How to create and modify users in Ceph (cephx)?

In this article I am going to show you how to create Ceph users. We need to create Ceph users to integrate Ceph with various components or to segregate responsibilities.

Step 1 : If you have an existing user in the Ceph cluster, you can check the access rights and key for that user using the command below.

[root@ceph-m1 ceph]# ceph auth get client.glance
exported keyring for client.glance
[client.glance]
key = AQDJkztVMAOxORAAbVtUGdJZr91zvJVpKvKLUA==
caps mon = "allow r"
caps osd = "allow rwx pool=images"

[root@ceph-m1 ceph]# ceph auth get client.vicky
exported keyring for client.vicky
[client.vicky]
key = AQBrZ0xV2H5/EBAA4bcOLGwURXIQuFvp1yYS5Q==

Step 2 : In the previous output we have seen that user vicky doesn't have any access. To grant access to an existing user we can use the command below. Here I am giving all rights to user vicky.

[root@ceph-m1 ceph]# ceph auth caps client.vicky mon 'allow *' osd 'allow *'
updated caps for client.vicky

After issuing the above command we can check the rights and key of user vicky again.

[root@ceph-m1 ceph]# ceph auth get client.vicky
exported keyring for client.vicky
[client.vicky]
key = AQBrZ0xV2H5/EBAA4bcOLGwURXIQuFvp1yYS5Q==
caps mon = "allow *"
caps osd = "allow *"

Step 3 : If you want to remove the rights given to user vicky, use the command below.

[root@ceph-m1 ceph]# ceph auth caps client.vicky mon ' ' osd ' '
updated caps for client.vicky

[root@ceph-m1 ceph]# ceph auth get client.vicky
exported keyring for client.vicky
[client.vicky]
key = AQBrZ0xV2H5/EBAA4bcOLGwURXIQuFvp1yYS5Q==
caps mon = " "
caps osd = " "

Step 4 : We can delete the user using the command below. After deleting it, fetching the information for that user returns an error, which is expected.

[root@ceph-m1 ceph]# ceph auth del client.vicky
updated

[root@ceph-m1 ceph]# ceph auth get client.vicky
Error ENOENT: failed to find client.vicky in keyring

Step 5 : Suppose you want to create a new user key and you are not sure whether a key for that user is already present or not. Below is the safest approach to generate the key.

[root@ceph-m1 ceph]# ceph auth get-or-create-key client.glance
AQDJkztVMAOxORAAbVtUGdJZr91zvJVpKvKLUA==

[root@ceph-m1 ceph]# ceph auth get-or-create-key client.vicky
AQBrZ0xV2H5/EBAA4bcOLGwURXIQuFvp1yYS5Q==

If we want to fetch the key of an existing user:

[root@ceph-m1 ceph]# ceph auth print-key client.glance
AQDJkztVMAOxORAAbVtUGdJZr91zvJVpKvKLUA==

Step 6 : If we want to create a user by specifying the keyring file, we can use the command below.

[ceph@ceph-admin ceph-config]$ sudo ceph-authtool -C /etc/ceph/ceph.keyring -n client.ringo --cap osd 'allow rwx' --cap mon 'allow rw' --gen-key
creating /etc/ceph/ceph.keyring

[ceph@ceph-admin ceph-config]$ sudo cat /etc/ceph/ceph.keyring
[client.ringo]
key = AQBnbExVsBx5MhAAFXB77/NY8iitSoMjJQaGjQ==
caps mon = "allow rw"
caps osd = "allow rwx"

We can use the command below to modify the permissions of the user without generating a new key.

[ceph@ceph-admin ceph-config]$ sudo ceph-authtool /etc/ceph/ceph.keyring -n client.ringo --cap osd 'allow rwx' --cap mon 'allow rw'

[ceph@ceph-admin ceph-config]$ sudo cat /etc/ceph/ceph.keyring
[client.ringo]
key = AQBnbExVsBx5MhAAFXB77/NY8iitSoMjJQaGjQ==
caps mon = "allow rw"
caps osd = "allow rwx"
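
An added example, not part of the original article: a small shell function that reads keyring-format text, such as the ceph auth get output shown in the steps above, and flags capabilities that are empty, unrestricted (allow *, as granted in Step 2), or OSD capabilities with no pool= restriction. The function name audit_caps, the finding labels and the sample input with placeholder keys are constructed for illustration, and the pool= check is a heuristic assumption.

```sh
#!/bin/sh
# Audit keyring-format text (as printed by "ceph auth get <entity>") for
# capabilities broader than a service account normally needs.
# Reads keyring text on stdin; prints "<entity> <daemon> <finding>" per hit.
audit_caps() {
    awk '
        /^\[.*\]$/ {                        # section header: [client.name]
            entity = substr($0, 2, length($0) - 2)
            next
        }
        $1 == "caps" && entity != "" {      # caps <daemon> = "<capability>"
            daemon = $2
            cap = $0
            sub(/^[^=]*=[ \t]*/, "", cap)   # drop everything up to the "="
            gsub(/^[ \t"]+|[ \t"]+$/, "", cap)  # strip quotes and blanks
            if (cap == "")
                print entity, daemon, "EMPTY"
            else if (cap ~ /allow \*/)
                print entity, daemon, "UNRESTRICTED"
            else if (daemon == "osd" && cap !~ /pool=/)
                print entity, daemon, "NO_POOL_SCOPE"   # heuristic only
        }
    '
}

# Constructed sample input modelled on the outputs in this article;
# the key values are placeholders, not real keys.
SAMPLE_KEYRING='[client.glance]
    key = PLACEHOLDER==
    caps mon = "allow r"
    caps osd = "allow rwx pool=images"
[client.vicky]
    key = PLACEHOLDER==
    caps mon = "allow *"
    caps osd = "allow *"
[client.ringo]
    key = PLACEHOLDER==
    caps mon = "allow rw"
    caps osd = "allow rwx"'

printf '%s\n' "$SAMPLE_KEYRING" | audit_caps
```

On the sample, client.glance passes because its OSD access is limited to the images pool, while client.vicky and client.ringo are reported.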

