Distributed Storage Systems: CephX Authentication and Authorization in a Ceph Cluster
- October 7, 2022
- Notes
- ceph, ceph-authtool, managing users with ceph-authtool, CephX, CephX authentication mechanism, CephX authentication of MDS and OSD, Ceph user management, managing keyrings, authentication and authorization terminology
In the previous post we covered storage-pool operations in a Ceph cluster; for a refresher see //www.cnblogs.com/qiuhom-1874/p/16743611.html. Today we look at authentication and authorization in Ceph.
Ceph is a distributed storage system, and a user who wants to store data on it must first authenticate before it can use Ceph at all. So how does Ceph authenticate users? Beyond authentication, not every user may create or delete storage pools: each user holds a defined set of permissions and must operate within them, and only then can Ceph count as a secure storage system. So how exactly are authentication and authorization done in Ceph?
The CephX authentication mechanism
Ceph authenticates clients with the cephx protocol. Roughly, it works like this: every mon can authenticate clients and distribute keys, so authentication is handled by the mon nodes and there is no single point of failure or performance bottleneck. The mon returns a data structure used for authentication that contains the session key needed to obtain Ceph services; the session key is the credential the client uses to request the services it needs from the mon, and it is transmitted encrypted under the client's own secret key. When a mon receives an authentication request it first generates a session key, encrypts it with the client's secret key and sends it to the client; the client decrypts it with its own key and so obtains the session key. With the session key the client can request services from the mon; when the mon receives such a request (carrying the session key) it provides the client with a ticket, encrypts it under the session key and sends it back. The client then decrypts it with the session key and presents the ticket to the corresponding OSD to complete authentication.
A few points to note about this process. The client's secret key is generated by the mon when the user account is created, so the mon holds every client's key; that is why the mon can encrypt with the client's key and the client can decrypt with its own. The session keys a mon generates are recorded, so each client has its own record, and a session key is time-limited: once it expires, even the legitimate client can no longer use it. A client that presents a valid session key to a mon is therefore recognised by that mon, which issues a ticket. Finally, MONs and OSDs share the clients' keys, the session keys and the tickets the mons issue, so the OSD accepts a ticket a mon issued; whichever mon issued the ticket, all mons and OSDs can verify it. Put simply, the cluster components share the same secret.
CephX authentication of MDS and OSD
Note: in brief, the client requests that a user be created; the mon creates the user and returns the shared secret to the client. The client then authenticates to the mon; on success the mon returns a session key. Within its validity period the client uses the session key to request a ticket from the mon; the mon generates the ticket and encrypts it with the session key, and the client decrypts the mon's reply with the session key to obtain the ticket. The client then presents the ticket to an MDS or OSD for data access, and that component accepts it, because mon, MDS and OSD share the secret.
Note that CephX authentication applies only between Ceph's own components; it does not extend to non-Ceph components, and it does not provide encryption of data in transit. What does that mean? Ceph's client interfaces are rbd, cephfs and radosgw. Ceph does not care what kind of client accesses data through rbd, cephfs or radosgw; it only cares that these client interface programs authenticate successfully. Put simply, Ceph is not responsible for the "last mile": who the clients behind rbd, cephfs or radosgw are, and how they transfer data, is outside its control.
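The exchange described in this section, as an added Python model that is not code from the original post or from Ceph itself. It replaces CephX's real AES encryption with a toy HMAC-based keystream cipher (an assumption for illustration only, not the real wire format) and keeps the structure the text describes: the monitor holds each client's secret and a service secret shared with the OSDs; the session key is returned encrypted under the client's secret and has an expiry; the ticket is issued under the shared service secret and returned encrypted under the session key; and an OSD verifies the ticket with the shared secret alone, without talking to the monitor. The entity name client.tom and its caps are taken from the post's later examples; everything else is constructed.

```python
import hashlib
import hmac
import json
import secrets

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stand-in for CephX's AES (assumption for illustration only): HMAC-SHA256 in counter mode.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def seal(key: bytes, obj: dict) -> dict:
    """Encrypt-then-MAC a JSON object under `key` with the toy cipher above."""
    nonce = secrets.token_bytes(16)
    plain = json.dumps(obj, sort_keys=True).encode()
    cipher = bytes(a ^ b for a, b in zip(plain, keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + cipher, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "cipher": cipher.hex(), "tag": tag.hex()}

def open_sealed(key: bytes, box: dict) -> dict:
    """Verify the tag, then decrypt; a wrong key (or tampering) raises ValueError."""
    nonce, cipher, tag = (bytes.fromhex(box[k]) for k in ("nonce", "cipher", "tag"))
    expect = hmac.new(key, nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("bad tag: wrong key or tampered message")
    plain = bytes(a ^ b for a, b in zip(cipher, keystream(key, nonce, len(cipher))))
    return json.loads(plain)

class Monitor:
    """Holds each client's secret (created with the account) and the service secret
    shared with the OSDs: the two things the post says a mon knows."""
    def __init__(self, service_secret: bytes, ttl: float):
        self.service_secret, self.ttl = service_secret, ttl
        self.clients = {}   # entity -> (client secret, caps)
        self.sessions = {}  # entity -> (session key, expiry); one record per client

    def auth_add(self, entity: str, caps: dict) -> bytes:
        secret = secrets.token_bytes(16)
        self.clients[entity] = (secret, caps)
        return secret  # handed to the client out of band, e.g. in a keyring file

    def authenticate(self, entity: str, now: float) -> dict:
        client_secret, _ = self.clients[entity]
        session_key, expiry = secrets.token_bytes(16), now + self.ttl
        self.sessions[entity] = (session_key, expiry)
        # the session key travels encrypted under the client's own secret
        return seal(client_secret, {"session_key": session_key.hex(), "expiry": expiry})

    def request_ticket(self, entity: str, proof: dict, now: float) -> dict:
        session_key, expiry = self.sessions[entity]
        if now > expiry:
            raise PermissionError("session key expired: authenticate again")
        open_sealed(session_key, proof)  # the request must be sealed with the session key
        _, caps = self.clients[entity]
        ticket = seal(self.service_secret, {"entity": entity, "caps": caps, "expiry": expiry})
        # the ticket goes back to the client encrypted under the session key
        return seal(session_key, {"ticket": ticket})

class OSD:
    """Knows only the shared service secret, so it can check any mon's ticket locally."""
    def __init__(self, service_secret: bytes):
        self.service_secret = service_secret

    def authorize(self, ticket: dict, now: float) -> dict:
        body = open_sealed(self.service_secret, ticket)
        if now > body["expiry"]:
            raise PermissionError("ticket expired")
        return body["caps"]

def run_flow(now: float = 1_000_000.0, ticket_age: float = 0.0) -> dict:
    """Walk one client through the three steps; returns the caps the OSD accepted."""
    service_secret = secrets.token_bytes(16)
    mon, osd = Monitor(service_secret, ttl=600), OSD(service_secret)
    caps = {"mon": "allow r", "osd": "allow rw pool=rbdpool"}
    client_secret = mon.auth_add("client.tom", caps)
    # 1. authenticate: only the holder of the client secret can recover the session key
    sess = open_sealed(client_secret, mon.authenticate("client.tom", now))
    session_key = bytes.fromhex(sess["session_key"])
    # 2. request a ticket, proving possession of the session key
    proof = seal(session_key, {"service": "osd"})
    reply = open_sealed(session_key, mon.request_ticket("client.tom", proof, now))
    # 3. present the ticket to the OSD, which validates it with the shared secret alone
    return osd.authorize(reply["ticket"], now + ticket_age)

if __name__ == "__main__":
    print(run_flow())  # the caps client.tom was created with
```

Running the block prints the caps the OSD accepted. run_flow(ticket_age=601) raises PermissionError because the 600-second ticket has expired, and open_sealed with any other key raises ValueError, which is how a ticket forged without the shared secret fails at the OSD.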
Authentication and authorization terminology
Whatever the client type, Ceph stores all data as objects in storage pools. A Ceph user needs access permission on a pool to read and write data, and needs execute permission to use Ceph's administrative commands.
User: a user is an individual or a system actor (such as an application). By creating users you control who (or which actor) can access the Ceph storage cluster, which pools it can reach, and the data in those pools. Ceph supports several user types, but the users you manage all belong to the client type; the distinction exists because system components such as MON, OSD and MDS also use the cephx protocol but are not human clients. The user type and user name are separated by a dot, in the form TYPE.ID, for example client.admin.
Authorization and capabilities: Ceph uses capabilities (caps) to describe the scope or level of permission a user holds against MON, OSD or MDS. The general syntax is daemon-type 'allow caps' [...]. MON caps include r, w, x and allow profile caps, for example mon 'allow rwx' or mon 'allow profile osd'. OSD caps include r, w, x, class-read, class-write and profile osd; OSD caps can additionally be restricted to a pool and a namespace. MDS caps need only allow, or can be left empty.
Meaning of the capabilities
allow: must precede the access settings for a daemon; for MDS alone it means rw, elsewhere it means what it says;
r: read permission; needed when accessing a MON to retrieve the CRUSH map;
w: permission to write objects;
x: the ability to call class methods (read and write), and to perform auth operations on a MON;
class-read: a subset of x; grants the ability to call class read methods;
class-write: a subset of x; grants the ability to call class write methods;
*: grants read, write and execute permission on the given daemon/pool, plus the ability to run administrative commands;
profile osd: lets the user connect to other OSDs or monitors as an OSD; given to OSDs so they can handle replication heartbeat traffic and status reports;
profile mds: lets the user connect to other MDSs or monitors as an MDS;
profile bootstrap-osd: lets the user bootstrap an OSD; given to deployment tools so they can add keys when bootstrapping an OSD;
profile bootstrap-mds: lets the user bootstrap a metadata server; given to deployment tools so they can add keys when bootstrapping a metadata server;
Ceph user management
Ceph cluster administrators can create, update and delete users directly in the cluster. When a user is created, its key may need to be distributed to the client so that it can be added to a keyring. A keyring is simply a file that holds keys; one file can hold the key material of one or more users, much like a physical key ring that carries one or more keys.
List users: ceph auth list
[root@ceph-admin ~]# ceph auth list
installed auth entries:

mds.ceph-mon02
    key: AQDT1y9jaMUZDRAA79b3XSXqBbXUlNsT0RLeiw==
    caps: [mds] allow
    caps: [mon] allow profile mds
    caps: [osd] allow rwx
osd.0
    key: AQD3+i1j5IJQCxAAOjQdvckg8TskXu7c4MbPAA==
    caps: [mgr] allow profile osd
    caps: [mon] allow profile osd
    caps: [osd] allow *
osd.1
    key: AQAo7C1j+dEDEBAAAA47bD+nZQZuV4kJjnqACA==
    caps: [mgr] allow profile osd
    caps: [mon] allow profile osd
    caps: [osd] allow *
osd.2
    key: AQA77C1j5ot+DhAAJ+Y1KwgI2zsxRHmTUkfing==
    caps: [mgr] allow profile osd
    caps: [mon] allow profile osd
    caps: [osd] allow *
osd.3
    key: AQBM7C1jdIuHEhAAYBA9gzC4J+kZUxkMzhjq4g==
    caps: [mgr] allow profile osd
    caps: [mon] allow profile osd
    caps: [osd] allow *
osd.4
    key: AQBq7C1jZrNZKhAAK+TvnPgK0jAWIwz0PYFT/g==
    caps: [mgr] allow profile osd
    caps: [mon] allow profile osd
    caps: [osd] allow *
osd.5
    key: AQB57C1jVcczERAAxJ3iqvKS/2kfE4HlFQHIWQ==
    caps: [mgr] allow profile osd
    caps: [mon] allow profile osd
    caps: [osd] allow *
osd.6
    key: AQCP7C1jB80KGhAA9iXzAg+9ANWjgPb2ZdWdhw==
    caps: [mgr] allow profile osd
    caps: [mon] allow profile osd
    caps: [osd] allow *
osd.7
    key: AQCe7C1jbx4rNxAANOB3PPLxRXi/st1UYiTWqQ==
    caps: [mgr] allow profile osd
    caps: [mon] allow profile osd
    caps: [osd] allow *
osd.8
    key: AQCz7C1jUGzQIhAAj6aTVM6rNsTO3Lp08rePzg==
    caps: [mgr] allow profile osd
    caps: [mon] allow profile osd
    caps: [osd] allow *
osd.9
    key: AQDA7C1jwXTrEBAATszxwOKepUHzZ5WKwIMu7w==
    caps: [mgr] allow profile osd
    caps: [mon] allow profile osd
    caps: [osd] allow *
client.admin
    key: AQB94C1jTO8jJhAAY4Zhy40wduyIONnRqxtkEA==
    caps: [mds] allow *
    caps: [mgr] allow *
    caps: [mon] allow *
    caps: [osd] allow *
client.bootstrap-mds
    key: AQB94C1jRPwjJhAAZsfgne6whasyCmSCgefocw==
    caps: [mon] allow profile bootstrap-mds
client.bootstrap-mgr
    key: AQB94C1jvQQkJhAA9y2LmEvBTG0Mjew8k0ecdw==
    caps: [mon] allow profile bootstrap-mgr
client.bootstrap-osd
    key: AQB94C1jDg4kJhAAhQPCebi6JfF9HZo4q39WGA==
    caps: [mon] allow profile bootstrap-osd
client.bootstrap-rbd
    key: AQB94C1jkxYkJhAAEUjId8hdDCA67PX+SQXAYw==
    caps: [mon] allow profile bootstrap-rbd
client.bootstrap-rgw
    key: AQB94C1jPx4kJhAAXIwArGEkQ76tQG1NnJ0Wmw==
    caps: [mon] allow profile bootstrap-rgw
client.rgw.ceph-mon01
    key: AQD0zS9jI7e4BRAA7fvC/02D6j2YoGHZwveQCQ==
    caps: [mon] allow rw
    caps: [osd] allow rwx
mgr.ceph-mgr01
    key: AQDi5S1jgpYLHRAAWHJeiwwD86AVg0YzUOPCmQ==
    caps: [mds] allow *
    caps: [mon] allow profile mgr
    caps: [osd] allow *
mgr.ceph-mgr02
    key: AQDk5S1jY6tkBhAAXPIK4N+bia3W6IoqlJRehw==
    caps: [mds] allow *
    caps: [mon] allow profile mgr
    caps: [osd] allow *
mgr.ceph-mon01
    key: AQDD9C1ja0vhOBAAnUkp5RcLBkZl8qfb4qXXLw==
    caps: [mds] allow *
    caps: [mon] allow profile mgr
    caps: [osd] allow *
[root@ceph-admin ~]#
Note: this command lists every user on the cluster, both daemon (non-human) users and ordinary users; ceph auth ls does the same.
Retrieve a specific user: ceph auth get TYPE.ID or ceph auth export TYPE.ID
[root@ceph-admin ~]# ceph auth get client.admin
exported keyring for client.admin
[client.admin]
    key = AQB94C1jTO8jJhAAY4Zhy40wduyIONnRqxtkEA==
    caps mds = "allow *"
    caps mgr = "allow *"
    caps mon = "allow *"
    caps osd = "allow *"
[root@ceph-admin ~]# ceph auth export client.admin
export auth(auid = 18446744073709551615 key=AQB94C1jTO8jJhAAY4Zhy40wduyIONnRqxtkEA== with 4 caps)
[client.admin]
    key = AQB94C1jTO8jJhAAY4Zhy40wduyIONnRqxtkEA==
    caps mds = "allow *"
    caps mgr = "allow *"
    caps mon = "allow *"
    caps osd = "allow *"
[root@ceph-admin ~]#
Note: to export this information to a file, use -o to name the file, or redirect the output.
[root@ceph-admin ~]# ceph auth get client.admin -o client.admin.keyring
exported keyring for client.admin
[root@ceph-admin ~]# ls
ceph-deploy-ceph.log  client.admin.keyring
[root@ceph-admin ~]# cat client.admin.keyring
[client.admin]
    key = AQB94C1jTO8jJhAAY4Zhy40wduyIONnRqxtkEA==
    caps mds = "allow *"
    caps mgr = "allow *"
    caps mon = "allow *"
    caps osd = "allow *"
[root@ceph-admin ~]# ceph auth export client.admin > client.admin.cluster.keyring
export auth(auid = 18446744073709551615 key=AQB94C1jTO8jJhAAY4Zhy40wduyIONnRqxtkEA== with 4 caps)
[root@ceph-admin ~]# ls
ceph-deploy-ceph.log  client.admin.cluster.keyring  client.admin.keyring
[root@ceph-admin ~]# cat client.admin.cluster.keyring
[client.admin]
    key = AQB94C1jTO8jJhAAY4Zhy40wduyIONnRqxtkEA==
    caps mds = "allow *"
    caps mgr = "allow *"
    caps mon = "allow *"
    caps osd = "allow *"
[root@ceph-admin ~]#
Add a user, command format: auth add <entity> {<caps> [<caps>…]}
[root@ceph-admin ~]# ceph auth add client.testuser mon 'allow r' osd 'allow rw'
added key for client.testuser
[root@ceph-admin ~]# ceph auth get client.testuser
exported keyring for client.testuser
[client.testuser]
    key = AQAoaThjCJLsBhAA8gwl/UQkjjSF+DwB6oB/wg==
    caps mon = "allow r"
    caps osd = "allow rw"
[root@ceph-admin ~]#
Note: ceph auth add is the canonical way to add a user; it creates the user, generates a key and attaches the specified caps. Note that the user I specified is made up of type.id: ordinary users are of type client, and the ID after the dot is the user name.
ceph auth get-or-create: convenience method; creates the user and returns its key in keyring-file format, or, if the user already exists, returns the user name and key in keyring-file format.
[root@ceph-admin ~]# ceph auth get-or-create client.testuser mon 'allow *' osd 'allow rw pool=rbdpool'
Error EINVAL: key for client.testuser exists but cap mon does not match
[root@ceph-admin ~]# ceph auth get-or-create client.testuser mon 'allow r' osd 'allow rw'
[client.testuser]
    key = AQAoaThjCJLsBhAA8gwl/UQkjjSF+DwB6oB/wg==
[root@ceph-admin ~]# ceph auth get-or-create client.tom mon 'allow *' osd 'allow rw pool=rbdpool'
[client.tom]
    key = AQBcajhj8INfChAAKKFCESxmbHFJqAwiRE4ufg==
[root@ceph-admin ~]# ceph auth get client.tom
exported keyring for client.tom
[client.tom]
    key = AQBcajhj8INfChAAKKFCESxmbHFJqAwiRE4ufg==
    caps mon = "allow *"
    caps osd = "allow rw pool=rbdpool"
[root@ceph-admin ~]#
Note: when adding a user with ceph auth get-or-create, if the user exists but the caps do not match, the command reports that the user exists with non-matching caps; if the user exists and the caps match, it returns that user's key; if the user does not exist, it is created and its key is returned.
ceph auth get-or-create-key: convenience method; creates the user and returns its key, or returns the key if the user already exists.
[root@ceph-admin ~]# ceph auth get-or-create-key client.testuser mon 'allow r' osd 'allow *'
Error EINVAL: key for client.testuser exists but cap osd does not match
[root@ceph-admin ~]# ceph auth get-or-create-key client.testuser mon 'allow r' osd 'allow rw'
AQAoaThjCJLsBhAA8gwl/UQkjjSF+DwB6oB/wg==
[root@ceph-admin ~]# ceph auth get-or-create-key client.jerry mon 'allow r' osd 'allow rw'
AQDDazhjLbMTIhAADsXyBkPS079vU7dqGs2E+A==
[root@ceph-admin ~]# ceph auth get client.jerry
exported keyring for client.jerry
[client.jerry]
    key = AQDDazhjLbMTIhAADsXyBkPS079vU7dqGs2E+A==
    caps mon = "allow r"
    caps osd = "allow rw"
[root@ceph-admin ~]#
Note: this command behaves like get-or-create: if the user exists and the caps match, it returns the key; if they do not match, it reports that the user exists but the caps differ; if the user does not exist, it is created and the key returned. The difference is the output format: get-or-create prints the keyring-file format, whereas get-or-create-key prints only the key value, without the leading key = .
Caution: a typical user has at least read capability on the Ceph monitors and read and write capability on the Ceph OSDs. A user's OSD permission should normally be restricted to specific pools; otherwise the user has access to every pool in the cluster.
Print a user's key: ceph auth print-key TYPE.ID
[root@ceph-admin ~]# ceph auth print-key client.jerry
AQDDazhjLbMTIhAADsXyBkPS079vU7dqGs2E+A==[root@ceph-admin ~]#
Import a user: ceph auth import
[root@ceph-admin ~]# ll
total 16
-rw-r--r-- 1 root root 1568 Sep 25 11:40 ceph-deploy-ceph.log
-rw-r--r-- 1 root root  151 Oct  2 00:14 client.admin.cluster.keyring
-rw-r--r-- 1 root root  151 Oct  2 00:14 client.admin.keyring
-rw-r--r-- 1 root root  164 Oct  2 00:43 client.test.keyring
[root@ceph-admin ~]# cat client.test.keyring
[client.test]
    key = AQB94C1jTO8jJhAAY4Zhy40wduyIONnRqxtkEA==
    caps mds = "allow *"
    caps mgr = "allow *"
    caps mon = "allow r"
    caps osd = "allow rw pool=rbdpool"
[root@ceph-admin ~]# ceph auth get client.test
Error ENOENT: failed to find client.test in keyring
[root@ceph-admin ~]# ceph auth import -i client.test.keyring
imported keyring
[root@ceph-admin ~]# ceph auth get client.test
exported keyring for client.test
[client.test]
    key = AQB94C1jTO8jJhAAY4Zhy40wduyIONnRqxtkEA==
    caps mds = "allow *"
    caps mgr = "allow *"
    caps mon = "allow r"
    caps osd = "allow rw pool=rbdpool"
[root@ceph-admin ~]#
Note: importing a user from a keyring file requires the -i option to name the keyring file to import.
Modify a user's caps: ceph auth caps TYPE.ID daemon 'allow [r|w|x|*|…] [pool=pool-name] [namespace=namespace-name]' …
[root@ceph-admin ~]# ceph auth get client.test
exported keyring for client.test
[client.test]
    key = AQB94C1jTO8jJhAAY4Zhy40wduyIONnRqxtkEA==
    caps mds = "allow *"
    caps mgr = "allow *"
    caps mon = "allow r"
    caps osd = "allow rw pool=rbdpool"
[root@ceph-admin ~]# ceph auth caps client.test mds 'allow rw' mgr 'allow r' mon 'allow rw'
updated caps for client.test
[root@ceph-admin ~]# ceph auth get client.test
exported keyring for client.test
[client.test]
    key = AQB94C1jTO8jJhAAY4Zhy40wduyIONnRqxtkEA==
    caps mds = "allow rw"
    caps mgr = "allow r"
    caps mon = "allow rw"
[root@ceph-admin ~]# ceph auth caps client.test mds 'allow rw' mgr 'allow r' mon 'allow rw' osd 'allow rw pool=rbdpool'
updated caps for client.test
[root@ceph-admin ~]# ceph auth get client.test
exported keyring for client.test
[client.test]
    key = AQB94C1jTO8jJhAAY4Zhy40wduyIONnRqxtkEA==
    caps mds = "allow rw"
    caps mgr = "allow r"
    caps mon = "allow rw"
    caps osd = "allow rw pool=rbdpool"
[root@ceph-admin ~]#
Note: this command replaces the user's existing caps, so it is advisable to check the user's current caps first with ceph auth get TYPE.ID. To add a cap, restate the existing caps together with the new one; to remove a permission, simply leave it out.
Delete a user: ceph auth del TYPE.ID
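The capability meanings listed earlier, the caution that an ordinary user should hold no more than read on the monitors and pool-scoped access on the OSDs, and the fact that ceph auth caps replaces every cap the user had, come together in the following Python example. It is added here and is not code from the post or from Ceph: it parses keyring text in the format ceph auth get prints, evaluates a cap string against a pool, audits client users against that guidance, and assembles a complete ceph auth caps command that restates the caps you want to keep. The sample keyring is constructed, with placeholder key values; the audit thresholds are the post's guidance, not a Ceph rule, and the parser covers only the allow/pool/namespace/profile forms the post shows.

```python
import re

# Constructed sample in the keyring format that `ceph auth get` prints; key values are placeholders.
SAMPLE_KEYRING = """\
[client.admin]
	key = PLACEHOLDER_KEY_ADMIN==
	caps mon = "allow *"
	caps osd = "allow *"
[client.test]
	key = PLACEHOLDER_KEY_TEST==
	caps mds = "allow *"
	caps mgr = "allow *"
	caps mon = "allow r"
	caps osd = "allow rw pool=rbdpool"
[client.jerry]
	key = PLACEHOLDER_KEY_JERRY==
	caps mon = "allow r"
	caps osd = "allow rw"
[client.tom]
	key = PLACEHOLDER_KEY_TOM==
	caps mon = "allow *"
	caps osd = "allow rw pool=rbdpool"
"""

def parse_keyring(text):
    """Parse keyring text into {entity: {"key": str, "caps": {daemon: cap string}}}."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := re.fullmatch(r"\[(\S+)\]", line):
            current = entries.setdefault(m.group(1), {"key": None, "caps": {}})
        elif current is None:
            raise ValueError(f"line before any [entity] header: {line!r}")
        elif m := re.fullmatch(r'caps\s+(\w+)\s*=\s*"([^"]*)"', line):
            current["caps"][m.group(1)] = m.group(2)
        elif m := re.fullmatch(r"key\s*=\s*(\S+)", line):
            current["key"] = m.group(1)
    return entries

def parse_cap(cap):
    """Split a mon/osd cap string such as 'allow r pool=a, allow rw pool=b' into grants."""
    grants = []
    for clause in cap.split(","):
        tokens = clause.split()
        if not tokens or tokens[0] != "allow":
            raise ValueError(f"unsupported cap clause: {clause!r}")
        g = {"perms": set(), "pool": None, "namespace": None, "profile": None}
        it = iter(tokens[1:])
        for tok in it:
            if tok == "profile":               # 'allow profile osd' names a profile
                g["profile"] = next(it)
            elif tok.startswith("pool="):
                g["pool"] = tok[len("pool="):]
            elif tok.startswith("namespace="):
                g["namespace"] = tok[len("namespace="):]
            elif tok == "*":                   # read, write, execute and admin commands
                g["perms"] = {"r", "w", "x"}
            elif tok in ("class-read", "class-write"):
                g["perms"].add(tok)
            elif set(tok) <= {"r", "w", "x"}:
                g["perms"] |= set(tok)
            else:
                raise ValueError(f"unknown cap token: {tok!r}")
        grants.append(g)
    return grants

def can_access(cap, pool, want):
    """True if some grant covers `pool` (or is unrestricted) with every permission in `want`."""
    return any(g["pool"] in (None, pool) and set(want) <= g["perms"] for g in parse_cap(cap))

def audit_least_privilege(entries):
    """Flag ordinary client users whose mon cap exceeds read or whose OSD cap is not pool-scoped;
    client.admin and the bootstrap users are expected to be broad and are skipped."""
    findings = {}
    for name, entry in entries.items():
        if not name.startswith("client.") or name == "client.admin" or name.startswith("client.bootstrap-"):
            continue
        problems, caps = [], entry["caps"]
        if "mon" in caps and any(g["perms"] - {"r"} for g in parse_cap(caps["mon"])):
            problems.append(f"mon cap {caps['mon']!r} grants more than read")
        if "osd" in caps and any(g["pool"] is None for g in parse_cap(caps["osd"])):
            problems.append(f"osd cap {caps['osd']!r} is not limited to a pool")
        if problems:
            findings[name] = problems
    return findings

def build_caps_command(entries, entity, updates):
    """`ceph auth caps` replaces ALL of a user's caps, so restate the existing ones and apply
    `updates` (daemon -> new cap string, or None to drop that daemon's cap)."""
    merged = {**entries[entity]["caps"], **updates}
    merged = {daemon: cap for daemon, cap in merged.items() if cap is not None}
    argv = ["ceph", "auth", "caps", entity]
    for daemon in sorted(merged):
        argv += [daemon, merged[daemon]]
    return argv
```

build_caps_command returns an argv list so it can be passed straight to subprocess.run; for client.test it restates the mds, mgr and mon caps before the osd cap, which is exactly what the ceph auth caps session above had to type by hand to avoid dropping them.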
[root@ceph-admin ~]# ceph auth del client.test
updated
[root@ceph-admin ~]# ceph auth del client.tom
updated
[root@ceph-admin ~]# ceph auth del client.jerry
updated
[root@ceph-admin ~]# ceph auth del client.testuser
updated
[root@ceph-admin ~]# ceph auth get client.testuser
Error ENOENT: failed to find client.testuser in keyring
[root@ceph-admin ~]#
Keyring
When a client accesses the Ceph cluster it looks for a keyring locally. By default Ceph searches the following four keyring names:
• /etc/ceph/cluster-name.user-name.keyring: keyring holding a single user
• /etc/ceph/cluster.keyring: keyring holding multiple users
• /etc/ceph/keyring
• /etc/ceph/keyring.bin
cluster-name is the cluster name and user-name is the user identifier (TYPE.ID); the keyring file for client.admin on a cluster named ceph is therefore ceph.client.admin.keyring.
Managing keyrings
Create a keyring: ceph-authtool --create-keyring /path/to/keyring
[root@ceph-admin ~]# ceph-authtool --create-keyring ./client.abc.keyring
creating ./client.abc.keyring
[root@ceph-admin ~]# cat ./client.abc.keyring
[root@ceph-admin ~]#
Note: a newly created keyring file is empty. Add the user with ceph auth add, then write that user's information into the keyring file with ceph auth get or ceph auth export. On naming: keyring files normally live in /etc/ceph so that clients find them automatically; a keyring holding multiple users should be named cluster-name.keyring, and a keyring holding a single user cluster-name.user-name.keyring. That is the standard keyring naming scheme.
Merge a user's keyring into a combined keyring file: ceph-authtool /etc/ceph/cluster-name.keyring --import-keyring /etc/ceph/cluster-name.user-name.keyring
[root@ceph-admin ~]# ll
total 16
-rw-r--r-- 1 root root 1568 Sep 25 11:40 ceph-deploy-ceph.log
-rw------- 1 root root    0 Oct  2 00:57 client.abc.keyring
-rw-r--r-- 1 root root  151 Oct  2 00:14 client.admin.cluster.keyring
-rw-r--r-- 1 root root  151 Oct  2 00:14 client.admin.keyring
-rw-r--r-- 1 root root  164 Oct  2 00:43 client.test.keyring
[root@ceph-admin ~]# cat client.test.keyring
[client.test]
    key = AQB94C1jTO8jJhAAY4Zhy40wduyIONnRqxtkEA==
    caps mds = "allow *"
    caps mgr = "allow *"
    caps mon = "allow r"
    caps osd = "allow rw pool=rbdpool"
[root@ceph-admin ~]# ceph-authtool ./client.test.keyring --import-keyring ./client.admin.keyring
importing contents of ./client.admin.keyring into ./client.test.keyring
[root@ceph-admin ~]# cat client.test.keyring
[client.admin]
    key = AQB94C1jTO8jJhAAY4Zhy40wduyIONnRqxtkEA==
    caps mds = "allow *"
    caps mgr = "allow *"
    caps mon = "allow *"
    caps osd = "allow *"
[client.test]
    key = AQB94C1jTO8jJhAAY4Zhy40wduyIONnRqxtkEA==
    caps mds = "allow *"
    caps mgr = "allow *"
    caps mon = "allow r"
    caps osd = "allow rw pool=rbdpool"
[root@ceph-admin ~]#
Managing users with ceph-authtool
ceph-authtool can directly create users, grant caps and create keyrings
Command help
[root@ceph-admin ~]# ceph-authtool -h
usage: ceph-authtool keyringfile [OPTIONS]...
where the options are:
  -l, --list                    will list all keys and capabilities present in the keyring
  -p, --print-key               will print an encoded key for the specified entityname. This is suitable for the 'mount -o secret=..' argument
  -C, --create-keyring          will create a new keyring, overwriting any existing keyringfile
  -g, --gen-key                 will generate a new secret key for the specified entityname
  --gen-print-key               will generate a new secret key without set it to the keyringfile, prints the secret to stdout
  --import-keyring FILE         will import the content of a given keyring into the keyringfile
  -n NAME, --name NAME          specify entityname to operate on
  -u AUID, --set-uid AUID       sets the auid (authenticated user id) for the specified entityname
  -a BASE64, --add-key BASE64   will add an encoded key to the keyring
  --cap SUBSYSTEM CAPABILITY    will set the capability for given subsystem
  --caps CAPSFILE               will set all of capabilities associated with a given key, for all subsystems
  --mode MODE                   will set the desired file mode to the keyring e.g: '0644', defaults to '0600'
[root@ceph-admin ~]#
Note: -l or --list lists all users; -p prints the given user's key; -C creates a keyring file; -g generates a key for the given user; -n specifies the user name; --cap specifies capabilities; --mode sets the permission bits of the keyring file, which default to 0600, i.e. only root or the owning user can read and write it.
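The note above says ceph-authtool writes keyrings as 0600 by default, and the keyring section earlier gives the names clients search for (cluster-name.keyring, cluster-name.TYPE.ID.keyring, keyring and keyring.bin). The following Python example, added here and not code from the post or from Ceph, creates keyrings with that mode from the first instant and audits a directory for keyrings that group or other can read, or that are named outside the scheme. The directory, its files and the key values are constructed in a temporary directory, and the name pattern is my own approximation of the scheme.

```python
import os
import re
import stat
import tempfile

# Assumed name pattern for cluster-name.keyring and cluster-name.TYPE.ID.keyring
# (cluster names here are letters, digits, '-' and '_'); keyring and keyring.bin are allowed as-is.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+(\.[a-z]+\.[A-Za-z0-9_-]+)?\.keyring$")

def keyring_name_ok(filename):
    return filename in ("keyring", "keyring.bin") or NAME_RE.match(filename) is not None

def write_keyring(path, text):
    """Create the keyring with mode 0600 from the start (ceph-authtool's default --mode),
    so there is no window in which group or other can read the key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    return path

def audit_keyring_dir(directory):
    """Return {filename: [problems]} for keyrings whose mode lets group/other in, or whose
    name does not follow the scheme clients search for."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        if not (name.endswith(".keyring") or name in ("keyring", "keyring.bin")):
            continue
        problems = []
        mode = stat.S_IMODE(os.stat(os.path.join(directory, name)).st_mode)
        if mode & 0o077:
            problems.append(f"mode {mode:04o} is accessible beyond the owner (expected 0600)")
        if not keyring_name_ok(name):
            problems.append("name is not cluster-name.keyring or cluster-name.TYPE.ID.keyring")
        if problems:
            findings[name] = problems
    return findings

def demo():
    """Constructed /etc/ceph look-alike in a temp dir: one correct file, one too-open file,
    and one named without the cluster prefix (as the files in this post are)."""
    d = tempfile.mkdtemp()
    key = "PLACEHOLDER_KEY==\n"  # constructed, not a real secret
    write_keyring(os.path.join(d, "ceph.client.admin.keyring"), "[client.admin]\n\tkey = " + key)
    loose = write_keyring(os.path.join(d, "ceph.keyring"), "[client.usera]\n\tkey = " + key)
    os.chmod(loose, 0o644)  # simulate a keyring copied over with a permissive umask
    write_keyring(os.path.join(d, "client.usera.keyring"), "[client.usera]\n\tkey = " + key)
    return audit_keyring_dir(d)

if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, problems)
```

Pointing audit_keyring_dir at a real /etc/ceph turns the two conventions in the post into a repeatable check; the mode test is the one that matters most, because a keyring readable by other users hands out the client secret that the whole CephX exchange rests on.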
[root@ceph-admin ~]# ceph-authtool -C client.usera.keyring -n client.usera --gen-key --cap mon 'allow r' --cap osd 'allow rw pool=rbdpool'
creating client.usera.keyring
[root@ceph-admin ~]# ll
total 20
-rw-r--r-- 1 root root 1568 Sep 25 11:40 ceph-deploy-ceph.log
-rw------- 1 root root    0 Oct  2 00:57 client.abc.keyring
-rw-r--r-- 1 root root  151 Oct  2 00:14 client.admin.cluster.keyring
-rw-r--r-- 1 root root  151 Oct  2 00:14 client.admin.keyring
-rw-r--r-- 1 root root  315 Oct  2 01:03 client.test.keyring
-rw------- 1 root root  121 Oct  2 01:25 client.usera.keyring
[root@ceph-admin ~]# ceph auth get client.usera
Error ENOENT: failed to find client.usera in keyring
[root@ceph-admin ~]# cat client.usera.keyring
[client.usera]
    key = AQAIeDhjTnmLGhAAWgL3GqtJsPwmOD6CPbJO8Q==
    caps mon = "allow r"
    caps osd = "allow rw pool=rbdpool"
[root@ceph-admin ~]#
Note: a user added this way exists only in the keyring file, not in the Ceph cluster; the user information in the keyring file still has to be imported into the cluster.
[root@ceph-admin ~]# ceph auth add client.usera -i client.usera.keyring
added key for client.usera
[root@ceph-admin ~]# ceph auth get client.usera
exported keyring for client.usera
[client.usera]
    key = AQAIeDhjTnmLGhAAWgL3GqtJsPwmOD6CPbJO8Q==
    caps mon = "allow r"
    caps osd = "allow rw pool=rbdpool"
[root@ceph-admin ~]#
Note: the command above is equivalent to ceph auth import.