"
        caps mgr = "allow *"
        caps mon = "allow r"
        caps osd = "allow rw pool=rbdpool"
[root@ceph-admin ~]# ceph-authtool ./client.test.keyring --import-keyring ./client.admin.keyring  
importing contents of ./client.admin.keyring into ./client.test.keyring
[root@ceph-admin ~]# cat client.test.keyring   
[client.admin]
        key = AQB94C1jTO8jJhAAY4Zhy40wduyIONnRqxtkEA==
        caps mds = "allow *"
        caps mgr = "allow *"
        caps mon = "allow *"
        caps osd = "allow *"
[client.test]
        key = AQB94C1jTO8jJhAAY4Zhy40wduyIONnRqxtkEA==
        caps mds = "allow *"
        caps mgr = "allow *"
        caps mon = "allow r"
        caps osd = "allow rw pool=rbdpool"
[root@ceph-admin ~]# 
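  As an added example (Python, not from the post and not Ceph's own code), the following parses keyring files in the layout shown above, merges one into another the way the ceph-authtool --import-keyring step just shown does, and audits the result against the earlier note that a typical client should hold mon 'allow r' plus osd 'allow rw' scoped to a pool. The sample keyrings are constructed, their key values are placeholders rather than real cephx keys, and client.tom deliberately carries the broad caps the note warns about and reuses client.test's key; the overwrite-on-clash behaviour in merge_keyrings is my choice for this example, not a documented property of ceph-authtool.

```python
# Constructed sample keyrings (placeholder keys, not real cephx keys).
ADMIN_KEYRING = """\
[client.admin]
        key = PLACEHOLDER-ADMIN-KEY==
        caps mds = "allow *"
        caps mgr = "allow *"
        caps mon = "allow *"
        caps osd = "allow *"
"""

USERS_KEYRING = """\
[client.test]
        key = PLACEHOLDER-TEST-KEY==
        caps mon = "allow r"
        caps osd = "allow rw pool=rbdpool"
[client.tom]
        key = PLACEHOLDER-TEST-KEY==
        caps mon = "allow *"
        caps osd = "allow rw"
"""


def parse_keyring(text: str) -> dict:
    """Return {entity: {"key": str, "caps": {subsystem: cap string}}}."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries[current] = {"key": None, "caps": {}}
            continue
        if current is None:
            raise ValueError(f"data before first [entity] header: {line!r}")
        name, _, value = (part.strip() for part in line.partition("="))
        if name == "key":
            entries[current]["key"] = value
        elif name.startswith("caps "):
            entries[current]["caps"][name.split(None, 1)[1]] = value.strip('"')
        else:
            raise ValueError(f"unrecognised keyring line: {line!r}")
    return entries


def dump_keyring(entries: dict) -> str:
    """Serialise back to the layout ceph auth get prints."""
    lines = []
    for entity, info in entries.items():
        lines.append(f"[{entity}]")
        lines.append(f"        key = {info['key']}")
        lines.extend(f'        caps {sub} = "{cap}"' for sub, cap in info["caps"].items())
    return "\n".join(lines) + "\n"


def merge_keyrings(base: dict, imported: dict) -> dict:
    """Add the imported entities to the base keyring; on a name clash the
    imported entry replaces the old one (assumption made for this example)."""
    merged = {e: {"key": i["key"], "caps": dict(i["caps"])} for e, i in base.items()}
    merged.update({e: {"key": i["key"], "caps": dict(i["caps"])} for e, i in imported.items()})
    return merged


def parse_cap_clauses(cap: str) -> list:
    """'allow rw pool=a, allow r pool=b' -> [('rw', {'pool': 'a'}), ('r', {'pool': 'b'})]."""
    clauses = []
    for clause in cap.split(","):
        tokens = clause.split()
        if not tokens or tokens[0] != "allow":
            raise ValueError(f"unsupported cap clause: {clause!r}")
        perms = tokens[1] if len(tokens) > 1 else ""
        scope = dict(tok.split("=", 1) for tok in tokens[2:] if "=" in tok)
        clauses.append((perms, scope))
    return clauses


def audit_caps(entries: dict) -> list:
    """Least-privilege findings for client.* entities as (entity, message) pairs."""
    findings = []
    for entity, info in entries.items():
        if not entity.startswith("client."):
            continue  # daemon entities use profile caps; out of scope here
        for sub, cap in info["caps"].items():
            for perms, scope in parse_cap_clauses(cap):
                if perms == "*":
                    findings.append((entity, f"{sub}: 'allow *' grants full access"))
                elif sub == "osd" and "w" in perms and not scope:
                    findings.append((entity, "osd: write access is not limited to a pool or namespace"))
        if "mon" not in info["caps"]:
            findings.append((entity, "mon: no cap, the client cannot even fetch the cluster maps"))
    owners_by_key = {}
    for entity, info in entries.items():
        owners_by_key.setdefault(info["key"], []).append(entity)
    for owners in owners_by_key.values():
        if len(owners) > 1:   # one compromised keyring then exposes every one of them
            findings.append((", ".join(owners), "same secret key shared by several entities"))
    return findings


def demo() -> dict:
    merged = merge_keyrings(parse_keyring(USERS_KEYRING), parse_keyring(ADMIN_KEYRING))
    return {"entities": sorted(merged), "findings": audit_caps(merged)}
```

  On the constructed input, demo() reports three entities and seven findings: four wildcard caps on client.admin, the wildcard mon cap and the pool-unscoped osd write on client.tom, and the secret shared between client.test and client.tom. The shared-secret check is worth keeping in any audit: ceph auth import happily accepts a keyring whose key duplicates another entity's, as the client.test keyring in this post (copied from client.admin) shows.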

  Managing users with ceph-authtool

  ceph-authtool can directly create a user, grant caps and create the keyring.

  Command help

[root@ceph-admin ~]# ceph-authtool -h
usage: ceph-authtool keyringfile [OPTIONS]...
where the options are:
  -l, --list                    will list all keys and capabilities present in
                                the keyring
  -p, --print-key               will print an encoded key for the specified
                                entityname. This is suitable for the
                                'mount -o secret=..' argument
  -C, --create-keyring          will create a new keyring, overwriting any
                                existing keyringfile
  -g, --gen-key                 will generate a new secret key for the
                                specified entityname
  --gen-print-key               will generate a new secret key without set it
                                to the keyringfile, prints the secret to stdout
  --import-keyring FILE         will import the content of a given keyring
                                into the keyringfile
  -n NAME, --name NAME          specify entityname to operate on
  -u AUID, --set-uid AUID       sets the auid (authenticated user id) for the
                                specified entityname
  -a BASE64, --add-key BASE64   will add an encoded key to the keyring
  --cap SUBSYSTEM CAPABILITY    will set the capability for given subsystem
  --caps CAPSFILE               will set all of capabilities associated with a
                                given key, for all subsystems
  --mode MODE                   will set the desired file mode to the keyring
                                e.g: '0644', defaults to '0600'
[root@ceph-admin ~]# 

  Note: -l or --list lists all users; -p prints the given user's key; -C creates the keyring file; -g generates a key for the given user; -n specifies the user name; --cap specifies capabilities; --mode sets the keyring file's permissions, which default to 0600, i.e. only root or the file's owner has read and write access.

[root@ceph-admin ~]# ceph-authtool -C client.usera.keyring  -n client.usera --gen-key --cap mon 'allow r' --cap osd 'allow rw pool=rbdpool'
creating client.usera.keyring
[root@ceph-admin ~]# ll
total 20
-rw-r--r-- 1 root root 1568 Sep 25 11:40 ceph-deploy-ceph.log
-rw------- 1 root root    0 Oct  2 00:57 client.abc.keyring
-rw-r--r-- 1 root root  151 Oct  2 00:14 client.admin.cluster.keyring
-rw-r--r-- 1 root root  151 Oct  2 00:14 client.admin.keyring
-rw-r--r-- 1 root root  315 Oct  2 01:03 client.test.keyring
-rw------- 1 root root  121 Oct  2 01:25 client.usera.keyring
[root@ceph-admin ~]# ceph auth get client.usera
Error ENOENT: failed to find client.usera in keyring
[root@ceph-admin ~]# cat client.usera.keyring 
[client.usera]
        key = AQAIeDhjTnmLGhAAWgL3GqtJsPwmOD6CPbJO8Q==
        caps mon = "allow r"
        caps osd = "allow rw pool=rbdpool"
[root@ceph-admin ~]# 

  Note: a user added this way exists only in the keyring file, not in the Ceph cluster; we still have to import the user information from the keyring file into the cluster.

[root@ceph-admin ~]# ceph auth add client.usera -i client.usera.keyring 
added key for client.usera
[root@ceph-admin ~]# ceph auth get client.usera
exported keyring for client.usera
[client.usera]
        key = AQAIeDhjTnmLGhAAWgL3GqtJsPwmOD6CPbJO8Q==
        caps mon = "allow r"
        caps osd = "allow rw pool=rbdpool"
[root@ceph-admin ~]# 

  Note: the command above is equivalent to ceph auth import.
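  To make concrete what ceph-authtool --gen-key actually puts into the keyring, here is an added example (Python, not from the post and not Ceph's code) that decodes the 40-character key strings shown on this page, generates a fresh key in the same layout, and writes a single-entity keyring with the 0600 mode the help text describes as the default. The key layout is my reading of the samples on this page (little-endian u16 type with 1 meaning AES, u32 seconds and u32 nanoseconds of creation time, u16 secret length, then the raw 16-byte secret) and should be treated as an assumption; the function names gen_cephx_key, decode_cephx_key, write_keyring_file and keyring_mode are mine.

```python
import base64
import os
import struct
import tempfile
import time

# Assumed layout of an encoded cephx key, checked against the samples on this page:
# <u16 type><u32 created secs><u32 created nsecs><u16 secret length><secret bytes>
_HEADER = struct.Struct("<HIIH")
CEPH_CRYPTO_AES = 1


def decode_cephx_key(encoded: str) -> dict:
    """Split a base64 key string into its header fields and the raw secret."""
    raw = base64.b64decode(encoded)
    ktype, secs, nsecs, length = _HEADER.unpack_from(raw)
    secret = raw[_HEADER.size:]
    if len(secret) != length:
        raise ValueError(f"declared secret length {length} but {len(secret)} bytes present")
    return {"type": ktype, "created_secs": secs, "created_nsecs": nsecs,
            "secret_len": length, "secret": secret}


def gen_cephx_key(now=None) -> str:
    """A fresh random 16-byte AES secret with a creation timestamp, in the same layout."""
    now = time.time() if now is None else now
    secs = int(now)
    nsecs = int((now - secs) * 1_000_000_000)
    secret = os.urandom(16)
    header = _HEADER.pack(CEPH_CRYPTO_AES, secs, nsecs, len(secret))
    return base64.b64encode(header + secret).decode()


def write_keyring_file(directory: str, entity: str, key: str, caps: dict) -> str:
    """Write a single-entity keyring with mode 0600 so only the owner can read the secret."""
    path = os.path.join(directory, f"{entity}.keyring")
    lines = [f"[{entity}]", f"        key = {key}"]
    lines += [f'        caps {sub} = "{cap}"' for sub, cap in caps.items()]
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    os.chmod(path, 0o600)  # in case the process umask was more permissive
    return path


def keyring_mode(path: str) -> int:
    """Permission bits of the keyring file, for checking nobody else can read it."""
    return os.stat(path).st_mode & 0o777


def demo() -> dict:
    key = gen_cephx_key()
    caps = {"mon": "allow r", "osd": "allow rw pool=rbdpool"}
    path = write_keyring_file(tempfile.mkdtemp(), "client.usera", key, caps)
    return {"key_len": len(key), "mode": keyring_mode(path), "decoded": decode_cephx_key(key)}
```

  Decoding the client.admin key printed earlier in this post gives type 1 and a creation time of 1663950973 seconds since the epoch, which matches the late-September 2022 dates in the directory listings. The creation timestamp inside a key is a useful forensic detail: a keyring whose key predates the entity it is attached to, as with the client.test keyring above, was copied from somewhere rather than generated for that user.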