2010-02-09 18:14:13 +00:00
.TH CAUTHTOOL 8
.SH NAME
cauthtool \- ceph keyring manipulation tool
.SH SYNOPSIS
.B cauthtool
\fIkeyringfile\fP
[ \fB\-l\fR | \fB\-\-list\fR ]
[ \fB\-c\fR | \fB\-\-create\-keyring\fR ]
[ \fB\-p\fR | \fB\-\-print\fR ]
[ \fB\-n\fR | \fB\-\-name\fR \fIentityname\fP ]
[ \fB\-\-gen\-key\fR ]
[ \fB\-a\fR | \fB\-\-add\-key\fR \fIbase64_key\fP ]
[ \fB\-\-cap\fR \fIsubsystem\fP \fIcapability\fP ]
[ \fB\-\-caps\fR \fIcapsfile\fP ]
.SH DESCRIPTION
.B cauthtool
is a utility to create, view, and modify a Ceph keyring file. A keyring
file stores one or more Ceph authentication keys and possibly an
associated capability specification. Each key is associated with an
entity name, of the form \fI{client,mon,mds,osd}.name\fP.
.SH OPTIONS
.TP
\fB\-l\fP, \fB\-\-list\fP
will list all keys and capabilities present in the keyring.
.TP
\fB\-p\fP, \fB\-\-print\fP
will print an encoded key for the specified \fIentityname\fP. This is suitable for the \fBmount \-o secret=\fP argument.
.TP
\fB\-c\fP, \fB\-\-create\-keyring\fP
will create a new keyring, overwriting any existing \fIkeyringfile\fP.
.TP
\fB\-n\fP, \fB\-\-name\fP \fIentityname\fP
will select the entity name that the key operations below apply to.
.TP
\fB\-\-gen\-key\fP
will generate a new secret key for the specified \fIentityname\fP.
.TP
\fB\-a\fP, \fB\-\-add\-key\fP \fIbase64_key\fP
will add an encoded key to the keyring for the specified \fIentityname\fP.
.TP
\fB\-\-cap\fP \fIsubsystem\fP \fIcapability\fP
will set the capability for the given subsystem.
.TP
\fB\-\-caps\fP \fIcapsfile\fP
will set all capabilities associated with the given key, for all subsystems, from \fIcapsfile\fP.
.SH CAPABILITIES
The \fI subsystem\fP is the name of a Ceph subsystem: mon, mds, or osd.
.PP
The \fIcapability\fP is a string describing what the given user is
allowed to do. It takes the form of a comma separated list of
allow/deny clauses, each with a permission specifier containing one or more
of \fIrwx\fP for read, write, and execute permission. The clause "allow *" grants
full superuser permissions for the given subsystem.
.PP
For example,
.IP
osd = "allow rwx [pool=foo[,bar]]|[uid=baz[,bay]]" # can read, write, and execute objects
.IP
mds = "allow" # can access mds server
.IP
mon = "allow rwx" # can modify cluster state (i.e., is a server daemon)
.PP
A librados user restricted to a single pool might look like
.IP
osd = "allow rw pool foo"
.PP
A client mounting the file system with minimal permissions would need caps like
.IP
mds = "allow"
.IP
osd = "allow rw pool=data"
.IP
mon = "allow r"
.PP
.SH CAPS FILE FORMAT
The caps file format consists of zero or more key/value pairs, one per line. The key and value are separated by an '=', and the value must be quoted (with ' or ") if it contains any whitespace. The key is the name of the Ceph
subsystem (osd, mds, mon), and the value is the capability string for that subsystem (see \fBCAPABILITIES\fP above).
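.PP
The following is an added example and not part of cauthtool or Ceph: a small Python parser for the caps file lines and the capability strings described in the two sections above, plus a check that reports which subsystems a caps file grants full "allow *" access to. Skipping blank lines, and treating whatever follows the permission set (for example pool=data) as an opaque qualifier, are assumptions of the example rather than documented behaviour.

```python
# Added example, not cauthtool's or Ceph's code: a parser for the caps file and
# capability string syntax in this man page. Assumed: blank lines are skipped and
# text after the rwx/"*" permission set (e.g. pool=data) is an opaque qualifier.
import re

SUBSYSTEMS = ("mon", "mds", "osd")
# Split clauses only at a comma followed by allow/deny, so pool=foo,bar stays whole.
CLAUSE_SPLIT = re.compile(r",\s*(?=(?:allow|deny)\b)")

# Constructed caps file for the minimal-permission mount client shown above.
SAMPLE_CAPS_FILE = """mds = allow
osd = 'allow rw pool=data'
mon = "allow r"
"""

def parse_caps_file(text):
    """Return {subsystem: capability string} parsed from caps file text."""
    caps = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = (s.strip() for s in line.partition("="))
        if not sep or key not in SUBSYSTEMS:
            raise ValueError(f"line {lineno}: expected <mon|mds|osd> = capability")
        if value[:1] in ("'", '"'):  # quoted value: quotes must match
            if len(value) < 2 or value[-1] != value[0]:
                raise ValueError(f"line {lineno}: unterminated quote")
            value = value[1:-1]
        elif any(c.isspace() for c in value):
            raise ValueError(f"line {lineno}: value with whitespace must be quoted")
        caps[key] = value
    return caps

def parse_capability(cap):
    """Split a capability string into (verb, perms, qualifier) clauses."""
    clauses = []
    for chunk in CLAUSE_SPLIT.split(cap.strip()):
        words = chunk.split()
        if not words or words[0] not in ("allow", "deny"):
            raise ValueError(f"clause must start with allow or deny: {chunk!r}")
        verb, rest, perms = words[0], words[1:], ""
        if rest and (rest[0] == "*" or set(rest[0]) <= set("rwx")):
            perms, rest = rest[0], rest[1:]
        clauses.append((verb, perms, " ".join(rest)))
    return clauses

def superuser_subsystems(caps):  # subsystems granted full "allow *" access
    return sorted(sub for sub, cap in caps.items()
                  if any(v == "allow" and p == "*" for v, p, _ in parse_capability(cap)))
```

Running superuser_subsystems over a parsed caps file is a quick way to spot a key that was given "allow *" on a subsystem where the examples above would only need "allow r" or "allow rw pool=...".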
.SH EXAMPLE
To create a new keyring containing a key for \fIclient.foo\fP:
.IP
cauthtool -c -n client.foo --gen-key keyring.bin
.PP
To associate some capabilities with the key (namely, the ability to mount a Ceph filesystem):
.IP
cauthtool -n client.foo --cap mds 'allow' --cap osd 'allow rw pool=data' --cap mon 'allow r' keyring.bin
.PP
To display the contents of the keyring:
.IP
cauthtool -l keyring.bin
.PP
When mounting a Ceph file system, you can grab the appropriately encoded secret key with
.IP
mount -t ceph serverhost:/ mountpoint -o name=foo,secret=`cauthtool -p -n client.foo keyring.bin`
.PP
.SH AVAILABILITY
.B cauthtool
is part of the Ceph distributed file system. Please refer to the Ceph wiki at
http://ceph.newdream.net/wiki for more information.
.SH SEE ALSO
.BR ceph (8)