2011-09-23 22:52:49 +00:00
|
|
|
=================================================
|
2011-09-22 22:16:56 +00:00
|
|
|
ceph-authtool -- ceph keyring manipulation tool
|
2011-09-23 22:52:49 +00:00
|
|
|
=================================================
|
2011-09-09 23:21:52 +00:00
|
|
|
|
2011-09-22 22:16:56 +00:00
|
|
|
.. program:: ceph-authtool
|
2011-09-09 23:21:52 +00:00
|
|
|
|
|
|
|
Synopsis
|
|
|
|
========
|
|
|
|
|
2011-09-22 22:16:56 +00:00
|
|
|
| **ceph-authtool** *keyringfile* [ -l | --list ] [ -C | --create-keyring
|
2011-09-09 23:21:52 +00:00
|
|
|
] [ -p | --print ] [ -n | --name *entityname* ] [ --gen-key ] [ -a |
|
2012-05-21 15:52:49 +00:00
|
|
|
--add-key *base64_key* ] [ --caps *capfils* ]
|
2011-09-09 23:21:52 +00:00
|
|
|
|
|
|
|
|
|
|
|
Description
|
|
|
|
===========
|
|
|
|
|
2011-09-22 22:16:56 +00:00
|
|
|
**ceph-authtool** is a utility to create, view, and modify a Ceph keyring
|
2011-09-09 23:21:52 +00:00
|
|
|
file. A keyring file stores one or more Ceph authentication keys and
|
|
|
|
possibly an associated capability specification. Each key is
|
|
|
|
associated with an entity name, of the form
|
|
|
|
``{client,mon,mds,osd}.name``.
|
|
|
|
|
2012-04-11 22:50:03 +00:00
|
|
|
**WARNING** Ceph provides authentication and protection against
|
|
|
|
man-in-the-middle attacks once secret keys are in place. However,
|
|
|
|
data over the wire is not encrypted, which may include the messages
|
|
|
|
used to configure said keys. The system is primarily intended to be
|
|
|
|
used in trusted environments.
|
2011-09-09 23:21:52 +00:00
|
|
|
|
|
|
|
Options
|
|
|
|
=======
|
|
|
|
|
|
|
|
.. option:: -l, --list
|
|
|
|
|
|
|
|
will list all keys and capabilities present in the keyring
|
|
|
|
|
|
|
|
.. option:: -p, --print
|
|
|
|
|
|
|
|
will print an encoded key for the specified entityname. This is
|
|
|
|
suitable for the ``mount -o secret=`` argument
|
|
|
|
|
|
|
|
.. option:: -C, --create-keyring
|
|
|
|
|
|
|
|
will create a new keyring, overwriting any existing keyringfile
|
|
|
|
|
|
|
|
.. option:: --gen-key
|
|
|
|
|
|
|
|
will generate a new secret key for the specified entityname
|
|
|
|
|
|
|
|
.. option:: --add-key
|
|
|
|
|
|
|
|
will add an encoded key to the keyring
|
|
|
|
|
|
|
|
.. option:: --cap subsystem capability
|
|
|
|
|
|
|
|
will set the capability for given subsystem
|
|
|
|
|
|
|
|
.. option:: --caps capsfile
|
|
|
|
|
|
|
|
will set all of capabilities associated with a given key, for all subsystems
|
|
|
|
|
|
|
|
|
|
|
|
Capabilities
|
|
|
|
============
|
|
|
|
|
|
|
|
The subsystem is the name of a Ceph subsystem: ``mon``, ``mds``, or
|
|
|
|
``osd``.
|
|
|
|
|
|
|
|
The capability is a string describing what the given user is allowed
|
|
|
|
to do. This takes the form of a comma separated list of allow, deny
|
|
|
|
clauses with a permission specifier containing one or more of rwx for
|
|
|
|
read, write, and execute permission. The ``allow *`` grants full
|
|
|
|
superuser permissions for the given subsystem.
|
|
|
|
|
|
|
|
For example::
|
|
|
|
|
|
|
|
# can read, write, and execute objects
|
|
|
|
osd = "allow rwx [pool=foo[,bar]]|[uid=baz[,bay]]"
|
|
|
|
|
|
|
|
# can access mds server
|
|
|
|
mds = "allow"
|
|
|
|
|
|
|
|
# can modify cluster state (i.e., is a server daemon)
|
|
|
|
mon = "allow rwx"
|
|
|
|
|
|
|
|
A librados user restricted to a single pool might look like::
|
|
|
|
|
|
|
|
osd = "allow rw pool foo"
|
|
|
|
|
|
|
|
A client mounting the file system with minimal permissions would need caps like::
|
|
|
|
|
|
|
|
mds = "allow"
|
|
|
|
|
|
|
|
osd = "allow rw pool=data"
|
|
|
|
|
|
|
|
mon = "allow r"
|
|
|
|
|
|
|
|
|
|
|
|
Caps file format
|
|
|
|
================
|
|
|
|
|
|
|
|
The caps file format consists of zero or more key/value pairs, one per
|
|
|
|
line. The key and value are separated by an ``=``, and the value must
|
|
|
|
be quoted (with ``'`` or ``"``) if it contains any whitespace. The key
|
|
|
|
is the name of the Ceph subsystem (``osd``, ``mds``, ``mon``), and the
|
|
|
|
value is the capability string (see above).
|
|
|
|
|
|
|
|
|
|
|
|
Example
|
|
|
|
=======
|
|
|
|
|
|
|
|
To create a new keyring containing a key for client.foo::
|
|
|
|
|
2012-02-17 22:09:55 +00:00
|
|
|
ceph-authtool -C -n client.foo --gen-key keyring
|
2011-09-09 23:21:52 +00:00
|
|
|
|
|
|
|
To associate some capabilities with the key (namely, the ability to
|
|
|
|
mount a Ceph filesystem)::
|
|
|
|
|
2011-09-22 22:16:56 +00:00
|
|
|
ceph-authtool -n client.foo --cap mds 'allow' --cap osd 'allow rw pool=data' --cap mon 'allow r' keyring
|
2011-09-09 23:21:52 +00:00
|
|
|
|
|
|
|
To display the contents of the keyring::
|
|
|
|
|
2011-09-22 22:16:56 +00:00
|
|
|
ceph-authtool -l keyring
|
2011-09-09 23:21:52 +00:00
|
|
|
|
|
|
|
When mount a Ceph file system, you can grab the appropriately encoded secret key with::
|
|
|
|
|
2011-09-22 22:16:56 +00:00
|
|
|
mount -t ceph serverhost:/ mountpoint -o name=foo,secret=`ceph-authtool -p -n client.foo keyring`
|
2011-09-09 23:21:52 +00:00
|
|
|
|
|
|
|
|
|
|
|
Availability
|
|
|
|
============
|
|
|
|
|
2011-09-22 22:16:56 +00:00
|
|
|
**ceph-authtool** is part of the Ceph distributed file system. Please
|
2011-09-09 23:21:52 +00:00
|
|
|
refer to the Ceph wiki at http://ceph.newdream.net/wiki for more
|
|
|
|
information.
|
|
|
|
|
|
|
|
|
|
|
|
See also
|
|
|
|
========
|
|
|
|
|
|
|
|
:doc:`ceph <ceph>`\(8)
|