ceph/man/ceph-authtool.8

189 lines
4.7 KiB
Groff
Raw Normal View History

.TH "CEPH-AUTHTOOL" "8" "May 21, 2012" "dev" "Ceph"
2010-02-09 18:14:13 +00:00
.SH NAME
ceph-authtool \- ceph keyring manipulation tool
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.\" Man page generated from reStructeredText.
.
2010-02-09 18:14:13 +00:00
.SH SYNOPSIS
.nf
\fBceph\-authtool\fP \fIkeyringfile\fP [ \-l | \-\-list ] [ \-C | \-\-create\-keyring
] [ \-p | \-\-print ] [ \-n | \-\-name \fIentityname\fP ] [ \-\-gen\-key ] [ \-a |
\-\-add\-key \fIbase64_key\fP ] [ \-\-caps \fIcapfils\fP ]
.fi
.sp
2010-02-09 18:14:13 +00:00
.SH DESCRIPTION
.sp
\fBceph\-authtool\fP is a utility to create, view, and modify a Ceph keyring
file. A keyring file stores one or more Ceph authentication keys and
possibly an associated capability specification. Each key is
associated with an entity name, of the form
\fB{client,mon,mds,osd}.name\fP.
.sp
\fBWARNING\fP Ceph provides authentication and protection against
man\-in\-the\-middle attacks once secret keys are in place. However,
data over the wire is not encrypted, which may include the messages
used to configure said keys. The system is primarily intended to be
used in trusted environments.
2010-02-09 18:14:13 +00:00
.SH OPTIONS
.INDENT 0.0
2010-02-09 18:14:13 +00:00
.TP
.B \-l, \-\-list
will list all keys and capabilities present in the keyring
.UNINDENT
.INDENT 0.0
2010-02-09 18:14:13 +00:00
.TP
.B \-p, \-\-print
will print an encoded key for the specified entityname. This is
suitable for the \fBmount \-o secret=\fP argument
.UNINDENT
.INDENT 0.0
2010-02-09 18:14:13 +00:00
.TP
.B \-C, \-\-create\-keyring
will create a new keyring, overwriting any existing keyringfile
.UNINDENT
.INDENT 0.0
2010-02-09 18:14:13 +00:00
.TP
.B \-\-gen\-key
will generate a new secret key for the specified entityname
.UNINDENT
.INDENT 0.0
2010-02-09 18:14:13 +00:00
.TP
.B \-\-add\-key
will add an encoded key to the keyring
.UNINDENT
.INDENT 0.0
2010-02-09 18:14:13 +00:00
.TP
.B \-\-cap subsystem capability
will set the capability for given subsystem
.UNINDENT
.INDENT 0.0
2010-09-17 18:48:57 +00:00
.TP
.B \-\-caps capsfile
will set all of capabilities associated with a given key, for all subsystems
.UNINDENT
2010-09-17 18:48:57 +00:00
.SH CAPABILITIES
.sp
The subsystem is the name of a Ceph subsystem: \fBmon\fP, \fBmds\fP, or
\fBosd\fP.
.sp
The capability is a string describing what the given user is allowed
to do. This takes the form of a comma separated list of allow, deny
clauses with a permission specifier containing one or more of rwx for
read, write, and execute permission. The \fBallow *\fP grants full
superuser permissions for the given subsystem.
.sp
For example:
.sp
.nf
.ft C
# can read, write, and execute objects
osd = "allow rwx [pool=foo[,bar]]|[uid=baz[,bay]]"
2010-09-17 18:48:57 +00:00
# can access mds server
mds = "allow"
2010-09-17 18:48:57 +00:00
# can modify cluster state (i.e., is a server daemon)
mon = "allow rwx"
.ft P
.fi
.sp
A librados user restricted to a single pool might look like:
.sp
.nf
.ft C
2010-02-09 18:14:13 +00:00
osd = "allow rw pool foo"
.ft P
.fi
.sp
A client mounting the file system with minimal permissions would need caps like:
.sp
.nf
.ft C
2010-02-09 18:14:13 +00:00
mds = "allow"
osd = "allow rw pool=data"
2010-09-17 18:48:57 +00:00
mon = "allow r"
.ft P
.fi
2010-09-17 18:48:57 +00:00
.SH CAPS FILE FORMAT
.sp
The caps file format consists of zero or more key/value pairs, one per
line. The key and value are separated by an \fB=\fP, and the value must
be quoted (with \fB\(aq\fP or \fB"\fP) if it contains any whitespace. The key
is the name of the Ceph subsystem (\fBosd\fP, \fBmds\fP, \fBmon\fP), and the
value is the capability string (see above).
2010-02-09 18:14:13 +00:00
.SH EXAMPLE
.sp
To create a new keyring containing a key for client.foo:
.sp
.nf
.ft C
ceph\-authtool \-C \-n client.foo \-\-gen\-key keyring
.ft P
.fi
.sp
To associate some capabilities with the key (namely, the ability to
mount a Ceph filesystem):
.sp
.nf
.ft C
ceph\-authtool \-n client.foo \-\-cap mds \(aqallow\(aq \-\-cap osd \(aqallow rw pool=data\(aq \-\-cap mon \(aqallow r\(aq keyring
.ft P
.fi
.sp
2010-02-09 18:14:13 +00:00
To display the contents of the keyring:
.sp
.nf
.ft C
ceph\-authtool \-l keyring
.ft P
.fi
.sp
When mount a Ceph file system, you can grab the appropriately encoded secret key with:
.sp
.nf
.ft C
mount \-t ceph serverhost:/ mountpoint \-o name=foo,secret=\(gaceph\-authtool \-p \-n client.foo keyring\(ga
.ft P
.fi
2010-02-09 18:14:13 +00:00
.SH AVAILABILITY
.sp
\fBceph\-authtool\fP is part of the Ceph distributed file system. Please
refer to the Ceph wiki at \fI\%http://ceph.newdream.net/wiki\fP for more
information.
2010-02-09 18:14:13 +00:00
.SH SEE ALSO
.sp
\fBceph\fP(8)
.SH COPYRIGHT
2012, New Dream Network
.\" Generated by docutils manpage writer.
.\"
.