mirror of https://github.com/ceph/ceph
86 lines
2.8 KiB
Groff
86 lines
2.8 KiB
Groff
.TH CAUTHTOOL 8
|
|
.SH NAME
|
|
cauthtool \- ceph keyring manipulation tool
|
|
.SH SYNOPSIS
|
|
.B cauthtool
|
|
\fIkeyringfile\fP
|
|
[ \fB\-l\fR | \fB\-\-list\fR ]
|
|
[ \fB\-c\fR | \fB\-\-create-keyring\fR ]
|
|
[ \fB\-p\fR | \fB\-\-print\fR ]
|
|
[ \fB\-n\fR | \fB\-\-name\fR \fIentityname\fP ]
|
|
[ \fB\-\-gen-key\fR ]
|
|
[ \fB\-a\fR | \fB\-\-add-key \fIbase64_key\fP ]
|
|
[ \fB\-\-caps\fR \fIcapfils\fP ]
|
|
.SH DESCRIPTION
|
|
.B cauthtool
|
|
is a utility to create, view, and modify a Ceph keyring file. A keyring
|
|
file stores one or more Ceph authentication keys and possibly an
|
|
associated capability specification. Each key is associated with an
|
|
entity name, of the form \fI{client,mon,mds,osd}.name\fP.
|
|
.SH OPTIONS
|
|
.TP
|
|
\fB\-l\fP, \fB\-\-list\fP
|
|
will list all keys and capabilities present in the keyring.
|
|
.TP
|
|
\fB\-p\fP, \fB\-\-print\fP
|
|
will print an encoded key for the specified \fIentityname\fP. This is suitable for the mount -o secret= argument.
|
|
.TP
|
|
\fB\-c\fP, \fB\-\-create-keyring\fP
|
|
will create a new keyring, overwriting any existing \fIkeyringfile\fP.
|
|
.TP
|
|
\fB\-\-gen\-key\fP
|
|
will generate a new secret key for the specified \fIentityname\fP:
|
|
.TP
|
|
\fB\-\-add\-key\fP
|
|
will add an encoded key to the keyring.
|
|
.TP
|
|
\fB\-\-caps\fI capsfile \fP
|
|
will set the capabilities associated with a given key.
|
|
.SH CAPS FILE FORMAT
|
|
The caps file format consists of zero or more key/value pairs. The key is the name of the Ceph
|
|
subsystem (osd, mds, mon). The value is a comma separated list of allow, deny clauses with a permission
|
|
specifier containing one or more of \fIrwx\fP, for read, write, and execute permission. If you want to declare the key an administrator (with full privileges on everything), use the shorthand 'subsystem = "allow *"'. For
|
|
example,
|
|
.IP
|
|
osd = "allow rwx [pool=foo[,bar]]|[uid=baz[,bay]]" # can read, write, and execute objects
|
|
.IP
|
|
mds = "allow" # can access mds server
|
|
.IP
|
|
mon = "allow rwx" # can modify cluster state (i.e., is a server daemon)
|
|
.PP
|
|
A librados user restricted to a single pool might look like
|
|
.IP
|
|
osd = "allow rw pool foo"
|
|
.PP
|
|
A client mounting the file system with minimal permissions would need caps like
|
|
.IP
|
|
mds = "allow"
|
|
.IP
|
|
osd = "allow rw; allow rw pool = data_pool_num"
|
|
.IP
|
|
mon = "allow r"
|
|
.PP
|
|
.SH EXAMPLE
|
|
To create a new keyring containing a key for \fIclient.foo\fP:
|
|
.IP
|
|
cauthtool -c -n client.foo --gen-key keyring.bin
|
|
.PP
|
|
To associate some capabilities with the key:
|
|
.IP
|
|
cauthtool -n client.foo --caps foocaps.conf keyring.bin
|
|
.PP
|
|
To display the contents of the keyring:
|
|
.IP
|
|
cauthtool -l keyring.bin
|
|
.PP
|
|
When mount a Ceph file system, you can grab the appropriately encoded secret key with
|
|
.IP
|
|
mount -t ceph serverhost:/ mountpoint -o name=foo,secret=`cauthtool -p -n client.foo keyring.bin`
|
|
.PP
|
|
.SH AVAILABILITY
|
|
.B cauthtool
|
|
is part of the Ceph distributed file system. Please refer to the Ceph wiki at
|
|
http://ceph.newdream.net/wiki for more information.
|
|
.SH SEE ALSO
|
|
.BR ceph (8)
|