ceph/doc/config-cluster/authentication.rst

================
 Authentication
================

Default users and pools are suitable for initial testing purposes. For test bed 
and production environments, you should create users and assign pool access to 
the users. For user management, see the `ceph-authtool`_ command for details.

Enabling Authentication
-----------------------
In the ``[global]`` settings of your ``ceph.conf`` file, you must enable 
authentication for your cluster. ::

	[global]
		auth supported = cephx

The valid values are ``cephx`` or ``none``. If you specify ``cephx``, you should
also specify the keyring's path. We recommend using the ``/etc/ceph`` directory.
Provide a ``keyring`` setting in ``ceph.conf`` like this::

	[global]
		auth supported = cephx
		keyring = /etc/ceph/keyring.bin	

If there is no keyring in the path, generate one.  

Generating a Keyring
--------------------
To generate a keyring in the default location, use the ``ceph-authtool`` and 
specify the same path you specified in the ``[global]`` section of your 
``ceph.conf`` file. For example::

	sudo ceph-authtool --create-keyring /etc/ceph/keyring.bin	

Specify Keyrings for each Daemon
--------------------------------
In your ``ceph.conf`` file under the daemon settings, you must also specify the
keyring directory and keyring name. The metavariable ``$name`` resolves 
automatically. ::

	[mon]
		keyring = /etc/ceph/keyring.$name
		
	[osd]
		keyring = /etc/ceph/keyring.$name

	[mds]
		keyring = /etc/ceph/keyring.$name		

Generate a Key
--------------
Keys enable a specific user to access the monitor, metadata server and cluster
according to capabilities assigned to the key. To generate a key for a user,
you must specify specify a path to the keyring and a username. Replace 
the ``{keyring/path}`` and ``{username}`` below. ::

	sudo ceph-authtool {keyring/path} -n client.{username} --gen-key

For example:: 

	sudo ceph-authtool /etc/ceph/keyring.bin -n client.whirlpool --gen-key
	
.. note: User names are associated to user types, which include ``client``
   ``admin``, ``osd``, ``mon``, and ``mds``. In most cases, you will be 
   creating keys for ``client`` users.

List Keys
---------
To see a list of keys in a keyring, execute the following::

	sudo ceph-authtool /etc/ceph/keyring.bin --list
	
A keyring will display the user, the user's key, and the capabilities
associated to the user's key.

Add Capabilities to a Key
-------------------------
To add capabilities to a key, you must specify the username, and a capability 
for at least one of the monitor, metadata server and OSD. You may add more than
one capability when executing the ``ceph-authtool`` command. Replace the 
``{usertype.username}``, ``{daemontype}`` and ``{capability}`` below::  

	sudo ceph-authtool -n {usertype.username} --cap {daemontype} {capability}

For example:: 

	ceph-authtool -n client.whirlpool --cap mds 'allow' --cap osd 'allow rw pool=swimmingpool' --cap mon 'allow r' /etc/ceph/keyring.bin

Add the Keys to your Cluster
----------------------------
Once you have generated keys and added capabilities to the keys, add each of the
keys to your cluster. Replace the ``{usertype.username}`` below. ::

	sudo ceph auth add {usertype.username} -i /etc/ceph/keyring.bin

For example:: 

	sudo ceph auth add client.whirlpool -i /etc/ceph/keyring.bin
	
To list the keys in your cluster, execute the following:: 

	sudo ceph auth list

The ``client.admin`` Key
------------------------
Each Ceph command you execute on the command line assumes that you are
the ``client.admin`` default user. When running Ceph with ``cephx`` enabled,
you need to have a ``client.admin`` key to run ``ceph`` commands.

.. important: To continue to run Ceph commands on the command line with
   ``cephx`` enabled, you need to create a key for the ``client.admin`` 
   user, and create a secret file under ``/etc/ceph``. 
   
::
   
	sudo ceph-authtool /etc/ceph/keyring.bin -n client.admin --gen-key
	sudo ceph-authtool -n client.admin --cap mds 'allow' --cap osd 'allow *' --cap mon 'allow *' /etc/ceph/keyring.bin
	sudo ceph auth add client.admin -i /etc/ceph/keyring.bin


.. _ceph-authtool: http://ceph.com/docs/master/man/8/ceph-authtool/
doc: Added pools and authentication. Signed-off-by: John Wilkins <john.wilkins@inktank.com> 2012-05-30 20:48:04 +00:00			`================`
			`Authentication`
			`================`

			`Default users and pools are suitable for initial testing purposes. For test bed`
			`and production environments, you should create users and assign pool access to`
			the users. For user management, see the `ceph-authtool`_ command for details.

			`Enabling Authentication`
			`-----------------------`
			In the ``[global]`` settings of your ``ceph.conf`` file, you must enable
			`authentication for your cluster. ::`

			`[global]`
			`auth supported = cephx`

			The valid values are ``cephx`` or ``none``. If you specify ``cephx``, you should
			also specify the keyring's path. We recommend using the ``/etc/ceph`` directory.
			Provide a ``keyring`` setting in ``ceph.conf`` like this::

			`[global]`
			`auth supported = cephx`
			`keyring = /etc/ceph/keyring.bin`

			`If there is no keyring in the path, generate one.`

			`Generating a Keyring`
			`--------------------`
			To generate a keyring in the default location, use the ``ceph-authtool`` and
			specify the same path you specified in the ``[global]`` section of your
			``ceph.conf`` file. For example::

			`sudo ceph-authtool --create-keyring /etc/ceph/keyring.bin`

			`Specify Keyrings for each Daemon`
			`--------------------------------`
			In your ``ceph.conf`` file under the daemon settings, you must also specify the
			keyring directory and keyring name. The metavariable ``$name`` resolves
			`automatically. ::`

			`[mon]`
			`keyring = /etc/ceph/keyring.$name`

			`[osd]`
			`keyring = /etc/ceph/keyring.$name`

			`[mds]`
			`keyring = /etc/ceph/keyring.$name`

			`Generate a Key`
			`--------------`
			`Keys enable a specific user to access the monitor, metadata server and cluster`
			`according to capabilities assigned to the key. To generate a key for a user,`
			`you must specify specify a path to the keyring and a username. Replace`
			the ``{keyring/path}`` and ``{username}`` below. ::

			`sudo ceph-authtool {keyring/path} -n client.{username} --gen-key`

			`For example::`

			`sudo ceph-authtool /etc/ceph/keyring.bin -n client.whirlpool --gen-key`

			.. note: User names are associated to user types, which include ``client``
			``admin``, ``osd``, ``mon``, and ``mds``. In most cases, you will be
			creating keys for ``client`` users.

			`List Keys`
			`---------`
			`To see a list of keys in a keyring, execute the following::`

			`sudo ceph-authtool /etc/ceph/keyring.bin --list`

			`A keyring will display the user, the user's key, and the capabilities`
			`associated to the user's key.`

			`Add Capabilities to a Key`
			`-------------------------`
			`To add capabilities to a key, you must specify the username, and a capability`
			`for at least one of the monitor, metadata server and OSD. You may add more than`
			one capability when executing the ``ceph-authtool`` command. Replace the
			``{usertype.username}``, ``{daemontype}`` and ``{capability}`` below::

			`sudo ceph-authtool -n {usertype.username} --cap {daemontype} {capability}`

			`For example::`

			`ceph-authtool -n client.whirlpool --cap mds 'allow' --cap osd 'allow rw pool=swimmingpool' --cap mon 'allow r' /etc/ceph/keyring.bin`

			`Add the Keys to your Cluster`
			`----------------------------`
			`Once you have generated keys and added capabilities to the keys, add each of the`
			keys to your cluster. Replace the ``{usertype.username}`` below. ::

			`sudo ceph auth add {usertype.username} -i /etc/ceph/keyring.bin`

			`For example::`

			`sudo ceph auth add client.whirlpool -i /etc/ceph/keyring.bin`

			`To list the keys in your cluster, execute the following::`

			`sudo ceph auth list`

			The ``client.admin`` Key
			`------------------------`
			`Each Ceph command you execute on the command line assumes that you are`
			the ``client.admin`` default user. When running Ceph with ``cephx`` enabled,
			you need to have a ``client.admin`` key to run ``ceph`` commands.

			`.. important: To continue to run Ceph commands on the command line with`
			``cephx`` enabled, you need to create a key for the ``client.admin``
			user, and create a secret file under ``/etc/ceph``.

			`::`

			`sudo ceph-authtool /etc/ceph/keyring.bin -n client.admin --gen-key`
			`sudo ceph-authtool -n client.admin --cap mds 'allow' --cap osd 'allow ' --cap mon 'allow ' /etc/ceph/keyring.bin`
			`sudo ceph auth add client.admin -i /etc/ceph/keyring.bin`


			`.. _ceph-authtool: http://ceph.com/docs/master/man/8/ceph-authtool/`